
NetIQ Sentinel Overview

NetIQ Sentinel is the #32 ranked solution in our list of top Security Information and Event Management (SIEM) tools. It is most often compared to Splunk.

What is NetIQ Sentinel?
NetIQ Sentinel is a full-featured Security Information and Event Management (SIEM) solution that simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true "actionable intelligence" security professionals need to quickly understand their threat posture and prioritize response.

NetIQ Sentinel is also known as Novell SIEM.

Buyer's Guide

Download the Security Information and Event Management (SIEM) Buyer's Guide including reviews and more. Updated: October 2021

NetIQ Sentinel Customers
Faysal Bank, GaVI, Handelsbanken, ISC Münster, Lambeth Council, Swisscard, The Municipality of Siena, Tukes, University of Dayton, University of the Sunshine Coast
Archived NetIQ Sentinel Reviews (more than two years old)

AL
System specialist IDM/SIEM at SV Informatik GmbH
Real User
Provides an important central locking system for audit data, but it needs a new interface

Pros and Cons

  • "The most valuable feature of this solution is that it provides a central locking system for many event sources."
  • "There is no integration in the web-side of the tool."

What is our primary use case?

We are using this solution for logging.

Our environment is an on-premises deployment.

How has it helped my organization?

We have a regular database to audit and this solution is able to lock the audit data.

What is most valuable?

The most valuable feature of this solution is that it provides a central locking system for many event sources.

What needs improvement?

The web interface needs to be improved, as it has a java-based way to call its controls.

There is no integration in the web-side of the tool.

It is an important requirement to be able to develop collectors because the tool does not provide a portfolio of collectors for systems or devices.

For how long have I used the solution?

We have been using this solution for approximately fifteen years.

What do I think about the stability of the solution?

The stability of this tool is good, and we haven't had a big crash.

What do I think about the scalability of the solution?

It is not easy to scale the tool. In the live version, you have the usability tool that is the scaling version of Sentinel, but we do not use it. We have about one hundred people using this solution who feed events into Sentinel to look for anomalies in the database audits.

How are customer service and technical support?

Technical support for this solution is good.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

This solution is easy to install. Our initial deployment took approximately three months.

There is a team of four people who maintain this solution.

What about the implementation team?

We used a consultant from NetIQ to assist with our deployment and it was a good experience.

Which other solutions did I evaluate?

We evaluated three other tools in addition to this one. They were Splunk, ArcSight, and Elasticsearch.

What other advice do I have?

We are planning on changing tools.

I would rate this solution a four out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user674118
Security/Service Engineer at a comms service provider with 10,001+ employees
Real User
Valuable features are the anomaly dashboards and the search/filter features.

What is our primary use case?

Primarily, I used NetIQ Sentinel when I worked as a Security Analyst, as a tool for collecting and filtering out logs in order to investigate whether there was something "interesting", i.e. samples of real attack or malware activity. Sentinel is a tool that, if it is well configured, removes from view all unnecessary information, like logs saying that a user opened a window in the system, and shows you only the needed entries. It removes data that can obscure your perspective and mislead an investigation.

Later, I used NetIQ Sentinel more "administratively", which means that I created/removed/changed event sources and also investigated why they hadn't sent anything to the log collector. I can say that from an administration perspective the interface of Sentinel is also very simple to operate and navigate. When an interface is intuitive, as in the case of Sentinel, no special effort is needed to do your job faster, more conveniently and with high performance.

What is most valuable?

Anomaly dashboards, search/filters features.

The anomaly dashboard provides the possibility to find 0-day attacks. This feature is built on top of the search/filter feature. It's great and very useful, because I would first find out whether a search/filter can give me the data that I need. If not, I have the possibility to change it, e.g. using a regex, or to fine-tune the search/filter. And when I have the search/filter tested and know that it will catch the information I want to see on the chart, then I implement the search/filter in a new anomaly dashboard.

Another great idea is the fact that I can receive anomaly alerts via email. I don't need to watch the charts all the time.

How has it helped my organization?

For example, from version 7.1 the company where I worked started using anomaly dashboards. It is very convenient, because the SOC could and can react to possible attacks that are not seen in the alerts generated by rules. As I said before, anomaly dashboards can help detect the type of attack called a 0-day attack. A 0-day attack is a threat that hasn't been categorized as an attack yet, and because of that there is no patch or solution, because it is unknown to systems like IDS/IPS.

What needs improvement?

I would prefer to extend the dashboards and their functions in the Web GUI version, so that the charts could be more configurable.

Efficiency of Security Team

Yes, it has.

Events per Day

~240 million.

For how long have I used the solution?

One and a half years.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

8/10.

Which solution did I use previously and why did I switch?

No.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
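The workflow the reviewer describes above, a tested search/filter whose hit counts feed an anomaly chart that alerts by email, can be sketched outside Sentinel. The following Python is an added example, not code from the review or from NetIQ: it runs a regex filter over constructed syslog lines (invented for this illustration), buckets the matches per hour, and flags hours whose count deviates from the median by more than a chosen multiple of the median absolute deviation. The regex, the hourly bucketing and the threshold factor are assumptions.

```python
import re
import statistics
from collections import Counter

# The "search/filter" half of the dashboard: failed SSH logins.
# The pattern and the syslog layout are assumptions for this example.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SYSLOG_TS = re.compile(r"^\w{3}\s+\d+\s+(\d{2}):\d{2}:\d{2}")


def build_sample_logs():
    """Constructed syslog lines: three failures an hour for eight hours, plus a
    burst of forty at 03:00, with one accepted login per hour as noise."""
    per_hour = {hour: 3 for hour in range(8)}
    per_hour[3] = 40
    lines = []
    for hour, failures in per_hour.items():
        for i in range(failures):
            lines.append(
                f"Oct  1 {hour:02d}:{i % 60:02d}:17 host sshd[{1000 + i}]: "
                f"Failed password for invalid user admin from 198.51.100.{i % 250 + 1} port 5123 ssh2"
            )
        lines.append(
            f"Oct  1 {hour:02d}:30:00 host sshd[999]: Accepted publickey for ops from 10.0.0.5 port 4444 ssh2"
        )
    return lines


def hourly_counts(lines, pattern=FAILED_LOGIN):
    """Apply the filter and count matching events per hour of day (the chart's x-axis)."""
    counts = Counter()
    for line in lines:
        if pattern.search(line):
            ts = SYSLOG_TS.match(line)
            if ts:
                counts[int(ts.group(1))] += 1
    return counts


def find_anomalies(counts, k=5.0):
    """Return the hours whose count deviates from the median by more than k * MAD.

    The median absolute deviation is robust: the burst does not inflate the
    baseline the way it would inflate a standard deviation. A floor of 1.0 on
    the MAD keeps a perfectly flat baseline from flagging every extra event.
    """
    hours = sorted(counts)
    values = [counts[h] for h in hours]
    med = statistics.median(values)
    mad = max(statistics.median(abs(v - med) for v in values), 1.0)
    return [h for h in hours if abs(counts[h] - med) > k * mad]


def top_sources(lines, hour, pattern=FAILED_LOGIN, n=3):
    """What the email alert would carry: the busiest source addresses in the flagged hour."""
    sources = Counter()
    for line in lines:
        ts = SYSLOG_TS.match(line)
        m = pattern.search(line)
        if ts and m and int(ts.group(1)) == hour:
            sources[m.group(2)] += 1
    return sources.most_common(n)


if __name__ == "__main__":
    logs = build_sample_logs()
    counts = hourly_counts(logs)
    for hour in find_anomalies(counts):
        print(f"anomaly at {hour:02d}:00 with {counts[hour]} failures; top sources: {top_sources(logs, hour)}")
```

The filter is deliberately kept separate from the statistics, mirroring the reviewer's order of work: get the search right first, then hang the chart and the alert off it. The threshold factor k is the knob a SOC tunes per dashboard; 5.0 is only a starting point.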
ITCS user
Information Systems Manager at a healthcare company with 501-1,000 employees
Real User
The query tool of the web UI is so cool.

What is most valuable?

The query tool of the web UI is so cool! (Lucene-based, filters-based on taxonomy). The web interface gives you the ability to design, at query time, a simple report on the fly.

Support from the provider is great; good experience with the helpdesk.

How has it helped my organization?

Sentinel can help our customers meet PCI, and other requirements based on the reporting and control of related components. Questions like "who has access to that asset" and "who had access in such and such moment" can be solved quickly.

What needs improvement?

The Java desktop tool and the WMI integration (WECS server architecture).

The integration UI and modules deployment can improve.
In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.

The Java app functions can be migrated to the web interface.
On the other hand, WMI integration can be improved by removing the WECS collector. The Sentinel node can include all the functions. If a scenario needs more power, just deploy another Sentinel node (all in one) that can help in multiple use cases, not just WECS.

RAM consumption... some JRE problems, but nothing that cannot be fixed by IT (for example, file descriptor limits for Java).

For how long have I used the solution?

As part of my work, I’m responsible for deployment, tuning, integrating, and using Sentinel for bank projects.
Reporting IDE environments and processes is hard to take responsibility for, but not impossible.
Some functions look great but, in practice, some key limitations turn the process into something opaque.

What do I think about the stability of the solution?

Java needs a lot of RAM!! Some queries (if you're not careful) can consume lots of memory and destabilize the instance of the product (or OS platform, including RHEL).

What do I think about the scalability of the solution?

We have not had scalability issues. Storage retention policies and schema, online and offline, are very nice.
If Sentinel is integrated with Identity Manager and User Application Portal, the solution runs simply perfect!

How are customer service and technical support?

In my experience, support really rocks! I had the opportunity to meet great people, very human, and engineers.

Which solution did I use previously and why did I switch?

Yes.. sure... Syslog!!
SIEM is not a simple logging tool. The big clients (banks, big industries, government, etc.) need a solution according to their size.

How was the initial setup?

Just follow the manuals after reading them. Linux knowledge helps, because Linux opens your hard mind. It is complex for mortals, familiar for "Linuxers".

What's my experience with pricing, setup cost, and licensing?

Sentinel is not for home use. Other versions are available from the same vendor, like Sentinel Rapid Deployment or the Reporting Module, that are offered for different needs. In other words, if price is a problem, go open source, not a world-class tool like Sentinel. NetIQ offers nice licence packages that can be adjusted better for some clients.

Which other solutions did I evaluate?

RSA Security Analytics was an option, but as part of a NetIQ/Novell Identity Manager deployment we prefer the NetIQ SIEM tools (integration capabilities). It depends on client needs whether another solution, like RSA Analytics, is appropriate.

What other advice do I have?

Be careful with requirements, production resources are really needed. Be clear with objectives, and test it before use. Understanding SIEM concepts is basically the goal.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user674067
Manager Platform Monitoring at a non-tech company with 10,001+ employees
Vendor
It provides real time security event analytics. Take a look at other vendors like LogRhythm.

What is most valuable?

Scalability is the best feature.

How has it helped my organization?

It provides real time security event analytics.

What needs improvement?

Take a look at other vendors like LogRhythm. They are light years ahead of where this product is.

For how long have I used the solution?

I have used this solution for seven years.

What do I think about the stability of the solution?

We did have issues with stability. Java is not stable.

What do I think about the scalability of the solution?

We did not have scalability issues.

How are customer service and technical support?

Support is good, but only for backend support. Both Level-1 and Level-2 support teams are terrible.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was complex.

What's my experience with pricing, setup cost, and licensing?

It's probably not a product that I would recommend to anyone.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

The amount of time spent implementing this solution, tweaking it to suit our needs, and then maintaining it, ended up being the same as building one from scratch, using something like ELK.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user147231
Development Manager at a security firm with 51-200 employees
Vendor
The correlation engine allows our clients to generate rules more efficiently.

Valuable Features

Correlation rules - The correlation engine allows our clients to generate rules more efficiently. For example: the company has a policy which says that all connections to the databases can only be made over an internal connection. So you can correlate the VPN logs, FW logs and DB logs to alert when this policy has been breached.

Improvements to My Organization

Detection of unauthorised access to systems.

Use of Solution

10 years

Deployment Issues

I haven't encountered any issues with deployment

Stability Issues

I haven't encountered any issues with stability

Scalability Issues

I haven't encountered any issues with scalability

Customer Service and Technical Support

Customer Service: Our clients have told us that they like their customer service.
Technical Support: I provided technical support to LATAM.

Initial Setup

Initial setup was straightforward

Implementation Team

I was the implementer

Other Advice

Prepare a plan for short, medium and large implementation. Start with the simple, like so: FW, routers, etc., then move to more complex ones like applications in house.
Disclosure: My company has a business relationship with this vendor other than being a customer: I used to work for a company that was a Novell partner
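The rule in the review above (database connections are allowed only from the internal network, checked by correlating VPN, firewall and DB logs) can be expressed in plain Python. This is an added example, not Sentinel's correlation-rule language or the reviewer's rule: the address ranges, the key=value log layout and the sample VPN, firewall and database lines are all constructed for illustration, and RFC 5737 documentation addresses stand in for public IPs.

```python
import ipaddress
import re

# Assumed address plan for this example: the corporate LAN, and a VPN pool carved
# out of it. A VPN client is a remote user, so it does not count as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
DB_PORTS = {1433, 3306, 5432}

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample events in an assumed "<timestamp> <source> key=value ..." layout.
VPN_LOGS = [
    "2021-10-01T08:00:01 vpn user=alice assigned=10.200.0.5 remote=203.0.113.7",
    "2021-10-01T08:05:10 vpn user=bob assigned=10.200.0.9 remote=198.51.100.21",
]
FW_LOGS = [
    "2021-10-01T08:10:00 fw action=ACCEPT src=10.200.0.5 dst=10.1.1.20 dport=5432",
    "2021-10-01T08:11:00 fw action=ACCEPT src=10.0.5.40 dst=10.1.1.20 dport=5432",
    "2021-10-01T08:12:00 fw action=ACCEPT src=198.51.100.77 dst=10.1.1.20 dport=5432",
    "2021-10-01T08:13:00 fw action=DROP src=198.51.100.78 dst=10.1.1.20 dport=5432",
]
DB_LOGS = [
    "2021-10-01T08:10:01 db login user=app_svc client=10.0.5.40 db=orders",
    "2021-10-01T08:10:02 db login user=alice client=10.200.0.5 db=orders",
    "2021-10-01T08:12:01 db login user=dba client=198.51.100.77 db=orders",
]


def parse_line(line):
    """Split '<ts> <source> ...' and collect the key=value fields into a dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["source"] = source
    return fields


def is_internal(ip_str):
    """Internal means inside the LAN ranges and not a VPN pool address."""
    ip = ipaddress.ip_address(ip_str)
    if ip in VPN_POOL:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def correlate(vpn_lines, fw_lines, db_lines):
    """One alert per DB login from a non-internal client, enriched with the
    firewall ACCEPT that let it through and, for VPN pool addresses, the VPN
    user and the real remote address behind it."""
    vpn_by_ip = {r["assigned"]: r for r in map(parse_line, vpn_lines)}
    fw_accepts = [
        r for r in map(parse_line, fw_lines)
        if r["action"] == "ACCEPT" and int(r["dport"]) in DB_PORTS
    ]
    alerts = []
    for rec in map(parse_line, db_lines):
        client = rec["client"]
        if is_internal(client):
            continue
        alert = {"ts": rec["ts"], "db_user": rec["user"], "db": rec["db"], "client": client}
        # ISO-8601 timestamps compare correctly as strings, so "not after the login" is a plain <=.
        path = next((f for f in fw_accepts if f["src"] == client and f["ts"] <= rec["ts"]), None)
        alert["fw_evidence"] = f"{path['src']}->{path['dst']}:{path['dport']}" if path else None
        vpn = vpn_by_ip.get(client)
        alert["vpn_user"] = vpn["user"] if vpn else None
        alert["remote_ip"] = vpn["remote"] if vpn else None
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(VPN_LOGS, FW_LOGS, DB_LOGS):
        print(a)
```

Run stand-alone it raises two alerts: alice's login over the VPN pool address (attributed back to her real remote IP) and the dba login straight from a public address, while app_svc from the LAN is silent. The DB log alone cannot tell the first case from a LAN login; the VPN join is what makes the policy enforceable.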
ITCS user
Senior IT Security Consultant at a tech consulting company with 51-200 employees
Consultant
Our initial setup was complex, but mainly because of all the network variables we had.

What is most valuable?

  • Correlation engine simplicity
  • Visual agent deployment
  • Stream-based solution performed by the iSCALE bus (no latency due to the database layer)

How has it helped my organization?

  • Better security incident analysis
  • New scopes for security events and correlation
  • Better performance on device-failure actions

What needs improvement?

  • Correlation engine
  • Device support
  • Agent development flexibility

For how long have I used the solution?

I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars based on my experience with the latest version I worked on (probably version 7 should be much better).

What was my experience with deployment of the solution?

On version 5, the builder was somewhat unstable during deployment; the workaround was a strict procedure with too many intermediate save steps.

What do I think about the stability of the solution?

The wizard agent module is very sensitive to network changes and needs a restart on every network change (versions 5 and 6).

What do I think about the scalability of the solution?

I have not seen any issues with scalability.

Which solution did I use previously and why did I switch?

I had another SIEM installation (nFX) working for another application domain.

How was the initial setup?

Complex, but mainly because of all the network variables we had. Imagine mapping firewall rules passively and then requesting the capability from an external group not really involved in the installation.

What about the implementation team?

Actually, we were the system integrator and we provided a large enterprise solution.

Which other solutions did I evaluate?

Novell SIEM was my second technology of this kind. Previously I experienced the nFX and later even the McAfee ESM and the Splunk ES.

What other advice do I have?

Be aware that without any technical support from NetIQ it could be very hard to administer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.