I've recently inherited / taken over a Sentinel installation that was unmaintained for a while. I think I now have everything in it upgraded to "current version" (see below for details), but I'm trying to make sense of what it's displaying. If I look in Collection / Event Sources, I have 26 configured sources, 9 of which are in status "error" (little red x). I don't think that they should be showing that, because they seem to be working. All of the "error" status event sources are Audit sources (eDir and IDM), but not all Audit sources are showing "error".

Taking three of them that are very similar, one shows the green arrow indicating that it's running, the other two show the red x for error. The two with "error" are definitely reporting events in to the Sentinel server. Both of the "error" servers show nn,nnn,nnn bytes received in the status. The one that is "running" seems to be reporting events as well, but the status in Sentinel shows 0 bytes received. All three are eDir servers. One has the IDM engine on it, though that doesn't seem to matter.

Server1 - eDir and IDM - status is "error"
Server2 - eDir only - status is "running"
Server3 - eDir only - status is "error"

Going to the Live View shows basically the same thing. One server (eDir only) shows green. The other two (eDir only on one, eDir + IDM on the other) show red. The error message is "Lost connection to application eDirInst on machine xx.xx.xx.xx" on all of the "error" status sources.

"tail -F nproduct.log" shows these sorts of lines on all three hosts:

Thu Dec 28 10:59:13 2017 [MonitorHealth]: ClientList.size=2, UploadList.size=0 , close_wait=4, LastMinEPS=6
Thu Dec 28 10:59:49 2017 [Novell Audit Cache]: Removed application eDirInst cache file /var/opt/novell/naudit/cache/lc3eb607cf9b35d750107fca8981e1ac4b.

so it would appear that all three hosts are uploading events to Sentinel. I can cause events (ndslogin on local host), auditds is loaded, and all three servers are configured to audit the same events.

Looking in /var/opt/novell/sentinel/log/server0.0.log, I see eDirInst events being received and apparently processed by the Sentinel server for all three hosts. Lines like:

Thu Dec 28 11:19:18 EST 2017|INFO|eDirInst (/xx.xx.xx.xxx:54442)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
        Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine xx.xx.xx.xxx:eDirInst

where "xx.xx.xx.xxx" is the IP addresses of each box.

One strange thing I've noticed is that "netstat -an | grep xx.xx.xx.xx" on the Sentinel server shows ESTABLISHED connections from servers 1 and 3 (the ones in "error" status), and no connection from server 2 (the one in "running" status). "netstat -an | grep yy.yy.yy.yy" on the event source servers shows "ESTABLISHED" connections to the Sentinel server from servers 1 and 3, and no connection from server 2. That is exactly the opposite of what the Sentinel status mark is showing me.

Sentinel is 8.1 appliance (Version:, registered and up to date as of yesterday.
eDir is (novell-NDSbase-
eDirInst is (novell-AUDTedirinst-
Platform agent is 2.0.2-81 (novell-AUDTplatformagent-2.0.2-81)
NetIQ Audit Connector is 2011-1r4-201701130600-release
NetIQ eDirectory Collector is 2011-1r9-201709280434-release

I know that the red x can be normal; it indicates that the connection has been disconnected. That seems to be wrong here. If anything, it seems to be inverted from actual reality. Am I missing something obvious here? I'd like to be seeing all little green arrows unless there's an actual error that I need to look into.
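
An added example, not part of the original post and not NetIQ code: a small script that lines up the three views compared above (the status shown in Event Source Management, the "Received new event source" lines in server0.0.log, and `netstat -an` on the Sentinel server) and flags each source whose displayed status disagrees with its TCP session. The addresses, the listener port and the hand-entered status table are constructed sample data.

```python
import re

# Constructed sample inputs; addresses are from the 192.0.2.0/24 documentation range.
SERVER_LOG = """\
Thu Dec 28 11:19:18 EST 2017|INFO|eDirInst (/192.0.2.21:54442)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
        Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine 192.0.2.21:eDirInst
Thu Dec 28 11:20:02 EST 2017|INFO|eDirInst (/192.0.2.22:40210)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
        Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine 192.0.2.22:eDirInst
Thu Dec 28 11:21:40 EST 2017|INFO|eDirInst (/192.0.2.23:40112)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
        Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine 192.0.2.23:eDirInst
"""
# Constructed `netstat -an` excerpt from the Sentinel server (local port is made up).
NETSTAT = """\
tcp        0      0 192.0.2.10:1289         192.0.2.21:54442        ESTABLISHED
tcp        0      0 192.0.2.10:1289         192.0.2.23:40112        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:51000        ESTABLISHED
"""
# Status per source as read by hand from the Event Sources view (constructed).
UI_STATUS = {"192.0.2.21": "error", "192.0.2.22": "running", "192.0.2.23": "error"}

def announced_sources(log_text):
    """IPs that the audit connector logged as a new event source."""
    return set(re.findall(r"Received new event source from machine (\S+?):\w+", log_text))

def established_peers(netstat_text):
    """Foreign IPs of all ESTABLISHED TCP sessions in Linux netstat -an output."""
    peers = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[5] == "ESTABLISHED":
            peers.add(f[4].rsplit(":", 1)[0])
    return peers

def reconcile(ui_status, log_text, netstat_text):
    """Map each source IP to (verdict, seen_in_server_log)."""
    announced, connected = announced_sources(log_text), established_peers(netstat_text)
    report = {}
    for ip, status in ui_status.items():
        up = ip in connected
        if status == "running" and not up:
            verdict = "MISMATCH: shown running, no TCP session"
        elif status == "error" and up:
            verdict = "MISMATCH: shown error, TCP session established"
        else:
            verdict = "consistent"
        report[ip] = (verdict, ip in announced)
    return report

if __name__ == "__main__":
    for ip, (verdict, logged) in sorted(reconcile(UI_STATUS, SERVER_LOG, NETSTAT).items()):
        print(f"{ip:15} {verdict:50} in server0.0.log: {logged}")
```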