NetIQ Sentinel collector and connector counting
A Sentinel deployment lights up data sources across the estate, and an audit that counts every source it can see will reach for a far larger number than the platform actually licenses. NetIQ Sentinel collector and connector counting is where a SIEM finding inflates, because a collector definition is not the same thing as an active, licensed feed, and the difference is worth a great deal of money.
NetIQ reached the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and Sentinel sits inside that security portfolio alongside ArcSight, Voltage, and the broader NetIQ identity line. Like most Micro Focus products, Sentinel is governed by the Additional License Authorizations rather than the OpenText EULA, and the authorization is the document that defines what a collector is, what a connector is, and which of them the metric counts. An audit that skips that definition and counts configured objects will produce a headline number that the agreement does not support.
What a Sentinel collector and connector actually are
In a Sentinel architecture, a connector is the component that talks to a data source and brings events in, and a collector is the parsing logic that normalises those events into a usable form. A single deployment can hold many of each, and over years of operation the count grows: sources are added for a project, a test feed is wired up, a duplicate is created during a migration, a decommissioned system leaves its collector definition behind. The configured inventory is therefore almost always larger than the set of feeds that carry live production data on the day the audit runs.
This matters because a finding built on the configured inventory counts objects that exist in the management console but do not represent a live, licensed use. The defensive question is not how many collectors and connectors are defined, but how many are active, in production, and within the scope the authorization measures. That is a smaller number, and establishing it is the heart of the work.
A configured collector or connector is not a licensed feed. The metric counts active production data flows, and the gap between what the console lists and what actually carries events is where a Sentinel finding overreaches.
Where the counting inflates
Several patterns push a Sentinel collector and connector count above the defensible figure. Each is a line to challenge rather than a number to accept.
- Dormant definitions. Collectors and connectors that remain configured after the source was retired but no longer carry events. They sit in the console and inflate the count without representing use.
- Duplicate and migration artifacts. Objects created during platform upgrades or source migrations that were never cleaned up, counted twice as though they were two live feeds.
- Non production and lab feeds. Collectors wired to test sources or a lab environment, which the authorization may treat differently from production and which a blanket count sweeps in regardless.
- High availability and redundancy. Components that exist for resilience rather than to license additional throughput, counted as though each were an independent licensed feed.
Establishing these categories from the deployment record is what separates the configured inventory from the licensed one. The same discipline applies to ArcSight SmartConnector and collector counting, where the configured count similarly outruns the live feeds the license measures.
Reconstruct the count against the authorization
The four Rs put the authorization and the deployment record side by side. Respond inside the seven day notice window and route everything through a single controlled channel, so the collector and connector inventory is described once and consistently rather than handed over piecemeal. Reconstruct the effective position by reading the authorization for how it defines a collector, a connector, and the unit the metric counts, then setting the live feed record against it. Rebut the finding line by line where it counts dormant, duplicate, non production, or redundant objects as licensed feeds. Resolve on terms that fix the definition of a counted unit so the next audit does not relitigate the configured inventory.
The reconstruction step is the one that moves the number, and it is worth preparing before any vendor measurement runs. Our note on reconciling ArcSight entitlements before an audit sets out the same approach applied to the wider security portfolio, and the principle carries directly into a Sentinel matter.
A recent engagement
The anonymised banking matter recorded as E-03 involved an ArcSight EPS and connector finding that opened at $6.0M and settled at $1.8M, a 70 percent reduction. Connector counting was central to that result: a large share of the configured inventory turned out to be dormant or redundant rather than live, and splitting the active feeds from the console listing brought the number down. The same dynamic recurs in Sentinel matters, because the management console preserves history and an audit that counts what the console shows counts that history as though it were current use.
Hold the count to the active feeds
With NetIQ Sentinel collector and connector counting, more than with most aspects of a security audit, the finding depends on whether anyone reconciles the configured inventory against the live, licensed feeds. A buyer that accepts the console count is paying for years of accumulated definitions, not for the platform it actually runs. The defensive discipline is to read the authorization for what a counted unit is, document the active production feeds against it, and disqualify the dormant, duplicate, non production, and redundant objects line by line. Most of the reduction available on a Sentinel finding comes from that single reconciliation, and it is available to any buyer who insists on the definition the agreement actually contains.
Facing a Sentinel finding built on the console count?
We read the authorization for what a collector and connector are, reconcile the configured inventory against live feeds, and hold the finding to the licensed number. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security audit defense cluster cover connectors, collectors, and data source counting. Each links back to the complete OpenText audit defense playbook for 2026.
- Sentinel event and data volume audit considerations
- ArcSight connector counting in an OpenText audit
- How to challenge an ArcSight connector headcount
- Decommissioned ArcSight connectors still on the audit
- NetIQ identity and access license counting traps
If an OpenText or Micro Focus audit notice has arrived, the first seven days matter more than any week that comes after. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.