Sentinel 8.0 SP1 P2 resolves several previous issues. This patch update is available only for traditional installations of Sentinel.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.
The following sections outline the key features and enhancements, and also the issues resolved in this release:
Sentinel 8.0 SP1 P2 includes the following enhancements:
You can now set the end time for a data synchronization policy so that you can synchronize data only for certain time ranges. This ability is available only for new data synchronization policies and it is not available for existing data synchronization policies. (Bug 1053484)
When editing reports, the Date Picker no longer shows the date when the report was last run. It now defaults to the current date to avoid the need to click many months forward if the Start Time is older than the current date. (Bug 1016005)
Sentinel now generates audit events for ‘Failed To Correlate’ messages that occur when:
Events arrive late with a time difference greater than 30 seconds.
The reorder buffer is full.
(Bug 1018336)
To customize the way Lucene parses values in analyzed fields, you can add the lucene.search.stop.words.mode configuration property to the configuration.properties file.
For example, lucene.search.stop.words.mode=value, where value is one of the following:
empty - Do not use any of the default stop words.
add - Specify a comma-delimited string of stop words to add to the default list. This mode requires a second line to define the comma-delimited string.
For example:
lucene.search.stop.words.mode=add
lucene.search.stop.words.add=Word1,Word2,Word3
remove - Specify a comma-delimited string of stop words to remove from the default list. This mode requires a second line to define the comma-delimited string.
For example:
lucene.search.stop.words.mode=remove
lucene.search.stop.words.remove=Word1,Word2,Word3
custom - Specify a comma-delimited string of stop words to use instead of the default list. This mode requires a second line to define the comma-delimited string.
For example:
lucene.search.stop.words.mode=custom
lucene.search.stop.words.custom=Word1,Word2,Word3
(Bug 1040801)
The NoDataAlert internal event contains new event fields to identify which collector, connector, or event source does not have data.
Events from a Collector contain the following new fields:
CollectorID(rv22)
CollectorManagerID(rv21)
Events from a Connector contain the following new fields:
ConnectorID(rv23)
CollectorID(rv22)
CollectorManagerID(rv21)
Events from an event source contain the following new fields:
ConnectorID(rv23)
CollectorID(rv22)
EventSourceID(rv24)
CollectorManagerID(rv21)
(Bug 1044598)
Sentinel 8.0 SP1 P2 includes Jetty Web Server version 9.3.14.v20161028, which includes security fixes and other enhancements. (Bug 1062133)
New installations of Sentinel include the latest versions of several Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Web site.
Upgrade installations of Sentinel update the following plug-ins to ensure that these plug-ins are compatible with Sentinel 8.0 SP1 P2 and later:
Sentinel Agent Manager Connector to version 2017.1r1
Sentinel Link Connector to version 2011.1r5
Sentinel 8.0 SP1 P2 includes software fixes that resolve several issues.
Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard reports now take less time to execute. (Bug 1040660)
The /SentinelRESTServices/objects/plugin REST API now provides plugin information in human readable format. (Bug 992162)
Issue: When you use Data Federation to search for events in a distributed environment, the Search Results page displays duplicate events. (Bug 1048000)
Fix: The Search Results page no longer displays duplicate events.
Issue: The API documentation does not list all of the client download libraries the REST API requires to work properly. (Bug 1047684)
Fix: The Sentinel API Documentation now lists all the client download libraries the REST API requires.
Email notifications now display AM or PM appropriately. (Bug 1040423)
EventSearch Rest API completes successfully without any exceptions. (Bug 1038133)
Issue: Correlation Engine does not trigger current day events if the previous event had a timestamp beyond the epoch date. It displays the exception “Correlation reorder buffer is full” and crashes eventually. (Bug 1036765)
Fix: Correlation Engine now triggers current day events without exceptions.
Issue: Recent changes to how Sentinel validates correlation rules cause the Correlation Engine to fail to initialize if Sentinel has an older deployed rule with incorrect syntax. (Bugs 1039598 and 1039835)
Fix: Correlation Engine does not stop if there are older deployed rules with incorrect syntax. Also, you can now edit the invalid rule and correct the syntax to ensure that the rule works as expected.
Issue: When you export search results that include events from secondary storage, the CSV file only contains the headers and not the actual search results. (Bug 1043709)
Fix: The CSV file now includes search results you export.
Issue: When you upgrade Sentinel 8.0 and later, the installer displays the following error:
Installing: novell-Sentinelwebapp-8.0.0.1-3404 [done] Additional rpm output: /var/tmp/rpm-tmp.28463: line 263: [: search.hideUI=false: binary operator expected
(Bug 1025512)
Fix: This error no longer occurs during the upgrade process.
Issue: Two or three days after ISE integration, Sentinel becomes unresponsive. Sentinel server logs included the following message, which indicated out-of-memory exceptions and the inability to create threads:
java.lang.OutOfMemoryError: unable to create new native thread
This issue resulted from the large number of map updates that the ISE integration triggers, as well as an issue specific to maps with exactly one “RANGE” key plus one or more “STRING” keys. When this particular set of circumstances occurred, Sentinel created a separate h2temp directory for every unique String Key value. This meant that when the ISE ipmap.csv file had 6000+ entries (as might be typical during regular operating hours), Sentinel would recreate the 6000+ h2temp directories for every 30-second map update. (Bug 1030670)
Fix: The default map used to store maps, which specifically contain one “RANGE” key plus one or more “STRING” keys, is now in-memory map. The map does not use an H2 database and thus does not need to create the many h2temp directories.
NOTE:You can configure whether range/key maps use objects that require temporary directories. Add the new sentinel.mapping.h2.useDbRangeMap system property to the Sentinel configuration.properties file. This system property has the following values:
false: Use DataObjectKeyRangeMap objects, which do not require temporary directories (default value)
true: Use DBRangeMapDataObjectStorage objects, which require temporary directories
Issue: When a Sentinel server loses contact with a Collector Manager, the server generates LostContactWithCollectorManager and CollectorManagerDown internal events. The CollectorNodeName(port) and CollectorManagerId(rv21) event fields on these internal events do not display the information related to the Collector Manager. (Bug 1050941)
Fix: The CollectorNodeName(port) and CollectorManagerId(rv21) event fields now correctly display the Collector Manager Name and the Collector Manager ID.
All scheduled reports now run successfully. (Bug 1051167)
The Sentinel Core Top 10 report now runs successfully. (Bug 1055336)
This release resolves an issue where the agent data synchronization process (ETL) failed with an exception if an agent that you added synchronized with Sentinel before Sentinel Agent Manager collected the agent’s attributes. (Bug 1050192)
Issue: When a report job fails, you cannot search for it as an event. (Bug 1017358)
Fix: It is now possible to search for a failed report job as an event.
The scheduled search job now runs successfully. (Bug 1049055)
Scheduled reports now display the correct time range in the Reports and Searches panel. (Bug 1016735)
SSDM now processes events that have IPv6 addresses. (Bug 1006975)
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
Sentinel 8.0 SP1 P2 is available only for traditional installations of Sentinel. You can upgrade to Sentinel 8.0 SP1 P2 from Sentinel 7.4 and later.
Download the patch update from the Patch Finder website. For information about upgrading to Sentinel 8.0 SP1 P2, see Upgrading Sentinel
in the NetIQ Sentinel Installation and Configuration Guide.
NOTE:If you want to use Sentinel Link Connector, you must upgrade it to version 2011.r4, which includes software fixes for compatibility issues with Sentinel 8.0.1 and later.
After you upgrade Scalable Storage Data Manager (SSDM), you must re-submit Spark applications to consider the updated Spark files as well. Spark will not process any events that arrive during this phase until you re-submit Spark applications. To avoid this issue, perform the steps mentioned in NetIQ Knowledge Base Article 7018726.
Sentinel 8.0 SP1 P2 is compatible with Change Guardian 4.2 and later.
Before you upgrade, if your environment is not running a version of Change Guardian that is compatible with this version of Sentinel, you must first upgrade the Change Guardian Server, agents, and the Policy Editor to version 4.2 or later.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies.
Issue: SSDM in high availability mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)
Workaround: After installing the Elasticsearch security plug-in, perform the following steps on each node of the Elasticsearch cluster:
Log in to the Elasticsearch node as the user which Elasticsearch was installed as.
Add entries for the physical IP address of each active node and passive node of the HA cluster in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file as follows:
<Cluster_Node_Physical_IP>:<Target_Elasticsearch_HTTP_Port>
Add each entry in a new line and save the file.
In the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-configuration.properties file, set the authServer.host property to the virtual IP address of the HA cluster as follows:
authServer.host=<Cluster_Virtual_IP>
Restart Elasticsearch.
Issue: Sentinel does not display the Alert dashboards after upgrade. This issue occurs because Sentinel does not delete the Alert dashboard related temporary directory during upgrade. (Bug 984796)
Workaround: Delete the temporary files manually by performing the following procedure:
Log in to the Sentinel server as the novell user.
Change to the webapps directory as follows:
cd /var/opt/novell/sentinel/3rdparty/jetty/webapps/
Remove the sentinel-elasticsearch-proxy.tmp directory as follows:
rm -rf sentinel-elasticsearch-proxy.tmp
Change to the contexts directory and update the timestamp of the sentinel-elasticsearch-proxy.xml file as follows:
cd /etc/opt/novell/sentinel/3rdparty/jetty/contexts/
touch sentinel-elasticsearch-proxy.xml
Refresh the Sentinel Main interface to view the Alert dashboards.
Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)
Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:
Log in as the root user on the active node.
Open the /etc/csync2/csync2.cfg file.
Change the following line:
include /etc/opt/novell/sentinel/3rdparty/nss/*;
to
include /etc/opt/novell/sentinel/3rdparty/nss;
Save the csync2.cfg file.
Start the synchronization manually by running the following command:
csync2 -x -v
Issue: An issue with Kibana prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)
Workaround: Use a different browser to view or modify the Visualization dashboard.
Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)
Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:
Install Sentinel. For more information, see Installing Sentinel
in the Sentinel Installation and Configuration Guide.
Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode
in the Sentinel Installation and Configuration Guide.
Use the following command to enable the operating system to run in FIPS mode:
fips=1 /boot/grub/menu.lst
Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)
Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.
Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:
SEVERE|TimerThreadPool pool|esecurity.ccs.comp.scalablestorage.KibanaVisualAnalyticsUtil.initializeKibanaMappingSearchUnsuccessful in initializing the kibana mapping search call with status code 400
(Bug 1009662)
Workaround: You can safely ignore these messages. There is no functional impact.
Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(Bug 933640)
Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)
Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)
Workaround: Update the role with one of the following options:
Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)
Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.
You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.
For more information, see Configuring Data Retention Policies
in the NetIQ Sentinel Administration Guide.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)
Workaround: There is no workaround at this time.
Issue: When you install Sentinel in FIPS 140-2 mode, the connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, NetFlow, and alert data. (Bug 915241)
Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(Bug 810764)
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (Bug 870609)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.