This patch update resolves issues in Sentinel 8.1. For more information about the new features, improved usability, and resolved issues in Sentinel 8.1, see the Sentinel 8.1 Release Notes.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.
For the latest version of these release notes, see Sentinel 8.1 Patch Update 1 Release Notes.
This patch update resolves the following enhancement and software issues:
The NoDataAlert event now includes tags assigned to the Event Source, Connector, or Collector node that is being alerted on. You can now filter on that tag to easily identify the specific node that is not receiving data.
The NoDataAlert event now includes the following event fields:
For Collector:
|
For Connector:
|
For Event Source:
|
Issue: When you restart Sentinel 8.1 or upgrade to Sentinel 8.1, it clears all existing Dynamic Lists. (Bug 1047127)
Fix: Restarting or upgrading to Sentinel 8.1 does not clear Dynamic Lists.
Issue: After the Sentinel 8.1 upgrade is complete, Sentinel Main and the dashboards do not launch and displays the HTTP ERROR 500 error. (Bug 1047106)
Fix: Sentinel 8.1 Main and dashboards now launch properly after the upgrade.
Issue: The Partition ID does not synchronize correctly, causing mismatched event details when correlating events with incidents. (Bug 1028620)
Fix: When correlating events with incidents, the Partition ID now returns the appropriate value.
NOTE:It can take up to two days for data synchronization to update the Partition ID value. To ensure you provide enough time for the data synchronizes correctly, set the value in the data retention policy to more than 2.
Issue: Sentinel automatically prints audit events to the log file. (Bug 969147)
Fix: By default, Sentinel no longer prints audit events to the log file.
If you want to print audit events to the log file, open the server_log.prop file and add the following comment:
"esecurity.ccs.comp.audit.AuditLogger.level=INFO"
Scheduled reports now display the correct time range in the Reports and Searches panel. (Bug 1016735)
Issue: Recent changes to how Sentinel validates correlation rules cause the Correlation Engine to fail to initialize if Sentinel has an older deployed rule with incorrect syntax. (Bugs 1039598 and 1039835)
Fix: Correlation Engine does not stop if there are older deployed rules with incorrect syntax. Also, you can now edit the invalid rule and correct the syntax to ensure that the rule works as expected.
Issue: After collecting attributes from an agent, the Device Details page displays a null value in Agent Version. (Bug 993290)
Fix: The Device Details page now displays the correct Agent Version value.
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
For information about installing Sentinel 8.1 Patch Update 1, see the NetIQ Sentinel Installation and Configuration Guide.
You can upgrade to Sentinel 8.1 Patch Update 1 from Sentinel 7.4 and later.
For information about upgrading to Sentinel 8.1 Patch Update 1, see the NetIQ Sentinel Installation and Configuration Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies.
Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)
Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.
Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error:
License for Distributed Search feature is expired
(Bug 1034656)
Workaround: To run reports in the same JVM as Sentinel, complete the following steps:
Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/server.xml file.
Locate the following property:
<property name="reporting.process.oktorunstandalone">true</property>
Change the setting to false:
<property name="reporting.process.oktorunstandalone">false</property>
Restart Sentinel.
Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)
Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:
Log in as the root user on the active node.
Open the /etc/csync2/csync2.cfg file.
Change the following line:
include /etc/opt/novell/sentinel/3rdparty/nss/*;
to
include /etc/opt/novell/sentinel/3rdparty/nss;
Save the csync2.cfg file.
Start the synchronization manually by running the following command:
csync2 -x -v
Issue: An issue prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)
Workaround: Use a different browser to view or modify the Visualization dashboard.
Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)
Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:
Install Sentinel. For more information, see Installing Sentinel
in the Sentinel Installation and Configuration Guide.
Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode
in the Sentinel Installation and Configuration Guide.
Use the following command to enable the operating system to run in FIPS mode:
fips=1 /boot/grub/menu.lst
Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:
Failed to set encrypted password
(Bug 967764)
Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.
Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)
Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.
Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(Bug 933640)
Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)
Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue:
Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy
in the NetIQ Sentinel Administration Guide. (Bug 913014)
Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.
Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)
Workaround: Update the role with one of the following options:
Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)
Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.
You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.
For more information, see Configuring Data Retention Policies
in the NetIQ Sentinel Administration Guide.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)
Workaround: There is no workaround at this time.
Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)
Workaround: To export search results properly, perform either of the following:
While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.
Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.
Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)
Workaround: Click the second report result PDF again to view the report result.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(Bug 810764)
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (Bug 870609)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.