NetIQ Change Guardian 5.0 Release Notes

September 2017

NetIQ Change Guardian 5.0 improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the NetIQ Downloads website. To download patches for this product, see the Patch Finder website.

For the latest version of these release notes, see Change Guardian 5.0 Release Notes.

1.0 What’s New?

The following outlines the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Support for Azure Active Directory Monitoring

This version of Change Guardian supports monitoring functionality on the Azure Active Directory along with on-premises Active Directory. For information about the capabilities that are supported in this version of Change Guardian, see Understanding Azure Active Directory Monitoring in Change Guardian User Guide.

NOTE: During an upgrade from Change Guardian 4.2 or later to Change Guardian 5.0, ensure that you reconfigure the Windows agent to enable Azure AD monitoring.

1.2 Simplified Packaging for Change Guardian for UNIX Installations

Change Guardian 5.0 bundles the Security Agent for UNIX 7.5 SP1 installer and makes it easy to install through the Change Guardian Agent Manager. The packaging and deployment model is similar to the model for the Windows agent that was introduced in Change Guardian 4.2.

You can use UNIX Agent Manager (UAM) or Change Guardian Agent Manager (CG AM) to deploy and manage your agents. Both UAM and CG AM allow you to remotely install one or more agents. However, certain functionalities are available only in UAM or only in CG AM. Depending on your requirements, you can decide whether you need to install UAM, CG AM, or both. UAM and CG AM can coexist. For more information, see Comparison of UAM and CG AM functionalities.

To get an overview of the most important considerations to make when you are installing or upgrading Security Agent for UNIX, see Deployment Considerations in Security Agent for UNIX documentation.

1.3 New Dashboard

Change Guardian 5.0 introduces a new Threat Response Dashboard. The Threat Response Dashboard is the main user interface for viewing and triaging alerts. Any user with permission to manage alerts can use the Threat Response Dashboard.

1.4 Interoperability of Directory and Resource Administrator With Change Guardian For Privileged Monitoring

Change Guardian 5.0 provides enhanced user monitoring in conjunction with Directory and Resource Administrator 9.1. Together they provide an integrated solution to control, manage and monitor the Active Directory environment.

When you use DRA to make changes to Active Directory, for example, when you create a user using Create User wizard in DRA, Change Guardian server gets notified and displays the actual user name, domain name and System ID of the user who logged in to DRA to make AD changes. For more information, see Interoperability of Directory and Resource Administrator With Change Guardian For Privileged Monitoring.

Before you upgrade Change Guardian to 5.0, you must first upgrade Directory and Resource Administrator to 9.1 or later.

1.5 Displaying Active Directory Attributes Correctly

When you log in to a host and make any changes to Active Directory in the domain controller machine, Change Guardian displays the IP address and the Active Directory hostname of the computer (through which you have logged in to the domain controller) in the event list on the Change Guardian web console.

The following logon types are supported:

  • Network logon

  • Remote Interactive logon

  • Remote Desktop logon

For example, when you modify the Active Directory attributes from the member server, the event that is forwarded to Change Guardian web console displays the actual user name and IP address in the event list.

NOTE: If you restart the Change Guardian Windows Agent, you must restart the AD tools.

For Remote Interactive logon through the domain controller, the source initiator IP address is displayed in the event list on the Change Guardian web console.

1.6 Support of Higher TLS Versions for Enhanced Secure Communication

To improve the security posture and to prevent known vulnerabilities, now you can disable TLSv1.0 so that Change Guardian can use a higher version of TLS such as TLSv1.1 and TLSv1.2. For more information, see Enabling Higher Versions of TLS for Communication in the NetIQ Change Guardian User Guide.

NOTE: For upgrades, TLS 1.0 is enabled to ensure backward compatibility, but it will be disabled in a future release. Therefore, ensure that you upgrade all communications to TLS 1.1 or later.

For new installations, TLS 1.0 is disabled for enhanced security. Ensure that all the components communicating with Change Guardian are configured to use TLS 1.1 or 1.2.

1.7 Enhanced OpenSSL Security

Change Guardian bundles a newer version of OpenSSL to support new protocols and address known vulnerabilities.

1.8 Updates to Certified Platforms

There are several updates to the Change Guardian certified platforms.

For more information about the certified platforms, see the Technical Information for Change Guardian web page.

New Certified Platforms

Change Guardian is now certified on the following platforms:

Traditional installation: Red Hat Enterprise Linux Server (RHEL) 6.8 64-bit

Appliance installation:

ISO appliance:

  • VMware ESX 6.0

  • VMware ESX 6.5

  • Hyper-V Server 2016

OVF appliance:

  • VMware ESX 6.0

  • VMware ESX 6.5

Event Source: Security Agent for UNIX 7.5 SP1

Web Browser: Microsoft Edge

Deprecated Platforms

Traditional Installation:

  • Red Hat Enterprise Linux Server 6.6 64-bit

  • Red Hat Enterprise Linux Server 6.7 64-bit

Appliance Installation: Citrix XenServer 6.5 (for both ISO and OVF)

Web Browser: Microsoft Internet Explorer 10

Data Synchronization: Microsoft SQL Server 2005

1.9 Software Fixes

Change Guardian 5.0 includes software fixes that resolve several previous issues.

LDAP Browsing Displays Blank Screen

Issue: LDAP browsing displays a blank screen in the following scenarios:

  • Parent-child domain configuration, while browsing child domain. (Bug 984258)

  • Parent-child domain configuration, while browsing parent domain. (Bug 1005384)

  • Primary and multiple backup configuration, if either of the computers is down. (Bug 981222 and 996346)

Fix: LDAP browsing no longer displays a blank screen, and it supports displaying more than 7000 users.

Forwarding Syslog Event Not Working Without Applying Filter

Issue: Syslog event forwarding does not work if no filter is applied. (Bug 1008162)

Fix: Specify the filter string for seamless forwarding of syslog events.

Examples of filters:

  • pn:"NetIQ Change Guardian" AND (sev:[0 TO 1])

  • pn:"NetIQ Change Guardian" AND (sev:[2 TO 5])

For more information, see the following KB articles.
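The two filter strings above are Lucene-style queries: an exact product-name term combined with an inclusive severity range. The following Python matcher is an added example written for these release notes, not Change Guardian's own filter engine; it assumes the fields are named pn and sev as in the examples, that ranges are inclusive and numeric, and that clauses are joined with AND. The sample events are constructed. It also rejects an empty filter, mirroring the fix above, which requires a filter string to be specified.

```python
import re

# Constructed sample events (not real Change Guardian output) carrying the two
# fields the release-notes filters reference: pn (product name) and sev
# (severity, assumed to be an integer in the range 0-5).
SAMPLE_EVENTS = [
    {"pn": "NetIQ Change Guardian", "sev": 0, "msg": "AD attribute modified"},
    {"pn": "NetIQ Change Guardian", "sev": 3, "msg": "file integrity change"},
    {"pn": "NetIQ Change Guardian", "sev": 5, "msg": "policy violation"},
    {"pn": "Other Product", "sev": 1, "msg": "unrelated event"},
]

# One clause: field:"quoted phrase", field:[low TO high] or field:bareword.
_TERM = re.compile(r'(\w+):(?:"([^"]*)"|\[(\S+)\s+TO\s+(\S+)\]|(\S+))')


def _range_pred(field, low, high):
    """Inclusive numeric range test; '*' on either side leaves that side open."""
    low_n = None if low == "*" else float(low)
    high_n = None if high == "*" else float(high)

    def pred(event):
        try:
            value = float(event[field])
        except (KeyError, TypeError, ValueError):
            return False  # a missing or non-numeric field never matches a range
        return (low_n is None or value >= low_n) and (high_n is None or value <= high_n)

    return pred


def _equals_pred(field, expected):
    def pred(event):
        return field in event and str(event[field]) == expected
    return pred


def parse_filter(expr):
    """Parse CLAUSE (AND CLAUSE)* into a list of predicates that must all hold.
    Parentheses around a clause, as in the release-notes examples, are ignored.
    An empty filter is rejected: forwarding needs a filter string (see 1.9)."""
    expr = expr.strip()
    if not expr:
        raise ValueError("a filter string must be specified")
    preds = []
    for clause in re.split(r"\s+AND\s+", expr):
        clause = clause.strip().strip("()").strip()
        match = _TERM.fullmatch(clause)
        if match is None:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        field, phrase, low, high, word = match.groups()
        if low is not None:
            preds.append(_range_pred(field, low, high))
        else:
            preds.append(_equals_pred(field, phrase if phrase is not None else word))
    return preds


def is_valid_filter(expr):
    """True when expr parses; False for an empty or malformed filter."""
    try:
        parse_filter(expr)
    except ValueError:
        return False
    return True


def matches(expr, event):
    """True when every clause of expr holds for the event."""
    return all(pred(event) for pred in parse_filter(expr))


def select(expr, events):
    """Return the events that the filter would forward."""
    preds = parse_filter(expr)
    return [ev for ev in events if all(pred(ev) for pred in preds)]


if __name__ == "__main__":
    for expr in ('pn:"NetIQ Change Guardian" AND (sev:[0 TO 1])',
                 'pn:"NetIQ Change Guardian" AND (sev:[2 TO 5])'):
        print(expr, "->", [ev["msg"] for ev in select(expr, SAMPLE_EVENTS)])
```

Running the module shows the first filter forwarding only the severity-0 event and the second forwarding the severity-3 and severity-5 events; the severity-1 event from the other product is dropped by the pn clause in both cases.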

1.10 Displaying Correct Source Hostname Information for Active Directory Events

Issue: The Domain Controller hostname and IP address information was displayed for all Change Guardian Active Directory events.

Fix: The actual hostname and IP address of the computer from where the changes are made is displayed for all Change Guardian Active Directory events. (Bug 1042678)

1.11 VMware vSphere 5.5 Web Client Can Import OVF Templates

Issue: An issue with VMware vSphere 5.5 Web Client prevents you from using it to import .ovf templates. (DOC332977)

Workaround: You can now import an .ovf template by using the VMware vSphere 5.5 Client.

1.12 Approved Assets Does Not Require Authentication

You no longer need to provide a username and password when you select an asset in the All Assets list and that asset has an agent installed on it. (Bug 942853)

1.13 Restoring Data to Remote Change Guardian Server Is Supported

Due to certificate updates, the Agent Manager Server data and configuration are now restored successfully on the secondary servers. (Bug 999503)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information page.

3.0 Upgrading Change Guardian

You can upgrade to Change Guardian 5.0 from Change Guardian 4.2 or later.

For information about the upgrade procedure, see Upgrading Change Guardian.

3.1 Upgrading the Change Guardian Appliance

To upgrade the appliance, use the zypper command line utility because user interaction is required to complete the upgrade. WebYaST is not capable of facilitating the required user interaction. For more information about upgrading the appliance using zypper, see Upgrading the Appliance by Using zypper in the NetIQ Change Guardian User Guide. (Bug 1054209)

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Cannot View Alerts with IPv6 Data in Alert Views

Issue: Change Guardian alert views do not display alerts that have IPv6 addresses in IP address fields. (Bug 981570)

Workaround: To view alerts with IPv6 addresses in Change Guardian, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.

4.2 Cannot Install Change Guardian Server as Non-root User

The installation process does not support installing the Change Guardian Server as a non-root user. (Bug 948756)

4.3 Upgrade Process Fails if You Renamed the .msi Package for the Original Installation

If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)

4.4 Manual Configuration Required to Use Registry Browser

To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled registry value (HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.

If you do not manually set the flag to 1, when you use the Registry Browser, you will receive a Could not connect to Windows Data Source error. (Bug 945225)

4.5 Local Users in Administrator Group Cannot Deploy Agents to Windows Computers

With Microsoft KB article 951016, Microsoft introduced a feature called UAC remote restrictions, which removes the SID (security identifier) for the Administrators group from the logon token for local non-Administrator user accounts in the Administrators group. The actual Administrator account remains unchanged. As a result, to deploy agents to Windows computers, you must use the actual Administrator account or a domain account that has administrator access to the computer. For more information, see https://support.microsoft.com/en-us/kb/951016. (Bug 918180)

4.6 Option to Rerun Tasks from 'Failed Tasks' Does Not Work

Issue: If an agent installation, upgrade, or uninstall task fails, the option to re-run the task from the Failed Tasks list does not work. (Bug 942426)

Workaround: In Agent Manager, select the asset and run the task again.

4.7 Asset Tasks Remain 'In Progress' Indefinitely

Issue: If the connection between Agent Manager and a monitored asset is lost, tasks related to that asset remain In Progress indefinitely. (Bug 941549)

Workaround: Manually cancel the task in Agent Manager.

4.8 Issues Monitoring DNS Configuration Changes

If you create a policy to monitor for DNS Configuration Modified events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. As a result, Change Guardian does not support the following options when monitoring for DNS configuration changes:

  • Include Only or Exclude Events (Bug 906981)

  • Managed Events (Bug 906984)

4.9 Issue Monitoring Local User and Groups Privilege Events

If you create a policy to monitor for Local User and Groups Privilege events, a limitation in Microsoft Windows prevents the policy from retrieving information about the users who performed the actions for which the policy is monitoring. (Bug 957980)

4.10 Internal Audit Events Go Only to Primary Event Destination in FIPS Mode

If you run Change Guardian in FIPS mode, internal audit events go only to the primary event destination. They do not go to any additional event destinations in your environment. (Bug 956881)

4.11 Change Guardian Server Cannot Connect to Data Sources in FIPS Mode

Issue: If the Change Guardian Server is running in FIPS mode, when you browse data source objects while creating a policy, you will receive a Could not connect to Windows Data Source error. (Bug 956886)

Workaround: You can avoid this error by manually entering the file paths in the policy. To find the file paths, log on to the computer you want to monitor, and then use the cd and dir commands.

4.12 Deleting an Asset with Agent Manager Does Not Delete All Components

Issue: If you use Agent Manager to delete an asset, Agent Manager does not delete the NetIQ Change Guardian Agent component from the Installed Programs list in Windows. To remove all asset components completely, uninstall the NetIQ Change Guardian Agent component from the computer, and then use Agent Manager to delete the asset from Change Guardian. (Bug 940340)

4.13 Issue with Privileges for Local Users and Groups Prevents Change Guardian from Generating an Event

If you delete a privilege from a user, and it was the only privilege assigned to that user, Change Guardian will not generate any events for that privilege. This is caused by a known issue with the way Microsoft implements the removal of some privileges for local users and groups. (Bug 957505)

4.14 Manually Uninstalling an Agent Does Not Remove the Agent's Version Details from Agent Manager

Issue: If you manually uninstall an agent, Agent Manager continues to display version details for the agent. (Bug 946582)

Workaround: In Agent Manager, select the agent in the 'All Assets' group and delete it.

4.15 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Installations

Issue: In upgraded installations, when you search for alert attributes in the Tips table in the web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

4.16 Change Guardian Web Console is Blank if the License is Expired

Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)

Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key in the Change Guardian User Guide.

4.17 Change Guardian Cannot Retrieve Events Related to Users Logging On or Off a Domain Controller

Issue: If you have an agent on a Domain Controller, when domain users use their network credentials to log on or off from a remote domain member computer, Change Guardian cannot retrieve the events related to the users logging on or off. (Bug 939651)

Workaround: There is no workaround at this time.

4.18 Active Directory Does Not Synchronize New User if the Account Name is the Same as a Deleted User

Issue: If you delete a user from Active Directory, and then create a new user with same account name, Active Directory does not synchronize the new user. (Bug 940781)

Workaround: There is no workaround at this time.

4.19 Default Database Service Port Must Be Used for Change Guardian Server

To successfully install Change Guardian 4.2 or later, you cannot modify the default Database Service port. (ENG333165)

4.20 Event Severity is Always Calculated Automatically for Security Agent for UNIX Events

Event Severity is always calculated automatically for Security Agent for UNIX events, including events generated by policies configured with a custom severity. (DOC333969)

4.21 Forwarded Events Might Contain Extra Characters

When you use the Syslog Dispatcher to forward events in Change Guardian, event attributes might contain additional backslash (\) characters that escape the following characters: \, =, and |. These extra characters are necessary for the event to conform to the Common Event Format (CEF) specification. To remove them, parse the events with a CEF parser. (ENG334907)
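The following CEF parser is an added example for this release note, not a NetIQ tool. It splits a forwarded line into the seven header fields and the key=value extension while honouring the backslash escaping described above, so the consuming system sees the original \, = and | characters rather than the escape sequences. The sample line is constructed and its field values are made up; the header field names and the assumption that values may contain spaces follow the CEF specification.

```python
import re

# Constructed sample line (field values made up) in the shape the Syslog
# Dispatcher forwards: CEF header fields separated by '|', then a key=value
# extension. Backslash, '=' and '|' inside values are escaped with '\',
# as described in 4.21, so the raw text carries doubled backslashes.
SAMPLE_CEF = (
    r"CEF:0|NetIQ|Change Guardian|5.0|1001|File Integrity \| Diff|5|"
    r"fname=C:\\Windows\\hosts act=modify msg=diff \=\= a \| b "
    r"suser=DOMAIN\\alice"
)

_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity"]
_SPECIAL = {"n": "\n", "r": "\r"}  # CEF spells newlines as \n and \r


def _unescaped_positions(text, ch):
    """Indexes of ch in text that are not preceded by an escaping backslash."""
    out, escaped = [], False
    for i, c in enumerate(text):
        if escaped:
            escaped = False          # this char was escaped, whatever it is
        elif c == "\\":
            escaped = True
        elif c == ch:
            out.append(i)
    return out


def _unescape(text):
    """Drop CEF escaping: backslash-X becomes X (newline/CR for \\n and \\r)."""
    return re.sub(r"\\(.)", lambda m: _SPECIAL.get(m.group(1), m.group(1)), text)


def parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...'. Values may contain spaces and escaped
    characters; a new pair starts at the last space before an unescaped '='."""
    eq_positions = _unescaped_positions(ext, "=")
    key_starts = [ext.rfind(" ", 0, p) + 1 for p in eq_positions]
    pairs = {}
    for n, p in enumerate(eq_positions):
        end = key_starts[n + 1] if n + 1 < len(eq_positions) else len(ext)
        pairs[ext[key_starts[n]:p]] = _unescape(ext[p + 1:end].rstrip(" "))
    return pairs


def parse_cef(line):
    """Return a dict of the seven header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    pipes = _unescaped_positions(line, "|")
    if len(pipes) < 7:
        raise ValueError("CEF header must contain seven unescaped '|' separators")
    cuts = [len("CEF:") - 1] + pipes[:7]    # each field runs between two cuts
    record = {name: _unescape(line[cuts[i] + 1:cuts[i + 1]])
              for i, name in enumerate(_HEADER_FIELDS)}
    record["extension"] = parse_extension(line[pipes[6] + 1:])
    return record


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_CEF)
    print({k: v for k, v in rec.items() if k != "extension"})
    for key, value in rec["extension"].items():
        print(f"{key} = {value!r}")
```

Escaped characters are located with a single left-to-right scan rather than a regular expression, because a backslash that is itself escaped (as in a Windows path) must not be mistaken for the start of a new escape sequence.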

4.22 File Integrity Diff Data Might Be Truncated in Events Forwarded to Syslog Servers

If you configure the Change Guardian Server to forward File Integrity events to a Syslog Server, and then you modify a monitored file, the diff data in the forwarded event might be truncated if the diff data size is greater than 1 KB. The forwarded event provides a URL that allows you to view the full event and the complete file diff data in the Change Guardian Web console. (ENG335411)

4.23 Events Not Generated When AD Schema Policies Created for Attributes and Class Together

Issue: When you assign Active Directory schema policies that were created for Attribute and Class schema monitoring together to the monitored assets, the AD schema events are not generated. (Bug 994045)

Workaround: You must assign Active Directory schema policies separately for Attributes and Class in the Policy Editor console for successful event generation.

4.24 Unable to Browse File Locations And Active Directories Using Policy Editor File Browser

Issue: The following conditions occur:

  • Unable to browse to file locations from within a policy.

  • Unable to browse Active Directory from within a policy. (Bug 995355)

Workaround: To enable LDAP browsing in policy editor, perform the steps mentioned in NetIQ Knowledgebase Article 7017291.

4.25 Backup Directory Not Removed After Successful Restore

Issue: After a successful restore, the Change Guardian backup directory remains on the Change Guardian server. (Bug 997595)

Workaround: Although there is no impact on functionality, NetIQ recommends that you delete the directory before taking a new backup.

4.26 Agent Manager is Not Populated With the Newly Added Assets

Issue: When you launch the Agent Manager using Internet Explorer, and add an asset, the newly added assets are not populated in the Explorer until you do a manual refresh. (Bug 992655)

Workaround: Complete the following setting changes in the Internet Explorer browser each time you launch the Agent Manager:

  • Go to Tools > Internet Options.

  • In the General tab, click the Settings button under Browsing history.

  • In the Website Data Settings window, select the Every time I visit the webpage radio button and click OK.

  • In the Internet Options window, click OK to save the setting.

4.27 New Installation of Change Guardian 5.0 Cannot Manage Security Agent for UNIX 7.5

Issue: When you have Security Agent for UNIX 7.5 with Sentinel and SCM, and you want to install Change Guardian 5.0, Change Guardian 5.0 cannot manage the 7.5 agents due to a profile mismatch. (Bug 1056377)

Workaround: Upgrade your agents to 7.5 SP1 or later using UAM.

4.28 Issues with Azure Active Directory For Change Guardian

Change Guardian is unable to generate events from Azure Active Directory for the following events and attributes:

  • Groups

    • Create Group Settings

    • Update Group Settings

    • Delete Group Settings

    • Set group managed by

  • Group Attributes

    • Classification

    • DirSyncEnabled

    • Is Membership Rule Locked

    • Is Public

    • Mail

    • Proxy Address

    • Well Known Object

  • User Events

    • Update User Credentials

    • Set Force Change User Password

    • Set License Properties

  • User Attributes

    • Alternative Security Id

    • Invite Resources

    • MS Exchange Remote Recipient Type

    • Preferred Data Location

NOTE: Change Guardian does not support the following:

  • Consolidating multiple events into a single event for Update user and Update group events.

  • Monitoring the managed groups.

4.29 Issues with DRA Coexisting with Change Guardian

The following are known issues when DRA coexists with Change Guardian:

  • Change Guardian events do not display the actual user name in the following scenarios:

    • When you define Computer Account Enabled or Disabled, or User Account Unlock policies.

    • When you make any modifications to the Group Scope or Group Type.

    • When you make changes to the remote access permission in the Dial In tab in DRA, two modification events are populated. The event shows User-Parameters in the delta.

  • Change Guardian events do not display the actual user name, when you make changes in the following tabs in DRA:

    • Account tab

    • Password tab

    • Member of tab

    • Terminal Services tab

    • Dial in tab

    • Call back tab

4.30 Issue With Removable Media Audit Events

The following are the issues with the removable media audit events:

  • When you audit a USB thumb drive, it works and delivers events as expected. When you plug in a USB hard drive, the policy does not trigger any events.

  • For Windows, there are policies for removable media where you can get events for Device Attached, Device Detached, File Read, Write, and Delete actions. For UNIX computers, there are no policies for removable media auditing.

    (Bug 1031419 and 1044959)

4.31 Exception While Installing Change Guardian 5.0 Version

Issue: With the new platform support in the Change Guardian 5.0 release, the following message appears during installation:

su: ignoring --preserve-environment, it's mutually exclusive with --login

Workaround: You can safely ignore this message. There is no functional impact. (Bug 1044685)

4.32 AD Authentication Fails when ‘LDAP Require Signing’ Is Enabled for an Asset Supporting SSL Protocol

Issue: AD authentication for an SSL-enabled asset fails when you use Agent Manager to add an asset that has LDAP Require Signing enabled.

Workaround: Perform the following steps:

  1. Enable TLS 1.1 or TLS 1.2 on your SSL enabled AD machine by adding the appropriate registry keys.

  2. Add the client certificate of your SSL enabled AD machine to the root keystore in the Change Guardian server.

  3. To add the client certificate to the root keystore, go to /opt/novell/sentinel/jdk/jre/lib/security and perform the following steps:

    1. Copy the client certificate.

    2. Run the command: /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias ourCA -file <client certificate> -keystore cacerts

  4. When prompted, specify the password as changeit.

  5. When prompted with Trust this certificate?, specify yes. (Bug 983410)

4.33 Change Guardian Server Installation Fails on FIPS Enabled Operating System

Issue: Change Guardian server installation fails if the Operating system is in FIPS mode. (Bug 996277 and 993398)

Workaround: Perform the installation in the following sequence:

  • Install Operating System in non-FIPS mode

  • Install Change Guardian server in FIPS mode

  • Convert Operating System to FIPS mode after successful installation of Change Guardian server.

4.34 Cannot View Alerts When OS is in FIPS Mode

Issue: Change Guardian alert views do not display alerts when OS is in FIPS mode. (Bug 1052197)

Workaround: There is no workaround at this time.

4.35 Exception After Changing Keystore Password With Specific Special Characters

Issue: When you upgrade Change Guardian to 5.0 and change the keystore database password to one that consists of specific special characters, you see the following exception: Failed to initialize Communicator. (Bug 1055428)

4.36 Unable to Change Password of Existing Email Configurations

Issue: You will not be able to change the password of the existing email configurations. (Bug 1058048)

Workaround: If you change your email password, you must perform the following steps to receive email notifications:

  1. Log in to Policy Editor as a user with the administrator role.

  2. Delete the existing email configuration.

  3. Create a new email configuration. For more information, see Understanding Change Guardian Email Alerts.

  4. Create a new routing rule. For more information, see Assigning Email Alerts to Events.

4.37 Document Available With The Change Guardian Installation Files Refers to Uncertified Operating Systems

Issue: A workaround in the User Guide > Troubleshooting section suggests installing Change Guardian on SLES 12 SP4 and Red Hat Enterprise Linux 7.3, which are not certified platforms. This incorrect reference is only in the documentation available with the Change Guardian installation files.

Workaround: Refer to the latest version of the Troubleshooting section and the documentation available online in the Change Guardian User Guide.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

6.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2017 NetIQ Corporation. All Rights Reserved.