This section contains some of the issues that might occur during installing or using Change Guardian, along with the actions to work around the issues.
Administration Console is Blank on Internet Explorer After Logging in
Change Guardian Agent for Windows Installation Using Agent Manager Fails
Asset Monitoring Failure Reports are not Captured for All Event Types
Azure AD Monitoring Events are not Captured for All Event and Attribute Types
Restarting the Change Guarding server with FIPS Mode Enabled Logs an Exception
Installing Change Guardian Agent for Windows Fails with SMB Protocol Mismatch
Change Guardian Web Console is Blank if the License Has Expired
Unable to Browse File Locations And Active Directories Using Policy Editor File Browser
If the Internet Security Level is set to High, a blank page appears after logging in to Sentinel and the file download pop-up might be blocked by the browser. To work around this issue, you need to first set the security level to Medium-high and then change to Custom level as follows:
Navigate to Tools > Internet Options > Security and set the security level to Medium-high.
Make sure that the Tools > Compatibility View option is not selected.
Navigate to Tools > Internet Options > Security tab > Custom Level, then scroll down to the Downloads section and select Enable under the Automatic prompting for file downloads option.
Issue: Change Guardian Agent for Windows installation using Change Guardian Agent Manager (CG AM) fails and displays the following error in failed task logs:
protocol negotiation failed...
This error might occur due to following reasons:
SMB1 protocol is disabled on Change Guardian Agent for Windows.
Change Guardian server is installed on SLES 11 SP4 or RHEL 6.7 platforms which supports SMBv1 only.
Workaround: Install Change Guardian Agent for Windows manually. For more information see Manual Installation.
Issue: The Asset monitoring failure reports are not captured for all event types such as audit failures, registry failures or system failures.
Workaround: To view the failure reports you must apply the policy where auditing mechanism of the specific event mentioned in the policy has failed.
Issue: When you upgrade Change Guardian 5.0 to Change Guardian 5.1 or later, Change Guardian server is unable to fetch events for the newly added events and attributes. The events are not captured if you have selected “All Events” or “All Attributes” when you created the policy using Change Guardian 5.0.
Workaround: Perform the following procedure to overcome this issue:
. In the left pane of the Policy Editor window, select Azure Active Directory > Azure Active directory Policies.
Expand the Azure Active directory Policies and select the policy where you are monitoring “All Events” or “All Attributes”.
Click Edit and modify the description.
Click Submit.
Enable the policy revision.
Issue: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.
Workaround: Manually set the flag to 1, when you use the Registry Browser, to avoid the error Could not connect to Windows Data Source. (Bug 945225)
Issue: If the Change Guardian server is FIPS-mode enabled and the server is restarted, the server logs an error message: "An unexpected exception occurred while decrypting data failed. Root cause: CKR_ENCRYPTED_DATA_INVALID (sun.security.pkcs11.wrapper.PKCS11Exception) java.security.ProviderException: doFinal() failed" (Bug 1129167)
Workaround: You can ignore the exception.
Issue: You need to roll back to an older package of the agent package, but the Agent Manager does not allow you to change the agent package version. (Bug 1155538)
Workaround: You can enable a new package, and disable the previous package by using the following file /opt/netiq/ams/ams/repository/packageActiveStatus.new.example.
Issue: Change Guardian Agent for Windows installation fails displaying the following error message in failed task logs: Protocol negotiation failed.... The error might occur due to the following reasons:
SMB1 protocol is disabled on Change Guardian Agent for Windows.
Change Guardian server is installed on a Linux version that does not support SMB Version 2 (such as SLES 11.x or RHEL 6.x that has kernel version 2.6.x or lower), but only supports SMB Version 1. (Bug 1155405)
Workaround: Upgrade the operating system, on which Change Guardian server is running, to a version that supports SMB Version 2.
Alternatively, you can manually install the latest version of Change Guardian Agent for Windows. For more information, see Installing Change Guardian Agent for Windows.
Issue: If your Change Guardian license expires, the web console displays a blank page. (Bug 949208)
Workaround: Add the license through the command line by using the softwarekey.sh script. For more information, see Adding a License Key in the Change Guardian User Guide.
Issue: Following are the conditions:
Unable to browse to file locations within a policy.
Unable browse active directory from within a policy. (Bug 995355)
Workaround: To enable LDAP browsing in policy editor, perform the steps mentioned in NetIQ Knowledgebase Article 7017291.
Issue: Change Guardian does not receive Dell EMC events if the CEPA server is not running. Accessing the CEPA from a browser shows that the site cannot be reached.
Workaround: Start the CEPA server
To start the server:
Open services.mcs and run the EMC CAVA service.
In the Dell EMC web-console, check if the CEPA IP is provided in the following format: http://1.1.1.1:12228/cee