Novell Sentinel Log Manager 1.1 Release Notes

July 08, 2010

Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.

1.0 What's New in Sentinel Log Manager 1.1

1.1 Roles

Administrators can now create roles that can be assigned to any number of users. Each role can be assigned a different set of permissions, and the users belonging to a role inherit the permissions of the role they are in.

Sentinel Log Manager includes a few default roles with the required permissions. However, you can modify the permissions and create more roles based on your requirements.

For more information on group permissions, see Configuring Users and Roles in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.2 Distributed Search

The Distributed Search feature enables you to search for events not only on your local Sentinel Log Manager server, but also on other Sentinel Log Manager servers distributed across the globe. After you set up the Distributed Search configuration to link multiple servers with the local server (search initiator), you can perform a search on the local server, and optionally instruct the search engine to also perform the search on the linked servers. Corresponding events from all the selected servers are retrieved and displayed in the search results. Each event in the search results displays the server information from which the event is being retrieved.

Exporting search results, sending search results to an action, and retrieving raw data events are enhanced to take advantage of this new feature. The reporting engine is also enhanced to use the same underlying search engine so that reports can include data from multiple Sentinel Log Manager servers.

For more information on Distributed Search, see Searching and Reporting Events in a Distributed Environment in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.3 Tags

The Tags feature enables you to create and assign one or more searchable tag attributes to Event Management System (ESM) nodes such as event sources, event source servers, Collector Managers and Collector plug-ins, and also to reports. All the events coming from these ESM nodes are also tagged. By tagging, you can create logical groupings of these ESM nodes, the events themselves, and reports.

Events can be searched based on the tags applied to them, and event sources and reports can be filtered based on the tags they have.

Sentinel Log Manager includes some default tags; however, you can create new tags based on your requirements.

For more information on tags, see Configuring Tags in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.4 Appliance

The Sentinel Log Manager appliance is a ready-to-run software appliance that combines a Novell SUSE Linux Enterprise Server (SLES) 11 operating system and Novell Sentinel Log Manager software with an update service. This appliance offers an enhanced browser-based user interface that supports collection, storage, reporting, and searching of log data from a wide variety of devices, applications, and protocols.

Sentinel Log Manager 1.1 appliance is available in the following formats:

  • A VMware appliance image

  • A Xen appliance image

  • A hardware appliance Live DVD image that is directly deployable to a hardware server

NOTE: Sentinel Log Manager 1.0 users can migrate their installation to a Sentinel Log Manager 1.1 appliance by following the instructions in Section 6.4, Migrating from 1.0 to 1.1 Appliance in the Novell Sentinel Log Manager 1.1 Installation Guide.

For more information about Sentinel Log Manager appliance installation, see Installing the Appliance in the Novell Sentinel Log Manager 1.1 Installation Guide.

1.5 Enhancements to LDAP Authentication

  • A new user interface is provided under the Users tab to configure a Sentinel Log Manager server for LDAP authentication.

  • LDAP authentication can be performed with or without using anonymous search on the LDAP directory.

For more information on LDAP authentication, see LDAP Authentication in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.6 Enhancements to Reports

Reports are enhanced to enable drilling down into the events that make up the report. This drill-down option provides the ability to launch a search with the same query and time frame that was used to generate the report, so users can view details of the events used to generate the report.

Multiple report definitions and report results can be exported at one time and multiple report definitions can be imported at one time either from a report definition export zip file or a Collector Pack file.

For more information on these enhancements, see Reporting in the Novell Sentinel Log Manager 1.1 Administration Guide.

New report templates have been added and existing report templates have been updated. A few report templates that were not in use have also been deleted. For more information on the available report templates, see Sentinel Log Manager Reports in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.7 Data Restoration

The new data restoration feature can restore the old, lost, or deleted event data. You can also perform a search on the restored event data.

A new Data Restoration section has been added to the Storage > Configuration user interface. You can select specific event partitions whose event data should be restored, and configure when the restored event partitions expire again.

For more information on data restoration, see Restoring Event Data in Configuring Data Storage in the Novell Sentinel Log Manager 1.1 Administration Guide.

2.0 What’s New in Sentinel Log Manager

2.1 500 EPS Version of Sentinel Log Manager

The Novell Sentinel Log Manager is now available in a 500 EPS (events per second) version. The 500 EPS version is suitable for small deployments with only one Sentinel Log Manager server and a low event rate. It can also be used as a low-volume node reporting to another Sentinel or Sentinel Log Manager server in a large deployment.

2.2 New End User License Agreement

The end user license agreement (EULA) terms have been updated in this release. You must accept the new terms before proceeding to apply the latest patch. Some of the changes in the EULA are:

  • Novell Sentinel Log Manager is now available in a 500 EPS version.

  • Updated definition for Non-Production Instance.

  • Updated definition for Type I Device.

3.0 System Requirements

There are no major changes in the system requirements since the Sentinel Log Manager 1.0 release.

For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see the Novell Sentinel Log Manager 1.1 Installation Guide.

4.0 Installing Novell Sentinel Log Manager 1.1

To install Novell Sentinel Log Manager 1.1, see the Novell Sentinel Log Manager 1.1 Installation Guide.

5.0 Defects Fixed in Sentinel Log Manager 1.1

  • The Top 10 report for Intrusion Detection Systems can now be created as the DeviceAttackName field, which is now included in the Events fields.

  • The TargetUserName and InitiatorIP fields are now populated with values as expected when the password for a user is changed.

  • The InitiatorIP field is now populated with values as expected when a user logs in to Sentinel Log Manager.

  • New reports have been created that can be used to perform audits on internal events.

  • You can now perform a wildcard search on events that contain uppercase characters.

  • Additional search queries that you add in the Refine panel now display appropriate results.

  • The Refine panel now displays the count of events for the CustomerVar22 field when it is added as an extra field to be displayed.

  • Users with non-standard characters in their passwords can now log in to the Web user interface and the ESM interface as expected.

  • The Trust Management report now includes DEASSOC_TRUST events, which are generated when a user account is removed.

  • The Configuration link in the Web user interface has been replaced with a gear icon, which indicates that the links next to it are configuration links.

  • All JavaScript pop-up windows, such as Search Tips, Run, and Delete, now appear as expected on Internet Explorer 8 in French, Spanish, and Italian.

  • ESM now launches as expected the first time Sentinel Log Manager is installed on a server on which it was never installed before.

  • Internal audit event fields such as initUserName, initIP, and targetUserNamedetails are now populated with appropriate values and are displayed in the search results.

6.0 Known Issues


Issue: In ESM, Collector nodes are sometimes incorrectly set to the stopped state while the server restarts. This issue is sporadic.

Workaround: After restarting the server, log in to ESM and ensure that the Collectors that are supposed to be running are in the started state.


Issue: Legacy Collectors do not work on remote Collector Managers.

Workaround: Modify the ESEC_HOME/config/collector_mgr.xml file on the remote Collector Manager machine.

  1. Open the ESEC_HOME/config/collector_mgr.xml file in any editor.

  2. Change the following lines:

    <property name="workbench.home">..</property>
    <property name="properties.file">../config/</property>
    <property name="esecurity.home">..</property>

    to:

    <property name="workbench.home">${user.dir}/..</property>
    <property name="properties.file">../config/</property>
    <property name="esecurity.home">${user.dir}/..</property>
  3. Restart the remote Collector Manager services.
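The edit in step 2 is easy to get wrong by hand on many remote Collector Managers, so the following script applies it programmatically. This is an added example, not code from Novell or from the release notes: it rewrites only the workbench.home and esecurity.home properties whose value is exactly "..", leaves properties.file and every other line untouched, keeps an unmodified copy of the file as collector_mgr.xml.bak (a naming choice made here, not one the product prescribes), and is idempotent, so running it twice changes nothing the second time. The sample document in the test is constructed from the three lines shown on the page; the ESEC_HOME location is taken from the environment variable of the same name or from the command line.

```python
"""Apply the collector_mgr.xml workaround for remote Collector Managers.

Added example, not part of the Novell Sentinel Log Manager release notes.
The regular expression below matches the two <property> elements named on
the page whose value is the relative path ".." and prefixes it with
${user.dir}, exactly as the documented 'after' lines show.
"""
import os
import re
import shutil
import sys

# Only these two properties are changed by the documented workaround;
# properties.file keeps its "../config/" value.
PATTERN = re.compile(
    r'(<property name="(workbench\.home|esecurity\.home)">)\s*\.\.\s*(</property>)'
)


def patch_collector_mgr(text: str) -> tuple[str, list[str]]:
    """Return (patched text, names of the properties that were changed).

    Lines that already carry ${user.dir}/.. do not match, so applying the
    function to its own output is a no-op (idempotent).
    """
    changed: list[str] = []

    def replacement(match: re.Match) -> str:
        changed.append(match.group(2))
        return match.group(1) + "${user.dir}/.." + match.group(3)

    return PATTERN.sub(replacement, text), changed


def needs_patch(text: str) -> bool:
    """True when at least one of the two properties still reads '..'."""
    return PATTERN.search(text) is not None


def patch_file(path: str) -> list[str]:
    """Patch the file in place; keep the original as <path>.bak (example naming)."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, changed = patch_collector_mgr(original)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return changed


if __name__ == "__main__":
    # Usage: ESEC_HOME=/path/to/esec_home python patch_collector_mgr.py
    #    or: python patch_collector_mgr.py /path/to/esec_home
    esec_home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("ESEC_HOME")
    if not esec_home:
        sys.exit("usage: patch_collector_mgr.py ESEC_HOME (or set $ESEC_HOME)")
    target = os.path.join(esec_home, "config", "collector_mgr.xml")
    result = patch_file(target)
    print(f"{target}: changed {result or 'nothing'}; restart the Collector Manager services if changed")
```

After the script reports a change, step 3 still applies: restart the remote Collector Manager services so the new property values are read.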


Issue: After you upgrade an earlier version of Sentinel Log Manager to Sentinel Log Manager 1.1, the Save as Report > Visualization drop-down list should include only report templates. However, a few Collector-specific reports might still appear in the Visualization list because they might not be deleted during the upgrade if they were in use prior to the upgrade.

Workaround: This happens because the Collector-specific reports that appear in the list were not automatically updated during the upgrade. Download the updated Collector Pack from the Sentinel 6.1 Content Web site and upload the pack by using the Sentinel Log Manager report upload option.


Issue: On the Collections > Event Source Servers page, when you modify more than one field of an event source and click Save to refresh the page, only one field is updated and the other fields show the old values.

Workaround: Change the values for the fields one at a time. Click Save after modifying each field.


Issue: Alt+left-clicking an event field in the search results to add a NOT clause to an empty query does not work as expected, because queries consisting purely of NOT criteria are not allowed.

Workaround: Alt+left-clicking works as expected if you begin the search with a sev:[0 TO 5] query instead of an empty query. The events that are retrieved are the same for both queries.


Issue: The Event Summary, Top 10 Report, and Top 10 Dashboard base reports display events with -0- value instead of blank values when the Primary field is null.

Workaround: For the Event Summary and Top 10 reports, do not select the Primary fields that have no data (is null). For the Top 10 Dashboard reports, ignore the graphs of the fields that have -0- as the value in the X axis.


Issue: Exceptions are logged in the server_wrapper.log file, when large reports are run with NFS archiving configured.

Workaround: Run large reports when the EPS is at its lowest (for example, at night or on weekends). More disks in the local storage RAID array might also help.


Issue: Search query times out and exceptions are logged while large reports are run on systems that have about 200 million events.

Workaround: Avoid running large reports when performing large searches.


Issue: The remote Collector Manager Installshield Wizard displays Sentinel 6.1 instead of Sentinel Log Manager.

Workaround: None. This is a user interface issue.


Issue: The Sentinel Log Manager user interface does not prompt to restart Sentinel services after you add a license key and does not perform some operations as expected.

Workaround: Restart the Sentinel Log Manager server after adding the license key.


Issue: On the appliance, the platform version is logged every two minutes via a kernel message to syslog at /var/log/messages.

Workaround: These messages are sent purposely so that the operating system can inform Sentinel Log Manager what version it is. If these messages cause problems for some reason, disable the wtmpmon script to prevent them from being generated.


Issue: The Sentinel Log Manager server does not function as expected if the Sentinel Log Manager 1.1 installation is relocated to a base directory that has spaces in its path. For example, /home/user/Sentinel Log Manager.

Workaround: Ensure that the installation directory does not include spaces in its path.


Issue: While configuring the File Connector, when you click Browse to add an event source, the file browser does not appear and exceptions are logged in the control center log file.

Workaround: Specify or copy/paste the desired file path into the field rather than using the Browse button.


Issue: With about 3000 event sources, when the raw data partitioning goes from the open state to the log state, the EPS rate goes down to 0.

Workaround: Install additional instances of Sentinel Log Manager so that the total number of event sources per instance is fewer than the recommended device limits as given in the System Requirements. For more information, see System Requirements in the Novell Sentinel Log Manager 1.1 Installation Guide.


Issue: WebYaST reports a DBus.Error.LimitsExceeded error when patch updates are being installed.

Workaround: Restart the yastws service:

/etc/init.d/yastws restart

Alternatively, click Reboot in the Control Panel to restart the machine.


Issue: When you boot the machine from an ISO appliance image (that is, run the ISO as a live CD/DVD) and then run patch updates through WebYaST > Updates, the system becomes non-responsive.

Workaround: Install the Live DVD to the hardware and then run the patch updates.


Issue: On systems that have more than a million events, after you initiate report generation and click Cancel to cancel the report generation, report generation is still in progress and does not cancel.

Workaround: None.


Issue: Sentinel Log Manager takes approximately 5 minutes to log in to the Web User Interface the first time after installation.

Workaround: None.


Issue: After you click the details++ link for the individual search results, the all details++ and all details-- links do not work as intended for the first 25 events.

Workaround: None.


Issue: The sample reports in Sentinel Log Manager show user data such as Full Name, Department, and Workforce ID that are not available in Sentinel Log Manager.

Workaround: None.


Issue: In the Search Results page with more than 75,000 events, when you scroll down to view the events, the scroll bar does not stop at the scrolled point and changes its location frequently.

Workaround: None.


Issue: Sentinel Log Manager allows you to change the IP address of the target server while editing the target server details and does not display any message saying that the specified IP address is different.

Workaround: None.


Issue: When you stop a Collector, the stopcollector internal event is generated twice in the event logs. The second stopcollector event that is generated does not show proper values for initUserName, initIP, and targetUserNamedetails event fields.

Workaround: None.

7.0 Documentation

The updated documentation and release notes are available at the Sentinel Log Manager documentation site.
