Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.
The Sentinel Log Manager default license now allows you to use all the features of Sentinel Log Manager, except for the Data Restoration feature, with an unrestricted EPS for up to 60 days. After 60 days the enterprise features are disabled, and the system continues to run with the base license key that enables a limited set of features and limited event rate of 25 EPS. The base license key does not expire.
NOTE:All the functionalities, including Data Restoration and the ability to view all events, can be restored by upgrading the system to an enterprise license of Sentinel Log Manager.
For more information, see Managing License Keys
in the Sentinel Log Manager 1.2 Administration Guide.
Sentinel Log Manager now includes the following tags:
On systems that are running with the free license, all events that are received while the system averages more than 25 EPS are tagged with the OverEPSLimit tag. The details of these events are not accessible by search or reports until you upgrade the system to an enterprise event store license.
After you upgrade the system to an enterprise event store license, the full details of all events are available in any new searches performed and any new reports that are generated. You can use the new OverEPSLimit tag to specifically search for any such tagged events, by adding rv145:OverEpsLimit to your search criteria.
For more information, see Viewing Search Results
in the Sentinel Log Manager 1.2 Administration Guide.
On systems that are running with the free license, any report results that are generated do not include the event details of any events that were tagged with the OverEPSLimit tag. Sentinel Log Manager tags such report results with the new CreatedDuringEval tag.
After you upgrade the system to an enterprise event store license, you can run the tagged reports again to verify if they include any events that were originally tagged as OverEPSLimit. To specifically search for the tagged report results, enter CreatedDuringEval in the report search criteria.
For more information, see Viewing the Reports
in the Sentinel Log Manager 1.2 Administration Guide.
A new Licensed EPS indicator has been added to the Viewing Events Per Second Statistics
in the Sentinel Log Manager 1.2 Administration Guide.
The Data Restoration feature is not available in the free and trial version of Sentinel Log Manager. Therefore, a message is displayed indicating that you are not licensed to use the feature. In addition to that, after the trial license expires, a message is displayed indicating that the functionality is being limited for the following features:
Actions
Rules
Distributed Search
Sentinel Log Manager is now supported on the SUSE Linux Enterprise Server (SLES) 11 SP1 64-bit platform.
Novell is in the process of phasing out support for Legacy Collectors in the Sentinel product line. In the previous versions of Sentinel Log Manager, the system displays a warning if you import a Legacy Collector. Starting with version 1.2, clean installations of Sentinel Log Manager and Collector Manager do not run Legacy Collectors.
NOTE:Legacy Collectors were written using the Legacy Collector Builder application, which is no longer shipped with Sentinel products. Legacy Collectors are replaced by JavaScript Collectors that are written using the Sentinel Plug-In SDK. JavaScript Collectors are available at the Sentinel Plug-ins Web site.
Sentinel Log Manager 1.2 includes multiple updates to improve the security of the product:
Apache Tomcat has been upgraded to version 6.0.29 to fix security vulnerabilities.
The PostgreSQL database has been upgraded to version 8.3.12 to fix security vulnerabilities.
Sentinel Log Manager 1.2 includes the updated versions of the following plug-ins:
Syslog Integrator 6.1r4
Syslog Connector 6r9
Database Connector 6r8
Collector based reports
Password Changes 6.1r3 is a new report, which is a combined and updated version of the Self Password Changes and Password Resets reports.
McAfee Network Security Platform Collector 6.1r2
McAfee policy Orchestrator Collector 6.1r5
Microsoft Active Directory and Windows 6.1r5 Collector, which is a combined and updated version of the Active Directory 6.1r4 and Windows 6.1r4 Collectors.
Sentinel Log Manager 1.2 and later require the SLES 11 SP1 platform. Therefore, you must first ensure that the operating system is upgraded to SLES 11 SP1 before you install Sentinel Log Manager 1.2.
For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see System Requirements
in the Sentinel Log Manager 1.2 Installation Guide.
Sentinel Log Manager 1.2 can only be used for clean installations. To install Novell Sentinel Log Manager 1.2, see the Sentinel Log Manager 1.2 Installation Guide.
The following table lists the defect numbers and the solutions provided for these defects in Sentinel Log Manager 1.2:
Bug Number |
Solution |
---|---|
615111 |
Using a symbolic link to point to the install directory after it is moved to a different partition now does not result in data management issues. |
656093 |
Security improvements have been made to decrease the vulnerability to session fixation attacks. |
652435 |
Turning on networked storage when there are a number of local closed partitions and decreasing the local storage space now results in moving the partitions to networked storage (with enough space) before the data is deleted from local storage. |
652438 |
When local storage space is running low, the system now attempts to move data to networked storage to free up space before deleting it from local storage. |
620681 |
A sporadic issue in Event Source Management (ESM) where Collector nodes are in the Stop state after a server restart is now fixed. Collector nodes that were in the Running state before the restart now continue to be in the Running state after the restart. |
661335 |
The logon.jsp file now includes the <body> tag, which was otherwise missing and caused Access Manager to fail while injecting credentials through the Access Manager Form Fill policy. Novell Access Manager and Single Sign-on products now work seamlessly while interacting with Sentinel Log Manager |
624095 |
Sentinel Log Manager now automatically closes any idle index loggers every time a clean up task is run at the back end, which reduces the number of open files on SLES. |
631900 |
Performance improvements have been made so that running large distributed reports across multiple instances of Sentinel Log Manager now works as expected and does not cause the target server to run out of memory. |
626338 |
The ReportPluginUpload, TruststoreUploadServlet, and LdapCertFileUploadServlet servlets now do not allow unauthorized users to upload files. |
652430 |
Events can now be searched from multiple restored partitions that are prefixed with the same date and/or retention policy. |
641361 |
Events can now be searched from the restored event data that is in the local storage. The event data does not need to be placed in the configured networked storage directory for it to be searchable. |
658444 |
The LEA connector now works as expected with Sentinel Log Manager. |
617477 |
Clicking alt+left on an event field while performing an All Events search now appends a NOT clause to the search query and displays the expected search results. |
617663 |
You can now modify more than one field of an event source at once. After you click to refresh the page, the new values are reflected in the relevant fields. |
619173 |
The Search Target Name in the Event List report now shows the actual search target name as expected. |
628824, 581698 |
Issue with the start_tomcat.sh script not finding the bonded IP address in a NIC bonded setup is now fixed. The start_tomcat.sh script now finds the right IP address to be written to the JNLP files on startup and enables ESM to launch successfully. |
615088 |
The EPS limits of Sentinel Log Manager Actions are now documented. For more information, see |
608905 |
The need to restart the services after applying the license key is now not necessary. |
618698 |
Extracting the installer.tar.gz file as the root user now does not change the ownership or permissions of the files. The ownership and permissions that were set before the extract are preserved. |
656600 |
The issue with connection leaks in the database when the transactions are in an idle state is now fixed. |
612557 |
The SentinelLogManager tag now cannot be deleted, which is as expected because it is a system tag and is used to tag the internal events. |
618895 |
While saving a distributed search as a report, the search targets on which the search is performed are now auto-selected by default. |
656710 |
Data transmitted over ActiveMQ is now compressed, which reduces the network bandwidth utilization between a Collector Manager and the server. |
652429 |
The CustomerVar (cv) fields are now HTML encoded to avoid execution of malicious JavaScripts and prevent any XSS attacks. Therefore, when Novell Audit fields are mapped to custom Sentinel fields, clicking the link in the search results page now works as expected and does not execute any JavaScripts. |
619920 |
The issue with the dbconfig command not changing the appuser password is now fixed. Running the dbconfig command against the entire /etc/opt/novell/sentinel_log_mgr/config directory now changes the appuser password as expected. |
615572 |
While editing the IP address of a search target server, if you change the IP address and click , the changes are not saved and an appropriate error message is displayed as expected. |
616707 |
In the tab, if there are no report definitions, all the report options such as , , and are now disabled. |
622384 |
When retention policy names are renamed or when new policies are created, the policy names are now displayed correctly in the local and distributed search results. |
616334 |
In the local and distributed search results, the link now does not appear for users who do not have the View all data permission, which is as expected because these users are restricted from viewing the raw data. |
617652 |
A new command, ssl_certs, is now included in the /opt/novell/sentinel_log_mgr/setup directory. This command enables you to replace the self-signed SSL certificates with the CA signed certificates. The procedure to replace the default self-signed certificates with CA signed certificates is now documented. For more information, see |
The following table lists the enhancements made in the 1.2 version to improve the usability of Sentinel Log Manager:
Bug Number |
Description |
---|---|
666893 |
Issue: Sentinel Log Manager 1.2 cannot perform search and run reports on the data that is restored from Sentinel Log Manager 1.1. This is because Sentinel Log Manager 1.1 uses squashfs version 3.4 and Sentinel Log Manager 1.2 uses squashfs version 4.0, which is not backward compatible and cannot open a squashed file system created with previous versions. Workaround: None. Contact Novell Technical Support for assistance. |
673028 |
Issue: On Windows 7 with Firefox as the browser, non-admin users cannot login to the ESM user interface. When you launch ESM, it tries to copy the ESMWebStart.jnlp file to the C:\Program Files (x86)\Mozilla Firefox\ directory. The non-admin users do not have sufficient rights to write to this directory. Workaround: Perform either of the following:
|
659873 |
Issue: The Synchronous call Timed out for request exception is logged in the tomcat0.0.log after the installation of Sentinel Log Manager and also each time the services are restarted. Workaround: None. Although an exception is logged, the system works as expected. |
667611 |
Issue: The link in the search results page does not appear for non-admin users. Instead, a link is displayed, which does not perform any action when it is clicked.Workaround: None. |
663470 |
Issue: Sentinel Log Manager does not install 64-bit JRE on 64-bit Windows system. Workaround: None. This is by design. The Sentinel Log Manager installer only includes 32-bit JRE and does not include 64-bit JRE. |
666560 |
Issue: The default SSL certificate has been signed by using a weak hash algorithm (MD5) instead of using the SHA1 algorithm. Workaround:
You can get the SSL certificate from any trusted CA, which is signed by using the SHA1 algorithm and replace it with the default SSL certificate. For information on replacing the SSL certificate with a CA signed certificate, see |
601697 |
Issue: When Web server (tomcat) dumps memory, the Web server does not restart on its own and becomes inactive. Workaround: Restart the Sentinel Log Manager service. |
662191 |
Issue: The remote Collector Manager installation does not proceed if the default installation path contains special characters. Workaround: Change the default installation path and ensure that the new path you specify does not include special characters. |
664393 |
Issue: Sentinel Log Manager does not display the data retention policies if the data is large in the networked storage. The du command runs for a longer time to find the disk usage and a message is displayed in the Web user interface indicating that refreshing retention policies failed. Workaround: Increase the timeout period so that Sentinel Log Manager does not timeout before retrieving the disk usage space.
|
For the list of known issues in Sentinel Log Manager 1.1 versions, see Novell Sentinel Log Manager 1.1.0.2 Release Notes.
The updated documentation and release notes are available at the Sentinel Log Manager documentation site .
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverable. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2011 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.