Novell Sentinel Log Manager 1.2.0.1 Release Notes

June 2011

Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.

Sentinel Log Manager 1.2.0.1 can be used as a clean installer and also as an upgrade installer. The Sentinel Log Manager 1.2.0.1 upgrade installer can be used to upgrade Sentinel Log Manager 1.1 and later.

1.0 What’s New

1.1 What’s New in Sentinel Log Manager 1.2.0.1

1.1.1 SLES 11 SP1 Support

Sentinel Log Manager 1.2 and later supports the SUSE Linux Enterprise Server (SLES) 11 SP1 64-bit platform. The Sentinel Log Manager 1.2.0.1 upgrade installer is mainly intended to upgrade Sentinel Log Manager 1.1.0.x systems to work seamlessly with SLES 11 SP1.

1.1.2 Updates to the Squashfs Package

Previous versions of Sentinel Log Manager (1.1.x) use the squashfs 3.4-35.1 version. Because SLES 11 SP1 supports squashfs 4.0 and later, Sentinel Log Manager 1.2 and later use the squashfs 4.0-1.2.10 version.

1.1.3 Security Improvements

The following updates have been made to fix security vulnerability issues:

  • The Java Runtime Environment (JRE) has been upgraded to version 1.6.0.24.

  • Apache Tomcat has been upgraded to version 6.0.32.

1.1.4 Software Fixes

Sentinel Log Manager 1.2.0.1 includes the latest software fixes and enhancements for an existing installation of Sentinel Log Manager 1.1.0.x and later. The set of new features and fixed defects depends on the version from which you upgrade. For example, if the system is running Sentinel Log Manager 1.1, the defect fixes from 1.1.0.1 are also applied as part of this upgrade.

1.2 What’s New in Sentinel Log Manager 1.2

For information on what’s new in Sentinel Log Manager 1.2, see the Novell Sentinel Log Manager 1.2 Release Notes.

1.3 What’s New in Sentinel Log Manager 1.1.0.2

For information on what’s new in Sentinel Log Manager 1.1.0.2, see the Novell Sentinel Log Manager 1.1.0.2 Release Notes.

1.4 What’s New in Sentinel Log Manager 1.1.0.1

For information on what’s new in Sentinel Log Manager 1.1.0.1, see the Novell Sentinel Log Manager 1.1.0.1 Release Notes.

2.0 System Requirements

Sentinel Log Manager 1.2 and later require the SLES 11 SP1 platform. Therefore, you must first ensure that the operating system is upgraded to SLES 11 SP1 before you install Sentinel Log Manager 1.2.0.1.

For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see System Requirements in the Sentinel Log Manager 1.2 Installation Guide.

3.0 Installing Novell Sentinel Log Manager

To install Novell Sentinel Log Manager, see the Sentinel Log Manager 1.2 Installation Guide.

4.0 Upgrading to Novell Sentinel Log Manager 1.2.0.1

To upgrade Novell Sentinel Log Manager to the latest patch, see “Upgrading Sentinel Log Manager” in the Novell Sentinel Log Manager 1.2 Installation Guide.

5.0 Defects Fixed and Enhancements

5.1 Defects Fixed

The following table lists the defect numbers and the solutions provided for these defects in Sentinel Log Manager 1.2.0.1:

Bug Number  Solution

658208      When you restart an event source that is configured to alert when no data is received for a specified time, the event source no longer generates duplicate messages indicating No Data Received for Event Source in server logs.

664016      The Collectors do not stop immediately if the Collector Manager is unable to retrieve the license of a plug-in because of exceptions in the Sentinel Log Manager server, such as an out-of-memory error. The Collectors now continue to run for 3 days and then stop if the license information is still not retrieved.

664393      Sentinel Log Manager now displays the data retention policies as expected regardless of the data size in the networked storage.

665506      When you configure the Log to Syslog action, the Port field now automatically displays the default port number for the specified protocol.

666893      Sentinel Log Manager 1.2 and later can now perform searches and run reports on the data that is restored from Sentinel Log Manager 1.1.

674782      Performance improvements have been made so that the Sentinel Log Manager Web server does not run out of memory when a large number of Database Connectors and event sources are configured on the system.

675488      When a search query is exported to a CSV file, all the fields, including the non-searchable fields such as Event time (dt), are exported to the CSV file.

676764      Sentinel Log Manager now handles the mount operations correctly when a search involves networked storage partitions that are equal to or more than the maximum number of loop devices supported by the system.

678252      Performance improvements have been made so that the search query does not time out when a narrow search looking for a small set of events is performed over a large number of partitions.

682405      The remote Collector Manager installation on the Windows platform now proceeds without errors even if the installation path includes braces.

678078      When you edit the Log to Syslog action, the last saved encoding type is now displayed rather than System default.

5.2 Enhancements

The following table lists the enhancements made in the 1.2.0.1 version to improve the functionality of Sentinel Log Manager:

Bug Number  Description

673993      The SMTP Integrator 6.1r2 has been included in this version of Sentinel Log Manager.

673409      For better report performance, the Jasper print object file (raw result file) is no longer bundled with the generated report results. This improves report generation time when the report contains a large number of events.

679674      Sentinel Log Manager now supports overriding the server IP address. This enables you to configure the Sentinel Log Manager Web server to listen on a specific IP address on systems that have multiple IP addresses. For more information, see Overriding the IP Address in the Web Server in the Sentinel Log Manager 1.2 Administration Guide.

680881      Search response time has been improved by optimizing the search algorithm to search in parallel across partitions.

690797      To improve search performance and to avoid searches that might not be relevant, Sentinel Log Manager no longer performs a search by default whenever a new search tab is opened. This applies to the following actions:

              • Clicking New Search.

              • Searching tagged events.

              • On the Collections > Event Sources page, selecting the required event source configurations, then clicking the search icon.

            For these actions, the search results are not displayed until you click the Search button.

6.0 Known Issues

Bug Number  Description

697069

Issue: In the Sentinel Log Manager 1.2.0.1 version, after you configure a networked storage and click Health to view the disk statistics, a message appears indicating an error reading disk statistics for networked storage capacity. Also, it takes a long time, up to 30 minutes, to display the disk statistics.

Workaround: None. This is a one-time delay. After 30 minutes, the disk statistics are displayed as expected.

696002

Issue: After Sentinel Log Manager is upgraded to the 1.2.0.1 version, a java.lang.NullPointerException is logged several times in the tomcat0.0.log file.

Workaround: None. Although an exception is logged, Sentinel Log Manager works as expected.

694750

Issue: After the appliance is upgraded to the 1.2.0.1 version, the Reboot and Shutdown buttons in WebYaST do not work.

Workaround: Switch to the Console mode and manually specify the reboot or shutdown command.

693399

Issue: The upgrade does not proceed if symbolic links have been used for the following folders and subfolders:

  • opt/novell (Base folder)

  • etc/opt/novell (Configuration folder)

  • var/opt/novell (Data folder)

Workaround: Remove the symbolic links; that is, move these directories back to the standard installation directories.

693408

Issue: A large data set in the raw_data_files_info table causes the system to slow down.

Workaround: Create an index for the file_name column in the raw_data_files_info table so that the database does not take a long time to look up the raw data files:

CREATE INDEX raw_data_files_info_index ON raw_data_files_info
(file_name) TABLESPACE SENDATA1;

693677

Issue: When you upgrade a Xen appliance to the 1.2.0.1 version, then attempt to restart the appliance to complete the upgrade procedure, the appliance does not restart.

Workaround: After the upgrade is complete and before you restart the system, modify the .xenconfig file that is included in the installer file:

  1. Open the .xenconfig file by using a text editor.

    The .xenconfig file is prefixed with the installer filename. For example, sentinel_log_manager_1.2.0.1_64_xen.x86_64-0.0.xenconfig

  2. Append the following:

    extra="xencons=tty"
    
  3. Save the changes.

  4. Restart the appliance.

The appliance restarts successfully.

While the appliance restarts, the version is displayed as SLM 1.1.0.0. However, after the restart is complete, the correct version is displayed.

692031

Issue: Raw data files are not being deleted according to the specified data retention policies.

Workaround: None.

690561

Issue: The value in the TargetUserName event field is truncated if the value includes the “-” character.

Workaround: Do not include characters such as “-” in the TargetUserName field.

688080

Issue: Searching for any component such as Collector, Connector, and Event Source in the Event Source Management (Live View) > Attribute Filter > Search field does not return any result if the component name includes “-” in its name.

Workaround: Do not include characters such as “-” in the component name.

687385

Issue: Sentinel Log Manager installation fails if the dbauser password includes special characters such as “$”, “_”, and “!”.

Workaround: Do not include special characters in the password.

687809

Issue: The Data Restoration feature does not restore the networked storage data if the novell user ID (UID) and the group ID (GID) are not the same on both the source (server that has the networked storage data) and destination (server where the networked storage data is being restored).

Workaround: Unsquash and squash the squash file system (index.sqfs):

  1. Copy the partition that you want to restore to the Sentinel Log Manager server where you want to restore the data at the following location:

    /var/opt/novell/sentinel_log_mgr/data/archive_remote/<sentinel_log_manager_server_UUID>/eventdata_archive 
    
  2. Log in to the Sentinel Log Manager server where you want to restore the data as the root user.

  3. Change to the directory where you copied the partition that you want to restore:

    cd /var/opt/novell/sentinel_log_mgr/data/archive_remote/<sentinel_log_manager_server_UUID>/eventdata_archive/<partition_ID>
    
  4. Unsquash the index.sqfs file:

    unsquashfs index.sqfs
    

    The index.sqfs file is unsquashed and the squashfs-root folder is created.

  5. Assign ownership of the <partition_ID> folder to the novell user and the novell group:

    chown -R novell:novell <partition_ID>
    
  6. Remove the index:

    rm -r index.sqfs
    
  7. Switch to the novell user:

    su novell
    
  8. Squash the squashfs-root folder:

    mksquashfs squashfs-root/ index.sqfs
    
  9. Restore the partitions by using the Data Restoration feature. For more information, see Restoring Data in the Sentinel Log Manager 1.2 Administration Guide.

694221

Issue: The backup and restore utility (backup_util.sh) does not restore or extract the networked storage partitions.

Workaround: Copy the backed-up tar file to the networked storage location where you want to restore the backed-up data, then extract the tar file manually:

  1. Copy the backup file <backup.tar.gz> file to the eventdata_archive folder, which is the networked storage location:

    scp <backup.tar.gz> <networked_storage_location>/<sentinel_log_manager_server_UUID>/eventdata_archive
    
  2. Change the ownership to novell user:

    chown novell:novell <backup.tar.gz>
    
  3. Extract the file:

    tar zxvf <backup.tar.gz>
    
  4. Restart the Sentinel Log Manager server.

Use the Data Restoration feature to restore the extracted partitions. For more information, see Restoring Data in the Sentinel Log Manager 1.2 Administration Guide.

659294

Issue: When you save a search query as a report, then run the report on both local and distributed servers, the report results page is blank and an unparsable date exception is logged in server0.0.log. If you export the report results to a CSV file, the date and time of the report are not readable because the Event time (dt) field is in the UNIX time format.

Workaround: While running a report, do not include both local and distributed systems simultaneously.

NOTE: This issue applies only to reports that are created from a search query. The default Sentinel Log Manager reports do not have this issue.

693657

Issue: The free license key (25 EPS) is not added in the .primary key file when a license with a fixed time boundary is added during the custom installation.

Workaround: The free license key is available in the /etc/opt/novell/sentinel_log_mgr/config/trial.license file:

  1. Open trial.license in an editor.

  2. Copy the license keys.

  3. Add these license keys either by using the Sentinel Log Manager Web interface or through the command prompt.

    For information on adding license keys, see Adding a License Key in the Sentinel Log Manager 1.2 Administration Guide.

687643

Issue: Reports that are scheduled to run once, run again a second time on the following day at the same time.

Workaround: None.

657701

Issue: After Sentinel Log Manager is upgraded to the 1.2.0.1 version, exceptions are logged in the server_wrapper.log.

Workaround: Ignore the exception. Although exceptions are logged, the system works as expected.

686240

Issue: The Search feature does not return appropriate results when a range search that includes double digits is performed on integer type fields such as xdasid. For example, if the search query is xdasid:[0 to 12], the query returns only events with an xdasid of 0 and 1 and does not return events with an xdasid ranging from 0 through 12.

Workaround: Specify the integers in the search query. For example, to search for events with an xdasid ranging from 0 through 12, you can specify the query in either of the following ways:

  • xdasid:[0 TO 9,10,11,12]

  • xdasid:[0 TO 9] OR xdasid:10 OR xdasid:11 OR xdasid:12
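As an added example, not part of the release notes or of the product, the following Python helper rewrites a simple integer range query into the second form the workaround describes. It generalizes the page's single case: values 0 through 9 stay in a range clause and every value of 10 or more becomes an explicit OR term; applying that rule to any lower bound (not only 0) is my assumption, not something the page states.

```python
import re

# Matches a simple integer range query such as xdasid:[0 to 12] (field name, lower bound, upper bound).
RANGE_RE = re.compile(r"^(\w+):\[(\d+) TO (\d+)\]$", re.IGNORECASE)


def rewrite_range_query(query):
    """Rewrite field:[lo TO hi] so that only single-digit values remain in a range clause.

    Every value of 10 or more is emitted as an explicit field:value term joined with OR,
    which is the form the bug 686240 workaround prescribes. Queries that are not a
    simple integer range are returned unchanged.
    """
    match = RANGE_RE.match(query.strip())
    if not match:
        return query
    field, lo, hi = match.group(1), int(match.group(2)), int(match.group(3))
    if lo > hi:
        raise ValueError("range lower bound exceeds upper bound")

    terms = []
    # Single-digit values are safe inside a range clause (assumption generalized from the page).
    if lo <= 9:
        terms.append(f"{field}:[{lo} TO {min(hi, 9)}]")
    # Double-digit (and larger) values must be listed one by one.
    for value in range(max(lo, 10), hi + 1):
        terms.append(f"{field}:{value}")
    return " OR ".join(terms)
```

A wide range (for example up to several hundred) produces one term per value, so check the resulting query length before pasting it into the search field.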

681770

Issue: Sentinel Log Manager does not display the data retention policies if there is a large amount of data in the local storage. The du command runs for a longer time to find the disk usage and a message is displayed in the Web user interface indicating that refreshing retention policies failed.

Workaround: Increase the timeout period so that Sentinel Log Manager does not time out before retrieving the disk usage space:

  1. Log in to Sentinel Log Manager as the novell user.

  2. Open the /etc/opt/novell/sentinel_log_mgr/config/server.xml file in an editor.

  3. Add the taskTimeoutPeriod property in the DiskStatisticsCache component as follows:

    <obj-component id="DiskStatisticsCache">
      <class>esecurity.ccs.comp.diskstatistics.DiskStatisticsCache</class>
      <property name="emaSmoothingFactor">0.2</property>
      <property name="diskStatsCheckInterval">300000</property>
      <property name="taskTimeoutPeriod">200000</property>
    </obj-component>
    
  4. Modify the diskStatsCheckInterval property so that the value is greater than or equal to taskTimeoutPeriod.

  5. Restart Sentinel Log Manager.
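As an added example, not part of the release notes or of the product, the following Python function applies steps 3 and 4 of this workaround to a server.xml: it adds the taskTimeoutPeriod property to the DiskStatisticsCache component if it is missing and raises diskStatsCheckInterval so that it is at least that value. The sample XML is constructed from the fragment above, and the enclosing root element name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the DiskStatisticsCache fragment before the workaround.
# The <configuration> root element is an assumption, not the real server.xml layout.
SAMPLE_SERVER_XML = """<configuration>
  <obj-component id="DiskStatisticsCache">
    <class>esecurity.ccs.comp.diskstatistics.DiskStatisticsCache</class>
    <property name="emaSmoothingFactor">0.2</property>
    <property name="diskStatsCheckInterval">100000</property>
  </obj-component>
</configuration>
"""


def apply_timeout_workaround(xml_text, timeout_ms=200000):
    """Return (new_xml_text, diskStatsCheckInterval, taskTimeoutPeriod) after the workaround.

    Adds taskTimeoutPeriod when absent (step 3) and, because step 4 requires
    diskStatsCheckInterval >= taskTimeoutPeriod, raises the interval if it is smaller.
    The function is idempotent: a file that already satisfies both rules is left unchanged.
    """
    root = ET.fromstring(xml_text)
    comp = root.find(".//obj-component[@id='DiskStatisticsCache']")
    if comp is None:
        raise ValueError("DiskStatisticsCache component not found")

    props = {p.get("name"): p for p in comp.findall("property")}
    timeout = props.get("taskTimeoutPeriod")
    if timeout is None:
        timeout = ET.SubElement(comp, "property", name="taskTimeoutPeriod")
        timeout.text = str(timeout_ms)

    interval = props.get("diskStatsCheckInterval")
    if interval is None:
        raise ValueError("diskStatsCheckInterval property not found")
    if int(interval.text) < int(timeout.text):
        interval.text = timeout.text

    return ET.tostring(root, encoding="unicode"), int(interval.text), int(timeout.text)
```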

641545

Issue: In the Event Source Management user interface, when you import a plug-in, if you type the filename of the plug-in rather than clicking Browse to select the plug-in, an error is displayed indicating that an invalid plug-in is selected for import. The error message pops up as you start typing the filename and continues to appear even after you click Cancel.

Workaround: Use the Browse button to select the plug-in rather than manually typing the filename of the plug-in.

612872

Issue: The Event Source Management > Help > Help option does not launch the Sentinel Log Manager documentation Web site and instead displays the error Help not Installed.

Workaround: To view the latest Sentinel Log Manager documentation, go to the Sentinel Log Manager 1.2 documentation Web site.

630174

Issue: When you install additional Collector Managers, the installer prompts you to select the amount of RAM to allocate to the Sentinel server processes. However, the Collector Manager always uses 1.2 GB of RAM and does not consider the specified RAM.

Workaround: Ignore the memory allocation settings and click Next to proceed with the installation.

For a list of known issues in Sentinel Log Manager 1.2, see the Novell Sentinel Log Manager 1.2 Release Notes.

7.0 Documentation

The updated documentation and release notes are available at the Sentinel Log Manager documentation site.