Sentinel 8.0.0.1 Release Notes

Issue: The Visual Analytics component is not installed on some Sentinel appliance upgrades because the upgrade is dependent on a file that may have been removed from the Sentinel appliance. Sentinel fails to start after upgrade with the following error:

Fix: The Visual Analytics component is installed successfully and the Sentinel 8.0.0.1 appliance starts as expected.

Issue: Sentinel does not display the Threat Response Dashboard when you upgrade to Sentinel 8.0. This issue occurs if you originally installed a Sentinel version earlier than Sentinel 7.3.0.0, upgraded it to Sentinel 7.3.x or later, and then upgraded it to Sentinel 8.0. (Bug 1013377)

Fix: Sentinel now displays the Threat Response Dashboard properly.

Issue: In an RPM based installation of Elasticsearch, Event Visualization dashboards and searches in SSDM do not work. (Bug 1014448)

Workaround: After installing the Elasticsearch Security plug-in, perform the following steps on each node of the Elasticsearch cluster:

Issue: SSDM in high availability mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)

Workaround: After installing the Elasticsearch security plug-in, perform the following steps on each node of the Elasticsearch cluster:

Issue: Sentinel does not display the Alert dashboards after upgrade. This issue occurs because Sentinel does not delete the Alert dashboard related temporary directory during upgrade. (Bug 984796)

Workaround: Delete the temporary files manually by performing the following procedure:

Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)

Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:

Issue: In SSDM environments, if you create a tile map visualization with default options, an issue with Kibana prevents the new tile map visualization from working in the Event Visualization dashboard. For more information about the Kibana issue, see https://github.com/elastic/kibana/issues/7717. (Bug 1001909)

Workaround: When you create a new tile map visualization, under Options, select WMS compliant map server.

Issue: An issue with Kibana prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)

Workaround: Use a different browser to view or modify the Visualization dashboard.

Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)

Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:

Issue: Sentinel does not receive events through Sentinel Link Connector. (Bug 989784)

Workaround: The Sentinel Link Connector version 2011.1r4 resolves this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the preview version of the Connector from the Previews section.

Issue: NetIQ eDirectory Instrumentation cannot connect to Audit Connector through Platform Agent. As a result, Sentinel cannot receive events from eDirectory. This issue occurs because eDirectory Instrumentation uses MD5 RSA certificate algorithm, which has been deprecated in Java 8 update 77 that is used in Sentinel 8.0.0.1. (Bug 985312)

Workaround: To enable eDirectory Instrumentation to use a custom certificate, perform the steps mentioned in NetIQ Knowledgebase Article 7017764.

Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:

Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.

Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)

Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.

Issue: The com.novell.sentinel.spark.StreamingEventIndexer job does not support IPv6. If an event contains an IPv6 address, the job fails. (Bug 1006975)

Workaround: The workaround is to change the IP type to a string. To make this change, contact technical support.

Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:

Workaround: You can safely ignore these messages. There is no functional impact.

Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:

Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.

Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)

Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.

Issue: The Bar Mitzvah security vulnerability exists in Sentinel Link Connector. Sentinel Link Connector uses the RC4 algorithm in SSL and TSL protocols, which might allow plaintext recovery attacks against the initial bytes of a stream. For more information, see CVE-2015-2808. (Bug 933741)

Workaround: The Sentinel Link Connector version 2011.1r4 resolves this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.

Issue: The Agent Manager Connector version 2011.1r3 does not set the CONNECTION_MODE property in the events if the Collector parsing the events supports multiple connection modes. (Bug 880564)

Workaround: The Agent Manager Connector version 2011.1r5 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.

Issue: Sentinel Agent Manager 7.3 ignores the value specified in RawDataTapFileSize attribute in the SMServiceHost.exe.config file for the raw data file size configuration, and stops writing to the raw data file when the file size reaches 10 MB. (Bug 867954)

Workaround: Manually copy the content of the raw data file into another file and clear it when the file size reaches 10 MB, so that Sentinel Agent Manager can write new data into it.

Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (Bug 913014)

Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.

Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)

Workaround: Update the role with one of the following options:

Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)

Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.

Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)

Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.

Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)

Workaround: The correct dates are updated after the baseline regeneration is complete.

Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)

Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.

Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)

Workaround: Configure Sentinel ports for firewall exceptions through the following steps:

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)

Workaround: There is no workaround at this time.

Issue: When you install Sentinel in FIPS 140-2 mode, the connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, Netflow, and alert data. (Bug 915241)

Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.

Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)

Workaround: To export search results properly, perform either of the following:

Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)

Workaround: Click the second report result PDF again to view the report result.

Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)

Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.

Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (Bug 870609)

Workaround: There is no workaround at this time.