Sentinel 8.0 SP1 Patch Update 1 resolves several previous issues. This patch update is available only for traditional installations of Sentinel.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.
The following sections outline the key features and enhancements, and also the issues resolved in this release:
Sentinel 8.0 SP1 Patch Update 1 provides fixes to resolve the CVE-2016-1000031 vulnerability, which was discovered by Jacob Baines from Tenable Network Security. These fixes are in addition to previously released updates. We would like to offer our thanks to Jacob Baines for finding and reporting these security vulnerabilities to us.
Sentinel 8.0 SP1 Patch Update 1 includes software fixes that resolve several issues.
Issue: When viewing all event details, dates and times are incorrectly formatted in the UTC (Coordinated Universal Time) format. (Bug 1031523, Bug 1034531)
Fix: Event detail fields now display all dates in the format specific to the specified locale in your browser.
Issue: When you upgrade Sentinel 8.0 and later, the installer displays the following error:
Installing: novell-Sentinelwebapp-8.0.0.1-3404 [done] Additional rpm output: /var/tmp/rpm-tmp.28463: line 263: [: search.hideUI=false: binary operator expected
(Bug 1025512)
Fix: This error no longer occurs during the upgrade process.
Issue: If you modify the criteria for a search and select Begin Time, End Time, or Sentinel Process Time, the search results are invalid. (Bug 894421)
Fix: The Begin Time, End Time, or Sentinel Process Time options are no longer available when editing search criteria.
Issue: If you restart the Sentinel service on a Collector Manager computer that has multiple database collectors, some of the collectors are unable to reconnect to the event sources. (Bug 1015375)
Fix: All collectors now reconnect after restarting the Sentinel service.
Issue: Running the /SentinelRESTServices/objects/alert/count API always returns 0, even if there are multiple alerts. (Bug 1028317)
Fix: The /SentinelRESTServices/objects/alert/count API now returns the correct number of alerts.
Issue: You cannot delete an element from a dynamic list in Control Center if the element value contains a backslash. (Bug 1027494)
Fix: You can now delete element values with backslashes from dynamic lists in Control Center.
Issue: If you configure an anomaly definition to send an email notification when there is a deviation from the baseline, Sentinel cannot send the email and returns an IllegalStateException error. (Bug 816622)
Fix: Sentinel now correctly sends the email.
Issue: When you save a search to a CSV file, the CSV file does not maintain the specified order of the fields. (Bug 979916)
Fix: When you save a search to a CSV file, the CSV file now maintains the specified field order.
Issue: If you schedule a report to run with the current date range but the From date is in the future, the report fails. (Bug 914094)
Fix: Sentinel allows you to set From date to a future date to report event sources that are not properly time-synchronized. Sentinel now runs the report without error.
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
Sentinel 8.0 SP1 Patch Update 1 is available only for traditional installations of Sentinel.
You can upgrade to Sentinel 8.0 SP1 Patch Update 1 from the following Sentinel versions:
Sentinel 8.0 and later
IMPORTANT:Upgrade from Sentinel 8.0.1 will not complete due to symbolic links. Follow the steps mentioned in the Sentinel Knowledge Base to upgrade from Sentinel 8.0.1.
Sentinel 7.4 and later up to Sentinel 7.4 SP4 Hotfix 1
Download the patch update from the Patch Finder website. For information about upgrading to Sentinel 8.0 SP1 Patch Update 1, see Upgrading Sentinel
in the NetIQ Sentinel Installation and Configuration Guide.
NOTE:If you want to use Sentinel Link Connector, you must upgrade it to version 2011.r4, which includes software fixes for compatibility issues with Sentinel 8.0.1 and later.
After you upgrade Scalable Storage Data Manager (SSDM), you must re-submit Spark applications to consider the updated Spark files as well. Spark will not process any events that arrive during this phase until you re-submit Spark applications. To avoid this issue, perform the steps mentioned in NetIQ Knowledge Base Article 7018726.
Sentinel 8.0 SP 1 Patch Update 1 is compatible with Change Guardian 4.2 and later.
Before you upgrade, if your environment is not running a version of Change Guardian that is compatible with this version of Sentinel, you must first upgrade the Change Guardian Server, agents, and the Policy Editor to version 4.2 or later.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies.
Issue: SSDM in high availability mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)
Workaround: After installing the Elasticsearch security plug-in, perform the following steps on each node of the Elasticsearch cluster:
Log in to the Elasticsearch node as the user which Elasticsearch was installed as.
Add entries for the physical IP address of each active node and passive node of the HA cluster in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file as follows:
<Cluster_Node_Physical_IP>:<Target_Elasticsearch_HTTP_Port>
Add each entry in a new line and save the file.
In the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-configuration.properties file, set the authServer.host property to the virtual IP address of the HA cluster as follows:
authServer.host=<Cluster_Virtual_IP>
Restart Elasticsearch.
Issue: Sentinel does not display the Alert dashboards after upgrade. This issue occurs because Sentinel does not delete the Alert dashboard related temporary directory during upgrade. (Bug 984796)
Workaround: Delete the temporary files manually by performing the following procedure:
Log in to the Sentinel server as the novell user.
Change to the webapps directory as follows:
cd /var/opt/novell/sentinel/3rdparty/jetty/webapps/
Remove the sentinel-elasticsearch-proxy.tmp directory as follows:
rm -rf sentinel-elasticsearch-proxy.tmp
Change to the contexts directory and update the timestamp of the sentinel-elasticsearch-proxy.xml file as follows:
cd /etc/opt/novell/sentinel/3rdparty/jetty/contexts/
touch sentinel-elasticsearch-proxy.xml
Refresh the Sentinel Main interface to view the Alert dashboards.
Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)
Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:
Log in as the root user on the active node.
Open the /etc/csync2/csync2.cfg file.
Change the following line:
include /etc/opt/novell/sentinel/3rdparty/nss/*;
to
include /etc/opt/novell/sentinel/3rdparty/nss;
Save the csync2.cfg file.
Start the synchronization manually by running the following command:
csync2 -x -v
Issue: In SSDM environments, if you create a tile map visualization with default options, an issue with Kibana prevents the new tile map visualization from working in the Event Visualization dashboard. For more information about the Kibana issue, see https://github.com/elastic/kibana/issues/7717. (Bug 1001909)
Workaround: When you create a new tile map visualization, under Options, select WMS compliant map server.
Issue: An issue with Kibana prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)
Workaround: Use a different browser to view or modify the Visualization dashboard.
Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)
Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:
Install Sentinel. For more information, see Installing Sentinel
in the Sentinel Installation and Configuration Guide.
Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode
in the Sentinel Installation and Configuration Guide.
Use the following command to enable the operating system to run in FIPS mode:
fips=1 /boot/grub/menu.lst
Issue: Sentinel does not receive events through Sentinel Link Connector. (Bug 989784)
Workaround: The Sentinel Link Connector version 2011.1r4 resolves this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the preview version of the Connector from the Previews section.
Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:
Failed to set encrypted password
(Bug 967764)
Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.
Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)
Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.
Issue: The com.novell.sentinel.spark.StreamingEventIndexer job does not support IPv6. If an event contains an IPv6 address, the job fails. (Bug 1006975)
Workaround: The workaround is to change the IP type to a string. To make this change, contact technical support.
Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:
SEVERE|TimerThreadPool pool|esecurity.ccs.comp.scalablestorage.KibanaVisualAnalyticsUtil.initializeKibanaMappingSearchUnsuccessful in initializing the kibana mapping search call with status code 400
(Bug 1009662)
Workaround: You can safely ignore these messages. There is no functional impact.
Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(Bug 933640)
Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)
Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue:
Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy
in the NetIQ Sentinel Administration Guide. (Bug 913014)
Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.
Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)
Workaround: Update the role with one of the following options:
Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)
Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.
You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.
For more information, see Configuring Data Retention Policies
in the NetIQ Sentinel Administration Guide.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)
Workaround: There is no workaround at this time.
Issue: When you install Sentinel in FIPS 140-2 mode, the connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, Netflow, and alert data. (Bug 915241)
Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.
Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)
Workaround: To export search results properly, perform either of the following:
While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.
Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.
Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)
Workaround: Click the second report result PDF again to view the report result.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(Bug 810764)
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (Bug 870609)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.