Sentinel 8.0 Service Pack 1 Release Notes

March 2017

Sentinel 8.0 SP1 includes new certified platforms and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.

1.0 What’s New?

The following sections outline the key features and enhancements, and also the issues resolved in this release:

1.1 New Certified Platforms

Sentinel now certifies the following platforms:

  • Elasticsearch 5.0 for Sentinel Scalable Data Manager

  • SUSE Linux Enterprise Server (SLES) 12 SP2 64-bit

  • Red Hat Enterprise Linux Server (RHEL) 7.3 64-bit

For more information about the certified platforms, see the Technical Information for Sentinel web page.

1.2 Security Vulnerability Fixes

Sentinel 8.0 SP1 resolves the following security vulnerabilities, which were discovered by Jacob Baines from Tenable Network Security:

  • Account enumeration (CVE-2017-5184)

  • Remote denial-of-service (CVE-2017-5185)

  • Java Deserialization (CVE-2016-1000031)

We would like to offer our thanks to Jacob Baines for finding and reporting these security vulnerabilities to us.

1.3 Enhanced Keystore Security

Sentinel now provides the chg_keystore_pass.sh script that allows you to change the keystore passwords.

As a security best practice, NetIQ recommends that you change the keystore passwords immediately after upgrading to Sentinel 8.0 SP1.

Perform the following procedure to change the keystore passwords:

  1. Log in to the Sentinel server as the novell user.

  2. Go to the /opt/novell/sentinel/bin directory.

  3. Run the chg_keystore_pass.sh script and follow the on-screen prompts to change the keystore passwords.

  4. (Conditional) If you are using Sentinel Plug-ins SDK to create reports, perform the steps specified in NetIQ Knowledgebase Article 7018370.

(Bug 1000651 and Bug 881263)

1.4 Separate Log Files for Performance Snapshots

Performance Snapshot log entries are an important source for troubleshooting since they record key performance indicators over time. These log entries are written to the server.log files, which might be rolling over so often that the system performance snapshots are lost.

To prevent the loss of performance snapshot information among large numbers of other messages in the server.log files, the performance snapshot log entries have been moved to their own log files. By default, Sentinel writes the performance snapshot entries to rolling log files and stores these files in the /var/opt/novell/sentinel/log/ directory with the name performance_snapshot%u.%g.log.

1.5 Java Runtime Environment Upgrade

Sentinel includes Java 8 update 121, which includes fixes for several security vulnerabilities.

1.6 Customize the Event Limit to Export from Search Results

By default, you can export 200,000 events from search results to a CSV file. You can now customize the number of events you want to export from the search results.

To customize the event limit:

  1. Log in to the Sentinel server as the novell user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Add the sentinel.search.export.batchsize property and set the desired value.

    NOTE: If the value is too high, there may be system performance issues.

  4. Restart the Sentinel server.

1.7 Software Fixes

Sentinel 8.0 SP1 includes software fixes that resolve several issues.

Errors in SSDM Event Visualization Dashboards and Searches After Installing Elasticsearch Security Plug-In

Issue: In an RPM-based installation of Elasticsearch, Event Visualization dashboards and searches in SSDM do not work. (Bug 1014448)

Fix: Event Visualization dashboards and searches in SSDM now work.

Cannot Set the Count Value in Structured Correlation Rules to More Than 100

Issue: The Count value for structured correlation rules is limited to 100. (Bug 1021630)

Fix: The Count value limit for structured correlation rules has been increased to 2147483647.

Sentinel Main Interface Does Not Start

Issue: Sentinel Main interface does not start. The server logs display the following error:

Too many open files
ERROR: Out of file descriptors. Waiting one second before trying to accept more connections.

This issue occurs because the default operating system soft limit of 1024 is too low, so Sentinel runs out of file descriptors when there are too many open connections. (Bug 1023410)

Fix: Sentinel increases the operating system soft limit to 32768.

Sentinel Does Not Retain Collector Manager and Event Source Server Selections When You Log off and Log in

Issue: If you select more than one Collector Manager or Event Source Server in the Collection > Event Sources page in the Sentinel Main interface, Sentinel does not save these selections when you log off and log in again. (Bug 1006730)

Fix: Sentinel now saves the event source selections correctly.

Anomaly Detection Notification Emails Do Not Display Time in Local Time Zone of the Sentinel Server

Issue: When an anomaly triggers, the notification email that is sent contains the anomaly trigger time in Coordinated Universal Time (UTC), and not in the local time zone of the Sentinel server. (Bug 996559)

Fix: Anomaly detection notification emails now contain the time in the local time zone of the Sentinel server.

Sentinel Never Cleans Up the Event Associations Data

Issue: Sentinel does not clean up the event associations data present in the exported associations directory. As a result, the directory increases in size and might cause performance issues. (Bug 891686)

Fix: Sentinel now retains the event associations data that is present in the exported associations directory (/var/opt/novell/sentinel/data/eventdata/exported_associations) for 14 days by default. However, you can change this retention period.

Perform the following steps to change the event associations data retention period:

  1. Log in to the Sentinel server as the novell user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Add the following line in the file:

    sentinel.exportedAssociations.retention.period=<retention period>

    For example, if you want to set the Export Association files retention period to 90 days:

    sentinel.exportedAssociations.retention.period=90

  4. Save the modified configuration.properties file.

  5. Restart Sentinel.

Data Synchronization to Oracle 11g Does Not Work

Issue: Data synchronization to the Oracle 11g database does not work after upgrading Sentinel to version 8.0.0.1. This issue occurs because the Message (msg) event field size was increased from 4000 to 8000 characters in Sentinel 8.0.0.1 and Oracle 11g supports a maximum of 4000 characters. (Bug 1021125)

Fix: Run a script on the Oracle 11g table to change the Message field data type to nclob, which supports more than 4000 characters. For more information, see the Knowledge Base article.

Sentinel Does Not Handle Negative Numbers in Event Routing Rule Criteria Correctly

Issue: If you specify a negative number range as the event routing rule criteria where both the numbers in the range are negative (example: (cv1:[-2000000000 TO -500])), Sentinel does not process the rule and displays the following error:

Error FILT0001(Filter): Error occurred while retrieving global filters. 

(Bug 1018620)

Fix: Sentinel now handles negative numbers in the event routing rule criteria correctly.

Sentinel Displays Timeout Exceptions When Retrieving Raw Data Retention Size

Issue: Sentinel tries to retrieve the Raw Data Retention size in the Storage > Event user interface every 30 minutes. When there is a large number of rawdata_archive subdirectories, Sentinel takes a long time to retrieve the Raw Data Retention size and displays timeout exceptions. (Bug 983554)

Fix: Sentinel retrieves the Raw Data Retention size more efficiently. You can also set the threshold for the network storage size such that if it exceeds the threshold, Sentinel will not attempt to retrieve the Raw Data Retention size. By default, the threshold is 5000000000000 (5 TB).

You can change the threshold as follows:

  1. Log in to the Sentinel server as the novell user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Update the value of the diskstatistics.du.threshold property as required.

  4. Restart the Sentinel server.
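
The three configuration.properties procedures in these notes (sentinel.search.export.batchsize, sentinel.exportedAssociations.retention.period, and diskstatistics.du.threshold) each set one numeric key. The following shell helper is an added example, not part of NetIQ's documentation or tooling: it validates the value, keeps a backup, and replaces an existing assignment instead of appending a duplicate. The function names, the .bak suffix, and the positive-integer rule are assumptions; run it as the novell user and restart Sentinel afterwards, as the procedures require.

```shell
#!/bin/sh
# Added example: set one numeric key in Sentinel's configuration.properties.
# set_sentinel_property and get_sentinel_property are hypothetical helper
# names, not scripts shipped with Sentinel.

CONF_DEFAULT=/etc/opt/novell/sentinel/config/configuration.properties

# Usage: set_sentinel_property KEY VALUE [FILE]
# Returns 0 on success, 2 on rejected input, 1 on I/O failure.
set_sentinel_property() {
    key=$1
    value=$2
    file=${3:-$CONF_DEFAULT}

    # Accept only the keys described in these release notes.
    case $key in
        sentinel.search.export.batchsize) ;;
        sentinel.exportedAssociations.retention.period) ;;
        diskstatistics.du.threshold) ;;
        *) echo "unsupported key: $key" >&2; return 2 ;;
    esac

    # Assumption: every one of these values is a positive decimal integer.
    case $value in
        ''|0*|*[!0-9]*) echo "not a positive integer: $value" >&2; return 2 ;;
    esac

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Keep the previous version so a bad value can be rolled back.
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Copy every line except live assignments of this key. The match is
    # literal (no regex on the dotted key) and commented-out lines survive.
    awk -v k="$key" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1 &&
                substr(line, length(k) + 1) ~ /^[ \t]*[=:]/) next
            print
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"

    # Write through the existing inode so owner and mode stay unchanged.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Usage: get_sentinel_property KEY [FILE]; prints the value, if any.
get_sentinel_property() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }' \
        "${2:-$CONF_DEFAULT}"
}
```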

Sentinel Does Not Populate ObserverEventTime and SentinelProcessTime for Internal Events

Issue: Sentinel populates internal events only with the EventTime (dt) and not the ObserverEventTime (det) and SentinelProcessTime (spt) values. (Bug 1012776)

Fix: Sentinel now populates internal events with the ObserverEventTime (det) and SentinelProcessTime (spt) values.

Sentinel Displays the Minimum Disk Space Not Available Message When the Storage is Almost Full

Issue: Sentinel displays the following message in the audit logs when only 5 GB of the storage space is free, which is short notice for users to take any action:

Minimum disk space configured for PersistQueue (107 GB) is not available.

(Bug 1008357)

Fix: Sentinel now displays the message when 5% of the overall storage is available. For example, if the storage size is 1 TB, Sentinel displays the message when there is only 50 GB left in the storage.

Scheduled Reports Display Incorrect Report Date in Email

Issue: Scheduled reports display an incorrect report date in the email body. (Bug 1020988)

Fix: Scheduled reports now display the correct report date in email.

Cannot Receive Events from NetIQ eDirectory

Issue: NetIQ eDirectory Instrumentation cannot connect to Audit Connector through Platform Agent. As a result, Sentinel cannot receive events from eDirectory. This issue occurs because eDirectory Instrumentation uses the MD5 RSA certificate algorithm, which has been deprecated in Java 8 update 77 used in Sentinel 8.0.1. (Bug 985312)

Fix: eDirectory Instrumentation connects to Audit Connector through Platform Agent.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.

3.0 Upgrading to Sentinel 8.0 SP1

You can upgrade to Sentinel 8.0 SP1 from Sentinel 7.3 or later. For Sentinel Scalable Data Manager (SSDM), you can upgrade to Sentinel 8.0 SP1 from Sentinel 8.0 or later.

Download the Sentinel installer from the Patch Finder website. For information about upgrading to Sentinel 8.0 SP1, see Upgrading Sentinel in the NetIQ Sentinel Installation and Configuration Guide.

NOTE: If you want to use Sentinel Link Connector, you must upgrade it to version 2011.r4, which includes software fixes for compatibility issues with Sentinel 8.0.1 and later.

3.1 Upgrading the Sentinel Appliance

To upgrade the appliance, use the zypper command line utility because user interaction is required to complete the upgrade. WebYaST is not capable of facilitating the required user interaction. For more information about upgrading the appliance using zypper, see Upgrading the Appliance by Using zypper in the NetIQ Sentinel Installation and Configuration Guide.

3.2 Upgrading Sentinel Scalable Data Manager

After you upgrade Sentinel Scalable Data Manager (SSDM), you must re-submit the Spark applications so that they use the updated Spark files. Spark does not process any events that arrive during this phase until you re-submit the Spark applications. To avoid this issue, perform the steps mentioned in NetIQ Knowledge Base Article 7018726.

3.3 Change Guardian Compatibility

Sentinel 8.0 SP1 is compatible with Change Guardian 4.2 and later.

Before you upgrade, if your environment is not running a version of Change Guardian that is compatible with this version of Sentinel, you must first upgrade the Change Guardian Server, agents, and the Policy Editor to version 4.2 or later.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

4.1 Error When Upgrading Sentinel 8.0 and Later

Issue: When you upgrade Sentinel 8.0 and later, the installer displays the following error:

Installing: novell-Sentinelwebapp-8.0.0.1-3404 [done]
Additional rpm output:
/var/tmp/rpm-tmp.28463: line 263: [: search.hideUI=false: binary operator expected
/var/tmp/rpm-tmp.40511: line 254: [: too many arguments

(Bug 1025512)

Workaround: Ignore the error. There is no functional impact.

4.2 SSDM in HA Mode Does Not Populate Elasticsearch Security Plug-In Configuration Files Properly

Issue: SSDM in high availability mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)

Workaround: After installing the Elasticsearch security plug-in, perform the following steps on each node of the Elasticsearch cluster:

  1. Log in to the Elasticsearch node as the user that Elasticsearch was installed as.

  2. Add entries for the physical IP address of each active node and passive node of the HA cluster in the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/elasticsearch-ip-whitelist.txt file as follows:

    <Cluster_Node_Physical_IP>:<Target_Elasticsearch_HTTP_Port>

    Add each entry in a new line and save the file.

  3. In the <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin/plugin-configuration.properties file, set the authServer.host property to the virtual IP address of the HA cluster as follows:

    authServer.host=<Cluster_Virtual_IP>

  4. Restart Elasticsearch.
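
Because the workaround has to be repeated on every Elasticsearch node, a read-only check helps confirm that no node was missed. The following is an added example, not part of NetIQ's documentation or tooling: it reports each HA node entry missing from elasticsearch-ip-whitelist.txt and any authServer.host value that is not the cluster's virtual IP. The function name and its argument order are assumptions.

```shell
#!/bin/sh
# Added example: read-only check of the section 4.2 workaround on one
# Elasticsearch node. check_es_ha_config is a hypothetical name.

# Usage: check_es_ha_config PLUGIN_DIR ES_HTTP_PORT VIRTUAL_IP NODE_IP...
#   PLUGIN_DIR  <elasticsearch_install_directory>/plugins/elasticsearch-security-plugin
#   NODE_IP...  physical IP of every active and passive HA cluster node
# Example with constructed addresses:
#   check_es_ha_config "$PLUGIN_DIR" 9200 192.0.2.10 192.0.2.11 192.0.2.12
# Prints one line per finding. Returns 0 when the files match the
# workaround, 1 when something is missing, 2 on usage or read errors.
check_es_ha_config() {
    [ "$#" -ge 4 ] || {
        echo "usage: check_es_ha_config DIR PORT VIP NODE_IP..." >&2
        return 2
    }
    plugin_dir=$1
    port=$2
    vip=$3
    shift 3
    whitelist=$plugin_dir/elasticsearch-ip-whitelist.txt
    props=$plugin_dir/plugin-configuration.properties
    findings=0

    for required in "$whitelist" "$props"; do
        [ -r "$required" ] || { echo "cannot read $required" >&2; return 2; }
    done

    # Normalise the whitelist once: drop CRs and trailing blanks so an entry
    # saved with Windows line endings or a stray space is still recognised.
    entries=$(tr -d '\r' < "$whitelist" | sed 's/[[:space:]]*$//')

    # Every active and passive node needs its own <IP>:<port> line.
    for ip in "$@"; do
        if ! printf '%s\n' "$entries" | grep -qxF -- "$ip:$port"; then
            echo "missing whitelist entry: $ip:$port"
            findings=$((findings + 1))
        fi
    done

    # authServer.host must name the cluster's virtual IP, not a node address.
    # If the key appears more than once, the last occurrence is reported.
    actual=$(awk -F= '
        /^[ \t]*authServer\.host[ \t]*=/ { v = $2 }
        END { gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }' "$props")
    if [ "$actual" != "$vip" ]; then
        echo "authServer.host is '${actual:-unset}', expected '$vip'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```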

4.3 Sentinel Does Not Display the Alert Dashboards After Upgrade

Issue: Sentinel does not display the Alert dashboards after upgrade. This issue occurs because Sentinel does not delete the Alert dashboard related temporary directory during upgrade. (Bug 984796)

Workaround: Delete the temporary files manually by performing the following procedure:

  1. Log in to the Sentinel server as the novell user.

  2. Change to the webapps directory as follows:

    cd /var/opt/novell/sentinel/3rdparty/jetty/webapps/

  3. Remove the sentinel-elasticsearch-proxy.tmp directory as follows:

    rm -rf sentinel-elasticsearch-proxy.tmp

  4. Change to the contexts directory and update the timestamp of the sentinel-elasticsearch-proxy.xml file as follows:

    cd /etc/opt/novell/sentinel/3rdparty/jetty/contexts/

    touch sentinel-elasticsearch-proxy.xml

  5. Refresh the Sentinel Main interface to view the Alert dashboards.

4.4 Synchronization Needs to be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS 140-2 Mode

Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)

Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:

  1. Log in as the root user on the active node.

  2. Open the /etc/csync2/csync2.cfg file.

  3. Change the following line:

    include /etc/opt/novell/sentinel/3rdparty/nss/*;

    to

    include /etc/opt/novell/sentinel/3rdparty/nss;

  4. Save the csync2.cfg file.

  5. Start the synchronization manually by running the following command:

    csync2 -x -v

4.5 Tile Map Visualizations Do Not Work in Sentinel Scalable Data Manager

Issue: In SSDM environments, if you create a tile map visualization with default options, an issue with Kibana prevents the new tile map visualization from working in the Event Visualization dashboard. For more information about the Kibana issue, see https://github.com/elastic/kibana/issues/7717. (Bug 1001909)

Workaround: When you create a new tile map visualization, under Options, select WMS compliant map server.

4.6 Cannot Launch Event Visualization Dashboard

Issue: An issue with Kibana prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)

Workaround: Use a different browser to view or modify the Visualization dashboard.

4.7 Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode

Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)

Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:

  1. Install Sentinel. For more information, see Installing Sentinel in the Sentinel Installation and Configuration Guide.

  2. Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode in the Sentinel Installation and Configuration Guide.

  3. Use the following command to enable the operating system to run in FIPS mode:

    fips=1 /boot/grub/menu.lst

4.8 Cannot Receive Events through Sentinel Link Connector

Issue: Sentinel does not receive events through Sentinel Link Connector. (Bug 989784)

Workaround: The Sentinel Link Connector version 2011.1r4 resolves this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the preview version of the Connector from the Previews section.

4.9 When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays

Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:

Failed to set encrypted password

(Bug 967764)

Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.

4.10 Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager

Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)

Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.

4.11 StreamingEventIndexer Job Does Not Support IPv6

Issue: The com.novell.sentinel.spark.StreamingEventIndexer job does not support IPv6. If an event contains an IPv6 address, the job fails. (Bug 1006975)

Workaround: The workaround is to change the IP type to a string. To make this change, contact technical support.

4.12 Multiple SEVERE Messages in the Server Logs After You Enable Scalable Storage

Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:

SEVERE|TimerThreadPool pool|esecurity.ccs.comp.scalablestorage.KibanaVisualAnalyticsUtil.initializeKibanaMappingSearchUnsuccessful in initializing the kibana mapping search call with status code 400

(Bug 1009662)

Workaround: You can safely ignore these messages. There is no functional impact.

4.13 Exception in the Sentinel Server Log When You Upgrade Sentinel Versions Prior to 7.3 SP1 to Versions 7.3 SP1 and Later

Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:

Invalid length of data object ......

(Bug 933640)

Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.

4.14 Cannot View Alerts with IPv6 Data in Alert Views

Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)

Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.

4.15 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Sentinel Installations

Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

4.16 Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format

Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (Bug 913014)

Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.

4.17 Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions

Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)

Workaround: Update the role with one of the following options:

  1. Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].

  2. Select View system events.

  3. Select View all event data (including raw data and NetFlow data).

4.18 The Event fields Panel is Missing in the Schedule Page When Editing Some Saved Searches

Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)

Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.

4.19 Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search

Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)

Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.

4.20 Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline

Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)

Workaround: The correct dates are updated after the baseline regeneration is complete.

4.21 Sentinel Server Shuts Down When Running a Search If There Are a Large Number of Events in a Single Partition

Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)

Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.

You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.

For more information, see Configuring Data Retention Policies in the NetIQ Sentinel Administration Guide.

4.22 Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations

Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)

Workaround: Configure Sentinel ports for firewall exceptions through the following steps:

  1. Open the /etc/sysconfig/SuSEfirewall2 file.

  2. Change the following line:

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"

    to

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"

  3. Restart Sentinel.

4.23 Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)

Workaround: There is no workaround at this time.

4.24 Sentinel Cannot Access Security Intelligence, Netflow, and Alert Data in FIPS 140-2 Mode

Issue: When you install Sentinel in FIPS 140-2 mode, the connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, Netflow, and alert data. (Bug 915241)

Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.

4.25 The Web Browser Displays an Error When Exporting Search Results in Sentinel

Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)

Workaround: To export search results properly, perform either of the following:

  • While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.

  • Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.

4.26 Unable to View More Than One Report Result at a Time

Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)

Workaround: Click the second report result PDF again to view the report result.

4.27 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.

4.28 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

4.29 Active Search Jobs Duration and Accessed Columns Inaccuracies

Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)

Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.

4.30 IssueSAMLToken Audit Event Displays Incorrect Information in the Security Intelligence Dashboard

Issue: When you log in to the security dashboard and perform a search for the IssueSAMLToken audit event, the IssueSAMLToken audit event displays an incorrect hostname (InitiatorUserName) or IP address (SourceIP). (Bug 870609)

Workaround: There is no workaround at this time.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.