Sentinel 8.1 Release Notes

June 2017

Sentinel 8.1 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.

For the latest version of these release notes, see Sentinel 8.1 Release Notes.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Security Vulnerability Fixes

Sentinel 8.1 provides additional fixes to resolve the CVE-2016-1000031 vulnerability, which was discovered by Jacob Baines from Tenable Network Security. We would like to offer our thanks to Jacob Baines for finding and reporting these security vulnerabilities to us.

1.2 New Authentication Methods

Sentinel 8.1 introduces the following new authentication methods:

  • Kerberos Authentication: Uses secret-key cryptography to provide strong authentication.

  • Multi-factor Authentication (MFA): A more advanced method of authentication that requires a combination of at least two factors, for example a password combined with a token, or a smart card combined with a fingerprint.

  • OAuth Authentication: Allows users to log in to Sentinel using providers such as Google or Facebook.

1.3 New Dashboards

Sentinel 8.1 introduces the following new dashboards:

  • Security Health Dashboard: Provides a high-level overview of the current state of system security as it relates to threats from low-reputation IP addresses, known vulnerabilities, and potential exploitation of those vulnerabilities, including whether the system appears secure or compromised.

  • Events Overview Dashboard: Provides a high-level overview of all incoming events. The widgets provide information on specific types, such as correlation events, system events, and others.

1.4 Managing Multiple Dashboards

Sentinel 8.1 introduces the capability to manage multiple dashboards. The first time you log in, Sentinel takes you to Manage Dashboards. From here, you can:

  • Access any dashboard to which you have permissions

  • Create a new dashboard

  • Set any dashboard as your home page

1.5 Deprecation of Alert Views and Event Views in Sentinel Main

With the availability of Threat Intelligence and Events Overview dashboards in My Sentinel, the Alert Views and Event Views in Sentinel Main > Real-time Views are now deprecated and will be removed in the future to avoid redundancy of user interfaces for these features.

1.6 Additions to Scalable Storage Functionality

This release includes several additions to expand the Sentinel scalable storage functionality:

Additional Features in Sentinel Scalable Data Manager

Sentinel Scalable Data Manager (SSDM) now includes the following Sentinel Enterprise capabilities:

  • Correlation

    • Real-time event pattern correlation

    • Actions triggered by correlation rules

    • Alerts triage and visualization

  • User identity data integration

  • NetFlow collection and visualization

  • Data federation

  • Solution Designer

For information about the Sentinel Enterprise services and features not available in SSDM, see Scalable Storage Configuration in the NetIQ Sentinel Installation and Configuration Guide.

Enabling Scalable Storage in Upgrade Installations

You no longer need to do a fresh installation of Sentinel to use the scalable storage capability. You can now enable scalable storage in upgrade installations of Sentinel as well. For information about enabling scalable storage, see Configuring Scalable Storage in the NetIQ Sentinel Administration Guide.

Migrating Data From Traditional Storage to Scalable Storage

If you want to leverage your existing data in traditional storage in Sentinel with scalable storage, you can now migrate data from traditional storage to scalable storage. For more information, see Migrating Data from Sentinel with Traditional Storage in the NetIQ Sentinel Administration Guide.

Distributing Events Across Correlation Engines

In a scalable storage setup, where the EPS rate is usually high, Correlation Engines can be loaded with a large number of events to process. By default, all events are sent to all Correlation Engines. To avoid event overload, you can check the EPS utilization of each Correlation Engine and then distribute the event load evenly across multiple Correlation Engines as necessary. Distributing events across Correlation Engines not only helps you balance the event load, it also lets you route each tenant's events to specific Correlation Engines. For example, in a multi-tenant environment, you can set up designated Correlation Engines for each tenant so that each Correlation Engine processes only the events of that tenant.

The option to distribute events across Correlation Engines is available only in Sentinel with scalable storage. For more information, see Distributing Events Across Correlation Engines in the NetIQ Sentinel User Guide.

1.7 Configuring Threat Intelligence Data Sources

The Threat Intelligence Solution Pack in previous versions of Sentinel includes data sources such as Palevo and ZeuS, which provide a known list of botnet IP addresses. Starting with Sentinel 8.1, these data sources are no longer part of the Solution Pack and are available out-of-the-box when you install Sentinel. In addition to Palevo and ZeuS, Sentinel also provides additional data sources that supply information about existing or emerging threats to an organization's security. Many of these data sources are updated daily. Sentinel can download this data into a map file, update it at scheduled intervals or on demand, and incorporate the relevant threat information into correlation rules. The option to manage these threat intelligence data sources is now available in Integration > Threat Intelligence Sources in Sentinel Main.

For more information, see Configuring Threat Intelligence Data Sources in the NetIQ Sentinel Administration Guide.

1.8 Manage Dynamic Lists in Sentinel Main

You no longer need to use Sentinel Control Center to configure or manage Dynamic Lists. The user interface to configure and manage Dynamic Lists is now available in Sentinel Main with improved usability. For more information, see Configuring Dynamic Lists in the NetIQ Sentinel User Guide.

1.9 Updates to Certified Platforms

There are several updates to the Sentinel certified platforms. For detailed information about the certified platforms, see the Technical Information for Sentinel page.

New Certified Platforms

Sentinel is now certified on the following platforms:

Traditional installation:

  • SUSE Linux Enterprise Server 12 SP2 64-bit

  • Red Hat Enterprise Linux Server 6.8 64-bit

Appliance installation:

  • VMware ESX 6.5 (for both ISO and OVF)

  • Hyper-V Server 2016 (ISO only)

Data Synchronization: Microsoft SQL Server 2016

Deprecated Platforms

SUSE Linux Enterprise Server 12 SP1

1.10 Latest Plug-Ins

New installations of Sentinel include the latest versions of several Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Web site.

Upgrade installations of Sentinel update the following plug-ins to ensure that these plug-ins are compatible with Sentinel 8.1 and later:

  • Sentinel Agent Manager Connector to version 2017.1r1

  • Sentinel Link Connector to version 2011.1r5

1.11 Software Fixes

Sentinel 8.1 includes software fixes that resolve several issues.

Cannot Search for Failed Report Jobs

Issue: When a report job fails, you cannot search for it as an event. (Bug 1017358)

Fix: It is now possible to search for a failed report job as an event.

Sentinel Does Not Log Delayed Event Sources

Issue: Sentinel can log the event sources whose events arrive delayed beyond a specified threshold, which is helpful for troubleshooting delayed-arrival issues. However, Sentinel was not writing the event sources to the log file. (Bug 979931)

Fix: Sentinel now updates the log file as part of the performance snapshot.

Error Occurs When an Anomaly Definition Configured with Baseline Attempts to Send Email Notification

Issue: If you configure an anomaly definition to send an email notification when there is a deviation from the baseline, Sentinel cannot send the email and returns an IllegalStateException error. (Bug 816622)

Fix: Sentinel now correctly sends the email.

Report Fails if ‘From Date’ is Later than Current Date

Issue: If you schedule a report to run with the current date range but the From date is in the future, the report fails. (Bug 914094)

Fix: Sentinel allows you to set the From date to a future date to report event sources that are not properly time-synchronized. Sentinel now runs the report without error.

Saving a Search to CSV Does Not Maintain Specified Field Order

Issue: When you save a search to a CSV file, the CSV file does not maintain the specified order of the fields. (Bug 979916)

Fix: When you save a search to a CSV file, the CSV file now maintains the specified field order.

After Restarting the Sentinel Service on a Collector Manager Computer with Multiple Database Collectors, Some Collectors Cannot Reconnect

Issue: If you restart the Sentinel service on a Collector Manager computer that has multiple database collectors, some of the collectors are unable to reconnect to the event sources. (Bug 1015375, Bug 1041866)

Fix: All collectors now reconnect after you restart the Sentinel service.

Some Edit Criteria Options Create Invalid Searches

Issue: If you modify the criteria for a search and select Begin Time, End Time, or Sentinel Process Time, the search results are invalid. (Bug 894421)

Fix: The Begin Time, End Time, or Sentinel Process Time options are no longer available when editing search criteria.

Custom Certificate Prevents Sentinel Agent Manager from Connecting to Sentinel

Issue: If a custom certificate subject contains multiple attributes or special characters, Sentinel Agent Manager is unable to connect to Sentinel. (Bug 1018133)

Fix: Sentinel Agent Manager is now able to connect to Sentinel when the custom certificate subject contains multiple attributes or special characters.

Error When Upgrading Sentinel 8.0 and Later

Issue: When you upgrade Sentinel 8.0 and later, the installer displays the following error:

Installing: novell-Sentinelwebapp-8.0.0.1-3404 [done]
Additional rpm output:
/var/tmp/rpm-tmp.28463: line 263: [: search.hideUI=false: binary operator expected
/var/tmp/rpm-tmp.40511: line 254: [: too many arguments

(Bug 1025512)

Fix: This error no longer occurs during the upgrade process.

/SentinelRESTServices/objects/alert/count API Always Returns 0

Issue: Running the /SentinelRESTServices/objects/alert/count API always returns 0, even if there are multiple alerts. (Bug 1028317)

Fix: The /SentinelRESTServices/objects/alert/count API now returns the correct number of alerts.

Event Detail Fields Display Incorrectly Formatted Dates

Issue: When viewing all event details, dates and times are incorrectly formatted in the UTC (Coordinated Universal Time) format. (Bug 1031523, Bug 1034531)

Fix: Event detail fields now display all dates in the format appropriate to the specified locale in your browser.

Multiple SEVERE Messages in the Server Logs After You Enable Scalable Storage

Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:

SEVERE|TimerThreadPool pool|esecurity.ccs.comp.scalablestorage.KibanaVisualAnalyticsUtil.initializeKibanaMappingSearchUnsuccessful in initializing the kibana mapping search call with status code 400

You can safely ignore these messages. There is no functional impact. (Bug 1009662)

Fix: The SSDM server logs no longer display this message.

SSDM in HA Mode Does Not Populate Elasticsearch Security Plug-In Configuration Files Properly

Issue: SSDM in HA (high availability) mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)

Fix: SSDM in high availability mode now correctly populates the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files.

Errors in SSDM Event Visualization Dashboards and Searches After Installing Elasticsearch Security Plug-In

Issue: In an RPM-based installation of Elasticsearch, Event Visualization dashboards and searches in SSDM do not work. (Bug 1014448)

Fix: Event Visualization dashboards and searches in SSDM now work.

Cannot Receive Events from NetIQ eDirectory

Issue: NetIQ eDirectory Instrumentation cannot connect to the Audit Connector through Platform Agent. As a result, Sentinel cannot receive events from eDirectory. This issue occurs because eDirectory Instrumentation uses the MD5 RSA certificate signature algorithm, which is deprecated as of Java 8 update 77, the Java version used in Sentinel 8.1. (Bug 985312)

Fix: A new version of Audit Connector allows Sentinel to receive events from eDirectory.

StreamingEventIndexer Job Does Not Support IPv6

Issue: The com.novell.sentinel.spark.StreamingEventIndexer job does not support IPv6. If an event contains an IPv6 address, the job fails. (Bug 1006975)

Fix: The com.novell.sentinel.spark.StreamingEventIndexer job now supports IPv6.

Sentinel Agent Manager 7.3 Does Not Consider the RawDataTapFileSize Configuration

Issue: Sentinel Agent Manager 7.3 ignores the value specified in the RawDataTapFileSize attribute in the SMServiceHost.exe.config file for the raw data file size configuration, and stops writing to the raw data file when the file size reaches 10 MB. (Bug 867954)

Fix: Sentinel Agent Manager correctly uses the specified values in the RawDataTapFileSize attribute in the SMServiceHost.exe.config file and writes new data to the raw data file.

Tile Map Visualizations Do Not Work in Sentinel Scalable Data Manager

Issue: In SSDM environments, if you create a tile map visualization with default options, an issue with Kibana prevents the new tile map visualization from working in the Event Visualization dashboard. For more information about the Kibana issue, see https://github.com/elastic/kibana/issues/7717. (Bug 1001909)

Fix: Tile map visualizations with default options now work correctly in the Event Visualization dashboard.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.

3.0 Installing Sentinel 8.1

For information about installing Sentinel 8.1, see the NetIQ Sentinel Installation and Configuration Guide.

4.0 Upgrading to Sentinel 8.1

You can upgrade to Sentinel 8.1 from Sentinel 7.4 and later.

For information about upgrading to Sentinel 8.1, see the NetIQ Sentinel Installation and Configuration Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

5.1 Installation of Collector Manager and Correlation Engine Appliance Fails in Languages Other than English in MFA Mode

Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)

Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.

5.2 Sentinel Cannot Run Local Reports with Default EPS License

Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error:

License for Distributed Search feature is expired

(Bug 1034656)

Workaround: To run reports in the same JVM as Sentinel, complete the following steps:

  1. Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/obj-component.JasperReportingComponent.properties file.

  2. Locate the reporting.process.oktorunstandalone property.

  3. (Conditional) If the property is not in the file, add it.

  4. Set the property to false. For example:

    reporting.process.oktorunstandalone=false

  5. Restart Sentinel.

5.3 Correlation Engine is Disconnected After Upgrade

Issue: Recent changes to how Sentinel validates rules cause the Correlation Engine to fail to connect if your environment has an older deployed rule with incorrect syntax. (Bug 1039598)

Workaround: To reconnect the Correlation Engine, you can correct the syntax in the rule that is causing the problem and then restart Sentinel.

To find the rule and correct its syntax, complete the following steps:

  1. In the server.log file, search for Failed to initialize CorrelationEngine.

    For example, when you search for Failed to initialize CorrelationEngine, you will see a log message similar to the following:

    Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate

    Failed to initialize CorrelationEngine

    Scroll up to see the previous log message, which specifies the rule and displays its syntax. It will be similar to the following:

    Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate

    Root cause: Duration must be within a day (antlr.RecognitionException)

    esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")) AND ((e.dhn = "n0")) AND ((e.fn != "favicon.ico")) AND ((e.fn != "apple-touch-icon-precomposed.png")) AND ((e.fn != "apple-touch-icon.png")) AND ((e.fn != "apple-touch-icon-120x120-precomposed.png")) AND ((e.fn != "apple-touch-icon-120x120.png")))flow trigger(20,86460,discriminator(e.sip))

    In this example, the log message indicates the problem occurred because the specified duration was longer than a day. The syntax of the rule specifies more seconds (86460) than are in a day (86400).

  2. Log in to Sentinel.

  3. Open a new browser tab.

  4. In the new tab, go to the following URL:

    https://<YOUR SENTINEL IP>:8443/SentinelRESTServices/objects/correlation-rule

  5. To find the rule name and ID in the list of correlation rules, search for a unique part of the rule syntax, such as 86460.

  6. (Conditional) If you cannot find the rule name and ID in the list of correlation rules, complete the following steps:

    1. In a command prompt, switch to the novell user. Use the following command:

      su - novell

    2. Change to the /opt/novell/sentinel/bin directory.

    3. Use the following SQL command:

      ./db.sh sql SIEM dbauser "select * from CORR_RULE where rule_lg like '%UniqueText%'"

      Where UniqueText is a unique part of the rule syntax, such as 86460.

  7. (Conditional) If you have not already switched to the novell user, open a command prompt and switch to the novell user. Use the following command:

    su - novell

  8. Change to the /opt/novell/sentinel/bin directory.

  9. Verify the rule is in the database. Use the following SQL command:

    ./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  10. Update the rule with a new filter that will not trigger an error during validation. Use the following SQL command:

    ./db.sh sql SIEM dbauser "update CORR_RULE set rule_lg = 'filter(1=0)' where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  11. Verify the filter has been changed in the database. Use the following SQL command:

    ./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  12. Stop Sentinel. Use the following command:

    ./server.sh stop

  13. Restart Sentinel. Use the following command:

    ./server.sh start
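To catch such a rule before an upgrade, or to confirm which rule caused the disconnect, the following added Python script (not part of the release notes or of the Sentinel product) scans a server.log excerpt for SEN-13003 lines and flags rules whose trigger duration exceeds the 86400 seconds of a day. The log excerpt is constructed from the example above with the rule text shortened, and the only rule grammar assumed is the trigger(count, duration, ...) clause shown there.

```python
import re

SECONDS_PER_DAY = 86400

# Matches the "trigger(count, duration, ...)" clause of a correlation rule,
# e.g. "flow trigger(20,86460,discriminator(e.sip))" in the log excerpt.
TRIGGER_RE = re.compile(r"trigger\(\s*(\d+)\s*,\s*(\d+)\s*,")

# Matches a SEN-13003 line and captures the rule definition that follows it.
SEN13003_RE = re.compile(r"SEN-13003 Invalid Rule Definition:\s*(.+)$")


def trigger_window(rule_text):
    """Return (count, duration_seconds) from the rule's trigger clause, or None if absent."""
    m = TRIGGER_RE.search(rule_text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def check_rule(rule_text):
    """Return a problem description if the rule fails the one-day duration check, else None.

    Only the "Duration must be within a day" validation from the release notes is
    implemented here (assumption: other validation checks are out of scope).
    """
    window = trigger_window(rule_text)
    if window is None:
        return None  # a filter-only rule such as filter(1=0) has no trigger window
    _, duration = window
    if duration > SECONDS_PER_DAY:
        return ("trigger duration %d exceeds one day (%d seconds); "
                "search the correlation rule list for %d to find the rule ID"
                % (duration, SECONDS_PER_DAY, duration))
    return None


def scan_server_log(log_text):
    """Return [(rule_text, problem)] for every SEN-13003 rule in the log that fails check_rule."""
    findings = []
    for line in log_text.splitlines():
        m = SEN13003_RE.search(line)
        if m is None:
            continue
        rule_text = m.group(1).strip()
        problem = check_rule(rule_text)
        if problem is not None:
            findings.append((rule_text, problem))
    return findings


# Constructed sample log excerpt, modelled on the one in the release notes (rule shortened).
SAMPLE_LOG = """\
Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Root cause: Duration must be within a day (antlr.RecognitionException)
esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")))flow trigger(20,86460,discriminator(e.sip))
Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Failed to initialize CorrelationEngine
"""

if __name__ == "__main__":
    for rule_text, problem in scan_server_log(SAMPLE_LOG):
        print(problem)
        print("  rule:", rule_text)
```

check_rule can also be run over rule definitions fetched from the correlation-rule REST listing or the CORR_RULE table, since it needs only the rule text.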

5.4 Synchronization Needs to be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS 140-2 Mode

Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)

Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:

  1. Log in as the root user on the active node.

  2. Open the /etc/csync2/csync2.cfg file.

  3. Change the following line:

    include /etc/opt/novell/sentinel/3rdparty/nss/*;

    to

    include /etc/opt/novell/sentinel/3rdparty/nss;

  4. Save the csync2.cfg file.

  5. Start the synchronization manually by running the following command:

    csync2 -x -v

5.5 Cannot Launch Event Visualization Dashboard

Issue: Internet Explorer 11 cannot open the Event Visualization dashboard. (Bug 981308)

Workaround: Use a different browser to view or modify the Visualization dashboard.

5.6 Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode

Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)

Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:

  1. Install Sentinel. For more information, see Installing Sentinel in the Sentinel Installation and Configuration Guide.

  2. Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode in the Sentinel Installation and Configuration Guide.

  3. Enable FIPS mode in the operating system by adding the following kernel boot parameter to the kernel line in /boot/grub/menu.lst (the parameter takes effect at the next boot):

    fips=1

5.7 When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays

Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:

Failed to set encrypted password

(Bug 967764)

Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.

5.8 Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager

Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)

Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.

5.9 Exception in the Sentinel Server Log When You Upgrade Sentinel Versions Prior to 7.3 SP1 to Versions 7.3 SP1 and Later

Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:

Invalid length of data object ......

(Bug 933640)

Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.

5.10 Cannot View Alerts with IPv6 Data in Alert Views

Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)

Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.

5.11 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Sentinel Installations

Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

5.12 Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format

Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (Bug 913014)

Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.

5.13 Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions

Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)

Workaround: Update the role with one of the following options:

  1. Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].

  2. Select View system events.

  3. Select View all event data (including raw data and NetFlow data).

5.14 The Event fields Panel is Missing in the Schedule Page When Editing Some Saved Searches

Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)

Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.

5.15 Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search

Issue: Sentinel does not return any correlated events when you click the icon next to Fire count in the Activity statistics panel on the Correlation Summary page for a rule, which searches for all correlated events generated after the rule was deployed or enabled. (Bug 912820)

Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.

5.16 Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline

Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)

Workaround: The correct dates are updated after the baseline regeneration is complete.

5.17 Sentinel Server Shuts Down When Running a Search If There Is a Large Number of Events in a Single Partition

Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)

Workaround: Create retention policies in such a way that at least two partitions are open in a day. Having more than one partition open reduces the number of events indexed in each partition.

You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.

For more information, see Configuring Data Retention Policies in the NetIQ Sentinel Administration Guide.

5.18 Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations

Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)

Workaround: Configure Sentinel ports for firewall exceptions through the following steps:

  1. Open the /etc/sysconfig/SuSEfirewall2 file.

  2. Change the following line:

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"

    to

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"

  3. Restart Sentinel.

5.19 Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)

Workaround: There is no workaround at this time.

5.20 The Web Browser Displays an Error When Exporting Search Results in Sentinel

Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)

Workaround: To export search results properly, perform either of the following:

  • While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.

  • Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.

5.21 Unable to View More Than One Report Result at a Time

Issue: While you wait for one report result PDF to open, particularly a report result covering 1 million events, clicking another report result PDF does not display that report result. (Bug 804683)

Workaround: Click the second report result PDF again to view the report result.

5.22 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.

5.23 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

5.24 Active Search Jobs Duration and Accessed Columns Inaccuracies

Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)

Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.

5.25 IssueSAMLToken Audit Event Displays Incorrect Information in the Security Intelligence Dashboard

Issue: When you log in to the security dashboard and search for the IssueSAMLToken audit event, the event displays an incorrect hostname (InitiatorUserName) or IP address (SourceIP). (Bug 870609)

Workaround: There is no workaround at this time.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.