Sentinel 8.1 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.
For the latest version of these release notes, see Sentinel 8.1 Release Notes.
The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:
Sentinel 8.1 provides additional fixes to resolve the CVE-2016-1000031 vulnerability, which was discovered by Jacob Baines from Tenable Network Security. We would like to offer our thanks to Jacob Baines for finding and reporting these security vulnerabilities to us.
Sentinel 8.1 introduces the following new authentication methods:
Kerberos Authentication: Uses secret-key cryptography to provide strong authentication.
Multi-factor Authentication (MFA): A more advanced method of authentication that uses a combination of at least two factors. For example, a combination of a password and a token or a smart card and a fingerprint.
OAuth Authentication: Allows users to log in to Sentinel using providers such as Google or Facebook.
Sentinel 8.1 introduces the following new dashboards:
Security Health Dashboard: Provides a high-level overview of system security as it relates to threats from low-reputation IP addresses, vulnerabilities, and potential exploitation of any vulnerabilities. The dashboard provides a high-level overview of the current state of system security, including information about whether the system is secure or compromised.
Events Overview Dashboard: Provides a high-level overview of all incoming events. The widgets provide information on specific types, such as correlation events, system events, and others.
Sentinel 8.1 introduces the capability to manage multiple dashboards. The first time you log in, Sentinel takes you to Manage Dashboards. From here, you can:
Access any dashboard to which you have permissions
Create a new dashboard
Set any dashboard as your home page
With the availability of Threat Intelligence and Events Overview dashboards in My Sentinel, the Alert Views and Event Views in Sentinel Main > Real-time Views are now deprecated and will be removed in the future to avoid redundancy of user interfaces for these features.
This release includes several additions to expand the Sentinel scalable storage functionality:
Sentinel Scalable Data Manager (SSDM) now includes the following Sentinel Enterprise capabilities:
Correlation
Real-time event pattern correlation
Actions triggered by correlation rules
Alerts triage and visualization
User identity data integration
NetFlow collection and visualization
Data federation
Solution Designer
For information about the Sentinel Enterprise services and features not available in SSDM, see Scalable Storage Configuration in the NetIQ Sentinel Installation and Configuration Guide.
You no longer need to do a fresh installation of Sentinel to use the scalable storage capability. You can now enable scalable storage even in upgrade installations of Sentinel. For information about enabling scalable storage, see Configuring Scalable Storage in the NetIQ Sentinel Administration Guide.
If you want to leverage your existing data in traditional storage in Sentinel with scalable storage, you can now migrate data from traditional storage to scalable storage. For more information, see Migrating Data from Sentinel with Traditional Storage in the NetIQ Sentinel Administration Guide.
In a scalable storage setup where the EPS rate is usually high, Correlation Engines could be loaded with a large number of events to process. By default, all events are sent to all Correlation Engines. To avoid event overload, you can check the EPS utilization on the Correlation Engine and then distribute the event load evenly across multiple Correlation Engines as necessary. Distributing events across Correlation Engines not only helps you in balancing the event load, it also helps you segregate events tenant-wise to specific Correlation Engines. For example, in a multi-tenant environment, you can set up designated Correlation Engines for each tenant so that the Correlation Engine processes events specific to each tenant.
The option to distribute events across Correlation Engines is available only in Sentinel with scalable storage. For more information, see Distributing Events Across Correlation Engines in the NetIQ Sentinel User Guide.
The Threat Intelligence Solution Pack in previous versions of Sentinel included data sources such as Palevo and ZeuS, which provide a known list of botnet IP addresses. Starting with Sentinel 8.1, these data sources are no longer part of the Solution Pack and are available out-of-the-box when you install Sentinel. In addition to Palevo and ZeuS, Sentinel provides other data sources with information about existing or emerging threats to an organization’s security. Many of these data sources are updated daily. Sentinel provides the ability to download this data into a map file, update it at scheduled intervals or as needed, and incorporate the relevant threat information into correlation rules. The option to manage these threat intelligence data sources is now available in Integration > Threat Intelligence Sources in Sentinel Main.
For more information, see Configuring Threat Intelligence Data Sources in the NetIQ Sentinel Administration Guide.
You no longer need to use Sentinel Control Center to configure or manage Dynamic Lists. The user interface to configure and manage Dynamic Lists is now available in Sentinel Main with improved usability. For more information, see Configuring Dynamic Lists in the NetIQ Sentinel User Guide.
There are several updates to the Sentinel certified platforms. For detailed information about the certified platforms, see the Technical Information for Sentinel page.
Sentinel is now certified on the following platforms:
Traditional installation:
SUSE Linux Enterprise Server 12 SP2 64-bit
Red Hat Enterprise Linux Server 6.8 64-bit
Appliance installation:
VMware ESX 6.5 (for both ISO and OVF)
Hyper-V Server 2016 (ISO only)
Data Synchronization: Microsoft SQL Server 2016
SUSE Linux Enterprise Server 12 SP1
New installations of Sentinel include the latest versions of several Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Web site.
Upgrade installations of Sentinel update the following plug-ins to ensure that these plug-ins are compatible with Sentinel 8.1 and later:
Sentinel Agent Manager Connector to version 2017.1r1
Sentinel Link Connector to version 2011.1r5
Sentinel 8.1 includes software fixes that resolve several issues.
Error Occurs When an Anomaly Definition Configured with Baseline Attempts to Send Email Notification
Saving a Search to CSV Does Not Maintain Specified Field Order
Custom Certificate Prevents Sentinel Agent Manager from Connecting to Sentinel
/SentinelRESTServices/objects/alert/count API Always Returns 0
Multiple SEVERE Messages in the Server Logs After You Enable Scalable Storage
SSDM in HA Mode Does Not Populate Elasticsearch Security Plug-In Configuration Files Properly
Sentinel Agent Manager 7.3 Does Not Consider the RawDataTapFileSize Configuration
Tile Map Visualizations Do Not Work in Sentinel Scalable Data Manager
Issue: When a report job fails, you cannot search for it as an event. (Bug 1017358)
Fix: It is now possible to search for a failed report job as an event.
Issue: Sentinel allows you to log the event sources from which events arrive that are delayed beyond a specified threshold. This is helpful for troubleshooting issues related to delayed arrival. Sentinel was not updating the log file with the event sources. (Bug 979931)
Fix: Sentinel now updates the log file as part of the performance snapshot.
Issue: If you configure an anomaly definition to send an email notification when there is a deviation from the baseline, Sentinel cannot send the email and returns an IllegalStateException error. (Bug 816622)
Fix: Sentinel now correctly sends the email.
Issue: If you schedule a report to run with the current date range but the From date is in the future, the report fails. (Bug 914094)
Fix: Sentinel allows you to set the From date to a future date to report event sources that are not properly time-synchronized. Sentinel now runs the report without error.
Issue: When you save a search to a CSV file, the CSV file does not maintain the specified order of the fields. (Bug 979916)
Fix: When you save a search to a CSV file, the CSV file now maintains the specified field order.
Issue: If you restart the Sentinel service on a Collector Manager computer that has multiple database collectors, some of the collectors are unable to reconnect to the event sources. (Bug 1015375, Bug 1041866)
Fix: All collectors now reconnect after you restart the Sentinel service.
Issue: If you modify the criteria for a search and select Begin Time, End Time, or Sentinel Process Time, the search results are invalid. (Bug 894421)
Fix: The Begin Time, End Time, or Sentinel Process Time options are no longer available when editing search criteria.
Issue: If a custom certificate subject contains multiple attributes or special characters, Sentinel Agent Manager is unable to connect to Sentinel. (Bug 1018133)
Fix: Sentinel Agent Manager is now able to connect to Sentinel when the custom certificate subject contains multiple attributes or special characters.
Issue: When you upgrade Sentinel 8.0 and later, the installer displays the following error:
Installing: novell-Sentinelwebapp-8.0.0.1-3404 [done]
Additional rpm output:
/var/tmp/rpm-tmp.28463: line 263: [: search.hideUI=false: binary operator expected
/var/tmp/rpm-tmp.40511: line 254: [: too many arguments
(Bug 1025512)
Fix: This error no longer occurs during the upgrade process.
Issue: Running the /SentinelRESTServices/objects/alert/count API always returns 0, even if there are multiple alerts. (Bug 1028317)
Fix: The /SentinelRESTServices/objects/alert/count API now returns the correct number of alerts.
Issue: When viewing all event details, dates and times are incorrectly formatted in the UTC (Coordinated Universal Time) format. (Bug 1031523, Bug 1034531)
Fix: Event detail fields now display all dates in the format appropriate to the specified locale in your browser.
Issue: After you enable scalable storage, the SSDM server logs display multiple instances of the following message:
SEVERE|TimerThreadPool pool|esecurity.ccs.comp.scalablestorage.KibanaVisualAnalyticsUtil.initializeKibanaMappingSearch
Unsuccessful in initializing the kibana mapping search call with status code 400
You can safely ignore these messages. There is no functional impact. (Bug 1009662)
Fix: The SSDM server logs no longer display this message.
Issue: SSDM in HA (high availability) mode does not populate the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files. As a result, searches and event visualization dashboards show errors. (Bug 1012251)
Fix: SSDM in high availability mode now correctly populates the appropriate IP addresses of the HA cluster nodes in the Elasticsearch security plug-in configuration files.
Issue: In an RPM-based installation of Elasticsearch, Event Visualization dashboards and searches in SSDM do not work. (Bug 1014448)
Fix: Event Visualization dashboards and searches in SSDM now work.
Issue: NetIQ eDirectory Instrumentation cannot connect to Audit Connector through Platform Agent. As a result, Sentinel cannot receive events from eDirectory. This issue occurs because eDirectory Instrumentation uses the MD5 RSA certificate algorithm, which has been deprecated in Java 8 update 77, the Java version used in Sentinel 8.1. (Bug 985312)
Fix: A new version of Audit Connector allows Sentinel to receive events from eDirectory.
Issue: The com.novell.sentinel.spark.StreamingEventIndexer job does not support IPv6. If an event contains an IPv6 address, the job fails. (Bug 1006975)
Fix: The com.novell.sentinel.spark.StreamingEventIndexer job now supports IPv6.
Issue: Sentinel Agent Manager 7.3 ignores the value specified in the RawDataTapFileSize attribute in the SMServiceHost.exe.config file for the raw data file size configuration, and stops writing to the raw data file when the file size reaches 10 MB. (Bug 867954)
Fix: Sentinel Agent Manager correctly uses the specified values in the RawDataTapFileSize attribute in the SMServiceHost.exe.config file and writes new data to the raw data file.
Issue: In SSDM environments, if you create a tile map visualization with default options, an issue with Kibana prevents the new tile map visualization from working in the Event Visualization dashboard. For more information about the Kibana issue, see https://github.com/elastic/kibana/issues/7717. (Bug 1001909)
Fix: Tile map visualizations with default options now work correctly in the Event Visualization dashboard.
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
For information about installing Sentinel 8.1, see the NetIQ Sentinel Installation and Configuration Guide.
You can upgrade to Sentinel 8.1 from Sentinel 7.4 and later.
For information about upgrading to Sentinel 8.1, see the NetIQ Sentinel Installation and Configuration Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.
Section 5.2, Sentinel Cannot Run Local Reports with Default EPS License
Section 5.3, Correlation Engine is Disconnected After Upgrade
Section 5.6, Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode
Section 5.10, Cannot View Alerts with IPv6 Data in Alert Views
Section 5.12, Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format
Section 5.13, Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions
Section 5.20, The Web Browser Displays an Error When Exporting Search Results in Sentinel
Section 5.21, Unable to View More Than One Report Result at a Time
Section 5.22, Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled
Section 5.23, Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error
Section 5.24, Active Search Jobs Duration and Accessed Columns Inaccuracies
Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)
Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.
Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error:
License for Distributed Search feature is expired
(Bug 1034656)
Workaround: To run reports in the same JVM as Sentinel, complete the following steps:
Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/obj-component.JasperReportingComponent.properties file.
Locate the reporting.process.oktorunstandalone property.
(Conditional) If the property is not in the file, add it.
Set the property to false. For example:
reporting.process.oktorunstandalone=false
Restart Sentinel.
Issue: Recent changes to how Sentinel validates rules cause the Correlation Engine to fail to connect if your environment has an older deployed rule with incorrect syntax. (Bug 1039598)
Workaround: To reconnect the Correlation Engine, you can correct the syntax in the rule that is causing the problem and then restart Sentinel.
To find the rule and correct its syntax, complete the following steps:
In the server.log file, search for Failed to initialize CorrelationEngine.
For example, when you search for Failed to initialize CorrelationEngine, you will see a log message similar to the following:
Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Failed to initialize CorrelationEngine
Scroll up to see the previous log message, which specifies the rule and displays its syntax. It will be similar to the following:
Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Root cause: Duration must be within a day (antlr.RecognitionException)
esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")) AND ((e.dhn = "n0")) AND ((e.fn != "favicon.ico")) AND ((e.fn != "apple-touch-icon-precomposed.png")) AND ((e.fn != "apple-touch-icon.png")) AND ((e.fn != "apple-touch-icon-120x120-precomposed.png")) AND ((e.fn != "apple-touch-icon-120x120.png")))flow trigger(20,86460,discriminator(e.sip))
In this example, the log message indicates the problem occurred because the specified duration was longer than a day. The syntax of the rule specifies more seconds (86460) than are in a day (86400).
Log in to Sentinel.
Open a new browser tab.
In the new tab, go to the following URL:
https://<YOUR SENTINEL IP>:8443/SentinelRESTServices/objects/correlation-rule
To find the rule name and ID in the list of correlation rules, search for a unique part of the rule syntax, such as 86460.
(Conditional) If you cannot find the rule name and ID in the list of correlation rules, complete the following steps:
In a command prompt, switch to the novell user. Use the following command:
su - novell
Change to the /opt/novell/sentinel/bin directory.
Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where rule_lg like '%UniqueText%'"
Where UniqueText is a unique part of the rule syntax, such as 86460.
(Conditional) If you have not already switched to the novell user, open a command prompt and switch to the novell user. Use the following command:
su - novell
Change to the /opt/novell/sentinel/bin directory.
Verify the rule is in the database. Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Update the rule with a new filter that will not trigger an error during validation. Use the following SQL command:
./db.sh sql SIEM dbauser "update CORR_RULE set rule_lg = 'filter(1=0)' where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Verify the filter has been changed in the database. Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Stop Sentinel. Use the following command:
./server.sh stop
Restart Sentinel. Use the following command:
./server.sh start
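The log triage in the first two steps of this workaround can be scripted. The following Python is an added example, not part of the NetIQ documentation or of Sentinel; it assumes the record layout shown in the server.log excerpts above, reads the second argument of trigger() as the duration in seconds as the page's example does, and runs on a constructed sample log. All function names are illustrative.

```python
import re

MAX_TRIGGER_SECONDS = 86400  # one day; the rule in the excerpt used 86460 and was rejected
FAILURE_MARKER = "Failed to initialize CorrelationEngine"

# Record header as it appears in the excerpts: timestamp|LEVEL|thread|logger
HEADER = re.compile(r"^[^|]+\|(?P<level>[A-Z]+)\|[^|]*\|\S+$")
RULE = re.compile(r"Invalid Rule Definition:\s*(?P<rule>.+)$", re.M)
CAUSE = re.compile(r"^Root cause:\s*(?P<cause>.+)$", re.M)
# trigger(count,duration,...) as in the page's example rule
TRIGGER = re.compile(r"\btrigger\(\s*\d+\s*,\s*(\d+)")

# Constructed sample modeled on the excerpts above (filter shortened).
SAMPLE_LOG = """\
Wed May 17 10:58:08 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Starting component
Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Root cause: Duration must be within a day (antlr.RecognitionException)
esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.dhn = "n0")))flow trigger(20,86460,discriminator(e.sip))
Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Failed to initialize CorrelationEngine
"""


def parse_records(text):
    """Group lines into records: one header line plus the message lines after it."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        match = HEADER.match(line)
        if match:
            records.append({"level": match.group("level"), "body": []})
        elif records and line:
            records[-1]["body"].append(line)
    return records


def find_broken_rules(text):
    """For each initialization failure, report the rule named in the SEVERE record before it."""
    records = parse_records(text)
    findings = []
    for index, record in enumerate(records):
        if FAILURE_MARKER not in "\n".join(record["body"]):
            continue
        # "Scroll up": walk back to the nearest SEVERE record that quotes a rule.
        for previous in reversed(records[:index]):
            body = "\n".join(previous["body"])
            rule = RULE.search(body)
            if previous["level"] != "SEVERE" or not rule:
                continue
            cause = CAUSE.search(body)
            durations = [int(d) for d in TRIGGER.findall(rule.group("rule"))]
            findings.append({
                "rule": rule.group("rule"),
                "root_cause": cause.group("cause") if cause else None,
                "oversized": [d for d in durations if d > MAX_TRIGGER_SECONDS],
            })
            break
    return findings


def lookup_command(unique_text):
    """Build the page's db.sh query for a fragment of the rule, such as the duration."""
    if not re.fullmatch(r"[0-9A-Za-z_.]+", unique_text):
        raise ValueError("use a plain alphanumeric fragment of the rule as the search text")
    return ("./db.sh sql SIEM dbauser "
            f"\"select * from CORR_RULE where rule_lg like '%{unique_text}%'\"")


if __name__ == "__main__":
    for finding in find_broken_rules(SAMPLE_LOG):
        print("Root cause:", finding["root_cause"])
        print("Rule:", finding["rule"])
        for seconds in finding["oversized"]:
            print("Duration", seconds, "exceeds", MAX_TRIGGER_SECONDS)
            print("Look up the rule with:", lookup_command(str(seconds)))
```

Restricting the search text to plain alphanumeric characters keeps the generated query free of quoting problems when it is pasted into the shell.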
Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)
Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:
Log in as the root user on the active node.
Open the /etc/csync2/csync2.cfg file.
Change the following line:
include /etc/opt/novell/sentinel/3rdparty/nss/*;
to
include /etc/opt/novell/sentinel/3rdparty/nss;
Save the csync2.cfg file.
Start the synchronization manually by running the following command:
csync2 -x -v
Issue: An issue prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)
Workaround: Use a different browser to view or modify the Visualization dashboard.
Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)
Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:
Install Sentinel. For more information, see Installing Sentinel in the Sentinel Installation and Configuration Guide.
Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode in the Sentinel Installation and Configuration Guide.
Use the following command to enable the operating system to run in FIPS mode:
fips=1 /boot/grub/menu.lst
Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:
Failed to set encrypted password
(Bug 967764)
Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.
Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)
Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.
Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(Bug 933640)
Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)
Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (Bug 913014)
Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.
Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)
Workaround: Update the role with one of the following options:
Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)
Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.
You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.
For more information, see Configuring Data Retention Policies in the NetIQ Sentinel Administration Guide.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)
Workaround: There is no workaround at this time.
Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (Bug 834874)
Workaround: To export search results properly, perform either of the following:
While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.
Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.
Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)
Workaround: Click the second report result PDF again to view the report result.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(Bug 810764)
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and perform a search for the IssueSAMLToken audit event, the event displays an incorrect hostname (InitiatorUserName) or IP address (SourceIP). (Bug 870609)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2017 NetIQ Corporation. All Rights Reserved.