Sentinel 8.1 Service Pack 1 Release Notes

January 2018

Sentinel 8.1 SP1 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Sentinel Product Upgrade website.

1.0 What’s New?

The following sections outline the key features and enhancements, and also the issues resolved in this release:

1.1 Security Vulnerability Fix

Sentinel 8.1.1 includes fixes to resolve the Sweet32 (CVE-2016-2183) vulnerability.

1.2 Oracle Java Runtime Environment Upgrade

Sentinel includes Java 8 Update 152, which includes fixes for several security vulnerabilities.

1.3 Enhancements

Sentinel 8.1.1 includes the following enhancements:

New Audit Events for ‘Failed To Correlate’ Messages

Sentinel now generates audit events for ‘Failed To Correlate’ messages that occur when:

  • Events arrive late with a time difference greater than 30 seconds.

  • The reorder buffer is full.

(Bug 1018336)

Adds the Ability to Assign the View Report Results Permission to a Role

Issue: Customers requested the ability to create a role that would let a user view report results but not run or delete reports. The View Report Results permission exists but cannot be granted to a role in User/Role Management. (Bug 1047479)

Fix: You can now make the View Report Results permission visible in User/Role Management so that you can assign it to a role. Complete the following steps:

  1. Open the /etc/opt/novell/sentinel/config/ui-configuration.properties file for editing.

  2. Add the following property:

    viewReportResults.hideUI=false

  3. Save your changes.

  4. Exit and restart the Web UI.

    You should also press Control-F5 to clear the browser cache.

  5. Navigate to User/Role Management, and create a new role.

    You should see the View Report Results permission.

Enhancement to Editing Time Range

When editing reports, the Date Picker no longer shows the date when the report was last run. It now defaults to the current date to avoid the need to click many months forward if the Start Time is older than the current date. (Bug 1016005)

Ability to Set End Time for Data Synchronization

You can now set the end time for a data synchronization policy so that you can synchronize data only for certain time ranges. This ability is available only for new data synchronization policies, not for existing ones. (Bug 1053484)

Ability to Add Up To 60 Characters for a User Name

You can now enter a maximum of 60 characters in the Username field when creating users. (Bug 1063025)

Enhancements to the Raw Data Retention Size Refresh Rate

The following enhancements have been made to the raw data retention size refresh interval in the Storage > Events > Data Retention user interface:

  • The default Raw Data Retention size refresh interval has been changed to every 12 hours to avoid performance issues when raw data is large.

  • The default timeout interval has been changed to every 60 minutes.

You can customize these default values, if required:

  1. Log in to the Sentinel server as the novell user.

  2. In the /etc/opt/novell/sentinel/config directory, create a file named obj-component.DiskStatisticsCache.properties.

  3. In the properties file, set the properties to the desired values (in milliseconds) as follows:

    <obj-component id="DiskStatisticsCache">
      <class>esecurity.ccs.comp.auth.DiskStatisticsCache</class>
      <property name="onlineRawDataCheckInterval">value_in_milliseconds</property>
      <property name="onlineRawDataTaskTimeoutPeriod">value_in_milliseconds</property>
    </obj-component>

  4. Restart the Sentinel server.

(Bug 1027773)

summary_key Column as the Primary Key for Event Summary Tables

The summary_key column in Event Summary tables is now the primary key, which allows other database tools to benefit from proper metadata. (Bug 1048739)

1.4 Software Fixes

Sentinel 8.1.1 includes software fixes that resolve the following issues:

Search Results in the Exported CSV File Are Blank

Issue: When you export search results that include events from secondary storage, the CSV file only contains the headers and not the actual search results. (Bug 1043709, Bug 1073502)

Fix: The CSV file now includes the search results you export.

Email Notifications for Scheduled Reports Do Not Display AM or PM for Time

Email notifications now display AM or PM appropriately. (Bug 1040423)

Sentinel Main in Appliance Does Not Launch When Upgraded From Sentinel 7.0.3.x or Earlier

Sentinel Main now launches successfully. (Bug 1047106)

EventSearch REST API Does Not Work After Upgrading Sentinel 7.4.3 to Sentinel 8.0.1

The EventSearch REST API now completes successfully without any exceptions. (Bug 1038133)

Correlation Engine Does Not Trigger Current Day Events if the Previous Event Had a Time Stamp Beyond the Epoch Date

Issue: The Correlation Engine does not trigger current-day events if the previous event had a time stamp beyond the epoch date. It reports the exception "Correlation reorder buffer is full" and eventually crashes. (Bug 1036765)

Fix: Correlation Engine now triggers current day events without exceptions.

Sentinel Not Responsive after Enabling ISE Integration

Issue: Two or three days after ISE integration, Sentinel becomes unresponsive. Sentinel server logs included the following message, which indicated out-of-memory exceptions and the inability to create threads:

java.lang.OutOfMemoryError: unable to create new native thread

This issue resulted from the large number of map updates that the ISE integration triggers, as well as an issue specific to maps with exactly one “RANGE” key plus one or more “STRING” keys. When this particular set of circumstances occurred, Sentinel created a separate h2temp directory for every unique String Key value. This meant that when the ISE ipmap.csv file had 6000+ entries (as might be typical during regular operating hours), Sentinel would recreate the 6000+ h2temp directories for every 30-second map update. (Bug 1036765)

Fix: Maps that contain exactly one "RANGE" key plus one or more "STRING" keys are now stored by default in an in-memory map. This map does not use an H2 database and therefore does not need to create the many h2temp directories.

NOTE: You can configure whether range-key maps use objects that require temporary directories. Add the new sentinel.mapping.h2.useDbRangeMap system property to the Sentinel configuration.properties file. This property accepts the following values:

  • false: Use DataObjectKeyRangeMap objects, which do not require temporary directories (default value)

  • true: Use DBRangeMapDataObjectStorage objects, which require temporary directories

Refinement Panel Displays Error During Search

Issue: If you run a search for events, and then click the Search button while the search is still running, the refinement panel displays the following message:

Field counts based on the first 0 events.

(Bug 999743)

Fix: The Search button is now disabled while the search is running. After all jobs are completed, the Search button will be available again.

Sentinel API Documentation Does Not List All the Required Libraries

Issue: The API documentation does not list all of the client download libraries the REST API requires to work properly. (Bug 1047684)

Fix: The Sentinel API Documentation now lists all the client download libraries that the REST API requires.

Event Fields Do Not Display Collector Manager Information

Issue: When a Sentinel server loses contact with a Collector Manager, the server generates LostContactWithCollectorManager and CollectorManagerDown internal events. The CollectorNodeName(port) and CollectorManagerId(rv21) event fields on these internal events do not display the information related to the Collector Manager. (Bug 1050941)

Fix: The CollectorNodeName(port) and CollectorManagerId(rv21) event fields now correctly display the Collector Manager Name and the Collector Manager ID.

Some Scheduled Reports are Failing

All scheduled reports now run successfully. (Bug 1051167)

Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard Reports Take a Longer Time to Execute

Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard reports now take less time to execute. (Bug 1040660)

Alert View Appropriately Filters Data for ‘All New Alerts’

This release resolves an issue where Sentinel erroneously displayed all alerts even though you chose the All New Alerts filter in the Alert View. (Bug 991732)

The /SentinelRESTServices/objects/plugin REST API Provides Plugin Information in Encrypted Format

The /SentinelRESTServices/objects/plugin REST API now provides plugin information in human readable format. (Bug 992162)

Scheduled Search Job Fails

The scheduled search job now runs successfully. (Bug 1049055)

Sentinel Core Top 10 Report Fails

The Sentinel Core Top 10 report now runs successfully. (Bug 1055336)

Data Federation Search Results Contain Duplicate Events

Issue: When you use Data Federation to search for events in a distributed environment, the Search Results page displays duplicate events. (Bug 1048000)

Fix: The Search Results page no longer displays duplicate events.

Sentinel Agent Manager Synchronizes Agents without Exceptions

This release resolves an issue where the agent data synchronization process (ETL) failed with an exception if an agent that you added synchronized with Sentinel before Sentinel Agent Manager collected the agent’s attributes. (Bug 1050192)

Correlation Engine Indicates Status as Offline When the Engine is Actually Idle

Correlation Engine now indicates its status as Idle when it is in Idle state. (Bug 1062386)

Errors in Server Logs when the Message Field in the Event Has More Than 8000 Characters

Issue: When the Message field of an event has more than 8000 characters, Sentinel truncates the message. It writes the first 8000 characters and the truncated characters to the logs along with the following message, so the logs fill up with Message content:

Value for attribute msg is too long. Size is 4,096 utf-8 (each char may be multi-byte), max is 4,000 bytes, truncating <truncated_characters>

(Bug 927550)

Fix: Sentinel now displays only 256 characters from the truncated message in the server0.0 log.

Data Synchronization Does Not Work After Upgrading Sentinel to Version 8.1.0.1

Data synchronization works successfully after upgrading Sentinel to 8.1.0.1. (Bug 1052566)

Agent Manager Section in Sentinel Main is Grayed Out

Issue: In the Data Collection > Event Sources tab, the Agent Manager section is grayed out and you must use Sentinel Control Center to perform any operation. (Bug 1008335)

Fix: The Agent Manager section is now enabled in Sentinel Main.

Report Generation Fails if Events Contain Special Characters

Report generation is successful even if events contain special characters. (Bug 1060132)

Collector Manager Does Not Restart When There Are Large Event Offsets

Collector Manager now restarts successfully and processes event sources' offsets as expected. (Bug 1049771)

Auto Alert Always Updates EventThroughputUtilization at 100% utilization

Issue: Auto Alert always updates EventThroughputUtilization at 100% utilization, even when no alerts are being generated. (Bug 1065679)

Fix: Auto alert updates now display the actual EventThroughputUtilization percentage.

The collectormgr-status REST API Endpoint Displays Incorrect Status

Issue: When multiple Collector Managers are set up with one Sentinel server, the collectormgr-status API endpoint returns a 404 Not Found error even though the Collector Managers are present. (Bug 1011921)

Fix: The collectormgr-status API now displays the status correctly.

report_dev_setup.sh Does Not Back Up the Firewall Configuration File

The report_dev_setup.sh script now backs up the firewall configuration file so that you can revert easily in case of any failures. The script also includes enhancements to improve usability. (Bug 752657)

NOTE: The SuSEfirewall2 file is backed up only when the PostgreSQL port is not added to the SUSE firewall configuration.

The Test Connectivity Button in the Sentinel Agent Manager Console Initiates With a Ping

Issue: Test Connectivity initiates with a ping, which is a security concern. (Bug 1009722)

Fix: The Test Connectivity button no longer uses an ICMP packet (Ping) followed by an HTTP command to the Connector port as part of its testing procedure. It now relies only on the HTTP command to validate if the connection is successful. This may cause the connectivity test to take up to a minute longer when the remote end is not live or responding properly.

When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays

Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:

Failed to set encrypted password

(Bug 967764)

Fix: Sentinel no longer displays the warning message.

Exception in the Sentinel Server Log When You Upgrade Sentinel Versions Prior to 7.3 SP1 to Versions 7.3 SP1 and Later

Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:

Invalid length of data object ......

(Bug 933640)

Fix: Sentinel no longer displays the exception during the upgrade.

Cannot View Alerts with IPv6 Data in Alert Views

Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)

Fix: Alert views and alert dashboards now display alerts that have IPv6 addresses in IP address fields.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.

3.0 Upgrading to Sentinel 8.1.1

You can upgrade to Sentinel 8.1.1 from Sentinel 7.4 and later. For information about upgrading to Sentinel 8.1.1, see the NetIQ Sentinel Installation and Configuration Guide.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

4.1 Sentinel Cannot Run Local Reports with Default EPS License

Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error:

License for Distributed Search feature is expired

Workaround: To run reports in the same JVM as Sentinel, complete the following steps:

  1. Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/server.xml file.

  2. Locate the following property:

    <property name="reporting.process.oktorunstandalone">true</property>

  3. Change the setting to false:

    <property name="reporting.process.oktorunstandalone">false</property>

  4. Restart Sentinel.

4.2 Cannot convert Sentinel to FIPS mode due to an issue with Mozilla NSS

Issue: If you try to convert Sentinel (Server, RCM or RCE) to FIPS mode either during installation or post installation, an issue with the Mozilla NSS packages provided by the SLES 12 operating system prevents the conversion from completing successfully. The conversion stops at the prompt for the FIPS keystore database password even though the specified password meets the expected criteria. (Bug 1065329)

Workaround: To convert Sentinel to FIPS mode, perform the following steps:

  1. Log in to Sentinel Server, RCM, or RCE as the root user.

  2. Launch the YaST software manager:

    yast sw_single

  3. Search for the following packages and install or upgrade to the latest version:

    • mozilla-nss-tools 

    • libfreebl3-hmac 

    • libsoftokn3-hmac 

  4. Clean up the artifacts from the previous FIPS conversion attempts:

     rm -rf /etc/opt/novell/sentinel/3rdparty/nss
     rm /etc/opt/novell/sentinel/3rdparty/newpwfile

  5. Retry FIPS conversion.

4.3 Correlation Engine is Disconnected After Upgrade

Issue: Recent changes to how Sentinel validates rules cause the Correlation Engine to fail to connect if your environment has an older deployed rule with incorrect syntax. (Bug 1039598)

Workaround: To reconnect the Correlation Engine, you can correct the syntax in the rule that is causing the problem and then restart Sentinel.

To find the rule and correct its syntax, complete the following steps:

  1. In the server.log file, search for Failed to initialize CorrelationEngine.

    For example, when you search for Failed to initialize CorrelationEngine, you will see a log message similar to the following:

    Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate

    Failed to initialize CorrelationEngine

    Scroll up to see the previous log message, which specifies the rule and displays its syntax. It will be similar to the following:

    Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate

    Root cause: Duration must be within a day (antlr.RecognitionException)

    esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")) AND ((e.dhn = "n0")) AND ((e.fn != "favicon.ico")) AND ((e.fn != "apple-touch-icon-precomposed.png")) AND ((e.fn != "apple-touch-icon.png")) AND ((e.fn != "apple-touch-icon-120x120-precomposed.png")) AND ((e.fn != "apple-touch-icon-120x120.png")))flow trigger(20,86460,discriminator(e.sip))

    In this example, the log message indicates the problem occurred because the specified duration was longer than a day. The syntax of the rule specifies more seconds (86460) than are in a day (86400).

  2. Log in to Sentinel.

  3. Open a new browser tab.

  4. In the new tab, go to the following URL:

    https://<YOUR SENTINEL IP>:8443/SentinelRESTServices/objects/correlation-rule

  5. To find the rule name and ID in the list of correlation rules, search for a unique part of the rule syntax, such as 86460.

  6. (Conditional) If you cannot find the rule name and ID in the list of correlation rules, complete the following steps:

    1. In a command prompt, switch to the novell user. Use the following command:

      su - novell

    2. Change to the /opt/novell/sentinel/bin directory.

    3. Use the following SQL command:

      ./db.sh sql SIEM dbauser "select * from CORR_RULE where rule_lg like '%UniqueText%'"

      Where UniqueText is a unique part of the rule syntax, such as 86460.

  7. (Conditional) If you have not already switched to the novell user, open a command prompt and switch to the novell user. Use the following command:

    su - novell

  8. Change to the /opt/novell/sentinel/bin directory.

  9. Verify the rule is in the database. Use the following SQL command:

    ./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  10. Update the rule with a new filter that will not trigger an error during validation. Use the following SQL command:

    ./db.sh sql SIEM dbauser "update CORR_RULE set rule_lg = 'filter(1=0)' where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  11. Verify the filter has been changed in the database. Use the following SQL command:

    ./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"

    Where RuleID is the ID of the rule you found previously.

  12. Stop Sentinel. Use the following command:

    ./server.sh stop

  13. Restart Sentinel. Use the following command:

    ./server.sh start
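As an added example (not part of the release notes or of the Sentinel product), the following Python script automates step 1 and the rule lookup of steps 5 and 6 offline: it finds the "Failed to initialize CorrelationEngine" marker in constructed server.log lines, walks back to the SEN-13003 rule definition, checks the trigger duration against the 86400-second limit, and filters constructed CORR_RULE rows the way the like '%UniqueText%' query does. The log sample, the rows and the rule IDs are constructed placeholders; the rule text is a shortened copy of the page's own example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The Sentinel validator rejects trigger durations longer than a day
# ("Root cause: Duration must be within a day"); 86400 seconds is the limit.
MAX_TRIGGER_DURATION = 86400

# Constructed server.log excerpt modelled on the one in section 4.3. The rule
# text is a shortened copy of the page's example; nothing here is a real log.
SAMPLE_LOG = [
    "Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|"
    "esecurity.base.ccs.proxy.ComponentElementProxy.activate",
    "Root cause: Duration must be within a day (antlr.RecognitionException)",
    "esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule "
    'Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server"))'
    ' AND ((e.dhn = "n0")))flow trigger(20,86460,discriminator(e.sip))',
    "Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|"
    "esecurity.base.ccs.proxy.ComponentElementProxy.activate",
    "Failed to initialize CorrelationEngine",
]

# Constructed stand-ins for CORR_RULE rows as (rule_id, rule_lg); the IDs are placeholders.
SAMPLE_ROWS = [
    ("RULE-ID-PLACEHOLDER-1", "filter((e.sev >= 4))flow trigger(5,60,discriminator(e.sip))"),
    ("RULE-ID-PLACEHOLDER-2",
     'filter(((e.evt = "GET: Forbidden")))flow trigger(20,86460,discriminator(e.sip))'),
]

FAILURE_MARKER = "Failed to initialize CorrelationEngine"
TRIGGER_RE = re.compile(r"trigger\(\s*(\d+)\s*,\s*(\d+)\s*,")
RULE_DEF_RE = re.compile(r"SEN-13003 Invalid Rule Definition:\s*(.+)$")
ROOT_CAUSE_RE = re.compile(r"^Root cause:\s*(.+)$")


def trigger_duration(rule_lg: str) -> Optional[int]:
    """Duration in seconds from trigger(count,duration,...), or None if there is no trigger."""
    m = TRIGGER_RE.search(rule_lg)
    return int(m.group(2)) if m else None


def duration_within_a_day(rule_lg: str) -> bool:
    """True when the rule has no trigger or its duration does not exceed one day."""
    d = trigger_duration(rule_lg)
    return d is None or d <= MAX_TRIGGER_DURATION


def find_failed_rule(log_lines: List[str]) -> Optional[Dict[str, str]]:
    """Locate the failure marker, then scroll up (as step 1 says) for the root cause
    and the offending rule definition."""
    idx = next((i for i, line in enumerate(log_lines) if FAILURE_MARKER in line), None)
    if idx is None:
        return None
    found = {"root_cause": "", "rule_lg": ""}
    for line in reversed(log_lines[:idx]):
        m = RULE_DEF_RE.search(line)
        if m and not found["rule_lg"]:
            found["rule_lg"] = m.group(1).strip()
        m = ROOT_CAUSE_RE.match(line)
        if m and not found["root_cause"]:
            found["root_cause"] = m.group(1).strip()
        if found["rule_lg"] and found["root_cause"]:
            break
    return found if found["rule_lg"] else None


def unique_token(rule_lg: str) -> Optional[str]:
    """Use the trigger duration as the search token (the page's example is 86460)."""
    d = trigger_duration(rule_lg)
    return None if d is None else str(d)


def match_rules(rows: List[Tuple[str, str]], unique_text: str) -> List[Tuple[str, str]]:
    """Offline equivalent of: select * from CORR_RULE where rule_lg like '%UniqueText%'."""
    return [(rule_id, lg) for rule_id, lg in rows if unique_text in lg]


def triage(log_lines: List[str], rows: List[Tuple[str, str]]) -> Optional[Dict[str, object]]:
    """Tie the steps together: failing rule, its duration, and the CORR_RULE candidates."""
    failed = find_failed_rule(log_lines)
    if failed is None:
        return None
    token = unique_token(failed["rule_lg"])
    return {
        "root_cause": failed["root_cause"],
        "duration": trigger_duration(failed["rule_lg"]),
        "within_a_day": duration_within_a_day(failed["rule_lg"]),
        "search_token": token,
        "candidate_rule_ids": [rid for rid, _ in match_rules(rows, token)] if token else [],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_ROWS))
```

Once a candidate rule ID is confirmed against the correlation-rule listing, steps 9 to 13 on the page still apply unchanged; the script only narrows down which rule to look at.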

4.4 Synchronization Needs to be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS 140-2 Mode

Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)

Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:

  1. Log in as the root user on the active node.

  2. Open the /etc/csync2/csync2.cfg file.

  3. Change the following line:

    include /etc/opt/novell/sentinel/3rdparty/nss/*;

    to

    include /etc/opt/novell/sentinel/3rdparty/nss;

  4. Save the csync2.cfg file.

  5. Start the synchronization manually by running the following command:

    csync2 -x -v

4.5 Cannot Launch Event Visualization Dashboard

Issue: An issue prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)

Workaround: Use a different browser to view or modify the Visualization dashboard.

4.6 Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode

Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)

Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:

  1. Install Sentinel. For more information, see Installing Sentinel in the Sentinel Installation and Configuration Guide.

  2. Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode in the Sentinel Installation and Configuration Guide.

  3. Enable the operating system to run in FIPS mode by adding the following kernel parameter in the /boot/grub/menu.lst file:

    fips=1

4.7 Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager

Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)

Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.

4.8 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Sentinel Installations

Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)

Workaround: There is no workaround at this time.

4.9 Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions

Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)

Workaround: Update the role with one of the following options:

  1. Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].

  2. Select View system events.

  3. Select View all event data (including raw data and NetFlow data).

4.10 The Event fields Panel is Missing in the Schedule Page When Editing Some Saved Searches

Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)

Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.

4.11 Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search

Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)

Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.

4.12 Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline

Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)

Workaround: The correct dates are updated after the baseline regeneration is complete.

4.13 Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations

Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)

Workaround: Configure Sentinel ports for firewall exceptions through the following steps:

  1. Open the /etc/sysconfig/SuSEfirewall2 file.

  2. Change the following line:

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"

    to

    FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"

  3. Restart Sentinel.

4.14 Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)

Workaround: There is no workaround at this time.

4.15 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.

4.16 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

4.17 Active Search Jobs Duration and Accessed Columns Inaccuracies

Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)

Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.

4.18 IssueSAMLToken Audit Event Displays Incorrect Information in the Security Intelligence Dashboard

Issue: When you log in to the security dashboard and search for the IssueSAMLToken audit event, the event displays an incorrect hostname (InitiatorUserName) or IP address (SourceIP). (Bug 870609)

Workaround: There is no workaround at this time.

4.19 Sentinel Server Shuts Down When Running a Search If There Are Large Number of Events in a Single Partition

Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)

Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.

You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.

For more information, see Configuring Data Retention Policies in the NetIQ Sentinel Administration Guide.

4.20 Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format

Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (Bug 913014)

Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.

4.21 Unable to View More Than One Report Result at a Time

Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)

Workaround: Click the second report result PDF again to view the report result.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.