Sentinel 8.1 SP1 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Sentinel Product Upgrade website.
The following sections outline the key features and enhancements, and also the issues resolved in this release:
Sentinel 8.1.1 includes fixes for the Sweet32 vulnerability (CVE-2016-2183), which affects 64-bit block ciphers such as 3DES when they are used in TLS.
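Added check, not part of these release notes or of Sentinel itself: a small Python probe that offers a TLS endpoint only 64-bit block ciphers (the suites Sweet32 affects) over TLS 1.2 or lower and reports whether the handshake completes, plus offline helpers that classify suite names from any scanner output. The default port 8443 is the Sentinel web port mentioned elsewhere on this page; the marker list and the OpenSSL cipher-string keywords are assumptions about standard naming, and a local OpenSSL build that no longer ships those ciphers cannot run the live probe.

```python
"""Added check: confirm a TLS endpoint no longer negotiates 64-bit block ciphers (Sweet32, CVE-2016-2183)."""
import socket
import ssl
import sys
from typing import Iterable, List

# Name fragments of 64-bit block ciphers (3DES, single DES, RC2, IDEA, Blowfish) as they
# appear in OpenSSL and IANA cipher-suite names (assumed naming conventions).
SWEET32_MARKERS = ("3DES", "DES-CBC3", "_DES_", "DES-CBC-", "RC2", "IDEA", "BF-")


def is_sweet32_suite(name: str) -> bool:
    """True when the cipher suite uses a 64-bit block cipher."""
    upper = name.upper()
    return any(marker in upper for marker in SWEET32_MARKERS)


def sweet32_suites(names: Iterable[str]) -> List[str]:
    """Reduce a list of suite names (scanner output, `openssl ciphers`) to the affected ones."""
    return sorted({n for n in names if is_sweet32_suite(n)})


def negotiates_sweet32(host: str, port: int = 8443, timeout: float = 5.0) -> bool:
    """Offer the server only 64-bit block ciphers over TLS <= 1.2.

    A completed handshake on one of them means the server still accepts them.
    Raises RuntimeError when the local OpenSSL build cannot offer such ciphers at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                 # cipher policy is under test, not the certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.3 defines no 64-bit block ciphers
    try:
        ctx.set_ciphers("3DES:DES:RC2:IDEA:@SECLEVEL=0")
    except ssl.SSLError as exc:
        raise RuntimeError("local OpenSSL cannot offer 64-bit block ciphers") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return is_sweet32_suite(tls.cipher()[0])
    except ssl.SSLError:
        return False    # handshake refused: the server rejected every offered suite


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("VULNERABLE" if negotiates_sweet32(target) else "not negotiable", file=sys.stderr)
```

Run the script with the server name as its argument after the upgrade; a refused handshake ("not negotiable") is the expected outcome, while VULNERABLE means a 64-bit block cipher was still negotiated on that port. Network errors other than a TLS failure are deliberately not swallowed, so an unreachable host is not reported as a pass.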
Sentinel includes Java 8 Update 152, which contains fixes for several security vulnerabilities.
Sentinel 8.1.1 includes the following enhancements:
Sentinel now generates audit events for ‘Failed To Correlate’ messages, which occur when:
An event arrives late, with a time difference greater than 30 seconds.
The reorder buffer is full.
(Bug 1018336)
Issue: Customers requested the ability to create a role that lets a user view report results but not run or delete reports. The View Report Results permission exists, but it cannot be granted to a role in User/Role Management. (Bug 1047479)
Fix: You can now make the View Report Results permission visible in User/Role Management so that you can assign it to a role. Complete the following steps:
Open the /etc/opt/novell/sentinel/config/ui-configuration.properties file for editing.
Add the following property:
viewReportResults.hideUI=false
Save your changes.
Exit and restart the Web UI.
Also press Ctrl+F5 so that the browser reloads the page instead of serving it from its cache.
Navigate to User/Role Management, and create a new role.
You should see the View Report Results permission.
When editing reports, the Date Picker no longer shows the date when the report was last run. It now defaults to the current date to avoid the need to click many months forward if the Start Time is older than the current date. (Bug 1016005)
You can now set an end time for a data synchronization policy so that only data from a given time range is synchronized. This option is available only when you create a new data synchronization policy; existing policies cannot be changed. (Bug 1053484)
When creating users, the Username field now accepts up to 60 characters. (Bug 1063025)
The following enhancements apply to the raw data retention size refresh interval in the Storage > Events > Data Retention user interface:
The default Raw Data Retention size refresh interval is now 12 hours, to avoid performance issues when the raw data volume is large.
The default timeout for the refresh task is now 60 minutes.
You can customize these defaults if required:
Log in to the Sentinel server as the novell user.
In the /etc/opt/novell/sentinel/config directory, create a file named obj-component.DiskStatisticsCache.properties.
In that file, set the two properties to the desired values in milliseconds (the defaults of 12 hours and 60 minutes correspond to 43200000 and 3600000 respectively):
<obj-component id="DiskStatisticsCache">
    <class>esecurity.ccs.comp.auth.DiskStatisticsCache</class>
    <property name="onlineRawDataCheckInterval">value_in_milliseconds</property>
    <property name="onlineRawDataTaskTimeoutPeriod">value_in_milliseconds</property>
</obj-component>
Restart the Sentinel server.
(Bug 1027773)
The summary_key column in the Event Summary tables is now the primary key, so that other database tools can make use of correct table metadata. (Bug 1048739)
Sentinel 8.1.1 includes software fixes that resolve the following issues:
Issue: When you export search results that include events from secondary storage, the CSV file only contains the headers and not the actual search results. (Bug 1043709, Bug 1073502)
Fix: The CSV file now includes the search results you export.
Email notifications now display AM or PM appropriately. (Bug 1040423)
Sentinel Main now launches successfully. (Bug 1047106)
The EventSearch REST API now completes successfully without exceptions. (Bug 1038133)
Issue: The Correlation Engine does not trigger on current-day events if the previous event had a time stamp beyond the epoch date. It logs the exception "Correlation reorder buffer is full" and eventually crashes. (Bug 1036765)
Fix: The Correlation Engine now triggers on current-day events without exceptions.
Issue: Two or three days after ISE integration, Sentinel becomes unresponsive. Sentinel server logs included the following message, which indicated out-of-memory exceptions and the inability to create threads:
java.lang.OutOfMemoryError: unable to create new native thread
This issue resulted from the large number of map updates that the ISE integration triggers, as well as an issue specific to maps with exactly one “RANGE” key plus one or more “STRING” keys. When this particular set of circumstances occurred, Sentinel created a separate h2temp directory for every unique String Key value. This meant that when the ISE ipmap.csv file had 6000+ entries (as might be typical during regular operating hours), Sentinel would recreate the 6000+ h2temp directories for every 30-second map update. (Bug 1036765)
Fix: The default map implementation used for maps that contain exactly one “RANGE” key plus one or more “STRING” keys is now an in-memory map. It does not use an H2 database and therefore does not create the many h2temp directories.
NOTE: You can configure whether range-key maps use objects that require temporary directories. Add the new sentinel.mapping.h2.useDbRangeMap system property to the Sentinel configuration.properties file. This system property has the following values:
false: Use DataObjectKeyRangeMap objects, which do not require temporary directories (default value)
true: Use DBRangeMapDataObjectStorage objects, which require temporary directories
Issue: If you run a search for events, and then click the Search button while the search is still running, the refinement panel displays the following message:
Field counts based on the first 0 events.
(Bug 999743)
Fix: The Search button is now disabled while the search is running. After all jobs are completed, the Search button will be available again.
Issue: The API documentation does not list all of the client download libraries the REST API requires to work properly. (Bug 1047684)
Fix: The Sentinel API Documentation now lists all the client download libraries that the REST API requires.
Issue: When a Sentinel server loses contact with a Collector Manager, the server generates LostContactWithCollectorManager and CollectorManagerDown internal events. The CollectorNodeName(port) and CollectorManagerId(rv21) event fields on these internal events do not display the information related to the Collector Manager. (Bug 1050941)
Fix: The CollectorNodeName(port) and CollectorManagerId(rv21) event fields now correctly display the Collector Manager Name and the Collector Manager ID.
All scheduled reports now run successfully. (Bug 1051167)
Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard reports now take less time to execute. (Bug 1040660)
This release resolves an issue where Sentinel erroneously displayed all alerts even though you chose the All New Alerts filter in the Alert View. (Bug 991732)
The /SentinelRESTServices/objects/plugin REST API now provides plugin information in human readable format. (Bug 992162)
The scheduled search job now runs successfully. (Bug 1049055)
The Sentinel Core Top 10 report now runs successfully. (Bug 1055336)
Issue: When you use Data Federation to search for events in a distributed environment, the Search Results page displays duplicate events. (Bug 1048000)
Fix: The Search Results page no longer displays duplicate events.
This release resolves an issue where the agent data synchronization process (ETL) failed with an exception if an agent that you added synchronized with Sentinel before Sentinel Agent Manager collected the agent’s attributes. (Bug 1050192)
Correlation Engine now indicates its status as Idle when it is in Idle state. (Bug 1062386)
Issue: When the Message field of an event has more than 8000 characters, Sentinel truncates the message but writes the entire truncated remainder to the log together with the following message, so the logs fill up with message content:
Value for attribute msg is too long. Size is 4,096 utf-8 (each char may be multi-byte), max is 4,000 bytes, truncating <truncated_characters>
(Bug 927550)
Fix: Sentinel now writes only the first 256 characters of the truncated remainder to the server0.0.log file.
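The two behaviours described above, as an added Python example that is not Sentinel's code: a byte-bounded UTF-8 truncation that never cuts through a multi-byte character (the log line quotes a 4,000-byte limit against a 4,096-byte value, which is exactly the case where counting characters instead of bytes goes wrong), and a log line that quotes at most 256 characters of the dropped tail so an oversized or attacker-supplied message cannot flood the server log with itself. The limit constants and the function names are assumptions; the wording of the log line copies the message shown above.

```python
"""Added example: byte-bounded UTF-8 truncation with a capped log preview."""
from typing import Optional, Tuple

MAX_MSG_BYTES = 4000       # limit quoted in the log message above (assumed as the default here)
LOG_PREVIEW_CHARS = 256    # how much of the dropped tail the fixed release logs


def truncate_utf8(value: str, max_bytes: int) -> Tuple[str, str]:
    """Split value into (kept, dropped) so that kept encodes to at most max_bytes of UTF-8
    and never ends in the middle of a multi-byte character."""
    encoded = value.encode("utf-8")
    if len(encoded) <= max_bytes:
        return value, ""
    # errors="ignore" discards the partial character at the cut, so kept is a whole-character prefix
    kept = encoded[:max_bytes].decode("utf-8", errors="ignore")
    return kept, value[len(kept):]


def store_with_bounded_log(attr: str, value: str, max_bytes: int = MAX_MSG_BYTES) -> Tuple[str, Optional[str]]:
    """Return the value to store and, when truncation happened, the log line to emit.

    Only the first LOG_PREVIEW_CHARS of the dropped tail are logged, so the size of the
    log entry is bounded regardless of how large the incoming message was."""
    kept, dropped = truncate_utf8(value, max_bytes)
    if not dropped:
        return kept, None
    preview = dropped[:LOG_PREVIEW_CHARS] + ("..." if len(dropped) > LOG_PREVIEW_CHARS else "")
    log_line = (
        f"Value for attribute {attr} is too long. Size is {len(value.encode('utf-8')):,} utf-8 "
        f"(each char may be multi-byte), max is {max_bytes:,} bytes, truncating {preview}"
    )
    return kept, log_line


if __name__ == "__main__":
    # Constructed sample: 2,048 two-byte characters is 4,096 bytes, the size quoted in the log message
    stored, line = store_with_bounded_log("msg", "é" * 2048)
    print(len(stored), "characters kept;", line)
```

The cut is made on the encoded bytes rather than on character count, which is the only way to honour a byte limit for multi-byte text; decoding the prefix with errors="ignore" drops the partial sequence at the boundary instead of producing a corrupt character in storage.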
Data synchronization works successfully after upgrading Sentinel to 8.1.0.1. (Bug 1052566)
Issue: In the Data Collection > Event Sources tab, the Agent Manager section is grayed out and you must use Sentinel Control Center to perform any operation. (Bug 1008335)
Fix: The Agent Manager section is now enabled in Sentinel Main.
Report generation is successful even if events contain special characters. (Bug 1060132)
Collector Manager now restarts successfully and processes event sources' offsets as expected. (Bug 1049771)
Issue: Auto Alert Always Updates EventThroughputUtilization at 100% utilization, even though there are no alerts being generated. (Bug 1065679)
Fix: Auto alert updates now display the actual EventThroughputUtilization percentage.
Issue: When there are multiple Collector Managers set up with one Sentinel server, the collectormgr-status API endpoint displays the 404 not found error even though the Collector Managers are present. (Bug 1011921)
Fix: The collectormgr-status API now displays the status correctly.
The report_dev_setup.sh script now backs up the firewall configuration file so that you can revert easily in case of any failures. The script also includes enhancements to improve usability. (Bug 752657)
NOTE: The SuSEfirewall2 file is backed up only when the PostgreSQL port has not already been added to the SUSE firewall configuration.
Issue: Test Connectivity starts with an ICMP ping, which is a security concern. (Bug 1009722)
Fix: The Test Connectivity button no longer uses an ICMP packet (Ping) followed by an HTTP command to the Connector port as part of its testing procedure. It now relies only on the HTTP command to validate if the connection is successful. This may cause the connectivity test to take up to a minute longer when the remote end is not live or responding properly.
Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:
Failed to set encrypted password
(Bug 967764)
Fix: Sentinel no longer displays the warning message.
Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(Bug 933640)
Fix: Sentinel no longer displays the exception during the upgrade.
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug 924874)
Fix: Alert views and alert dashboards now display alerts that have IPv6 addresses in IP address fields.
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
You can upgrade to Sentinel 8.1.1 from Sentinel 7.4 and later. For information about upgrading to Sentinel 8.1.1, see the NetIQ Sentinel Installation and Configuration Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.
Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error:
License for Distributed Search feature is expired
Workaround: To run reports in the same JVM as Sentinel, complete the following steps:
Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/server.xml file.
Locate the following property:
<property name="reporting.process.oktorunstandalone">true</property>
Change the setting to false:
<property name="reporting.process.oktorunstandalone">false</property>
Restart Sentinel.
Issue: If you try to convert Sentinel (Server, RCM or RCE) to FIPS mode, either during installation or afterwards, an issue with the Mozilla NSS packages provided by the SLES 12 operating system prevents the conversion from completing. The conversion stops at the prompt for the FIPS keystore database password even though the specified password meets the expected criteria. (Bug 1065329)
Workaround: To convert Sentinel to FIPS mode, perform the following steps:
Log in to Sentinel Server, RCM, or RCE as the root user.
Launch YaST software manager:
yast sw_single
Search for the following packages and install or upgrade to the latest version:
mozilla-nss-tools
libfreebl3-hmac
libsoftokn3-hmac
Clean up the artifacts from the previous FIPS conversion attempts:
rm -rf /etc/opt/novell/sentinel/3rdparty/nss
rm /etc/opt/novell/sentinel/3rdparty/newpwfile
Retry FIPS conversion.
Issue: Recent changes to how Sentinel validates rules cause the Correlation Engine to fail to connect if your environment has an older deployed rule with incorrect syntax. (Bug 1039598)
Workaround: To reconnect the Correlation Engine, you can correct the syntax in the rule that is causing the problem and then restart Sentinel.
To find the rule and correct its syntax, complete the following steps:
In the server.log file, search for Failed to initialize CorrelationEngine.
For example, when you search for Failed to initialize CorrelationEngine, you will see a log message similar to the following:
Wed May 17 10:58:09 CDT 2017|INFO|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Failed to initialize CorrelationEngine
Scroll up to see the previous log message, which specifies the rule and displays its syntax. It will be similar to the following:
Wed May 17 10:58:09 CDT 2017|SEVERE|Container Startup Thread|esecurity.base.ccs.proxy.ComponentElementProxy.activate
Root cause: Duration must be within a day (antlr.RecognitionException)
esecurity.ccs.correlation.impl.tpm.IllegalRuleException: SEN-13003 Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")) AND ((e.dhn = "n0")) AND ((e.fn != "favicon.ico")) AND ((e.fn != "apple-touch-icon-precomposed.png")) AND ((e.fn != "apple-touch-icon.png")) AND ((e.fn != "apple-touch-icon-120x120-precomposed.png")) AND ((e.fn != "apple-touch-icon-120x120.png")))flow trigger(20,86460,discriminator(e.sip))
In this example, the log message indicates the problem occurred because the specified duration was longer than a day. The syntax of the rule specifies more seconds (86460) than are in a day (86400).
Log in to Sentinel.
Open a new browser tab.
In the new tab, go to the following URL:
https://<YOUR SENTINEL IP>:8443/SentinelRESTServices/objects/correlation-rule
To find the rule name and ID in the list of correlation rules, search for a unique part of the rule syntax, such as 86460.
(Conditional) If you cannot find the rule name and ID in the list of correlation rules, complete the following steps:
In a command prompt, switch to the novell user. Use the following command:
su - novell
Change to the /opt/novell/sentinel/bin directory.
Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where rule_lg like '%UniqueText%'"
Where UniqueText is a unique part of the rule syntax, such as 86460.
(Conditional) If you have not already switched to the novell user, open a command prompt and switch to the novell user. Use the following command:
su - novell
Change to the /opt/novell/sentinel/bin directory.
Verify the rule is in the database. Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Update the rule with a new filter that will not trigger an error during validation. Use the following SQL command:
./db.sh sql SIEM dbauser "update CORR_RULE set rule_lg = 'filter(1=0)' where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Verify the filter has been changed in the database. Use the following SQL command:
./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID"
Where RuleID is the ID of the rule you found previously.
Stop Sentinel. Use the following command:
./server.sh stop
Start Sentinel again. Use the following command:
./server.sh start
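The procedure above works one rule at a time, after the Correlation Engine has already failed to start. As an added example, not NetIQ's code, the following Python audits rule definitions exported from CORR_RULE (for instance with the db.sh select shown above) for the condition in the log excerpt, a trigger window longer than one day, and prints the db.sh command for each offending rule. The trigger(count, seconds, ...) pattern is an assumption drawn from the excerpt, not Sentinel's rule grammar, and the threshold treats exactly 86400 seconds as permitted. Only the rule ID is ever interpolated into SQL, after a shape check; the rule text itself, which contains quotes, never is.

```python
"""Added example: find deployed correlation rules whose trigger window exceeds one day."""
import re
from typing import Dict, Iterable, List, Tuple

SECONDS_PER_DAY = 86400
# Matches the count and duration of a trigger(count, seconds, ...) clause as it appears in
# the rule text above. This is an assumption drawn from that excerpt, not Sentinel's grammar.
TRIGGER_RE = re.compile(r"trigger\(\s*(\d+)\s*,\s*(\d+)\s*[,)]")
# Only identifiers of this shape are ever interpolated into SQL; the rule text itself never is.
RULE_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")
DISABLING_FILTER = "filter(1=0)"   # the replacement used in the workaround: matches no event


def oversized_windows(rule_lg: str) -> List[int]:
    """Trigger durations in the rule text that are longer than one day."""
    return [int(secs) for _, secs in TRIGGER_RE.findall(rule_lg) if int(secs) > SECONDS_PER_DAY]


def disable_statement(rule_id: str) -> str:
    """SQL that replaces the rule definition with the never-matching filter."""
    if not RULE_ID_RE.match(rule_id):
        raise ValueError(f"unexpected rule id: {rule_id!r}")
    literal = rule_id if rule_id.isdigit() else f"'{rule_id}'"
    return f"update CORR_RULE set rule_lg = '{DISABLING_FILTER}' where RULE_ID={literal}"


def audit_rules(rows: Iterable[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """rows: (rule_id, rule_name, rule_lg) as selected from CORR_RULE. Returns the offending rules."""
    findings = []
    for rule_id, name, rule_lg in rows:
        bad = oversized_windows(rule_lg)
        if bad:
            findings.append({"rule_id": rule_id, "name": name, "durations": bad,
                             "sql": disable_statement(rule_id)})
    return findings


# Constructed sample rows: the rule from the log excerpt above plus two well-formed ones.
SAMPLE_ROWS = [
    ("R-1001", "Forbidden GETs per source",
     'filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")))flow trigger(20,86460,discriminator(e.sip))'),
    ("R-1002", "Failed logins", 'filter(e.evt = "Login failed")flow trigger(5,300,discriminator(e.sun))'),
    ("R-1003", "Daily window", 'filter(e.sev >= 4)flow trigger(1,86400)'),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_ROWS):
        print(f"{f['rule_id']} ({f['name']}): trigger durations {f['durations']} exceed a day")
        print(f"  ./db.sh sql SIEM dbauser \"{f['sql']}\"")
```

Running the audit before the upgrade, against the rules exported from the current database, finds the rules that will stop the Correlation Engine from connecting while there is still time to correct their syntax in the UI rather than through the database.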
Issue: When you convert the active node to FIPS 140-2 mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS 140-2 mode is not performed completely. You must start the synchronization manually. (Bug 1014472)
Workaround: Manually synchronize all passive nodes to FIPS 140-2 mode as follows:
Log in as the root user on the active node.
Open the /etc/csync2/csync2.cfg file.
Change the following line:
include /etc/opt/novell/sentinel/3rdparty/nss/*;
to
include /etc/opt/novell/sentinel/3rdparty/nss;
Save the csync2.cfg file.
Start the synchronization manually by running the following command:
csync2 -x -v
Issue: An issue prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug 981308)
Workaround: Use a different browser to view or modify the Visualization dashboard.
Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug 990201)
Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps:
Install Sentinel. For more information, see Installing Sentinel
in the Sentinel Installation and Configuration Guide.
Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode
in the Sentinel Installation and Configuration Guide.
Enable FIPS mode in the operating system by adding the following parameter to the kernel line in /boot/grub/menu.lst, and then reboot:
fips=1
Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug 1006677)
Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM.
Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug 914755)
Workaround: There is no workaround at this time.
Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug 908666)
Workaround: Update the role with one of the following options:
Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
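The manual edit above is easy to get wrong on a second run (a port listed twice, or a range such as 40000:41000 mangled) and, unlike the fixed report_dev_setup.sh script, leaves no backup. As an added example, not NetIQ's script, the following Python adds a port to FW_SERVICES_EXT_TCP exactly once, edits the last assignment of that variable because the file is sourced as shell and the last assignment wins, and writes a timestamped backup first. The sample text is constructed from the line shown in the workaround; the function names and backup naming are assumptions.

```python
"""Added example: add a TCP port to FW_SERVICES_EXT_TCP in SuSEfirewall2 exactly once, with a backup."""
import re
import shutil
import time
from pathlib import Path
from typing import Iterable, List

VAR = "FW_SERVICES_EXT_TCP"
# assignment line: optional indent, VAR=, double-quoted value, optional trailing text (e.g. a comment)
LINE_RE = re.compile(rf'^(\s*{VAR}=)"([^"]*)"(.*)$')


def add_tcp_ports(text: str, ports: Iterable[object]) -> str:
    """Return the file text with every port present exactly once in FW_SERVICES_EXT_TCP.

    The file is sourced as shell, so the last assignment wins; that is the line edited here.
    Existing tokens, including ranges such as 40000:41000, are preserved in order."""
    lines = text.splitlines()
    targets = [i for i, line in enumerate(lines) if LINE_RE.match(line)]
    wanted = list(dict.fromkeys(str(p) for p in ports))   # de-duplicate, keep order
    if not targets:
        lines.append(f'{VAR}="{" ".join(wanted)}"')
    else:
        i = targets[-1]
        m = LINE_RE.match(lines[i])
        tokens: List[str] = m.group(2).split()
        for p in wanted:
            if p not in tokens:
                tokens.append(p)
        lines[i] = f'{m.group(1)}"{" ".join(tokens)}"{m.group(3)}'
    return "\n".join(lines) + "\n"


def update_firewall_file(path: str = "/etc/sysconfig/SuSEfirewall2", ports: Iterable[object] = (5432,)) -> Path:
    """Back up the file with a timestamp, rewrite it, and return the backup path."""
    target = Path(path)
    backup = target.with_name(f"{target.name}.{time.strftime('%Y%m%d%H%M%S')}.bak")
    shutil.copy2(target, backup)
    target.write_text(add_tcp_ports(target.read_text(), ports))
    return backup


# Constructed sample of the relevant lines, using the value shown in the workaround above.
SAMPLE = (
    '## Type:\tstring\n'
    'FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"\n'
    'FW_SERVICES_EXT_UDP=""\n'
)

if __name__ == "__main__":
    print(add_tcp_ports(SAMPLE, [5432]), end="")
```

Run update_firewall_file() as root and then reload the firewall (for example with rcSuSEfirewall2 restart) in addition to restarting Sentinel, because the edited file is only read when the firewall service starts. Opening 5432 to external interfaces exposes PostgreSQL itself, so restrict the source addresses to the report development hosts that need it.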
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)
Workaround: There is no workaround at this time.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(Bug 810764)
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and search for the IssueSAMLToken audit event, the event displays an incorrect InitiatorUserName (hostname) or SourceIP (IP address). (Bug 870609)
Workaround: There is no workaround at this time.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (Bug 913599)
Workaround: Create retention policies so that at least two partitions are open on any given day. Spreading events over more than one open partition reduces the number of events indexed in any single partition.
You can create retention policies that filter events on the estzhour field, which records the hour of the day. For example, create one retention policy with the filter estzhour:[0 TO 11] and another with the filter estzhour:[12 TO 23].
For more information, see Configuring Data Retention Policies
in the NetIQ Sentinel Administration Guide.
Issue: Data synchronization fails when you try to synchronize IPv6 address fields in human-readable format to an external database. For information about configuring Sentinel to populate the IP address fields in human-readable dot notation format, see Creating a Data Synchronization Policy
in the NetIQ Sentinel Administration Guide. (Bug 913014)
Workaround: Manually increase the maximum size of the IP address columns in the target database to at least 46 characters (the longest textual IPv6 form, an IPv4-mapped address written out in full, is 45 characters), and then re-synchronize the database.
Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (Bug 804683)
Workaround: Click the second report result PDF again to view the report result.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see http://www.netiq.com/company/legal/.
Copyright © 2018 NetIQ Corporation. All Rights Reserved.