Sentinel 8.2 Release Notes

July 2018

Sentinel 8.2 includes new features, improves usability, and resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Product Download website.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release:

1.1 Data Collection Using ArcSight SmartConnectors

Sentinel leverages ArcSight SmartConnectors to collect events from event sources that Sentinel does not directly support, such as Office 365. SmartConnectors collect events from supported devices, normalize them into the Common Event Format (CEF), and forward them to Sentinel through the Syslog Connector. The Connector then forwards the events to the Universal Common Event Format Collector for parsing.

For more information about configuring Sentinel with SmartConnectors, see the Universal Common Event Format Collector documentation on the Sentinel plug-ins website.

1.2 IP Flow Data Collection

Sentinel now allows you to collect IP Flow (IPFIX, JFlow, sFlow, and so on) data in addition to NetFlow data by leveraging ArcSight SmartConnectors. IP Flow data describes basic information about all the network connections between hosts, including the packets and bytes transmitted. This helps you visualize the behavior of individual hosts or the entire network. You can use IP Flow data when analyzing and visualizing events. IP Flow data is collected as events and therefore counts toward EPS.

To configure IP Flow data collection, install and configure the ArcSight SmartConnector. While configuring, ensure that you configure the relevant SmartConnectors that collect IP Flow data. For more information, see the Universal Common Event Format Collector documentation on the Sentinel Plug-ins Website.

In upgrade installations of Sentinel, you can either continue to use NetFlow capabilities or choose to configure IP Flow data collection. For more information, see Configuring IP Flow Data Collection in the Sentinel Installation and Configuration Guide.

1.3 Event Visualization in Traditional Storage

Sentinel with traditional storage now includes the capability to visualize events through event visualization dashboards, such as the Threat Hunting and User Activity dashboards. These dashboards provide a customizable interface that helps you search, view, and analyze events in detail, so you can drill down to potential threats much faster. In addition to the out-of-the-box dashboards, you can create your own dashboards as required.

These dashboards are disabled by default. To enable them, you must enable event visualization in Sentinel. The dashboards display only the events processed after you enabled event visualization. To view events already present in traditional storage, Sentinel lets you migrate events from file-based storage to Elasticsearch. For more information, see Configuring the Visualization Data Store in the Sentinel Installation and Configuration Guide.

1.4 New Dashboards

This release introduces the following new dashboards:

  • Threat Hunting dashboard: This dashboard helps you to analyze potential threats or any abnormal activity in your environment, such as signs of compromise, intrusion, or exfiltration of data. For example, you can visualize information about the most targeted source/destination IP address, source host reputation and threat, exploit detection, policy violations, attacks on vulnerable computers, and so on.

  • User Activity dashboard: This dashboard provides a high-level visualization of user activities in the system. For example, you can visualize information about privileged operations, file access monitoring, weekend and weekday activities, events with higher repetitive count, and so on.

  • IP Flow real-time dashboard: This dashboard provides a real-time, high-level overview of the IP Flow data in your environment.

  • IP Flow Overview dashboard: This dashboard helps you to perform a detailed analysis of your network traffic at a more granular level. The dashboard helps you analyze details such as communication between source and target computers, the top hosts and top ports sending data to a specific IP address, and the geographical location of the source and target IP addresses.

1.5 Alerts Dashboard in My Sentinel

For a better user experience, the Alerts dashboard has now moved from Sentinel Main to My Sentinel. To access it, launch My Sentinel and click the Alerts dashboard in the list of available dashboards. For more information about alert dashboards, see Analyzing Alert Dashboards in the Sentinel User Guide.

1.6 Searching Events and Alerts from My Sentinel

You can now search for events and alerts indexed in Elasticsearch from the My Sentinel user interface. This search view helps you analyze the percentage comparison of different event field entities, event trends, and so on. This Search option provides a common platform to search for both events and alerts in the same user interface, just by changing the search index. For more information about searching events and alerts in My Sentinel, see Searching Events and Searching Alerts in the Sentinel User Guide.

1.7 Incident Probability

Based on the existing alerts escalated as an incident, Sentinel now analyzes the probability of a current alert being escalated to an incident and displays the Incident Probability value in the Alerts View user interface. This value helps you to analyze the probability of escalating an alert to an incident much faster. For more information, see Viewing and Triaging Alerts in the Sentinel User Guide.

1.8 SLES 12 SP3 in Sentinel Appliance

Fresh installations of the Sentinel appliance include the SLES 12 SP3 operating system and are based on the Sentinel Appliance Manager framework. Sentinel Appliance Manager provides a simple web-based user interface that helps you configure and manage the appliance. It replaces the existing WebYast functionality.

Sentinel includes open-vm-tools out of the box in SLES 12 SP3, which enhances the performance of virtual machines and allows better management of guests on the host server. For more information about open-vm-tools, see the open-vm-tools documentation.

In upgrade installations of Sentinel, you can choose either to upgrade Sentinel without upgrading the SLES operating system or to upgrade both Sentinel and the SLES operating system. Because the Sentinel 8.2 appliance now includes SLES 12 SP3, the SLES 11 updates channel is deprecated and will be removed when SUSE ends general support for SLES 11. Therefore, it is recommended that you upgrade the operating system to SLES 12 SP3 to continue receiving operating system updates and to leverage open-vm-tools.

For information about installing or upgrading the appliance, see the Sentinel Installation and Configuration Guide.

1.9 Connector for HTTP Server

Sentinel now includes a Connector for HTTP Server that allows a Sentinel system to receive events from other NetIQ software such as Change Guardian and Secure Configuration Manager. In addition to events, the Connector also receives event attachments such as the delta information for a Change Guardian file change event. You can now distribute Change Guardian assets across multiple Sentinel Collector Managers and multiple Event Source Servers to scale data collection. For more information, see the Connector documentation.

1.10 Resolving Hostnames and IP Addresses in Events

You can now configure Sentinel servers and Collector Managers to resolve hostnames to IP addresses or IP addresses to hostnames for all incoming events. This feature replaces the Generic Hostname Resolution Service Collector, which had a negative impact on event rate (Bug 906715). The Generic Hostname Resolution Service Collector is deprecated and will not be supported in Sentinel 8.2 and later. For more information, see Resolving Hostnames and IP Addresses in the Sentinel Administration Guide.

1.11 Consent Banner During Login

Sentinel now allows you to display a consent banner before login. You can specify the content of the banner as per your requirements. For more information about adding a consent banner, see Adding a Consent Banner in the Sentinel Installation and Configuration Guide.

After you have added the consent banner, you must accept the terms in the consent banner every time you log in to Sentinel.

1.12 LDAP Authentication Against Multiple LDAP Servers Or Domains

Sentinel now supports LDAP authentication against multiple LDAP servers and domains, for unique users. For more information about LDAP authentication against multiple LDAP servers and domains, see LDAP Authentication Against Multiple LDAP Servers Or Domains in the Sentinel Administration Guide.

1.13 New and Updated Plug-Ins

New installations of Sentinel 8.2 include new and updated versions of Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Website.

Upgrade installations of Sentinel include new plug-ins such as Universal Common Event Format Collector 2011.1r1 and HTTP Server Connector 2018 1.r1. They also automatically update only the following plug-ins to the latest version:

  • Syslog Connector 2018.1r2: The Connector can now receive events in CEF format.

  • Sentinel Link Collector 2011.1r3: The Collector now supports the HTTPSERVER connection method, which allows parsing of events from Change Guardian and Secure Configuration Manager through the HTTP Server Connector.

In addition to these enhancements, these updated plug-ins also include several software fixes.

To upgrade other plug-ins to the latest version, download the desired plug-in from the Sentinel Plug-ins Website. For more information, refer to the specific plug-in documentation.

1.14 Security Vulnerability Fix

This release resolves a potential information disclosure vulnerability (CVE-2018-7675). (Bug 1080555)

1.15 TargetDataHash Column in the Event Field

Sentinel event fields now include the TargetDataHash column, which displays the hash value of the data object. Therefore, hash values are no longer populated in the Message field and are now searchable. (Bug 1069674)

1.16 Enhanced Usability in the Storage > Health Pie Charts

In Sentinel Main > Storage > Health, the pie charts now display the disk usage for the overall disk storage and not just the storage allocated for Sentinel.

1.17 Enhancements to REST API Calls Authentication

Administrators can now change their password through the REST API only after providing their current password.

1.18 Updates to Certified Platforms

There are several updates to the Sentinel certified platforms. For more information about the certified platforms, see the Technical Information for Sentinel web page.

Operating Systems

  • SUSE Linux Enterprise Server 12 SP3 64-bit (traditional and appliance installation)

  • Red Hat Enterprise Linux Server 7.5 64-bit (traditional installation)

  • Red Hat Enterprise Linux Server 7.4 64-bit (traditional installation)

  • Red Hat Enterprise Linux Server 6.9 64-bit (traditional installation)

Data Indexing

  • Elasticsearch 5.6.3

Data Synchronization

  • Microsoft SQL Server 2017

Event Source

  • Security Agent for UNIX 7.5.1

1.19 Java Runtime Environment Upgrade

Sentinel includes Java 8 Update 162, which includes fixes for several security vulnerabilities.

1.20 Deprecation of TLS 1.0 Communication Protocol

Sentinel supports TLS 1.2 and TLS 1.1; TLS 1.0 is deprecated and will be removed in a future release. If any external clients communicate (inbound or outbound) with the Sentinel server, such as REST API clients or external databases used for data synchronization, ensure that they use at least TLS 1.1.
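The following Python is an added illustration, not part of the release notes or Sentinel's own code, of the two things a practitioner checks when meeting this requirement: a client-side SSL context that refuses anything older than the chosen floor, and a helper that takes the protocol name a client logs (or `SSLSocket.version()` returns) and flags clients that still negotiate below the floor. The function names, the sample client list and the probe port are assumptions made here; TLS 1.2 is used as the default context floor, with the page's TLS 1.1 floor available through the `floor` parameter.

```python
import re
import socket
import ssl

# Floor stated in the release notes: external clients must use at least TLS 1.1.
# (1, 2) is the sensible floor for anything configured today.
PAGE_FLOOR = (1, 1)


def parse_tls_version(name: str) -> tuple:
    """Map a protocol name as returned by SSLSocket.version() or seen in client
    logs ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3") to a comparable (major, minor).
    SSLv2/SSLv3 and anything unparseable sort below every TLS version."""
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", name.strip())
    return (1, int(m.group(1) or 0)) if m else (0, 0)


def meets_floor(name: str, floor: tuple = PAGE_FLOOR) -> bool:
    """True when the negotiated protocol is at or above the required floor."""
    return parse_tls_version(name) >= floor


def make_client_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Hardened client context: certificate verification stays on (the default of
    create_default_context) and any protocol older than `minimum` is refused, so
    a client built on it cannot silently fall back to TLS 1.0."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def probe_server(host: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Assumed helper: handshake with a server using the hardened context and return
    the negotiated protocol, e.g. "TLSv1.2". An ssl.SSLError here means the server
    offers nothing at or above the floor, which is what an old client will see once
    TLS 1.0 is removed. (Port 8443 is an assumption, not from the release notes.)"""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def audit_versions(observed: dict, floor: tuple = PAGE_FLOOR) -> list:
    """Given {client_name: negotiated_version}, collected from each external
    client's own logs, return the clients that must be reconfigured."""
    return sorted(name for name, ver in observed.items() if not meets_floor(ver, floor))


# Constructed sample inventory for the illustration; not real Sentinel clients.
SAMPLE_CLIENTS = {
    "rest-api-script": "TLSv1.2",
    "legacy-datasync-jdbc": "TLSv1",
    "siem-forwarder": "TLSv1.1",
}

if __name__ == "__main__":
    print("clients below the floor:", audit_versions(SAMPLE_CLIENTS))
```

`audit_versions` is the part to run before the upgrade: anything it returns is a client that will stop connecting when TLS 1.0 is removed. `probe_server` answers the inverse question, what the Sentinel server (or a remote database or feed endpoint) actually negotiates with a client built on the hardened context.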

1.21 Software Fixes

Sentinel 8.2 includes software fixes that resolve several issues.

Sentinel Shuts Down Due to Memory Dump When There Are a Large Number of Raw Data Files

Issue: When there are a large number of raw data files in network storage and the raw data retention monitoring task starts while the system is under heavy load, a memory dump occurs and Sentinel eventually shuts down. (Bug 1067897)

Fix: Sentinel now optimizes how it obtains the list of raw data files: only the files that need to be expired are buffered in memory, instead of all files and directories, which avoids the memory dump.

A Few Out-of-the-Box Action Instances Are Associated with an Incorrect Integrator Instance

Issue: In Sentinel Control Center > Action Manager, a few out-of-the-box action instances, such as Log to Syslog and Send SNMP Trap, are incorrectly associated with the File Integrator instance. (Bug 976191)

Fix: The Log to Syslog action is now associated with the Syslog Integrator instance, and the Send SNMP Trap action is now associated with the snmp Integrator instance.

Cannot Synchronize Data to Oracle Database by Using the Service Name

You can now specify either the database name or the service name when creating data synchronization policies for an Oracle database. (Bug 1057613)

Permission Denied Error Displayed During Sentinel Install Or Upgrade

Issue: Sentinel displays the following error during install or upgrade:

/tmp/install-sentinel.5133.vDt4E1AOea/rpmpp.py: Permission denied

However, Sentinel installation and upgrade proceeds successfully. (Bug 1025472)

Fix: You will no longer see the Permission Denied error.

The Event Fields Count is Zero in the Search Refine Panel

Issue: When you try to refine the search criteria while a search is in progress, the event fields count in the Refine panel is zero. (Bug 1062588)

Fix: The Refine panel is disabled until the search is complete.

Sentinel Prompts For a Keystore Password

Sentinel does not prompt for a password unless you have changed the default keystore password. (Bug 1036860)

Cannot Convert Sentinel to FIPS Mode

Issue: When you try to convert Sentinel to FIPS mode, the conversion fails if you use Mozilla Network Security Services (NSS) 3.29, because two dependent RPM packages, libfreebl3-hmac and libsoftokn3-hmac, are unavailable. Sentinel keeps prompting you to enter the keystore password. (Bug 1033224)

Fix: The Sentinel installer checks for the dependent RPM files and prompts you to install them.

Search Results Are Not Sorted With Millisecond Precision

Search results for events are sorted with millisecond precision. (Bug 1060000)

Data Sync Policies Do Not Reconnect After the External Database Recovers from a Downtime

Sentinel now keeps retrying the connection for 12 hours. If the external database is still unreachable after that, resynchronize the data synchronization policies manually. (Bug 1037631)

Insufficient Permission Error Displayed In The Alert Details Page

Issue: When you access the Alert Details page from Sentinel Main > Real-time Views > Alert Views, the following error is displayed: Insufficient permission for user '<username>', although you have the Allow users to manage alerts permission. (Bug 1090898)

Fix: The Alert Details page loads without the error.

Cannot View Alerts with IPv6 Data in Alert Views

Sentinel Alert Views and Alert dashboards now display alerts that have IPv6 addresses in IP address fields. (Bug 924874)

Cannot Close or Add Comments to Multiple Alerts

Issue: When you select multiple alerts, the Close and Comment buttons are disabled. (Bug 1093233)

Fix: You can now close or add comments to multiple alerts at once.

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.

3.0 Installing Sentinel 8.2

For information about installing Sentinel 8.2, see the Sentinel Installation and Configuration Guide.

NOTE: There are a few usability issues during the appliance installation. For more information, see Section 5.7, Usability Issues in the Appliance Installation Screens.

4.0 Upgrading to Sentinel 8.2

You can upgrade to Sentinel 8.2 from Sentinel 8.0.0.1 and later.

NOTE: Sentinel leverages Kibana for visualizing and searching events in dashboards. Sentinel 8.2 includes an updated version of Kibana. Therefore, if you have any custom dashboards, you need to recreate them after upgrading Sentinel.

Some of the Sentinel dashboards that leverage Kibana do not load after you upgrade to Sentinel 8.2. This issue occurs because Elasticsearch and Kibana versions have been upgraded in Sentinel 8.2, and the existing Kibana index file is not compatible with the upgraded versions of Elasticsearch and Kibana. To fix this issue, you must manually delete the existing Kibana index file and recreate a new Kibana index file. For more information, see the Knowledge Base Article 7022736.

For information about upgrading to Sentinel 8.2, see the Sentinel Installation and Configuration Guide.

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following known issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, we will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

5.1 Sentinel 8.2 Appliance in Hyper-V Server 2016 Does Not Start When You Reboot

Issue: In Hyper-V Server 2016, Sentinel appliance does not start when you reboot it and displays the following message:

A start job is running for dev-disk-by\..

This issue occurs because the operating system modifies the disk UUID during installation. Therefore, during reboot it cannot find the disk.

(Bug 1097792)

Workaround: Manually modify the disk UUID. For more information, see Knowledge Base Article 7023143.

5.2 Incorrect Information About jquery in Vulnerability Scan Reports

Issue: Vulnerability scans report issues, such as the following message, with a vulnerable version of jquery:

The file 'jquery-1.11.3.min.js' includes a vulnerable version of the library 'jquery'.

The noted vulnerability affects only versions 1.8.0 to 1.12.0, but the reported URL redirects to a much newer version of jquery (3.x). (Bug 1094393)

Workaround: Ignore the issue since it is a false positive.

5.3 Error When Upgrading to Sentinel 8.2 HA Appliance

Issue: When you upgrade to Sentinel 8.2 HA appliance, Sentinel displays the following error:

Installation of novell-SentinelSI-db-8.2.0.0-<version> failed:
with --nodeps --force) Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): 

(Bug 1099679)

Workaround: Before you respond to the above prompt, perform the following:

  1. Start another session using PuTTY or similar software to the host where you are running the upgrade.

  2. Add the following entry to the /etc/csync2/csync2.cfg file:

    /etc/opt/novell/sentinel/config/configuration.properties

  3. Remove the sentinel folder from /var/opt/novell:

    rm -rf /var/opt/novell/sentinel

  4. Return to the session where you had initiated the upgrade and enter r to proceed with the upgrade.

5.4 Installation of Collector Manager and Correlation Engine Appliance Fails in Languages Other than English in MFA Mode

Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)

Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.

5.5 Cannot Launch Event Visualization Dashboard

Issue: Internet Explorer 11 cannot open the Event Visualization dashboard. (Bug 981308)

Workaround: Use a different browser to view or modify the visualization dashboard.

5.6 When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays

Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1:

Failed to set encrypted password

(Bug 967764)

Workaround: The warning is expected and you can safely ignore it. There is no impact to the upgrade.

5.7 Usability Issues in the Appliance Installation Screens

Issue: The Next and Back buttons in the appliance installation screens do not appear or are disabled in some cases, such as the following:

  • When you click Back from the Sentinel precheck screen to edit or review the information in the Sentinel Server Appliance Network Settings screen, there is no Next button to proceed with the installation. The Configure button allows you to only edit the specified information.

  • If you have specified incorrect network settings, the Sentinel Precheck screen indicates that you cannot proceed with the installation due to incorrect network information. There is no Back button to go to the previous screen and modify the network settings.

(Bug 1089063)

Workaround: Restart the appliance installation.

5.8 Error Message During Sentinel Start Up

Issue: Sentinel displays the following message during start up in the server.log file:

Value for attribute rv43 is too long

(Bug 1092937)

Workaround: Ignore the exception. Although the message is displayed, Sentinel works as expected.

5.9 SSDM Displays an Exception When Deleting Events Whose Retention Period Has Expired

Issue: When there is a large number of events whose retention period has expired and SSDM tries to delete those events from Elasticsearch, the following exception is displayed in the server.log file:

java.net.SocketTimeoutException: Read timed out

(Bug 1088511)

Workaround: Ignore the exception. This exception occurs due to the time taken to delete the large amount of data. Although the exception is displayed, SSDM successfully deletes the events from Elasticsearch.

5.10 Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug 906715)

Workaround: Uninstall the Collector and configure the Sentinel server and Collector Manager to resolve hostname to IP address or vice versa. For more information, see Resolving Hostnames and IP Addresses in the Sentinel Administration Guide.

5.11 Collector Manager Runs Out of Memory if Time Synchronization is Enabled in open-vm-tools

Issue: If you manually install and enable time synchronization in open-vm-tools, they periodically synchronize time between the Sentinel appliance (guest) and the VMware ESX server (host). These time synchronizations can result in moving the guest clock either behind or ahead of the ESX server time. Until the time is synchronized between the Sentinel appliance (guest) and the ESX server (host), Sentinel does not process events. As a result, a large number of events are queued up in the Collector Manager, which may eventually drop events once it reaches its threshold. To avoid this issue, Sentinel disables time synchronization by default in the open-vm-tools version available in Sentinel. (Bug 1099341)

Workaround: Disable time synchronization. For more information about disabling time synchronization, see Disabling Time Synchronization.

5.12 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in Sentinel, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager.

5.13 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

5.14 Internet Explorer 11 Does Not Load Dashboards as Expected

Issue: In Internet Explorer 11, when you launch the dashboards:

  • Alert and Threat Hunting dashboard redirects to My Dashboard.

  • User Activity dashboard displays an error.

This issue occurs due to the URL length limitation in Internet Explorer 11. (Bug 1068418)

Workaround: Perform the following:

  1. Launch Event Visualization dashboard.

  2. Click Management > Advanced Settings.

  3. Set the value of storeInSessionStorage to true.

5.15 Elasticsearch Service Restart in Sentinel Fails with an Error in RHEL 6

Issue: Restarting the Elasticsearch services in Sentinel fails with the error "unable to install syscall filter" after you add the Elasticsearch node to the cluster in RHEL 6. (Bug 1068600)

Workaround: Perform the following:

  1. Log in to the Sentinel server as the novell user.

  2. Open the /etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml file.

  3. Set the value of bootstrap.system_call_filter to false.

  4. Restart the Elasticsearch services in Sentinel:

    rcsentinel stopSIdb

    rcsentinel startSIdb
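As an added example, not from the release notes or from Sentinel, the following Python applies step 3 without hand-editing: a line-based setter that rewrites or appends `bootstrap.system_call_filter: false` while preserving the rest of the file and its comments, and without needing a YAML library on the server. The file path is the one quoted in step 2; `set_yaml_scalar`, `disable_syscall_filter` and the sample YAML fragment are constructed for this illustration.

```python
import re
from pathlib import Path

# Path from the workaround above; adjust for a non-default install location.
ES_CONFIG = Path("/etc/opt/novell/sentinel/3rdparty/elasticsearch/elasticsearch.yml")

# Matches a top-level or commented-out "key: value" line, capturing each part.
_KEY_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<comment>#\s*)?(?P<key>[A-Za-z0-9_.]+)\s*:\s*(?P<value>.*?)\s*$"
)


def set_yaml_scalar(text: str, key: str, value: str) -> str:
    """Return `text` with the top-level scalar `key: value` present exactly once.

    The first occurrence of the key, active or commented out, is rewritten in
    place (a commented-out line is uncommented). Any later active occurrence is
    dropped so the file cannot end up with two conflicting definitions, and a
    later commented-out occurrence is left alone. Nested keys (indented) are
    never touched. If the key is absent, it is appended at the end.
    """
    out = []
    done = False
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m and m.group("key") == key and not m.group("indent"):
            if not done:
                out.append(f"{key}: {value}")
                done = True
            elif not m.group("comment"):
                continue  # second live definition: drop it
            else:
                out.append(line)
        else:
            out.append(line)
    if not done:
        out.append(f"{key}: {value}")
    return "\n".join(out) + "\n"


def disable_syscall_filter(path: Path = ES_CONFIG) -> bool:
    """Apply the RHEL 6 workaround to `path`; returns True if the file changed."""
    original = path.read_text()
    updated = set_yaml_scalar(original, "bootstrap.system_call_filter", "false")
    if updated != original:
        path.write_text(updated)
        return True
    return False


# Constructed fragment standing in for elasticsearch.yml; not the file Sentinel ships.
SAMPLE = """\
cluster.name: sentinel
# bootstrap.system_call_filter: true
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    print(set_yaml_scalar(SAMPLE, "bootstrap.system_call_filter", "false"))
```

Run `disable_syscall_filter()` as the novell user (step 1) and then restart with the two rcsentinel commands in step 4; calling it a second time is a no-op, so it is safe to include in a provisioning script. The key turns off Elasticsearch's seccomp-based system call filter, the bootstrap check that fails on RHEL 6 kernels without seccomp support, so confine the change to the RHEL 6 nodes that need it.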

5.16 Keytool Command Displays a Warning

Issue: While using the keytool command, the following warning is displayed: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -destkeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -deststoretype pkcs12". (Bug 1086612)

Workaround: The warning is expected and you can safely ignore it. Although the warning is displayed, the keytool command works as expected.

5.17 Sentinel Does Not Process Threat Intelligence Feeds In FIPS Mode

Issue: In FIPS mode, when processing out-of-the-box threat intelligence feeds from URLs, Sentinel displays the following error: Received fatal alert: protocol_version. This issue occurs because the out-of-the-box threat feeds now support only TLS 1.2, which does not work in FIPS mode. (Bug 1086631)

Workaround: Click Sentinel Main > Integration > Threat Intelligence Sources. Edit each URL to change the protocol from http to https.

5.18 Logging Out From Sentinel Main Does Not Log Out Of Dashboards And Vice Versa

Issue: If Sentinel is integrated with NetIQ Advanced Authentication Framework MFA mode, you do not get logged out of Sentinel dashboards when you log out of Sentinel Main and vice versa due to an issue in the Advanced Authentication Framework. (Bug 1087856)

Workaround: Until a fix is available in the Advanced Authentication Framework, refresh the screen to view the login screen.

5.19 Unable to Access Sentinel Appliance Management Console In High Availability Mode

Issue: After installing or upgrading to Sentinel 8.2 in high availability mode, launching Sentinel Appliance Management Console displays an error. (Bug 1093574)

Workaround: After installing or upgrading to Sentinel 8.2, if the error is displayed after a failover, run the following command to restart Sentinel services:

systemctl restart vabase-datamodel.service vabase-jetty.service vabase.service