Sentinel 8.2 Service Pack 2 Release Notes

June 2019

Sentinel 8.2 SP2 resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.

The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Product Download website.

1.0 What’s New?

The following sections outline the key features provided by this version, as well as issues resolved in this release:

1.1 Updates to Certified Platforms

Sentinel is now certified on the following platforms:

  • SUSE Linux Enterprise Server (SLES) 12 SP4 64-bit (traditional and appliance installation)

  • Red Hat Enterprise Linux Server 7.6 64-bit (traditional installation)

1.2 Deprecating SLES 12 SP3

SLES 12 SP3 is now deprecated because SUSE will be removing support for it. Therefore, fresh installations of the Sentinel 8.2 SP2 appliance now include SLES 12 SP4.

1.3 Software Fixes

Sentinel 8.2 SP2 includes software fixes that resolve the following issues:

Ability to Paste Passwords in the Profile Page

Issue: In the Profile page, you can paste a password to the following fields: Old Password, New Password, and Confirm New Password. (Bug 1118162)

Fix: You cannot paste to the following fields: Old Password, New Password, and Confirm New Password. This fix restricts users from pasting the current password in the Old Password field.

Sentinel Server Does Not Set Browser Security Headers in the Server Response

Sentinel server sets browser security headers in the server response. (Bug 1118173)

Cannot Import Intermediate and Root Certificates while Configuring the Syslog Server SSL Connector in Event Source Management

Issue: When you configure custom certificates for the Syslog SSL Server connector, there is no option to select a required certificate and import it. (Bug 1125116)

Fix: Use Syslog Connector 2019.1r1 or later to select the alias such as webserver, intermediate, or root. This fix is available only when you configure custom certificates in Sentinel Control Center > Event Source Management > Live View. This fix is not available when you configure certificates using Sentinel Main.

Sentinel REST API Document Does Not Include the Explanation for Possible State and Status Values of Data Collection Methods

Sentinel REST API document now includes the explanation for possible state and status values of Data Collection methods. (Bug 1129261)

The Alert REST API Displays an Exception

The Alert REST API displays the required alerts without displaying an exception. (Bug 1117842)

The Alert REST API Does Not Display Field Values of Alerts when the API Includes the Field Parameter

Issue: The Alert REST API does not consider the field parameter. When the Alert REST API includes the names of fields whose values need to be returned, the API does not display the field values. (Bug 1118799)

Fix: The Alert REST API displays the values of the specified fields for the required alerts.

Ability to Modify the State of an Alert Without Assigning the Alert to the Owner

The Save button is now enabled only after an alert is assigned to the owner. Therefore, you cannot modify an alert without assigning it to the owner. (Bug 1126506)

Java Threads of Sentinel and Collector Manager do Not Terminate after a Task has been Completed

Issue: Java thread count of Sentinel and Collector Manager increases over time because the Java threads do not terminate after a task has been completed. (Bug 1128183)

Fix: Java threads of Sentinel and Collector Manager terminate as soon as a task is completed.

Event Visualization Dashboard Does Not Display Events

Issue: The Event Visualization dashboard does not display events because the data types of two event fields, BeginTime and EndTime, do not match the mapping template of the Elasticsearch index. The Reset Filters section does not display the filters bgndt (BeginTime) and endt (EndTime). (Bug 1131318)

Fix: The Event Visualization dashboard displays events. The Reset Filters section displays the filters bgndt (BeginTime) and endt (EndTime).

Events Forwarded to Syslog Devices through Syslog Integrator Display Only the First Word of the Device Vendor Name Instead of the Complete Name

Issue: Events forwarded to syslog devices from Sentinel display only the first word of the Device Vendor name when:

  • Sentinel forwards events to syslog devices through Syslog Integrator in CEF.

  • Device Vendor name has two or more words.

(Bug 1118199)

Fix: Events forwarded to syslog devices through Syslog Integrator display the complete name of the device vendor.
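A receiver-side check for the vendor-name issue above, as an added example that is not part of the Sentinel release notes or product code: it parses the CEF header of forwarded syslog lines and flags events whose Device Vendor field is only the first word of an expected multi-word vendor name. The vendor names, host name, addresses and sample lines are constructed for illustration.

```python
# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Signature ID|Name|Severity|Extension
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")

def parse_cef(line):
    """Return the seven CEF header fields plus the extension, or None."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])   # '\|' and '\\' are header escapes
            i += 2
            continue
        if ch == "|":                 # an unescaped pipe ends the field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(HEADER):
        return None                   # truncated or malformed header
    return dict(zip(HEADER, fields), extension=body[i:])

def check_vendors(lines, expected_vendors):
    """Flag lines whose Device Vendor is just the first word of an expected name."""
    first_word = {v.split()[0]: v for v in expected_vendors if " " in v}
    findings = []
    for n, line in enumerate(lines, 1):
        event = parse_cef(line)
        if event is None:
            findings.append((n, "unparseable", None))
        elif event["device_vendor"] in first_word:
            findings.append((n, "truncated", first_word[event["device_vendor"]]))
    return findings

# Constructed sample input: vendors, host and addresses are made up.
EXPECTED = ["Example Security Corp", "Acme|West Labs"]
SAMPLE = [
    "<134>Jun 10 10:00:00 sentinel01 CEF:0|Example Security Corp|Gateway|1.0|100|Login failed|5|src=192.0.2.10",
    "<134>Jun 10 10:00:01 sentinel01 CEF:0|Example|Gateway|1.0|100|Login failed|5|src=192.0.2.10",
    "<134>Jun 10 10:00:02 sentinel01 CEF:0|Acme\\|West Labs|Probe|2.1|7|Scan|3|dst=192.0.2.20",
    "<134>Jun 10 10:00:03 sentinel01 not a CEF event",
]
if __name__ == "__main__":
    print(check_vendors(SAMPLE, EXPECTED))
```

Run it against a sample of events captured on the receiving syslog device before and after the upgrade; downstream rules that key on the vendor name should be re-tested if any line is reported as truncated.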

2.0 System Requirements

For more information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.

3.0 Installing Sentinel 8.2 SP2

For information about installing Sentinel 8.2 SP2, see the Sentinel Installation and Configuration Guide.

4.0 Upgrading to Sentinel 8.2 SP2

You can upgrade to Sentinel 8.2 SP2 from Sentinel 8.2 or later.

IMPORTANT: If you have already upgraded to SLES 12 SP3 and run the post-upgrade utility, you must download the latest version of the post-upgrade utility and run it again. This is important to ensure that the upgrade to 8.2 SP2 and later works correctly.

Download and run the latest utility from Sentinel Appliance 8.2 SLES11SP4 to SLES12SP3 Migration Tools B in the Micro Focus Patch Finder website.

NOTE: If you have installed Sentinel 8.2 appliance in high availability mode, the Sentinel installation does not contain the folders to launch the Sentinel Appliance Management Console. For more information about launching the Sentinel Appliance Management Console in high availability mode, see Upgrading to Sentinel 8.2 Patch Update 1 or Later.

WARNING: If you upgrade from Sentinel 8.2 or 8.2 P1 to 8.2 SP2, you must manually assign the Send events and attachments permission to non-administrator users who send events or attachments to Sentinel. Unless you assign this permission, Sentinel will no longer receive events and attachments from Change Guardian and Secure Configuration Manager.

You need not reassign this permission if you are upgrading from 8.2 SP1 to 8.2 SP2.

For information about upgrading to Sentinel 8.2 SP2, see the Sentinel Installation and Configuration Guide.

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following known issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

The Java 8 update included in Sentinel might impact the following plug-ins:

  • Cisco SDEE Connector

  • SAP (XAL) Connector

  • Remedy Integrator

For any issues with these plug-ins, we will prioritize and fix the issues according to standard defect-handling policies. For more information about support policies, see Support Policies.

5.1 Installing Sentinel, Collector Manager, and Correlation Engine as an OVF Appliance Image Does Not Display the Login Screen

Issue: The installer halts at the installation in progress screen and does not display the login screen even though the installation is complete.

Workaround: Reboot the virtual machine and launch Sentinel, Collector Manager, or Correlation Engine. (Bug 1134657)

5.2 Sentinel 8.2 Appliance in Microsoft Hyper-V Server 2016 Does Not Start When You Reboot

Issue: In Hyper-V Server 2016, Sentinel appliance does not start when you reboot it and displays the following message:

A start job is running for dev-disk-by\..

This issue occurs because the operating system modifies the disk UUID during installation. Therefore, during reboot it cannot find the disk.

(Bug 1097792)

Workaround: Manually modify the disk UUID. For more information, see Knowledge Base Article 7023143.

5.3 Error When Upgrading to Sentinel 8.2 HA Appliance

Issue: When you upgrade to Sentinel 8.2 HA appliance, Sentinel displays the following error:

Installation of novell-SentinelSI-db-8.2.0.0-<version> failed:
with --nodeps --force) Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): 

(Bug 1099679)

Workaround: Before you respond to the above prompt, perform the following:

  1. Start another session using PuTTY or similar software to the host where you are running the upgrade.

  2. Add the following entry in the /etc/csync2/csync2.cfg file:

    /etc/opt/novell/sentinel/config/configuration.properties

  3. Remove the sentinel folder from /var/opt/novell:

    rm -rf /var/opt/novell/sentinel

  4. Return to the session where you had initiated the upgrade and enter r to proceed with the upgrade.

5.4 Installation of Collector Manager and Correlation Engine Appliance Fails in Languages Other than English in MFA Mode

Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)

Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.

5.5 Internet Explorer 11 Cannot Launch Event Visualization Dashboard

Workaround: Use a different browser to view or modify the visualization dashboard. (Bug 981308)

5.6 Usability Issues in the Appliance Installation Screens

Issue: The Next and Back buttons in the appliance installation screens do not appear or are disabled in some cases, such as the following:

  • When you click Back from the Sentinel precheck screen to edit or review the information in the Sentinel Server Appliance Network Settings screen, there is no Next button to proceed with the installation. The Configure button allows you to only edit the specified information.

  • If you have specified incorrect network settings, the Sentinel Precheck screen indicates that you cannot proceed with the installation due to incorrect network information. There is no Back button to go to the previous screen to modify the network settings.

(Bug 1089063)

Workaround: Restart the appliance installation.

5.7 Error Message During Sentinel Start Up

Issue: Sentinel displays the following message during start up in the server.log file:

Value for attribute rv43 is too long

(Bug 1092937)

Workaround: Ignore the exception. Although the message is displayed, Sentinel works as expected.

5.8 SSDM Displays an Exception When Deleting Events Whose Retention Period Has Expired

Issue: When there is a large number of events whose retention period has expired and SSDM tries to delete those events from Elasticsearch, the following exception is displayed in the server.log file:

java.net.SocketTimeoutException: Read timed out

(Bug 1088511)

Workaround: Ignore the exception. This exception occurs due to the time taken to delete the large amount of data. Although the exception is displayed, SSDM successfully deletes the events from Elasticsearch.

5.9 Collector Manager Runs Out of Memory if Time Synchronization is Enabled in open-vm-tools

Issue: If you manually install and enable time synchronization in open-vm-tools, they periodically synchronize time between the Sentinel appliance (guest) and the VMware ESX server (host). These time synchronizations can result in moving the guest clock either behind or ahead of the ESX server time. Until the time is synchronized between the Sentinel appliance (guest) and the ESX server (host), Sentinel does not process events. As a result, a large number of events are queued up in the Collector Manager, which may eventually drop events once it reaches its threshold. To avoid this issue, Sentinel disables time synchronization by default in the open-vm-tools version available in Sentinel. (Bug 1099341)

Workaround: Disable time synchronization. For more information about disabling time synchronization, see Disabling Time Synchronization.

5.10 Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled

Issue: When FIPS 140-2 mode is enabled in Sentinel, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)

Workaround: Use SQL authentication for Agent Manager.

5.11 Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments 

(Bug 810764)

Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

5.12 Internet Explorer 11 Does Not Load Dashboards as Expected

Issue: In Internet Explorer 11, when you launch the dashboards:

  • Alert and Threat Hunting dashboard redirects to My Dashboard.

  • User Activity dashboard displays an error.

This issue occurs due to the URL length limitation in Internet Explorer 11. (Bug 1068418)

Workaround: Perform the following:

  1. Launch Event Visualization dashboard.

  2. Click Management > Advanced Settings.

  3. Set the value of storeInSessionStorage to true.

5.13 Keytool Command Displays a Warning

Issue: While using the Keytool command, the following warning is displayed: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -destkeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -deststoretype pkcs12". (Bug 1086612)

Workaround: The warning is expected and you can safely ignore it. Although the warning is displayed, the Keytool command works as expected.

5.14 Sentinel Does Not Process Threat Intelligence Feeds In FIPS Mode

Issue: In FIPS mode, when processing out-of-the-box threat intelligence feeds from URLs, Sentinel displays the following error: Received fatal alert: protocol_version. This issue occurs because the out-of-the-box threat feeds now support only TLS 1.2, which does not work in FIPS mode. (Bug 1086631)

Workaround: Perform the following:

  1. Click Sentinel Main > Integration > Threat Intelligence Sources.

  2. Edit each URL to change the protocol from http to https.

5.15 Logging Out From Sentinel Main Does Not Log You Out of Dashboards And Vice Versa in Multi-factor Authentication Mode

Issue: In multi-factor authentication mode, if you log out of Sentinel Main you do not get logged out of Sentinel dashboards and vice versa. This is due to an issue in the Advanced Authentication Framework. (Bug 1087856)

Workaround: Until a fix is available in the Advanced Authentication Framework, refresh the screen to view the login screen.

6.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.

Additional technical information or advice is available from several sources: