Sentinel 8.3 includes new features and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources. You can also share your ideas for improving the product in the Ideas Portal.
The documentation for this product is available in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Product Download website.
The following sections outline the key features provided by this version, as well as issues resolved in this release:
This release includes the following performance improvements in the Security Intelligence dashboard:
Historical data loads faster.
Baseline creation happens faster.
For the Moving Average comparison type, the delay during subsequent anomaly detection has been reduced and anomaly detection is now consistent.
For the Threshold comparison type, the actual count of anomalies and the search count are now consistent.
For better user experience, theis now available on , in addition to .
For better user experience, the Alert Views is now available on, in addition to . The following enhancements are available only when you access from on your home page:
Theis now displayed as one of the alert columns and you can click it to view the details of an alert.
Ability to copy alert links from an alert view and easily share it with others. To share, you can select the alerts you want to share, click, and share the alert link.
Ability to filter alerts using either an alert field or a combination of various alert fields.
Ability to customize the columns in an alert view. You can now display the columns you require and hide the columns you do not want to display. After you modify the columns, other users will see the modified columns instead of the default columns of the same alert view.
Ability to exporting the required alerts to a CSV file.
Sentinel now provides the following permissions for non-administrator users:
Create and use Alert Views
In prior versions of Sentinel, the Allow users to manage alerts permission allowed users to manage both alerts and alert views. In Sentinel 8.3, the new permission Create and use Alert Views allows users to create private alert views and view shared alert views. The Allow users to manage alerts permission allows users to manage only alerts and not alert views.
After you select this permission, you can assign the following permissions:
Share Alert Views: Allows users to share their alert views as follows:
Users of the default tenant can share their alert views with users of the same tenant or other tenants.
Users of a non-default tenant can share their alert views with other users of the same tenant.
Edit Alert Views: Assigns the Share Alert Views permission and allows users to edit shared alert views as follows:
Users of the default tenant can edit shared alert views.
Users of a non-default tenant can edit shared alert views except public alert views.
Create and use Event Views: Allows users to create private event views and view shared event views.
After you select this permission, you can assign the following permissions:
Share Event views: Allows users to share their event views as follows:
Users of the default tenant can share their event views with users of the same tenant or other tenants.
Users of a non-default tenant can share their event views with other users of the same tenant.
Edit Event Views: Assigns the Share Event Views permission and allows users to edit shared event views as follows:
Users of the default tenant can edit shared event views.
Users of a non-default tenant can edit shared event views except public event views.
Edit Home Dashboard: Assigns the Share dashboard permission and allows users to edit shared dashboards as follows:
Users of the default tenant can edit shared dashboards.
Users of a non-default tenant can edit shared dashboards except public dashboards.
Share Home Dashboard: Allows users to share their dashboards as follows:
Users of the default tenant can share their dashboards with users of the same tenant or other tenants.
Users of a non-default tenant can share their dashboards with other users of the same tenant.
Fresh installations of Sentinel now stores Security Intelligence data, alerts data, and so on in PostgreSQL instead of MongoDB.
If you are upgrading from a prior version of Sentinel, you must first migrate this data to PostgreSQL and then upgrade Sentinel.
For more information about migrating data and upgrading Sentinel, see the following chapters in the Sentinel Installation and Configuration Guide depending on your Sentinel deployment:
You can now generate a report in CSV format. To generate a report in CSV format, select CSV from the drop-down list and click .> . Select
A new event field nameddisplays the difference between the time when the event was generated ( ) and the time when Sentinel processes the event ( ). This field allows you to easily analyze if an event has arrived late. You can create correlation rules to filter events based on the time difference quickly and accurately.
Sentinel can now collect events from Kaspersky DB using SmartConnector.
Reporting has been enhanced in the following ways:
Sentinel now provides a new reportto view event sources that are active, inactive, and removed during a specified time period. You can also configure the report to display only the event sources of a specific status.
When creating or running a report, you can now select the following time slice options from the Last 24 Hours, Last 7 Days, Last 30 Days, and Last 60 Minutes.drop-down list:
You can now configure Sentinel to trigger an audit event when a list item expires from a dynamic list. For more information about triggering an audit event, see Generating an Audit Event when a List Item Expires From a Dynamic List in the Sentinel Administration Guide.
Sentinel is now certified on the following platforms:
Red Hat Enterprise Linux Server 8 64-bit
Red Hat Enterprise Linux Server 8.1 64-bit
Red Hat Enterprise Linux Server 7.7 64-bit
SUSE Linux Enterprise Server (SLES) 15 64-bit
SUSE Linux Enterprise Server 15 SP1 64-bit
New installations of Sentinel 8.3 include new and updated versions of Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Website.
When you upgrade Sentinel, plug-ins such as Universal Common Event Format Collector 2011.1r4, Syslog Connector 2020.1r1, and Agent Manager Connector 2020.1r1 are upgraded to the latest version. These plug-ins include the following enhancements:
Universal Common Event Format Collector 2011.1r4: The collector can now collect events from Kaspersky DB using SmartConnector.
Syslog Connector 2020.1r1: You can now use regular expressions to match the AppID of the event to the AppID of a collector when you configure the Connector to route events based on the unique application IDs.
Agent Manager Connector 2020.1r1: You can now match the AppID of an event to a regular expression either in the Sentinel Agent Manager Connector or the respective Collector, when configuring data collection based on matching application IDs.
To upgrade other plug-ins to the latest version, download the desired plug-in from the Sentinel Plug-ins Website. For more information, refer to the specific plug-in documentation.
Sentinel no longer includes NetFlow. Therefore, you can uninstall any existing NetFlow Collector Managers because you will not require these any more.
Only the following feeds are now supported for Threat Intelligence Sources: Abuse.ch Feodo Tracker and Abuse.ch SSL Blacklist.
Sentinel 8.3 includes software fixes that resolve the following issues:
Issue: When configuring Collectors or Connectors, you can specify letters, negative values, or zero as the time period in the (Bug 1140021)field.
Fix: Sentinel now allows you to enter only positive values in thefield. If you enter an invalid value, Sentinel displays a message stating that the value is invalid.
Issue: When clearing up primary storage, Sentinel clears the storage space twice instead of once. This leads to deletion of double the amount of data than the expected amount data to be deleted. (Bug 1130108)
Fix: When clearing up primary storage, Sentinel now clears the storage space only once and deletes only the required amount of data.
Issue: When the ExtendedInformation (ei) field in Sentinel is converted to CEF, it is not mapped in the CEF event. (Bug 1143287)
Fix: The ExtendedInformation (ei) field is now included when an event is forwarded from Sentinel in CEF.
Issue: When forwarding events in CEF, the Syslog Integrator parses an event value to the dvhost field, which is not in the list of CEF fields. (Bug 1143290)
Fix: The dvhost field is now renamed to dvchost. The dvchost field is displayed in the list of CEF fields and the Syslog Integrator parses values to this field.
Issue: When creating a free-form rule, you can create a correlation rule that contains regular expression with more than two consecutive question marks (?) which makes it an invalid regular expression. (Bug 1136581)
Fix: Sentinel allows you to create a correlation rule only if the regular expression is valid. If the regular expression is invalid, Sentinel displays an error and does not allow you to save the correlation rule.
Issue: When trying to install open-vm-tools on the Sentinel server and Collector Manager, an error message displays stating that dependent packages are missing. (Bug 1153959)
Fix: Install the dependent packages provided as a patch. For more information, see the Knowledge Base Article 7024280.
Issue: When subrules of a Sequence rule have the same criteria, the subrule fires based on the sequence of sub-rules and not the sequence of events.(Bug 1106118)
Fix: A Sequence correlation rule will fire in the order of the subrules irrespective of the filter criteria it holds. When multiple subrules have the same criteria, all the subsequent subrules are also considered for the correlation rule to fire.
The REST API includes the ModifiedDate and CreatedDate fields each correlation rule with the correct date and time. (Bug 1163137)
All the events now contain the details of the (Bug 1158183).
You can now successfully generate reports consisting of multiple pages. (Bug 1160542)
Issue: Starting, stopping, or restarting a collector, connector or an event source logs an exception. This leads to too many exceptions being logged in the Sentinel log files.(Bug 1165444)
Fix: Starting, stopping or restarting a collector, connector or an event source does not log exceptions.
For more information about hardware requirements, supported operating systems, and browsers, see the Sentinel System Requirements.
Do not upgrade from RHEL version 7.7 to version 8.x because this is not supported by Red Hat. For more information, see the RedHat documentation.
If you want to upgrade RHEL 7.6 to 8.x, you must first upgrade the current Sentinel installation to 8.3 and then upgrade the operating system to 8.x. Do not upgrade the operating system before upgrading Sentinel because this can corrupt your Sentinel installation or deployment.
For information about installing Sentinel 8.3, see the Sentinel Installation and Configuration Guide.
You can upgrade to Sentinel 8.3 only from Sentinel 8.2 or later.
You must upgrade Sentinel only after you migrate the alerts data and Security Intelligence data from MongoDB to PostgreSQL. The data migration process is different for each Sentinel deployment. Therefore, read the relevant sections carefully to migrate data before you upgrade Sentinel.
NetFlow capabilities are removed when you upgrade to Sentinel 8.3. Therefore, you will lose any NetFlow data collected prior to the upgrade to 8.3.
If you upgrade from Sentinel 8.2 or 8.2 P1 to 8.3, you must manually assign thepermission to non-administrator users who send events or attachments to Sentinel. Unless you assign this permission, Sentinel will no longer receive events and attachments from Change Guardian and Secure Configuration Manager.
You need not reassign this permission if you are upgrading from 8.2 SP1 or 8.2 SP2 to 8.3.
You do not have to enable IP Flow after you upgrade because IP Flow is now enabled by default.
After you upgrade, you can do the following:
The data in MongoDB is now redundant because Sentinel 8.3 and later will store data only in PostgreSQL. To clear up the disk space, delete this data.
In prior versions of Sentinel, the Allow users to manage alerts permission allowed users to manage both alerts and alert views. In Sentinel 8.3, the Allow users to manage alerts permission allows users to manage only alerts and not alert views. To enable users to manage alert views, you must assign the Create and use Alert Views permission.
Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following known issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The Java 8 update included in Sentinel might impact the following plug-ins:
Cisco SDEE Connector
SAP (XAL) Connector
For any issues with these plug-ins, we will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies.
Issue: In (Bug 1146879)> > , the chart is not available. This is because Zulu OpenJDK does not include the necessary fonts.
Workaround: Use the following commands to install the fonts:
yum install fontconfig
yum install dejavu
Issue: When you select a tenant while creating a role, there are no permissions listed under (Bug 1163847)for tenant users.
Workaround: None. Ignore thelabel for tenant users.
Issue: Launching a Kibana dashboard displays the following message: No default index pattern. You must select or create one to continue. (Bug 1163143)
Workaround: To set a Kibana index pattern as the default index pattern:
Select any of the following:
Issue: The (Bug 1162070)> option does not work in Firefox and Edge.
Workaround: Perform the following steps:
Manually select all the alerts on each page of the alert view using the check box that allows you to select all the alerts.
Paste it in the desired application.
Issue: The installer halts at the installation in progress screen and does not display the login screen even though the installation is complete.
Workaround: Reboot the virtual machine and launch Sentinel, Collector Manager, or Correlation Engine. (Bug 1134657)
Issue: In Hyper-V Server 2016, Sentinel appliance does not start when you reboot it and displays the following message:
A start job is running for dev-disk-by\..
This issue occurs because the operating system modifies the disk UUID during installation. Therefore, during reboot it cannot find the disk.
Workaround: Manually modify the disk UUID. For more information, see Knowledge Base Article 7023143.
Issue: When you upgrade to Sentinel 8.2 HA appliance, Sentinel displays the following error:
Installation of novell-SentinelSI-db-184.108.40.206-<version> failed: with --nodeps --force) Error: Subprocess failed. Error: RPM failed: Command exited with status 1. Abort, retry, ignore? [a/r/i] (a):
Workaround: Before you respond to the above prompt, perform the following:
Start another session using PuTTY or similar software to the host where you are running the upgrade.
Add the following entry in the /etc/csync2/csync2.cfg file:
Remove the sentinel folder from /var/opt/novell:
rm -rf /var/opt/novell/sentinel
Return to the session where you had initiated the upgrade and enter r to proceed with the upgrade.
Issue: Installation of Collector Manager and Correlation Engine appliance fails in MFA mode if the operating system language is other than English. (Bug 1045967)
Workaround: Install Collector Manager and Correlation Engine appliances in English. After the installation is complete, change the language as needed.
Issue: Theand buttons in the appliance installation screens do not appear or are disabled in some cases, such as the following:
When you clickfrom the Sentinel precheck screen to edit or review the information in the Sentinel Server Appliance Network Settings screen, there is no button to proceed with the installation. The button allows you to only edit the specified information.
If you have specified incorrect network settings, the Sentinel Precheck screen indicates that you cannot proceed with the installation due to incorrect network information. There is nobutton to go to the previous screen to modify the network settings.
Workaround: Restart the appliance installation.
Issue: Sentinel displays the following message during start up in the server.log file:
Value for attribute rv43 is too long
Workaround: Ignore the exception. Although the message is displayed, Sentinel works as expected.
Issue: When there is a large number of events whose retention period has expired and SSDM tries to delete those events from Elasticsearch, the following exception is displayed in the server.log file:
java.net.SocketTimeoutException: Read timed out
Workaround: Ignore the exception. This exception occurs due to the time taken to delete the large amount of data. Although the exception is displayed, SSDM successfully deletes the events from Elasticsearch.
Issue: If you manually install and enable time synchronization in open-vm-tools, they periodically synchronize time between the Sentinel appliance (guest) and the VMware ESX server (host). These time synchronizations can result in moving the guest clock either behind or ahead of the ESX server time. Until the time is synchronized between the Sentinel appliance (guest) and the ESX server (host), Sentinel does not process events. As a result, a large number of events are queued up in the Collector Manager, which may eventually drop events once it reaches its threshold. To avoid this issue, Sentinel disables time synchronization by default in the open-vm-tools version available in Sentinel. (Bug 1099341)
Workaround: Disable time synchronization. For more information about disabling time synchronization, see Disabling Time Synchronization.
Issue: When FIPS 140-2 mode is enabled in Sentinel, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug 814452)
Workaround: Use SQL authentication for Agent Manager.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: While using Keytool command, the following warning is displayed: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12which is an industry standard format using "keytool -importkeystore -srckeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -destkeystore /<sentinel_install_directory>/etc/opt/novell/sentinel/config/.webserverkeystore.jks -deststoretype pkcs12". (Bug 1086612)
Workaround: The warning is expected and you can safely ignore it. Although the warning is displayed, Keytool command works as expected.
Issue: In FIPS mode, when processing out-of-the-box threat Intelligence feeds from URLs, Sentinel displays the following error: Received fatal alert: protocol_version. This issue occurs because the out-of-the-box threat feeds now support only TLS 1.2, which does not work in FIPS mode. (Bug 1086631)
Workaround: Perform the following:
Click> > .
Edit each URL to change the protocol from http to https.
Issue: In multi-factor authentication mode, if you log out of (Bug 1087856)you do not get logged out of Sentinel dashboards and vice versa. This is due to an issue in the Advanced Authentication Framework.
Workaround: Until a fix is available in the Advanced Authentication Framework, refresh the screen to view the login screen.
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
© Copyright 2001-2020 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see http://www.microfocus.com/about/legal/.