Novell Sentinel 7.0 Readme

October 31, 2011

Sentinel 7.0 is a security information and event management (SIEM) solution as well as a compliance monitoring solution. Sentinel automatically monitors the most complex IT environments and provides the security information required to protect your IT environment.

1.0 What’s New

The following sections outline the key features and functions provided by this version of Sentinel.

1.1 Simplified Installation

Enhancements to the installation program allow you to more easily install Sentinel. For more information, see the Sentinel 7.0.1 Installation Guide.

1.2 Ready-to-run Software Appliance

This release offers a ready-to-run software appliance built on SUSE Studio. Delivered as a VMWare, Xen, or ISO image, and certified to run on all major hypervisors, the software appliance enables you to deploy a cost-effective and simple to use SIEM solution by reducing product deployment complexity and cost. The software appliance can be installed on hardware or in a virtual environment.

1.3 Anomaly Detection

This release allows you to easily identify anomalies in your environment. By establishing specific baselines and comparing incoming data to what's normal in your unique environment, Sentinel can deliver better intelligence and faster detection of anomalous activities.You can tune your environment's baselines to detect anomalous events and see how your security and compliance posture changes over a period of time.

1.4 Unified Single Solution

Sentinel combines Log Management with Security Information and Event Management in a single unified solution.

1.5 Enhanced Data Storage

This release provides an efficient, file-based event storage tier optimized for long-term archival of events. The new event store provides 10:1 compression, fully supports indexed searches, and speeds up relevant reporting tasks, while still allowing the flexibility to store some or all of your events in a back-end traditional relational database store.

1.6 Enhanced Correlation

A new graphical rule builder allows you to quickly build event correlation rules directly from the events collected in your environment. Additionally, you can test these rules prior to deployment to reduce false-positive alerting, improve event correlation capabilities, and ultimately deliver improved exploit detection capabilities.

1.7 Distributed Search

This release provides organizations that have deployed several instances of Sentinel or Sentinel Log Manager in different locations the ability to search events not only on their local Sentinel servers but also on the existing Sentinel and Sentinel Log Manager servers from a single, centralized console.

1.8 Limitations to the Legacy Collector Support

Novell is phasing out support for Legacy Collectors in the Sentinel product line. In the previous versions of Sentinel, the system displays a warning if you import a Legacy Collector. Starting with version 7.0, clean installations of Sentinel and Collector Manager do not run Legacy Collectors.

NOTE:Legacy Collectors were written using the Legacy Collector Builder application, which is no longer shipped with Sentinel products. Legacy Collectors have been replaced by JavaScript Collectors, which are written using the Sentinel Plug-In SDK, since 2007. JavaScript Collectors are available at the Sentinel Plug-ins Web site (

2.0 Known Issues

The following table lists the known issues associated with bugs in Sentinel 7.0:

Bug Number



Issue: When you rename a role in the Sentinel Web interface, Sentinel does not update the name in list of all roles in the far left panel.

Workaround: Log out of the Sentinel Web interface. When you log back in to the Sentinel Web interface, the role name is updated.


Issue: The Security Intelligence Dashboard does not properly display the event count for totals that range from 1,000,000 to 1,100,000.

Workaround: There is no solution at this time.


Issue: If you select multiple events in the Sentinel Web interface and select the Target/ping or Initiator/ping action, Sentinel displays action output for the first event only.

Workaround: There is no solution at this time.


Issue: If you change an event field name in the Sentinel Control Center, the change isn’t immediately reflected in the Sentinel Web interface Filter builder.

Workaround: Refresh the Web browser to display the event field change in the Sentinel Web interface.


Issue: When you have at least one role containing an asterisk (*) in the name, you cannot use ‘*’ as a wild card when searching filters with Share with roles selected from the Sentinel Web interface.

Workaround: To use ‘*’ as a wild card when searching filters, rename roles that contain an asterisk.


Issue: Accessing the Sentinel REST API documentation from a browser bookmark returns an error.

Workaround: Access Sentinel REST API documentation directly from the Sentinel Web interface Help menu.


Issue: Solution Manager does not install correlation rules when a correlation rule with an identical name already exists on the system. A NullPointerException error is logged in the console.

Workaround: Ensure all correlation rules have a unique name.


Issue: When you execute a Sentinel Link action from the Sentinel Web interface Sentinel displays a success message even when the Sentinel Link Connector integration test failed from the Sentinel Control Center.

Workaround: There is no solution at this time.


Issue: When the appuser password contains any the of the following special characters, the iTrac feature does not work properly: ‘+’, ‘\’, ‘#’, or ‘,’. The administrator user password provided during a standard configuration installation is used by the admin, dbuser, and appuser.

Workaround: Ensure the appuser password does not contain ‘+’, ‘\’, ‘#’, or ‘,’.


Issue: When a Sentinel server forwards a correlation event to another Sentinel server, the associated View Triggers link is enabled on the Correlation Events tab even though there are no triggers to display.

Workaround: There is no solution at this time.


Issue: When a Security Intelligence dashboard and an anomaly definition have identical names, the dashboard link is disabled on the Anomaly Details page.

Workaround: Ensure you use unique names when creating dashboards and anomaly definitions.


Issue: The Sentinel Web interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Web interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Web interface clock is set to 1:30 PM and the Sentinel server clock is set to 1:33 PM.

Workaround: Ensure the time on the computer you use to access the Sentinel Web interface is the same as or later than the time on the Sentinel server computer.


Issue: When the system is under heavy load connections to remote Collector Managers drop and are then re-established minutes later.

Workaround: For information on assessing your environment and determining how to handle the number of events generated, see Novell Technical Information Document (TID) # 7009554 “Sentinel 7.0 Performance Monitoring.”


Issue: After a Connector is upgraded, Sentinel might not display the latest Connector details in the Plug-in Details window.

Workaround: Refresh the ESM user interface by clicking Reload Event Source Management Data in the ESM toolbar to update the Connector details.


Issue: When you use forwarded ports or destination network-address-translation, baseline and trending does not function properly in the Security Intelligence dashboard.

Workaround: Append the default port number to the URL when accessing Sentinel baselining in the following instances:

  • Sentinel has been configured to listen on the default port, 443.

  • Sentinel is listening on a non-default port but port forwarding is enabled, which routes traffic from the default port to the port on which Sentinel is listening.


Issue: When running a remote Collector Manager on a Xen system the Sentinel JVM may fail due to a lack of allocated memory and write the following types of messages to the wrapper log file:

  • There is insufficient memory for the Java Runtime Environment to continue.

  • Native memory allocation (malloc) failed to allocate NNNNN bytes for ChunkPool::allocate.

  • An error report file with more information is saved as: /var/opt/novell/sentinel/data/hs_err_pidNNNN.log

  • JVM exited unexpectedly.

  • JVM exited in response to signal UNKNOWN (N).

  • Launching a JVM...

Workaround: To ensure the system has sufficient swap space to run the Sentinel JVM, increase the swap space to 2 GB or higher.


Issue: Sorting of localized strings does not work correctly in certain languages. If a localized language uses non-ascii characters or characters with diacritical marks, the sorting of strings in these languages does not work.

Workaround: There is no solution at this time.


Issue: The Sentinel Control Center Configure Action Responsible drop-down list includes temporary users created by the system for job processes, such as a distributed search.

Workaround: Ensure you specify a valid Sentinel user. Sentinel deletes each temporary user when the associated job is complete.


Issue: When installing Sentinel 7.0 in a non-default location, the Sentinel installation program stops after you accept the license agreement.

Workaround: If you are installing Sentinel 7.0 as the root user, do not install the product in a non-default location. If you are installing Sentinel 7.0 as non-root user, ensure you have the appropriate file for your operating system installed before you install Sentinel 7.0 in a non-default location.

  • squashfs-4.0-1.2.10 for SLES

  • squashfs-tools-4.0-3.el6.x86_64 for RHEL


Issue: When viewing the Sentinel Web interface from a browser with a language preference of Czech, the Classifier drop-down list is blank when creating a Security Intelligence dashboard.

Workaround: To enable the Classifier drop-down list, change your browser language preference to English, or perform the following steps:

  1. On the Sentinel server, browse to \var\opt\novell\sentinel\3rdparty\jetty\webapp.

  2. Unpack the novellsentinel.war and siem_baselining.war files.

  3. Delete the date-cs-CZ.js.gz file from the following folders:

    • novellsentinel.war\js\lib\i18n\

    • siem_baselining.war\js\lib\i18n\

  4. Pack the novellsentinel.war and siem_baselining.war files.

  5. Restart the Sentinel server.


Issue: The script does not accept localized values when running the script in the following languages:

  • Traditional Chinese

  • Brazilian Portuguese

  • French

Workaround: Specify values in English to allow the script to run.


Issue: When you create a baseline from a category view, Sentinel generates an error message and does not return to the main dashboard page when you click the associated link.

Workaround: To get back to the main dashboard page you must log out of the Sentinel Web interface and then log back in.


Issue: When you filter on the new or old name of a renamed anomaly, the message Showing X of Y total anomalies uses the total anomaly count of both the old and new name for X. The message should use the number of anomalies matching the name for which you filtered.

Workaround: There is no workaround at this time.


Issue: Identity Vault Collector 6.1r2 does not support Sentinel 7.0.

Workaround: Go to the Cool Solutions Sentinel page for an unsupported workaround. To see and download the most recent Sentinel plug-ins, go to Sentinel Plug-in page on the Novell Web site.

3.0 Enhancements and Defects Fixed in Sentinel 7.0

The following table lists enhancements and defects fixed in Sentinel 7.0.

Bug Number



Enhancements: Sentinel 7.0 provides you the ability to track and log all user activity.


Enhancement: Sentinel 7.0 detects idle Correlation Engines and provides you an option to delete them from your Sentinel architecture.


Enhancement: When the Sentinel installation program encounters an unexpected response the installer becomes unresponsive and does not provide an error message.


Enhancement: Sentinel 7.0 allows you to select inlist when creating a simple rule from the Correlation Rule Builder.


Enhancement: The Sentinel Web interface allows administrators to specify which features users can access.


Enhancement: Sentinel 7.0 provides enhanced search performance when searching over a long period of time when there are no partitions.


Enhancement: Sentinel 7.0 provides the ability to remove stored data based on the event source.


Enhancement: Sentinel 7.0 provides the ability to include wildcard searches that also support the NOT operator.


Enhancement: Sentinel 7.0 provides the ability to import and search archived event data.


Enhancement: Sentinel 7.0 provides the ability to create different user roles, which allow you to quickly and easily assign permissions related to a specific job function or workflow.


Enhancement: Active Views now retain column order and size customizations.


Enhancement: Active Views now allows you to easily shift empty event table columns to the right.


Resolved Issue: This release resolves an issue where Sentinel displays the message 'Active view is disconnected from the server' when you access Active Views on a computer running RHEL.


Resolved Issue: This release resolves an issue where validation and download fails when configuring the Download Manager to use a proxy server.


Resolved Issue: This release resolves an issue where accessing event details from Active Views may cause the screen to become unresponsive.


Resolved Issue: This release resolves an issue where trying to import any of the Solution Packs from the Novell Web site, the installation fails.


Resolved Issue: This release resolves an issue where deleting the default Send Mail Plug-in or Action prevents users from sending e-mail.


Resolved Issue: This release resolves an issue where restarting a Collector Manager from Event Source Management (ESM), some Collector plug-ins do not return to their original state.


Resolved Issue: This release resolves an issue where Sentinel allowed passwords created during installation to contain special characters; however, did not allow passwords created using the Sentinel Control Center to contain special characters other than ‘#’, ‘_’, ‘$’.

4.0 Documentation

The following sources provide information about Sentinel 7.0: