Sentinel 7.1.0.1 provides several enhancements and resolves specific previous issues. This document outlines why you should install this hotfix.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable inputs. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.
For more information about this hotfix and for the latest readme, see the Sentinel 7.1 Documentation Web site. To download this hotfix, visit the Novell Patch Finder Web site.
The following sections outline the enhancements provided and the issues resolved in this hotfix:
This hotfix includes the following enhancements:
Sentinel now provides the Distinct operator in free-form correlation rules. The operator counts only the unique values of a field, which lets you tell scans apart from flood-type attacks: in a flood the total number of events matters, whereas in a scan the number of distinct values (for example, distinct source addresses or user names) matters.
The following are some examples where you can use the Distinct operator:
Example 1 You want a rule to trigger if five events have unique source IP addresses but the same destination IP address within a 10 second period. You can create a free-form rule as follows:
trigger(5, 10, discriminator(e.dip, distinct e.sip))
Example 2 You want a rule to trigger if three severity 5 events occur from distinct combination of initiator IP addresses and initiator users within a 60 second period. You can create a free-form rule as follows:
filter(e.sev = 5) flow trigger(3, 60, discriminator(distinct e.sip, distinct e.sun))
Example 3 You want a rule to trigger if three severity 5 events occur from the same initiator IP address but distinct initiator users within a 60 second period. You can create a free-form rule as follows:
filter(e.sev = 5) flow trigger(3, 60, discriminator(e.sip, distinct e.sun))
Example 4 You want a rule to trigger if three severity 5 events occur from the same initiator user but distinct initiator IP addresses within a 60 second period. You can create a free-form rule as follows:
filter(e.sev = 5) flow trigger(3, 60, discriminator(distinct e.sip, e.sun))
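To make the difference between the two rule shapes concrete, here is an added example that is not Sentinel code or Sentinel rule syntax: a small POSIX shell/awk emulation of Example 1 above, run once with Distinct semantics and once as a plain count. The event line format (epoch seconds, source IP, destination IP, sorted by time) and the sample events are constructed for this example; the trigger count and window match Example 1.

```shell
#!/bin/sh
# Added example, not Sentinel's correlation engine: an awk emulation of
# Example 1, "trigger(5, 10, discriminator(e.dip, distinct e.sip))", next to
# the same rule without "distinct".
# Input format is an assumption for this example: one event per line,
# "<epoch_seconds> <sip> <dip>", already sorted by time.

# Usage: correlate distinct|count  < events
# Prints "ALERT <dip> at <ts>" the first time a destination meets the rule.
correlate() {
    awk -v mode="$1" -v need=5 -v window=10 '
    {
        ts = $1; sip = $2; dip = $3
        n[dip]++                              # events seen for this destination
        ets[dip, n[dip]] = ts                 # timestamp and source, per destination
        esip[dip, n[dip]] = sip

        # Walk back through events for this dip that fall inside the window
        hits = 0; split("", seen)
        for (i = n[dip]; i >= 1 && ets[dip, i] > ts - window; i--) {
            if (mode == "distinct") {
                # Distinct: a source counts once, however many events it sent
                if (!(esip[dip, i] in seen)) { seen[esip[dip, i]] = 1; hits++ }
            } else {
                # Plain count: every event counts (flood-style rule)
                hits++
            }
        }
        if (hits >= need && !(dip in fired)) {
            fired[dip] = 1
            print "ALERT " dip " at " ts
        }
    }'
}

# Constructed sample: a scan (five sources hit 10.0.0.5 within 5 s) and a
# flood (one source hits 10.0.0.9 five times within 5 s).
SAMPLE_EVENTS='100 192.0.2.1 10.0.0.5
101 192.0.2.2 10.0.0.5
102 192.0.2.3 10.0.0.5
103 192.0.2.4 10.0.0.5
104 192.0.2.5 10.0.0.5
200 198.51.100.7 10.0.0.9
201 198.51.100.7 10.0.0.9
202 198.51.100.7 10.0.0.9
203 198.51.100.7 10.0.0.9
204 198.51.100.7 10.0.0.9'

# Only the scan trips the distinct rule; the plain count trips on both.
printf '%s\n' "$SAMPLE_EVENTS" | correlate distinct
printf '%s\n' "$SAMPLE_EVENTS" | correlate count
```

The distinct run reports only 10.0.0.5 (the scan), while the count run also reports 10.0.0.9 (the flood); that is exactly the separation the operator is meant to give you, and why a flood rule should not use distinct on the field that is constant during the flood.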
This hotfix improves the usability of correlated events by providing detailed information about correlation rules that generated the event. The default correlated events display the rule name and description as the event name and message respectively. For custom correlated events, you can customize the event name and message by adding the correlation rule name, description, ID, and the rule as parameters in the Send E-mail and Generate Custom Correlation Event actions.
While the Collector Manager is backing up a large amount of data, the Health status for the Collector Manager now displays the Warning icon to indicate that data backup is in progress. The Warning icon is displayed only in the following scenarios:
the total backed up bytes >= 1 MB
the total backed up messages >= 50
the total backed up bytes or backed up messages increased in the last interval
Range maps no longer restrict the range entries to a number range. Range maps now support IPv4 ranges in the form of an individual IP address (10.0.0.1), a range (10.0.0.1-10.0.0.5), or a subnet (10.0.0.0/24).
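The following added example is not Sentinel's range map implementation; it is a shell/awk matcher for the three entry forms above (single address, dash range, CIDR subnet), so you can check an address against a map before importing it. The map format (one "entry label" pair per line), the labels and the addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not Sentinel code: match an IPv4 address against the three
# range map entry forms the hotfix accepts. Map lines are a constructed
# "<entry> <label>" format; the first matching entry wins.

# Exit 0 if address $2 falls inside entry $1 (a.b.c.d | a.b.c.d-e.f.g.h | a.b.c.d/n).
# The awk program has only a BEGIN block, so it never reads stdin.
ip_match() {
    awk -v entry="$1" -v addr="$2" '
    function ip2int(s,  o) {
        split(s, o, ".")
        return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    BEGIN {
        x = ip2int(addr)
        if (index(entry, "/")) {
            # Subnet: equal network prefixes, done with integer division
            # instead of bit operations because POSIX awk has none.
            split(entry, p, "/"); size = 2 ^ (32 - p[2])
            hit = (int(ip2int(p[1]) / size) == int(x / size))
        } else if (index(entry, "-")) {
            # Inclusive range
            split(entry, r, "-")
            hit = (x >= ip2int(r[1]) && x <= ip2int(r[2]))
        } else {
            # Single address
            hit = (x == ip2int(entry))
        }
        exit !hit
    }'
}

# Read a map on stdin and print the label of the first entry containing $1.
range_map_lookup() {
    addr="$1"
    while read -r entry label; do
        [ -n "$entry" ] || continue
        if ip_match "$entry" "$addr"; then
            echo "$label"
            return 0
        fi
    done
    return 1
}

# Constructed map: note that 10.0.0.1 is listed before the range and the
# subnet that also contain it, so order decides which label you get.
RANGE_MAP='10.0.0.1 bastion
10.0.0.1-10.0.0.5 jump-hosts
10.0.0.0/24 corp-lan
192.0.2.0/28 dmz'

printf '%s\n' "$RANGE_MAP" | range_map_lookup 10.0.0.3          # jump-hosts
printf '%s\n' "$RANGE_MAP" | range_map_lookup 192.0.2.16 || echo "no entry for 192.0.2.16"
```

Overlapping entries are legal in a map, so when you build one, put the most specific entries first; the lookup above shows why, since 10.0.0.1 resolves to "bastion" only because that line precedes the range and the /24 that also contain it.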
Sentinel 7.1.0.1 now supports synchronizing event data to Microsoft SQL Server 2012 and Microsoft SQL Server 2008 R2 databases.
The Sentinel appliance now includes the Net-SNMP package, which allows you to monitor hardware performance and failures over SNMP.
The Sentinel server appliance now includes iSCSI client modules, which help you mount remote iSCSI mass storage to serve as primary or secondary storage for Sentinel.
Sentinel 7.1.0.1 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.1 Documentation Web site.
Issue: When a raw data file is in the archived state and new events arrive for the same file, the status of the file changes to compressed. (BUG 832606)
Fix: The status of the raw data file now does not change from archived to compressed even when new events arrive.
Issue: Sentinel stores the database user password in clear text in the .pgpass file. (BUG 830331)
Fix: Sentinel no longer uses the .pgpass file. It now authenticates the database user through the PostgreSQL peer authentication option, which maps the local OS user (novell) to the database user, so no database password needs to be stored on disk.
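As an added example (not NetIQ code), the following shell functions check the two things this fix changes: that no clear-text .pgpass remains in the novell user's home, and that pg_hba.conf grants local (Unix-socket) logins of the database role by peer authentication. It assumes the database role is named after the OS user novell, as peer authentication without a user-name map requires; the pg_hba.conf fragments and the temporary home directory are constructed.

```shell
#!/bin/sh
# Added example, not NetIQ's code: post-upgrade checks for the BUG 830331 fix.
# Assumptions: the OS user is "novell" as the fix note says; the PostgreSQL
# role name equals the OS user name (peer auth without a pg_ident map); the
# pg_hba.conf fragments below are constructed, not Sentinel's real file.

# Print the auth method that pg_hba.conf (on stdin) applies to a local login
# of role $1. PostgreSQL uses the first matching line, so stop at the first hit.
hba_local_method() {
    awk -v role="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }                    # comments, blank lines
        $1 == "local" && ($3 == role || $3 == "all") { print $4; exit }'
}

# 0 when the home directory $1 has no .pgpass, 1 (with a message) otherwise.
no_pgpass() {
    if [ -e "$1/.pgpass" ]; then
        echo "clear-text password file present: $1/.pgpass" >&2
        return 1
    fi
    return 0
}

# Constructed pg_hba.conf fragments: the weak form (password auth over the
# socket, which is what needs a .pgpass) and the form the fix describes (peer).
HBA_WEAK='# TYPE  DATABASE  USER    ADDRESS       METHOD
local   all       all                   md5
host    all       all     127.0.0.1/32  md5'

HBA_PEER='# TYPE  DATABASE  USER    ADDRESS       METHOD
local   all       novell                peer
host    all       all     127.0.0.1/32  md5'

# Constructed home directory holding a .pgpass as the earlier release left it.
# libpq only honours the file at mode 0600, which is also why it must be owned
# by the user it serves.
FAKE_HOME=$(mktemp -d); trap 'rm -rf "$FAKE_HOME"' EXIT
printf 'localhost:5432:*:novell:s3cret\n' > "$FAKE_HOME/.pgpass"
chmod 600 "$FAKE_HOME/.pgpass"

printf '%s\n' "$HBA_WEAK" | hba_local_method novell     # md5: needs a stored password
printf '%s\n' "$HBA_PEER" | hba_local_method novell     # peer: no password on disk
no_pgpass "$FAKE_HOME" || :                            # reports the leftover file
```

Run hba_local_method against your real pg_hba.conf and no_pgpass against the novell home directory after the upgrade; a result of md5 or password, or a surviving .pgpass, means the clear-text credential is still in play.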
Issue: The Sentinel Web interface does not reflect changes made to customer variable names in the Sentinel Control Center. (BUG 831184)
Fix: The Sentinel Web interface now reflects changes made to customer variable names when you refresh the browser or when you log out and log in again to the Web interface.
Issue: The Event Source Management (ESM) interface does not display all nodes even after you refresh the interface. (BUG 830091)
Fix: The ESM console now displays all the nodes correctly.
Issue: If the port number is not provided by the Collector, Sentinel displays a long negative number for the port number in the Web interface. (BUG 831121)
Fix: If the Collector does not provide the port number, Sentinel does not display the port number in the Sentinel Web interface.
Issue: Some correlation rules generate a large number of correlated events. As a result, Sentinel services initiate multiple simultaneous searches to get the list of events that generated the correlated events. These simultaneous searches consume all available open file handles and cause Sentinel to run out of memory. (BUG 825992)
Fix: This hotfix improves system availability by limiting the number of simultaneous searches to five.
Issue: Correlated event names and messages do not explain why they were correlated. (BUG 829602)
Fix: Correlated events now display the correlation rule name and rule description as the event name and message respectively.
Issue: Raw data files are written in the gzip format but the extension of the files on the filesystem is .zip. (BUG 830718)
Fix: New raw data files are written with the .gz extension. Files created before the fix keep their .zip extension (see BUG 832108 below).
Issue: The Web site for Sentinel Plug-ins in Web console > Collection > Event Sources is referred to as “Sentinel Content” instead of “Sentinel Plug-ins.” (BUG 815048)
Fix: The Web site is now referred to as “Sentinel Plug-ins.”
You can upgrade to Sentinel 7.1.0.1 from Sentinel 7.0 or later.
For information about hardware requirements, supported operating systems, and browsers, see Meeting System Requirements in the NetIQ Sentinel 7.1 Installation and Configuration Guide.
Download the hotfix from the Novell Patch Finder Web site. For information about upgrading to Sentinel 7.1.0.1, see “Upgrading Sentinel” in the NetIQ Sentinel 7.1 Installation and Configuration Guide.
If you upgrade Sentinel from 7.0 to 7.1.0.1 and your Sentinel installation is in a non-default location, run the following command as the novell user:
ln -s "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/3rdparty/activemq/activemq-all-5.4.2.jar" "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/lib/activemq-all-5.4.2.jar"
Where $RPM_INSTALLATION_PREFIX is the location of the Sentinel installation.
When you upgrade the appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. You must upgrade the appliance by using the zypper patch command.
To upgrade the appliance by using zypper:
Back up your configuration, then create an ESM export. For more information, see Backing Up and Restoring the Data in the NetIQ Sentinel 7.0.1 Administration Guide.
Log in to the appliance console as the root user.
Run the following command:
/usr/bin/zypper patch
Enter 1 to accept the vendor change from Novell to NetIQ.
Enter Y to proceed.
Enter yes to accept the license agreement.
Restart the Sentinel appliance.
When you upgrade Sentinel in a high availability setup, first upgrade the passive nodes in the cluster, then upgrade the active cluster node.
Ensure that the .pgpass file is available on all the cluster nodes. The upgrade installer requires the .pgpass file to authenticate to the Sentinel database. If the .pgpass file is not available on a cluster node, copy the .pgpass file located at /home/novell from the active cluster node. The file holds the database password in clear text (see BUG 830331), so keep it owned by the novell user with mode 0600; PostgreSQL ignores a .pgpass file with broader permissions.
Enable the maintenance mode on the cluster:
crm configure property maintenance-mode=true
Maintenance mode helps you to avoid any disturbance to the running cluster resources while you update Sentinel. You can run this command from any cluster node.
Verify whether the maintenance mode is active:
crm status
The cluster resources should appear in the unmanaged state.
Upgrade the passive cluster node:
Stop the cluster stack:
rcopenais stop
Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
Log in as root to the server where you want to upgrade Sentinel.
Extract the install files from the tar file:
tar xfz <install_filename>
Run the following command in the directory where you extracted the install files:
./install-sentinel --cluster-node
After the upgrade is complete, restart the cluster stack:
rcopenais start
Repeat these steps (stop the cluster stack, upgrade, restart the cluster stack) for each remaining passive cluster node.
Upgrade the active cluster node:
Back up your configuration, then create an ESM export.
For more information about backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel 7.1 Administration Guide (https://www.netiq.com/documentation/sentinel71/s71_admin/data/bookinfo.html#bookinfo).
Stop the cluster stack:
rcopenais stop
Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
Log in as root to the server where you want to upgrade Sentinel.
Run the following command to extract the install files from the tar file:
tar xfz <install_filename>
Run the following command in the directory where you extracted the install files:
./install-sentinel
After the upgrade is complete, start the cluster stack:
rcopenais start
Disable the maintenance mode on the cluster:
crm configure property maintenance-mode=false
You can run this command from any cluster node.
Verify whether the maintenance mode is inactive:
crm status
The cluster resources should appear in the Started state.
(Optional) Verify whether the Sentinel upgrade is successful:
rcsentinel version
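The following is an added example, not NetIQ's upgrade script: shell functions that check the cluster state the procedure expects at each step by parsing crm status output, plus the passive-node sequence written with those checks between the steps. The resource names and the crm status excerpts are constructed, and the assumption that resource lines carry "(ocf::...)" together with the words Started and (unmanaged) is mine; confirm it against your own crm status output before relying on the check.

```shell
#!/bin/sh
# Added example, not NetIQ's upgrade script: gate the HA upgrade steps on the
# cluster state each step expects instead of eyeballing "crm status".
# Assumption about crm output: each resource is a line such as
#   " sentinel  (ocf::novell:sentinel):  Started node1 (unmanaged)"
# i.e. it contains "(ocf::" (or lsb/stonith/systemd), "Started" while running
# and "(unmanaged)" while maintenance-mode=true. Names below are constructed.

# Exit 0 if every resource line on stdin contains the state word $1.
resources_all() {
    awk -v want="$1" '
        /\((ocf|lsb|stonith|systemd)::?/ { total++; if (index($0, want)) ok++ }
        END { exit !(total > 0 && total == ok) }'
}

# Poll a live cluster until all resources show state $1 or $2 seconds pass.
wait_for_state() {
    want="$1"; limit="${2:-120}"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        crm status | resources_all "$want" && return 0
        sleep 5; waited=$((waited + 5))
    done
    echo "resources did not all reach '$want' within ${limit}s" >&2
    return 1
}

# The passive-node sequence from the procedure, with checks between steps.
# $1 = hotfix tarball, $2 = scratch directory to extract into (my choice of
# layout, not NetIQ's). Not run here: it needs a real cluster and the tarball.
upgrade_passive_node() {
    crm configure property maintenance-mode=true
    wait_for_state unmanaged || return 1          # refuse to touch a managed cluster
    rcopenais stop
    mkdir -p "$2" && tar xfz "$1" -C "$2" || return 1
    (cd "$2" && ./install-sentinel --cluster-node) || return 1
    rcopenais start
}

# Constructed crm status excerpts for both states
CRM_MAINT=' sentinel_ip  (ocf::heartbeat:IPaddr2):  Started node1 (unmanaged)
 sentinel     (ocf::novell:sentinel):    Started node1 (unmanaged)'
CRM_LIVE=' sentinel_ip  (ocf::heartbeat:IPaddr2):  Started node1
 sentinel     (ocf::novell:sentinel):    Started node1'

printf '%s\n' "$CRM_MAINT" | resources_all unmanaged && echo "maintenance mode active"
printf '%s\n' "$CRM_LIVE"  | resources_all unmanaged || echo "resources still managed"
```

After the active node is done and maintenance mode is turned off, the same check with the word Started (and a negative check for unmanaged) confirms the final state the procedure asks you to verify.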
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: Upgrade installations of Sentinel 7.1.0.1 do not include the ISO 27000 Series Solution Pack. (BUG 828317)
Workaround: Download and install the ISO 27000 Series Solution Pack from the Sentinel Plug-ins Web site.
Issue: After you upgrade to Sentinel 7.1.0.1, when you try to verify the integrity of newly created raw data files, Sentinel displays the error "Cannot verify the integrity of .open or .log files. The files might be in use."
Workaround: There is no workaround at this time.
Issue: Raw data files created prior to Sentinel 7.1 have the .zip extension even though their content is gzip data. (BUG 832108)
Workaround: Open the raw data files by using utilities such as WinZip, WinRAR, or 7-Zip, which detect the format from the file content. On Linux, gzip -dc reads them regardless of the extension.
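Because both the .zip-named files from this issue and the .gz-named files written after the BUG 830718 fix are gzip data, the following added example (not NetIQ code) shows how to identify a raw data file by its magic bytes and read it regardless of its extension on a Linux host. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not NetIQ's code: identify raw data files by their magic
# bytes rather than their extension, since files written before 7.1 are gzip
# data named .zip (BUG 830718 / BUG 832108).

# Print gzip, zip or unknown for the file given as $1, from its first bytes.
magic_type() {
    sig=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$sig" in
        1f8b*)                          echo gzip ;;     # gzip member header
        504b0304*|504b0506*|504b0708*)  echo zip  ;;     # PK\3\4, empty or spanned archive
        *)                              echo unknown ;;
    esac
}

# Stream the contents of a raw data file, whatever its name says it is.
raw_cat() {
    case "$(magic_type "$1")" in
        gzip) gzip -dc "$1" ;;                 # gzip -c ignores the suffix check
        zip)  unzip -p "$1" ;;
        *)    echo "unrecognised format: $1" >&2; return 1 ;;
    esac
}

# Constructed sample: gzip data stored under a .zip name, as pre-7.1 Sentinel did.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'constructed raw event line\n' | gzip -c > "$WORK/events.zip"

magic_type "$WORK/events.zip"     # gzip, despite the .zip name
raw_cat "$WORK/events.zip"
```

Checking the header rather than the name also protects a forensic workflow from the opposite mistake: a file that is named .gz but is not gzip data is reported as unknown instead of being silently misread.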
Issue: If the Sentinel Control Center is already running when you perform the Nessus vulnerability scan, the Sentinel services restart. (BUG 839447)
Workaround: Close the Sentinel Control Center before performing the Nessus vulnerability scan.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
NetIQ Sentinel is protected by United States Patent No(s): 05829001.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.