NetIQ Sentinel 7.1.0.2 Readme

February 2014

Sentinel 7.1.0.2 provides several enhancements and resolves specific previous issues. This document outlines why you should install this hotfix.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable inputs. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this hotfix and for the latest readme, see the Sentinel 7.1 Documentation Web site. To download this hotfix, visit the Novell Patch Finder Web site.

1.0 What’s New?

The following sections outline the enhancements provided and the issues resolved in this hotfix:

1.1 Enhancements

This hotfix includes the following enhancement:

Administrator Can Choose the Name and Message Field Display for the Correlated Events

The Sentinel administrator can now choose between two display options for the name and message fields of a correlated event. The default option (introduced in Sentinel 7.1.0.1) sets the name field to the name of the correlation rule and the message field to the description of the correlation rule. The alternative (used in Sentinel 7.1.0.0 and earlier) sets the name field to the fixed value CorrelatedEvent and the message field to the message of the original triggering event.

To switch the name and message fields of correlated events back to the Sentinel 7.1.0.0 behavior:

  1. Add the following property in the $ESEC_CONFIG_HOME/config/configuration.properties file:

    sentinel.correlation.eventformat=7.1 
    
  2. Restart the Sentinel server.

    NOTE: If you set sentinel.correlation.eventformat to any value other than 7.1, Sentinel uses the 7.1.0.1 behavior.

1.2 Software Fixes

Sentinel 7.1.0.2 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.1 Documentation Web site.

The Copy Process Truncates Files Over 2 GB

Issue: In Sentinel 7.1.0.0 and 7.1.0.1, the copy process that moves parsed event data partitions from primary storage to secondary storage can truncate files larger than 2 GB. The copy process copies the first 2 GB successfully, but does not copy the remainder of the file and does not report any error. (BUG 860845)

This issue does not occur if secondary storage is disabled. This issue is unlikely to occur if the event rate is low (less than 500 events per second) or if there are multiple data retention policies in effect (which increases the number of event partitions and therefore decreases the probability that any individual event partition is larger than 2 GB). This issue does not affect raw (unparsed) data. For more information on this issue, see TID 7014515 in the Novell Support Knowledge Base.

Fix: Sentinel now uses a different copy process that avoids the truncation. After copying an event data file to secondary storage, Sentinel automatically runs a data check to verify that the copy completed; if the check fails, Sentinel retries the copy. The default check is a quick comparison of file sizes, which detects truncation. Sentinel also provides an alternate check that compares strong checksums (hashes) of the source file and its copy, which detects truncation and also many forms of data corruption. The alternate check reads both files in full, so it adds significant I/O and affects system performance.

To enable the alternate check:

  1. Log in to the Sentinel server.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file in an editor.

  3. Set the partition.archiver.quickintegritycheck property to false as follows:

    partition.archiver.quickintegritycheck=false

  4. Restart the Sentinel server.
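
To make the difference between the two checks concrete, the following shell script is an added example and not Sentinel's own copy process: it copies a file, verifies the copy either by size (the quick check) or by SHA-256 digest (the strong check), removes and retries a failed copy, and then shows on constructed data that a same-size corrupted copy passes the size check but not the digest check. The function names, the retry count and the sample data are this example's own; it assumes GNU coreutils (stat -c, sha256sum, head -c, dd).

```bash
#!/usr/bin/env bash
# Added example (not Sentinel's copy process): copy a file to a secondary
# location and verify the copy the two ways the readme describes, retrying on
# failure. Function names, retry count and the sample data are this example's
# own. Assumes GNU coreutils (stat -c, sha256sum, head -c, dd).
set -u

# Quick check: the sizes match. Cheap (two stat calls) and catches truncation,
# which is what the 2 GB bug produced, but not corruption inside the file.
verify_quick() {
  [ "$(stat -c %s -- "$1")" -eq "$(stat -c %s -- "$2")" ]
}

# Strong check: SHA-256 digests match. Reads both files in full, so it costs
# I/O proportional to the partition size, but also catches bit flips and
# partial overwrites that leave the size unchanged.
verify_strong() {
  [ "$(sha256sum -- "$1" | cut -d' ' -f1)" = "$(sha256sum -- "$2" | cut -d' ' -f1)" ]
}

# copy_and_verify SRC DST MODE [MAXTRIES]
# MODE is "quick" or "strong". Returns 0 once a copy passes the check, 1 after
# MAXTRIES failures. A failed copy is removed before the retry so a truncated
# file never stays in secondary storage looking like a finished one.
copy_and_verify() {
  local src=$1 dst=$2 mode=$3 maxtries=${4:-3} attempt=1
  while [ "$attempt" -le "$maxtries" ]; do
    if cp -- "$src" "$dst" && "verify_$mode" "$src" "$dst"; then
      return 0
    fi
    rm -f -- "$dst"
    attempt=$((attempt + 1))
  done
  return 1
}

# Demo on constructed data: a 1 MiB file, a faithful copy, a truncated copy
# (caught by both checks) and a same-size corrupted copy (caught only by the
# strong check).
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  yes 'constructed event partition data' | head -c 1048576 > "$dir/src"
  copy_and_verify "$dir/src" "$dir/good" quick && echo "quick:  faithful copy verified"
  head -c 524288 "$dir/src" > "$dir/trunc"
  verify_quick "$dir/src" "$dir/trunc" || echo "quick:  truncated copy rejected"
  cp -- "$dir/src" "$dir/bad"
  printf 'X' | dd of="$dir/bad" bs=1 seek=4096 conv=notrunc 2>/dev/null  # one byte, same size
  verify_quick "$dir/src" "$dir/bad" && echo "quick:  same-size corrupted copy PASSES"
  verify_strong "$dir/src" "$dir/bad" || echo "strong: same-size corrupted copy rejected"
  rm -rf -- "$dir"
}
demo
```

The quick check is the right default for a high event rate because it costs two stat calls per partition; switch to the strong check when the secondary storage path (NFS, SAN, a flaky copy tool) can plausibly deliver a complete-length but corrupted file, and budget for reading every partition twice.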

Local Search Results with More Than 50,000 Events Cannot be Exported to a File

Issue: You cannot export local search results with more than 50,000 events to a file. (BUG 844532)

Fix: You can now export local search results up to 200,000 events to a file.

The View Triggers Option Provides Invalid Information

Issue: The View Triggers option displays events that did not trigger the correlation event. (BUG 848523)

Fix: The View Triggers option now displays only events that triggered the correlation event.

Sentinel Logs Errors When You Create a Security Intelligence Dashboard

Issue: When you create a Security Intelligence dashboard and use filters where the event fields are not enclosed in quotes or filters that contain wildcard characters (for example, * or ?), Sentinel logs several errors. (BUG 847504)

Fix: Sentinel no longer logs errors when you create the Security Intelligence dashboard.

Some Correlation Rules Initiate a Large Number of Simultaneous Searches

Issue: Some correlation rules generate a large number of correlated events. For each one, Sentinel services initiate a search to retrieve the events that triggered it, so many searches run simultaneously. These non-user-initiated searches exhaust the available open file handles and cause Sentinel to run out of memory. (BUG 861397)

Fix: This hotfix improves system availability by limiting the number of simultaneous non-user-initiated searches to five.

Sentinel Displays Error When Downloading Raw Data

Issue: When you try to download raw data files from the Sentinel Web console, Sentinel displays the error Action Failed 500 The call failed on the server. (BUG 847496)

Fix: You can now download raw data files from Sentinel successfully.

Sentinel Plug-ins are Downgraded While Upgrading Sentinel

Issue: While upgrading Sentinel server, the installer updates some of the Sentinel plug-ins. If a newer version of the plug-in is already installed, the installer downgrades the plug-in to the version included with the installer. (BUG 861392)

Fix: Sentinel plug-ins are no longer downgraded while upgrading Sentinel.

Sentinel Repeatedly Logs an Error After Raw Data Cleanup

Issue: Sentinel automatically performs raw data cleanup every four hours. After the cleanup, Sentinel closes the writer stream that is required to write raw event data to file. Sentinel can therefore no longer write raw event data to the files and repeatedly logs the error Writer not initialized: unable to write in the server logs, which results in high memory utilization. (BUG 846976)

Fix: Sentinel no longer closes the writer stream after raw data cleanup and Sentinel continues to write raw event data into the files.

Sentinel Logs an Error When Synchronizing Event Data with the Database

Issue: When synchronizing event data with the database, if the database table contains the event fields ModifiedBy and CreatedBy, Sentinel logs the errors Invalid Event Attribute ModifiedBy and Invalid Event Attribute CreatedBy in the server logs. The ModifiedBy and CreatedBy columns appear blank in the database table. (BUG 848144)

Fix: The event fields ModifiedBy and CreatedBy are restricted to internal use and are no longer offered in the database table creation window for data synchronization. In existing database tables, these columns remain empty. Sentinel no longer logs the error while synchronizing event data with the database.

2.0 System Requirements

You can upgrade to Sentinel 7.1.0.2 from Sentinel 7.0 or later.

For information about hardware requirements, supported operating systems, and browsers, see Meeting System Requirements in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

3.0 Upgrading to Sentinel 7.1.0.2

Download the hotfix from the Novell Patch Finder Web site. For information about upgrading to Sentinel 7.1.0.2, see “Upgrading Sentinel” in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

If you upgrade Sentinel from 7.0 to 7.1.0.2 and your Sentinel installation is in a non-default location, run the following commands as the novell user:

ln -s "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/3rdparty/activemq/activemq-all-5.4.2.jar" "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/lib/activemq-all-5.4.2.jar"

Where $RPM_INSTALLATION_PREFIX is the location of the Sentinel installation.

3.1 Upgrading the Appliance

When you upgrade the appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. You must upgrade the appliance by using the zypper patch command.

To upgrade the appliance by using zypper:

  1. Back up your configuration, then create an ESM export. For more information, see Backing Up and Restoring the Data in the NetIQ Sentinel 7.0.1 Administration Guide.

  2. Log in to the appliance console as the root user.

  3. Run the following command:

    /usr/bin/zypper patch
    
  4. Enter 1 to accept the vendor change from Novell to NetIQ.

  5. Enter Y to proceed.

  6. Enter yes to accept the license agreement.

  7. Restart the Sentinel appliance.

3.2 Upgrading Sentinel High Availability

When you upgrade Sentinel in a high availability setup, first upgrade the passive nodes in the cluster, then upgrade the active cluster node.

Prerequisite

Ensure that the .pgpass file is available on all cluster nodes. The upgrade installer requires the .pgpass file to authenticate to the Sentinel database. If the .pgpass file is not available on a cluster node, copy the .pgpass file from /home/novell on the active cluster node. Keep the copy owned by the novell user with mode 0600; the PostgreSQL client library ignores a .pgpass file that is readable by the group or by others.

Upgrading Sentinel High Availability

  1. Enable the maintenance mode on the cluster:

    crm configure property maintenance-mode=true
    

    Maintenance mode tells the cluster to stop managing its resources, so the upgrade cannot trigger resource restarts or failover. You can run this command from any cluster node.

  2. Verify whether the maintenance mode is active:

    crm status
    

    The cluster resources should appear in the unmanaged state.

  3. Upgrade the passive cluster node:

    1. Stop the cluster stack:

      rcopenais stop
      

      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.

    2. Log in as root to the server where you want to upgrade Sentinel.

    3. Extract the install files from the tar file:

      tar xfz <install_filename>
      
    4. Run the following command in the directory where you extracted the install files:

      ./install-sentinel --cluster-node
      
    5. After the upgrade is complete, restart the cluster stack:

      rcopenais start
      

      Repeat Step 3 for all passive cluster nodes.

  4. Upgrade the active cluster node:

    1. Back up your configuration, then create an ESM export.

      For more information about backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel 7.1 Administration Guide.

    2. Stop the cluster stack:

      rcopenais stop
      

      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.

    3. Log in as root to the server where you want to upgrade Sentinel.

    4. Run the following command to extract the install files from the tar file:

      tar xfz <install_filename>
      
    5. Run the following command in the directory where you extracted the install files:

      ./install-sentinel 
      
    6. After the upgrade is complete, start the cluster stack:

      rcopenais start
      
  5. Disable the maintenance mode on the cluster:

    crm configure property maintenance-mode=false
    

    You can run this command from any cluster node.

  6. Verify whether the maintenance mode is inactive:

    crm status
    

    The cluster resources should appear in the Started state.

  7. (Optional) Verify whether the Sentinel upgrade is successful:

    rcsentinel version
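
Before running the steps above on a node, a practitioner would want to confirm the two things the procedure depends on: that the .pgpass prerequisite is actually satisfied and that maintenance mode has taken effect before the cluster stack is stopped. The following shell script is an added example, not part of NetIQ's installer; its function names and the crm status excerpt are constructed, and the 0600 permission requirement is PostgreSQL's, not something the readme states.

```bash
#!/usr/bin/env bash
# Added example (not NetIQ's installer): pre-flight checks for one cluster node
# before the HA upgrade steps are run on it. Function names and the sample crm
# status text are this example's own; the 0600 requirement on .pgpass is
# libpq's. Assumes GNU coreutils (stat -c) and awk.
set -u

# check_pgpass FILE
# The upgrade installer authenticates to the Sentinel database with the novell
# user's .pgpass. libpq ignores a password file that is group- or world-
# accessible, so a file copied with the wrong mode fails just like a missing
# one. Mode 0600 (or read-only 0400) is required.
check_pgpass() {
  local f=$1 mode
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c %a -- "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "bad mode $mode on $f (need 0600)" >&2; return 1 ;;
  esac
}

# all_unmanaged < STATUS_TEXT
# Reads crm status output on stdin and returns 0 only when at least one
# resource line is present and every one of them carries "(unmanaged)", which
# is how maintenance mode shows up. Stopping the cluster stack before that
# point would let the cluster react to the resources disappearing.
all_unmanaged() {
  awk '
    /^[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]+\(/ { n++; if ($0 ~ /\(unmanaged\)/) u++ }
    END { exit !(n > 0 && n == u) }'
}

# preflight_node [PGPASS]
# Runs both checks against the live node. The demo below exercises only the
# helpers on constructed input; this is the function to call for real.
preflight_node() {
  check_pgpass "${1:-/home/novell/.pgpass}" || return 1
  crm status | all_unmanaged || { echo "cluster is not in maintenance mode" >&2; return 1; }
}

# Demo on constructed input: a .pgpass with the wrong mode, then fixed, and a
# crm status excerpt modeled on Pacemaker's output (constructed, not captured
# from a Sentinel cluster).
demo() {
  local dir status
  dir=$(mktemp -d) || return 1
  printf 'localhost:5432:SIEM:dbauser:constructed-password\n' > "$dir/.pgpass"
  chmod 644 "$dir/.pgpass"
  check_pgpass "$dir/.pgpass" || echo "pgpass: rejected with mode 644"
  chmod 600 "$dir/.pgpass"
  check_pgpass "$dir/.pgpass" && echo "pgpass: accepted with mode 600"
  status='Online: [ node1 node2 ]

Full list of resources:

 stonith-sbd    (stonith:external/sbd): Started node1 (unmanaged)
 Resource Group: sentinelgrp
     sentinelfs     (ocf::heartbeat:Filesystem):    Started node1 (unmanaged)
     sentinelip     (ocf::heartbeat:IPaddr2):       Started node1 (unmanaged)
     sentinel       (ocf::novell:sentinel): Started node1 (unmanaged)'
  printf '%s\n' "$status" | all_unmanaged && echo "crm: all resources unmanaged, safe to stop the stack"
  rm -rf -- "$dir"
}
demo
```

Run preflight_node as root on each node just before the rcopenais stop step; a non-zero exit means either the database credential file is unusable on that node or maintenance mode has not propagated, and in both cases continuing would leave the node half-upgraded or trigger the fencing the procedure is trying to avoid.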
    

4.0 Known Issue

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issue is currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of known issues in previous releases, see the Sentinel 7.1 Documentation Web site.

4.1 Sentinel Control Center does Not Launch if the Client Computer has Java 7 Update 45 Installed

Issue: If you have Java 7 update 45 installed on the client computer, Sentinel Control Center does not launch. (BUG 847497)

Workaround: Upgrade to Sentinel 7.1.1.2 or launch the Sentinel Control Center from the command prompt. To upgrade to Sentinel 7.1.1.2, see Sentinel 7.1.1.2 readme. To launch the Sentinel Control Center, execute the following command in the command prompt:

    javaws <path of the jnlp file>

4.2 Sentinel Control Center does Not Launch if the Client Computer has Java 7 Update 51 Installed

Issue: If you have Java 7 update 51 installed on the client computer, Sentinel Control Center does not launch. (BUG 862771)

Workaround: Upgrade to Sentinel 7.1.1.2 or add the Sentinel Web Console URL to the Java security Exception site list. To upgrade to Sentinel 7.1.1.2, see Sentinel 7.1.1.2 readme.

To edit the Java security Exception site list:

  1. In Control Panel > Java > Security, click Edit Site List.

  2. In the Exception Site List window, click Add and specify the Sentinel Web Console URL in the exception list field.

  3. Click OK.

4.3 Distributed Search Results with More Than 50,000 Events Cannot be Exported to a File

Issue: You cannot export distributed search results with more than 50,000 events to a file. (BUG 863985)

Workaround: There is no workaround at this time.

4.4 Sentinel Takes a Longer Time to Start if Large Number of Syslog Event Sources are Configured

Issue: When a large number of Syslog event sources is configured and DNS lookups do not resolve properly, Sentinel takes a longer time to start. (BUG 863490)

Workaround: To resolve this issue:

  1. Download the latest version of Syslog Connector (Syslog Connector 2011.1r3) from the Sentinel Plug-ins Web site.

  2. Copy the Syslog Connector plug-in package (.cnz) to the following location:

    /var/opt/novell/sentinel/data/updates/pending
    
  3. Restart the Sentinel service.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.