NetIQ Sentinel 7.1 Release Notes

June 2013

Sentinel 7.1 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

You can upgrade to Sentinel 7.1 from Sentinel 7.0 or later, or perform a new installation. Sentinel 7.1 includes all fixes and features addressed in each Sentinel 7.0 Service Pack and hotfix. For information about what’s new in previous releases, see the “Previous Releases” section in the Sentinel Documentation Web site.

To download this product, see the Novell Downloads Web site. For more information about this release and for the latest release notes, see the Sentinel Documentation Web site.

1.0 What’s New?

The following sections outline the key features and functions provided by this version, and issues resolved in this release:

1.1 Agent-Based Data Collection

Sentinel now provides you the flexibility for agent-based data collection. Depending on what is best for your environment, you can determine whether to use the agent-based data collection approach or the traditional agent-less data collection approach. For information about agent-based data collection, see Configuring Agent-Based Data Collection in the NetIQ Sentinel 7.1 Administration Guide.

1.2 Federal Information Processing Standard 140-2 Certification

Sentinel 7.1 leverages the Federal Information Processing Standards (FIPS) 140-2 compliant features to meet the security requirements of U.S. Federal agencies and customers with highly secure environments. Sentinel is now re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside. For more information, see Operating Sentinel in FIPS 140-2 Mode in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

1.3 Out-of-the-Box Solution Pack for ISO 27000 Series

Sentinel 7.1 provides the Solution Pack for ISO 27000 Series that helps you solve problems related to ISO 27002 management and security within enterprises. This Solution Pack provides a control-based framework and a wide variety of reports that help you verify whether your organization is in compliance with the ISO/IEC 27002:2005 information security standard. For more information about this Solution Pack, see the Solution Pack for ISO 27000 Series documentation on the Sentinel Plug-ins Web site.

1.4 High Availability Configuration

Sentinel 7.1 delivers an officially validated and tested high availability configuration that is easier to set up and configure. For more information, see Configuring Sentinel for High Availability in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

1.5 Usability Improvements

Sentinel 7.1 introduces several changes in the user interface (UI) to improve the usability in the following features:

  • Reports:

    • Ability to create reports based on an existing report: You can now create a new report by first selecting an existing report and then refining the report criteria as necessary.

    • View events for a report template: You can now directly view events for a report template without scheduling the report. The search results provide a preview of what to expect when you generate a report and the ability to investigate further.

    • View report data in specific time zone: You can now select the time zone in which you want to populate the report data. This feature is currently available only for ISO Solution Pack reports.

    • Detailed report emails: Report emails now contain detailed information about the report. You can see the report definition used, report result name, the user who generated the report, the time the report was generated, and so on.

    • Grouping of reports: As the number of reports grows over time, it can become difficult to manage all of your reports. By default, Sentinel now groups the reports by category. Sentinel also allows you to change the grouping to none, listing all your reports and searches under one heading. Sentinel highlights the Favorites with a star and sorts them first in each group.

    • Event List type reports: Sentinel no longer treats Event List type reports as a type of report; instead, it treats them as Searches. Sentinel now allows you to save your search criteria as a Search so that you can reuse the criteria to execute the same search interactively or to schedule a search that gathers the events into a CSV file.

  • Searches and criteria building:

    • Sentinel now provides a new Criteria field along with the ability to refine the criteria by using the Add Criteria dialog box. These new fields replace the Filter and Tag selection fields across the Sentinel console wherever they were used. The Add Criteria dialog box allows you to build new criteria from the most recently used criteria and from existing filters and tags.

    • Sentinel now displays the search progress when you perform a search. Understanding the progress is particularly helpful when you perform a search on a large number of events. The search progress dialog box provides you options to interrupt the search and display only the results gathered so far. You can also cancel the current search and refine your search query to get fewer results.

    • When you specify a search query with incorrect case-sensitivity, Sentinel now displays an appropriate message that indicates that the specified search query is invalid.

  • Correlation:

    Sentinel now allows you to redeploy a modified rule with a single click. After you modify a rule, Sentinel now displays a prompt that provides the Redeploy link. This enhancement replaces several manual clicks to redeploy a modified rule.

  • Filters:

    • You can now create a filter similar to how you create a search. Sentinel now provides you the option to create a filter either by specifying the filter criteria or by using existing filters and tags.

    • Sentinel no longer treats Filters as searches, but as saved and shareable criteria. You can use these criteria as building blocks for Searches and for refining other criteria.

In addition to the above listed changes, captions, icons, and the location of some elements in the Sentinel Web console have changed to improve usability. For more information, see the relevant chapters in the NetIQ Sentinel 7.1 User Guide.

1.6 Latest Plug-Ins

New installations of Sentinel 7.1 include the latest versions of several Sentinel plug-ins. These versions include the latest software fixes, documentation updates, and enhancements for the plug-in. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Web site.

The upgrade installation of Sentinel 7.1 provides new and updated versions of the following plug-ins to ensure that they are compatible with Sentinel 7.1 and later.

  • Agent Manager Connector 2011.1r1 - New Connector

  • LDAP Integrator 2011.1r1

  • SOAP Integrator 2011.1r1

  • SMTP Integrator 2011.1r1

  • Sentinel Core Solution Pack 2011.1r4

NOTE: The upgrade installation does not upgrade individual Collectors. For Sentinel Agent Manager, you must upgrade the host-based event source Collectors to ensure they are compatible.

1.7 Enhancements

Sentinel 7.1 includes the following enhancements:

PostgreSQL Upgrade

Sentinel 7.1 upgrades PostgreSQL to version 9.1.9 to fix security vulnerabilities.

Increase in the UDP Kernel Buffer Value

During installation, Sentinel 7.1 raises the UDP kernel buffer value to 67108864 if the existing value is lower than 67108864. Increasing the default UDP kernel buffer value reduces network packet drops, which in turn prevents event drops.
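The release notes name the target value but not the kernel parameter. The following is an added check script, not part of Sentinel or of these release notes; it assumes the value applies to the sysctl net.core.rmem_max (the UDP receive-buffer ceiling), and it reads the RcvbufErrors counter, which the kernel increments when a UDP datagram is dropped for lack of socket buffer space, from text in the format of /proc/net/snmp. The snmp lines embedded below are constructed sample data, not captured output.

```shell
#!/bin/sh
# Added example: confirm the UDP receive-buffer ceiling meets the value
# Sentinel 7.1 sets at install time, and read the UDP RcvbufErrors counter.
# Assumption: the "UDP kernel buffer value" is net.core.rmem_max.

SENTINEL_UDP_BUF=67108864

# udp_buffer_ok CURRENT [MINIMUM]: succeed when CURRENT >= MINIMUM (default
# MINIMUM is the Sentinel 7.1 value).
udp_buffer_ok() {
    cur=$1
    min=${2:-$SENTINEL_UDP_BUF}
    [ "$cur" -ge "$min" ]
}

# rcvbuf_errors SNMP_TEXT: print the Udp RcvbufErrors counter from text laid
# out like /proc/net/snmp (a "Udp:" header line naming the columns, then a
# "Udp:" value line). The header decides the column, so the layout may vary.
rcvbuf_errors() {
    printf '%s\n' "$1" | awk '
        $1 == "Udp:" && !have_hdr {
            for (i = 2; i <= NF; i++) if ($i == "RcvbufErrors") col = i
            have_hdr = 1; next
        }
        $1 == "Udp:" && have_hdr { print $col; exit }'
}

# Constructed sample in the shape of the Udp lines of /proc/net/snmp.
SAMPLE_SNMP='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1520034 12 4410 98012 4410 0 0 3'

# Live check against the running kernel when the file is readable.
if [ -r /proc/sys/net/core/rmem_max ]; then
    current=$(cat /proc/sys/net/core/rmem_max)
    if udp_buffer_ok "$current"; then
        echo "net.core.rmem_max=$current meets the Sentinel value $SENTINEL_UDP_BUF"
    else
        echo "net.core.rmem_max=$current is below $SENTINEL_UDP_BUF (raise with: sysctl -w net.core.rmem_max=$SENTINEL_UDP_BUF)"
    fi
fi
echo "RcvbufErrors in the constructed sample: $(rcvbuf_errors "$SAMPLE_SNMP")"
```

A non-zero RcvbufErrors that keeps growing on a Collector Manager host is the symptom the buffer increase is meant to remove; reading the counter before and after the upgrade shows whether the change took effect on that host. On a live system replace the constructed sample with `cat /proc/net/snmp`.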

Ability to Configure the Grace Period to Close a Partition

The default grace time to close a partition is now 10 minutes instead of 24 hours. Reducing the grace time period allows you to back up the partition without having to wait for 24 hours, while providing a reasonable time to accommodate late arriving events to the event store. You can change the default value as necessary. To customize the grace time period to close a partition, see Setting the Grace Period to Close Event Data Partitions in the NetIQ Sentinel 7.1 Administration Guide.

Support for Inclusion of Filters and Searches in the Solution Pack

When you create a solution pack, you can now include Filters and Searches in the Solution Pack. For more information, see Using Solution Packs in the NetIQ Sentinel 7.1 Administration Guide.

Ability to Configure the Number of Raw Data Events that can be Copied

To prevent unnecessary disk space consumption and to make the system more stable, Sentinel now sets a limit of 100,000 raw data events when copying the raw data events from the Connector. When the limit reaches 100,000, Sentinel automatically deselects the Copy Raw Data to a file option and stops copying the raw data. If you want to collect the raw data again, edit the Connector and select the Copy Raw Data to a file option. You can also change the default limit as necessary. For more information, see Setting the Raw Data Limit in the NetIQ Sentinel 7.1 Administration Guide.

Inclusion of the kernel-firmware Package in the ISO Appliance

The ISO appliance installer now includes the kernel-firmware package by default, which provides hardware drivers for physical servers.

Support for Multiple Key Columns and String Type Keys in the Mapping Service

Range maps are no longer restricted to have a single key column of type NumberRange. You can now use one key column of type NumberRange and zero or more other key columns of type String. For example, you can create a map that lists the allowed maintenance time for each individual server in an enterprise, for which you need to match both the hostname and the time range. For more information on range maps, see Adding a Number Range Map Definition in the NetIQ Sentinel 7.1 Administration Guide.
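To make the multi-key range map concrete, here is an added example in Python that is not Sentinel's code and does not use Sentinel's map file format. It models a map with String key columns plus one NumberRange key column and performs the lookup the release notes describe: matching an event's hostname and its time of day against each server's allowed maintenance window. The CSV layout, the low-high range syntax, the column names and the map contents are assumptions constructed for this illustration.

```python
"""Added example (not Sentinel code): a range map keyed by String columns plus
one NumberRange column, used to decide whether an event falls inside the
maintenance window defined for its host."""
import csv
import io
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MapRow:
    string_keys: tuple                   # values of the String key columns, in order
    low: int                             # inclusive lower bound of the NumberRange key
    high: int                            # inclusive upper bound of the NumberRange key
    values: dict = field(compare=False)  # the non-key (value) columns


class RangeMap:
    """Lookup table with zero or more String key columns and one NumberRange column."""

    def __init__(self, csv_text, string_key_cols, range_col):
        self.string_key_cols = tuple(string_key_cols)
        self.range_col = range_col
        self.rows = []
        for rec in csv.DictReader(io.StringIO(csv_text)):
            # Assumed range syntax: "low-high", both bounds inclusive.
            low, high = (int(x) for x in rec[range_col].split("-", 1))
            if low > high:
                raise ValueError(f"range {rec[range_col]!r} has low > high")
            keys = tuple(rec[c] for c in self.string_key_cols)
            values = {c: v for c, v in rec.items()
                      if c not in self.string_key_cols and c != range_col}
            self.rows.append(MapRow(keys, low, high, values))

    def lookup(self, string_values, number):
        """Return the value columns of the first row whose String keys match
        exactly and whose range contains `number`, or None if nothing matches."""
        string_values = tuple(string_values)
        for row in self.rows:
            if row.string_keys == string_values and row.low <= number <= row.high:
                return row.values
        return None


# Constructed map data: allowed maintenance window per host, with the time
# range expressed as minutes since midnight (60-180 is 01:00 to 03:00).
MAINTENANCE_CSV = """hostname,minute_range,window
web01,60-180,nightly-patching
web01,780-810,midday-restart
db01,120-240,backup
"""

MAINTENANCE = RangeMap(MAINTENANCE_CSV, string_key_cols=["hostname"],
                       range_col="minute_range")


def minutes_since_midnight(hhmm):
    """Convert an "HH:MM" clock time to minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def classify_event(hostname, hhmm):
    """Label a (constructed) reboot event as inside or outside its host's window."""
    hit = MAINTENANCE.lookup((hostname,), minutes_since_midnight(hhmm))
    return f"in-window:{hit['window']}" if hit else "outside-window"


if __name__ == "__main__":
    for host, when in [("web01", "01:30"), ("web01", "03:00"), ("db01", "05:00")]:
        print(host, when, classify_event(host, when))
```

A correlation rule can use the same idea: enrich the event with the map value and alert only when the lookup returns nothing, which is how a restart outside the approved window for that specific host stands out without writing one rule per server.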

Improved Error Messages for LDAP Test Connection Failures

When the LDAP test connection fails, Sentinel now displays detailed error messages that help you troubleshoot the issue more efficiently.

Soft Appliance on the Physical Server By Default

The Sentinel appliance configuration page now includes the Install Sentinel appliance to hard drive (for Live DVD image only) check box to automatically run the yast2 live-installer command to install the ISO appliance on the physical server. You no longer have to run the yast2 live-installer command during installation. This check box is selected by default. If you deselect this check box, the appliance will not be installed on the physical server and will run only in the LIVE DVD mode. If you decide to install the appliance to the hard drive in LIVE DVD mode, you can still run the yast2 live-installer command.

1.8 Software Fixes

Sentinel 7.1 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.1 Documentation Web site.

iTRAC Does Not Work If the appuser Password Contains Special Characters

Issue: Sentinel logs the TimerThreadPool exception several times and iTRAC does not work if the appuser password contains any of the following special characters: ‘+’, ‘\’, ‘#’, or ‘,’. (BUG 717679)

Fix: Sentinel now allows passwords with special characters.

iTRAC Connection to the Database Fails Due to Special Characters

Issue: iTRAC fails to connect to the database if the JDBC connection URL contains special characters. (BUG 570933)

Fix: iTRAC now successfully connects to the database even if the JDBC connection URL contains special characters.

Remote Collector Managers Do Not Cache Events

Issue: In some cases, remote Collector Managers do not cache events generated when the Sentinel server is down or when the link from the Remote Collector Manager to the server is down. (BUG 787716)

Fix: Remote Collector Managers now cache events without affecting the data collection.

Some Filters Do Not Display Events in the Dashboard

Issue: Filters do not display events in the dashboard if the same word occurs multiple times in the filter criteria for an event field. (BUG 795825)

Fix: Filters now display the relevant events in the dashboard even if the same word occurs multiple times in the filter criteria.

The Search Refine Panel Displays Incorrect Results

Issue: The values in the Refine panel are case-sensitive, whereas the actual Search functionality is case-insensitive. Therefore, Sentinel treats event field values that differ only in case as distinct values and displays incorrect results in the Refine panel. (BUG 788584)

Fix: Sentinel now combines event field values ignoring case and displays the consolidated results for the event field in the Refine panel.

Invalid Search Query When You Investigate for More Events for an Incident

Issue: In the Incidents View, when you click Investigate and select any of the options to view the events for an incident, it results in an invalid search query and does not display events for the incident. (BUG 782336)

Fix: Sentinel now displays the relevant events for incidents.

The setmemory.sh Script Does Not Export Some Customer-Set Variables

Issue: The setmemory.sh script does not export customer-set variables unless the variables are set by the script. (BUG 760106)

Fix: Sentinel now exports customer-set variables.

Uninstalling Sentinel or its Components Uninstalls All Novell Products

Issue: When you uninstall Sentinel or any of the Sentinel components, the uninstall script uninstalls other Novell products in the system. This issue occurs in rare instances where the Sentinel product manifest file is not found, or the installation or upgrade of Sentinel or its components was incomplete. (BUG 779756)

Fix: The uninstall script no longer uninstalls other Novell products when uninstalling Sentinel or any of its components.

Web Interface Does Not Indicate that Uploading a Collector Pack Report is Not Supported

Issue: When you attempt to upload a report for a different Sentinel platform after extracting it from a Collector Pack, the report does not import, and the only indication is an error message written to the error log. (BUG 803629)

Fix: Sentinel now displays a message that indicates that the plug-in you selected to upload is not a supported type.

The Incident XML File Does Not Include the Events Added to the Incident

Issue: When you execute the Incident Command through the iTRAC workflow template, the XML file in the attachments does not include the incident details and the events added to the incident. (BUG 796615)

Fix: The XML file now includes the incident details and the events added to the incident.

Sentinel Displays Icons Incorrectly for Correlation Rules With Longer Names

Issue: For correlation rules with longer names, Sentinel displays the deployed status icon multiple times for a single rule because the rule name spans multiple lines in the Correlation panel. (BUG 808801)

Fix: Sentinel now displays only one icon for a correlation rule even if the rule name spans multiple lines.

2.0 System Requirements

For information on hardware requirements, supported operating systems, and browsers, see Meeting System Requirements in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

3.0 Installing Sentinel 7.1

To install Sentinel 7.1, see the NetIQ Sentinel 7.1 Installation and Configuration Guide.

4.0 Upgrading to Sentinel 7.1

You can upgrade to Sentinel 7.1 from Sentinel 7.0 or later. To upgrade to Sentinel 7.1, see Upgrading Sentinel in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

5.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

For the list of known issues in previous versions of Sentinel, see the “Previous Releases” section in the Sentinel 7.1 Documentation Web site.

5.1 Unable to Upgrade a Sentinel Server Installed as a Non-Root User in a Non-Default Location

Issue: When you upgrade a Sentinel server installed as a non-root user in a non-default location to Sentinel 7.1, the upgrade fails. (BUG 822239)

Workaround: Perform the following steps before you upgrade the Sentinel server:

  1. Extract the squashfs RPM from the Sentinel 7.1 installer.

  2. Install the squashfs RPM as the root user in the Sentinel server.

  3. Proceed with upgrading the Sentinel server to Sentinel 7.1.

5.2 Unable to Install the Remote Collector Manager If the Password Contains Special Characters

Issue: When you install a remote Collector Manager, if you specify a password that contains special characters, such as ‘$’, ‘"’, ‘\’, or ‘/’, the installation does not proceed and results in errors. (BUG 812111)

Workaround: Do not use special characters in the remote Collector Manager password.

5.3 Restarting a Remote Collector Manager Causes Some Event Sources to Lose Connection

Issue: When you restart a remote Collector Manager appliance, the Syslog event sources connected on the UDP port lose connection. (BUG 795057)

Workaround: There is no workaround available at the time of this release.

5.4 Sentinel Does Not Display Identity Information

Issue: When you create users in Identity Manager, Sentinel does not populate the user identity information in the People tab. This issue occurs because the Driver for Sentinel is not compatible with Sentinel 7.1. (BUG 803725)

Workaround: There is no fix or workaround available at the time of this release. A newer version of the driver, which resolves this issue, will be available soon on the Novell Download Web site. If the Driver for Sentinel is required in your environment, please verify the availability of the driver update prior to installing Sentinel 7.1.

5.5 Sentinel Control Center Does Not Launch Due to Certificate Validation Failure

Issue: Sentinel Control Center does not launch and displays the Failed Certificate Validation error if the Always trust content from the publisher option is not selected. (BUG 786572)

Workaround: This error occurs because some of the settings in Java 7 are disabled. To enable these settings:

  1. Launch the Java Control Panel (jcontrol).

  2. Click Advanced and enable the following settings:

    • Check publisher certificate for revocation

    • Enable online certificate validation

  3. Launch Sentinel Control Center. It may prompt you to install the concurrent.jar file.

  4. Click Install to install the file.

5.6 Unable to Execute the Log to Syslog Action on Events

Issue: When you execute the Log to Syslog actions on a large number of events, for example more than 200, Sentinel executes the action only on the first 25 events and then stops with an IO exception. (BUG 807446)

Fix: The Syslog Integrator version 2011.1r1 and later resolves this issue. However, the 2011.1r1 version is not available at the time of this release. You can download the pre-release version of the Integrator from the Sentinel Pre-release Plug-ins Web site.

5.7 Unable to View More Than One Report Result at a Time

Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (BUG 804683)

Workaround: Click the second report result PDF again to view the report result.

5.8 Agent Manager Requires SQL Authentication When FIPS Mode is Enabled

Issue: When FIPS mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (BUG 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS mode is enabled in your Sentinel environment.

5.9 Sentinel CIFS Storage Fails When the Operating System is FIPS Enabled

Issue: When the Linux operating system (RHEL or SLES) on the Sentinel server is FIPS enabled, the Common Internet File System (CIFS) storage functionality fails in Sentinel. (BUG 793720)

This is a known issue in the Linux kernel where mounting a CIFS share fails if the operating system is FIPS enabled. For more information, see:

Workaround: There is no fix or workaround available at the time of this release.

5.10 Audit Connector Does Not Work on Non-FIPS Remote Collector Manager Connected to Sentinel in FIPS Mode

Issue: Data collection fails for the Audit Connector deployed on a non-FIPS remote Collector Manager connected to a Sentinel server in FIPS mode. (BUG 809425)

Workaround: The Audit Connector version 2011.1r2 and later resolves this issue. However, the 2011.1r2 version is not available at the time of this release. You can download the pre-release version of the Connector from the Sentinel Pre-release Plug-ins Web site.

5.11 File Connector Configured with SCP or CIFS Does Not Work on Sentinel in FIPS Mode

Issue: When you use SCP or CIFS as the file event source on a Sentinel server in FIPS mode, the File Connector does not work. (BUG 808343)

Workaround: The File Connector version 2011.1r2 and later resolves this issue. However, if SCP is the file event source, this Connector works only if it is deployed on a non-FIPS remote Collector Manager. The 2011.1r2 version is not available at the time of this release. You can download the pre-release version of this Connector from the Sentinel Pre-release Plug-ins Web site.

5.12 Some of the Sentinel Images Do Not Appear in Internet Explorer 8 and Later

Issue: In Internet Explorer 8 and later, some of the Sentinel application images do not appear in certain sections of the Web interface, such as in the left navigation panel, the Collection page, the Applications page, and so on. (BUG 785361)

Fix: This is a known issue in Microsoft Internet Explorer 8 and later. To fix this issue, perform the steps mentioned in Winhelponline.com or contact Microsoft Technical Support.

5.13 Sentinel Web Interface Does Not Launch in Some Versions of Windows with Internet Explorer 8 as the Browser

Issue: Sentinel Web Interface does not launch on Windows Server 2003 SP2 64-bit and Windows XP SP3 64-bit operating systems with Internet Explorer 8 as the browser. (BUG 786822)

Fix: This issue occurs because Sentinel uses the SHA256RSA signature algorithm for the Web server certificate. Some versions of Windows operating systems do not recognize the Web server certificate if the signature algorithm is SHA256RSA. To fix this issue, you must upgrade the operating system with the hotfix provided by Microsoft. For more information, see the Microsoft Support Web site.

5.14 Some of the Icons Appear Incorrectly in Internet Explorer 10

Issue: On Internet Explorer 10, some of the icons in the Web interface appear incorrectly. (BUG 815252)

Workaround: This is a sporadic issue. Set the default browser settings as follows every time this occurs:

  1. Press F12.

  2. Set Browser mode to IE 10.

  3. Set Document mode to Standards.

5.15 Sentinel High Availability Installation in FIPS Mode Displays an Error

Issue: If FIPS mode is enabled, the Sentinel High Availability installation displays the error “Sentinel server configuration.properties file is not correct. Check the configuration file and then run the convert_to_fips.sh script again to enable FIPS mode in Sentinel server”. However, the installation completes successfully. (BUG 817828)

Workaround: There is no fix or workaround available at the time of this release. Although the installer displays the error, the Sentinel High Availability configuration works successfully in FIPS mode.

5.16 Distributed Search Does Not Work If the Target Sentinel Server is in High Availability Mode

Issue: Distributed search fails if the target Sentinel server, which is in High Availability mode, moves to a High Availability cluster node other than the one that was running Sentinel when the server was added as a target. (BUG 816719)

Workaround: Change the target server IP address to the common cluster IP address of the Sentinel server in High Availability mode.

5.17 Sentinel High Availability Installation Does Not Check for the Required NSS Packages

Issue: When you perform a silent installation of Sentinel in High Availability mode and when FIPS mode is enabled, the installer does not check for the required NSS packages. (BUG 815941)

Workaround: Ensure that the required NSS packages are available on the system before you start the installation.

5.18 Sentinel High Availability Installation in Non-FIPS Mode Displays an Error

Issue: The Sentinel High Availability installation in non-FIPS mode displays the error “/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments” twice. However, the installation completes successfully. (BUG 810764)

Workaround: There is no fix or workaround available at the time of this release. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS mode.

5.19 The Help Menu Displays the HTTP 404 Error

Issue: The Help menu in Event Source Management and the Sentinel Web console displays the HTTP 404 Error and does not launch the Sentinel documentation Web site. (BUG 814138)

Workaround: To view the latest Sentinel documentation, see the Sentinel 7.1 Documentation Web site.

5.20 Unable to Delete Renamed Dashboards After Upgrading the Xen Appliance

Issue: After you upgrade the Xen appliance to Sentinel 7.1, if you rename a dashboard and then delete the renamed dashboard, Sentinel displays an error. However, Sentinel deletes the dashboard successfully. (BUG 816542)

Workaround: There is no workaround at the time of this release.

6.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of NetIQ Forums, our community Web site that offers product forums, product notifications, blogs, and product user groups.