Novell Sentinel Log Manager 1.2.0.2 Readme

January 18, 2012

Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.

You can use Sentinel Log Manager 1.2.0.2 to upgrade Sentinel Log Manager 1.2 or later, or for a new installation.

1.0 What’s New

1.1 What’s New in Sentinel Log Manager 1.2.0.2

1.1.1 Enhancements to the Search Configuration

A new Configuration tab has been added to the Search Setup feature so you can set the maximum number of searches that can run in the system at the same time. Many simultaneous searches can slow down the system, so capping their number helps you maintain stable system performance.

For more information, see Configuring the Search Limit in the Sentinel Log Manager 1.2 Administration Guide.

1.1.2 Security Improvements

The following security improvements have been made to fix security vulnerabilities:

  • The Java Runtime Environment (JRE) has been upgraded to version 1.6.0_27.

  • Directory traversal vulnerability CVE-2011-5028 has been fixed. Users authenticated to the Sentinel Log Manager Web interface can no longer access system files through it.
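An added illustration, not Sentinel Log Manager code, of the kind of containment check that closes a traversal hole like this one in a file-download handler: the request is decoded, then resolved and compared against the base directory rather than string-matched. The base directory, function name and sample inputs are constructed for the example.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed, constructed base directory for files the web interface may serve;
# not a Sentinel Log Manager path.
BASE_DIR = Path("/var/tmp/slm-demo-exports")

def check_download_path(requested: str, base: Path = BASE_DIR) -> Optional[str]:
    """Return the resolved path if `requested` stays under `base`, else None.

    Percent-encoding is decoded first so that encoded dot-dot sequences are
    checked the same way as literal ones, and absolute paths are rejected
    rather than silently re-rooted under the base.
    """
    decoded = unquote(requested)
    if decoded.startswith(("/", "\\")):
        return None
    base_real = base.resolve()
    # resolve() collapses '..' and follows symlinks, so a symlink inside the
    # base that points outside it fails the same containment test.
    candidate = (base_real / decoded).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None  # escaped the base directory
    return str(candidate)

if __name__ == "__main__":
    # Constructed sample inputs: a normal download and two traversal attempts.
    for req in ("report.csv", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:32} -> {check_download_path(req)}")
```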

1.1.3 Plug-Ins Upgrade

Sentinel Log Manager 1.2.0.2 includes updated versions of the Sentinel plug-ins. The latest versions of the Collectors and Connectors are available only when you perform a new installation. The latest versions of the Integrators and Actions are available in both new and upgrade installations.

1.1.3.1 Collectors

  • Microsoft Active Directory and Windows 6.1r6

  • Novell iManager 6.1r4

  • Novell eDirectory 6.1r9

  • Novell Open Enterprise Server 6.1r6

  • Oracle Solaris 6.1r3

  • Red Hat Enterprise Linux 6.1r2

  • Sentinel Link 2011.r1

  • Suse Linux Enterprise Server (SLES) 6.1r4

1.1.3.2 Connectors

  • Audit 6r9

  • Checkpoint LEA 2011.1r1

  • File 2011.1r1

  • Sentinel Link 2011.1r1

  • Syslog 6r10

  • Windows Event (WMI) 2011.1r1

1.1.3.3 Integrators

  • Sentinel Link 2011.1r1

  • SNMP Integrator 2011.1r1

  • Syslog 6.1r4

1.1.3.4 Actions

  • Execute a Command 2011.1r1

  • Sentinel Link 2011.1r1

1.1.4 Software Fixes

Sentinel Log Manager 1.2.0.2 includes software fixes and enhancements. If you use the upgrade installer, the set of new features and fixed defects depends on the version from which you upgrade. For example, if the system is running Sentinel Log Manager 1.2, defect fixes from 1.2.0.1 are also applied as part of this upgrade.

For the list of software fixes in previous releases, see the Sentinel Log Manager 1.2 documentation.

1.2 What’s New in Sentinel Log Manager 1.2.0.1

1.2.1 SLES 11 SP1 Support

Sentinel Log Manager 1.2 and later support the SUSE Linux Enterprise Server (SLES) 11 SP1 64-bit platform. The Sentinel Log Manager 1.2.0.1 upgrade installer is mainly intended to upgrade Sentinel Log Manager 1.1.0.x systems so that they work seamlessly with SLES 11 SP1.

1.2.2 Updates to the Squashfs Package

Previous versions of Sentinel Log Manager (1.1.0.x) use the squashfs 3.4-35.1 version. Because SLES 11 SP1 supports squashfs 4.0 and later, Sentinel Log Manager 1.2 and later use the squashfs 4.0-1.2.10 version.

1.2.3 Security Improvements

The following updates have been made to fix security vulnerabilities:

  • The Java Runtime Environment (JRE) has been upgraded to version 1.6.0.24.

  • Apache Tomcat has been upgraded to version 6.0.32.

1.2.4 Software Fixes

Sentinel Log Manager 1.2.0.1 includes the latest software fixes and enhancements for an existing installation of Sentinel Log Manager 1.1.0.x and later. The set of new features and fixed defects depends on the version from which you upgrade. For example, if the system is running Sentinel Log Manager 1.1, the defect fixes from 1.1.0.1 are also applied as part of this upgrade.

For the list of software fixes in previous releases, see the Sentinel Log Manager 1.2 documentation.

2.0 System Requirements

Sentinel Log Manager 1.2 and later require the SLES 11 SP1 platform. Therefore, you must first ensure that the operating system is upgraded to SLES 11 SP1 before you install or upgrade Sentinel Log Manager.

For more information about system requirements, see System Requirements in the Sentinel Log Manager 1.2 Installation Guide.

3.0 Installing Novell Sentinel Log Manager

To install Novell Sentinel Log Manager 1.2 and later, see the Sentinel Log Manager 1.2 Installation Guide.

4.0 Upgrading to Novell Sentinel Log Manager 1.2.0.2

To upgrade Novell Sentinel Log Manager to the latest patch, see “Upgrading Sentinel Log Manager” in the Novell Sentinel Log Manager 1.2 Installation Guide.

5.0 Defects Fixed and Enhancements

5.1 Defects Fixed

The following table lists the defects fixed in Sentinel Log Manager 1.2.0.2:

Bug Number

Solution

647619

When you click a number adjacent to the rules, the rules associated with an action display as expected.

659294

When you run a search query report on both local and distributed servers and export the report results to a CSV file, the Event time (dt) field in the report is in readable format and no exceptions are logged.

671012

Sentinel Log Manager now displays the license date in the long date format to avoid ambiguity. For example, if the license expiry date is 10/10/11, Sentinel Log Manager now displays the date as October 10, 2011.

687643

Reports that are scheduled to run once now run only once, as expected.

690102

The DISK_SIZE_ALLOCATED and DISK_SIZE_USED columns in the DISK_MONITOR table now use a Numeric data type, so larger disk size values can be stored.

692031

Sentinel Log Manager now deletes raw data files according to the specified data retention policies.

693408

Performance improvements in Sentinel Log Manager prevent the system from slowing down when the raw_data_files_info table holds a large data set.

694221

When you run the backup_util.sh script with the -e option, the script extracts the backed up partitions as expected.

697069

After you configure network storage and click Health to view the disk statistics, the disk statistics display immediately, as expected.

698833

In NAT environments, the Event Source Manager launches as expected.

699702

When search queries are not processing because of issues in the Sentinel services, the Search interface displays an appropriate message.

706338

A Collector Manager handling a large number of event sources does not change to the Unknown state when a Collector or Connector is stopped.

706344

Sentinel Log Manager now closes search jobs that are idle for a long time, such as 1 hour, to free up system resources.

709872

When you select a specific set of raw data files for download, only the selected raw data files download from the event source as expected.

715610

You can now use the esm_manager.sh script to manage event sources through the command line.

720404

The following versions of the Sentinel Log Manager appliance now include the CD-ROM device option:

  • Xen appliance

  • VMware appliance

  • ISO appliance

720858

After you upgrade a remote Collector Manager that is in the Running state, the remote Collector Manager services restart automatically.

722262

Reports run on both local and remote servers display the correct number of events in PDF as expected.

723601

When you run a report that is saved in the remote server, the system generates the report results as expected.

723886

When you drill down into report results that include local and target servers, events from the target server display only once, as expected.

716603

When you run a report on both local and remote servers, events from the remote server display in the report results as expected.

5.2 Enhancements

The following table lists the enhancements made in the 1.2.0.2 version to improve the functionality of Sentinel Log Manager:

Bug Number

Description

721941

The Event Source Management application title bar now displays the IP address of the Sentinel Log Manager server.

709257

The Report Definition Name, Report Name, and footer information display appropriate information in the reports after you install Sentinel Core Solution Pack version 2011.1r1.

689074

The Assign to loopback IP option in the appliance installer is now selected by default so that the installation finishes successfully even if users forget to select this option.

687143

The UUID of the event data directory in the network storage is now unique for each instance of Sentinel Log Manager. This enhancement is applicable only for clean installations of Sentinel Log Manager 1.2 Hotfix 2 and later.

693607

When the system deletes the expired raw data files from local and network storage, it generates an internal audit event (DeleteExpiredRawDataFile).

6.0 Known Issues

Bug Number

Description

741234

Issue: Report results cannot be e-mailed to the configured recipients if you delete the default Send an E-mail action.

Workaround: Refer to TID# 7010006 available in the Novell Support Knowledge Base.

740313

Issue: When you run a search or a report on remote servers, a temporary file and a folder named restservices.esec-tmp-mgr* are created for every such search and report in the /opt/novell/sentinel_log_mgr/3rdparty/tomcat/temp/ folder and are never cleaned up. Over time these leftovers fill up the disk.

Workaround: Manually delete the restservices.esec-tmp-mgr* files and folders at regular intervals.
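An added housekeeping script, not a Novell-provided tool, that implements this workaround: it selects only the restservices.esec-tmp-mgr* entries directly under the Tomcat temp folder named above that have not been modified for a configurable number of hours, so entries a running search or report may still be using are left alone. The 24-hour default, the dry-run default and the function names are assumptions for the example.

```python
import fnmatch
import shutil
import time
from pathlib import Path

# Folder and name pattern are the ones named in the known issue; the age
# threshold and dry-run default are assumptions for this example.
TEMP_DIR = Path("/opt/novell/sentinel_log_mgr/3rdparty/tomcat/temp")
PATTERN = "restservices.esec-tmp-mgr*"

def select_stale(entries, max_age_hours, now):
    """Pick names matching PATTERN whose mtime is older than the cutoff.

    `entries` is an iterable of (name, mtime_seconds). Keeping the selection
    logic free of filesystem calls makes it easy to check against sample data.
    """
    cutoff = now - max_age_hours * 3600
    return sorted(name for name, mtime in entries
                  if fnmatch.fnmatchcase(name, PATTERN) and mtime < cutoff)

def cleanup(temp_dir=TEMP_DIR, max_age_hours=24, dry_run=True):
    """Remove stale leftover files and folders; returns the paths acted on."""
    if not temp_dir.is_dir():
        return []
    # lstat() so a stray symlink is judged by its own mtime, not its target's.
    entries = [(p.name, p.lstat().st_mtime) for p in temp_dir.iterdir()]
    acted = []
    for name in select_stale(entries, max_age_hours, time.time()):
        path = temp_dir / name
        if not dry_run:
            if path.is_dir() and not path.is_symlink():
                shutil.rmtree(path)   # the leftover folder
            else:
                path.unlink()         # the leftover file (or a symlink)
        acted.append(str(path))
    return acted

if __name__ == "__main__":
    # Dry run by default; call cleanup(dry_run=False) from a scheduled job
    # once the listed entries look right.
    for path in cleanup():
        print("would remove", path)
```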

734816

Issue: When you upgrade Sentinel Log Manager, the database upgrade fails if the dbauser password does not match the password stored in the .pgpass file.

Workaround: Update the password in the .pgpass file to the current dbauser password, then proceed with the upgrade. For more information, see the Troubleshooting Installation appendix in the Sentinel Log Manager 1.2 Installation Guide.

731811

Issue: After you upgrade a server that acts as a Syslog receiver to the latest version of Sentinel Log Manager, the Log to Syslog actions on the Syslog sender server do not re-establish the connection to the Syslog receiver.

Workaround: Re-establish the connection in the Syslog sender server:

  1. Log in to the Sentinel Log Manager web interface with a user account that is a member of the administrator role.

  2. Select Rules > Actions.

  3. Click the edit link adjacent to the Log to Syslog action configuration.

  4. Click Save without making any changes.

  5. Repeat Step 3 and Step 4 for all actions configured by using the Log to Syslog action plug-in.

The Syslog sender server re-establishes the connection.

730530

Issue: The Lucene Query Parser Syntax link in the Search Tips table does not work.

Workaround: Refer to the Search Query Syntax appendix in the Sentinel Log Manager 1.2 Administration Guide.

731010

Issue: When you drill down into Event List type report results and select the save as rule or the save as retention option, the NullPointerException message is logged in the server0.0 logs and the specified query is not saved.

Workaround: Use the same query in the Search interface, and select save as rule or save as retention as required. The query is saved accordingly.

728903

Issue: After you successfully upgrade the appliance to the 1.2.0.2 version, the uninitialized constant Patch::LICENSES_DIR message might be displayed in WebYaST. This issue is sporadic.

Workaround: Restart the appliance. For more information, see Starting and Stopping the Appliance in the Sentinel Log Manager 1.2 Administration Guide.

726116

Issue: When you save a search query report with the query, rv145:OverEPSLimit, the system does not generate report results and logs an exception in the server0.0 log file.

Workaround: None.

725052

Issue: If you install Sentinel Log Manager in a non-default location that has spaces in its directory name, the Sentinel Log Manager services do not start. For example, /opt/sentinel log manager.

Workaround: Do not include spaces in the directory name where you want to install Sentinel Log Manager. For example, /opt/sentinellogmanager.

724876

Issue: If you install Sentinel Log Manager in a non-default location under the root user's home directory, such as /root/sentinellogmanager, the installation does not proceed.

Workaround: Do not install Sentinel Log Manager in the root directory.

723781

Issue: When you export search results to a file that has an ampersand (&) in its name, the system displays the HTTP Status 500 error and does not export the search results to the file.

Workaround: Do not use the ampersand (&) symbol in the filename where you want to export the search results.

713724

Issue: When the system deletes the expired raw data files, incorrect messages such as unable to delete raw data file <filename> are logged in the server.log file for files that are deleted already.

Workaround: Ignore the log messages. Sentinel Log Manager deletes the expired raw data files as expected although incorrect messages are logged.

710692

Issue: If you use the Select All option to download the raw data files from an event source, then use the Clear All option to clear the selection and select a specific number of raw data files to download, the number of files downloaded is higher than the number of files selected for download.

Workaround: This issue happens only when you use the Select All and the Clear All options consecutively. Select the raw data files manually instead of using the Select All option.

701280

Issue: When you search or run reports in the network storage, the following exception is logged in the DAS server log:

 java.io.IOException: Input/output error
        at sun.nio.ch.FileDispatcher.pread0(Native Method)
        at sun.nio.ch.FileDispatcher.pread(FileDispatcher.java:31)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:230)
        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
        at sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:625)

This issue is sporadic.

Workaround: None. Contact Novell Technical Support for assistance.

700058

Issue: The Microsoft Active Directory and Windows Event Count Trend 6.1.r2 report results are blank if events are sent from the Microsoft Active Directory 6.1r4 Collector.

Workaround: Download and upgrade the latest version of the Microsoft Active Directory and Windows Collector from the Sentinel Plug-ins Web site. For information about upgrading the Collector, refer to the Collector documentation.

694852

Issue: After you install Sentinel Log Manager, the Invalid expiration date for temporary license/ License Expired: Data Restoration not executed message is logged several times in the server_wrapper.log file.

Workaround: Ignore the log messages. Sentinel Log Manager works as expected although these messages are logged.

7.0 Documentation

The updated documentation and release notes are available at the Sentinel Log Manager documentation site.