Sentinel 7.3.1 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources.
The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Sentinel NetIQ Documentation page. To download this product, see the Sentinel Product Upgrade website.
The following sections outline the key features and software issues resolved in this release:
Sentinel 7.3.1 includes Server Java Runtime Environment (JRE) version 8 update 45, that includes fixes for several security vulnerabilities and also improves Sentinel performance.
To be able to launch Sentinel Control Center and Solution Designer on any client computer, you must install JRE 8 on the client computer.
The JRE folder structure has been changed from /opt/novell/sentinel/jre to /opt/novell/sentinel/jdk/jre.
NOTE: Sentinel 7.3 documentation does not reflect the changes to the JRE folder structure.
This service pack resolves the following security vulnerabilities:
Logjam (CVE -2015-4000)
Bar Mitzvah (CVE-2015-2808)
NOTE:
As part of fixing these security vulnerabilities, there are some changes to the communication protocols used on the Sentinel server. Therefore, when you upgrade the Sentinel server to version 7.3.1, you must also upgrade the Collector Manager, Correlation Engine, and the NetFlow Collector Manager to version 7.3.1 for seamless communication.
Fixing these vulnerabilities in Sentinel has caused communication failure with Change Guardian and Secure Configuration Manager. For more information about the workaround for this issue, see Section 4.4, Cannot Receive Events from Secure Configuration Manager After Upgrading to Sentinel 7.3.1 and Section 4.5, Cannot Receive Events from Change Guardian After Upgrading to Sentinel 7.3.1.
Sentinel 7.3.1 includes the following software fixes that resolve several previous issues.
For the list of software fixes and enhancements in previous releases, see the specific release notes.
Alert Roll-up Occasionally Fails and Sentinel Incorrectly Creates New Alerts
Sentinel Does Not Display Customized Alert Properties for Remote Alerts
Sometimes Sentinel Does Not Display Alerts in Alert Views After a Restart
Documentation for Methods Related to Sentinel Plug-ins Requires Updating
Sentinel Might Display an Error When You Create or Regenerate a Baseline
Security Intelligence Dashboards Consume Large Amounts of Memory
Cannot Set Action Time Attributes When Creating Correlation Rules in Some Languages
Sentinel Does Not Display Values for Long Data Type Event Fields
Sentinel Server Might Shut Down When Running Searches That Span Across a Large Number Days
Selected ESS Type is Reset in Connector Editor Upon Closing ESS Editor
Solution Manager Does Not Deploy Imported Filters Created By Non-Admin Users
Sentinel Does Not Generate Reports If There are Commas in the Data Source Names
Synchronization Issues Between Sentinel and Sentinel Agent Manager
Autocomplete Functionality in the Sentinel Login Page Might Cause Security Vulnerabilities
Arrows Used for Sort Order in Event Sources Page are Almost Invisible
Sentinel Server Might Stop When Malformed Data is Sent To the Proxy Port
Sentinel Sometimes Displays an Error When Non-Administrators Run Reports
Cannot Add Data Sources or Authorized Requestors In Sentinel Appliance Installations
Sentinel Displays Irrelevant Data If the Event Search Criteria Contains Special Characters
Alert Dashboards Might Not Display Alerts in the Number of Alerts and Their Source Pane
Collector Manager Drops Events When Disconnected From Sentinel
Search Duration Fields are Overlapped By the Content of the Search Name Field
Alert Roll-up Fails When the Repeat Count Field is Configured to a Value in Alerts
Sentinel Might Delete Archived Partitions if it Cannot Access the Corresponding Online Partitions
Issue: When the Sentinel server is running in FIPS 140-2 mode, you cannot launch Sentinel Control Center and Solution Designer in the client computer using Java Web Start if the JRE version is 8 or later. (BUG 907263)
Fix: Sentinel 7.3.1 supports JRE 8. You can now launch Sentinel Control Center and Solution Designer when Sentinel is in FIPS 140-2 mode.
Issue: In the alert view, the Occurrences count decreases when you refresh the alert view. (BUG 913838)
Fix: Few minutes after the alert roll up happens, Occurrences count displays the correct value when you refresh the alert view.
Issue: Sentinel might create a new alert instead of rolling up alert information to an existing alert. This is a sporadic issue. (BUG 914512)
Fix: Sentinel does not create new alerts when the alert information can be rolled up to an existing identical alert.
Issue: In alert views, when you click View Details next to any remote alert and go to the Alert Details page, trigger events for that alert do not display in the Associated Data panel. (BUG 916116)
Fix: You can view the trigger events for remote alerts in the Alert Details page.
Issue: The State and Priority fields in remote alerts do not display any data if they are customized. (BUG 915762)
Fix: Sentinel 7.3.1 improves the mechanism to communicate with the remote data source server to obtain customized values. Sentinel now displays data for State and Priority fields correctly.
Issue: Sometimes, Sentinel does not display alerts in alert views if you restart Sentinel. (BUG 916133)
Fix: Alert views display alerts correctly even after you restart Sentinel.
Issue: The documentation for some operations in Sentinel Plug-ins does not provide examples about how to use the Sentinel Plug-ins REST APIs. (BUG 744255)
Fix: Sentinel API documentation contains examples about how to use REST APIs for performing various operations.
Issue: The data provider for the SpyEye Tracker feed has discontinued updates to this feed, stating that the SpyEye threat appears to be mitigated. This feed plug-in is still bundled in Sentinel. The data provider no longer supplies valid threat feeds; so, the feed plug-in populates the dynamic lists with unexpected data, and related correlation rules do not work properly. The Feeds user interface only indicates that data was processed successfully, but does not indicate that the data is invalid. (BUG 916560).
Fix: Go to the Solution Manager and upgrade the Threat Intelligence Solution Pack version to 2011.1r2. This solution pack removes SpyEye Tracker components. For more information, see the Threat Intelligence Solution Pack documentation on the Sentinel Plug-ins website.
Issue: If Sentinel is in FIPS 140-2 mode, the Sentinel Web interface does not launch in Internet Explorer (with TLS version set only to 1.2) and logs an exception in the server logs. In Chrome, the Sentinel Web interface launches but logs an exception. (BUG 926093)
Fix: You can now launch the Sentinel Web interface in Internet Explorer and Chrome without logging any exceptions when Sentinel is in FIPS 140-2 mode.
Issue: When you launch the Sentinel Web interface using port forwarding or Destination Network Address Translation (DNAT), Sentinel Web interface displays a blank page. (BUG 694732)
Fix: Sentinel Web interface launches correctly. The URL built when you use port forwarding or DNAT will not have any port number.
Issue: When you create or regenerate a Security Intelligence baseline, Sentinel creates the baseline successfully, but displays an error message. (BUG 848067)
Fix: Sentinel creates Security Intelligence baseline correctly, and does not display any error message.
Issue: Security Intelligence (SI) dashboards consume large amounts of memory, which results in the Sentinel server shutting down. (BUG 906615)
Fix: Sentinel 7.3.1 fixes this issue by improving the SI processing mechanism.
Issue: If you have set your system language to a language other than English, such as German and Australian English, the Action Time attributes do not work while creating expressions for a new correlation rule. (BUG 888663)
Fix: Sentinel now reads the browser settings made for the selected system language, and accordingly maps the internal parameters created for the Action Time attributes. Now you can use Action Time attributes in any language, while creating expressions for a new correlation rule.
Issue: When you run a distributed report, Sentinel does not apply the search filters, such as the security filter for the role. All the events are recorded in the report. (BUG 915179)
Fix: When running distributed reports, Sentinel applies the role security filter of the user who runs or schedules the distributed report.
Issue: When you sort the event sources for Create Date, Parse, or EPS columns in the Collection > Event Sources tab, sorting does not work correctly. (BUG 899652)
Fix: In Sentinel 7.3.1, sorting of event sources works correctly.
Issue: If event fields are of long data type, and if the value is longer than [-9007199254740991 TO 9007199254740991], Sentinel does not display any value for those fields. (BUG 911147)
Fix: Sentinel displays long data type event fields correctly. If the event fields are of long data type and if the value is longer than [-9007199254740991 TO 9007199254740991], Sentinel treats those fields as text strings.
Issue: When users log in to the Sentinel Web interface, the Sentinel server authenticates them twice. This results in generation of duplicate audit events for user logins. (BUG 891602)
Fix: Sentinel server does not generate duplicate audit events for user logins.
Issue: When you restart the Sentinel server, it might not start correctly if there are large number of connections to the PostgreSQL database, resulting in huge memory utilization. (BUG 923365)
Fix: The PostgreSQL database uses a fixed size pool, which reduces the memory utilization.
Issue: Sentinel server might shut down when you run searches that span across a large number of days. This is a sporadic issue. (BUG 915845)
Fix: Sentinel 7.3.1 improves memory utilization during searches that span across large number of days.
Issue: In Event Source Management, the Event Source Server (ESS) you select is reset in Connector Editor when you close the ESS Editor. (BUG 896333)
Fix: Sentinel 7.3.1 preserves the selected ESS after you close the ESS Editor.
Issue: Sentinel Web interface might time out unexpectedly and become unresponsive. (BUG 914121)
Fix: In Sentinel 7.3.1, the Web interface does not time out.
Issue: Solution Manager does not deploy filters when you create a solution pack using the filter created by a non-admin user, import the solution pack to another Sentinel system, and then try to deploy the filter. (BUG 910124)
Fix: You can deploy imported filters that are created by non-admin users. In the target Sentinel server, those filters will be owned by the admin user.
Issue: Sentinel might display an error and become unresponsive while updating country maps. (BUG 908525)
Fix: Sentinel 7.3.1 modifies the maps update mechanism and fixes this issue.
Issue: Sentinel does not display the delta information in events sent by Change Guardian if the size of the delta information is more than 10 KB. (BUG 886894)
Fix: Sentinel 7.3.1 updates the delta information field in events so that it displays the content even if it is more than 10 KB size.
Issue: While generating distributed search reports, Sentinel displays an error if the data source names consist of commas. (BUG 871186)
Fix: Sentinel 7.3.1 generates reports in distributed environments correctly, even if there are commas in the data source names.
Issue: Reports generation takes a very long time to generate, and Sentinel becomes unresponsive if the user account that scheduled the report no longer exists. (BUG 886450)
Fix: When Sentinel deletes a user account, it also deletes all the report generation schedules created by that user account.
Issues:
When you delete agents in Sentinel Agent Manager (SAM), the updates are not synchronized in Sentinel, and those agents might still display as active agents in Sentinel. (BUG 862431)
Unmanaged agents and managed agents that are offline disappear from Sentinel after the daily agent scan, even though the same agents display correctly on SAM. Also, these agents send event data only for a short period of time after they disappear from Sentinel. (BUG 922073)
Sentinel displays errors if there are uninstalled agents in SAM during SAM-Sentinel synchronization. (BUG 919624)
Agent table synchronization takes a long time to complete, and prevents/delays data being written to the table. (BUG 927513)
Fix: Sentinel has a fine-tuned agents synchronization mechanism between Sentinel and Sentinel Agent Manager such that it updates only active agents.
Issue: Autocomplete functionality in the Sentinel login page might cause security vulnerabilities, because it exposes user login credentials. (BUG 822435)
Fix: Sentinel 7.3.1 disables the autocomplete functionality.
Issue: In the Collection > Events Sources page, the arrows that show the sorting order in Collector Managers, Event Source Servers, and Collector Plug-ins lists are not clearly visible. (BUG 897992)
Fix: In Sentinel 7.3.1, arrows that show the sorting order in event sources lists are clearly visible.
Issue: When the Sentinel proxy port receives malformed data such that the first 4 bytes of the data consumes large amounts of memory, Sentinel tries to allocate memory space for that data, and eventually runs out of memory. If this repeats for a few times, Sentinel server might shut down. (BUG 878690)
Fix: You can now configure the size of the data sent to the proxy port, the number of client connections, and the read timeout period. To configure these properties:
Log in as novell user and open the /etc/opt/novell/sentinel/config/configuration.properties file.
Set the proxied.client.max.payload.size property to the maximum data size for the proxy port.
Default value is 1 GB. If the data exceeds the specified limit, Sentinel stops the data transfer.
Set the proxied.client.max.connections property to the maximum number of times a client can try to send data to the proxy port. Default value is 10.
Set the proxied.client.read.timeout property to the maximum time period after which the data transfer stops. Default value is 30 seconds.
Save the configuration.properties file and restart Sentinel.
Also, there is no limit on the data buffer size now. Sentinel buffers data dynamically while receiving data from the proxy port.
Issue: Sentinel does not process raw data files that were not closed properly. This is a sporadic issue.(BUG 913841)
Fix: Sentinel correctly processes the raw data files that were not closed.
Issue: Sentinel might display an error when non-administrator users run reports that are created by the administrator user. (BUG 919966)
Fix: Non-administrator users can run and view all the reports to which their role has access permissions.
Issue: Sentinel displays an error when you try to add data sources or authorized requestors in Sentinel Appliance installations when two or more NICs are configured. (BUG 900177)
Fix: Perform the following steps after upgrading to Sentinel 7.3.1:
In the authorized requestor server, add the following property in the /etc/opt/novell/sentinel/config/configuration.properties file as follows:
sentinel.distsearch.console.ip=<one of the authorized requestor's IP addresses>
In the data source server, add the following property in the /etc/opt/novell/sentinel/config/configuration.properties file as follows:
sentinel.distsearch.target.ip=<one of the data source's IP addresses>
Restart Sentinel:
rcsentinel restart
Log in to the authorized requestor server and click Integration. If the data source you want to add is already present, delete it and add it again using one of the IP addresses you specified in Step 2.
Similarly, add authorized requestors using the IP addresses you specified in Step 1.
Issue: Sentinel displays irrelevant event data if the event search criteria substring contains special characters such as $ and # in event fields. (BUG 923724)
Fix: Perform the following steps to enable usage of special characters in event fields:
Log in as novell user and open the etc/opt/novell/sentinel/config/configuration.properties file.
Set the indexedLog.tokenizedField.enableSplCharSrch property to true.
Restart Sentinel.
Issue: Alert dashboards might not display any alerts in the Number of Alerts and Their Source pane, even though alerts are present. This happens because the default setting is to display alerts based on the longitude of their origin. (BUG 924361)
Fix: The Number of Alerts and Their Source pane now displays alerts based on the country of their origin by default.
Issue: While sending events to Sentinel, the Collector Manager drops events if it gets restarted or disconnected from Sentinel. (BUG 916418)
Fix: Collector Manager writes the events to a message broker while restarting or when disconnected from Sentinel, and sends these events to Sentinel when it re-establishes the connection.
Issue: In the Reports and Searches page, the content of the search name field overwrites the search duration fields. This makes it difficult to view the search name correctly and also to select the search duration time range. (BUG 928992)
Fix: The search result label and the date range fields do not overlap now.
Issue: Map updates take a long time to complete and might also bring the Sentinel performance down if the maps are large in size. (BUG 921905)
Fix: Sentinel 7.3.1 improves memory utilization during large map updates.
Issue: In Sentinel High Availability environments, remote Collector Manager and remote Correlation Engine fail to connect with Sentinel server after a failover. (BUG 912476)
Fix: Remote Collector Manager and remote Correlation Engine now connect with the Sentinel server after failover.
Issue: When you create alerts through REST API, Sentinel creates new alerts instead of rolling up alert information to an existing alert when the Repeat Count field is configured to a value. (BUG 909431)
Fix: Sentinel ignores the Repeat Count field and rolls up alerts correctly.
Issue: Sentinel might delete archived partitions on the secondary storage if it cannot connect to the corresponding online partitions on primary storage. This is a sporadic issue.(BUG 927972)
Fix: Sentinel does not delete archived partitions on the secondary storage.
For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page.
You can upgrade to Sentinel 7.3.1 from Sentinel 7.0 or later.
Download the Sentinel installer from the NetIQ Download website. For information about upgrading to Sentinel 7.3.1, see Upgrading Sentinel
in the NetIQ Sentinel Installation and Configuration Guide.
After the upgrade, the Data Proxy User (formerly Search Proxy User) role will not have the Allow users to manage alerts permission. This permission is necessary for the role to be able to perform remote alert search. Assign the Allow users to manage alerts permission to the Data Proxy User role manually. For more information, see Configuring Roles and Users
in the NetIQ Sentinel Administration Guide.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
The updates included in this service pack, including the Java 8 update and the security vulnerability fixes, might impact the following plug-ins:
Cisco SDEE Connector
SAP Connector
Remedy Integrator
For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies.
Section 4.1, Cannot View Alerts with IPv6 Data in Alert Views
Section 4.5, Cannot Receive Events from Change Guardian After Upgrading to Sentinel 7.3.1
Section 4.7, Bar Mitzvah Security Vulnerability in Sentinel Link Connector
Section 4.11, Sentinel Agent Manager Does Not Consider the RawDataTapFileSize Configuration
Section 4.13, Data Synchronization Fails While Synchronizing IPv6 Addresses in Human Readable Format
Section 4.14, Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions
Section 4.19, New Incoming Alerts Incorrectly Appear to be Selected When You Modify Existing Alerts
Section 4.20, Loading Historical Security Intelligence Data Takes a Long Time
Section 4.27, Sentinel Does Not Configure the Sentinel Appliance Network Interface By Default
Section 4.28, The Web Browser Displays an Error When Exporting Search Results in Sentinel
Section 4.29, Partitions Removed from Secondary Storage are Also Removed from Primary Storage
Section 4.30, Sentinel Services Might Not Start Automatically After the Installation
Section 4.31, Cannot Enable Kerberos Authentication in Sentinel Appliance Installations
Section 4.33, Restarting a Remote Collector Manager Causes Some Event Sources to Lose Connection
Section 4.34, Unable to View More Than One Report Result at a Time
Section 4.35, Agent Manager Requires SQL Authentication When FIPS 140-2 Mode is Enabled
Section 4.36, Sentinel High Availability Installation in FIPS 140-2 Mode Displays an Error
Section 4.37, Sentinel High Availability Installation in Non-FIPS 140-2 Mode Displays an Error
Section 4.38, Appliance Update From Versions Prior to Sentinel 7.2 Fails in WebYaST
Section 4.40, Sentinel Link Action Displays Incorrect Message
Section 4.41, Dashboard and Anomaly Definitions with Identical Names
Section 4.42, Active Search Jobs Duration and Accessed Columns Inaccuracies
Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (BUG 924874)
Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.
Issue: Sentinel displays an error when you try to configure NFS as secondary storage location after you Sentinel appliance to version 7.3.1. (BUG 934851)
Workaround: After upgrading to Sentinel appliance 7.3.1, restart the SLES operating system using the following command:
init 6
Issue: When you upgrade Sentinel from version 7.3 to version 7.3.1 and start the Sentinel server, you might see the following exception in the server log:
Invalid length of data object ......
(BUG 933640)
Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.
Issue: Sentinel uses the Diffie-Hellman protocol to communicate with Secure Configuration Manager. As part of fixing the Logjam vulnerability, the certificate key size for the Diffie-Hellman protocol in Sentinel has been increased to 2048. However, Secure Configuration Manager uses the default certificate key size; that is, 1024. Because of this mismatch, Secure Configuration Manager can no longer communicate with Sentinel. (BUG 935987)
Workaround: Until a fix is available from Secure Configuration Manager, you can perform the following steps:
WARNING:Performing this workaround overrides the fix for the Logjam vulnerability specified in Section 1.2, Security Vulnerability Fixes.
Log in as novell user and open the /etc/opt/novell/sentinel/config/configuration.properties file.
Comment out the following line following line by prefixing #:
jdk.tls.ephemeralDHKeySize=2048
Restart Sentinel.
Issue: As part of fixing the Bar Mitzvah vulnerability, Sentinel disabled the RC4 ciphers on SSL ports enabled for the Web server. However, Change Guardian uses RC4 ciphers to communicate with Sentinel. Therefore, Change Guardian can no longer communicate with Sentinel. (BUG 935401)
Workaround: Until a fix is available from Change Guardian, you can perform the following steps:
WARNING:Performing this workaround overrides the fix for the Bar Mitzvah vulnerability specified in Section 1.2, Security Vulnerability Fixes.
Log in as novell user and open the /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml file.
Delete the following lines from the ExcludeCipherSuites list:
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
Restart Sentinel.
Restart the Change Guardian service in the Change Guardian agent computer.
Issue: When Sentinel is integrated with Change Guardian 4.1, it does not display Change Guardian delta attached information, in spite of being configured to receive Change Guardian events. (BUG 936704)
Workaround: Upgrade Change Guardian to version 4.1.1 or later.
Or
The Change Guardian Solution Pack 2011.1r4 resolves this issue. Until it is officially released, you can download the Solution Pack from the Sentinel Plug-ins Previews website. You can view the delta information in the following Change Guardian reports after you apply the Solution Pack:
Change Guardian Events
Change Guardian Events by Asset
Change Guardian Events by Policy
Change Guardian Events by User
Issue: The Bar Mitzvah security vulnerability exists in Sentinel Link Connector. Sentinel Link Connector uses the RC4 algorithm in SSL and TSL protocols, which might allow plaintext recovery attacks against the initial bytes of a stream. For more information, see CVE-2015-2808. (BUG 933741)
Workaround: The Sentinel Link Connector version 2011.1r4 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.
Issue: If you specified a $ character in the password, Sentinel stores the password differently in the database depending on where the $ is placed in the password. If the password starts with the $ special character, Sentinel stores the password with a file name. If the $ character is somewhere in the middle of the password, Sentinel truncates the password to the location of the $ character. (BUG 734500)
Workaround: The actual password is stored in the home/novell/.pgpass file. Obtain the password from this file and then log in to Sentinel. For example, if you specified the password as abc$123, the Sentinel stores the password as abc in the .pgpass file. You can log in to Sentinel by specifying abc as the password.
Issue: The Agent Manager Connector version 2011.1r3 does not set the CONNECTION_MODE property in the events if the Collector parsing the events supports multiple connection modes. (BUG 880564)
Workaround: The Agent Manager Connector version 2011.1r5 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.
Issue: A vulnerability exists in SSL 3.0 that might allow plaintext of secure connections to be calculated. For more information, see CVE-2014-3566. This vulnerability exists in the bundled version of Syslog Connector 2011.1r4 since it uses the SSL protocol. (BUG 920018)
Workaround: The Syslog Connector version 2011.1r5 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.
Issue: Sentinel Agent Manager ignores the value specified in RawDataTapFileSize attribute in the SMServiceHost.exe.config file for the raw data file size configuration, and stops writing to the raw data file when the file size reaches 10 MB. (BUG 867954)
Workaround: Manually copy the content of the raw data file into another file and clear it when the file size reaches 10 MB, so that Sentinel Agent Manager can write new data into it.
Issue: In upgraded installations of Sentinel 7.3, when you search for alert attributes in the Tips table in the Web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (BUG 914755)
Workaround: There is no workaround at this time.
Issue:
Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy
in the NetIQ Sentinel Administration Guide. (BUG 913014)
Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.
Issue: If run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (BUG 908666)
Workaround: Update the role with one of the following options:
Specify a criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5].
Select View system events.
Select View all event data (including raw data and NetFlow data).
Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (BUG 900293)
Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.
Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (BUG 912820)
Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.
Issue: Sentinel running in FIPS 140-2 mode does not display Change Guardian delta attached information when you search for Change Guardian events and click the Change Guardian icon, in spite of being configured to receive Change Guardian events. Change Guardian 4.1.1.1 and earlier versions do not support sending events in FIPS 140-2-compatible mode. (BUG 912230)
Workaround: There is no workaround at this time.
Issue: Upgrading to Sentinel 7.3 causes data collection and data synchronization with the DB2 database to fail, because the upgrade removes the IBM DB2 JDBC driver. (BUG 909343)
Workaround: After upgrading to Sentinel 7.3, add the correct JDBC Driver and configure it for data collection and data synchronization, by performing the following steps:
Copy the correct version of the IBM DB2 JDBC driver (db2jcc-*.jar) for your version of the DB2 database in the /opt/novell/sentinel/lib folder.
Ensure that you set the necessary ownership and permissions for the driver file.
Configure this driver for data collection. For more information, see the Database Connector documentation.
Issue: When you click Select All in alerts views to select alerts, deselect few alerts, and modify them, new incoming alerts are also selected in the refreshed alert views. This results in wrong count of alerts selected for modification, and also it appears as if you are modifying new incoming alerts too. However, only the originally selected alerts are modified. (BUG 904830)
Workaround: No new alerts will appear in the alert view if you create the alert view with a custom time range.
Issue: Historical Security Intelligence (SI) data takes a long time to load in Sentinel systems that have a high Events Per Second (EPS) load. (BUG 908599)
Workaround: If you are creating a security intelligence dashboard with historical data, plan to deploy the dashboard when the load on your system is lower, if possible. There is no other workaround at this time.
Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (BUG 912009)
Workaround: The correct dates are updated after the baseline regeneration is complete.
Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (BUG 913599)
Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.
You can create retention policies that filter events based on the estzhour field, which tracks the hour of the day. Therefore, you can create one retention policy with estzhour:[0 TO 11] as the filter and another retention policy with estzhour:[12 TO 23] as the filter.
For more information, see Configuring Data Retention Policies
in the NetIQ Sentinel Administration Guide.
Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (BUG 914874)
Workaround: Configure Sentinel ports for firewall exceptions through the following steps:
Open the /etc/sysconfig/SuSEfirewall2 file.
Change the following line:
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590"
to
FW_SERVICES_EXT_TCP=" 443 8443 4984 22 61616 10013 289 1289 1468 1443 40000:41000 1290 1099 2000 1024 1590 5432"
Restart Sentinel.
Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (BUG 906715)
Workaround: There is no workaround at this time.
Issue: When you install Sentinel in FIPS 140-2 mode, connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, Netflow, and alert data. (BUG 915241)
Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.
Issue: When you upgrade to Sentinel 7.3 from a custom installation of Sentinel that was installed by a non-root user and was configured in FIPS 140-2 mode, Security Intelligence database and Alert Dashboard occasionally do not start. (BUG 916285)
Workaround: Perform the following steps:
Go to <custom installation directory>/opt/novell/sentinel/bin to know the Sentinel Indexing Service.
Run the following command:
./si_db.sh status
Verify whether the following output displayed:
Connection between alert store and indexing service is running. Security Intelligence database is running. Indexing service is running.
If any of the above mentioned three services are not running, perform the following steps.
Run the following command to stop Sentinel:
rcsentinel stop
Log in to the Sentinel server as the novell user.
Run the following command:
<custom installation directory>/opt/novell/sentinel/bin/si_db.sh startnoauth
Run the following commands to add dbauser and appuser users:
cd <custom installation directory>/opt/novell/sentinel/3rdparty/mongodb/bin
./mongo
use admin
db.addUser ("dbauser", "novell")
use analytics
db.addUser ("appuser", "novell")
exit
Stop the MongoDB database:
<custom installation directory>/opt/novell/sentinel/bin/si_db.sh stop
Perform the following steps to add encrypted password fields:
Run the following command to get the encrypted password for the novell user:
<custom installation directory>/opt/novell/sentinel/bin/encryptpwd -e novell
Encrypted password is displayed. For example:
bVWOzu6okMmMCkgM0aHeQ==
In the configuration.properties file, update the baselining.sidb.password and baselining.sidb.dbpassword properties with the encryptedpassword. for example:
baselining.sidb.password=9bVWOzu6okMmMCkgM0aHeQ==
baselining.sidb.dbpassword=9bVWOzu6okMmMCkgM0aHeQ==
Exit from novell user account and start Sentinel as root user using the following command:
rcsentinel start
NOTE:Run the configure.sh script to reset the password whenever needed. For more information about running the configure.sh script, see Modifying the Configuration after Installation
in the NetIQ Sentinel Installation and Configuration Guide.
Issue: When installing Sentinel Appliance, the network interface is not configured by default. (BUG 867013)
Workaround: To configure the network Interface:
In the Network Configuration page, click Network Interfaces.
Select the network interface and click Edit.
Select Dynamic Address and then select either DHCP or Static assigned IP Address.
Click Next and then OK.
Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (BUG 834874)
Workaround: To export search results properly, perform either of the following:
While exporting the search results, remove any special characters (outside the ASCII characters) from the export filename.
Enable UTF-8 in the operating system language settings, restart the machine, and then restart the Sentinel server.
Issue: If the number of days of data that secondary storage can hold is less than the number of days of data that primary storage holds, Sentinel does not use the disk space in primary storage efficiently. Partitions removed from secondary storage to free up space will also be removed from primary storage. (BUG 860888)
Workaround: Allocate enough space in secondary storage to hold data for the total number of days you want to keep online (searchable).
For more information, see Event Data
in the NetIQ Sentinel Administration Guide.
Issue: On systems with more than 2 TB disk space, Sentinel might not start automatically after the installation. (BUG 846296)
Workaround: As a one-time activity, start the Sentinel services manually by specifying the following command:
rcsentinel start
Issue: In Sentinel appliance installations, if you configure Kerberos authentication in the Kerberos module, the console displays a confirmation message that the Kerberos client configuration was successful. When you view the Kerberos module again, however, the Enable Kerberos Authentication option is deselected. (BUG 843623)
Workaround: There is no workaround at this time.
Issue: When you install a remote Collector Manager, if you specify a password that contains special characters, such as ‘$’, ‘"‘, ‘\’, or ‘/’, the installation fails with errors. (BUG 812111)
Workaround: Do not use special characters in the remote Collector Manager password.
Issue: When you restart a remote Collector Manager appliance, the Syslog event sources connected on the UDP port lose connection. (BUG 795057)
Workaround: There is no workaround available at this time.
Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (BUG 804683)
Workaround: Click the second report result PDF again to view the report result.
Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (BUG 814452)
Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.
Issue: If FIPS 140-2 mode is enabled, the Sentinel High Availability installation displays the following error:
Sentinel server configuration.properties file is not correct. Check the configuration file and then run the convert_to_fips.sh script again to enable FIPS mode in Sentinel server.
However, the installation completes successfully. (BUG 817828)
Workaround: There is no fix or workaround available at this time. Although the installer displays the error, the Sentinel High Availability configuration works successfully in FIPS 140-2 mode.
Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:
/opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments
(BUG 810764)
Workaround: There is no fix or workaround available at this time. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.
Issue: Appliance update from versions prior to Sentinel 7.2 fails because the vendor for the update packages has changed from Novell to NetIQ. (BUG 780969)
Workaround:
Use the zypper command to upgrade the appliance. For more information, see Upgrading the Appliance by Using zypper
in the NetIQ Sentinel Installation and Configuration Guide.
Issue: Solution Manager does not install correlation rules when a correlation rule with an identical name already exists on the system. A NullPointerException error is logged in the console. (BUG 713962)
Workaround: Ensure that all correlation rules have a unique name.
Issue: When you execute a Sentinel Link action from the Web interface Sentinel displays a success message even though the Sentinel Link Connector integrator test failed from the Sentinel Control Center. (BUG 710305)
Workaround: There is no workaround at this time.
Issue: When a Security Intelligence dashboard and an anomaly definition have identical names, the dashboard link is disabled on the Anomaly Details page. (BUG 715986)
Workaround: Ensure you use unique names when creating dashboards and anomaly definitions.
Issue: The Sentinel Web interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Web interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Web interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (BUG 719875)
Workaround: Ensure the time on the computer you use to access the Sentinel Web interface is the same as or later than the time on the Sentinel server computer.
Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (BUG 870609)
Workaround: There is no workaround at this time.
Issue: Sentinel Control Center does not launch when the NetIQ Identity Manager Designer is installed on the client computer and Designer uses the system JRE. Designer needs to add some supporting jar files like xml-apis.jar to the lib/endorsed directory. Some of the classes in the xml-apis.jar file override the corresponding classes in the system JRE that is used by the Sentinel Control Center. (BUG 888085)
Workaround: Configure Designer to use its own JRE.
Issue: While collecting event data, Sentinel Agent Manager does not capture the Windows Insertion String fields with null values. (BUG 838825)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
NetIQ Sentinel is protected by United States Patent No(s): 05829001.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material (“Module”) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2015 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.