Sentinel 7.1.2 includes new features, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable inputs. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.
The documentation for this product and the latest release notes are available on the NetIQ Web site on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Sentinel 7.1 Documentation Web site.
To download this product, see the Sentinel Product Web site.
The following sections outline the enhancements and the issues resolved in Sentinel 7.1.2:
Sentinel 7.1.2 includes the following enhancements:
Sentinel 7.1.2 now includes Java 7 update 51, which includes fixes for several security vulnerabilities.
The Sentinel appliance now includes the Audit package (auditd) that helps you to log and track system activities. It helps you to detect any violation of your security policies and ensures that violations are addressed.
By default, the auditd binary is disabled. To enable the audit package, see the SUSE Linux Enterprise Server documentation.
Sentinel 7.1.2 improves the Sentinel system performance in the following areas:
Sentinel 7.1.2 improves the Sentinel system performance in the areas of Searching and Reporting, and also improves the system stability under high load.
Sentinel 7.1.2 includes several fixes to improve the processing speed for Security Intelligence dashboards. Sentinel monitors the event load and generates a performance event that provides details about the event load on Security Intelligence. If the system overloads, Sentinel generates an audit event to notify you that Security Intelligence cannot process any more events. This allows you to understand the event load on Security Intelligence and make adjustments accordingly.
Sentinel 7.1.2 includes several fixes to monitor the correlation actions in the queue. Sentinel logs the number of correlation actions waiting to be executed in the server logs. Sentinel also generates an audit event if the number of correlation actions in the queue increases beyond 75% of the hard-coded queue size limit. This allows you to understand the load on correlation actions and make adjustments accordingly.
Sentinel 7.1.2 improves the event rate when receiving events or attachments from NetIQ Change Guardian. Sentinel 7.1.2 also monitors the uploading of events and attachments from NetIQ Change Guardian by generating an internal performance event, EventsResourcePerformanceSummary, every five minutes providing details about the number of requests received and the number of requests rejected. This helps you to understand the event load when receiving events from NetIQ Change Guardian.
Sentinel 7.1.2 provides software fixes for the following issues.
Issue: When Sentinel receives large volumes of raw data from multiple remote collector managers, Sentinel may run out of memory. (BUG 860377)
Fix: Sentinel 7.1.2 improves the system stability and Sentinel does not run out of memory.
Issue: When you run a summary-type report on large data sets, and the number of unique groups in the report exceeds the default limit of 10,000, the report fails and displays an exception. (BUG 840640)
Fix: The default limit for the maximum number of unique groups in a report is now increased to 20,000. You can also modify this limit by adding the following property in the $ESEC_CONFIG_HOME/configuration.properties file:
sentinel.reporting.maxgroupnodes=<Max_Group_Value>
Restart the Sentinel server after modifying the sentinel.reporting.maxgroupnodes property.
Issue: Upgrades from Sentinel versions prior to 7.1.1.0 include a data migration process for the Security Intelligence database. If there is a large amount of data in this database, the upgrade utilizes many system resources and Sentinel becomes slow and unresponsive. (BUG 867685)
Fix: The migration utility now migrates the data in batches and there is a sleep period after migration of each batch. This ensures that the Security Intelligence migration process does not utilize many system resources and Sentinel runs properly.
Issue: When you back up the Sentinel data using the -i option, the backup does not include the authentication details for the appuser and dbuser in the Security Intelligence database. Therefore, when you restore the backup, Sentinel fails to authenticate with the Security Intelligence database and displays an error. (BUG 853713)
Fix: Sentinel now overwrites the records related to authentication details when you restore the backup. Therefore, the Security Intelligence dashboard now launches successfully.
Issue: When configuring anomaly detection, the total number of events cannot be set to greater than zero. (BUG 843843)
Fix: You can now specify the total number of events as greater than zero.
Issue: When you perform a search, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) and SourceIP (IP address). (BUG 830905)
Fix: The IssueSAMLToken audit event now displays correct information.
However, this issue still exists if you log in to the Security Intelligence dashboard. For more information, see Section 4.3, When You Log In to the Security Intelligence Dashboard, the IssueSAMLToken Audit Event Displays Incorrect Information.
Issue: When you upload a map file containing semicolons as delimiters and the number range is not the first column, Sentinel does not display maps in the Edit Map Definition window and throws a null pointer exception in the Java Console log. (BUG 858535)
Fix: The Edit Definition window now displays maps without the exception.
Issue: The Event Configuration window displays incorrect map name for the event fields that are referenced from custom maps. (BUG 859045)
Fix: The Event Configuration window now displays the correct map name for the event fields that are referenced from custom maps.
Issue: If the total number of events from multiple targets is less than 25, Sentinel does not show the distributed search result and displays an error. (BUG 862125)
Fix: Sentinel now displays the distributed search result even if the total number of events from multiple targets is less than 25.
Issue: If the Sentinel user password contains a colon (:), login to the Sentinel Web Console fails and displays an error. (BUG 817681)
Fix: Sentinel now allows login using a password that contains the colon character.
Issue: Some correlation rules generate a large number of correlated events. As a result, Sentinel services initiate multiple simultaneous searches to get the list of events that generated the correlated events. These simultaneous non-user initiated searches consume all open files and cause Sentinel to run out of memory. (BUG 869882)
Fix: Sentinel 7.1.2 improves the system availability by limiting the number of simultaneous non-user initiated searches to five.
You can upgrade to Sentinel 7.1.2 from Sentinel 7.0 or later.
For information about hardware requirements, supported operating systems, and browsers, see Meeting System Requirements in the NetIQ Sentinel 7.1 Installation and Configuration Guide.
Download the service pack from the Product Download Web site. You can configure the upgrade installation script to back up the configuration data and the baseline Security Intelligence data before upgrading Sentinel. For more information, see Automatic Back Up of Configuration Data and Baseline Security Intelligence Data.
The following sections provide information about upgrading Sentinel:
NOTE:
After the upgrade is complete, when the system starts for the first time, Sentinel might take a few minutes to start because the system performs a one-time update to the Security Intelligence schema. The time required to start depends on the amount of Security Intelligence data in your system.
After you upgrade Sentinel, clear the Java Web Start cache on the client computers to use the latest version of Sentinel applications. You can clear the Java Web Start cache by either using the javaws -clearcache command or by using Java Control Center. For more information, see http://www.java.com/en/download/help/plugin_cache.xml.
You can now configure Sentinel to automatically back up the configuration data and the baseline Security Intelligence data before the upgrade. Enabling this automatic backup causes the upgrade process to take longer and requires more disk space. To estimate the additional time and disk space required, run the backup utility manually, using the -c and -b options.
To configure automatic data backup, perform the following steps:
Open the /etc/opt/novell/sentinel/config/configuration.properties file.
Add the following property and set the value to true:
sentinel.upgrade.backup=true
Save the changes.
When you upgrade Sentinel, it automatically backs up the configuration data and the baseline Security Intelligence data, and stores the backup files at the /var/opt/novell/sentinel/data/updates directory.
NOTE: You must manually back up other data, such as the event data, raw event data, Security Intelligence database, and so on as necessary. For more information about backing up and restoring data, see “Backing Up and Restoring Data” in the Sentinel 7.1 Administration Guide.
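The following shell helper is an added example, not NetIQ code: it sets a property in configuration.properties idempotently, which serves both the sentinel.upgrade.backup steps above and the sentinel.reporting.maxgroupnodes fix described earlier. The function names get_property and set_property are hypothetical.

```shell
#!/bin/sh
# Added example (not NetIQ code). Helper names are hypothetical.

# get_property FILE KEY: print the value of the last active assignment of KEY.
get_property() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*[=:]/ {
            v = substr(line, length(k) + 1)
            sub(/^[ \t]*[=:][ \t]*/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# set_property FILE KEY VALUE: leave exactly one active "KEY=VALUE" line.
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1          # revert point, same mode
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop every active assignment of KEY (comments and other keys are kept),
    # so a stale "KEY=false" further down cannot override the new value.
    awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*[=:]/ { next }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write through the existing file so its owner and permissions are unchanged.
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage on the Sentinel server (paths and property names are from the release notes):
#   set_property /etc/opt/novell/sentinel/config/configuration.properties sentinel.upgrade.backup true
#   set_property "$ESEC_CONFIG_HOME/configuration.properties" sentinel.reporting.maxgroupnodes <Max_Group_Value>
```

After changing sentinel.reporting.maxgroupnodes, restart the Sentinel server as the release notes require; get_property can confirm the active value beforehand.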
For information about upgrading to Sentinel 7.1.2, see “Upgrading Sentinel” in the NetIQ Sentinel 7.1 Installation and Configuration Guide.
When you upgrade the Sentinel traditional installation in a high availability setup, first upgrade the passive nodes in the cluster, then upgrade the active cluster node.
1. Enable the maintenance mode on the cluster:
   crm configure property maintenance-mode=true
   Maintenance mode helps you to avoid any disturbance to the running cluster resources while you update Sentinel. You can run this command from any cluster node.
2. Verify whether the maintenance mode is active:
   crm status
   The cluster resources should appear in the unmanaged state.
3. Upgrade the passive cluster node:
   a. Stop the cluster stack:
      rcopenais stop
      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
   b. Log in as root to the server where you want to upgrade Sentinel.
   c. Extract the install files from the tar file:
      tar xfz <install_filename>
   d. Run the following command in the directory where you extracted the install files:
      ./install-sentinel --cluster-node
   e. After the upgrade is complete, restart the cluster stack:
      rcopenais start
4. Repeat Step 3 for all passive cluster nodes.
5. Upgrade the active cluster node:
   a. Back up your configuration, then create an ESM export. For more information about backing up data, see Backing Up and Restoring Data in the NetIQ 7.1 Administration Guide.
   b. Stop the cluster stack:
      rcopenais stop
      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
   c. Log in as root to the server where you want to upgrade Sentinel.
   d. Run the following command to extract the install files from the tar file:
      tar xfz <install_filename>
   e. Run the following command in the directory where you extracted the install files:
      ./install-sentinel
   f. After the upgrade is complete, start the cluster stack:
      rcopenais start
6. Disable the maintenance mode on the cluster:
   crm configure property maintenance-mode=false
   You can run this command from any cluster node.
7. Verify whether the maintenance mode is inactive:
   crm status
   The cluster resources should appear in the Started state.
8. (Optional) Verify whether the Sentinel upgrade is successful:
   rcsentinel version
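The two crm status checks in this procedure can be turned into a gate that stops the upgrade when the cluster is not in the expected state. This is an added example, not NetIQ code; the function names, the node and resource names, and the assumed layout of a resource line in crm status output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetIQ code): gate each phase of the HA upgrade on the
# resource state reported by `crm status`.

# cluster_state: reads `crm status` text on stdin and prints one word:
#   unmanaged  every resource line is marked unmanaged (maintenance mode on)
#   started    every resource line is Started and none is unmanaged
#   mixed      anything else (a Stopped or FAILED resource, or a partial change)
#   unknown    no resource lines were recognised
# Assumption: a resource line carries its agent in parentheses, for example
# "(ocf::heartbeat:IPaddr2):"; adjust the pattern if your output differs.
cluster_state() {
    awk '
        /\((ocf|lsb|stonith):[^)]*\)/ {
            total++
            if ($0 ~ /unmanaged/)    unmanaged++
            else if ($0 ~ /Started/) started++
        }
        END {
            if (total == 0)              print "unknown"
            else if (unmanaged == total) print "unmanaged"
            else if (started == total)   print "started"
            else                         print "mixed"
        }'
}

# require_state EXPECTED: fail (non-zero) unless stdin describes EXPECTED.
require_state() {
    actual=$(cluster_state)
    [ "$actual" = "$1" ] && return 0
    echo "cluster resources are '$actual', expected '$1'" >&2
    return 1
}

# Constructed sample of `crm status` in maintenance mode; the node and
# resource names are hypothetical.
sample_maintenance_status() {
    cat <<'EOF'
Online: [ node01 node02 ]
 sentinel-ip  (ocf::heartbeat:IPaddr2):     Started node01 (unmanaged)
 sentinel-fs  (ocf::heartbeat:Filesystem):  Started node01 (unmanaged)
 sentinel     (lsb:sentinel):               Started node01 (unmanaged)
EOF
}

# On a cluster node:
#   crm status | require_state unmanaged && rcopenais stop   # before upgrading a node
#   crm status | require_state started                       # after maintenance-mode=false
```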
When you upgrade the appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. You must upgrade the appliance by using the zypper patch command.
To upgrade the appliance by using zypper:
Back up your configuration, then create an ESM export. For more information, see Backing Up and Restoring the Data in the NetIQ Sentinel 7.1 Administration Guide.
Log in to the appliance console as the root user.
Run the following command:
/usr/bin/zypper patch
Enter 1 to accept the vendor change from Novell to NetIQ.
Enter Y to proceed.
Enter yes to accept the license agreement.
Restart the Sentinel appliance.
If you upgrade Sentinel from 7.0 to 7.1.2 and your Sentinel installation is in a non-default location, run the following commands as the novell user:
ln -s "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/3rdparty/activemq/activemq-all-5.4.2.jar" "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/lib/activemq-all-5.4.2.jar"
Where $RPM_INSTALLATION_PREFIX is the location of the Sentinel installation.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issue is currently being researched. If you need further assistance with any issue, please contact Technical Support.
For the list of known issues in previous versions of Sentinel, see the “Previous Releases” section in the Sentinel 7.1 Documentation Web site.
Issue: If Sentinel is in FIPS mode, the Sentinel Web console does not launch in Internet Explorer (with TLS version set only to 1.2) and logs an exception in the server logs. (BUG 875251)
Workaround: To launch Sentinel Web Console in FIPS mode in Internet Explorer:
Downgrade the Java version on the Sentinel server to Java 7 update 45.
For more information, see the instructions in TID 7014980 in the NetIQ Support Knowledge Base.
In Internet Explorer, click Tools > Internet Options > Advanced.
In the security section, select either Use TLS 1.0 or Use TLS 1.1.
NOTE: Changing the value of the TLS to 1.0 or 1.1 might decrease your security level.
Issue: Sentinel 7.1.2 includes Oracle Java 1.7 update 51, which has a known issue related to RSA client key exchange in FIPS mode (http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html). This causes connection problems when Sentinel is running in FIPS mode and attempting to receive connections from clients like Security Manager and Sentinel Agent Manager. (BUG 872305)
Workaround: To successfully establish the SSL connection in FIPS-compatible mode, downgrade the Java version on all Sentinel servers to Java 7 update 45 (which doesn't have the key exchange issue).
For more information, see the instructions in TID 7014980 in the NetIQ Support Knowledge Base.
NOTE: To establish a successful connection between Sentinel Agent Manager and Sentinel running in FIPS mode, ensure you install or upgrade to Sentinel Agent Manager Connector 2011.1r3. To download the Sentinel Agent Manager Connector, see the Sentinel Plug-ins Web site.
Issue: When you log in to the security dashboard and perform a search for the IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or SourceIP (IP address). (BUG 870609)
Workaround: There is no workaround at this time.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
NetIQ Sentinel is protected by United States Patent No(s): 05829001.
© 2014 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.