Sentinel 8.1 SP1 includes new features, improves usability, and resolves several previous issues.

Transcription

1 Sentinel 8.1 Service Pack 1 Release Notes January 2018 Sentinel 8.1 SP1 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Sentinel forum, our online community that also includes product information, blogs, and links to helpful resources. The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Sentinel Documentation page. To download this product, see the Sentinel Product Upgrade website. Section 1, What s New?, on page 1 Section 2, System Requirements, on page 9 Section 3, Installing Sentinel 8.1.1, on page 9 Section 4, Upgrading to Sentinel 8.1.1, on page 9 Section 5, Known Issues, on page 9 Section 6, Contact Information, on page 16 Section 7, Legal Notice, on page 16 1 What s New? The following sections outline the key features and enhancements, and also the issues resolved in this release: Section 1.1, Security Vulnerability Fix, on page 1 Section 1.2, Oracle Java Runtime Environment Upgrade, on page 1 Section 1.3, Enhancements, on page 2 Section 1.4, Software Fixes, on page Security Vulnerability Fix Sentinel includes fixes to resolve the Sweet32 (CVE ) vulnerability. 1.2 Oracle Java Runtime Environment Upgrade Sentinel includes Java 8 update152, which includes fixes for several security vulnerabilities. Sentinel 8.1 Service Pack 1 Release Notes 1

2 1.3 Enhancements Sentinel includes the following enhancements: Section 1.3.1, New Audit Events for Failed To Correlate Messages, on page 2 Section 1.3.2, Adds the Ability to Assign the View Report Results Permission to a Role, on page 2 Section 1.3.3, Enhancement to Editing Time Range, on page 2 Section 1.3.4, Ability to Set End Time for Data Synchronization, on page 3 Section 1.3.5, Ability to Add Up To 60 Characters for a User Name, on page 3 Section 1.3.6, Enhancements to the Raw Data Retention Size Refresh Rate, on page 3 Section 1.3.7, summary_key Column as the Primary Key for Event Summary Tables, on page New Audit Events for Failed To Correlate Messages Sentinel now generates audit events for Failed To Correlate messages that occur when: Events arrive late with a time difference greater than 30 seconds. The reorder buffer is full. (Bug ) Adds the Ability to Assign the View Report Results Permission to a Role Issue: Customers requested the ability to create a role that would let a user view report results but not run or delete reports. The View Report Results permission exists but cannot be granted to a role in User/Role Management. (Bug ) Fix: You can now make the View Report Results permission visible in User/Role Management so that you assign a role this permission. Complete the following steps: 1 Open the /etc/opt/novell/sentinel/config/ui-configuration.properties file for editing. 2 Add the following property: viewreportresults.hideui=false 3 Save your changes. 4 Exit and restart the Web UI. You should also press Control-F5 to clear the browser cache. 5 Navigate to User/Role Management, and create a new role. You should see the View Report Results permission Enhancement to Editing Time Range When editing reports, the Date Picker no longer shows the date when the report was last run. It now defaults to the current date to avoid the need to click many months forward if the Start Time is older than the current date. (Bug ) 2 Sentinel 8.1 Service Pack 1 Release Notes

3 1.3.4 Ability to Set End Time for Data Synchronization You can now set the end time for a data synchronization policy so that you can synchronize data only for certain time ranges. This ability is available only for new data synchronization policies and it is not available for existing data synchronization policies. (Bug ) Ability to Add Up To 60 Characters for a User Name You can now enter a maximum of 60 characters in the Username field, while creating users. (Bug ) Enhancements to the Raw Data Retention Size Refresh Rate The following enhancements are done for raw data retention size refresh interval in the Storage > Events > Data Retention user interface: The default Raw Data Retention size refresh interval has been changed to every 12 hours to avoid performance issues when raw data is large. The default timeout interval has been changed to every 60 minutes. You can customize these default values, if required: 1. Log in to the Sentinel server as novell user. 2. In the /etc/opt/novell/sentinel/config directory, create a file as: objcomponent.diskstatisticscache.properties. 3. In the properties file, set the properties to the desired value as follows: <obj-component id="diskstatisticscache"> <class>esecurity.ccs.comp.auth.diskstatisticscache</class><property name="onlinerawdatacheckinterval">value_in_milliseconds</property><property name="onlinerawdatatasktimeoutperiod">value_in_milliseconds</property></objcomponent> 4. Restart the Sentinel server. (Bug ) summary_key Column as the Primary Key for Event Summary Tables summary_key column in Event Summary tables is now the primary key, which allows other database tools to benefit from proper meta data. (Bug ) 1.4 Software Fixes Sentinel includes software fixes that resolve the following issues: Section 1.4.1, Search Results in the Exported CSV File Are Blank, on page 4 Section 1.4.2, Notifications for Scheduled Reports Do Not Display AM or PM for Time, on page 5 Section 1.4.3, Sentinel Main in Appliance Does Not Launch When Upgraded From Sentinel x or Earlier, on page 5 Section 1.4.4, EventSearch Rest API Does Not Work After Upgrading Sentinel to Sentinel 8.0.1, on page 5 Section 1.4.5, Correlation Engine Does Not Trigger Current Day Events if the Previous Event Had a Timestamp Beyond the Epoch Date, on page 5 Sentinel 8.1 Service Pack 1 Release Notes 3

4 Section 1.4.6, Sentinel Not Responsive after Enabling ISE Integration, on page 5 Section 1.4.7, Refinement Panel Displays Error During Search, on page 5 Section 1.4.8, Sentinel API Documentation Does Not List All the Required Libraries, on page 6 Section 1.4.9, Event Fields Do Not Display Collector Manager Information, on page 6 Section , Some Scheduled Reports are Failing, on page 6 Section , Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard Reports Take a Longer Time to Execute, on page 6 Section , Alert View Appropriately Filters Data for All New Alerts, on page 6 Section , The /SentinelRESTServices/objects/plugin REST API Provides Plugin Information in Encrypted Format, on page 6 Section , Scheduled Search Job Fails, on page 6 Section , Sentinel Cannot Run Local Reports with Default EPS License, on page 6 Section , Sentinel Core Top 10 Report Fails, on page 7 Section , Data Federation Search Results Contain Duplicate Events, on page 7 Section , Sentinel Agent Manager Synchronizes Agents without Exceptions, on page 7 Section , Correlation Engine Indicates Status as Offline When the Engine is Actually Idle, on page 7 Section , Errors in Server Logs when the Message Field in the Event Has More Than 8000 Characters, on page 7 Section , Data Synchronization Does Not Work After Upgrading Sentinel to Version , on page 7 Section , Agent Manager Section in Sentinel Main is Grayed Out, on page 7 Section , Report Generation Fails if Events Contain Special Characters, on page 7 Section , Collector Manager Does Not Restart When There Are Large Event Offsets, on page 7 Section , Auto Alert Always Updates EventThroughputUtilization at 100% utilization, on page 8 Section , The collectormgr-status REST API Endpoint Displays Incorrect Status, on page 8 Section , report_dev_setup.sh Does Not Back Up the Firewall Configuration File, on page 8 Section , The Test Connectivity Button in the Sentinel Agent Manager Console Initiates With a Ping, on page 8 Section , When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays, on page 8 Section , Exception in the Sentinel Server Log When You Upgrade Sentinel Versions Prior to 7.3 SP1 to Versions 7.3 SP1 and Later, on page 8 Section , Cannot View Alerts with IPv6 Data in Alert Views, on page Search Results in the Exported CSV File Are Blank Issue: When you export search results that include events from secondary storage, the CSV file only contains the headers and not the actual search results. (Bug , Bug ) Fix: The CSV file now includes the search results you export. 4 Sentinel 8.1 Service Pack 1 Release Notes

5 Notifications for Scheduled Reports Do Not Display AM or PM for Time notifications now display AM or PM appropriately. (Bug ) Sentinel Main in Appliance Does Not Launch When Upgraded From Sentinel x or Earlier Sentinel Main now launches successfully. (Bug ) EventSearch Rest API Does Not Work After Upgrading Sentinel to Sentinel EventSearch Rest API completes successfully without any exceptions. (Bug ) Correlation Engine Does Not Trigger Current Day Events if the Previous Event Had a Timestamp Beyond the Epoch Date Issue: Correlation Engine does not trigger current day events if the previous event had a timestamp beyond the epoch date. It displays the exception Correlation reorder buffer is full and crashes eventually. (Bug ) Fix: Correlation Engine now triggers current day events without exceptions Sentinel Not Responsive after Enabling ISE Integration Issue: Two or three days after ISE integration, Sentinel becomes unresponsive. Sentinel server logs included the following message, which indicated out-of-memory exceptions and the inability to create threads: java.lang.outofmemoryerror: unable to create new native thread This issue resulted from the large number of map updates that the ISE integration triggers, as well as an issue specific to maps with exactly one RANGE key plus one or more STRING keys. When this particular set of circumstances occurred, Sentinel created a separate h2temp directory for every unique String Key value. This meant that when the ISE ipmap.csv file had entries (as might be typical during regular operating hours), Sentinel would recreate the h2temp directories for every 30-second map update. (Bug ) Fix: The default map used to store maps, which specifically contains one RANGE key plus one or more STRING keys, is now in-memory map. The map does not use an H2 database and thus does not need to create the many h2temp directories. NOTE: You can configure whether range/key maps use objects that require temporary directories. Add the new sentinel.mapping.h2.usedbrangemap system property to the Sentinel configuration.properties file. This system property has the following values: false: Use DataObjectKeyRangeMap objects, which do not require temporary directories (default value) true: Use DBRangeMapDataObjectStorage objects, which require temporary directories Refinement Panel Displays Error During Search Issue: If you run a search for events, and then click the Search button while the search is still running, the refinement panel displays the following message: Sentinel 8.1 Service Pack 1 Release Notes 5

6 Field counts based on the first 0 events. (Bug ) Fix: The Search button is now disabled while the search is running. After all jobs are completed, the Search button will be available again Sentinel API Documentation Does Not List All the Required Libraries Issue: The API documentation does not list all of the client download libraries the REST API requires to work properly. (Bug ) Fix: The Sentinel API Documentation now lists all the client download libraries that the REST API requires Event Fields Do Not Display Collector Manager Information Issue: When a Sentinel server loses contact with a Collector Manager, the server generates LostContactWithCollectorManager and CollectorManagerDown internal events. The CollectorNodeName(port) and CollectorManagerId(rv21) event fields on these internal events do not display the information related to the Collector Manager. (Bug ) Fix: The CollectorNodeName(port) and CollectorManagerId(rv21) event fields now correctly display the Collector Manager Name and the Collector Manager ID Some Scheduled Reports are Failing All scheduled reports now run successfully. (Bug ) Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard Reports Take a Longer Time to Execute Sentinel Core Top 10 and Sentinel Core Top 10 Dashboard reports now take less time to execute. (Bug ) Alert View Appropriately Filters Data for All New Alerts This release resolves an issue where Sentinel erroneously displayed all alerts even though you chose the All New Alerts filter in the Alert View. (Bug ) The /SentinelRESTServices/objects/plugin REST API Provides Plugin Information in Encrypted Format The /SentinelRESTServices/objects/plugin REST API now provides plugin information in human readable format. (Bug ) Scheduled Search Job Fails The scheduled search job now runs successfully. (Bug ) Sentinel Cannot Run Local Reports with Default EPS License Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error: License for Distributed Search feature is expired (Bug ) 6 Sentinel 8.1 Service Pack 1 Release Notes

7 Fix: Sentinel Core Top 10 Report Fails The Sentinel Core Top 10 report now runs successfully. (Bug ) Data Federation Search Results Contain Duplicate Events Issue: When you use Data Federation to search for events in a distributed environment, the Search Results page displays duplicate events. (Bug ) Fix: The Search Results page no longer displays duplicate events Sentinel Agent Manager Synchronizes Agents without Exceptions This release resolves an issue where the agent data synchronization process (ETL) failed with an exception if an agent that you added synchronized with Sentinel before Sentinel Agent Manager collected the agent s attributes. (Bug ) Correlation Engine Indicates Status as Offline When the Engine is Actually Idle Correlation Engine now indicates its status as Idle when it is in Idle state. (Bug ) Errors in Server Logs when the Message Field in the Event Has More Than 8000 Characters Issue: When the Message field of an event has more than 8000 characters, Sentinel truncates the message. It prints the first 8000 characters as well as the truncated characters along with the following message in the logs resulting in the logs filled with the Message information:value for attribute msg is too long. Size is 4,096 utf-8 (each char may be multi-byte), max is 4,000 bytes, truncating <truncated_characters>(bug ) Fix: Sentinel now displays only 256 characters from the truncated message in the server0.0 log Data Synchronization Does Not Work After Upgrading Sentinel to Version Data synchronization works successfully after upgrading Sentinel to (Bug ) Agent Manager Section in Sentinel Main is Grayed Out Issue: In the Data Collection > Event Sources tab, the Agent Manager section is grayed out and you must use Sentinel Control Center to perform any operation. (Bug ) Fix: The Agent Manager section is now enabled in Sentinel Main Report Generation Fails if Events Contain Special Characters Report generation is successful even if events contain special characters. (Bug ) Collector Manager Does Not Restart When There Are Large Event Offsets Collector Manager now restarts successfully and processes event sources' offsets as expected. (Bug ) Sentinel 8.1 Service Pack 1 Release Notes 7

8 Auto Alert Always Updates EventThroughputUtilization at 100% utilization Issue: Auto Alert Always Updates EventThroughputUtilization at 100% utilization, even though there are no alerts being generated. (Bug ) Fix: Auto alert updates now display the actual EventThroughputUtilization percentage The collectormgr-status REST API Endpoint Displays Incorrect Status Issue: When there are multiple Collector Managers set up with one Sentinel server, the collectormgrstatus API endpoint displays the 404 not found error even though the Collector Managers are present. (Bug ) Fix: The collectormgr-status API now displays the status correctly report_dev_setup.sh Does Not Back Up the Firewall Configuration File The report_dev_setup.sh script now backs up the firewall configuration file so that you can revert easily in case of any failures. The script also includes enhancements to improve usability. (Bug ) NOTE: The SuSEfirewall2 file is backed up only when the PostgreSQL port is not added to the SUSE firewall configuration The Test Connectivity Button in the Sentinel Agent Manager Console Initiates With a Ping Issue: Test Connectivity initiates with a ping, which is a security concern.(bug ) Fix: The Test Connectivity button no longer uses an ICMP packet (Ping) followed by an HTTP command to the Connector port as part of its testing procedure. It now relies only on the HTTP command to validate if the connection is successful. This may cause the connectivity test to take up to a minute longer when the remote end is not live or responding properly When Upgrading the Sentinel Appliance from Versions Prior to 7.4 SP1, an Incorrect Warning Displays Issue: A change to password storage in Sentinel 7.4 SP1 causes the following error to display when upgrading the appliance from versions prior to 7.4 SP1: Failed to set encrypted password (Bug ) Fix: Sentinel no longer displays the warning message Exception in the Sentinel Server Log When You Upgrade Sentinel Versions Prior to 7.3 SP1 to Versions 7.3 SP1 and Later Issue: When you upgrade Sentinel from version 7.3 to version 7.3 SP1 and start the Sentinel server, you might see the following exception in the server log: Invalid length of data object... (Bug ) 8 Sentinel 8.1 Service Pack 1 Release Notes

9 Fix: Sentinel no longer displays the exception during the upgrade Cannot View Alerts with IPv6 Data in Alert Views Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (Bug ) Fix: Alert views and alert dashboards now display alerts that have IPv6 addresses in IP address fields. 2 System Requirements For information about hardware requirements, supported operating systems, and browsers, see the Technical Information for Sentinel page. 3 Installing Sentinel For information about installing Sentinel 8.1.1, see the NetIQ Sentinel Installation and Configuration Guide. 4 Upgrading to Sentinel You can upgrade to Sentinel from Sentinel 7.4 and later. For information about upgrading to Sentinel 8.1.1, see the NetIQ Sentinel Installation and Configuration Guide. 5 Known Issues NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support. The Java 8 update included in Sentinel might impact the following plug-ins: Cisco SDEE Connector SAP (XAL) Connector Remedy Integrator For any issues with these plug-ins, NetIQ will prioritize and fix the issues according to standard defect-handling policies. For more information about support polices, see Support Policies. Section 5.1, Sentinel Cannot Run Local Reports with Default EPS License, on page 10 Section 5.2, Cannot convert Sentinel to FIPS mode due to an issue with Mozilla NSS, on page 10 Section 5.3, Correlation Engine is Disconnected After Upgrade, on page 11 Section 5.4, Synchronization Needs to be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS Mode, on page 13 Section 5.5, Cannot Launch Event Visualization Dashboard, on page 13 Section 5.6, Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode, on page 13 Section 5.7, Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager, on page 13 Sentinel 8.1 Service Pack 1 Release Notes 9

10 Section 5.8, Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Sentinel Installations, on page 14 Section 5.9, Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions, on page 14 Section 5.10, The Event fields Panel is Missing in the Schedule Page When Editing Some Saved Searches, on page 14 Section 5.11, Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search, on page 14 Section 5.12, Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline, on page 14 Section 5.13, Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations, on page 15 Section 5.14, Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled, on page 15 Section 5.15, Agent Manager Requires SQL Authentication When FIPS Mode is Enabled, on page 15 Section 5.16, Sentinel High Availability Installation in Non-FIPS Mode Displays an Error, on page 15 Section 5.17, Active Search Jobs Duration and Accessed Columns Inaccuracies, on page 16 Section 5.18, IssueSAMLToken Audit Event Displays Incorrect Information in the Security Intelligence Dashboard, on page Sentinel Cannot Run Local Reports with Default EPS License Issue: If your environment has the default 25 EPS license and you run a report, the report fails with the following error: License for Distributed Search feature is expired Workaround: To run reports in the same JVM as Sentinel, complete the following steps: 1 Log in to the Sentinel server and open the /etc/opt/novell/sentinel/config/server.xml file. 2 Locate the following property: <property name="reporting.process.oktorunstandalone">true</property> 3 Change the setting to false: <property name="reporting.process.oktorunstandalone">false</property> 4 Restart Sentinel. 5.2 Cannot convert Sentinel to FIPS mode due to an issue with Mozilla NSS Issue: If you try to convert Sentinel (Server, RCM or RCE) to FIPS mode either during installation or post installation, an issue with the Mozilla NSS packages that are provided by the SLES OS prevent the conversion from being completed successfully. The conversion stops at the prompt for the FIPS keystore database password even though the specified password meets the expected criteria. (Bug ) Workaround: Upgrade the SLES NSS packages to their latest versions and then retry the FIPS conversion. 10 Sentinel 8.1 Service Pack 1 Release Notes

11 Perform the following steps to upgrade the SLES NSS packages: 1 Log in to the Sentinel server as the root user. 2 Download the following RPMs from x86_64/: mozilla-nspr or later libsoftokn or later libfreebl or later mozilla-nss or later mozilla-nss-tools or later 3 Upgrade the RPMs as follows: cd <rpm_download_directory> rpm -Uvh mozilla-nspr-<version>.rpm rpm -Uvh --nodeps libsoftokn3-<version>.rpm rpm -Uvh libfreebl3-<version>.rpm rpm -Uvh mozilla-nss-<version>.rpm rpm -Uvh mozilla-nss-tools-<version>.rpm 4 Clean up the artifacts from the previous FIPS conversion attempts: rm -rf /etc/opt/novell/sentinel/3rdparty/nss rm /etc/opt/novell/sentinel/3rdparty/newpwfile 5 Retry FIPS conversion. 5.3 Correlation Engine is Disconnected After Upgrade Issue: Recent changes to how Sentinel validates rules cause the Correlation Engine to fail to connect if your environment has an older deployed rule with incorrect syntax. (Bug ) Workaround: To reconnect the Correlation Engine, you can correct the syntax in the rule that is causing the problem and then restart Sentinel. To find the rule and correct its syntax, complete the following steps: 1 In the server.log file, search for Failed to initialize CorrelationEngine. For example, when you search for Failed to initialize CorrelationEngine, you will see a log message similar to the following: Wed May 17 10:58:09 CDT 2017 INFO Container Startup Thread esecurity.base.ccs.proxy.componentelementproxy.activate Failed to initialize CorrelationEngine Scroll up to see the previous log message, which specifies the rule and displays its syntax. It will be similar to the following: Wed May 17 10:58:09 CDT 2017 SEVERE Container Startup Thread esecurity.base.ccs.proxy.componentelementproxy.activate Root cause: Duration must be within a day (antlr.recognitionexception) esecurity.ccs.correlation.impl.tpm.illegalruleexception: SEN Invalid Rule Definition: filter(((e.evt = "GET: Forbidden")) AND ((e.port = "Apache HTTP Server")) AND ((e.dhn = "n0")) AND ((e.fn!= "favicon.ico")) AND ((e.fn!= "apple-touch-icon-precomposed.png")) AND ((e.fn!= "apple-touch- Sentinel 8.1 Service Pack 1 Release Notes 11

12 icon.png")) AND ((e.fn!= "apple-touch-icon-120x120-precomposed.png")) AND ((e.fn!= "apple-touch-icon-120x120.png")))flow trigger(20,86460,discriminator(e.sip)) In this example, the log message indicates the problem occurred because the specified duration was longer than a day. The syntax of the rule specifies more seconds (86460) than are in a day (86400). 2 Log in to Sentinel. 3 Open a new browser tab. 4 In the new tab, go to the following URL: SENTINEL IP>:8443/SentinelRESTServices/objects/correlation-rule 5 To find the rule name and ID in the list of correlation rules, search for a unique part of the rule syntax, such as (Conditional) If you cannot find the rule name and ID in the list of correlation rules, complete the following steps: 6a In a command prompt, switch to the novell user. Use the following command: su - novell 6b Change to the /opt/novell/sentinel/bin directory. 6c Use the following SQL command:./db.sh sql SIEM dbauser "select * from CORR_RULE where rule_lg like '%UniqueText%'" Where UniqueText is a unique part of the rule syntax, such as (Conditional) If you have not already switched to the novell user, open a command prompt and switch to the novell user. Use the following command: su - novell 8 Change to the /opt/novell/sentinel/bin directory. 9 Verify the rule is in the database. Use the following SQL command:./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID" Where RuleID is the ID of the rule you found previously. 10 Update the rule with a new filter that will not trigger an error during validation. Use the following SQL command:./db.sh sql SIEM dbauser "update CORR_RULE set rule_lg = 'filter(1=0)' where RULE_ID=RuleID" Where RuleID is the ID of the rule you found previously. 11 Verify the filter has been changed in the database. Use the following SQL command:./db.sh sql SIEM dbauser "select * from CORR_RULE where RULE_ID=RuleID" Where RuleID is the ID of the rule you found previously. 12 Stop Sentinel. Use the following command:./server.sh stop 13 Restart Sentinel. Use the following command:./server.sh start 12 Sentinel 8.1 Service Pack 1 Release Notes

13 5.4 Synchronization Needs to be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS Mode Issue: When you convert the active node to FIPS mode in Sentinel HA, the synchronization to convert all the passive nodes to FIPS mode is not performed completely. You must start the synchronization manually. (Bug ) Workaround: Manually synchronize all passive nodes to FIPS mode as follows: 1 Log in as the root user on the active node. 2 Open the /etc/csync2/csync2.cfg file. 3 Change the following line: include /etc/opt/novell/sentinel/3rdparty/nss/*; to include /etc/opt/novell/sentinel/3rdparty/nss; 4 Save the csync2.cfg file. 5 Start the synchronization manually by running the following command: csync2 -x -v 5.5 Cannot Launch Event Visualization Dashboard Issue: An issue prevents Internet Explorer 11 from being able to open the Event Visualization dashboard. (Bug ) Workaround: Use a different browser to view or modify the Visualization dashboard. 5.6 Cannot Install Sentinel on SLES 11 SP4 in FIPS Mode Issue: If you try to install Sentinel on a computer that is running the SLES 11 SP4 operating system in FIPS mode, the installation process will fail. (Bug ) Workaround: Ensure the operating system is not in FIPS mode, and then complete the following steps: 1. Install Sentinel. For more information, see Installing Sentinel in the Sentinel Installation and Configuration Guide. 2. Enable Sentinel Server to run in FIPS mode. For more information, see Enabling Sentinel Server to Run in FIPS Mode in the Sentinel Installation and Configuration Guide. 3. Use the following command to enable the operating system to run in FIPS mode: fips=1 /boot/grub/menu.lst 5.7 Sentinel Main Interface Displays Blank Page After Converting to Sentinel Scalable Data Manager Issue: After you enable SSDM, when you log in to the Sentinel Main interface, the browser displays a blank page. (Bug ) Workaround: Close your browser and log in to the Sentinel Main interface again. This issue only happens once, the first time you log in to the Sentinel Main interface after you enable SSDM. Sentinel 8.1 Service Pack 1 Release Notes 13

14 5.8 Tips Table Search Does Not Return the Complete List of Alert Fields in Upgraded Sentinel Installations Issue: In upgraded installations of Sentinel, when you search for alert attributes in the Tips table in the Sentinel Main interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (Bug ) Workaround: There is no workaround at this time. 5.9 Event Search Does Not Respond if You Do Not Have Any Event Viewing Permissions Issue: If you run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (Bug ) Workaround: Update the role with one of the following options: 1 Specify criteria in the Only events matching the criteria field. If users in the role should not see any events, you can enter NOT sev:[0 TO 5]. 2 Select View system events. 3 Select View all event data (including raw data and NetFlow data) The Event fields Panel is Missing in the Schedule Page When Editing Some Saved Searches Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (Bug ) Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (Bug ) Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (Bug ) Workaround: The correct dates are updated after the baseline regeneration is complete. 14 Sentinel 8.1 Service Pack 1 Release Notes

15 5.13 Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (Bug ) Workaround: Configure Sentinel ports for firewall exceptions through the following steps: 1 Open the /etc/sysconfig/susefirewall2 file. 2 Change the following line: FW_SERVICES_EXT_TCP=" : " to FW_SERVICES_EXT_TCP=" : " 3 Restart Sentinel Sentinel Generic Collector Performance Degrades When Generic Hostname Resolution Service Collector is Enabled Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (Bug ) Workaround: There is no workaround at this time Agent Manager Requires SQL Authentication When FIPS Mode is Enabled Issue: When FIPS mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (Bug ) Workaround: Use SQL authentication for Agent Manager when FIPS mode is enabled in your Sentinel environment Sentinel High Availability Installation in Non-FIPS Mode Displays an Error Issue: The Sentinel High Availability installation in non-fips mode completes successfully but displays the following error twice: /opt/novell/sentinel/setup/configure.sh: line 1045: [: too many arguments (Bug ) Workaround: The error is expected and you can safely ignore it. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-fips mode. Sentinel 8.1 Service Pack 1 Release Notes 15

16 5.17 Active Search Jobs Duration and Accessed Columns Inaccuracies Issue: The Sentinel Main interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Main interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Main interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (Bug ) Workaround: Ensure the time on the computer you use to access the Sentinel Main interface is the same as or later than the time on the Sentinel server computer IssueSAMLToken Audit Event Displays Incorrect Information in the Security Intelligence Dashboard Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (Bug ) Workaround: There is no workaround at this time. 6 Contact Information Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you. For detailed contact information, see the Support Contact Information website. For general corporate and product information, see the NetIQ Corporate website. For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels. 7 Legal Notice For information about NetIQ legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government restricted rights, patent policy, and FIPS compliance, see Copyright 2018 NetIQ Corporation. All Rights Reserved. 16 Sentinel 8.1 Service Pack 1 Release Notes