Page 1
Novell Sentinel Log Manager 1.0.0.5
Release Notes
Novell®
March 30, 2010
Novell® SentinelTM Log Manager collects data from a wide variety of devices and applications,
including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases,
switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high
event-rate processing, long-term data retention, regional data aggregation, and simple searching and
reporting functionality for a broad range of applications and devices.
Section 1, “What's New in Novell Sentinel Log Manager,” on page 1
Section 2, “Prerequisite,” on page 3
Section 3, “Installing Novell Sentinel Log Manager 1.0.0.5,” on page 3
novdocx (en) 19 February 2010
Section 4, “Issues Fixed,” on page 5
Section 5, “Known Issues,” on page 14
Section 6, “Documentation Conventions,” on page 19
Section 7, “Legal Notices,” on page 19
1 What's New in Novell Sentinel Log Manager
The following sections list the new and enhanced features of Novell Sentinel Log Manager.
Section 1.1, “What’s New in Novell Sentinel Log Manager 1.0.0.5,” on page 1
Section 1.2, “What’s New in Novell Sentinel Log Manager 1.0.0.4,” on page 2
Section 1.3, “New Plug-Ins,” on page 3
1.1 What’s New in Novell Sentinel Log Manager 1.0.0.5
“500 EPS Version of Sentinel Log Manager” on page 1
“New End User License Agreement” on page 2
1.1.1 500 EPS Version of Sentinel Log Manager
The Novell Sentinel Log Manager is now available in a 500 EPS (events per second) version. The
500 EPS version is suitable for small deployments with only one Sentinel Log Manager server and a
low event rate. It can also be used as a low volume node reporting to another Sentinel or Sentinel
Log Manager server in a large deployment.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 1
Page 2
1.1.2 New End User License Agreement
The end user license agreement (EULA) terms have been updated in this release. You must accept
the new terms before before proceeding to apply the latest patch. Some of the changes in the EULA
are:
Novell Sentinel Log Manager is now available in a 500 EPS version.
novdocx (en) 19 February 2010
Updated definition for
Updated definition for
Non-Production Instance
Type I Device
.
.
1.2 What’s New in Novell Sentinel Log Manager 1.0.0.4
“New Data Collection User Interface” on page 2
“LDAP Authentication” on page 2
“Enhancements to the Search Result User Interface” on page 2
“New User Interface for Actions” on page 3
“Enhancement to the Admin User Interface” on page 3
1.2.1 New Data Collection User Interface
The new and enhanced data collection user interface enables you to perform several new tasks:
Refine all the event sources by using the new Event Sources screen.
Start and stop the audit and syslog event source server by using the new Event Source Servers
tab.
Set the time zone for event sources.
Search for events that are coming from one or many event sources.
For more information about data collection configuration, see “Configuring Data Collection” in the
Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
1.2.2 LDAP Authentication
Sentinel Log Manager now supports LDAP authentication in addition to the database authentication.
A new Authentication Type option has been added in the user > Add a user window of the Sentinel
Log Manager, which enables you to create user accounts that use LDAP authentication.
For more information about configuring the Sentinel Log Manager server for LDAP authentication,
see “User Administration” in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
1.2.3 Enhancements to the Search Result User Interface
The enhanced search result interface enables you to perform several new tasks:
Export search report results.
Send search results to an action.
Download the raw data files for the selected event result's event source by using the get raw
data link.
View new event fields information in the search results.
2 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Page 3
For example, it displays the Source IP address, Rawdata Record ID, Collector Script, Collector
name, Collector Manager ID, Connector ID, and Event Source ID information for the incoming
events.
View all the event fields information for the event source by using the show all fields link.
For more information about searching events and generating reports, see “Searching” in the Novell
Sentinel Log Manager 1.0.0.4 Administration Guide.
1.2.4 New User Interface for Actions
The new user interface for actions allows you to create multiple action instances that you can also
use while configuring rules. You can also view the number of rules that are associated with an
action.
For more information about configuring rules and actions, see “Configuring Rules” in the Novell
Sentinel Log Manager 1.0.0.4 Administration Guide.
1.2.5 Enhancement to the Admin User Interface
The new admin user interface enables you to assign new permissions for a user:
novdocx (en) 19 February 2010
You can now allow users to view all reports that are stored on the server
Enable Sentinel Log Manager configuration reporting
You can now set a filter for the events a user can view.
For more information about configuring users, see “User Administration” in the Novell Sentinel Log
Manager 1.0.0.4 Administration Guide.
1.3 New Plug-Ins
A new Generic Forwarder Action 6.1r2 plug-in has been added to send search results to an action
instance.
2 Prerequisite
The Sentinel Log Manager Hot fix 5 (1.0.0.5) should be installed on top of an existing Sentinel Log
Manager 1.0.0.0, 1.0.0.1, 1.0.0.2, 1.0.0.3, or 1.0.0.4 installation.
3 Installing Novell Sentinel Log Manager 1.0.0.5
IMPORTANT: The Sentinel Log Manager Hot fix 5 (1.0.0.5) must be installed on the Sentinel Log
Manager server and all the Collector Managers running on remote machines. This Hot fix does not
update the Collector Manager installer script that you can download from the Sentinel Log Manager
web server. Hence, regardless of whether you have installed a Collector Manager before or after
applying the Hot fix on the Sentinel Log Manager server, it is mandatory to apply this Hot fix to all
the Collector Managers.
Section 3.1, “System Requirements,” on page 4
Section 3.2, “Installing on a Sentinel Log Manager Server,” on page 4
Section 3.3, “Installing on a Remote Collector Manager,” on page 4
Novell Sentinel Log Manager 1.0.0.5 Release Notes 3
Page 4
3.1 System Requirements
For a detailed information on hardware requirements and supported operating systems, browsers,
and event sources, see “System Requirements” (http://www.novell.com/documentation/
novelllogmanager10/novell_log_manager/data/bjx8zq7.html) in the Novell Sentinel Log Manager
Guide.
3.2 Installing on a Sentinel Log Manager Server
To perform a quick and simple installation of Novell Sentinel Log Manager 1.0.0.5 on a Sentinel
Log Manager server:
novdocx (en) 19 February 2010
1 Log in to the Sentinel Log Manager as the
The
novell
user is created during the Sentinel Log Manager installation process and does not
novell
user.
have a password by default. Therefore, you can create a password in order to log in as this user,
or you can su - to this user.
2 Download or copy the installer
SENTINEL_LOG_MANAGER_1.0.0.5.zip
to a temporary
directory.
3 Change to the temporary directory.
4 Unzip the install package by using the following command:
unzip SENTINEL_LOG_MANAGER_1.0.0.5.zip
5 Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.5
6 (Optional) Stop the Sentinel Log Manager services by using the following command:
Installation_Directory/bin/server.sh stop
7 Run the hotfix installer and follow the prompts.
./service_pack.sh
3.3 Installing on a Remote Collector Manager
“Installing on Unix” on page 4
“Installing on Windows” on page 5
3.3.1 Installing on Unix
1 Log in to the Sentinel Log Manager as the
2 Download or copy the installer
directory.
3 Change to the temporary directory.
4 Unzip the install package by using the following command:
unzip SENTINEL_LOG_MANAGER_1.0.0.5.zip
5 Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.5
6 (Optional) Stop the Collector Manager by using the following command:
Installation_Directory/bin/sentinel.sh stop
4 Novell Sentinel Log Manager 1.0.0.5 Release Notes
root
user.
SENTINEL_LOG_MANAGER_1.0.0.5.zip
to a temporary
Page 5
7 Run the hotfix installer and follow the prompts.
./service_pack.sh
3.3.2 Installing on Windows
novdocx (en) 19 February 2010
1 Log in to the Sentinel Log Manager as an
2 Download or copy the installer
SENTINEL_LOG_MANAGER_1.0.0.5.zip
Administrator
.
to a temporary
directory.
3 Change to the temporary directory.
4 Unzip the installer package.
5 Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.5
6 (Optional) Stop the Collector Manager by using the following command:
Installation_Directory/bin/sentinel.bat stop
7 Go to the installation directory.
8 Execute the
service_pack.bat
from the command window and follow the prompt.
4 Issues Fixed
Section 4.1, “Issues Fixed in Sentinel Log Manager 1.0.0.5 Release,” on page 5
Section 4.2, “Issues Fixed in Sentinel Log Manager 1.0.0.4 Release,” on page 7
Section 4.3, “Issues Fixed in Sentinel Log Manager 1.0.0.3 Release,” on page 9
Section 4.4, “Issues Fixed in Sentinel Log Manager 1.0.0.2 Release,” on page 10
Section 4.5, “Issues Fixed in Sentinel Log Manager 1.0.0.1 Release,” on page 11
4.1 Issues Fixed in Sentinel Log Manager 1.0.0.5 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.5 release.
Table 1 Issues Fixed in Sentinel Log Manager 1.0.0.5 Release
Issues Fixed Description
582427 Issue:Legacy collectors stopped sending event data after Sentinel Log
Manager was upgraded to Hot fix 4.
Fixed:The latest version of agent-manager.jar file is bundled with the Hot
fix 5 to enable legacy collectors to send event data.
581908 Issue:The collector debugger fails as the latest version of libuuid.jar was
not present in the webstart webserver directory.
Fixed: The latest version of libuuid.jar file is now bundled with the Hot fix 5
build, to enable the collector debugger to function properly.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 5
Page 6
Issues Fixed Description
581912 Issue: Upgrading to Hot Fix 4 fails on a remote 64 bit Linux Collector
Manager.
Fixed: The installer now checks for the directory name. The upgrade
procedure now works fine.
590171 Issue: The All Vendors All Products Top 10 Report is not installed when
user upgrades to Hot fix 4 from versions older than Hot Fix 3.
Fixed: The report is now installed.
novdocx (en) 19 February 2010
581698 Issue: The
address to write to JNLP files on startup.
Fixed: The script now attempts to read the user specified SERVER_IP
value from the
present or if the IP address is not set in the file, then the script determines
the IP address automatically.
To enable the script to read the SERVER_IP value from the configuration
file, create the
directory and specify the IP address in the following format:
start_tomcat.sh
ipaddress.conf
ipaddress.conf
script is unable to find the correct IP
file. If the
file in the
ipaddress.conf
file is not
$ESEC_HOME/config
SERVER_IP=<ip address value>
For example,
572619 Issue: Attempt to download raw data files for an Event Source which has a
name with double byte characters results in the
java.io.FileNotFoundException
Fixed: Users can now download raw data files with double byte characters
in their names.
583775 Issue: A non-admin user is allowed to click the Get Raw Data link in their
search results. This links should be presented only to administrators.
Fixed: Now, when a non-admin user clicks the Get Raw Data link, the
following error message is displayed in the resulting page:
SERVER_IP=192.168.1.255
error.
563886 Issue: The Collector framework must stop overwriting event fields so that
580749 Issue: If you click the Help button from Web UI, an error page is displayed.
586957 Issue: Clicking details+ in Web UI fails for the events from a Collector that
6 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Must be an Administrator to download Raw Data
the Sentinel Link can properly report the agent that parsed the event.
Fixed: The Collector framework now doesn't overwrite the event fields
other than the rv21-rv25 fields.
This is because an extra / is added to the URL.
Fixed: This issue is now fixed. If you click the Help button, the Novell
Sentinel Log Manager documentation page opens.
does not populate the rv32 field.
Fixed: Clicking details+ in Web UI now expands even for events with
empty rv32 field.
Page 7
Issues Fixed Description
591055, 591059 Issue: After upgrading to Hot fix 4, the data parsed by Collectors is not
displayed in the generated report.
Fixed: The data is now displayed in the generated reports.
4.2 Issues Fixed in Sentinel Log Manager 1.0.0.4 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.4 release.
Table 2 Issues fixed in Sentinel Log Manager 1.0.0.4 Release
Issues Fixed Description
551079 Issue: In the report details, if the time range is not set to custom date
range, then the time shown reflect the actual times the report had been
run.
Fixed: After the report is run, the date range is being displayed
appropriately in the report details.
novdocx (en) 19 February 2010
545195 Issue: When there are many event sources in the Operating System
section of syslog server user interface, the browser reports an
unresponsive script
interface also becomes unusable.
Fixed: A new Data Collection user interface with Sentinel Log Manager
hotfix 4 properly manages the event sources.
532421 Issue: The e-mails received from Sentinel Log Manager has Novell
Identity Audit Event text in the subject line.
Fixed: The Subject field is now user configurable.
549330 Issue: The Device Event Time field is appearing as searchable field in the
search tips popup.
Fixed: The Device Event Time field is not a searchable field. It is now
deleted from the search tips popup.
523499 Issue: Passwords with both backward and forward slashes and single
quote characters are not accepted while login.
Fixed: Now the passwords with escape characters (\, /, and ‘) are allowed.
499349 Issue: When executing a search from the search toolbar on the upper right
hand corner of the user interface, it would intermittently open a search tab
with the search criteria of a previous search rather than the currently typed
in search.
error. As a result Sentinel Log Manager user
4.2.1 Enhancement
This section lists the enhancements in Novell Sentinel Log Manager 1.0.0.4 Release.
Fixed: The new search tab now always has the most recently typed in
search criteria.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 7
Page 8
Table 3 Enhancements in Sentinel Log Manager 1.0.0.4 Release
Issues Fixed Description
553146 Issue: A raw data link is required next to each search result entry that will
take you to the unparsed raw data on the Raw Data Download page. The
event will display the data originated from the event source.
Fixed: A get raw data link is added to each search result. Clicking on this
link opens a Raw Data Download page in a new tab and points to the
appropriate event source.
509882 Issue: An option to export the report results option should be included.
Fixed: Sentinel Log Manager interface now provides you an option to
export the report results.
508992 Issue: An option needs to be provided to know the number of events the
user has scrolled through.
Fixed: The left pane of the search result displays the number of events the
user has scrolled through.
novdocx (en) 19 February 2010
504105 Issue: LDAP authentication option should be added for Sentinel Log
Manager.
Fixed: Sentinel Log Manager now supports the LDAP authentication
option.
557632 Issue: The exported results
.csv
file should display the important fields
columns at the beginning.
Fixed: Important fields are placed in the beginning of csv report. The fields
are ordered as dt, port, sev, evt, msg, rv42, shn, sip, rv35, sun, rv41, dhn,
dip, rv45, dun, sp, isvcc, dp, tsvcc, ttd, ttn, rv36, and fn followed by other
fields as long as field has valid value.
542187 Issue: Exported search results were unreadable with too many empty
columns, which was causing it to throw some errors while opening in open
office.
Fixed: The empty columns are removed from the search results to make it
more readable and compact.
547204 Issue: Subject was not configurable in the Send an Email action user
interface and all the mails had default subject value.
Fixed: Now you can specify a subject line using the Subject field in the
Send an Email action user interface.
530183 Issue: The number of records value that went into a collector should be
displayed in the Collector status details pane of the Event Source
Management interface.
8 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Fixed: The Total Records Sent and Records Sent in Last Interval fields are
included in the Collector status details pane of the Event Source
Management interface.
Page 9
Issues Fixed Description
495806 Issue: Export search result has the same event count limit as search
refinement (50,000).
Fixed: The 50,000 limit for exporting results has been removed. Now the
user will be prompted to enter the number of results they want to export.
4.3 Issues Fixed in Sentinel Log Manager 1.0.0.3 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.3 Release.
Table 4 Issues fixed in Sentinel Log Manager 1.0.0.3 Release
Issues Fixed Description
563948 Issue: A message stating that no events have been found by the search is
displayed even before the search is completed.
novdocx (en) 19 February 2010
Fixed: The
found after the completion of a search.
560580 Issue: Occasional searches run from the search tool bar used the previous
search string instead of the new search string.
Fixed: A new search run from the search tool bar uses the new search
string.
556411 Issue: Squashfs indexes that were mounted by a previous running
instance of the server are not cleaned up when the server starts, resulting
is failed searches.
Fixed: The server now detects if old mounts need to be cleaned up and
cleans them up allowing searches to complete normally.
552519 Issue: The softwarekey.sh script was not included in the install, making it
difficult to reset the license key with the server turned off.
Fixed: The softwarekey.sh script is now included.
549582 Issue: An event is not searchable by its original timestamp if it arrives
more than a day late.
Fixed: The event is searchable by its original timestamp no matter how
late it arrives.
546324 Issue: A rule or data retention policy configured with a filter that is just a full
text search (i.e., no field such as
the server that prevents any users from logging into the Web interface or
ESM user interface.
no events found
message only appears if no events are
sev:5
is specified) results in an error on
Fixed: The bug is fixed so that all valid filters are now accepted and
evaluated properly. Filter validation is also done before allowing a user to
save a filter to prevent an invalid filter from being saved that would cause
logins to fail.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 9
Page 10
Issues Fixed Description
545837 Issue: The Event Source Management (ESM) user interface is not able to
read the maxclausecount property in the
SentinelPreferences.properties
Fixed: The Event Source Management (ESM) user interface works fine
with a high number (>=~1000) event sources and does not log any
clause count exceeded
545197 Issue: When many event sources are configured (for example, 2000+), the
Event Source Management (ESM) user interface consumes lot of memory
on webstart (for example, 1GB) and also becomes unusable.
Fixed: The ESM user interface now works fine if there are many event
sources are configured.
527007 Issue: To turn on or off the data logging for all of the operating system
event sources and all of the Application collectors, a Data logging (All) On
and Off option is required for the APPLICATIONS and OS tables under the
Collection > Syslog Server tab.
Fixed: To turn on or off the data logging for all of the operating system
event sources and all of the Application collectors, a Data logging (All) On
and Off option is provided for the APPLICATIONS and OS tables under
the Collection > Syslog Server tab.
exceptions.
file.
max
novdocx (en) 19 February 2010
4.3.1 Enhancement
Top N type reports are now supported. A Top N type report named
Top 10 Report
is installed with this hotfix and is available as a Visualization from the Search Save
All Vendors All Products
As Report dialog as well from the main report list. This report provides an easy way to view a
dashboard of the most frequent activity being monitored by Sentinel Log Manager.
4.4 Issues Fixed in Sentinel Log Manager 1.0.0.2 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.2 Release.
Table 5 Issues fixed in Sentinel Log Manager 1.0.0.2 Release
Issues Fixed Description
537273 Issue: Non-admin user is able to log in to the Event Source Management
interface by using a cached ESM jnlp file.
Fixed: Only authorized admin user can log in to the Event Source
Management interface.
536377 Issue: Lucene indexes are not being committed on a timely basis.
Fixed: Lucene indexes are now being committed on a timely basis - once a
minute.
535736 Issue: The Rule user interface does not perform the filter validation.
10 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Fixed: The specified filter value is validated by the Rule user interface.
Page 11
Issues Fixed Description
536589 Issue: IndexedLogComponent can get stuck on deactivate when shutting
down under heavy load (high EPS).
Fixed: IndexedLogComponent will now shutdown gracefully under heavy
load.
540119 Issue: When the Sentinel Log Manager Server runs for many days (for
example, 25-40 days), it stores huge amount of EPS data, which is
generated over time. This eps information is transferred to the tomcat
server in a verbose format so it consumes a lot of memory and also while
parsing the eps data it causes out of memory at the tomcat server.
Fixed: The eps data information will now be transferred in a more compact
format from the Sentinel Log manager server to the Tomcat server.
541858 Issue: A few events that are generated on a remote Collector Manager do
not get displayed on the Sentinel Log Manager server.
Fixed: All the events that are generated on a remote Collector Manager
will be displayed on the Sentinel Log Manager server as expected.
novdocx (en) 19 February 2010
543029 Issue: When one Sentinel Log Manager is configured with multiple
Collector Managers. On changing a Collector for an event source under
the Collection > Syslog Server tab, the Collector and the event source gets
assigned to the wrong Collector Manager.
Fixed: On changing a Collector for an event source under the Collection >
Syslog Server tab, the Collector and the event source will be assigned to
their respective Collector Manager.
4.5 Issues Fixed in Sentinel Log Manager 1.0.0.1 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.1 Release.
Table 6 Issues fixed in Sentinel Log Manager 1.0.0.1 Release
Issues Fixed Description
527031 Issue: If the browser and the server are running in different time zones, the
dates in the search results are not displaying correctly.
Fixed: The dates in the search results are now displayed in the local
timezone of the browser, regardless of which timezone the server is
running in.
527006 Issue: The values in all of the drop down boxes in the raw data download
page should be sorted alphabetically.
Fixed: The values in the drop-down box appears in the alphabetical order.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 11
Page 12
Issues Fixed Description
526143 Issue: The communication links between the Sentinel Log Manager server
and either Tomcat or Collector Managers do not always recover when the
link is dropped temporarily. The link may get dropped temporarily due to
network outage, system load, or a variety of other reasons. If this occurs to
the link with Tomcat, the Web Server becomes unresponsive. If this occurs
to the link with Collector Managers, data from the Collector Managers no
longer flows to the Sentinel Log Manager, although the data is cached on
the Collector Manager file system.
Fixed: The communication links between the Sentinel Log Manager server
and either Tomcat or Collector Managers recovers even when the link is
dropped temporarily.
526119 Issue: Online data storage graphs are not displayed when the nfs archive
location is unshared.
Fixed: The Online data storage graphs are being displayed even if the
archive location is not accessible.
524994 Issue: In Internet Explorer 8 browser, an error message is displayed on
entering a search criteria and hitting enter instead of clicking on Search
button.
novdocx (en) 19 February 2010
Fixed: The search results appear as expected.
525099 Issue: Sentinel Log Manager does not need to listen on port 1099.
Fixed: Sentinel Log Manager does not listen on port 1099.
525075 Issue: On the Firefox browser if you log in to Sentinel Log Manager with
the Administrator or Report Administrator credentials, perform a self edit
and save the user details twice, then by default it takes the Auditor
permission.
Fixed: On performing a self edit of the Administrator or Report
Administrator user accounts, the settings will not change to Auditor
permission.
524606 Issue: The scheduled report is getting deleted when it is edited and invalid
start time is entered.
Fixed: After editing the scheduled report and giving invalid start time, the
scheduled report will not get deleted.
524453 Issue: The Data Archive user interface always reports the following error
when setting the archive location, even if the save succeeded:
Failed Data Archive Configuration Save.
Archive could not be configured, as archive was already configured.
Fixed: No error message is displayed when archive location is set
successfully.
12 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Page 13
Issues Fixed Description
523873 Issue: If archiving is configured to use NFS and the connection to the NFS
server is lost, the archiving process will stop working and the storage
graphs on the user interface will not be displayed.
Fixed: The issue has partially been fixed in the code. However, the other
half of it needs to be fixed manually. Since the hotfix contains code to
automatically set the NFS mount options automatically to the correct
value, remove the
from the server.conf and restart the Sentinel Log Manager service to
correct the problem. The code will automatically use the NFS mount
options
To restart the Sentinel Log Manager service, execute the following
command:
soft,proto=tcp,timeo=60,retrans=1
-Dnovell.sentinel.mount.options
.
property
<Installation_Directory>/bin/server.sh restart
522907 Issue: On deleting a data retention policy an unnecessary exception is
logged if the policy has events that match the specified filter criteria. The
exception should not be logged because no real error actually occurred.
novdocx (en) 19 February 2010
Fixed: The exception is no longer logged.
509112 Issue: On performing a search that returns more than 50,000 results. the
event fields that were selected (by default) in the Select Event Fields
window are not displayed in the user interface on scrolling through the
search results.
Fixed: All the events fields are being displayed.
529773 Issue: Event router server is not executing an action to send events from
remote Collector Managers to the Sentinel Machine.
Fixed: Event router server is now able to send events to the Sentinel
machine from the remote collector manager.
528049 Issue: On the data collection page, the data logging on/off buttons are not
working for the Syslog server event sources.
Fixed: The data logging on/off buttons now correctly turn the event source
on/off and reflect the proper current state of the event source.
524998 Issue: On the Internet Explorer 8 browser, the scroll bar to view the license
is disabled.
Fixed: The license key can be viewed by using the scroll bar.
527023 Issue: An exception log message appears when archiving is disabled.
Fixed: The exception message has been changed to an INFO level log
message
disabled.
Archive location is not configured
when archiving is
527306 Issue: server.sh script is not automatically correcting the permissions of
the postgresql data directory before startup.
Fixed: server.sh script automatically corrects the permissions of the
folder. The permissions of
data
folder reverts back to the old permissions.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 13
data
Page 14
Issues Fixed Description
532219 Issue: In some cases, an Out of Memory occurs in the Tomcat server
related to the Data Collector Events Per Second chart.
Fixed: The out of memory issue conditions has been fixed when
generating this chart.
novdocx (en) 19 February 2010
501503 Issue: The
multiple interfaces returned by
Fixed: The script now excludes ipv6 addresses from its search for the best
address to use and, therefore, does a better job at choosing the right IP
address.
start_tomcat.sh
script selects the wrong IP if there are
/sbin/ifconfig
5 Known Issues
Section 5.1, “Known Issue in Sentinel Log Manager 1.0.0.5,” on page 15
Section 5.2, “Known Issues in Sentinel Log Manager 1.0,” on page 15
Section 5.3, “Known Issues in Sentinel Plug-ins,” on page 18
.
14 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Page 15
5.1 Known Issue in Sentinel Log Manager 1.0.0.5
Table 7 Known Issue in Sentinel Log Manager 1.0.0.5
Issue Number Description
591895 Issue: After upgrading, events generated in Hot fix 4 is not displayed in
Hot fix 5 reports.
Workaround: This issue occurs because a machine upgraded to Hot fix 5
has events with two different values in their CollectorScript field. To
display the Hot fix 4 events in the Hot fix 5 report, do the following
1. Run a search query in the following format:
sev:[0 TO 5] AND (agent:”<non-HF4 agent value>” OR
agent:”<HF4 agent value>” )
2. Save the search as a report with type Visualization.
3. Select a corresponding template from the available templates.
You can use this report template to generate future reports.
novdocx (en) 19 February 2010
For example, to create a new Cisco Firewall Event Count Trend Report:
1. Run the following search query:
sev:[0 TO 5] AND (agent:"Cisco Firewall" OR
agent:"Cisco_Firewall")
The CollectorScript value for events generated in Hot fix 4 is
Cisco_Firewall_<Cisco Firewall Collector Version>
The CollectorScriot value for events generated in version other than
Hot fix 4 is
Cisco Firewall <Cisco Firewall Collector
Version>
NOTE: In the report query, exclude the collector version from the
query as it creates a dependency on the version of the collector.
This query returns all the Cisco Firewall events in the server.
2. Click Save as Report, then select type as Visualization.
3. Select the All Vendors All Products Event Count Trend 6.1r1
template.
4. Specify a name, then click Save to save the file.
Now when you run the report, events generated in Hot fix 4 is also
included in the report.
5.2 Known Issues in Sentinel Log Manager 1.0
This section lists the known issues in Novell Sentinel Log Manager 1.0 Release.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 15
Page 16
Table 8 Known Issues in Sentinel Log Manager 1.0 Release
Issue Number Description
523007 Issue: Export Result and Save as Report links are not visible after
performing search operation using custom option in search result page.
Workaround: To view all the links, set the screen resolution to 1280 x
1024.
503808 Issue: The Event Source Management (ESM) application fails to launch in
the first attempt when it is installed on a server where it has never been
installed before.
Workaround: Re-launch the application.
524575 On Microsoft Internet Explorer* 8, all javascript pop-up windows display
error when French (fr) or Italian (it) or Spanish (es) languages are selected
on login page.
Workaround: Use the Firefox 3 web browser instead.
510824 Issue: After clicking the details++ link for the individual search results, the
all details++ and all details-- link does not work as intended.
novdocx (en) 19 February 2010
Workaround: Avoid using the all details link until this issue is fixed.
524473 Issue: The prompt for using the 90 day evaluation license is not localized
in non-English versions of the product.
521942 Issue: If many reports are run within a sort period of time (for example, 40-
50 reports within 5-10 minutes), you may experience the following error:
java.lang.OutOfMemoryError: PermGen space
Workaround: This is a temporary error due to the number of reports being
run. Try running the report again later.
16 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Page 17
Issue Number Description
novdocx (en) 19 February 2010
525753 Issue: If the command
during Sentinel Log Manager installation, the user is unable to accept a
certificate when Collector Manager is installed.
Workaround: To avoid the issue, before installing the Log Manager server,
test the
hostname. This needs to be tested on the Log Manager server machine,
not the machine where the Collector Manager is going to be installed.
If you get stuck in a loop during the Collector Manager install, the
workaround is the following:
hostname -f
1. There is no need to exit the Collector Manager install. Instead,
perform the following steps while the Collector Manager install
remains at the user/password prompt.
2. Log in to the Log Manager server as the
3. Run the following command:
server.sh stop
4. Specify the command to change directory:
sentinel_log_mgr_1.0_x86-64/config
5. hostname -f (make sure a valid hostname is returned - if not, fix
hostname)
NOTE: All passwords must remain set to
commands.
hostname -f
command to make sure it returns a valid
did not return a valid hostname
novell
user.
cd /opt/novell/
password
in the following
../jre/bin/keytool -delete -alias broker keystore .activemqkeystore.jks -storepass
password
../jre/bin/keytool -genkey -alias broker keyalg RSA -keystore .activemqkeystore.jks storepass password -keypass password -dname
"CN=`hostname -f`, O=broker"
../jre/bin/keytool -list -keystore
.activemqkeystore.jks -v -storepass password
../jre/bin/keytool -export -alias broker keystore .activemqkeystore.jks -storepass
password -file .activemq.cer
../jre/bin/keytool -delete -alias broker keystore .activemqclientkeystore.jks storepass password
../jre/bin/keytool -import -noprompt -alias
broker -keystore .activemqclientkeystore.jks storepass password -file .activemq.cer
6. Run the following command:
server.sh start
7. Return to the Collector Manager install and enter the user/pass/
accept cert. You should see a valid issuer name and the acceptance
of the certificate should proceed normally.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 17
Page 18
5.3 Known Issues in Sentinel Plug-ins
The collectors supporting the following event sources that are bundled with Sentinel Log Manager
have known issues. These issues are fixed in the latest version of the collectors available on the
Sentinel 6.1 Content Web site (http://support.novell.com/products/sentinel/sentinel61.html).
Novell Access Manager 3.1
Novell Identity Manager 3.6.1
Novell Netware 6.5
Novell Modular Authentication Services 3.3
Novell Open Enterprise Server 2.0.2
Novell SUSE
Novell eDirectory
Support Web Site (http://download.novell.com/Download?buildid=RH_B5b3M6EQ~)
Novell iManager 2.7
McAfee* VirusScan* Enterprise (8.0i, 8.5i, and 8.7i)
®
Linux Enterprise Server
TM
8.8.3 with the eDirectory instrumentation patch found on the Novell
novdocx (en) 19 February 2010
The following table lists known issues that still exist in other Sentinel Plug-ins:
Table 9 Known Issues in Sentinel Plug-ins
Issue Number Description
524664 Issue: Queue full condition might cause unpredictable behavior.
If a queue size limit is set for the Integrator, and the queue is full, and the
Integrator configuration specifies that the oldest messages are to be
dropped, it is possible that the thread which attempts to drop the oldest
message has a conflict with the thread that is reading data from the queue
to send it over the wire. One or both threads might incorrectly modify the
queue read pointer, or other unexpected behaviors may occur such as
exceptions, etc.
Workaround: Do not specify a queue limit.
or
Specify that the newest message should be dropped instead of the oldest.
522544 Issue: Collector stops requesting data from the Database Connector if the
event source is restarted but the collector is not also restart.
Workaround: Stop the collector, then start the event source. Starting the
event source causes the collector to start.
504507 Issue: When configuring a File event source, the browse button does not
18 Novell Sentinel Log Manager 1.0.0.5 Release Notes
work properly when running the Event Source Management Interface on
some operating systems (for example, Windows XP).
Workaround: Type in the file or directory path in the text field.
Page 19
Issue Number Description
524671 Issue: Integrators threads are not started when server starts.
Currently, the Sentinel Link Integrator is not initialized and started until
they receive their first event from an action. This is because it may have
events stored in its queue that should be forwarded. When the Integrator
starts, a background thread is also started to process this.
Workaround: If Integrator is not sending events, either because no events
are happening or events are being filtered by rules, you must generate a
fake event that does not get filtered in order to get your Integrator started.
To determine if the Integrator thread is started, search for a message in
the log that indicates that the Integrator has started. It will be logged by the
StoreAndForward logger
(esecurity.ccs.comp.Integrator.slink.StoreAndForward), and will have a
message similar to the following:
Thread processing messages from store and forward queue
starting up
or
.
novdocx (en) 19 February 2010
SentinelLinkStoreAndForward thread starting up
NOTE: The actual message might change, so search for messages
logged by the StoreAndForward logger.
526364 Issue: Some connector documentation has the wrong version of the
connector stated in the documentation. For example, the documentation
may say 6r5 when the version of the connector is really 6r6.
Workaround: This is a typo. To determine the correct version of the
connector, open the Event Source Manager Interface, select the
connector from the list of connectors on the left hand side of the interface,
and click the info button.
.
6 Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
in a cross-reference path.
®
A trademark symbol (
, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party
trademark
7 Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this
documentation, and specifically disclaims any express or implied warranties of merchantability or
fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication
and to make changes to its content, at any time, without obligation to notify any person or entity of
such revisions or changes.
Novell Sentinel Log Manager 1.0.0.5 Release Notes 19
Page 20
Further, Novell, Inc. makes no representations or warranties with respect to any software, and
specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of
Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export
controls and the trade laws of other countries. You agree to comply with all export control
regulations and to obtain any required licenses or classification to export, re-export, or import
deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion
lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not
use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please
refer to the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for
more information on exporting Novell software. Novell assumes no responsibility for your failure to
obtain any necessary export approvals.
Copyright © 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced,
photocopied, stored on a retrieval system, or transmitted without the express written consent of the
publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is
described in this document. In particular, and without limitation, these intellectual property rights
may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://
www.novell.com/company/legal/patents/) and one or more additional patents or pending patent
applications in the U.S. and in other countries.
novdocx (en) 19 February 2010
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/
company/legal/trademarks/tmlist.html).
All third-party trademarks are the property of their respective owners.
20 Novell Sentinel Log Manager 1.0.0.5 Release Notes
Loading...