Sentinel 7.1.0.2 was released on February 14, 2014. It is designed for
customers who need to go through significant change control processes
before upgrading to 7.1.1.2, which is currently the most recent patch.
Here is a list of the new enhancements and fixes included in this
hotfix. (For the list of software fixes and enhancements in previous
releases, see the 'Sentinel 7.1 Documentation Web site'
(http://www.netiq.com/documentation/sentinel71).)


ADMINISTRATOR CAN CHOOSE THE NAME AND MESSAGE FIELD DISPLAY FOR THE
CORRELATED EVENTS

The Sentinel administrator can now choose from the two display options
for the name and message fields for a correlated event. The default
display option (introduced in Sentinel 7.1.0.1) for the name field is to
show the name of the correlation rule and for the message field is to
show the description of the correlation rule. The alternative (used in
Sentinel 7.1.0.0 and previous versions) is the name field set to the
default value CorrelatedEvent and message to show the message field of
the original triggering event.

To change the name and message field display for the correlation events
back to the Sentinel 7.1.0.0 standard:

- Add the following property in the
$ESEC_CONFIG_HOME/config/configuration.properties file:
sentinel.correlation.eventformat=7.1
- Restart the Sentinel server.

NOTE: If you set sentinel.correlation.eventformat to anything other than
7.1, the system will default to the 7.1.0.1 behavior.

THE COPY PROCESS TRUNCATES FILES OVER 2 GB

Issue: In Sentinel 7.1.0.0 and 7.1.0.1, the copy process that moves
parsed event data partitions from primary storage to secondary storage
can truncate files larger than 2 GB. The copy process copies the first 2
GB successfully, but does not copy the remainder of the file and does
not report any error. (BUG 860845)

This issue does not occur if secondary storage is disabled. This issue
is unlikely to occur if the event rate is low (less than 500 events per
second) or if there are multiple data retention policies in effect
(which increases the number of event partitions and therefore decreases
the probability that any individual event partition is larger than 2
GB). This issue does not affect raw (unparsed) data. For more
information on this issue, see TID 7014515 in the Novell Support
Knowledge Base.

Fix: Sentinel now uses a different copy process to avoid this error.
After copying an event data file to secondary storage, Sentinel runs
data checks automatically to verify that the copy completed
successfully. If the file check fails, Sentinel automatically retries
the copy. The default data check is a quick verification of file size to
detect file truncation. Sentinel also provides an alternate check that
compares strong checksums (hashes) of the source file and its copy to
detect file truncation and additionally many forms of data corruption.
However, the alternate check requires significant I/O and will impact
the system performance.

To enable the alternate check:

- Log in to the Sentinel server.
- Open the etc/opt/novell/sentinel/config/configuration.properties
file in an editor.
- Set the partition.archiver.quickintegritycheck property to false as
follows:
partition.archiver.quickintegritycheck=false
- Restart the Sentinel server.
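As an added illustration of the verify-and-retry pattern described above (this is not Sentinel's own code; the function names and the "copier" hook are assumptions), the following Python shows why the quick size check catches the 2 GB truncation but passes a same-size corruption, which only the hash comparison detects:

```python
import hashlib, os, shutil, tempfile
from pathlib import Path
# Added illustration, not Sentinel's code: the function names and the "copier" hook are assumptions.
def quick_check(src, dst):
    """Quick check: compare sizes only. Catches truncation, not corruption."""
    return os.path.getsize(src) == os.path.getsize(dst)

def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; real partitions can exceed 2 GB
            h.update(chunk)
    return h.hexdigest()

def strong_check(src, dst):
    """Strong check: SHA-256 of both files. Catches truncation and corruption; costs a full read of each."""
    return _digest(src) == _digest(dst)

def archive_with_retry(src, dst, copier, quick=True, retries=3):
    """Copy, verify with the chosen check, retry on failure. Returns the passing attempt number, 0 if none."""
    check = quick_check if quick else strong_check
    for attempt in range(1, retries + 1):
        copier(src, dst)
        if check(src, dst):
            return attempt
    return 0

def truncating_copier(keep):
    """Constructed fault mimicking the 2 GB bug: attempt 1 silently drops the tail, later attempts copy in full."""
    calls = []
    def copy(src, dst):
        calls.append(1)
        Path(dst).write_bytes(Path(src).read_bytes()[: keep if len(calls) == 1 else None])
    return copy

def corrupting_copier(src, dst):
    """Constructed fault: same size, one byte flipped, so only a hash comparison can see it."""
    data = bytearray(Path(src).read_bytes())
    data[0] ^= 0xFF
    Path(dst).write_bytes(bytes(data))

def demo():
    d = Path(tempfile.mkdtemp())
    src = d / "events.part"
    src.write_bytes(bytes(range(256)) * 32)  # constructed 8 KiB sample partition file
    r = {"truncated_quick": archive_with_retry(src, d / "a", truncating_copier(1024)),
         "corrupt_quick": archive_with_retry(src, d / "b", corrupting_copier),
         "corrupt_strong": archive_with_retry(src, d / "c", corrupting_copier, quick=False)}
    shutil.rmtree(d)
    return r
```

The quick check needs a second attempt to get past the truncating copier, accepts the corrupted copy on the first attempt, and only the strong check rejects the corrupted copy on every retry.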

LOCAL SEARCH RESULTS WITH MORE THAN 50,000 EVENTS CANNOT BE EXPORTED TO
A FILE

Issue: You cannot export local search results with more than 50,000
events to a file. (BUG 844532)

Fix: You can now export local search results up to 200,000 events to a
file.

THE VIEW TRIGGERS OPTION PROVIDES INVALID INFORMATION

Issue: The View Triggers option displays events that did not trigger the
correlation event. (BUG 848523)

Fix: The View Triggers option now displays only events that triggered
the correlation event.

SENTINEL LOGS ERRORS WHEN YOU CREATE A SECURITY INTELLIGENCE DASHBOARD

Issue: When you create a Security Intelligence dashboard and use filters
where the event fields are not enclosed in quotes or filters that
contain wildcard characters (for example, * or ?), Sentinel logs several
errors. (BUG 847504)

Fix: Sentinel no longer logs errors when you create the Security
Intelligence dashboard.

SOME CORRELATION RULES INITIATE A LARGE NUMBER OF SIMULTANEOUS SEARCHES

Issue: Some correlation rules generate a large number of correlated
events. As a result, Sentinel services initiate multiple simultaneous
searches to get the list of events that generated the correlated events.
These non-user-initiated simultaneous searches consume all open files
and cause Sentinel to run out of memory. (BUG 861397)

Fix: This hotfix improves the system availability by limiting the number
of non-user initiated simultaneous searches to five.

SENTINEL DISPLAYS ERROR WHEN DOWNLOADING RAW DATA

Issue: When you try to download raw data files from the Sentinel Web
console, Sentinel displays the error Action Failed 500 The call failed
on the server. (BUG 847496)

Fix: You can now download raw data files from Sentinel successfully.

SENTINEL PLUG-INS ARE DOWNGRADED WHILE UPGRADING SENTINEL

Issue: While upgrading Sentinel server, the installer updates some of
the Sentinel plug-ins. If a newer version of the plug-in is already
installed, the installer downgrades the plug-in to the version included
with the installer. (BUG 861392)

Fix: Sentinel plug-ins are no longer downgraded while upgrading
Sentinel.

SENTINEL REPEATEDLY LOGS AN ERROR AFTER RAW DATA CLEANUP

Issue: Sentinel automatically performs raw data cleanup every four
hours. After performing the raw data cleanup, Sentinel closes the writer
stream, which is required to write the raw event data into the file.
Therefore, Sentinel can no longer write the raw event data into the
files and repeatedly logs the error, Writer not initialized: unable to
write in the server logs. This results in a large amount of memory
utilization. (BUG 846976)

Fix: Sentinel no longer closes the writer stream after raw data cleanup
and Sentinel continues to write raw event data into the files.

SENTINEL LOGS AN ERROR WHEN SYNCHRONIZING EVENT DATA WITH THE DATABASE

Issue: When synchronizing event data with the database, if the database
table contains the event fields ModifiedBy and CreatedBy, Sentinel logs
the errors Invalid Event Attribute ModifiedBy and Invalid Event
Attribute CreatedBy in the server logs. The event fields ModifiedBy and
CreatedBy appear blank in the database table. (BUG 848144)

Fix: The event fields ModifiedBy and CreatedBy are restricted for
internal use only and are no longer part of the database table creation
window for data synchronization. For the existing database tables, no
values appear for the event fields in the tables. Sentinel no longer
logs the error while synchronizing event data with the database.


--
CeeDubbVA
View this thread: https://forums.netiq.com/showthread.php?t=50311