Hello!

MicroFocus released a new preview version of the "SUSE Linux Enterprise Server Collector" 2011.1r3:

Download: https://www.netiq.com/support/sentin...review.clz.zip
Documentation: https://www.netiq.com/support/sentin...37-preview.pdf

Release Notes 2011.1r3:

  • To avoid any misinterpretation of the event, if there is no Source and Target host information from the event source, the Collector no longer copies the Observer host information to the Source and Target host fields.
  • Fixed sshd PAM event to parse the SourceHostName/SourceIP properly in Sentinel. (Bug# 973420)
  • Fixed ssh login event parsing issues for laf events. (Bug# 972170)
  • Fixed parsing issues for postfix events. (Bug# 970487)
  • Fixed parsing issues for failed login-user not known event. (Bug# 948218)
  • Fixed parsing issues for sshd connection terminated before authentication event. (Bug# 943003)
  • Kernel messages will be loaded as unsupported events without being dropped. (Bug# 954768)
  • Fixed IP parsing issue for ssh termination event. (Bug# 889064)


A significant change is the decision that the Collector no longer copies the Observer host information to the Source and Target host fields. That means every SSHD or WTMP event is incomplete. Of course it is right that the information about the Target host is not provided by the forwarded event.

On the other hand, MicroFocus copies the TargetUsername (dun) to the InitiatorUsername (sun) field.

Example: Connecting with PuTTY from a Windows workstation with the logged-on user "Jane Doe" to a Linux server with username "root" results in the parsed event that user "root" comes from a Windows workstation and connects with username "root" to the Linux server ... that's really wrong.

In my humble opinion it's better to copy the Observer host information to the Source and Target host fields than to copy the TargetUserName to the InitiatorUserName field.

Or, another possibility: copy the Observer host information to the Source and Target host fields and tag this fact so a security analyst can recognize it.

What do you think?

Sincerely, Jan
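The mapping problem Jan describes (TargetUserName copied into InitiatorUserName, and inferred host fields indistinguishable from observed ones) can be illustrated with a small normalizer. The following is an added example and not code from the post, from the Sentinel Collector, or from MicroFocus. It parses constructed syslog lines in the standard OpenSSH "Accepted/Failed ... for USER from IP port N" format, fills the target host from the syslog observer host only when asked to and records that the value was inferred, takes the source address from the log line itself (sshd records it, so it is never inferred from the observer), and by default never copies the target user into the initiator user field. The field names, the `InferredFields` list and the two keyword flags are assumptions chosen for the example, not Sentinel's own schema.

```python
import re
from typing import Optional

# Constructed sample lines in syslog + OpenSSH sshd format (not taken from the post).
SAMPLE_LINES = [
    "Mar  3 10:15:22 srv01 sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2",
    "Mar  3 10:16:01 srv01 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
]

# Syslog envelope: timestamp, observer host (the host that wrote the line), sshd tag, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
# sshd authentication message; "invalid user " is present only for unknown accounts.
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def normalize(line: str,
              fill_target_from_observer: bool = True,
              copy_target_user_to_initiator: bool = False) -> Optional[dict]:
    """Map one sshd syslog line to a Sentinel-like event dict.

    Returns None for lines that are not sshd authentication events.
    Field names are assumed for this example, not Sentinel's real schema.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m.group("msg"))
    if not a:
        return None

    event = {
        "EventTime": m.group("ts"),
        "ObserverHostName": m.group("host"),
        # Source side comes from the log line: sshd records the remote address.
        "SourceIP": a.group("ip"),
        "SourcePort": int(a.group("port")),
        "SourceHostName": None,          # not in the line; left empty, never inferred
        "TargetHostName": None,          # filled below only if explicitly inferred
        "InitiatorUserName": None,       # the remote user is unknown to sshd
        "TargetUserName": a.group("user"),
        "TargetUserInvalid": bool(a.group("invalid")),
        "AuthMethod": a.group("method"),
        "Outcome": "success" if a.group("outcome") == "Accepted" else "failure",
        # Names of fields whose values were derived rather than observed.
        "InferredFields": [],
    }

    if fill_target_from_observer:
        # Jan's proposal: reuse the observer host, but tag it so an analyst can tell.
        event["TargetHostName"] = event["ObserverHostName"]
        event["InferredFields"].append("TargetHostName")

    if copy_target_user_to_initiator:
        # Reproduces the misattribution the post complains about: the target
        # account is presented as the person who initiated the connection.
        event["InitiatorUserName"] = event["TargetUserName"]
        event["InferredFields"].append("InitiatorUserName")

    return event


def summarize(event: dict) -> str:
    """One-line analyst view that marks inferred values with a trailing '?'."""
    def show(field: str) -> str:
        value = event.get(field)
        if value is None:
            return "-"
        return f"{value}?" if field in event["InferredFields"] else str(value)

    return (f"{event['Outcome']}: {show('InitiatorUserName')}@{show('SourceIP')}"
            f" -> {show('TargetUserName')}@{show('TargetHostName')}")


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = normalize(raw)
        print(summarize(ev))
```

Running the block prints a line per sample event; inferred values carry a trailing `?`, so `root@srv01?` tells the analyst the target host was taken from the observer, while the initiator user stays `-` rather than silently becoming `root`.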