Issue: When a correlation event is linked to an incident, and you select View Triggers for that correlation event in Sentinel Control Center (SCC), the Sentinel Web interface displays an exception before displaying events. (BUG 846198)

Fix: The Sentinel Web interface now displays the triggers without causing an exception.

Issue: The Sentinel Web interface becomes unresponsive when there are a large number of user identities to be displayed. (BUG 895636)

Fix: Sentinel now displays a fixed number of user identities per search. To narrow down your identities search results, refine your search query by specifying any of the identity parameters in the Find People field or use the Advanced Search option.

Issue: When you launch SCC from two different Sentinel servers, the Sentinel proxy certificate of the first Sentinel server, which you used to launch SCC, is overwritten with the second Sentinel server proxy certificate. (BUG 887468)

Fix: Sentinel now stores the certificates with the IP addresses of the Sentinel servers you use to log in to SCC, and does not prompt for the certificate in those servers where you have already logged in once.

Issue: When the Sentinel Agent Manager database receives attributes from a large number of agents over a given time period, these attributes are not synchronized to the Sentinel database. (BUG 926763)

Fix: Sentinel now has a fine-tuned synchronization mechanism between Sentinel database and Sentinel Agent Manager database.

Issue: When the maximum event source nodes limit is exceeded, Sentinel does not generate summary based reports, and writes exceptions to log files when you try to run these reports. (BUG 928211)

Fix: Sentinel now handles large number of event source nodes efficiently.

Issue: Sentinel might not process and store event data correctly, if the data buffer locations contain user-created files. (BUG 930827)

Fix: Sentinel now deletes all user-created files in the data buffer locations periodically, and processes and stores event data correctly.

Issue: If you have set your browser language to a language other than English, some elements in the Sentinel Web interface might not appear correctly. (BUG 932663 and BUG 940674)

Fix: Sentinel Web interface displays all the elements correctly in all supported languages.

Issue: If you are using Firefox 37.0.4 or a later version, Sentinel displays an error while logging out. However, there is no impact on the functionality because of this error. (BUG 935309)

Fix: Sentinel Web interface handles the logout request correctly and does not display any error while logging out.

Issue: Sentinel does not let you remove string elements from dynamic lists in SCC or through a correlation action. (BUG 939244)

Fix: Sentinel now removes the string elements from the dynamic list files.

Issue: Search results are incomplete when you perform search with date range by using scheduled saved searches. (BUG 940604)

Fix: Sentinel displays the entire search results for saved searches for all time ranges.

Issue: You cannot edit the scheduled report jobs for reports that you created by using Create Report in the Sentinel Web interface. Sentinel displays an error message when you try to edit those scheduled report jobs. (BUG 940785)

Fix: You can now edit scheduled report jobs for reports you created by using Create Report in the Sentinel Web interface.

Issue: Correlation rules do not allow event fields with names that contain the underscore character (_). (BUG 940829)

Fix: Correlation rules allow event fields with names that contain the underscore character.

Issue: During upgrade, Sentinel overwrites the custom configuration values of some properties in the server.conf file, such as wrapper.java.additional.49. (BUG 941071)

Fix: You can now save your custom configuration information by performing the following procedure before the upgrade:

Issue: If lengthy correlation rules with a large number of filter evaluation expressions are available in the deployed state in your Sentinel system before upgrade, Sentinel server, Web interface, and Remote Correlation Engine do not start after you upgrade Sentinel to version 7.3.1.

Fix: The Sentinel server and other components now start successfully after the upgrade, even if complex correlation rules are present. You can now create and deploy complex correlation rules.

Issue: Sentinel server might run out of memory and shut down when you run searches that span across a large number of days, and the number of search results is less than 50000. (BUG 943943)

Fix: Sentinel 7.3.2 improves memory utilization during searches that span across a large number of days.

Issue: Data synchronization between Sentinel and the Oracle database fails if any event contains invalid date range, for example, a future date such as year 22015. (BUG 925772)

Fix: Data synchronization takes place seamlessly. If any events with an invalid date range are encountered, Sentinel logs those events in a log file, and processed with the next batch of events for synchronization.

Issue: An idle timeout period with the default value of 15 minutes is configured in Sentinel for report generation process. Often, reports with huge data, such as in an environment where several tenants are present, do not complete in 15 minutes, and report jobs are cancelled abruptly. (BUG 941612)

Fix: You can configure the idle timeout period value for report generation by performing the following procedure:

Issue: The report generation process stops if the report query contains the string over. For example, creation of report with the query (evt:"recovery") fails. (BUG 939902)

Fix: Reports generate correctly even if the report query contains the string over.

Issue: If you create a correlation rule that depends on a map and deploy it on a remote correlation engine, Sentinel logs the following warning message when the map changes:

Fix: Sentinel does not log the warning message for correlation rules that depend on a map.

Issue: When you specify a refined event search query in event search, such as last 30 days, Sentinel does not display any event data. (BUG 947867)

Fix: Sentinel now displays correct data for refined event searches.

Issue: Mappings created by using event field mapping do not work after you upgrade Sentinel to version 7.3.1. (BUG 944251)

Fix: Sentinel regenerates all maps created before upgrade to version 7.3.1, and event mapping works correctly after upgrade to version 7.3.1.

Issue: Solution Designer displays a null pointer exception error when you go to the Content Palette window and select the correlation rules that contain an inlist term that is not surrounded by parentheses. (BUG 938039)

Fix: Correlation rules that contain an inlist term that is not surrounded by parentheses are handled properly.

Issue: Sentinel fails to display results when you use Polish letters to search in the People browser. (BUG 943261)

Fix: Sentinel now recognizes the Polish letters in the People search and displays results accordingly.

Issue: After you upgrade Sentinel to version 7.3.1, it does not display any list elements in dynamic lists in SCC and the Web interface even though list elements are present in dynamic lists. (BUG 947622)

Fix: Sentinel now displays the dynamic list elements in the Web interface and SCC correctly.

Issue: In the Correlation navigation panel, there is inconsistent spacing between the parenthesis and the number that indicates the number of correlation rules. (BUG 948088)

Fix: Spacing is now consistent in the Correlation navigation panel.

Issue: Changes introduced in Sentinel 7.3.1 to improve the handling of a large number of maps resulted in Collector Manager utilizing significantly more CPU than in previous versions. This may cause the CPU to be overloaded after the upgrade to Sentinel 7.3.1, and the EPS to go down. (BUG 933409)

Fix: Mapping service now utilizes considerably less CPU, so the Collector Manager performance is now much closer to the performance of Sentinel versions prior to 7.3.1.

Issue: Sentinel Control Center and Solution Designer do not launch in computers that contain Java version JRE 8 update 60. Sentinel displays the following error:

Fix: You can now launch Sentinel Control Center and Solution Designer in computers that contain Java version JRE 8 update 60.

Issue: The security vulnerability fixes included in Sentinel 7.3.1 involved changes to the communication mechanism for a secured connection. These changes are not compatible with Sentinel UNIX Agent 7.4. Therefore, Sentinel cannot receive events from Sentinel UNIX Agent 7.4. (BUG 953990)

Workaround: There is no workaround at this time. This issue will be resolved when a compatible version of Sentinel UNIX Agent is made available.

Issue: Sentinel alert views and alert dashboards do not display alerts that have IPv6 addresses in IP address fields. (BUG 924874)

Workaround: To view alerts with IPv6 addresses in Sentinel, perform the steps mentioned in NetIQ Knowledgebase Article 7016555.

Issue: Sentinel displays an error when you try to configure NFS as secondary storage location after you Sentinel appliance to version 7.3.1 and later. (BUG 934851)

Workaround: After upgrading the Sentinel appliance, restart the SLES operating system using the following command:

Issue: When you upgrade Sentinel and start the Sentinel server, you might see the following exception in the server log:

Workaround: Ignore the exception. There is no impact to Sentinel performance because of this exception.

Issue: Sentinel uses the Diffie-Hellman protocol to communicate with Secure Configuration Manager. As part of fixing the Logjam vulnerability, the certificate key size for the Diffie-Hellman protocol in Sentinel has been increased to 2048. However, Secure Configuration Manager uses the default certificate key size; that is, 1024. Because of this mismatch, Secure Configuration Manager can no longer communicate with Sentinel. (BUG 935987)

Workaround: Until a fix is available from Secure Configuration Manager, you can perform the following steps:

Issue: As part of fixing the Bar Mitzvah vulnerability, Sentinel disabled the RC4 ciphers on SSL ports enabled for the Web server. However, Change Guardian uses RC4 ciphers to communicate with Sentinel. Therefore, Change Guardian can no longer communicate with Sentinel. (BUG 935401)

Workaround: Until a fix is available from Change Guardian, you can perform the following steps:

Issue: When Sentinel is integrated with Change Guardian 4.1, it does not display Change Guardian delta attached information, in spite of being configured to receive Change Guardian events. (BUG 936704)

Workaround: Upgrade Change Guardian to version 4.1.1 or later.

Issue: The Bar Mitzvah security vulnerability exists in Sentinel Link Connector. Sentinel Link Connector uses the RC4 algorithm in SSL and TSL protocols, which might allow plaintext recovery attacks against the initial bytes of a stream. For more information, see CVE-2015-2808. (BUG 933741)

Workaround: The Sentinel Link Connector version 2011.1r4 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.

Issue: The Agent Manager Connector version 2011.1r3 does not set the CONNECTION_MODE property in the events if the Collector parsing the events supports multiple connection modes. (BUG 880564)

Workaround: The Agent Manager Connector version 2011.1r5 and later resolve this issue. Until it is officially released on the Sentinel Plug-ins website, you can download the Connector from the Previews section.

Issue: Sentinel Agent Manager ignores the value specified in RawDataTapFileSize attribute in the SMServiceHost.exe.config file for the raw data file size configuration, and stops writing to the raw data file when the file size reaches 10 MB. (BUG 867954)

Workaround: Manually copy the content of the raw data file into another file and clear it when the file size reaches 10 MB, so that Sentinel Agent Manager can write new data into it.

Issue: In upgraded installations of Sentinel 7.3, when you search for alert attributes in the Tips table in the Web interface, the search does not return the complete list of alert fields. However, alert fields display correctly in the Tips table if you clear the search. (BUG 914755)

Workaround: There is no workaround at this time.

Issue: Data synchronization fails when you try to synchronize IPv6 address fields in a human readable format to external databases. For information about configuring Sentinel to populate the IP address fields in human readable dot notation format, see Creating a Data Synchronization Policy in the NetIQ Sentinel Administration Guide. (BUG 913014)

Workaround: To fix this issue, manually change the maximum size of the IP address fields to at least 46 characters in the target database, and re-synchronize the database.

Issue: If run an event search when your role's security filter is blank and your role does not have event viewing permissions, the search does not complete. The search does not display any error message about the invalid event viewing permissions. (BUG 908666)

Workaround: Update the role with one of the following options:

Issue: When editing a saved search upgraded from Sentinel 7.2 to a later version, the Event fields panel, used to specify output fields in the search report CSV, is missing in the schedule page. (BUG 900293)

Workaround: After upgrading Sentinel, recreate and reschedule the search to view the Event fields panel in the schedule page.

Issue: Sentinel does not return any correlated events when you search for all correlated events that were generated after the rule was deployed or enabled, by clicking the icon next to Fire count in the Activity statistics panel in the Correlation Summary page for the rule. (BUG 912820)

Workaround: Change the value in the From field in the Event Search page to a time earlier than the populated time in the field and click Search again.

Issue: Sentinel running in FIPS 140-2 mode does not display Change Guardian delta attached information when you search for Change Guardian events and click the Change Guardian icon, in spite of being configured to receive Change Guardian events. Change Guardian releases prior to version 4.2 do not support sending events in FIPS 140-2-compatible mode. (BUG 912230)

Workaround: There is no workaround at this time.

Issue: Upgrading to Sentinel 7.3 causes data collection and data synchronization with the DB2 database to fail, because the upgrade removes the IBM DB2 JDBC driver. (BUG 909343)

Workaround: After upgrading to Sentinel 7.3, add the correct JDBC Driver and configure it for data collection and data synchronization, by performing the following steps:

Issue: When you click Select All in alerts views to select alerts, deselect few alerts, and modify them, new incoming alerts are also selected in the refreshed alert views. This results in wrong count of alerts selected for modification, and also it appears as if you are modifying new incoming alerts too. However, only the originally selected alerts are modified. (BUG 904830)

Workaround: No new alerts will appear in the alert view if you create the alert view with a custom time range.

Issue: Historical Security Intelligence (SI) data takes a long time to load in Sentinel systems that have a high Events Per Second (EPS) load. (BUG 908599)

Workaround: If you are creating a security intelligence dashboard with historical data, plan to deploy the dashboard when the load on your system is lower, if possible. There is no other workaround at this time.

Issue: During Security Intelligence baseline regeneration, the start and finish dates for the baseline are incorrect and display 1/1/1970. (BUG 912009)

Workaround: The correct dates are updated after the baseline regeneration is complete.

Issue: Sentinel server shuts down when you run a search if there are a large number of events indexed in a single partition. (BUG 913599)

Workaround: Create retention policies in such a way that there are at least two partitions open in a day. Having more than one partition open helps reduce the number of events indexed in partitions.

Issue: Sentinel displays an error when you use the report_dev_setup.sh script to configure Sentinel ports for firewall exceptions. (BUG 914874)

Workaround: Configure Sentinel ports for firewall exceptions through the following steps:

Issue: Sentinel Generic Collector performance degrades when Generic Hostname Resolution Service Collector is enabled on Microsoft Active Directory and Windows Collector. EPS decreases by 50% when remote Collector Managers send events. (BUG 906715)

Workaround: There is no workaround at this time.

Issue: When you install Sentinel in FIPS 140-2 mode, connector to Security Intelligence database fails to start, and Sentinel cannot access Security Intelligence, Netflow, and alert data. (BUG 915241)

Workaround: Restart Sentinel after installing and configuring in FIPS 140-2 mode.

Issue: When you upgrade to Sentinel 7.3 from a custom installation of Sentinel that was installed by a non-root user and was configured in FIPS 140-2 mode, Security Intelligence database and Alert Dashboard occasionally do not start. (BUG 916285)

Workaround: Perform the following steps:

Issue: When installing Sentinel Appliance, the network interface is not configured by default. (BUG 867013)

Workaround: To configure the network Interface:

Issue: When exporting search results in Sentinel, the Web browser might display an error if you modify the operating system language settings. (BUG 834874)

Workaround: To export search results properly, perform either of the following:

Issue: If the number of days of data that secondary storage can hold is less than the number of days of data that primary storage holds, Sentinel does not use the disk space in primary storage efficiently. Partitions removed from secondary storage to free up space will also be removed from primary storage. (BUG 860888)

Workaround: Allocate enough space in secondary storage to hold data for the total number of days you want to keep online (searchable).

Issue: On systems with more than 2 TB disk space, Sentinel might not start automatically after the installation. (BUG 846296)

Workaround: As a one-time activity, start the Sentinel services manually by specifying the following command:

Issue: In Sentinel appliance installations, if you configure Kerberos authentication in the Kerberos module, the console displays a confirmation message that the Kerberos client configuration was successful. When you view the Kerberos module again, however, the Enable Kerberos Authentication option is deselected. (BUG 843623)

Workaround: There is no workaround at this time.

Issue: When you install a remote Collector Manager, if you specify a password that contains special characters, such as ‘$’, ‘"‘, ‘\’, or ‘/’, the installation fails with errors. (BUG 812111)

Workaround: Do not use special characters in the remote Collector Manager password.

Issue: When you restart a remote Collector Manager appliance, the Syslog event sources connected on the UDP port lose connection. (BUG 795057)

Workaround: There is no workaround available at this time.

Issue: While you wait for one report result PDF to open, particularly report results of 1 million events, if you click another report result PDF to view, the report result is not displayed. (BUG 804683)

Workaround: Click the second report result PDF again to view the report result.

Issue: When FIPS 140-2 mode is enabled in your Sentinel environment, using Windows authentication for Agent Manager causes synchronization with the Agent Manager database to fail. (BUG 814452)

Workaround: Use SQL authentication for Agent Manager when FIPS 140-2 mode is enabled in your Sentinel environment.

Issue: If FIPS 140-2 mode is enabled, the Sentinel High Availability installation displays the following error:

Workaround: There is no fix or workaround available at this time. Although the installer displays the error, the Sentinel High Availability configuration works successfully in FIPS 140-2 mode.

Issue: The Sentinel High Availability installation in non-FIPS 140-2 mode completes successfully but displays the following error twice:

Workaround: There is no fix or workaround available at this time. Although the installer displays the error, the Sentinel High Availability configuration works successfully in non-FIPS 140-2 mode.

Issue: Appliance update from versions prior to Sentinel 7.2 fails because the vendor for the update packages has changed from Novell to NetIQ. (BUG 780969)

Workaround: Use the zypper command to upgrade the appliance. For more information, see Upgrading the Appliance by Using zypper in the NetIQ Sentinel Installation and Configuration Guide.

Issue: Solution Manager does not install correlation rules when a correlation rule with an identical name already exists on the system. A NullPointerException error is logged in the console. (BUG 713962)

Workaround: Ensure that all correlation rules have a unique name.

Issue: When you execute a Sentinel Link action from the Web interface Sentinel displays a success message even though the Sentinel Link Connector integrator test failed from the Sentinel Control Center. (BUG 710305)

Workaround: There is no workaround at this time.

Issue: When a Security Intelligence dashboard and an anomaly definition have identical names, the dashboard link is disabled on the Anomaly Details page. (BUG 715986)

Workaround: Ensure you use unique names when creating dashboards and anomaly definitions.

Issue: The Sentinel Web interface displays negative numbers in the Active Search Job Duration and Accessed columns when the Sentinel Web interface computer clock is behind the Sentinel server clock. For example, the Duration and Accessed columns display negative numbers when the Sentinel Web interface clock is set to 1:30 PM and the Sentinel server clock is set to 2:30 PM. (BUG 719875)

Workaround: Ensure the time on the computer you use to access the Sentinel Web interface is the same as or later than the time on the Sentinel server computer.

Issue: When you log in to the security dashboard and perform a search for IssueSAMLToken audit event, the IssueSAMLToken audit event displays incorrect hostname (InitiatorUserName) or (IP address) SourceIP. (BUG 870609)

Workaround: There is no workaround at this time.

Issue: Sentinel Control Center does not launch when the NetIQ Identity Manager Designer is installed on the client computer and Designer uses the system JRE. Designer needs to add some supporting jar files like xml-apis.jar to the lib/endorsed directory. Some of the classes in the xml-apis.jar file override the corresponding classes in the system JRE that is used by the Sentinel Control Center. (BUG 888085)

Workaround: Configure Designer to use its own JRE.

Issue: While collecting event data, Sentinel Agent Manager does not capture the Windows Insertion String fields with null values. (BUG 838825)

Workaround: There is no workaround at this time.