Security Manager 6.5.2 Release Notes
 

NetIQ Security Manager

Version 6.5.2

Release Notes

Date Published: May 2010

 
 

 

This version of the NetIQ Security Manager product (Security Manager) provides several new features. This version also improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

This document outlines why you should install this version and identifies known issues. For more information about installing Security Manager, see the Installation Guide for NetIQ Security Manager.

For more information about this release and for the latest Release Notes, see the Security Manager Suite Documentation web site.

Why Install This Version?

NetIQ Security Manager is the most comprehensive security incident management solution for today's heterogeneous enterprise environments. By consolidating security data from across the enterprise and utilizing advanced correlation, intrusion protection, powerful visualization, and advanced reporting (including trending and forensics capabilities), NetIQ Security Manager enables a rapid identification and response to key security incidents — all through a central security console. The following sections outline the key features and functions provided by this version, as well as issues resolved in this release.

Provides Support for Windows Server 2008 and Windows 7 Computers

Security Manager 6.5.2 provides support for installing and using the following components on computers using Microsoft Windows Server 2008:

  • Central computer
  • Log archive server
  • Database server
  • Reporting server

Note
NetIQ recommends you install all central computers, log archive servers, database servers, and reporting servers in a configuration group on computers using the same version of Microsoft Windows.

In addition, this version includes existing support for deploying agents on Windows Server 2008, Windows Server 2008 R2, and Windows 7 computers and installing user interfaces on Windows Server 2008 and Windows 7 computers. Security Manager 6.5.2 does not support installing components other than agents on computers using Windows Server 2008 Server Core.

Resolves Issue with Monitoring User or Group Accounts in Change Guardian for Active Directory

Security Manager 6.5.2 resolves an issue where a user can enter a maximum of 500 characters in the Authorized Accounts, High-Profile User Accounts, or High-Profile Group Accounts lists in the Change Guardian for Active Directory pages of the Configuration Wizard. Because of this character limit, users can add only roughly 30 user or group accounts to the Configuration Wizard. Users can now enter up to 6000 characters in the lists of monitored user or group accounts in the Configuration Wizard. (ENG282914)

Resolves Forensic Analysis Query Permissions Issue

Security Manager 6.5.2 resolves an issue where you cannot run Forensic Analysis queries using an account other than the Security Manager service account. You can now run Forensic Analysis queries using any account that belongs to the OnePointOp Reporting group. (ENG281371)

Resolves Reporting Cube Depot Installation Issue

Security Manager 6.5.2 resolves an issue where if you try to install Security Manager Reporting components but do not specify the name of the SMCubeDepot server, the setup program cannot complete the installation process. The setup program now replaces any database names left blank with the name of the local computer. (ENG276695)

Resolves Managed Agent Upgrade Issue

Security Manager 6.5.2 resolves an issue where the Agent Manager cannot upgrade managed agents in certain environments because Agent Manager is unable to install the latest version of the required Microsoft Visual C++ redistributable package on managed agent computers. The Agent Manager can now successfully install the redistributable package and upgrade managed agents. (ENG278401)

Resolves Remote Performance Counter Monitoring Issue

Security Manager 6.5.2 resolves an issue where if you upgrade an agent from Security Manager 5.6 to Security Manager 6.5, you cannot use Performance Monitor to remotely monitor performance counters on the agent computer. This issue applies not only to Security Manager counters on the agent computer but to counters of any type. Performance Monitor can now add all performance counters from the remote agent computer.

Resolves Log Archive Server Installation Issue

Security Manager 6.5.2 resolves an issue where the Log Archive Server did not install correctly if the log archive data directory path contained spaces. The Log Archive Server now correctly installs regardless of spacing in the data directory path. (ENG278511)

Resolves Web Console Re-Installation Issue

Security Manager 6.5.2 resolves an issue where you cannot re-install the Web Console after uninstalling it from a computer with the Security Manager Control Center installed. The setup program now correctly re-installs the Web Console if you have previously removed it. (ENG273525)

Resolves Previous Aegis Installation Issue

Security Manager 6.5.2 resolves an issue where the setup program encounters an unexpected error when you install Security Manager components on a computer where NetIQ Aegis had been previously installed. The setup program now installs Security Manager correctly on computers with previous Aegis installations. (ENG284305)

Resolves Forensic Analysis Query View Issue

Security Manager 6.5.2 resolves an issue where if you select a completed Forensic Analysis report in the Security Manager Control Center and select View Query, you cannot use scroll bars on any of the tabs of the Forensic Analysis Query Properties window. You can now use scroll bars on the Forensic Analysis Query Properties window, whether viewing or editing a query. (ENG283396)

Resolves Domain-Less Computer or Device Display Issue

Security Manager 6.5.2 resolves an issue where if you deploy computers or devices that do not belong to a domain and then open the Configuration Wizard, the Configuration Wizard displays each domain-less computer or device as being a member of a separate blank domain tree in the existing computers list. The Configuration Wizard now displays all computers or devices that do not belong to a domain in a single blank domain tree. (ENG281308)

Resolves Issue with Control Center Views in Non-English Environments

Security Manager 6.5.2 resolves an issue where selecting alert or event views in the Security Manager Control Center causes an error in non-English environments. Security Manager now correctly displays alert or event views in non-English environments. (ENG283409)

Resolves Agent Authorization and Registration Event Issue

Security Manager 6.5.2 resolves an issue where if you install a new agent, when that agent starts and attempts to communicate with the central computer for the first time, Security Manager logs events warning that the agent is not registered or authorized, even if the agent is valid. Security Manager now logs events regarding agent registration or authorization only when a previously registered or authorized agent changes to an unauthorized or unregistered state. (ENG283433)

Resolves Upgrade Password Issue

Security Manager 6.5.2 resolves an issue where if you try to upgrade your Security Manager 6.0 installation and input the configuration group password, the setup program displays an error even when the password is correct. The setup program now correctly recognizes the configuration group password. (ENG283128)

Resolves Agent Communication Alert Description Issue

Security Manager 6.5.2 resolves an issue in larger environments with multiple agents where the alert indicating a heartbeat failure (event ID number 2030) does not list the specific agents experiencing failures. The alert now accurately lists all agents experiencing failures and the type of failure experienced. (ENG283045)

Resolves UNIX and iSeries Real Time Event Timestamp Issue

Security Manager 6.5.2 resolves an issue where the timestamp stored in the Security Manager event table is not the same as the agent event timestamp. The description of the event in the Control Center shows the original timestamp of the event. The Security Manager event table now properly displays the timestamps of real-time events. (ENG203028)

Resolves Log Archive Indexing Issue

Security Manager 6.5.2 resolves an issue where, in environments where the log archive server receives a large, continuous amount of data, the indexer can become overwhelmed by incoming messages. When this happens, the log archive can sometimes mark a received message as invalid and stop the NetIQ Security Manager Log Archive service unexpectedly.

Note
Security Manager installations experience this issue very rarely, and only when the log archive server receives a very large flow of data.

The log archive server now handles large amounts of incoming data without stopping the service or flagging valid messages as invalid. (ENG282730)


System Requirements

For the most recently updated list of supported application versions, see the Security Manager Supported Products Web page.

If you want to upgrade an existing Security Manager installation, this version requires one of the following to be installed on all computers before starting the upgrade process:

  • NetIQ Security Manager 6.0 Service Pack 4
  • NetIQ Security Manager 6.5
  • NetIQ Security Manager 6.5 Service Pack 1

Before installing this version on a computer, ensure the computer has a minimum of 400 MB of disk space available for use by the setup program. Because the setup program functionality includes an option to roll back the installation if an error occurs, the setup program copies all Security Manager component files before updating. After the installation finishes, the setup program deletes all temporary copies of the updated files.

Ensure you close all open applications, including the Alert Sentry, before upgrading to Security Manager 6.5.2. If an application is running, the Security Manager setup program may fail to complete the upgrade procedure successfully. To close the Alert Sentry, right-click the Alert Sentry icon in the system tray, and then click Exit. NetIQ also recommends you apply all appropriate security updates for your environment.


Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Administrator Access Required in Windows Server 2008, Windows Vista, and Windows 7 Environments

On computers using Windows Server 2008, Windows Vista, or Windows 7, if you have User Account Control (UAC) enabled, some Security Manager functions require you use an account that is a member of the local Administrators group on the Security Manager computer, either by launching the user interface using an account with local Administrator permissions or running the user interface as administrator.

The following functions or interfaces require that you use an account that is a member of the local Administrators group:

  • Starting and using the Configuration Group Connections utility
  • Starting and using the Log Archive Configuration utility
  • Starting and using the Access Configuration utility
  • Starting and using the Development Console

The following functions or interfaces require that you run as administrator, using an account that is a member of the local Administrators group:

  • Installing or upgrading Security Manager components other than managed agents
  • Uninstalling Security Manager components other than managed agents
  • Changing your configuration group password
  • Starting and using the Log Archive Data Viewer tool (part of Log Archive Resource Kit, installed separately from Security Manager)

You can use all other Security Manager functions or interfaces normally without local Administrator permissions, using an account that belongs to the appropriate OnePointOp groups.

Installing Security Manager Control Center in a Non-Default Location

If you install the Security Manager Control Center on computers running Windows Server 2008, Windows XP, or Windows Vista, and specify a non-default location to install the user interface components, you must manually grant all Control Center users who are not already members of the local Administrators group Write access to the installation folder.

If users do not have Write access to the folder where the Control Center is installed and try to open the Control Center, Security Manager displays an error. (ENG283440)

Installing Security Manager Requires Complete Installation Package

Before installing Security Manager central computer components, ensure the installation computer has access to the complete Security Manager installation package, including all modules. If you copy only the contents of the Intel folder from the installation package to the installation computer and try to install a central computer, the setup program cannot complete the installation process.

Configuration Group Connections Tool Requires Administrator Access

To run the Configuration Group Connections tool, you must use an account that is a member of the OnePointOp ConfgAdms group on both the local and remote configuration group central computers. In addition, the account must also be a member of the Administrators group on the local computer.

If you use an account that is not a member of the local Administrators group, Security Manager incorrectly displays an error message that the service account must be a member of the OnePointOp TrustedServiceAccounts group on the remote central computer. (ENG217656)

Restarting Agents After Upgrade

When you upgrade managed or unmanaged agents, Security Manager installs or replaces the Microsoft Visual C++ redistributable package. If another application or service is using the existing redistributable package, you may need to restart the agent computer after upgrading.

When you upgrade a managed agent, the Agent Manager logs an event in the Application event log on the central computer, warning you that you need to restart the managed agent computer for the agent to function properly. When you upgrade an unmanaged agent, the setup program prompts you to restart the unmanaged agent computer at the end of the installation process.

Module Installation Folder Changed

When you upgrade Security Manager, the setup program moves all existing module files to an application data folder on the central computer. On computers running Windows Server 2003, the setup program moves the files to the following folder:

C:\Documents and Settings\All Users\Application Data\NetIQ Security Manager\OnePoint

On computers running Windows Server 2008, the setup program moves the files to the following folder:

C:\ProgramData\NetIQ\Security Manager OnePoint

If you install any subsequent modules, the Module Installer installs the new module files to the same respective folders. (ENG284329)

Reports Display Extra Characters in Computer Names

In certain environments, a Microsoft Windows error causes Security Manager Forensic Analysis reports and Summary reports to display the names of source computers in report data incorrectly, with an extraneous special character added at the end of the name. This issue only occurs when Security Manager receives NT Lan Manager (NTLM) logon events with event ID 680. To resolve this issue, you can download and install a Microsoft hotfix from the following link on the Microsoft support site:

http://support.microsoft.com/kb/936182

After you install the hotfix on your Windows Server 2003 central computers, Forensic Analysis and Summary reports no longer display the extra characters in computer names. (ENG284345)

Incorrect Agent Installation Error in Windows Server 2008 R2 Environments

When you install or deploy an agent on a computer using Windows Server 2008 R2 that does not already have the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package prerequisite installed, the setup program logs a SideBySide error event in the Application event log on the agent computer. However, the setup program successfully installs the agent after logging the error event. You can safely ignore this error. (ENG287319)

Alert Processing Response Scripts May Not Run in Windows Server 2008 R2 Server Core Environments

When you install an agent on a computer using Windows Server 2008 R2 Server Core, some alert processing rules deployed to the agent may not function properly. If an alert processing rule runs a response script that uses one or more Windows Management Instrumentation (WMI) objects, the response script stops unexpectedly when trying to use the WMI object and logs error Events 9100 and 21245 in the Application log. Event processing rules and response scripts that do not use WMI objects run in Windows Server 2008 R2 Server Core environments without encountering this issue. (ENG288696)

Module Installer Does Not Overwrite Customized Rules

When the Module Installer looks for a new version of a module, the utility uses the date and time the module rules were last modified or updated to determine if newer versions of those rules exist. If the Module Installer finds a date/time stamp from a later date or time than the standard date/time stamp of any of the rules, the utility assumes you have already updated that rule to the latest version available and does not attempt to install a newer version of the rule when it installs the new version of the module.

If you modify or customize a default rule included in a module, the Module Installer does not check to see if the date/time stamp is earlier than the date/time stamp of the most recent rule version, but instead sees any difference in the date/time stamp as a flag that the rule has already been updated. The Module Installer does not overwrite the customized rules with the latest available versions of those rules, even if the latest versions are significantly newer than the original, un-customized rules. (ENG269487)

Event Views Inconsistent When Displaying More Events Than Maximum

If a selected view returns more than the configured maximum number of events, the Security Manager Control Center may not consistently display the same set of events each time a user accesses the view. If you want to view a consistent set of events, increase the maximum number of events displayed in the view (up to 10000 events), use specific criteria to enable the view to return a more focused set of events, or shorten the time range of the configured time period criterion for the view.

Installing Modules on User Interface Computers with Managed Agents Deployed

If you install Security Manager user interface components on a computer and then deploy a managed agent to that computer before upgrading from Security Manager 6.0 Service Pack 4 or Security Manager 6.5, the Agent Manager removes the regobj.dll file. If you then use the Module Installer to import a new module on the user interface computer, Security Manager attempts to install the missing file, which no longer exists, and does not allow you to import the module.

This version of Security Manager prevents the Agent Manager from removing the regobj.dll file from any computers on which you want to install Security Manager user interface components after installing Security Manager 6.5.2. However, Security Manager 6.5.2 does not fix existing computers that experience this issue. To enable Security Manager to import new modules, copy the regobj.dll file from another computer in your configuration group and install the file in the WINDOWS\system32 folder on the user interface computer. (ENG275798)

Upgrading Multiple Configuration Groups that Use the Same Agents

When upgrading multiple configuration groups from Security Manager 6.0 to version 6.5.2, ensure all Windows agents are used by only one configuration group at a time during the upgrade process. If multiple configuration groups use the same agent, you must remove that agent from one of the configuration groups before you upgrade the central computer of either group. Security Manager cannot function properly if an agent is sending data to two different central computers running different versions of Security Manager.

Using New Syslog Rules with Legacy Agents

If you create a new syslog provider and custom rules using Security Manager 6.5, Security Manager 6.5 Service Pack 1, or Security Manager 6.5.2, you should not associate your new syslog rules with a computer group that includes one or more legacy agents. Legacy agents do not contain the new syslog provider and instead return repeated error events and alerts after you associate the rules with the computer group.

Legacy agents are version 6.0 and earlier. (ENG243700)

Syslog Provider Does Not Support Log Archival Filter Rules

If you create a new syslog provider using Security Manager 6.5, Security Manager 6.5 Service Pack 1, or Security Manager 6.5.2, you cannot create log archival filter rules to filter syslog data sent by the syslog provider. You can create log archival collection rules for syslog data, but the syslog provider ignores any criteria specified. If you want to filter syslog data or collect only specific events, you must configure the parse map for your syslog provider to process syslog data. (ENG269678)

Installing New Log Manager Modules Causes Repeating Events on Legacy Agents

If you upgrade to Security Manager 6.5.2 but do not upgrade all agents, and then you install a new Log Manager module and force Security Manager to send configuration changes to your agents, any legacy agents that do not need the new Log Manager module generate a repeating configuration change event (event ID 21270) every five minutes. To allow your legacy agents to ignore the new module, modify any agent configuration setting. The configuration change takes effect at the next agent heartbeat.

To send new Log Manager module information to legacy agents:

  1. Open the Security Manager Development Console.
  2. In the left pane, expand Configuration.
  3. Click Global Settings.
  4. On the Action menu, click Edit Agent Settings.
  5. Modify any agent setting.
  6. Click OK.

(ENG262913)

Configuring Number of Log Archive Server Indexing Jobs

When you install the Security Manager log archive server component, the setup program configures the log archive server to use a number of indexing jobs equal to the number of cores on the computer by default. However, if you do not use a dedicated log archive server computer, this configuration can cause the log archive server to consume a disproportionate amount of resources.

If you want to install the log archive server on a computer with other Security Manager components, NetIQ recommends reducing the number of indexing jobs to half the number of cores on the computer.

You can change the number of indexing jobs by modifying the LogArchiveConfiguration.config file. On log archive servers running Windows Server 2003, the file is located in the following folder:

C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager

On log archive servers running Windows Server 2008, the file is located in the following folder:

C:\ProgramData\NetIQ\Security Manager

Change the IndexJobCount setting to a value other than default. If your log archive server computer uses Windows Server 2008, ensure you edit the LogArchiveConfiguration.config file using an account that is a member of the local Administrators group.

Central Computer Uses Local Time for Real-Time UNIX/iSeries Event Date/Time Stamps

When the central computer receives real-time events from a UNIX or iSeries agent, Security Manager uses the local time of the central computer to create a date/time stamp for the received events. The event description displays the original date/time stamp, while the Control Center displays the central computer date/time stamp. (ENG203028)

Application Log Provider Cannot Parse UTF-8 Encoded Event Data

The Security Manager application log provider cannot properly handle the encoding of special characters in UTF-8 log files. When Security Manager receives event data from the IIS Application Log - FTP provider that includes special characters, the event data represents those special characters incorrectly. (ENG249121)

Setup Program Incorrectly Validates a Specified Destination Folder

When installing Security Manager, if you click Browse on the Destination Folders window, specify an incorrect path, and then click Cancel, the setup program incorrectly displays the following error message:

Error 1314. The specified path Type is unavailable.

Click OK, specify a correct path, and then click Cancel to cancel the change. (ENG255151)

Control Center Cannot Display All Trend Analysis Field Criteria

By default, the Security Manager Control Center can display a maximum of 32,000 check box items in a particular Trend Analysis filter. For example, if you want to filter a Severity Analysis report by target user but have 40,000 users in your environment, the filter list only displays 32,000 of your users in the Target User column in the table control window.

However, you can save a Trend Analysis report and manually modify the saved report to display more than 32,000 items without selecting them using the table control window filters.

To create a customized Trend Analysis report that includes more than 32,000 items:

  1. Open the Security Manager Control Center.
  2. In the Navigation pane, click Trend Analysis.
  3. Click the report you want to customize.
  4. In the table control window, drag and drop the field you want to modify in the customized report into the data view so the report displays the field items.
  5. Click the field and clear at least two of the displayed items.
  6. On the Tasks menu, click Save Report As.
  7. Specify a report name and click Save.
  8. Click OK.
  9. Close the Control Center.
  10. Navigate to Documents and Settings\UserName\Local Settings\Application Data\NetIQ\Security Manager\Trend Analysis, where UserName is the name of the account you used to log in to the local computer.
  11. Open Trend.Config using a text editor.
  12. Search for the name of your saved report.
  13. In the saved report XML, search for the field you modified.
  14. Within the field XML tag, copy the <DATA>TEXT</DATA> line as necessary and substitute the data you want to include in the report for TEXT.
  15. Save and close Trend.Config.
  16. Open the Control Center and navigate to the saved Trend Analysis report.

(ENG241433)

Alert Views May Not Display Full Descriptions for Events

In an alert view in the Control Center, if you double-click an event in the Source Events tab for a particular alert, the Event Properties window may not display the full text of the Description property for some events, instead truncating the displayed description. You can view the complete description for an event in an event view and can create a temporary event view displaying only the specific event.

To view the complete description for a particular event:

  1. In the Event Properties window, note the event ID for the event with the truncated description.
  2. On the Tasks menu, click Global Tasks > Find Events.
  3. In the View Properties window, select with event ID of a specified number.
  4. In the View description pane, click a specified number.
  5. Specify the event ID for the event you want to view.
  6. Click OK.
  7. Click Finish.
  8. In the Event Properties pane, click the Event Details tab and review the Description field.

(ENG243140)

Control Center Incorrectly Displays the Category of Events Received from Windows Server 2008 Agentless Monitored Computers

When you configure agentless monitoring for a Microsoft Windows Server 2008 computer, Security Manager does not properly display events received from the agentless computer. The Control Center displays the Category for each event received from the agentless monitored Windows Server 2008 computer using a number, instead of the name of the category itself. (ENG248333)

Internet Explorer Enhanced Security Can Block Control Center Help

If you have Microsoft Internet Explorer Enhanced Security Configuration enabled on your Control Center computer, Internet Explorer may display a warning message when you click the Help button in a Control Center window or wizard. To view the Help, click Add and follow the steps to add the Help location to your Trusted sites zone or configure your Internet Explorer security settings to disable the warning message. (ENG253330)

Security Manager Synchronizes Temporary Storage Data Directory Settings

If you modify the global temporary storage data directory settings for either your central computers or your agents using the Development Console, Security Manager automatically updates the corresponding other data directory setting to use the same value. (ENG231909)

Security Manager Displays Fully Qualified Domain Name of Unmanaged Agent without Valid Certificate

If you install an unmanaged agent without a valid agent authentication certificate and specify a central computer on which agent authentication is enabled, Security Manager displays the fully qualified domain name of the unmanaged agent, rather than the NetBIOS name, in the Agent Summary View of the Agent Administrator and the Pending Computers view of the Control Center.

The different name format does not affect Security Manager functionality in any way. As with managed agents, the central computer cannot communicate with the unmanaged agent until you either install a valid agent authentication certificate on the agent or disable agent authentication on the central computer. You can then remove the fully qualified domain name entry from the Agent Summary View and Pending Computers view by selecting the entry in the Agent Summary View and clicking Delete. This behavior does not occur on managed agents.

Cannot Add Users to Some Security Manager Roles in a Workgroup Installation

If you have a Security Manager workgroup installation, and you try to add users to the OnePointOp Operators, OnePointOp Users, or OnePointOp Reporting role, an error appears stating that no locations can be found. To add users to these roles, you can use the computer management utility for the operating system and then use the Access Configuration utility to repair the added user accounts. (ENG266200)

Cannot Use Development Console to Edit Knowledge Base on Windows Vista Computers

If you install Security Manager user interfaces on a computer running Microsoft Windows Vista, you cannot edit your custom Knowledge Base for a processing rule using the Development Console. When editing the Knowledge Base on a Windows Vista computer, use the Security Manager Control Center instead of the Development Console. To edit the Knowledge Base for a rule, select an alert generated by the rule and click Alert Tasks > Update Knowledge on the Tasks menu. (ENG247254)

Cannot Upgrade Agent After Changing the Default Agent Install Share Folder

If you change the default Agent Install Share folder after you deploy an agent, Agent Manager uses the new share when you upgrade the agent, and an error message appears. If you use the default Windows installation folder, the error does not occur. (ENG261406)

Security Manager May Not Update Provider Instance When You Update a Module

If you download a module update containing a provider instance with a save date that precedes the last date you altered your installed provider instance, Security Manager does not update the provider instance. You can perform the following steps to import the updated module and override any changes made to the installed provider instance by installing the rules and providers from the imported module.

To import a custom module:

  1. Open the Security Manager Development Console.
  2. Select the Processing Rule Groups node.
  3. On the Action menu, click Restore NetIQ Module.
  4. Click Browse to locate and select the Security Manager custom module (.nqm file).
  5. Select Merge, and always use the rules defined in the module, and then click Import.

(ENG237853)

Installing Additional Components on an Existing Security Manager Computer

If you install one or more Security Manager components on a computer and then decide to install other components on the same computer at a later time, you must install the additional components on the same drive where you installed the existing components. The setup program now automatically checks if an installation computer already has Security Manager components installed and installs the additional components in the same location.

Configuring Permissions for Default Central Computer Authentication

By default, when you install a Security Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store. Members of the Administrators group on the local computer can access the private keys of certificates installed in the LocalMachine store.

In order for Security Manager to function properly, the service account used to run Security Manager must be a member of the local Administrators group on the central computer or otherwise have access to the private key of the self-signed certificate. If the service account cannot access the private key for the default Security Manager certificate, the NetIQ Security Manager service cannot start, and the central computer generates an event 21337 in the Application event log.

To resolve this issue, check the access control list (ACL) of the key container file and ensure the Security Manager service account has at least Read and Execute permissions. The event 21337 description identifies the key container file name. The key container file is located in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. For more information about key containers, see the following article on the Microsoft support site:

http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx

Note: The Security Manager agent can experience a similar issue when custom certificates are deployed for agent authentication. If the agent is configured to use an authentication certificate and is unable to access the associated private key, the agent service fails to start and the agent computer generates an event 21334 in the Application event log.
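One way to perform the ACL check described above from PowerShell. This is an added example, not NetIQ code: the principal names are placeholders, you must list the groups the service account belongs to yourself, and the script conservatively treats any matching Deny entry as blocking.

```powershell
# Added example (not NetIQ code): report whether the listed principals are granted
# Read and Execute on a machine key container file.
param(
    # File name taken from the event 21337 (or 21334) description.
    [Parameter(Mandatory = $true)][string]$KeyContainerFile,
    # Assumption: placeholder names. List the service account and the groups it
    # belongs to; the script does not expand group membership itself.
    [string[]]$Principals = @('EXAMPLE\svc-secmgr', 'BUILTIN\Administrators')
)

# Folder named in the release notes.
$folder = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
$path = Join-Path $folder $KeyContainerFile
if (-not (Test-Path -Path $path -PathType Leaf)) {
    throw "Key container file not found: $path"
}

# Resolve each name to a SID so the comparison does not depend on name formatting.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sids = @(foreach ($name in $Principals) {
    try { (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType).Value }
    catch { Write-Warning "Cannot resolve '$name' to a SID; ignoring it." }
})

$required = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allowed = 0
$denied = 0
$matched = @()

# Walk explicit and inherited entries and accumulate the rights that apply to the
# listed principals. Entries written with generic rights bits are not mapped here.
foreach ($rule in (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)) {
    if ($sids -notcontains $rule.IdentityReference.Value) { continue }
    $rights = [int]$rule.FileSystemRights
    if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
        $allowed = $allowed -bor $rights
    } else {
        $denied = $denied -bor $rights
    }
    $matched += $rule
}

# Conservative evaluation: a denied bit always removes the matching allowed bit.
$effective = $allowed -band (-bnot $denied)
New-Object PSObject -Property @{
    Path              = $path
    MatchingEntries   = $matched.Count
    HasReadAndExecute = (($effective -band $required) -eq $required)
}
```

Run the script from an elevated prompt on the affected computer. A HasReadAndExecute value of False means the listed principals lack the minimum permissions described above.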

Installing Office Web Components Prerequisite on 64-bit Windows Server 2003 and 2008 Computers

When preparing a computer running the 64-bit version of Microsoft Windows Server 2003 Standard Edition R2 or Microsoft Windows Server 2008 for installation of Security Manager central computer or user interface components, ensure you install the .NET Framework 2.0 prerequisite before installing the Microsoft Office 2003 Web Components prerequisite. If you install the Office Web Components prerequisite first on a computer with that version of Windows Server 2003 installed or with Windows Server 2008 installed, the Control Center cannot display Trend Analysis reports, even when the reporting server exists and contains data.

To resolve this issue, download and reinstall Microsoft Office 2003 Web Components on the affected computer. You can download Office Web Components from www.microsoft.com/downloads. Computers running other versions of Windows or Windows Server are not affected by this issue. (ENG269226)

Disabling NTFS Indexing on Log Archive Servers

When preparing a computer for installation of Security Manager log archive server components, NetIQ recommends you disable the Windows Indexing Service. To disable indexing, navigate to the local drive on which you want to install Security Manager, select the drive, and click Properties in the File menu. Clear Allow Indexing Service to index this disk for fast file searching and click OK.

Granting Permission to Run Forensic Queries on Computers in a Custom Computer Group

If you want to grant specific users permissions to run forensic queries on computers that have security set through custom computer groups, you must assign those custom computer groups to the processing rule group from which you want to pull archival data. For more information about computer groups and processing rule groups, see the Programming Guide for NetIQ Security Manager.

Setup Program Temporarily Requires SQL Server sa Account

Before installing Security Manager, ensure the SQL Server sa account exists on your database server computer and has not been renamed. The setup program requires that the sa account exist to install Security Manager components. After the installation completes, you can remove or rename the sa account on the database server. (ENG269671)

Upgrading Custom Time Periods

If you have previously configured custom time periods for Security Manager using the Monitor Console, to view data properly after upgrading to Security Manager 6.5.2, you must re-configure the time periods. For more information about configuring Security Manager time periods, see the Installation Guide for NetIQ Security Manager.

Legacy Configuration Wizard Pages Remain Until Module Is Updated

If you upgrade from a previous version of Security Manager to Security Manager 6.5.2, two legacy pages, Specify Central Computer for Trend Analysis and Configure Log Databases, remain in the Configuration Wizard until the Log Manager for Windows module is updated. Users can use the Configure Log Databases page to associate existing log databases with central computers, but should not use the inactive Specify Central Computer for Trend Analysis page. Updating the Log Manager for Windows module removes these two pages from the Configuration Wizard. (ENG225969)

Installing Unmanaged Agents From a Mapped Drive

To install a Security Manager 6.5.2 unmanaged agent on a Windows 2000 computer from a ManualAgent.msi file located on a mapped drive, either copy the file to a local drive or connect to the share using the Universal Naming Convention (UNC) path, for example \\servername\folder. For more information about this issue, see the Microsoft support site. (ENG226797)

Disabling Active Directory Integration with Message Queuing

Security Manager 6.5.2 requires that you install the Message Queuing Windows component on a computer before installation of some Security Manager components. However, unless you actively use the Active Directory Integration sub-component of the Message Queuing Windows component, NetIQ recommends you disable Active Directory Integration. You can either disable Active Directory Integration when installing Message Queuing or disable it after installation.

Note
In Windows Server 2008, the Active Directory Integration sub-component is called Directory Services Integration.

To disable Active Directory Integration on Windows Server 2003 computers after installing Message Queuing:

  1. Open the Add or Remove Programs Control Panel.
  2. Click Add/Remove Windows Components.
  3. Select Application Server and click Details.
  4. Select Message Queuing and click Details.
  5. Clear the Active Directory Integration check box.
  6. Click OK.
  7. Click OK.
  8. Click Next. The Windows Component Wizard configures Message Queuing.
  9. Click Finish.
  10. Close the Control Panel.

To disable Directory Services Integration on Windows Server 2008 computers after installing Message Queuing:

  1. Open the Server Manager.
  2. In the left pane, click Features.
  3. In the right pane, click Remove Features.
  4. Expand Message Queuing > Message Queuing Services.
  5. Clear the Directory Service Integration check box.
  6. Click Next.
  7. Click Remove. The Remove Features Wizard removes the Directory Service Integration feature.
  8. Click Close.
  9. Close the Server Manager.

Removing and Re-adding UNIX or iSeries Agents

If you remove and re-add a UNIX or iSeries agent, Security Manager 6.5.2 assigns it a new computer identifier, and data previously associated with this computer may not be accessible in Forensic Analysis reports. You can continue to review the prior data for this computer in real-time views, Summary reports, and Trend Analysis reports. (ENG228555)

Cannot View Exported Trend Analysis Report Data in an Offline Cube

In Security Manager 6.5.2, you can export Trend Analysis report data for both online and offline viewing. However, if you export Trend Analysis data to an offline cube file, users cannot view the cube file using Microsoft Excel, due to a Microsoft Excel issue. For more information about this issue, contact Microsoft Technical Support. (ENG228594)

Reporting Cube Processing Job Fails when Service Account Privileges Are Modified

Microsoft SQL Server does not require sysadmin privileges to run the SSIS reporting cube processing job. However, if you install Security Manager 6.5.2 using a service account and then remove sysadmin privileges from that account, the reporting cube processing job fails.

To restore sysadmin rights to the service account:

  1. Log on to the reporting server computer using an account that has SQL Administrator privileges.
  2. Open Microsoft SQL Server Management Studio.
  3. Connect to the Database Engine.
  4. Expand SQL Server Agent > Proxies > SSIS Package Execution.
  5. Right-click the service account and select Properties.
  6. Click Principals.
  7. Click Add.
  8. Under Available principals, select the service account.
  9. Click OK.
  10. Click OK.

(ENG227108)

Uploading Preconfigured Summary Reports to the Report Manager Website

In addition to creating custom Summary reports using SQL Server Business Intelligence Development Studio, you can also deploy preconfigured Summary reports provided with Security Manager 6.5.2. You can find the preconfigured Summary reports in the Reports folder in the installation kit. For information about uploading all provided report files (.rdl files) to the Report Manager Website, see the ReadMe.txt file located in the Reports folder. For information about uploading one report at a time, see the User Guide for NetIQ Security Manager.

Digital Certificate Revocation Does Not Take Effect Immediately

If you revoke a previously valid digital certificate being used to sign log archive data in Security Manager 6.5.2, Security Manager continues to use the certificate until Windows updates the local Certificate Revocation List (CRL). Microsoft Windows certificate management caches the CRL locally for a predetermined amount of time, typically a week, after which Windows updates the local CRL and effectively revokes the certificate. Until Windows updates the CRL, you can use a revoked digital certificate to sign log archive data in Security Manager. For more information about this issue, see the Microsoft TechNet Website. (ENG224666)

Control Center Automatically Saves Changes to Trend Analysis Reports

If you filter or modify dimensions in a Trend Analysis report and then navigate to another Trend Analysis report in the Control Center, the Control Center automatically saves all changes made to the report. You then cannot restore the report to its default state until you close and re-open the Control Center. This issue occurs both with the standard set of Trend Analysis reports provided in the Control Center and with any custom saved reports. In either case, you can remove any filters or modified dimensions manually. (ENG228976)

Changing SQL Server Service Accounts

If you want to change the service account used to run Microsoft SQL Server 2005, do not modify the account using the Services administrative tool. To change service accounts, use the SQL Server Configuration Manager, located in the Microsoft SQL Server 2005 program group. For more information about changing service accounts for Microsoft SQL Server 2005, see the Microsoft SQL Server documentation and the Microsoft Web site at www.microsoft.com.

Filtering Forensic Analysis Report Data by Date and Time

When you try to filter Forensic Analysis report data on either the Event Timestamp (UTC) or Event TimeStamp Local (UTC-5) column, you can only select from a series of dates with no timestamps displayed. Selecting a date displays the events that occurred at a particular second, not all events that occurred on a particular day. In addition, when you select Custom to use the Custom AutoFilter window to filter events by date, the filter returns no data.

To filter events by date, click the field at the top of the column and type the date, in M/D/YYYY format. To filter events by hour or minute, type part or all of the timestamp in the field after the date, in HH:MM:SS format. The Forensic Analysis report displays only events that match the criteria in the field. (ENG228210)

Enabling Messaging Between Central Computer and Log Archive Server

If you use different service accounts on the central computer and the log archive server in the same configuration group, ensure the central computer service account is a member of the OnePointOp System group on the log archive server. If the central computer service account does not have sufficient access to the log archive server, it cannot send MSMQ messages from the central computer to the log archive.

Named Pipes Networking Protocol Not Supported

Security Manager 6.5.2 does not support the Named Pipes protocol for performance reasons. Use the TCP/IP protocol as the primary protocol for all Security Manager components, including the database server and reporting server. (ENG229235)

Upgrading All User Interfaces

After upgrading central components for Security Manager to version 6.5.2, immediately upgrade all user interfaces. Users attempting to start an earlier version of the user interfaces will encounter functionality problems.

Module Installer Continues to Try to Install Modules After Installation Error

If the Module Installer cannot install a module, it displays an error indicating the module installation failed. However, the Module Installer continues to make additional attempts to install the module and may succeed at a later point.

To verify whether the Module Installer could not install one or more modules, view the Status column in the Module Installer window. If the Module Installer could not install a module, try again. In the Module Installer window, select the module, and then click Install. (ENG203258)

Installing on NetIQ Secure Configuration Manager or NetIQ Aegis Computers Not Recommended

Installing Security Manager central computer components or the database server on a computer with a NetIQ Secure Configuration Manager or NetIQ Aegis core component already installed is not recommended for performance reasons.

Installing User Interface Components on Agent Computers

You can install Security Manager user interfaces on a managed agent computer. However, they must be in the same installation folder. To avoid problems, install user interfaces and the agent to the default folder.

You cannot install Security Manager user interfaces and an unmanaged agent on the same computer. (ENG203075, ENG177246)

Using NetBIOS Names

Security Manager uses NetBIOS names when specifying Windows domain and computer names in the Agent Administrator and Configuration Wizard. Although Security Manager accepts both NetBIOS names and fully qualified domain names (FQDNs), using two naming conventions can cause Security Manager to create separate identifiers for the same computer, which may cause Security Manager to generate duplicate alerts.

In the Configuration Wizard, use IP addresses to specify iSeries and UNIX computers and devices. (ENG202592)

Disabling or Removing a Remote Configuration Group Connection

To disable a remote configuration group connection, open the Control Center and clear the Active Configuration check box for that connection in the Configuration Groups window. If you want to remove a remote configuration group connection completely, use the Configuration Group Connections utility. (ENG218173)

Adding an Account to the OnePointOp TrustedServiceAccounts Group

Add only service accounts to the OnePointOp TrustedServiceAccounts group. If you add a user account to the TrustedServiceAccounts group, that account no longer has access to the Control Center, even if it is also a member of another OnePointOp group. The TrustedServiceAccounts group is strictly for use in establishing configuration group connections.

In addition, add only remote service accounts to the OnePointOp TrustedServiceAccounts group. If you add a local service account to the TrustedServiceAccounts group on the local central computer, NetIQ Security Manager does not function properly. For more information about configuring multiple configuration group monitoring, see the User Guide for NetIQ Security Manager. (ENG217939)

Changing Credentials for Monitoring a Remote Configuration Group

If you change the account used to create a configuration group connection, restart the NetIQ Security Manager Core service for the changes to take effect. (ENG217989)

Resuming Groomed Alerts

If you suspend an alert in the Control Center, you can only resume that alert if the alert has not been groomed. Alerts that are groomed out of the OnePoint database are no longer displayed in alert views in the Control Center. To resume a groomed alert, open the Development Console and re-enable the rule that generated the alert. (ENG216095)

Alert Sentry Link to Control Center Not Working

If you enable the Alert Sentry on a computer that does not have the Control Center installed, the link to launch the Control Center from the Alert Sentry is enabled but does not work. (ENG217506)

Using a Service Account to Access the Control Center

Do not use the service account to start the Control Center. Using the service account to start the Control Center limits your ability to connect to multiple configuration groups. Instead, log on to the Control Center using a Windows user account that is a member of the appropriate OnePointOp groups. For more information about permissions, see the User Guide for NetIQ Security Manager. (ENG217531)

Cannot Add MOM Snap-ins to the Security Manager Development Console

If you have Security Manager and Microsoft Operations Manager (MOM) consoles on the same computer, you cannot create a custom MMC interface to include snap-ins for both products.

Saving Forensic Analysis Queries

Log Manager saves Forensic Analysis queries on the Control Center computer on which they were created. You can share saved Forensic Analysis queries by copying them to another Control Center computer. Log Manager saves Forensic Analysis queries as .xml files in the installation folder, by default Program Files\NetIQ Security Manager\OnePoint\VSOC\config\ForensicQueries. Copy these .xml files to the same folder on another Control Center computer to use the queries in that Control Center.

If you uninstall user interfaces, Forensic Analysis queries are removed as well. (ENG148424, ENG153832)

Immediately Making a Newly Installed Agent a Proxy Agent

If you install an agent on a computer and want to make that agent a proxy agent, the agent might not be immediately available. The agent may take up to 30 minutes before it is ready to select as a proxy agent.

To determine whether the agent is ready to use as a proxy agent:

  1. Log on to a Security Manager Control Center computer as a member of the OnePointOp Users group.
  2. In the Navigation pane, click Infrastructure Components > Agents.
  3. In the Results window, look for the proxy agent computer. If the number in the Group Count column is greater than 0, the agent is ready to use as a proxy agent.

(ENG202550)

Deploying Managed Agents on Previously Monitored Computers

If you are deploying a managed agent on a computer previously monitored by a proxy agent or on which you uninstalled an agent and you clicked Deploy Now to initiate agent installation, Security Manager does not scan the agent. To work around the issue, manually scan the computer after clicking Deploy Now. For more information about manually running a managed computer scan, see the User Guide for NetIQ Security Manager, which is located on the user interfaces computer in the Documentation folder of the NetIQ Security Manager program group. (ENG203047)

Discovery Identifies Computers the Service Account Can Manage

If you run a Lightweight Directory Access Protocol (LDAP) query in Active Directory Users and Computers, it may return more computers than when you run a discovery rule containing the same query. Security Manager discovers only computers where the Security Manager service account is a member of the local Administrators group.

Trend Analysis and Summary Require Processing Before Generating the First Reports

You cannot view a Trend Analysis or Summary report until log archive data is uploaded to the reporting cube. Wait until the first time the reporting cube processing job runs and then view the report. The processing job runs every three hours by default. (ENG203621)

Restart Web Sites Following Windows Upgrade

If you install Security Manager on a Windows 2000 computer and then upgrade the operating system to Windows Server 2003 or Windows Server 2008, the upgrade may disable the Web Console and other Web sites running on Internet Information Services (IIS). Restart the Web Console and any other Web sites. (ENG203344)

Foreign Language Support

This version of Security Manager supports Microsoft Windows in English and Western European languages for non-database components. Security Manager supports Microsoft SQL Server installations, including the reporting server and database server, in English only. (ENG148568)

Previous Releases

Security Manager 6.5.2 also includes enhancements added in Security Manager 6.5 Service Pack 1, Hotfix 71933, Hotfix 71864, Hotfix 71829, and Hotfix 71643.

Allows Users to Add Non-Windows Computers or Devices to Computer Groups

Security Manager 6.5.2 allows you to manually add non-Windows computers or devices into computer groups in the Pending Computers view in the Control Center. This feature enables you to create a custom provider for non-Windows computers or devices and view data received by that provider in the Control Center.

Unlike NetIQ modules, which use the Configuration Wizard to add devices or computers to computer groups, custom providers typically do not include Configuration Wizard functionality. Because Security Manager does not automatically assign non-Windows computers or devices to Windows computer groups, Security Manager security filtering automatically filters out event data received from custom non-Windows providers.

For example, if you create a custom provider to receive data from a firewall device not monitored by an existing Security Manager module, you can now open the Control Center, go to the Infrastructure Components > Pending Computers view, select the firewall device, and click Add to Computer Groups. Specify a computer group to which you want to add the firewall and click OK. Any user configured to be able to view the computer group can then view data received using the Control Center. (ENG270262)

Improves Web Console Security

Security Manager 6.5.2 improves security in the Web Console by addressing previously existing cross-site scripting and SQL injection vulnerabilities that could allow a malicious user to access the Web Console server. The Web Console now blocks attacks that exploit cross-site scripting and SQL injection vulnerabilities. (ENG275012, ENG275200, ENG275059, ENG274837)

Enables Usage of Fully-Qualified Domain Names in Syslog Provider

Security Manager 6.5.2 enables the use of fully-qualified domain names when you create a new custom syslog provider using the Development Console. (ENG274136)

Optimizes Agent Configuration Time

Security Manager 6.5.2 optimizes the amount of time required to deploy and configure managed agents on both server and workstation computers. Security Manager previously required three heartbeats for a newly deployed agent to receive configuration information from the central computer and the central computer to add the new agent to a computer group.

For Windows server agents, this process could take up to 20 minutes using the default heartbeat interval setting, depending on the timing of the heartbeats themselves. For workstation agents with the Security Manager scalability multiplier enabled, the process could take several hours.

Security Manager now requires only two heartbeats for a central computer to configure and provide computer group membership to a new agent, significantly shortening the amount of time between deployment and communication from an agent.

In addition, workstation agents now use the server heartbeat interval setting when the central computer provides initial configuration information to the agent. After the central computer configures the workstation agent for the first time, the agent uses the workstation heartbeat interval setting. (ENG276382)

Improves Correlation Rule Maintenance

Security Manager 6.5.2 prevents the Correlation Engine from unnecessarily evaluating events by removing any orphaned correlation collection rules that belong to a deleted correlation rule. (ENG278999)

Improves Control Center Event and Alert View Performance

Security Manager 6.5.2 improves performance of alert and event views in the Security Manager Control Center, as well as the Source Events tab of the Alert Properties window for a specific alert. The Control Center now returns data much more quickly when you click an alert or event view or the Source Events tab. (ENG274253)

Improves Deletion of Saved Trend Analysis Reports

Security Manager 6.5.2 allows you to delete saved Trend Analysis reports using the Control Center without waiting for the report to load. (ENG271396)

Allows Deleting or Renaming of Forensic Analysis Query Folders

Security Manager 6.5.2 allows you to delete or rename existing Forensic Analysis query folders in the Control Center. (ENG220206)

Allows Users to Modify Read Status of Multiple Forensic Analysis Reports

Security Manager 6.5.2 resolves an issue where if you select a series of completed Forensic Analysis reports that include reports with both Read and Unread statuses, the Read/Unread statuses of those reports cannot be changed as a group. You can now select multiple completed Forensic Queries and mark them as Read or Unread, regardless of their current Read status. (ENG272057)

Expands Syslog Provider Parameter Support

Security Manager 6.5.2 adds syslog provider support for using more than 20 parameters in a syslog regular expression. Security Manager now allows you to specify a maximum of 100 parameters. (ENG275369)

Enables Searching in Processing Rule Group Subgroups

Security Manager 6.5.2 resolves an issue where the Development Console does not allow you to search a specific processing rule group hierarchy for a processing rule using the Rule Search wizard. The Rule Search wizard now allows you to search in all subgroups in a specified processing rule group hierarchy, in addition to searching in the top-level processing rule group itself. (ENG209560)

Improves Log Archive Index Validation

Security Manager 6.5.2 improves the log archive indexing process, enabling the log archive server to check a partition before closing to ensure the partition index is complete. If the partition index is incomplete and is missing index entries, the log archive server now reindexes and closes the partition. (ENG264498)

Improves Handling of Invalid Log Archive Data

Security Manager 6.5.2 improves handling of invalid data in the log archive message queue. The log archive server now properly disregards data that is invalid or corrupted and continues to process valid data. (ENG274131)

Optimizes Log Archive Importing and Indexing

Security Manager 6.5.2 optimizes log archive indexing in environments where the log archive server receives large numbers of events. In some environments, the volume of events stored in a log archive can grow so large the log archive server cannot index events quickly enough and becomes backed up, possibly causing performance issues on the log archive server.

Security Manager now imports events into a log archive until the number of events to be indexed reaches a specified threshold. If the number of events stored in the index_data folder on the log archive server exceeds that threshold, Security Manager pauses importing new events until the indexing process catches up and the number of events to be indexed falls below the threshold. When this occurs, Security Manager temporarily stores incoming events and logs an event in the log archive server event log warning that the indexing process cannot process events quickly enough.

Allows Use of Authenticated SMTP for Email Notifications

Security Manager 6.5.2 allows you to use SMTP with outgoing authentication to send email to notification groups when an alert or rule match occurs. You can also use Secure Sockets Layer (SSL) encryption for outgoing email authentication.

Improves Parse Exception Logging

Security Manager 6.5.2 improves Security Manager parse exception logging. If Security Manager cannot parse all data for a particular event, Security Manager now displays the parseable data for the event and ignores the unparseable data.

Adds Configurable Thread Count for File Monitoring

Security Manager 6.5.2 allows you to configure the number of threads in the thread pool the Security Manager Core Service uses to monitor log files. To enable this setting, add the following text to the SMServiceHost.exe.config file on the central computer:

	<ServiceInitializer name="Log Watcher" type="NetIQ.SM.LogWatcher.LogWatcher, NetIQ.SM.LogWatcher">
		<ServiceConfig>
			<Settings threadPoolSize="20" />
		</ServiceConfig>
	</ServiceInitializer>

Removes Unnecessary Folder From Unmanaged Agent Computer

Security Manager 6.5.2 resolves an issue where the unmanaged Windows agent setup program creates an empty Public Keys folder in the root-level folder on the hard drive of the agent computer. Because this folder is no longer used by the setup program, the setup program now no longer creates the Public Keys folder. (ENG278555)

Resolves UNIX Agent Communication Issue

Security Manager 6.5.2 resolves an issue where once you configure a UNIX agent to send data to a central computer, Security Manager does not properly close the connection between the agent and the central computer after receiving data, whether the agent sends real-time events or heartbeats. In a configuration group with multiple UNIX agent computers, you may see a large number of partially closed connections and experience problems with communication between your UNIX agents and the central computer. Security Manager now closes connections to UNIX agents when no longer needed and properly handles UNIX agent communication. (ENG276218)

Resolves Central Computer Agent Scan Issue

Security Manager 6.5.2 resolves an issue where if the agent manager cannot successfully scan an existing agent, Security Manager does not use the agent computer group configuration stored in the OnePoint database. Security Manager instead overwrites the agent computer group configuration, removing the agent from all computer groups.

Security Manager now uses the configuration stored in the OnePoint database when the agent manager cannot contact an agent. (ENG261037)

Resolves Legacy Agent Correlation Issue

Security Manager 6.5.2 resolves an issue where Security Manager does not correlate events sent to the central computer by a legacy agent (version 6.0 and earlier). Security Manager now correlates any event matching a correlation rule, whether generated by a current or legacy agent. (ENG274394)

Resolves Correlation Collection Rule Event Type Issue

Security Manager 6.5.2 resolves an issue where the Development Console does not correctly display the Event Type used in a custom correlation collection rule when the rule uses Event Type as a criterion. The Collection Rule Properties window now properly displays the Event Type for a correlation collection rule. (ENG255412)

Resolves Correlation Wizard Event Criteria Issue

Security Manager 6.5.2 resolves an issue where the Correlation Wizard allows you to add an event criterion using an invalid operator for the selected field and then closes unexpectedly without adding the criterion to the list of events to add to the correlation rule. The Correlation Wizard now limits event criteria to only those operators that apply to the criteria field. (ENG273626)

Resolves Agents View Refresh Issue

Security Manager 6.5.2 resolves an issue where if you select an agent in the Infrastructure Components > Agents view in the Security Manager Control Center and click Ignore Agent Status Forever, Ignore Agent Status until Agent Reconnects, or Stop Ignoring Agent Status, the Control Center does not immediately refresh the view to display the updated status of the agent. The Control Center now immediately updates the status of an agent if you click any of the three specified tasks. (ENG271849)

Resolves Find Event/Alert Criterion Selection Issue

Security Manager 6.5.2 resolves an issue where if you try to find an event or alert in the Control Center, the Criteria window automatically selects the first criterion option when you click another option in the criteria list. The Control Center now correctly selects only the specified criterion. (ENG276867, ENG276869)

Resolves Issue with Alerting on Events in Foreign-Language Environments

Security Manager 6.5.2 resolves an issue in some foreign-language environments where if you try to alert on a specific event in the Control Center, the Control Center does not open the Alert On Event window. The Control Center now properly opens the Alert On Event window. (ENG278827)

Resolves Issue with Undoing User Actions

Security Manager 6.5.2 resolves an issue where if you suspend an alert in the Security Manager Control Center and then click Undo User Actions, select the suspended alert, and click Undo, Security Manager displays an error message and does not resume the suspended alert. Security Manager now properly undoes the Stop Alerting action and resumes the suspended alert. (ENG273567)

Resolves Saved Trend Analysis Reports Issue

Security Manager 6.5.2 resolves an issue where if you save a custom Trend Analysis report, you cannot rename the saved report at a later time. The Control Center now allows you to rename saved Trend Analysis reports. (ENG246222)

Resolves Trend Analysis Report Print Error on Windows Vista Computers

Security Manager 6.5.2 resolves an issue where, when you view a Trend Analysis report in the Control Center on a Windows Vista computer and click Print Report, Security Manager displays an error saying that the file PrintOut.htm could not be found. The Control Center now allows you to print Trend Analysis reports on Windows Vista computers. (ENG228995)

Resolves Reporting Server Dimension Size Issue

Security Manager 6.5.2 resolves an issue where the size of the Target Service Dimension when uploading data to the reporting cube does not match the size allowed for processing uploaded data. The dimension sizes for both uploading and processing data now match. (ENG270368)

Resolves Reporting Data Uploading Issue

Security Manager 6.5.2 resolves an issue where Security Manager cannot upload exported data to the cube depot because the data file source_name field contains more than 256 characters. Security Manager now limits the number of characters of the source_name fields of all exported data files to 256 and properly uploads data to the cube depot. (ENG277488)

Resolves New Module Forensic Analysis Query Issue

Security Manager 6.5.2 resolves an issue where, when you install a new Security Manager module with the Control Center open, you must close and reopen the Control Center to view or use any new Forensic Analysis queries included in the module. You can now install a new module with the Control Center open and click View > Refresh to use any new Forensic Analysis functionality in the module. (ENG266210)

Resolves Forensic Report Multi-Line Formatting Issue

Security Manager 6.5.2 resolves an issue where Forensic Analysis reports do not properly display multi-line event descriptions. The Control Center now properly displays multi-line event descriptions in Forensic Analysis reports. (ENG222630)

Resolves Proxy Agent Settings Issue

Security Manager 6.5.2 resolves an issue where if you use the Agent Administrator to set up an agentless monitored computer and configure the settings for the proxy agent so the proxy only monitors one type of event log, then reopen the Agent Administrator and view your agentless monitored computer settings, the Agent Administrator incorrectly displays only the default settings. While the Agent Administrator displays the default settings, the proxy agent uses the configured settings. The Agent Administrator now displays the correct proxy agent settings when the proxy monitors one type of log. (ENG269201)

Resolves Agentless Monitored Computer Event Formatting Issue

Security Manager 6.5.2 resolves an issue where Security Manager proxy agents installed on Microsoft Windows Server 2003 computers incorrectly format events from monitored agentless computers before sending those events to the central computer. Windows proxy agents now correctly format events from monitored agentless computers. (ENG275876)

Resolves Agent GUID Caching Issue

Security Manager 6.5.2 resolves an issue where if you remove a computer from your configuration group using the Agent Administrator, Security Manager does not reload the internal cache of computer names and globally unique identifiers (GUIDs). If the central computer then receives an event or alert from a computer using the same name as the removed computer, Security Manager associates the incoming event or alert with the GUID of the removed computer. However, because Security Manager has deleted the computer from the database server, the Control Center displays the received event or alert without a computer name or domain. Security Manager now correctly handles all removed computers and cached computer names and GUIDs. (ENG234766, ENG228275)

Resolves Agent Deployment Issue on User Interface Computers

Security Manager 6.5.2 resolves an issue where if you install Security Manager user interface components on a computer and then deploy a managed agent to the user interface computer, the Agent Manager removes the regobj.dll file. After deploying the agent, each time you use the Module Installer to import a new module, the Security Manager setup program then starts and attempts to install the missing file. The Agent Manager now does not automatically remove the regobj.dll file when deploying managed agents. (ENG275798)

Resolves Issue with Agent Communication Using Multiple NICs

Security Manager 6.5.2 resolves an issue where if you install two network interface controllers (NICs) on a central computer and then upgrade to Security Manager 6.5, the central computer can receive data only from agents using the primary NIC. Security Manager now configures central computers to receive data using all NICs by default.

To configure your central computer to use a specific network interface, modify the following registry entry on the central computer using the Registry Editor:

HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Consolidator\SocketServer = NetworkInterfaceIPAddress

Where ConfigurationGroupName is the name of your configuration group and NetworkInterfaceIPAddress is the IP address of the specific network interface you want to use. The default value is 0.0.0.0.

Warning
Be careful when editing your Windows Registry. If there is an error in your Registry, your computer may become nonfunctional. If an error occurs, you can restore the Registry to its state when you last successfully started your computer. For more information about editing the registry, see the Help for the Windows Registry Editor.

(ENG277957)

Resolves Multiple GUID Resolution Issue

Security Manager 6.5.2 resolves an issue where the NetIQ Security Manager service on an agent computer in some environments stops unexpectedly when resolving multiple globally unique identifiers (GUIDs) from received events. Security Manager now properly handles receiving and resolving multiple GUIDs. (ENG277594)

Resolves Syslog Module Configuration Issue

Security Manager 6.5.2 resolves an issue where if you manually add an agent using the syslog module windows of the Configuration Wizard and you use the equals criteria to select a computer, the computer name appears on the Included Computers tab of the computer group properties but does not appear in the database. Because the computer name is not added to the database, the Configuration Wizard does not actually add the computer. The Configuration Wizard now correctly adds the computer. (ENG266799)

Resolves Syslog Event Time Zone Issue

Security Manager 6.5.2 resolves an issue where the Control Center displays the time for events received from a syslog provider in Coordinated Universal Time (UTC). The Control Center now displays the time for events received from a syslog provider in the local time zone. (ENG277028)

Resolves Processing Rule Scheduling Issue

Security Manager 6.5.2 resolves an issue where if you create a custom "Detect Missing Event" real-time event processing rule and specify Sunday as the timeframe in which you expect the event to occur, the NetIQ Security Manager service begins to use all the CPU capacity on any agents or central computers on which you run the processing rule. Security Manager now correctly configures any "Detect Missing Event" rules with Sunday as the specified timeframe and does not use inordinate amounts of CPU capacity. (ENG271545)

Resolves Performance Processing Rule Criteria Issue

Security Manager 6.5.2 resolves an issue where the performance processing rule in the Development Console does not output the appropriate alert without additional criteria input by the user. The performance processing rule now properly outputs alerts without requiring additional user criteria. (ENG270127)

Resolves UNIX Computer GUID Caching Issue

Security Manager 6.5.2 resolves an issue where if you remove a UNIX computer from your configuration group using the Agent Administrator, Security Manager does not reload the internal cache of computer names and globally unique identifiers (GUIDs). The next time the central computer receives an alert, Security Manager associates the incoming alert with the GUID of the removed UNIX computer, and the NetIQ Security Manager service stops unexpectedly. Security Manager now correctly handles all removed computers and cached computer names and GUIDs. (ENG273429)

Resolves UNIX Agent Registration Issue

Security Manager 6.5.2 resolves an issue where if you remove an installed UNIX agent and then try to install the same agent again using the same name but in a different case, Log Manager for UNIX assigns two separate GUIDs to the same agent computer. For example, if you install a UNIX agent using the name Server1, remove the agent, and then reinstall the agent using the name SERVER1, Log Manager assigns each computer name a GUID, even though both names and GUIDs refer to the same computer. Because the computer has multiple GUIDs, Security Manager does not include event data from that computer in Forensic Analysis report results. Log Manager for UNIX now properly stores removed agents' names in lower case by default. (ENG251965)

Resolves iSeries Agent Timestamp Issue

Security Manager 6.5.2 resolves an issue where iSeries agents occasionally send incorrectly formatted timestamps, for example, 2009-09-17 08:23:7Z instead of 2009-09-17 08:23:07Z. When this occurs, Security Manager does not recognize the timestamp formatting and returns an error.

When Security Manager cannot parse a datetime string, Security Manager now repairs the formatting if necessary and re-parses the string. If the error persists after Security Manager fixes the formatting, Security Manager enters the current time for the timestamp.
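The repair-and-re-parse behavior described above, sketched as an added Python example (not NetIQ code). The function names, the strict YYYY-MM-DD HH:MM:SSZ pattern, and the returned status value are assumptions; the status lets a caller tell a real event time from a receipt time when the fallback is used.

```python
import re
from datetime import datetime, timezone

# Assumed wire format: fully zero-padded UTC timestamp, e.g. 2009-09-17 08:23:07Z
STRICT = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z")
# Same shape, but tolerating fields that lost their leading zero
LENIENT = re.compile(r"(\d{4})-(\d{1,2})-(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})Z")


def repair(raw):
    """Zero-pad short date/time fields; return None if the shape is unrecognisable."""
    m = LENIENT.fullmatch(raw.strip())
    if m is None:
        return None
    y, mo, d, h, mi, s = m.groups()
    return f"{y}-{mo:0>2}-{d:0>2} {h:0>2}:{mi:0>2}:{s:0>2}Z"


def strict_parse(text):
    """Parse only the exact padded form; raise ValueError otherwise."""
    if STRICT.fullmatch(text) is None:
        raise ValueError(f"not in YYYY-MM-DD HH:MM:SSZ form: {text!r}")
    # strptime also rejects out-of-range fields such as month 13 or hour 25.
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def parse_event_time(raw, now=None):
    """Return (timestamp, status) where status is 'ok', 'repaired' or 'fallback'."""
    try:
        return strict_parse(raw), "ok"
    except ValueError:
        pass
    fixed = repair(raw)
    if fixed is not None:
        try:
            return strict_parse(fixed), "repaired"
        except ValueError:
            pass  # right shape, impossible value: repair cannot help
    # Last resort: substitute the current time, as the release note describes.
    return (now or datetime.now(timezone.utc)), "fallback"


if __name__ == "__main__":
    # Constructed sample inputs; only the first two come from the release note.
    samples = ["2009-09-17 08:23:07Z", "2009-09-17 08:23:7Z",
               "2009-13-17 08:23:7Z", "17/09/2009 08:23"]
    for raw in samples:
        stamp, status = parse_event_time(raw)
        print(f"{raw!r:26} -> {stamp.isoformat()} ({status})")
```

A fallback timestamp records when the event was received, not when it occurred, so keep the raw string with the event if the timeline matters in an investigation.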

Resolves UNIX and iSeries Central Computer Data Collection Issue

Security Manager 6.5.2 resolves an issue where one central computer accesses information stored on the database server that a different central computer collected from a UNIX or iSeries agent. The central computer that collected the data then can no longer access the data on the database server. To ensure central computers access only their own data, Security Manager now logs the name of the central computer that collected the data in the idmefCollection table of the OnePoint database, under the CentralComputerName heading.

Resolves License Expiration Warning Issue

Security Manager 6.5.2 resolves an issue where if your Security Manager license expires, the Control Center cannot receive data and you cannot open the Development Console, but Security Manager does not log an event that the license has expired. Security Manager now logs an application log event on the central computer when your Security Manager license expires. (ENG272705)

Resolves Issue with Applying Licenses to Unlicensed Installations

Security Manager 6.5.2 resolves an issue where if you try to open the Security Manager Control Center or Development Console in an environment where Security Manager is installed but has no license applied, Security Manager does not allow you to apply a license. Now when you try to open one of the user interfaces without a license applied, Security Manager allows you to select a Security Manager license to apply without opening the Control Center or Development Console. After applying a valid license, you can open both user interfaces. (ENG274290)

Resolves OnePoint Database Installation Size Issue

Security Manager 6.5.2 resolves an issue where Security Manager uses the value specified for the starting size of the OnePoint database during installation as the maximum size for the database. Security Manager now properly uses "Starting Size" as the actual starting size for the OnePoint database and allows the database to grow as large as necessary.

Resolves Log Archive Query Tool Issue

Security Manager 6.5.2 resolves an issue where if you try to use the Log Archive Resource Kit Log Archive Query tool to query very large amounts of log archive data, the Log Archive Query tool runs out of memory and stops unexpectedly. The Log Archive Query tool can now successfully query large amounts of log archive data. (ENG259647)

Resolves Log Archive Server Installation Issue

Security Manager 6.5.2 resolves an issue where after installation of Security Manager 6.5, the log archive indexer and NetIQ Security Manager Log Archive service stop repeatedly, due to a misconfiguration of the indexer during installation. The setup program now configures the indexer correctly, and both the indexer and Log Archive service start properly after installation. (ENG271612)

Resolves Performance Counter Provider Creation Issue

Security Manager 6.5.2 resolves an issue where if you create a new Windows NT Performance Counter provider, the Development Console unexpectedly closes if you select Remote Computer in the Counter definitions from option, specify a computer other than the default, and click OK. Security Manager now allows you to create a new Windows NT Performance Counter provider that uses counter definitions from a remote computer. (ENG275409)

Resolves Central Computer Response Script Issue

Security Manager 6.5.2 resolves an issue where Security Manager cannot run a script on a central computer in response to an event on an agent computer. Security Manager now properly runs scripts on a central computer in response to events either on the central computer or on an agent, as configured. (ENG279562)

Resolves Issue with Running Multiple Simultaneous Responses

Security Manager 6.5.2 resolves an issue where if a Security Manager agent installed on a multi-core computer runs the same response on multiple response threads, the NetIQ Security Manager service on the agent computer can stop unexpectedly. Security Manager now properly runs responses on multiple threads. (ENG262533)

Resolves CGGP Configuration Change Issue

Before you install Security Manager 6.5.2, when you apply Change Guardian for Group Policy configuration changes for a Windows Server 2003 or 2008 domain controller, the NetIQ Security Manager service on the domain controller stops unexpectedly.

After you install Security Manager 6.5.2, the Security Manager agent properly updates Change Guardian for Group Policy configuration changes, and the NetIQ Security Manager service no longer stops unexpectedly. (ENG277149)

Resolves an Issue with Upgrading from Security Manager 6.0 SP4 to Version 6.5

Security Manager 6.5.2 resolves an issue where, when you upgrade from Security Manager 6.0 SP4 to Security Manager 6.5.2, the central computer does not install the most recent version of the libexpat.dll file on all managed Windows agents in your configuration group.

The central computer sends upgrade information to your agents, causing the NetIQ Security Manager service on your agent computers to stop and fail to restart. After you install this version, Security Manager upgrades the required file and enables the central computer to properly upgrade your managed agents. (ENG276446)

Resolves Alert Grooming Issue

Security Manager 6.5.2 resolves an issue where if you configure database server grooming to groom resolved alerts older than 30 days, all alerts older than 30 days are groomed, regardless of resolution state. Security Manager now grooms alerts as configured in your database grooming settings. (ENG274017)


Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
