NetIQ Security Manager
Version 6.5.2
Release Notes
Date Published: May 2010
This version of the NetIQ Security Manager product (Security Manager) provides several new features. This version also improves usability and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

This document outlines why you should install this version and identifies known issues. For more information about installing Security Manager, see the Installation Guide for NetIQ Security Manager. For more information about this release and for the latest Release Notes, see the Security Manager Suite Documentation web site.

Why Install This Version?

NetIQ Security Manager is the most comprehensive security incident management solution for today's heterogeneous enterprise environments. By consolidating security data from across the enterprise and utilizing advanced correlation, intrusion protection, powerful visualization, and advanced reporting (including trending and forensics capabilities), NetIQ Security Manager enables a rapid identification and response to key security incidents — all through a central security console.

The following sections outline the key features and functions provided by this version, as well as issues resolved in this release.

Provides Support for Windows Server 2008 and Windows 7 Computers

Security Manager 6.5.2 provides support for installing and using the following components on computers using Microsoft Windows Server 2008:
In addition, this version includes existing support for deploying agents on Windows Server 2008, Windows Server 2008 R2, and Windows 7 computers and installing user interfaces on Windows Server 2008 and Windows 7 computers. Security Manager 6.5.2 does not support installing components other than agents on computers using Windows Server 2008 Server Core.

Resolves Issue with Monitoring User or Group Accounts in Change Guardian for Active Directory

Security Manager 6.5.2 resolves an issue where a user can enter a maximum of 500 characters to the Authorized Accounts, High-Profile User Accounts, or High-Profile Group Accounts lists in the Change Guardian for Active Directory pages of the Configuration Wizard. Because of this character limit, users can add only roughly 30 user or group accounts to the Configuration Wizard. Users can now enter up to 6000 characters in the lists of monitored user or group accounts in the Configuration Wizard. (ENG282914)

Resolves Forensic Analysis Query Permissions Issue

Security Manager 6.5.2 resolves an issue where you cannot run Forensic Analysis queries using an account other than the Security Manager service account. You can now run Forensic Analysis queries using any account that belongs to the OnePointOp Reporting group. (ENG281371)

Resolves Reporting Cube Depot Installation Issue

Security Manager 6.5.2 resolves an issue where if you try to install Security Manager Reporting components but do not specify the name of the SMCubeDepot server, the setup program cannot complete the installation process. The setup program now replaces any database names left blank with the name of the local computer. (ENG276695)

Resolves Managed Agent Upgrade Issue

Security Manager 6.5.2 resolves an issue where the Agent Manager cannot upgrade managed agents in certain environments because Agent Manager is unable to install the latest version of the required Microsoft Visual C++ redistributable package on managed agent computers.
The Agent Manager can now successfully install the redistributable package and upgrade managed agents. (ENG278401)

Resolves Remote Performance Counter Monitoring Issue

Security Manager 6.5.2 resolves an issue where if you upgrade an agent from Security Manager 5.6 to Security Manager 6.5, you cannot use Performance Monitor to remotely monitor performance counters on the agent computer. This issue applies not only to Security Manager counters on the agent computer but to counters of any type. Performance Monitor can now add all performance counters from the remote agent computer.

Resolves Log Archive Server Installation Issue

Security Manager 6.5.2 resolves an issue where the Log Archive Server did not install correctly if the log archive data directory path contained spaces. The Log Archive Server now correctly installs regardless of spacing in the data directory path. (ENG278511)

Resolves Web Console Re-Installation Issue

Security Manager 6.5.2 resolves an issue where you cannot re-install the Web Console after uninstalling it from a computer with the Security Manager Control Center installed. The setup program now correctly re-installs the Web Console if you have previously removed it. (ENG273525)

Resolves Previous Aegis Installation Issue

Security Manager 6.5.2 resolves an issue where the setup program encounters an unexpected error when you install Security Manager components on a computer where NetIQ Aegis had been previously installed. The setup program now installs Security Manager correctly on computers with previous Aegis installations. (ENG284305)

Resolves Forensic Analysis Query View Issue

Security Manager 6.5.2 resolves an issue where if you select a completed Forensic Analysis report in the Security Manager Control Center and select View Query, you cannot use scroll bars on any of the tabs of the Forensic Analysis Query Properties window. You can now use scroll bars on the Forensic Analysis Query Properties window, whether viewing or editing a query.
(ENG283396)

Resolves Domain-Less Computer or Device Display Issue

Security Manager 6.5.2 resolves an issue where if you deploy computers or devices that do not belong to a domain and then open the Configuration Wizard, the Configuration Wizard displays each domain-less computer or device as being a member of a separate blank domain tree in the existing computers list. The Configuration Wizard now displays all computers or devices that do not belong to a domain in a single blank domain tree. (ENG281308)

Resolves Issue with Control Center Views in Non-English Environments

Security Manager 6.5.2 resolves an issue where selecting alert or event views in the Security Manager Control Center causes an error in non-English environments. Security Manager now correctly displays alert or event views in non-English environments. (ENG283409)

Resolves Agent Authorization and Registration Event Issue

Security Manager 6.5.2 resolves an issue where if you install a new agent, when that agent starts and attempts to communicate with the central computer for the first time, Security Manager logs events warning that the agent is not registered or authorized, even if the agent is valid. Security Manager now logs events regarding agent registration or authorization only when a previously registered or authorized agent changes to an unauthorized or unregistered state. (ENG283433)

Resolves Upgrade Password Issue

Security Manager 6.5.2 resolves an issue where if you try to upgrade your Security Manager 6.0 installation and input the configuration group password, the setup program displays an error even when the password is correct. The setup program now correctly recognizes the configuration group password. (ENG283128)

Resolves Agent Communication Alert Description Issue

Security Manager 6.5.2 resolves an issue in larger environments with multiple agents where the alert indicating a heartbeat failure (event ID number 2030) does not list the specific agents experiencing failures.
The alert now accurately lists all agents experiencing failures and the type of failure experienced. (ENG283045)

Resolves UNIX and iSeries Real Time Event Timestamp Issue

Security Manager 6.5.2 resolves an issue where the timestamp stored in the Security Manager event table is not the same as the agent event timestamp. The description of the event in the Control Center shows the original timestamp of the event. The Security Manager event table now properly displays the timestamps of real-time events. (ENG203028)

Resolves Log Archive Indexing Issue

Security Manager 6.5.2 resolves an issue where, in environments where the log archive server receives a large, continuous amount of data, the indexer can become overwhelmed by incoming messages. When this happens, the log archive can sometimes mark a received message as invalid and stop the
The log archive server now handles large amounts of incoming data without stopping the service or flagging valid messages as invalid. (ENG282730)

System Requirements

For the most recently updated list of supported application versions, see the Security Manager Supported Products Web page.

If you want to upgrade an existing Security Manager installation, this version requires one of the following to be installed on all computers before starting the upgrade process:
Before installing this version on a computer, ensure the computer has a minimum of 400 MB of disk space available for use by the setup program. Because the setup program functionality includes an option to roll back the installation if an error occurs, the setup program copies all Security Manager component files before updating. After the installation finishes, the setup program deletes all temporary copies of the updated files.

Ensure you close all open applications, including the Alert Sentry, before upgrading to Security Manager 6.5.2. If an application is running, the Security Manager setup program may fail to complete the upgrade procedure successfully. To close the Alert Sentry, right-click the Alert Sentry icon in the system tray, and then click Exit.

NetIQ also recommends you apply all appropriate security updates for your environment.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Administrator Access Required in Windows Server 2008, Windows Vista, and Windows 7 Environments

On computers using Windows Server 2008, Windows Vista, or Windows 7, if you have User Account Control (UAC) enabled, some Security Manager functions require you use an account that is a member of the local Administrators group on the Security Manager computer, either by launching the user interface using an account with local Administrator permissions or running the user interface as administrator.

The following functions or interfaces require that you use an account that is a member of the local Administrators group:
The following functions or interfaces require that you run as administrator, using an account that is a member of the local Administrators group:
You can use all other Security Manager functions or interfaces normally without local Administrator permissions, using an account that belongs to the appropriate OnePointOp groups.

Installing Security Manager Control Center in a Non-Default Location

If you install the Security Manager Control Center on computers running Windows Server 2008, Windows XP, or Windows Vista, and specify a non-default location to install the user interface components, you must manually grant all Control Center users who are not already members of the local Administrators group Write access to the installation folder. If users do not have Write access to the folder where the Control Center is installed and try to open the Control Center, Security Manager displays an error. (ENG283440)

Installing Security Manager Requires Complete Installation Package

Before installing Security Manager central computer components, ensure the installation computer has access to the complete Security Manager installation package, including all modules. If you copy only the contents of the

Configuration Group Connections Tool Requires Administrator Access

To run the Configuration Group Connections tool, you must use an account that is a member of the
If you use an account that is not a member of the local Administrators group, Security Manager incorrectly displays an error message that the service account must be a member of the

Restarting Agents After Upgrade

When you upgrade managed or unmanaged agents, Security Manager installs or replaces the Microsoft Visual C++ redistributable package. If another application or service is using the existing redistributable package, you may need to restart the agent computer after upgrading. When you upgrade a managed agent, the Agent Manager logs an event in the Application event log on the central computer, warning you that you need to restart the managed agent computer for the agent to function properly. When you upgrade an unmanaged agent, the setup program prompts you to restart the unmanaged agent computer at the end of the installation process.

Module Installation Folder Changed

When you upgrade Security Manager, the setup program moves all existing module files to an application data folder on the central computer. On computers running Windows Server 2003, the setup program moves the files to the following folder:
On computers running Windows Server 2008, the setup program moves the files to the following folder:
If you install any subsequent modules, the Module Installer installs the new module files to the same respective folders. (ENG284329)

Reports Display Extra Characters in Computer Names

In certain environments, a Microsoft Windows error causes Security Manager Forensic Analysis reports and Summary reports to display the names of source computers in report data incorrectly, with an extraneous special character added at the end of the name. This issue only occurs when Security Manager receives NT Lan Manager (NTLM) logon events with event ID 680. To resolve this issue, you can download and install a Microsoft hotfix from the following link on the Microsoft support site:
After you install the hotfix on your Windows Server 2003 central computers, Forensic Analysis and Summary reports no longer display the extra characters in computer names. (ENG284345)

Incorrect Agent Installation Error in Windows Server 2008 R2 Environments

When you install or deploy an agent on a computer using Windows Server 2008 R2 that does not already have the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package prerequisite installed, the setup program logs a

Alert Processing Response Scripts May Not Run in Windows Server 2008 R2 Server Core Environments

When you install an agent on a computer using Windows Server 2008 R2 Server Core, some alert processing rules deployed to the agent may not function properly. If an alert processing rule runs a response script that uses one or more Windows Management Instrumentation (WMI) objects, the response script stops unexpectedly when trying to use the WMI object and logs error Events 9100 and 21245 in the Application log. Event processing rules and response scripts that do not use WMI objects run in Windows Server 2008 R2 Server Core environments without encountering this issue. (ENG288696)

Module Installer Does Not Overwrite Customized Rules

When the Module Installer looks for a new version of a module, the utility uses the date and time the module rules were last modified or updated to determine if newer versions of those rules exist. If the Module Installer finds a date/time stamp from a later date or time than the standard date/time stamp of any of the rules, the utility assumes you have already updated that rule to the latest version available and does not attempt to install a newer version of the rule when it installs the new version of the module.

If you modify or customize a default rule included in a module, the Module Installer does not check to see if the date/time stamp is earlier than the date/time stamp of the most recent rule version, but instead sees any difference in the date/time stamp as a flag that the rule has already been updated. The Module Installer does not overwrite the customized rules with the latest available versions of those rules, even if the latest versions are significantly newer than the original, un-customized rules.
(ENG269487)

Event Views Inconsistent When Displaying More Events Than Maximum

If a selected view returns more than the configured maximum number of events, the Security Manager Control Center may not consistently display the same set of events each time a user accesses the view. If you want to view a consistent set of events, increase the maximum number of events displayed in the view (up to 10000 events), use specific criteria to enable the view to return a more focused set of events, or shorten the time range of the configured time period criterion for the view.

Installing Modules on User Interface Computers with Managed Agents Deployed

If you install Security Manager user interface components on a computer and then deploy a managed agent to that computer before upgrading from Security Manager 6.0 Service Pack 4 or Security Manager 6.5, the Agent Manager removes the regobj.dll file. If you then use the Module Installer to import a new module on the user interface computer, Security Manager attempts to install the missing file, which no longer exists, and does not allow you to import the module.

This version of Security Manager prevents the Agent Manager from removing the regobj.dll file from any computers on which you want to install Security Manager user interface components after installing Security Manager 6.5.2. However, Security Manager 6.5.2 does not fix existing computers that experience this issue. To enable Security Manager to import new modules, copy the regobj.dll file from another computer in your configuration group and install the file in the WINDOWS\system32 folder on the user interface computer. (ENG275798)

Upgrading Multiple Configuration Groups that Use the Same Agents

When upgrading multiple configuration groups from Security Manager 6.0 to version 6.5.2, ensure all Windows agents are used by only one configuration group at a time during the upgrade process.
If multiple configuration groups use the same agent, you must remove that agent from one of the configuration groups before you upgrade the central computer of either group. Security Manager cannot function properly if an agent is sending data to two different central computers running different versions of Security Manager.

Using New Syslog Rules with Legacy Agents

If you create a new syslog provider and custom rules using Security Manager 6.5, Security Manager 6.5 Service Pack 1, or Security Manager 6.5.2, you should not associate your new syslog rules with a computer group that includes one or more legacy agents. Legacy agents do not contain the new syslog provider and instead return repeated error events and alerts after you associate the rules with the computer group. Legacy agents are version 6.0 and earlier. (ENG243700)

Syslog Provider Does Not Support Log Archival Filter Rules

If you create a new syslog provider using Security Manager 6.5, Security Manager 6.5 Service Pack 1, or Security Manager 6.5.2, you cannot create log archival filter rules to filter syslog data sent by the syslog provider. You can create log archival collection rules for syslog data, but the syslog provider ignores any criteria specified. If you want to filter syslog data or collect only specific events, you must configure the parse map for your syslog provider to process syslog data. (ENG269678)

Installing New Log Manager Modules Causes Repeating Events on Legacy Agents

If you upgrade to Security Manager 6.5.2 but do not upgrade all agents, and then you install a new Log Manager module and force Security Manager to send configuration changes to your agents, any legacy agents that do not need the new Log Manager module generate a repeating configuration change event (event ID 21270) every five minutes. To allow your legacy agents to ignore the new module, modify any agent configuration setting. The configuration change takes effect at the next agent heartbeat.
To send new Log Manager module information to legacy agents:
(ENG262913)

Configuring Number of Log Archive Server Indexing Jobs

When you install the Security Manager log archive server component, the setup program configures the log archive server to use a number of indexing jobs equal to the number of cores on the computer by default. However, if you do not use a dedicated log archive server computer, this configuration can cause the log archive server to consume a disproportionate amount of resources. If you want to install the log archive server on a computer with other Security Manager components, NetIQ recommends reducing the number of indexing jobs to half the number of cores on the computer.

You can change the number of indexing jobs by modifying the LogArchiveConfiguration.config file. On log archive servers running Windows Server 2003, the file is located in the following folder:
On log archive servers running Windows Server 2008, the file is located in the following folder:
Change the IndexJobCount setting to a value other than default. If your log archive server computer uses Windows Server 2008, ensure you edit the LogArchiveConfiguration.config file using an account that is a member of the local Administrators group.

Central Computer Uses Local Time for Real-Time UNIX/iSeries Event Date/Time Stamps

When the central computer receives real-time events from a UNIX or iSeries agent, Security Manager uses the local time of the central computer to create a date/time stamp for the received events. The event description displays the original date/time stamp, while the Control Center displays the central computer date/time stamp. (ENG203028)

Application Log Provider Cannot Parse UTF-8 Encoded Event Data

The Security Manager application log provider cannot properly handle the encoding of special characters in UTF-8 log files. When Security Manager receives event data from the IIS Application Log - FTP provider that includes special characters, the event data represents those special characters incorrectly. (ENG249121)

Setup Program Incorrectly Validates a Specified Destination Folder

When installing Security Manager, if you click Browse on the Destination Folders window, specify an incorrect path, and then click Cancel, the setup program incorrectly displays the following error message:

Error 1314. The specified path Type is unavailable.

Click OK, specify a correct path, and then click Cancel to cancel the change. (ENG255151)

Control Center Cannot Display All Trend Analysis Field Criteria

By default, the Security Manager Control Center can display a maximum of 32,000 check box items in a particular Trend Analysis filter. For example, if you want to filter a Severity Analysis report by target user but have 40,000 users in your environment, the filter list only displays 32,000 of your users in the Target User column in the table control window.
However, you can save a Trend Analysis report and manually modify the saved report to display more than 32,000 items without selecting them using the table control window filters.

To create a customized Trend Analysis report that includes more than 32,000 items:
(ENG241433)

Alert Views May Not Display Full Descriptions for Events

In an alert view in the Control Center, if you double-click an event in the Source Events tab for a particular alert, the Event Properties window may not display the full text of the Description property for some events, instead truncating the displayed description. You can view the complete description for an event in an event view and can create a temporary event view displaying only the specific event.

To view the complete description for a particular event:
(ENG243140)

Control Center Incorrectly Displays the Category of Events Received from Windows Server 2008 Agentless Monitored Computers

When you configure agentless monitoring for a Microsoft Windows Server 2008 computer, Security Manager does not properly display events received from the agentless computer. The Control Center displays the Category for each event received from the agentless monitored Windows Server 2008 computer using a number, instead of the name of the category itself. (ENG248333)

Internet Explorer Enhanced Security Can Block Control Center Help

If you have Microsoft Internet Explorer Enhanced Security Configuration enabled on your Control Center computer, Internet Explorer may display a warning message when you click the Help button in a Control Center window or wizard. To view the Help, click Add and follow the steps to add the Help location to your Trusted sites zone or configure your Internet Explorer security settings to disable the warning message. (ENG253330)

Security Manager Synchronizes Temporary Storage Data Directory Settings

If you modify the global temporary storage data directory settings for either your central computers or your agents using the Development Console, Security Manager automatically updates the corresponding other data directory setting to use the same value. (ENG231909)

Security Manager Displays Fully Qualified Domain Name of Unmanaged Agent without Valid Certificate

If you install an unmanaged agent without a valid agent authentication certificate and specify a central computer on which agent authentication is enabled, Security Manager displays the fully qualified domain name of the unmanaged agent, rather than the NetBIOS name, in the Agent Summary View of the Agent Administrator and the Pending Computers view of the Control Center. The different name format does not affect Security Manager functionality in any way.
As with managed agents, the central computer cannot communicate with the unmanaged agent until you either install a valid agent authentication certificate on the agent or disable agent authentication on the central computer. You can then remove the fully qualified domain name entry from the Agent Summary View and Pending Computers view by selecting the entry in the Agent Summary View and clicking Delete. This behavior does not occur on managed agents.

Cannot Add Users to Some Security Manager Roles in a Workgroup Installation

If you have a Security Manager workgroup installation, and you try to add users to the OnePointOp Operators, OnePointOp Users, or OnePointOp Reporting role, an error appears stating that no locations can be found. To add users to these roles, you can use the computer management utility for the operating system and then use the Access Configuration utility to repair the added user accounts. (ENG266200)

Cannot Use Development Console to Edit Knowledge Base on Windows Vista Computers

If you install Security Manager user interfaces on a computer running Microsoft Windows Vista, you cannot edit your custom Knowledge Base for a processing rule using the Development Console. When editing the Knowledge Base on a Windows Vista computer, use the Security Manager Control Center instead of the Development Console. To edit the Knowledge Base for a rule, select an alert generated by the rule and click Alert Tasks > Update Knowledge on the Tasks menu. (ENG247254)

Cannot Upgrade Agent After Changing the Default Agent Install Share Folder

If you change the default Agent Install Share folder after you deploy an agent, Agent Manager uses the new share when you upgrade the agent, and an error message appears. If you use the default Windows installation folder, the error does not occur.
(ENG261406)

Security Manager May Not Update Provider Instance When You Update a Module

If you download a module update containing a provider instance with a save date that precedes the last date you altered your installed provider instance, Security Manager does not update the provider instance. You can perform the following steps to import the updated module and override any changes made to the installed provider instance by installing the rules and providers from the imported module.

To import a custom module:
(ENG237853)

Installing Additional Components on an Existing Security Manager Computer

If you install one or more Security Manager components on a computer and then decide to install other components on the same computer at a later time, you must install the additional components on the same drive where you installed the existing components. The setup program now automatically checks if an installation computer already has Security Manager components installed and installs the additional components in the same location.

Configuring Permissions for Default Central Computer Authentication

By default, when you install a Security Manager central computer, the setup program creates a self-signed certificate and installs the certificate and corresponding private key in the LocalMachine > NetIQ Security Manager certificate store. Members of the Administrators group on the local computer can access the private keys of certificates installed in the LocalMachine store. In order for Security Manager to function properly, the service account used to run Security Manager must be a member of the local Administrators group on the central computer or otherwise have access to the private key of the self-signed certificate.

If the service account cannot access the private key for the default Security Manager certificate, the NetIQ Security Manager service cannot start, and the central computer generates an event 21337 in the Application event log. To resolve this issue, review the access control list (ACL) of the key container file to ensure the service user has Read and Execute permissions, at minimum. The event 21337 description identifies the key container file name. Check the ACL of the key container file located in the %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys folder to ensure the Security Manager service account has at least Read and Execute permissions.

For more information about key containers, see the following article on the Microsoft support site:
Note: The Security Manager agent can experience a similar issue when custom certificates are deployed for agent authentication. If the agent is configured to use an authentication certificate and is unable to access the associated private key, the agent service fails to start and the agent computer generates an event 21334 in the Application event log.

Installing Office Web Components Prerequisite on 64-bit Windows Server 2003 and 2008 Computers

When preparing a computer running the 64-bit version of Microsoft Windows Server 2003 Standard Edition R2 or Microsoft Windows Server 2008 for installation of Security Manager central computer or user interface components, ensure you install the .NET Framework 2.0 prerequisite before installing the Microsoft Office 2003 Web Components prerequisite. If you install the Office Web Components prerequisite first on a computer with that version of Windows Server 2003 installed or with Windows Server 2008 installed, the Control Center cannot display Trend Analysis reports, even when the reporting server exists and contains data.

To resolve this issue, download and reinstall Microsoft Office 2003 Web Components on the affected computer. You can download Office Web Components from www.microsoft.com/downloads. Computers running other versions of Windows or Windows Server are not affected by this issue. (ENG269226)

Disabling NTFS Indexing on Log Archive Servers

When preparing a computer for installation of Security Manager log archive server components, NetIQ recommends you disable the Windows Indexing Service. To disable indexing, navigate to the local drive on which you want to install Security Manager, select the drive, and click Properties in the File menu. Clear Allow Indexing Service to index this disk for fast file searching and click OK.
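
The private key permission check described under Configuring Permissions for Default Central Computer Authentication, together with the agent case in its Note (events 21337 and 21334), can be scripted. The PowerShell below is an added example, not NetIQ code: the function names, the in-memory sample ACL, and the placeholder account and file name are assumptions, and Deny entries are treated conservatively as always blocking.

```powershell
# Added example (not part of the product). Function names are hypothetical.

function Get-KeyAccessFailureEvent {
    # Event 21337: central computer service cannot read the certificate private key.
    # Event 21334: the same condition on an agent using an authentication certificate.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 21337, 21334 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Test-KeyContainerAccess {
    param(
        # ACL of the key container file, for example the result of Get-Acl.
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemSecurity]$Acl,

        # The service account, plus any groups it belongs to that should count
        # (group membership is not resolved automatically here).
        [Parameter(Mandatory = $true)]
        [System.Security.Principal.IdentityReference[]]$Identity
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $need    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    # Compare by SID so that name formatting differences do not matter.
    $sids = @($Identity | ForEach-Object { $_.Translate($sidType).Value })

    $allowed = 0
    $denied  = 0
    foreach ($rule in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        } else {
            $denied = $denied -bor [int]$rule.FileSystemRights
        }
    }

    # Conservative: a Deny on any required bit is treated as blocking,
    # regardless of whether it is explicit or inherited.
    $effective = $allowed -band (-bnot $denied)
    return (($effective -band $need) -eq $need)
}

# --- Constructed sample, built in memory so no real key file is touched ---
# SYSTEM gets Full Control; NETWORK SERVICE gets Read only (no Execute).
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$netSvc = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$sample = New-Object System.Security.AccessControl.FileSecurity
$sample.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $system, 'FullControl', 'Allow'))
$sample.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $netSvc, 'Read', 'Allow'))

foreach ($id in $system, $netSvc) {
    New-Object PSObject -Property @{
        Sid               = $id.Value
        HasReadAndExecute = Test-KeyContainerAccess -Acl $sample -Identity $id
    }
}

# --- Use against a real central computer or agent ---
# The key container file name comes from the description of event 21337;
# the account and file name below are placeholders.
# Get-KeyAccessFailureEvent | Format-List
# $dir  = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
# $file = Join-Path $dir '<key-container-file-name>'
# $svc  = New-Object System.Security.Principal.NTAccount 'EXAMPLE\svc-secmgr'
# Test-KeyContainerAccess -Acl (Get-Acl $file) -Identity $svc
```

Granting only Read and Execute on the single key container file keeps the service account out of the local Administrators group, which the section above allows as an alternative.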

Granting Permission to Run Forensic Queries on Computers in a Custom Computer Group

If you want to grant specific users permissions to run forensic queries on computers that have security set through custom computer groups, you must assign those custom computer groups to the processing rule group from which you want to pull archival data. For more information about computer groups and processing rule groups, see the Programming Guide for NetIQ Security Manager.

Setup Program Temporarily Requires SQL Server sa Account

Before installing Security Manager, ensure the SQL Server sa account exists on your database server computer and has not been renamed. The setup program requires the sa account exist to install Security Manager components. After the installation completes, you can remove or rename the sa account on the database server. (ENG269671)

Upgrading Custom Time Periods

If you have previously configured custom time periods for Security Manager using the Monitor Console, to view data properly after upgrading to Security Manager 6.5.2, you must re-configure the time periods. For more information about configuring Security Manager time periods, see the Installation Guide for NetIQ Security Manager.

Legacy Configuration Wizard Pages Remain Until Module Is Updated

If you upgrade from a previous version of Security Manager to Security Manager 6.5.2, two legacy pages, Specify Central Computer for Trend Analysis and Configure Log Databases, remain in the Configuration Wizard until the Log Manager for Windows module is updated. Users can use the Configure Log Databases page to associate existing log databases with central computers, but should not use the inactive Specify Central Computer for Trend Analysis page. Updating the Log Manager for Windows module removes these two pages from the Configuration Wizard.
(ENG225969)

Installing Unmanaged Agents From a Mapped Drive
To install a Security Manager 6.5.2 unmanaged agent on a Windows 2000 computer from a ManualAgent.msi file located on a mapped drive, either copy the file to a local drive or connect to the share using the Universal Naming Convention (UNC) path, for example, \\servername\folder. For more information about this issue, see the Microsoft support site. (ENG226797)

Disabling Active Directory Integration with Message Queuing
Security Manager 6.5.2 requires that you install the Message Queuing Windows component on a computer before installation of some Security Manager components. However, unless you actively use the Active Directory Integration sub-component of the Message Queuing Windows component, NetIQ recommends you disable Active Directory Integration. You can either disable Active Directory Integration when installing Message Queuing or disable it after installation.
To disable Active Directory Integration on Windows Server 2003 computers after installing Message Queuing:
To disable Directory Services Integration on Windows Server 2008 computers after installing Message Queuing:
Removing and Re-adding UNIX or iSeries Agents
If you remove and re-add a UNIX or iSeries agent, Security Manager 6.5.2 assigns it a new computer identifier, and data previously associated with this computer may not be accessible in Forensic Analysis reports. You can continue to review the prior data for this computer in real-time views, Summary reports, and Trend Analysis reports. (ENG228555)

Cannot View Exported Trend Analysis Report Data in an Offline Cube
In Security Manager 6.5.2, you can export Trend Analysis report data for both online and offline viewing. However, if you export Trend Analysis data to an offline cube file, users cannot view the cube file using Microsoft Excel, due to a Microsoft Excel issue. For more information about this issue, contact Microsoft Technical Support. (ENG228594)

Reporting Cube Processing Job Fails when Service Account Privileges Are Modified
Microsoft SQL Server does not require sysadmin privileges to run the SSIS reporting cube processing job. However, if you install Security Manager 6.5.2 using a service account and then remove sysadmin privileges from that account, the reporting cube processing job fails. To restore sysadmin rights to the service account:
(ENG227108)

Uploading Preconfigured Summary Reports to the Report Manager Website
In addition to creating custom Summary reports using SQL Server Business Intelligence Development Studio, you can also deploy preconfigured Summary reports provided with Security Manager 6.5.2. You can find the preconfigured Summary reports in the Reports folder in the installation kit. For information about uploading all provided report files (.rdl files) to the Report Manager Website, see the ReadMe.txt file located in the Reports folder. For information about uploading one report at a time, see the User Guide for NetIQ Security Manager.

Digital Certificate Revocation Does Not Take Effect Immediately
If you revoke a previously valid digital certificate being used to sign log archive data in Security Manager 6.5.2, Security Manager continues to use the certificate until Windows updates the local Certificate Revocation List (CRL). Microsoft Windows certificate management caches the CRL locally for a predetermined amount of time, typically a week, after which Windows updates the local CRL and effectively revokes the certificate. Until Windows updates the CRL, you can use a revoked digital certificate to sign log archive data in Security Manager. For more information about this issue, see the Microsoft TechNet Website. (ENG224666)

Control Center Automatically Saves Changes to Trend Analysis Reports
If you filter or modify dimensions in a Trend Analysis report and then navigate to another Trend Analysis report in the Control Center, the Control Center automatically saves all changes made to the report. You then cannot restore the report to its default state until you close and re-open the Control Center. This issue occurs both with the standard set of Trend Analysis reports provided in the Control Center and with any custom saved reports. In either case, you can remove any filters or modified dimensions manually.
(ENG228976)

Changing SQL Server Service Accounts
If you want to change the service account used to run Microsoft SQL Server 2005, do not modify the account using the Services administrative tool. To change service accounts, use the SQL Server Configuration Manager, located in the Microsoft SQL Server 2005 program group. For more information about changing service accounts for Microsoft SQL Server 2005, see the Microsoft SQL Server documentation and the Microsoft Web site at www.microsoft.com.

Filtering Forensic Analysis Report Data by Date and Time
When you try to filter Forensic Analysis report data on either the Event Timestamp (UTC) or Event TimeStamp Local (UTC-5) column, you can only select from a series of dates with no timestamps displayed. Selecting a date displays the events that occurred at a particular second, not all events that occurred on a particular day. In addition, when you select Custom to use the Custom AutoFilter window to filter events by date, the filter returns no data. To filter events by date, click the field at the top of the column and type the date, in M/D/YYYY format. To filter events by hour or minute, type part or all of the timestamp in the field after the date, in HH:MM:SS format. The Forensic Analysis report displays only events that match the criteria in the field. (ENG228210)

Enabling Messaging Between Central Computer and Log Archive Server
If you use different service accounts on the central computer and the log archive server in the same configuration group, ensure the central computer service account is a member of the OnePointOp System group on the log archive server. If the central computer service account does not have sufficient access to the log archive server, it cannot send MSMQ messages from the central computer to the log archive.

Named Pipes Networking Protocol Not Supported
Security Manager 6.5.2 does not support the Named Pipes protocol for performance reasons.
Use the TCP/IP protocol as the primary protocol for all Security Manager components, including the database server and reporting server. (ENG229235)

Upgrading All User Interfaces
After upgrading central components for Security Manager to version 6.5.2, immediately upgrade all user interfaces. Users attempting to start an earlier version of the user interfaces will encounter functionality problems.

Module Installer Continues to Try to Install Modules After Installation Error
If the Module Installer cannot install a module, it displays an error indicating the module installation failed. However, the Module Installer continues to make additional attempts to install the module and may succeed at a later point. To verify whether the Module Installer could not install one or more modules, view the Status column in the Module Installer window. If the Module Installer could not install a module, try again. In the Module Installer window, select the module, and then click Install. (ENG203258)

Installing on NetIQ Secure Configuration Manager or NetIQ Aegis Computers Not Recommended
Installing Security Manager central computer components or the database server on a computer with a NetIQ Secure Configuration Manager or NetIQ Aegis core component already installed is not recommended for performance reasons.

Installing User Interface Components on Agent Computers
You can install Security Manager user interfaces on a managed agent computer. However, they must be in the same installation folder. To avoid problems, install user interfaces and the agent to the default folder. You cannot install Security Manager user interfaces and an unmanaged agent on the same computer. (ENG203075, ENG177246)

Using NetBIOS Names
Security Manager uses NetBIOS names when specifying Windows domain and computer names in the Agent Administrator and Configuration Wizard.
Although Security Manager accepts both NetBIOS names and fully qualified domain names (FQDNs), using two naming conventions can cause Security Manager to create separate identifiers for the same computer, which may cause Security Manager to generate duplicate alerts. In the Configuration Wizard, use IP addresses to specify iSeries and UNIX computers and devices. (ENG202592)

Disabling or Removing a Remote Configuration Group Connection
To disable a remote configuration group connection, open the Control Center and clear the Active Configuration check box for that connection in the Configuration Groups window. If you want to remove a remote configuration group connection completely, use the Configuration Group Connections utility. (ENG218173)

Adding an Account to the OnePointOp TrustedServiceAccounts Group
Add only service accounts to the OnePointOp TrustedServiceAccounts group. If you add a user account to the TrustedServiceAccounts group, that account no longer has access to the Control Center, even if it is also a member of another OnePointOp group. The TrustedServiceAccounts group is strictly for use in establishing configuration group connections. In addition, add only remote service accounts to the OnePointOp TrustedServiceAccounts group. If you add a local service account to the TrustedServiceAccounts group on the local central computer, NetIQ Security Manager does not function properly. For more information about configuring multiple configuration group monitoring, see the User Guide for NetIQ Security Manager. (ENG217939)

Changing Credentials for Monitoring a Remote Configuration Group
If you change the account used to create a configuration group connection, restart the NetIQ Security Manager Core service for the changes to take effect. (ENG217989)

Resuming Groomed Alerts
If you suspend an alert in the Control Center, you can only resume that alert if the alert has not been groomed.
Alerts that are groomed out of the OnePoint database are no longer displayed in alert views in the Control Center. To resume a groomed alert, open the Development Console and re-enable the rule that generated the alert. (ENG216095)

Alert Sentry Link to Control Center Not Working
If you enable the Alert Sentry on a computer that does not have the Control Center installed, the link to launch the Control Center from the Alert Sentry is enabled but does not work. (ENG217506)

Using a Service Account to Access the Control Center
Do not use the service account to start the Control Center. Using the service account to start the Control Center limits your ability to connect to multiple configuration groups. Instead, log on to the Control Center using a Windows user account that is a member of the appropriate OnePointOp groups. For more information about permissions, see the User Guide for NetIQ Security Manager. (ENG217531)

Cannot Add MOM Snap-ins to the Security Manager Development Console
If you have Security Manager and Microsoft Operations Manager (MOM) consoles on the same computer, you cannot create a custom MMC interface to include snap-ins for both products.

Saving Forensic Analysis Queries
Log Manager saves Forensic Analysis queries on the Control Center computer on which they were created. You can share saved Forensic Analysis queries by copying them to another Control Center computer. Log Manager saves Forensic Analysis queries as .xml files in the installation folder, by default Program Files\NetIQ Security Manager\OnePoint\VSOC\config\ForensicQueries. Copy these .xml files to the same folder on another Control Center computer to use the queries in that Control Center. If you uninstall user interfaces, Forensic Analysis queries are removed as well. (ENG148424, ENG153832)

Immediately Making a Newly Installed Agent a Proxy Agent
If you install an agent on a computer and want to make that agent a proxy agent, the agent might not be immediately available.
The agent may take up to 30 minutes before it is ready to select as a proxy agent. To determine whether the agent is ready to use as a proxy agent:
(ENG202550)

Deploying Managed Agents on Previously Monitored Computers
If you are deploying a managed agent on a computer previously monitored by a proxy agent or on which you uninstalled an agent and you clicked Deploy Now to initiate agent installation, Security Manager does not scan the agent. To work around the issue, manually scan the computer after clicking Deploy Now. For more information about manually running a managed computer scan, see the User Guide for NetIQ Security Manager, which is located on the user interfaces computer in the Documentation folder of the NetIQ Security Manager program group. (ENG203047)

Discovery Identifies Computers the Service Account Can Manage
If you run a Lightweight Directory Access Protocol (LDAP) query in Active Directory Users and Computers, it may return more computers than when you run a discovery rule containing the same query. Security Manager discovers only computers where the Security Manager service account is a member of the local Administrators group.

Trend Analysis and Summary Require Processing Before Generating the First Reports
You cannot view a Trend Analysis or Summary report until log archive data is uploaded to the reporting cube. Wait until the first time the reporting cube processing job runs and then view the report. The processing job runs every three hours by default. (ENG203621)

Restart Web Sites Following Windows Upgrade
If you install Security Manager on a Windows 2000 computer and then upgrade the operating system to Windows Server 2003 or Windows Server 2008, the upgrade may disable the Web Console and other Web sites running on Internet Information Services (IIS). Restart the Web Console and any other Web sites. (ENG203344)

Foreign Language Support
This version of Security Manager supports Microsoft Windows in English and Western European languages for non-database components.
Security Manager supports Microsoft SQL Server installations, including the reporting server and database server, in English only. (ENG148568)

Previous Releases
Security Manager 6.5.2 also includes enhancements added in Security Manager 6.5 Service Pack 1, Hotfix 71933, Hotfix 71864, Hotfix 71829, and Hotfix 71643.
Allows Users to Add Non-Windows Computers or Devices to Computer Groups
Security Manager 6.5.2 allows you to manually add non-Windows computers or devices into computer groups in the Pending Computers view in the Control Center. This feature enables you to create a custom provider for non-Windows computers or devices and view data received by that provider in the Control Center. Unlike NetIQ modules, which use the Configuration Wizard to add devices or computers to computer groups, custom providers typically do not include Configuration Wizard functionality. Because Security Manager does not automatically assign non-Windows computers or devices to Windows computer groups, Security Manager security filtering automatically filters out event data received from custom non-Windows providers. For example, if you create a custom provider to receive data from a firewall device not monitored by an existing Security Manager module, you can now open the Control Center, go to the Infrastructure Components > Pending Computers view, select the firewall device, and click Add to Computer Groups. Specify a computer group to which you want to add the firewall and click OK. Any user configured to be able to view the computer group can then view data received using the Control Center. (ENG270262)

Improves Web Console Security
Security Manager 6.5.2 improves security in the Web Console by addressing previously existing cross-site scripting and SQL injection vulnerabilities that could allow a malicious user to access the Web Console server. The Web Console now blocks attacks that exploit cross-site scripting and SQL injection vulnerabilities. (ENG275012, ENG275200, ENG275059, ENG274837)

Enables Usage of Fully-Qualified Domain Names in Syslog Provider
Security Manager 6.5.2 enables the use of fully-qualified domain names when you create a new custom syslog provider using the Development Console.
(ENG274136)

Optimizes Agent Configuration Time
Security Manager 6.5.2 optimizes the amount of time required to deploy and configure managed agents on both server and workstation computers. Security Manager previously required three heartbeats for a newly deployed agent to receive configuration information from the central computer and the central computer to add the new agent to a computer group. For Windows server agents, this process could take up to 20 minutes using the default heartbeat interval setting, depending on the timing of the heartbeats themselves. For workstation agents with the Security Manager scalability multiplier enabled, the process could take several hours. Security Manager now requires only two heartbeats for a central computer to configure and provide computer group membership to a new agent, significantly shortening the amount of time between deployment and communication from an agent. In addition, workstation agents now use the server heartbeat interval setting when the central computer provides initial configuration information to the agent. After the central computer configures the workstation agent for the first time, the agent uses the workstation heartbeat interval setting. (ENG276382)

Improves Correlation Rule Maintenance
Security Manager 6.5.2 prevents the Correlation Engine from unnecessarily evaluating events by removing any orphaned correlation collection rules that belong to a deleted correlation rule. (ENG278999)

Improves Control Center Event and Alert View Performance
Security Manager 6.5.2 improves performance of alert and event views in the Security Manager Control Center, as well as the Source Events tab of the Alert Properties window for a specific alert. The Control Center now returns data much more quickly when you click an alert or event view or the Source Events tab.
(ENG274253)

Improves Deletion of Saved Trend Analysis Reports
Security Manager 6.5.2 allows you to delete saved Trend Analysis reports using the Control Center without waiting for the report to load. (ENG271396)

Allows Deleting or Renaming of Forensic Analysis Query Folders
Security Manager 6.5.2 allows you to delete or rename existing Forensic Analysis query folders in the Control Center. (ENG220206)

Allows Users to Modify Read Status of Multiple Forensic Analysis Reports
Security Manager 6.5.2 resolves an issue where if you select a series of completed Forensic Analysis reports that include reports with both Read and Unread statuses, the Read/Unread statuses of those reports cannot be changed as a group. You can now select multiple completed Forensic Queries and mark them as Read or Unread, regardless of their current Read status. (ENG272057)

Expands Syslog Provider Parameter Support
Security Manager 6.5.2 adds syslog provider support for using more than 20 parameters in a syslog regular expression. Security Manager now allows you to specify a maximum of 100 parameters. (ENG275369)

Enables Searching in Processing Rule Group Subgroups
Security Manager 6.5.2 resolves an issue where the Development Console does not allow you to search a specific processing rule group hierarchy for a processing rule using the Rule Search wizard. The Rule Search wizard now allows you to search in all subgroups in a specified processing rule group hierarchy, in addition to searching in the top-level processing rule group itself. (ENG209560)

Improves Log Archive Index Validation
Security Manager 6.5.2 improves the log archive indexing process, enabling the log archive server to check a partition before closing to ensure the partition index is complete. If the partition index is incomplete and is missing index entries, the log archive server now reindexes and closes the partition.
(ENG264498)

Improves Handling of Invalid Log Archive Data
Security Manager 6.5.2 improves handling of invalid data in the log archive message queue. The log archive server now properly disregards data that is invalid or corrupted and continues to process valid data. (ENG274131)

Optimizes Log Archive Importing and Indexing
Security Manager 6.5.2 optimizes log archive indexing in environments where the log archive server receives large numbers of events. In some environments, the volume of events stored in a log archive can grow so large the log archive server cannot index events quickly enough and becomes backed up, possibly causing performance issues on the log archive server. Security Manager now imports events into a log archive until the number of events to be indexed reaches a specified threshold. If the number of events stored in the index_data folder on the log archive server exceeds that threshold, Security Manager pauses importing new events until the indexing process catches up and the number of events to be indexed falls below the threshold. When this occurs, Security Manager temporarily stores incoming events and logs an event in the log archive server event log warning that the indexing process cannot process events quickly enough.

Allows Use of Authenticated SMTP for Email Notifications
Security Manager 6.5.2 allows you to use SMTP with outgoing authentication to send email to notification groups when an alert or rule match occurs. You can also use Secure Sockets Layer (SSL) encryption for outgoing email authentication.

Improves Parse Exception Logging
Security Manager 6.5.2 improves Security Manager parse exception logging. If Security Manager cannot parse all data for a particular event, Security Manager now displays the parseable data for the event and ignores the unparseable data.
Adds Configurable Thread Count for File Monitoring
Security Manager 6.5.2 allows you to configure the number of threads in the thread pool the Security Manager Core Service uses to monitor log files. To enable this setting, add the following text to the SMServiceHost.exe.config file on the central computer:
<ServiceInitializer name="Log Watcher" type="NetIQ.SM.LogWatcher.LogWatcher, NetIQ.SM.LogWatcher">
  <ServiceConfig>
    <Settings threadPoolSize="20" />
  </ServiceConfig>
</ServiceInitializer>

Removes Unnecessary Folder From Unmanaged Agent Computer
Security Manager 6.5.2 resolves an issue where the unmanaged Windows agent setup program creates an empty Public Keys folder in the root-level folder on the hard drive of the agent computer. Because this folder is no longer used by the setup program, the setup program now no longer creates the Public Keys folder. (ENG278555)

Resolves UNIX Agent Communication Issue
Security Manager 6.5.2 resolves an issue where once you configure a UNIX agent to send data to a central computer, Security Manager does not properly close the connection between the agent and the central computer after receiving data, whether the agent sends real-time events or heartbeats. In a configuration group with multiple UNIX agent computers, you may see a large number of partially closed connections and experience problems with communication between your UNIX agents and the central computer. Security Manager now closes connections to UNIX agents when no longer needed and properly handles UNIX agent communication. (ENG276218)

Resolves Central Computer Agent Scan Issue
Security Manager 6.5.2 resolves an issue where if the agent manager cannot successfully scan an existing agent, Security Manager does not use the agent computer group configuration stored in the OnePoint database. Security Manager instead overwrites the agent computer group configuration, removing the agent from all computer groups. Security Manager now uses the configuration stored in the OnePoint database when the agent manager cannot contact an agent. (ENG261037)

Resolves Legacy Agent Correlation Issue
Security Manager 6.5.2 resolves an issue where Security Manager does not correlate events sent to the central computer by a legacy agent (version 6.0 and earlier).
Security Manager now correlates any event matching a correlation rule, whether generated by a current or legacy agent. (ENG274394)

Resolves Correlation Collection Rule Event Type Issue
Security Manager 6.5.2 resolves an issue where the Development Console does not correctly display the Event Type used in a custom correlation collection rule when the rule uses Event Type as a criterion. The Collection Rule Properties window now properly displays the Event Type for a correlation collection rule. (ENG255412)

Resolves Correlation Wizard Event Criteria Issue
Security Manager 6.5.2 resolves an issue where the Correlation Wizard allows you to add an event criterion using an invalid operator for the selected field and then closes unexpectedly without adding the criterion to the list of events to add to the correlation rule. The Correlation Wizard now limits event criteria to only those operators that apply to the criteria field. (ENG273626)

Resolves Agents View Refresh Issue
Security Manager 6.5.2 resolves an issue where if you select an agent in the Infrastructure Components > Agents view in the Security Manager Control Center and click Ignore Agent Status Forever, Ignore Agent Status until Agent Reconnects, or Stop Ignoring Agent Status, the Control Center does not immediately refresh the view to display the updated status of the agent. The Control Center now immediately updates the status of an agent if you click any of the three specified tasks. (ENG271849)

Resolves Find Event/Alert Criterion Selection Issue
Security Manager 6.5.2 resolves an issue where if you try to find an event or alert in the Control Center, the Criteria window automatically selects the first criterion option when you click another option in the criteria list. The Control Center now correctly selects only the specified criterion.
(ENG276867, ENG276869)

Resolves Issue with Alerting on Events in Foreign-Language Environments
Security Manager 6.5.2 resolves an issue in some foreign-language environments where if you try to alert on a specific event in the Control Center, the Control Center does not open the Alert On Event window. The Control Center now properly opens the Alert On Event window. (ENG278827)

Resolves Issue with Undoing User Actions
Security Manager 6.5.2 resolves an issue where if you suspend an alert in the Security Manager Control Center and then click Undo User Actions, select the suspended alert, and click Undo, Security Manager displays an error message and does not resume the suspended alert. Security Manager now properly undoes the Stop Alerting action and resumes the suspended alert. (ENG273567)

Resolves Saved Trend Analysis Reports Issue
Security Manager 6.5.2 resolves an issue where if you save a custom Trend Analysis report, you cannot rename the saved report at a later time. The Control Center now allows you to rename saved Trend Analysis reports. (ENG246222)

Resolves Trend Analysis Report Print Error on Windows Vista Computers
Security Manager 6.5.2 resolves an issue where when you view a Trend Analysis report in the Control Center on a Windows Vista computer and click Print Report, Security Manager displays an error saying that the file PrintOut.htm could not be found. The Control Center now allows you to print Trend Analysis reports on Windows Vista computers. (ENG228995)

Resolves Reporting Server Dimension Size Issue
Security Manager 6.5.2 resolves an issue where the size of the Target Service Dimension when uploading data to the reporting cube does not match the size allowed for processing uploaded data. The dimension sizes for both uploading and processing data now match.
(ENG270368)

Resolves Reporting Data Uploading Issue
Security Manager 6.5.2 resolves an issue where Security Manager cannot upload exported data to the cube depot because the data file source_name field contains more than 256 characters. Security Manager now limits the number of characters of the source_name fields of all exported data files to 256 and properly uploads data to the cube depot. (ENG277488)

Resolves New Module Forensic Analysis Query Issue
Security Manager 6.5.2 resolves an issue where when you install a new Security Manager module with the Control Center open, you must close and reopen the Control Center to view or use any new Forensic Analysis queries included in the module. You can now install a new module with the Control Center open and click View > Refresh to use any new Forensic Analysis functionality in the module. (ENG266210)

Resolves Forensic Report Multi-Line Formatting Issue
Security Manager 6.5.2 resolves an issue where Forensic Analysis reports do not properly display multi-line event descriptions. The Control Center now properly displays multi-line event descriptions in Forensic Analysis reports. (ENG222630)

Resolves Proxy Agent Settings Issue
Security Manager 6.5.2 resolves an issue where if you use the Agent Administrator to set up an agentless monitored computer and configure the settings for the proxy agent so the proxy only monitors one type of event log, then reopen the Agent Administrator and view your agentless monitored computer settings, the Agent Administrator incorrectly displays only the default settings. While the Agent Administrator displays the default settings, the proxy agent uses the configured settings. The Agent Administrator now displays the correct proxy agent settings when the proxy monitors one type of log.
(ENG269201)

Resolves Agentless Monitored Computer Event Formatting Issue
Security Manager 6.5.2 resolves an issue where Security Manager proxy agents installed on Microsoft Windows Server 2003 computers incorrectly format events from monitored agentless computers before sending those events to the central computer. Windows proxy agents now correctly format events from monitored agentless computers. (ENG275876)

Resolves Agent GUID Caching Issue
Security Manager 6.5.2 resolves an issue where if you remove a computer from your configuration group using the Agent Administrator, Security Manager does not reload the internal cache of computer names and globally unique identifiers (GUIDs). If the central computer then receives an event or alert from a computer using the same name as the removed computer, Security Manager associates the incoming event or alert with the GUID of the removed computer. However, because Security Manager has deleted the computer from the database server, the Control Center displays the received event or alert without a computer name or domain. Security Manager now correctly handles all removed computers and cached computer names and GUIDs. (ENG234766, ENG228275)

Resolves Agent Deployment Issue on User Interface Computers
Security Manager 6.5.2 resolves an issue where if you install Security Manager user interface components on a computer and then deploy a managed agent to the user interface computer, the Agent Manager removes the regobj.dll file. After deploying the agent, each time you use the Module Installer to import a new module, the Security Manager setup program then starts and attempts to install the missing file. The Agent Manager now does not automatically remove the regobj.dll file when deploying managed agents.
(ENG275798)

Resolves Issue with Agent Communication Using Multiple NICs
Security Manager 6.5.2 resolves an issue where if you install two network interface controllers (NICs) on a central computer and then upgrade to Security Manager 6.5, the central computer can receive data only from agents using the primary NIC. Security Manager now configures central computers to receive data using all NICs by default. To configure your central computer to use a specific network interface, modify the following registry entry on the central computer using the Registry Editor:

HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Consolidator\SocketServer = NetworkInterfaceIPAddress

where ConfigurationGroupName is the name of your configuration group and NetworkInterfaceIPAddress is the IP address of the specific network interface you want to use. The default value is 0.0.0.0.
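
The following PowerShell function is an added example, not part of these release notes or of Security Manager. It reads the SocketServer entry described above for every configuration group on a central computer and reports whether the agent listener is bound to all interfaces (0.0.0.0) or to one address, and whether that address is actually assigned to a local NIC. The function name Get-SMListenerBinding, the treatment of the entry as a string value, and the handling of a missing value are assumptions.

```powershell
# Added example (hypothetical helper, not shipped with Security Manager).
# The registry key and value name come from the release note above; treating
# the value as a string and a missing value as "NotSet" are assumptions.
function Get-SMListenerBinding {
    $root = 'HKLM:\SOFTWARE\NetIQ\Security Manager\Configurations'
    if (-not (Test-Path $root)) {
        Write-Warning "Registry key not found: $root"
        return
    }

    # IPv4 addresses currently assigned to this computer's network interfaces.
    $localIPs = @(
        [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
            ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
            Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.Address.ToString() }
    )

    # One subkey per configuration group (ConfigurationGroupName in the note).
    foreach ($group in Get-ChildItem $root) {
        $key   = "$root\$($group.PSChildName)\Operations\Consolidator"
        $value = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name SocketServer -ErrorAction SilentlyContinue
            if ($prop) { $value = [string]$prop.SocketServer }
        }

        if ([string]::IsNullOrEmpty($value)) { $status = 'NotSet' }
        elseif ($value -eq '0.0.0.0')        { $status = 'AllInterfaces' }
        elseif ($localIPs -contains $value)  { $status = 'SpecificInterface' }
        else                                 { $status = 'AddressNotOnThisComputer' }

        New-Object PSObject -Property @{
            ConfigurationGroup = $group.PSChildName
            SocketServer       = $value
            Status             = $status
        }
    }
}

Get-SMListenerBinding | Format-Table ConfigurationGroup, SocketServer, Status -AutoSize
```

An AllInterfaces result on a multi-homed central computer means the agent listener accepts data on every network the computer is attached to; AddressNotOnThisComputer usually points to a mistyped or stale address in the registry entry.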
(ENG277957)

Resolves Multiple GUID Resolution Issue

Security Manager 6.5.2 resolves an issue where the NetIQ Security Manager service on an agent computer in some environments stops unexpectedly when resolving multiple globally unique identifiers (GUIDs) from received events. Security Manager now properly handles receiving and resolving multiple GUIDs. (ENG277594)

Resolves Syslog Module Configuration Issue

Security Manager 6.5.2 resolves an issue where if you manually add an agent using the syslog module windows of the Configuration Wizard and you use the equals criteria to select a computer, the computer name appears on the Included Computers tab of the computer group properties but does not appear in the database. Because the computer name is not added to the database, the Configuration Wizard does not actually add the computer. The Configuration Wizard now correctly adds the computer. (ENG266799)

Resolves Syslog Event Time Zone Issue

Security Manager 6.5.2 resolves an issue where the Control Center displays the time for events received from a syslog provider using coordinated universal time (UTC). The Control Center now displays the time for events received from a syslog provider using the local time zone. (ENG277028)

Resolves Processing Rule Scheduling Issue

Security Manager 6.5.2 resolves an issue where if you create a custom "Detect Missing Event" real-time event processing rule and specify Sunday as the timeframe in which you expect the event to occur, the NetIQ Security Manager service begins to use all the CPU capacity on any agents or central computers on which you run the processing rule. Security Manager now correctly configures any "Detect Missing Event" rules with Sunday as the specified timeframe and does not use inordinate amounts of CPU capacity.
(ENG271545)

Resolves Performance Processing Rule Criteria Issue

Security Manager 6.5.2 resolves an issue where the performance processing rule in the Development Console does not output the appropriate alert without additional criteria input by the user. The performance processing rule now properly outputs alerts without requiring additional user criteria. (ENG270127)

Resolves UNIX Computer GUID Caching Issue

Security Manager 6.5.2 resolves an issue where if you remove a UNIX computer from your configuration group using the Agent Administrator, Security Manager does not reload the internal cache of computer names and globally unique identifiers (GUIDs). The next time the central computer receives an alert, Security Manager associates the incoming alert with the GUID of the removed UNIX computer, and the NetIQ Security Manager service stops unexpectedly. Security Manager now correctly handles all removed computers and cached computer names and GUIDs. (ENG273429)

Resolves UNIX Agent Registration Issue

Security Manager 6.5.2 resolves an issue where if you remove an installed UNIX agent and then try to install the same agent again using the same name but in a different case, Log Manager for UNIX assigns two separate GUIDs to the same agent computer. For example, if you install a UNIX agent using the name Server1, remove the agent, and then reinstall the agent using the name SERVER1, Log Manager assigns each computer name a GUID, even though both names and GUIDs refer to the same computer. Because the computer has multiple GUIDs, Security Manager does not include event data from that computer in Forensic Analysis report results. Log Manager for UNIX now properly stores removed agents' names in lower case by default. (ENG251965)

Resolves iSeries Agent Timestamp Issue

Security Manager 6.5.2 resolves an issue where iSeries agents occasionally send incorrectly formatted timestamps. For example, 2009-09-17 08:23:7Z, instead of 2009-09-17 08:23:07Z.
When this occurs, Security Manager does not recognize the timestamp formatting and returns an error. When Security Manager cannot parse a datetime string, Security Manager now repairs the formatting if necessary and re-parses the string. If the error persists after Security Manager fixes the formatting, Security Manager enters the current time for the timestamp.

Resolves UNIX and iSeries Central Computer Data Collection Issue

Security Manager 6.5.2 resolves an issue where one central computer accesses information stored on the database server that a different central computer collected from a UNIX or iSeries agent. The central computer that collected the data then can no longer access the data on the database server. To ensure central computers access only their own data, Security Manager now logs the name of the central computer that collected the data in the idmefCollection table of the OnePoint database, under the CentralComputerName heading.

Resolves License Expiration Warning Issue

Security Manager 6.5.2 resolves an issue where if your Security Manager license expires, the Control Center cannot receive data and you cannot open the Development Console, but Security Manager does not log an event that the license has expired. Security Manager now logs an application log event on the central computer when your Security Manager license expires. (ENG272705)

Resolves Issue with Applying Licenses to Unlicensed Installations

Security Manager 6.5.2 resolves an issue where if you try to open the Security Manager Control Center or Development Console in an environment where Security Manager is installed but has no license applied, Security Manager does not allow you to apply a license. Now when you try to open one of the user interfaces without a license applied, Security Manager allows you to select a Security Manager license to apply without opening the Control Center or Development Console. After applying a valid license, you can open both user interfaces.
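
The parse, repair, re-parse, then fall back to the current time sequence described above under the iSeries Agent Timestamp item, as an added Python example that is not NetIQ's code. The function names, the status labels, and treating the trailing Z as UTC are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Strict layout, as in the page's correct example 2009-09-17 08:23:07Z.
STRICT = re.compile(r"(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})Z")
# Lenient layout: a two-digit field may have lost its leading zero (08:23:7Z).
LENIENT = re.compile(
    r"\s*(\d{4})-(\d{1,2})-(\d{1,2})\s+(\d{1,2}):(\d{1,2}):(\d{1,2})\s*Z\s*")


def repair(raw):
    """Zero-pad short fields; return the canonical string, or None if the
    input does not even have the date/time layout."""
    m = LENIENT.fullmatch(raw)
    if m is None:
        return None
    y, mo, d, h, mi, s = m.groups()
    return f"{y}-{mo:0>2}-{d:0>2} {h:0>2}:{mi:0>2}:{s:0>2}Z"


def parse_event_time(raw, now=None):
    """Return (timestamp, status); status is 'parsed', 'repaired' or
    'substituted' so a replaced timestamp stays visible downstream."""
    attempts = [(raw, "parsed")]
    fixed = repair(raw)
    if fixed is not None and fixed != raw:
        attempts.append((fixed, "repaired"))
    for text, status in attempts:
        m = STRICT.fullmatch(text)
        if m is None:
            continue
        try:  # datetime() rejects impossible values such as month 13
            fields = [int(g) for g in m.groups()]
            return datetime(*fields, tzinfo=timezone.utc), status
        except ValueError:
            continue
    # Last resort, as the release note describes: use the current time.
    return (now or datetime.now(timezone.utc)), "substituted"


if __name__ == "__main__":
    # First two values are the page's examples; the rest are constructed.
    for sample in ["2009-09-17 08:23:07Z", "2009-09-17 08:23:7Z",
                   "2009-9-17 8:3:7Z", "2009-13-17 08:23:07Z", "not a time"]:
        ts, status = parse_event_time(sample)
        print(f"{sample!r:26} -> {ts.isoformat()} [{status}]")
```

Keeping the status next to the stored timestamp lets an analyst tell an event whose time was substituted at collection from one that carries the time the agent reported.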
(ENG274290)

Resolves OnePoint Database Installation Size Issue

Security Manager 6.5.2 resolves an issue where Security Manager uses the value specified for the starting size of the OnePoint database during installation as the maximum size for the database. Security Manager now properly uses "Starting Size" as the actual starting size for the OnePoint database and allows the database to grow as large as necessary.

Resolves Log Archive Query Tool Issue

Security Manager 6.5.2 resolves an issue where if you try to use the Log Archive Resource Kit Log Archive Query tool to query very large amounts of log archive data, the Log Archive Query tool runs out of memory and stops unexpectedly. The Log Archive Query tool can now successfully query large amounts of log archive data. (ENG259647)

Resolves Log Archive Server Installation Issue

Security Manager 6.5.2 resolves an issue where after installation of Security Manager 6.5, the log archive indexer and NetIQ Security Manager Log Archive service stop repeatedly, due to a misconfiguration of the indexer during installation. The setup program now configures the indexer correctly, and both the indexer and Log Archive service start properly after installation. (ENG271612)

Resolves Performance Counter Provider Creation Issue

Security Manager 6.5.2 resolves an issue where if you create a new Windows NT Performance Counter provider, the Development Console unexpectedly closes if you select Remote Computer in the Counter definitions from option, specify a computer other than the default, and click OK. Security Manager now allows you to create a new Windows NT Performance Counter provider that uses counter definitions from a remote computer. (ENG275409)

Resolves Central Computer Response Script Issue

Security Manager 6.5.2 resolves an issue where Security Manager cannot run a script on a central computer in response to an event on an agent computer.
Security Manager now properly runs scripts on a central computer in response to events either on the central computer or on an agent, as configured. (ENG279562)

Resolves Issue with Running Multiple Simultaneous Responses

Security Manager 6.5.2 resolves an issue where if a Security Manager agent installed on a multi-core computer runs the same response on multiple response threads, the NetIQ Security Manager service on the agent computer can stop unexpectedly. Security Manager now properly runs responses on multiple threads. (ENG262533)

Resolves CGGP Configuration Change Issue

Before you install Security Manager 6.5.2, when you apply Change Guardian for Group Policy configuration changes for a Windows Server 2003 or 2008 domain controller, the NetIQ Security Manager service on the domain controller stops unexpectedly. After you install Security Manager 6.5.2, the Security Manager agent properly updates Change Guardian for Group Policy configuration changes, and the NetIQ Security Manager service no longer stops unexpectedly. (ENG277149)

Resolves an Issue with Upgrading from Security Manager 6.0 SP4 to Version 6.5

Security Manager 6.5.2 resolves an issue where upgrading from Security Manager 6.0 SP4 to Security Manager 6.5.2 causes the central computer to not install the most recent version of the libexpat.dll file on all managed Windows agents in your configuration group. The central computer sends upgrade information to your agents, causing the NetIQ Security Manager service on your agent computers to stop and fail to restart. After you install this version, Security Manager upgrades the required file and enables the central computer to properly upgrade your managed agents. (ENG276446)

Resolves Alert Grooming Issue

Security Manager 6.5.2 resolves an issue where if you configure database server grooming to groom resolved alerts older than 30 days, all alerts older than 30 days are groomed, regardless of resolution state.
Security Manager now grooms alerts as configured in your database grooming settings. (ENG274017)

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you. For detailed contact information, see the Support Contact Information Web site. For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.

Legal Notice

NetIQ Security Manager is protected by United States Patent No: 05829001.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. © 2010 NetIQ Corporation. All rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. 
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

Template date: March 5, 2010