TIBCO LogLogic Log Management Intelligence (LMI)
Software Release 5.6.0
March 2015
Two-Second Advantage
Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE. USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE LICENSE FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME. This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc. TIBCO, Two-Second Advantage, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries. All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only. THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM. 
THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME. THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES. Copyright 2002-2015 TIBCO Software Inc. ALL RIGHTS RESERVED. TIBCO Software Inc. Confidential Information
Check the TIBCO Product Support web site at https://support.tibco.com for product information that was not available at release time. Entry to this site requires a username and password. If you do not have a username, you can request one. You must have a valid maintenance or support contract to use this site.

Topics
- Release 5.6.0
- What's New in Release 5.6.0
- Changes in Functionality
- Supported Platforms, Browsers, and Settings
- Known Issues
- Fixed Issues
- Connecting with TIBCO Resources
Release 5.6.0

TIBCO LogLogic Appliance Release 5.6.0 is a feature update to previous releases. You can upgrade from Release 5.5.0 with HF3 and 5.5.1 with HF1 to Release 5.6.0 using the instructions in the LogLogic Configuration and Upgrade Guide, which is available for download from the TIBCO support website or the TIBCO Software Product Download Site.

If you are running a release prior to 5.3, you must first upgrade to Release 5.3, 5.3.1, 5.4, 5.4.1, or 5.4.2, run the Post Upgrade Script, and then upgrade to Release 5.6.0. If you do not run the Post Upgrade Script, you will lose some of the reports data.

After upgrading from 5.5.0 or 5.5.1 you must run the Post Upgrade Script, rundbm, which is in the /loglogic/bin/ directory.

Table 1 LMI Upgrade Matrix
LMI   5.4.0   5.4.1   5.4.2   5.5.0   5.5.1   5.6.0
      5.4     5.4.1   5.4.2   5.5.0   5.5.1

Table 2 LMI LSP Compatibility Matrix
LMI   5.4.0   5.4.1   5.4.2   5.5.0   5.5.1   5.6.0
LSP   25      26      27      27.1    28      29
What's New in Release 5.6.0

TIBCO LogLogic Release 5.6.0 contains the following improvements and updates since the previous feature release:

IPv6 Support

TIBCO LogLogic Log Management Intelligence now supports collection, storage, search, and forwarding functionality for native IPv6 networks as well as hybrid environments consisting of IPv4 and IPv6 devices. In the configuration CLI there is only partial support for both IPv4 and IPv6 on the same interface. For this release it is recommended to use separate appliances.

In HA configuration, the node identifier of each machine is derived from the last byte of the machine's IP address (the address specified to be used for HA replication during HA setup). Care must be taken that the last byte differs for both members of a cluster. When configuring SAN in HA, the identity of each node is still internally assumed to be an IPv4 address. Care must be taken that the last 4 bytes of each node's IP address differ (note that this is implied by the previous rule).

IPv6 addresses are not supported for:
- Network Policy
- Alert rules
- Compliance Manager 2.1.0
- Management Station does not support IPv6 addresses for remote appliances
- Replay, because of the dependency on Management Station
- CheckPoint devices
- Parsing of address strings within log messages
- Centerra Archival
- Cisco IPS
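The two HA identity rules above, checked by an added example that is not part of the original release notes or of the LogLogic product; the function names and sample addresses are illustrative, and the node identifier is taken to be the last byte of the packed replication address for IPv4 and IPv6 alike, with SAN-in-HA comparing the last 4 bytes:

```python
"""Check the LMI HA identity rules stated in the release notes.

Added example, not TIBCO or LogLogic code. Assumes the node identifier
is the last byte of the packed HA replication address (IPv4 or IPv6)
and that SAN-in-HA compares the last 4 bytes, as the notes describe.
"""
import ipaddress
from typing import List


def node_identifier(address: str) -> int:
    """HA node identifier: the last byte of the replication address."""
    return ipaddress.ip_address(address).packed[-1]


def san_identity(address: str) -> bytes:
    """What SAN-in-HA treats as the node identity: the last 4 bytes,
    because it still assumes an IPv4-sized address."""
    return ipaddress.ip_address(address).packed[-4:]


def check_ha_pair(addr_a: str, addr_b: str, san: bool = False) -> List[str]:
    """Return the rule violations for a two-node cluster (empty if none).

    IPv6 addresses that differ only in earlier groups (2001:db8::10 vs
    2001:db8:1::10) still collide on the last byte, which is easy to miss
    when moving an HA pair to IPv6.
    """
    problems = []
    ident_a, ident_b = node_identifier(addr_a), node_identifier(addr_b)
    if ident_a == ident_b:
        problems.append(
            f"node identifier collision: both addresses end in byte {ident_a}"
        )
    if san and san_identity(addr_a) == san_identity(addr_b):
        problems.append("SAN identity collision: last 4 bytes are identical")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs; 10.0.0.11 is the appliance default address.
    for pair in [("10.0.0.11", "10.0.0.12"),
                 ("2001:db8::10", "2001:db8:1::10"),
                 ("2001:db8::10", "2001:db8::1:10")]:
        print(pair, check_ha_pair(*pair, san=True) or "ok")
```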
Table 3 IPv6 Support Matrix
Log Source address   LMI           Supported LMI version
IPv4                 IPv4          v5.5.0 and below
IPv6                 IPv6          v5.6.0
IPv4                 IPv4 + IPv6   v5.6.0

Increased Device Count

TIBCO LogLogic Log Management Intelligence is now certified to work with up to 100,000 devices. This increased support includes device groups as well as individual devices on an appliance.

Minimum Hardware Requirements for 100K Devices on EVA
CPU                 Intel Compatible (2 GHz minimum)
Memory              12 GB minimum
Cores               8
Network Adapter     1 minimum; up to 6
Disk                500 GB; 20 GB for the evaluation version
VM Controller       LSI Logic RAID
VM Hard Drive       SCSI type

Appliance models recommended for 100K Devices support:
- ST4025
- LX4025
- MX4025
- ST2025 SAN
Changes in Functionality

The following platforms and browsers are no longer supported:
- H3 Appliances
- Microsoft IE 9.x
Supported Platforms, Browsers, and Settings

This TIBCO LogLogic release supports specific LogLogic Appliance models, and can be used with supported web browsers on systems using the recommended display settings.

Table 4 Supported Platforms for H4 Appliance Models
LX Appliances   ST Appliances   MX Appliances
LX825           ST1025          MX3025
LX1025          ST2025 SAN      MX4025
LX4025          ST4025

Table 5 Supported Browsers
Browser                       Version
Google Chrome                 23.x, 31.x, 41.x
Microsoft Internet Explorer   10.x, 11.x
Mozilla Firefox               3.6.x, 16.x, 25.x, 26.x, 36.x

Table 6 Display Settings
Monitor              Recommended settings           Minimum settings
Display Resolution   1280 x 1024 pixels or higher   1024 x 768 pixels
Colors               32-bit colors                  16-bit colors
LogLogic Documentation

This release includes the following documentation, available on the TIBCO Product Documentation website https://docs.tibco.com

- LogLogic Hardware Installation Guide: Describes how to get started with the LogLogic Appliance, and includes details about the Appliance hardware.
- LogLogic Configuration and Upgrade Guide: Describes how to configure and upgrade LogLogic Appliance software.
- LogLogic Administration Guide: Describes how to administer the LogLogic solution, including managing users, managing log data storage, and managing new log sources (devices).
- LogLogic Management Appliance Guide: Describes how to manage multiple distributed Appliances using the LogLogic Management Appliance.
- LogLogic User Guide: Describes how to use the LogLogic solution, including managing reports, managing alerts, and performing searches.
- LogLogic Enterprise Virtual Appliance Quick Start Guide: Describes how to install the LogLogic Enterprise Virtual Appliance (EVA) in the VMware environment.
- LogLogic Log Source Configuration Guides: Describe how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
- LogLogic Collector Guides: Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/os and ISS SiteProtector.
- LogLogic Log Source Report Mapping Guide: Provides a set of tables listing Log Source Reports by Device Type, sorted by UI Categories: Access Control, Database Activity, Enterprise Content Management, HP NonStop Audit, IBM i5/os Activity, Mail Activity, Network Activity, Operational, Policy Reports, Storage Systems Activity, and Threat Management.
- LogLogic Web Services API Implementation Guide: Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.
- LogLogic Syslog Alert Message Format Quick Reference Guide: Describes the LogLogic Syslog alert message format.
- XML Import Guide: Describes how to manually import, export, and edit XML files into and from the Appliance when not using the Appliance UI.
- LogLogic Online Help: Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.
Known Issues

The following issues are known to exist in the current release:

- Setting up encrypted forwarding via LLTCP or TCP syslog causes the root account key of the source appliance to become authorized by the destination appliance, resulting in password-less SSH access by root from the source appliance to the destination, in addition to allowing log forwarding. (LLLM-1817)
- The EVA product comes out of the box with a default SSH signature. This signature should be changed to maintain proper security measures once installation is complete. (LLLM-1816)
- Distributed regex searches are cancelled by LMI if they execute for more than 5 minutes on Management Stations. Contact Support for the workaround. (LLLM-1790)
- Greek characters within usernames cause LDAP authentication to fail. (LLLM-1660)
- Cannot collect the logs forwarded by UC when the domain has 256 characters. (LLLM-1713)
- Three failures are reported from the OEL65 init scripts. These messages do not indicate any malfunction. The services which do not start are either already started or unnecessary. (LLLM-2376)
- Unable to export 100k devices using the export feature. (LLLM-2699) Workaround: Export fewer than 60K devices at a time.
- Depending on the type of model, importing large numbers of devices can take some time (hours). (LLLM-2548)
- An error is displayed when the User Last Activity PCI report is run. (LLLM-2783) Workaround: Edit the report, run it, and resave it.
- The GUI cannot redirect to the login page after restore if eth0 is configured with the default IP 10.0.0.11 and IPv6 is configured on any other NIC. (LLLM-2853) Workaround: Unset the default eth0 configuration or configure eth0 with real network information.
- Unable to use verify peer functionality with SSL when performing HTTP push from a Bluecoat device to LMI. (LLLM-2859)
- SNMP on an upgraded appliance does not work on IPv6. It works for a fresh install. (LLLM-2881) Workaround: To make SNMP work on IPv6, the snmpd.conf file (located in /loglogic/update) needs to be appended with the lines given below for LX and ST appliances.

  For LX:
    agentaddress udp:161,udp6:161
    rocommunity6 public default

  For ST:
    agentaddress udp:161,udp6:161
    rocommunity6 public default

  If the community string used for IPv6 is not public, then that string needs to be replaced in these lines. For example, for IPv4, if the existing community string is LOGLOGIC then the corresponding entry in snmpd.conf will be:
    rocommunity LOGLOGIC
  Replace the string
    rocommunity6 public default
  with
    rocommunity6 LOGLOGIC default
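The LLLM-2881 workaround above, as an added example that is not part of the release notes or the appliance: it reads the existing IPv4 rocommunity string from snmpd.conf content and produces the two lines to append, so an appliance whose IPv4 community is not "public" does not end up answering IPv6 queries with the default string; it also skips lines that are already present. The function names and the sample snmpd.conf content are constructed for the example.

```python
"""Derive the IPv6 snmpd.conf lines for the LLLM-2881 workaround.

Added example, not TIBCO or LogLogic code. Follows the workaround text:
append 'agentaddress udp:161,udp6:161' and a 'rocommunity6 <string>
default' line whose community string matches the existing IPv4
'rocommunity' entry. The sample snmpd.conf content is constructed.
"""
import re
from typing import List

AGENT_LINE = "agentaddress udp:161,udp6:161"
# Matches 'rocommunity <string>' but not 'rocommunity6 ...' or commented lines.
RO_COMMUNITY_RE = re.compile(r"^\s*rocommunity\s+(\S+)", re.MULTILINE)


def ipv4_community(conf: str) -> str:
    """Community string from the first 'rocommunity' line, or 'public'
    when snmpd.conf has none (the default the workaround text uses)."""
    match = RO_COMMUNITY_RE.search(conf)
    return match.group(1) if match else "public"


def ipv6_lines(conf: str) -> List[str]:
    """Lines that still need appending; empty once the workaround is in place."""
    wanted = [AGENT_LINE, f"rocommunity6 {ipv4_community(conf)} default"]
    present = {line.strip() for line in conf.splitlines()}
    return [line for line in wanted if line not in present]


def apply_workaround(conf: str) -> str:
    """Return snmpd.conf content with the missing lines appended (idempotent)."""
    missing = ipv6_lines(conf)
    if not missing:
        return conf
    return conf.rstrip("\n") + "\n" + "\n".join(missing) + "\n"


# Constructed sample: an appliance whose IPv4 community string is not 'public'.
SAMPLE_CONF = """# snmpd.conf (constructed sample)
rocommunity LOGLOGIC
syslocation LMI lab
"""

if __name__ == "__main__":
    print(apply_workaround(SAMPLE_CONF))
```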
Fixed Issues

The following issues were fixed in this release:

- Aborted connection error message is no longer seen when the rtstatus binary does not properly close a shared mysql connection handle. (LLLM-2855)
- OVA certificate had expired. (LLLM-2846)
- A failure to rotate the mysql error log file caused mysql to fail. (LLLM-2834)
- Bluecoat configuration to a LogLogic appliance with SSL authentication for HTTPS continuous upload did not work. (LLLM-2768)
- Multiple OpenJDK and Bash shellshock vulnerabilities reported. (LLLM-2766)
- Login failed for accounts with many groups. (LLLM-2723)
- Unable to collect Microsoft SQL Server logs and Oracle Server logs on LX appliance. (LLLM-2603)
- Alert history and alert email notification contained a truncated log message originating from an SNMP trap. (LLLM-2596)
- Multiple index search warnings prevented conversion from HTML to PDF. (LLLM-2580)
- Errors generated in logs when using Management Station through WSAPI. (LLLM-2577)
- Errors generated in logs after configuring SCP backup to SCP server. (LLLM-2576)
- Device count was wrong in data retention. (LLLM-2575)
- The engine_archive did not archive enough to maintain the archive threshold. (LLLM-2546)
- Update of a data retention rule was not applied. (LLLM-2448)
- User not able to export Custom reports from any 5.4.x version of LMI appliance and import them into another appliance or version. (LLLM-2099)
- Index Search should search IPv6 addresses for every text representation. (LLLM-1963)
- User Authentication Reports timed out or took longer than expected. This only occurred when filters were selected against columns which had no indexes. (LLLM-1791)
- Server supported client-initiated renegotiation. (LLLM-1627)
- The default admin account was present on all installations. (LLLM-1598)
- 256-bit ciphers were not supported. (LLLM-1597)
- The RSA key exchange in SSL did not support Forward Secrecy. (LLLM-1595)
- The mysql version was outdated. (LLLM-1581)
- Security vulnerabilities from 5.4 security scan. (LLLM-912)
- The version of stunnel (and OpenSSL) utilized by the engine_uldpcollector process (when secure ULDP was enabled) was outdated and vulnerable. (LLLM-890)
- Multiple patch vulnerabilities resulting from LMI 5.4 security scan. (LLLM-781)
- OpenSSH vulnerability with GSSAPI ELSA-2011-2029. (LLLM-775)
- Ability to self-modify user name in web UI. (LLLM-758)
- CGI Generic Cross-Site Request Forgery Detection (potential vulnerability). (LLLM-613)
- Non-absolute directory entries in PATH. (LLLM-439)
- Performing drill down of reports on Compliance Manager took longer than expected. (LLLM-1428)
- LMI version 5.4 and above did not support TLS 1.2 after IE 9.x. (LLLM-742)
- CiscoVPN3000 logs containing an empty username with double quotes caused the LX parser to crash with a segmentation fault, resulting in reboot and engines disabled on start. (LLLM-2792)

Hotfixes Incorporated

The following hotfixes were merged into this release:

LMI 5.4.2 Hotfixes

5.4.2-HF3
- Results were retrieved only from devices that were sending logs to Management Station and not from devices sending logs to Managed Station when WSAPI for v5.4 or higher was used. (LLCE-566)
- Old filedata indices were not being removed due to a bad SQL statement. (LLCE-656)
- Keystore and truststore files were not included in LMI config backup. (LLCE-668)
- Message Signature Validate screen showed a message match; however, using the Message Signature tags in an Index Search did not find corresponding messages or showed inconsistent results. (LLCE-673)
- ReportService->getReport method->filters did not work. (LLCE-675)
- Phantom searches were found with Distributed RegEx. (LLCE-682)
- The engine_backup failed when it could not find files or directories. (LLCE-683)
- Regex filter based alert failed for incoming SNMP messages. (LLCE-707)
- Update installation instructions in hotfix readme. (LLCE-710)
- Unreadable codes for French characters were seen when a saved Message Signature was edited. (LLCE-715)
- The number of matching messages in the Validation tab of the Message Signature Pattern Editor was not the same as the search results in Index Search. (LLCE-723)
- UTF8 regex alerting with non-UTF8 characters inside RAW data. (LLCE-730)

5.4.2-HF4
- All Message Routing failed or stopped when one destination was unavailable. (LLCE-717)
- Log Source Data Trend File Transfer Logs - last 24 hours pane did not report the correct number of messages indexed. (LLCE-719)
- Messages that contained French characters did not match the Regex even though the Regex was created according to the message. (LLCE-724)
- Advanced Option for Log Source Status name filter did not filter log source names correctly. (LLCE-728)
- Scheduled index report from MS and RA did not include logs. (LLCE-731)
- Index-Remove process created a lock on index files on NAS and caused it to hang the remove and relocate processes during failover. (LLCE-735)
- Index search report from LogLogic appliance to CM2.1: log message was truncated after 238 characters. (LLCE-740)
- Update of a data retention rule was not applied. (LLCE-747)
- HA synchronization transferred more data than needed. (LLCE-749)
- Index Search did not match IPv6 addresses properly. (LLCE-752)
- Alert triggered too early. (LLCE-765)
- TCP Syslog forwarding rule did not use keep-alive. (LLCE-768)
- Distributed RegEx search did not work if the RegEx pattern had a backslash in it. (LLCE-809)

5.4.2-HF-LLCE-812
- Engine engine_archive did not archive enough to maintain the archive threshold. (LLLM-2546)

5.4.2-HF-LLCE-992-993
- Ghost glibc vulnerability. (LLLM-2775)
- NTP daemon contained multiple vulnerabilities. (LLLM-2710)

LMI 5.5.0 Hotfixes

5.5.0-HF1
- HA synchronization transferred more data than needed. (LLCE-750)
- Engine_LX_parser repeatedly crashed. (LLCE-769)
- LMI 5.5.0 user creation with the first name. (LLCE-771)
- Index Search did not match IPv6 addresses properly. (LLCE-776)
- Regex filter based alert failed for incoming SNMP messages. (LLCE-782)
- Message Signature Validate screen showed a message match; however, using the Message Signature tags in an Index Search did not find the messages or showed inconsistent results. (LLCE-787)
- Index-Remove process created write.locks on index files on NAS and hung the remove and relocate processes. (LLCE-789)
- Results were retrieved only from devices that were sending logs to Management Station and not from devices sending logs to Managed Station when WSAPI for v5.4 or higher was used. (LLCE-790)
- Engine_backup failed when it could not find files or directories. (LLCE-793)

5.5.0-HF2
- User Access Reports were blank for more than 12 hours even when there was data. (LLCE-807)
- Tomcat crashed with an out-of-memory Java exception. (LLCE-815)
5.5.0-HF-LLCE-883
- GNU bash shell was vulnerable to multiple security vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187). (LLLM-2259)

5.5.0-HF-LLCE-902
- Tomcat Web UI and OpenSSL HTTPS and WSS were vulnerable to the POODLE security vulnerability (CVE-2014-3566). (LLCE-902)

5.5.0-HF3
- Engine_LX_parser repeatedly crashed following upgrade to 5.5 from 5.4.0. (LLCE-795)

5.5.0-HF-LLCE-972-988
- NTP daemon was vulnerable to multiple security vulnerabilities (CVE-2014-9298, CVE-2014-9297, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296). (LLCE-972)
Connecting with TIBCO Resources

How to Join TIBCOmmunity
TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to http://www.tibcommunity.com.

How to Access TIBCO Documentation
You can access TIBCO documentation here: https://docs.tibco.com

How to Contact TIBCO Support
For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:
- For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site: http://www.tibco.com/services/support
- If you already have a valid maintenance or support contract, visit this site: https://support.tibco.com
  Entry to this site requires a user name and password. If you do not have a user name, you can request one.