Alerts with IPv6 data cannot be seen in the WebUI Alert Views

  • 7016555
  • 02-Jun-2015
  • 02-Jun-2016

Environment

NetIQ Sentinel 7.3.x Real Time Alert Views
NetIQ Change Guardian 4.1
NetIQ Change Guardian 4.2

Situation

Alerts containing IPv6 data are not shown in the Alert views.

The alerts are generated correctly and can be seen in MongoDB; however, they do not show up in the WebUI alert views. This is because the Elasticsearch ip field type used to index them currently supports only IPv4 addresses.


Resolution

**Note: Once you change the index to accept IPv6 data, you will no longer be able to run "Range Query" searches on the IP fields, because those fields are then indexed as plain strings rather than as addresses. Decide whether viewing alerts with IPv6 data is more important than the ability to use IP range queries before changing the index.**


Modify the Elasticsearch index template to accept IPv6 data, using the following steps:

1. Delete the existing Elasticsearch index with the following command on the Sentinel server:
   curl -XDELETE 'http://127.0.0.1:9200/alerts.alerts'
2. Stop Sentinel:
   rcsentinel stop
3. Back up the existing index template file:
   cp -a /etc/opt/novell/sentinel/3rdparty/elasticsearch/templates/alerts.alerts.json /home/novell/alerts.alerts.json.bak
4. Edit the template file and change every occurrence of "type":"ip" to "type":"string":
   vim /etc/opt/novell/sentinel/3rdparty/elasticsearch/templates/alerts.alerts.json
4a. In vim, the following command finds all instances of "type":"ip" and replaces them with "type":"string" (if the file has a space after the colon, adjust the pattern so that it still matches):
   :%s/"type":"ip"/"type":"string"/g
   **Ensure that the file is still owned by novell:novell after editing.**
5. Delete the following file so that the indexes are rebuilt from the new template when the server starts:
   rm /opt/novell/sentinel/3rdparty/mongoconnector/config.txt
6. Start Sentinel:
   rcsentinel restart

Once this is done, alerts with IPv6 data are shown in the alert views alongside alerts with IPv4 data.
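As an added illustration (not part of this TID or the product's own tooling), the following Python performs the template change of step 4 on the parsed JSON instead of with a text substitution, so it is independent of the whitespace around the colon, and shows which alert values an IPv4-only ip mapping cannot index. The sample template and the alert field names are constructed and hypothetical.

```python
import copy
import ipaddress
import json

# Constructed sample in the shape of an alerts.alerts.json template (not the real
# file); field names are hypothetical, only the "type": "ip" mappings matter.
SAMPLE_TEMPLATE = json.loads("""
{"template": "alerts.alerts",
 "mappings": {"alert": {"properties": {
     "sip": {"type": "ip"},
     "dip": {"type":"ip"},
     "geo": {"properties": {"ip": {"type": "ip"}, "city": {"type": "string"}}}
 }}}}
""")


def ip_fields_to_string(template):
    """Copy the mapping tree with every {"type": "ip"} field remapped to "string";
    return (new_template, fields_changed). Working on parsed JSON rather than the
    text makes the result independent of whitespace around the colon."""
    template = copy.deepcopy(template)
    changed = 0

    def walk(obj):
        nonlocal changed
        if isinstance(obj, dict):
            if obj.get("type") == "ip":
                obj["type"] = "string"
                changed += 1
            for child in obj.values():
                walk(child)
        elif isinstance(obj, list):
            for child in obj:
                walk(child)

    walk(template)
    return template, changed


def ipv6_values(alert):
    """Return the IPv6 addresses among an alert's field values: an IPv4-only
    'ip' mapping rejects these, so such an alert never reaches the Alert view."""
    found = []
    for value in alert.values():
        try:
            addr = ipaddress.ip_address(str(value))
        except ValueError:
            continue
        if addr.version == 6:
            found.append(str(addr))
    return found
```

Running `ip_fields_to_string` a second time on its own output should report zero changed fields, which is a quick check that no ip-typed field was missed before the template is written back.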

Cause

The original Elasticsearch index template mapped the address fields as type ip. That type expects IPv4 address data, while IPv6 addresses are written in hexadecimal notation, so the index could not parse alerts containing IPv6 addresses and they were not indexed.