IBM Support

QRadar: 'General Failure' error in the user interface due to 'Divide by zero' in Java (IJ04325)

Troubleshooting


Problem

QRadar users might see 'General Failure. Please try again' messages in the search or offense views in the user interface due to a Java divide by zero error.

Cause

This issue is logged as APAR IJ04325. NOTE: This APAR is being published and might take up to 24 hours to be visible using the provided link.

Environment

QRadar systems with Java 8 installed that use QRadar v7.2.8, v7.3.0, or v7.3.1 software.

Diagnosing The Problem

Symptoms


The error message 'java.lang.ArithmeticException: divide by zero' is reported in the /var/log/qradar.log file and generates 'General Failure' user interface messages when searching or viewing offenses. The presence of the 'divide by zero' message, combined with various QRadar usage errors or behaviors, indicates that the QRadar deployment is affected.
  • This issue might cause event collection or processing to stop on an appliance.
  • 'General Failure. Please try again.' message in the User Interface when attempting to view the events associated with an offense.
  • 'General Failure. Please try again.' message in the User Interface when attempting to perform Log Activity searches.
  • A red message: ‘The server encountered an error reading one or more files’ in the User Interface when a Log Activity search is run.
  • No new offenses being created in combination with System Notification messages similar to: “Magistrate: Unable to persist offense updates”.
  • Rules stop updating Offense names.


How to diagnose this issue

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. Select Advanced Search from the search bar.
  4. Type the following advanced search query:

    select sourceip, UTF8(payload), LOGSOURCENAME(logsourceid) from events where TEXT SEARCH 'java.lang.ArithmeticException: divide by zero' AND LOGSOURCENAME(logsourceid) like 'System Notification%' LAST 168 HOURS

    Results
    Any results returned by this search indicate that you are experiencing APAR IJ04325. Administrators should review the Resolving the problem section below to contact QRadar Support. If the search does not run or you experience a 'General Failure. Please try again' error, then review the Resolving the problem section below to contact QRadar Support.
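When the Log Activity search itself fails, the same string can be checked directly in /var/log/qradar.log, the file named under Symptoms. The script below is an added example, not IBM tooling; the function names and sample log lines are constructed, and it assumes each line starts with a syslog-style date and that the first bracketed token names the service.

```shell
#!/bin/sh
# Added example: summarise 'divide by zero' exceptions in a QRadar log file.
# Assumptions: lines begin with a syslog-style "Mon DD" date and the first
# [bracketed] token names the service; the sample lines are constructed.

PATTERN='java.lang.ArithmeticException: divide by zero'

# Print "COUNT<TAB>DAY<TAB>SERVICE" rows, busiest first.
# Returns 0 if the exception was found, 1 if not, 2 if the file is unreadable.
divzero_summary() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    out=$(grep -F -- "$PATTERN" "$1" | awk '
        {
            day = $1 " " $2
            svc = "unknown"
            i = index($0, "["); j = index($0, "]")
            if (i > 0 && j > i) svc = substr($0, i + 1, j - i - 1)
            n[day "\t" svc]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Print the total number of matching lines (0 when there are none).
divzero_total() {
    grep -cF -- "$PATTERN" "$1" || true
}

# Write constructed sample log lines to the given path.
write_sample() {
    cat > "$1" <<'EOF'
Apr 10 09:15:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [Thread-1] java.lang.ArithmeticException: divide by zero
Apr 10 09:15:07 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [Thread-2] java.lang.ArithmeticException: divide by zero
Apr 10 09:16:40 ::ffff:192.0.2.10 [tomcat.tomcat] [Thread-7] java.lang.ArithmeticException: divide by zero
Apr 11 01:02:03 ::ffff:192.0.2.10 [ecs-ec.ecs-ec] [Thread-9] routine status message
EOF
}

# Scan the file given as $1, or the constructed sample when none is given.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample "$log"
fi
echo "total matches: $(divzero_total "$log")"
divzero_summary "$log" || echo "no divide by zero exceptions in $log"
```

Run it with /var/log/qradar.log as the argument on the affected appliance; the per-day, per-service counts are useful detail to include in the support case.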

How to monitor this issue in your deployment


A content pack has been created to help users diagnose this issue and generate a system notification to alert administrators and assist with monitoring their deployment. The content pack APAR_IJ04325.zip contains one rule and one custom event property to help administrators monitor for the divide by zero errors in their deployment.

Type                  | Name                             | Default value
Custom Rule           | ArithmeticException Notification | Enabled after installing APAR_04325.zip
Custom Event Property | ServiceName                      | Enabled after installing APAR_04325.zip

Procedure

  1. Download the attached content pack to your workstation or laptop. Do not extract the downloaded file. It must be uploaded as APAR_IJ04325.zip to QRadar.
    APAR_IJ04325.zip

    md5sum: 1e26df4590580ba4cbe86cc1431f9e3d
    sha1sum: 2bd7f37fd23d3d33cae74d142da888a7a03a0559
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab, then click Extensions Management.
  4. To upload an extension, click Add and select the zip file downloaded from Step 1.
  5. Select the Install immediately check box and click Add.
  6. Select Overwrite when prompted to add the new data to your QRadar appliance.
  7. After the content pack is installed, administrators can monitor QRadar System Notifications for 'General Information Message' notifications.


    Results
    Any results returned by this search indicate that you are experiencing APAR IJ04325. Administrators should review the Resolving the problem section below to contact QRadar Support.
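Before the upload in step 4, the downloaded file can be checked against the md5sum and sha1sum published in step 1. The script below is an added example, not part of the content pack or IBM tooling; the function name verify_pack is hypothetical and it assumes GNU coreutils md5sum and sha1sum on the workstation.

```shell
#!/bin/sh
# Added example: verify the downloaded content pack before uploading it.
# Digests and file name are the ones published in step 1 of the procedure.
# Assumption: GNU coreutils md5sum and sha1sum are available.

PACK_NAME=APAR_IJ04325.zip
PACK_MD5=1e26df4590580ba4cbe86cc1431f9e3d
PACK_SHA1=2bd7f37fd23d3d33cae74d142da888a7a03a0559

# verify_pack FILE [MD5 SHA1]
# Returns 0 when name and both digests match, 1 on any mismatch,
# 2 when FILE is not a readable regular file (for example, an extracted folder).
verify_pack() {
    file=$1
    want_md5=${2:-$PACK_MD5}
    want_sha1=${3:-$PACK_SHA1}
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "not a readable regular file: $file" >&2
        return 2
    fi
    rc=0
    if [ "$(basename "$file")" != "$PACK_NAME" ]; then
        echo "file must be named $PACK_NAME" >&2
        rc=1
    fi
    got_md5=$(md5sum "$file" | awk '{print $1}')
    got_sha1=$(sha1sum "$file" | awk '{print $1}')
    [ "$got_md5" = "$want_md5" ] || { echo "md5 mismatch: $got_md5" >&2; rc=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "sha1 mismatch: $got_sha1" >&2; rc=1; }
    return "$rc"
}

# Usage: sh verify_pack.sh /path/to/APAR_IJ04325.zip
if [ $# -gt 0 ]; then
    verify_pack "$1" && echo "OK: $1 matches the published digests"
fi
```

MD5 and SHA-1 are no longer collision-resistant, so a match confirms an intact download rather than authenticity; fetch the file from the IBM support page over HTTPS.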

Resolving The Problem

Administrators who experience the 'divide by zero' error messages should contact QRadar Support for assistance. It is also recommended that administrators subscribe to updates in APAR IJ04325 to receive a notice for changes related to this issue.

What to do


To verify this issue, the QRadar Support representative will request a memory dump to validate the 'divide by zero' error. This will require a meeting with the support representative to ensure that the debug modes are enabled and disabled properly.

  1. Navigate to https://www.ibm.com/mysupport.
  2. Sign in using your IBMid.
  3. Open a ticket with QRadar Support and reference APAR IJ04325 - Divide by Zero in your case description.
  4. A support representative will contact you to discuss how to collect the memory dump from the impacted QRadar appliance.
  5. Additional information will be communicated through your QRadar Support case.




Document Information

Modified date:
10 May 2019

UID

swg22013920