QRADAR APARS 101
QRadar information related to known issues, important alerts and problem resolutions.
What are APARs?
QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report carries a status for the end user, either ONGOING or CLOSED. This page is intended to help users who have not yet subscribed to IBM My Notifications locate known issues, and to surface alerts on APARs that QRadar Support considers important.
Searching the APAR table
The QRadar Support team created this QRadar APARs 101 page to make APARs easier to search for users and administrators. The search field in the table below lets you search for specific versions or keywords. Administrators who want to filter by a specific version can combine keywords, or use the version buttons and then narrow the results by keyword in the Search bar.
Component | Number | Description | Status | More information | Date |
---|---|---|---|---|---|
REPORTS | IJ44087 | CHROME AND EDGE BROWSERS CUT OFF THE BOTTOM EDGE OF THE REPORT WIZARD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Maximize the report wizard page. Issue: When customers use the report wizard, they might notice that the bottom edge of the report wizard is not visible. This can happen when Chrome or Edge browsers are used. Steps to reproduce | 13 December 2022 |
BUILDING BLOCKS | IJ44480 | MODIFIED SYSTEM BUILDING BLOCKS STOP MATCHING ANY EVENTS UNTIL ECS-EP SERVICE IS RESTARTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Restart ecs-ep on the host(s) that are processing events from the affected Building Blocks, OR initiate a Full Deploy on the QRadar Console. Issue: System Building Block(s) stop working after being modified. This is commonly seen with the “BB:FalsePositive: All Default False Positive BBs” Building Block, which administrators frequently use to filter false positives on their system. When a building block is modified, a new override is created with a new UUID; the old system UUIDs are still referenced, and because they are not in the map the following error is observed: [ecs-ep.ecs-ep] [fcfa6359-f3a6-4f85-8bac-2f5b1bdc380b/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.RuleMatch_Test: [ERROR] [NOT:0000003000][IPADDR/- -] [-/- -]rule_id was not found for UUID = SYSTEM-1263 Note: Depending on which system building blocks were modified, a different UUID is reported. | 13 December 2022 |
LOG SOURCE MANAGEMENT APP | IJ43984 | QRADAR LOG SOURCE MANAGEMENT 7.0.7 DISPLAYS BLANK PAGE WHEN ACCESSED FROM THE FILTER PANEL ON THE ADMIN PAGE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Do not use the filter from the Admin navigation menu to launch the QRadar Log Source Management application. Users can scroll down the page and click the QRadar Log Source Management icon to launch the application. Issue: When QRadar Log Source Management 7.0.7 is launched from the filter panel on the Admin page, a blank page is displayed. Steps to reproduce | 13 December 2022 |
ANALYST WORKFLOW APP | IJ43902 | ANALYST WORKFLOW 2.31.4 DISPLAYS INTERNAL SERVER ERROR WHEN DEFAULT LOCALE IS CHANGED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: After changing a user's default locale, an “Internal Server Error” message is displayed when accessing the Analyst Workflow app or launching the app with the “Try New UI” button. The following messages can be seen in the stderr log file: Error: Default namespace not found at /opt/app-root/app/public/static/locales/en_us/common.json at createConfig (/opt/app-root/app/node_modules/next-i18next/dist/commonjs/config/createConfig.js:165:19) at _callee$ (/opt/app-root/app/node_modules/next-i18next/dist/commonjs/serverSideTranslations.js:201:53) at tryCatch (/opt/app-root/app/node_modules/next-i18next/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:86:17) at Generator._invoke (/opt/app-root/app/node_modules/next-i18next/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:66:24) at Generator.next (/opt/app-root/app/node_modules/next-i18next/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:117:21) at asyncGeneratorStep (/opt/app-root/app/node_modules/next-i18next/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24) at _next (/opt/app-root/app/node_modules/next-i18next/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9) at processTicksAndRejections (node:internal/process/task_queues:96:5) | 13 December 2022 |
USER ROLES | IJ43936 | AFTER AN UPGRADE ON QRADAR ON CLOUD TO 7.5.0 UP3 ADMINISTRATORS ARE NOT ABLE TO SAVE USER ROLE CHANGES OR ADD NEW USER ROLES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: After an upgrade to QRadar on Cloud version 7.5.0 UP3, administrators are not able to save user role changes or add new user roles. This issue does not affect new installations, only systems that were updated from a previous version to QRadar 7.5.0 UP3. The following error can be found in /var/log/qradar.error: [tomcat.tomcat] [XXXXXXX@(1471) /console/JSON-RPC/QRadar.saveRole QRadar.saveRole] com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN] [NOT:0000004000]The user XXXXX does not have access to the method saveRole in application QRadar | 13 December 2022 |
OFFENSES | IJ43426 | SORTING BY COLUMN IN THE OFFENSES TAB REMOVES SEARCH FILTERS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: To sort by column without seeing the hidden or closed offenses, create an Advanced Search. Issue: In the Offenses tab, sorting by any column removes any predefined search parameters, making it harder to search for offenses. Steps to reproduce | 13 December 2022 |
USER INTERFACE | IJ41613 | TIMEZONE CANNOT BE CHANGED FROM UI AND SYSTEM TIME SETTINGS UI TAB MIGHT FAIL TO LOAD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Users can change the time zone using the CLI: https://www.ibm.com/support/pages/node/549259. If the workaround does not solve the issue, contact support for a possible workaround that might address this issue in some instances. Issue: In QRadar 7.5.0 Update Package 2, when the timezone is changed in the System Time Settings tab of the System and License Management window in the UI, the change is not saved. After the attempted change, the timezone_id becomes invalid and as a result the System Time Settings tab fails to load. Errors similar to the following appear in /var/log/qradar.log: [Python tool]: [INFO] 'Setting the system time and timezone configuration. ' [Python tool]: [INFO] 'Setting the time zone America/Halifax in /etc/localtime' [Python tool]: [INFO] Failed to perform the task. [Python tool]: [INFO] | 13 December 2022 |
QRADAR VULNERABILITY MANAGER | IJ41028 | QRADAR VULNERABILITY MANAGER SCAN RESULTS SCREEN DISPLAYS ‘COULD NOT RECEIVE MESSAGE’ ERROR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: When the QRadar Vulnerability Manager processor is running on the console, a message similar to “An error occurred Could not receive message” can appear after 60 seconds when either Scan Results or Scan Profiles is selected, and the screen does not load. | 13 December 2022 |
DEPLOY CHANGES | IJ41234 | DEPLOY CHANGES CAN ERROR OUT IF THE SERVER TABLE HAS A NON FULLY QUALIFIED DOMAIN NAME | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: If the serverhost table on any appliance contains a short name rather than a fully qualified domain name (FQDN), deploy changes may fail. This happens mostly with HA appliances. An example of an FQDN entry in the serverhost file is 192.168.x.x associated with myserver.example.com; when this issue happens, the serverhost file instead has the 192.168.x.x entry associated with a short host name rather than an FQDN. When this occurs, look for messages similar to the following in /var/log/qradar.error: [hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to download and process global set [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApplyConfiguration(ConfigSetUpdater.java:380) [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.startDownloadAndApplyConfiguration(ConfigSetUpdater.java:222) [hostcontext.hostcontext] [/SequentialEventDispatcher] ... 6 more [hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to build local configuration set [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.runLocalTransformers(ConfigSetUpdater.java:581) [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApplyConfiguration(ConfigSetUpdater.java:299) [hostcontext.hostcontext] [/SequentialEventDispatcher] ... 7 more [hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to build local configuration set [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.transformLocalConfiguration(ConfigSetUpdater.java:878) [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.runLocalTransformers(ConfigSetUpdater.java:530) [hostcontext.hostcontext] [/SequentialEventDispatcher] ... 8 more [hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Failed to build configuration set for host com.q1labs.configservices.schemaext.HostCapabilitiesTypeExt@2b24xxxx [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.configservices.config.localset.LocalSetBuilder.buildConfigSets(LocalSetBuilder.java:80) [hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.transformLocalConfiguration(ConfigSetUpdater.java:873) [hostcontext.hostcontext] [/SequentialEventDispatcher] ... 9 more [hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [/SequentialEventDispatcher] java.util.MissingFormatArgumentException: Format specifier '%s' | 13 December 2022 |
OFFENSES | IJ40712 | APPLICATION ERROR ON DESTINATION IP VALIDATION FOR INCORRECT FORMAT OF IP ADDRESS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue: Validation is not enforced for “Destination IP” on the offense search page. When an invalid IP format is entered, the console returns an application error instead of displaying a message stating “Invalid IP provided”. The following error can be displayed in qradar.error: [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained SQL Exception [2/2]: ERROR: invalid input syntax for type inet: "12.34" [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while processing the request: [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid input syntax for type inet: "12.34" {prepstmnt -567847484 SELECT offense_id FROM offense_remote_targets ort JOIN offense_properties op ON ort.offense_id=op.id JOIN offense o ON ort.offense_id=o.id WHERE (INET(?) >>= ANY(targets)) AND op.dismissed_code < 1} [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1117) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.frameworks.session.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.core.shared.sem.OffenseSearchSupport.getOffenseIdsForRemoteTargets(OffenseSearchSupport.java:767) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.core.shared.sem.OffenseSearchSupport.getWhereClause(OffenseSearchSupport.java:219) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.sem.ui.semservices.UISemServices.getWhereClauseForSearch(UISemServices.java:3867) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.core.ui.action.SearchGenericList.addSearchInProcessor(SearchGenericList.java:103) [tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch] at com.q1labs.core.ui.action.SearchGenericList.execute(SearchGenericList.java:70) | 13 December 2022 |
QRADAR INCIDENT FORENSICS | IJ40494 | HTTP PATCH REQUEST DOES NOT RETURN INFORMATION REQUESTED BY QNI/QIF | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue: When QRadar Incident Forensics tries to generate a local copy using an HTTP PATCH request, the request does not return all the information necessary to complete the process and generates a blank file. This issue is not observed in QNI 7.5.0+ but does affect QIF in all releases. | 13 December 2022 |
INSTALL | IJ41102 | “FAILED TO RUN QRADAR_NETSETUP” ERROR WHEN INSTALLING QRADAR FROM ISO AND ENTERING ACTIVATION KEY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue: When installing QRadar 7.5.0 UP1 from an ISO on RHEL 7.9 and inputting the activation key using CTRL + K instead of the GUI menu, the script crashes. The following error is displayed in /var/log/qradar.error: ERROR: Failed to run qradar_netsetup! | 13 December 2022 |
AUDIT LOGS | IJ40516 | UPDATED RULE RESPONSE IS MARKED BLANK IF MODIFYING ALL RESPONSES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Avoid modifying all the responses at the same time; instead, modify the responses individually. Issue: The sim audit log for a modified rule should record the changes made to the rule in the “Updated Rule Response” parameter. The issue impairs the ability to track rule changes. For example, when modifying an existing rule to enable the notify parameter in the rule window, the expected audit log is: Updated rule response="Notify=yes" However, if you modify all responses, the payload parameter is: Updated rule response= " " (empty) | 13 December 2022 |
ASSETS | IJ40308 | DUPLICATE SERVER TYPES IN SERVER DISCOVERY ASSETS MENU | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Duplicate options contain the same values, so users may ignore the issue and use either duplicate. Restarting tomcat removes the duplicate options. Issue: In the Server Discovery settings of the Assets menu, after creating or editing a definition, duplicates of the same server type might appear. | 13 December 2022 |
QRADAR RISK MANAGER | IJ40208 | “SCHEDULED ADAPTER BACKUP FOR DEVICE” ERROR MESSAGE WHEN DEVICE ADDED TO RISK MANAGER WITH BACKUP OPTION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: The error message can be ignored and treated as an INFO message. Issue: When a device is added to the Risk Manager and “Backup now” is selected, the following message is logged on the QRM server in /var/log/qradar.error: [tomcat-rm.tomcat-rm] [Device Add Job] com.q1labs.simulator.jobframework.logging.JobLogger: [ERROR] [NOT:0000003000][XXX/- -] [-/- -]Scheduled adapter backup for device: XXX | 13 December 2022 |
FORWARDED EVENTS | IJ41248 | CUSTOM PROPERTY AND AQL PROPERTIES ON FORWARDING PROFILES ARE NOT CHECKED FOR IF THEY ARE IN USE BEFORE DELETION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: After deleting a Custom Property, delete the value from any Forwarding Profiles that use the property. Issue: When working with Forwarding Profiles, the validation for a Custom Property only works as expected when the Forwarding Profile is used in a Forwarding Destination. When a custom property is deleted, the system does not check whether the property is assigned to a Forwarding Profile unless that Forwarding Profile is assigned to a Forwarding Destination. | 13 December 2022 |
APPLICATION FRAMEWORK | IJ39614 | BUTTONS ADDED TO THE USER INTERFACE BY QRADAR APPS DO NOT RESPOND | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: If strict certificate checking is enabled, UI buttons of installed apps (such as QRadar Functions for SOAR or Use Case Manager) might not work. When the buttons are clicked, the UI does not respond. [tomcat.tomcat] [admin@x.x.x.x (908) /console/JSON-RPC/1556.escalateButtonData1556.escalateButtonData] com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Audit logging msg:(tomcat) Server Certificate Validation failed. chain:[0]X509Certificate : { SubjectDN : CN=console.example.com, IssuerDN : CN=QRadar Local CA}, exception:java.security.cert.CertificateException: No subject alternative DNS name Matching localhost found. | 13 December 2022 |
LOG SOURCES | IJ39620 | PERFORMANCE ISSUES CAN OCCUR WHEN QRADAR ATTEMPTS A RELOAD OF SENSOR DEVICES WHEN LOG SOURCES EXCEED 2 MILLION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: When QRadar attempts a reload of sensor devices in an environment with over 2 million log sources, performance issues can cause out-of-memory errors. When this issue occurs, the following error can display in /var/log/qradar.log: [ecs-ep.ecs-ep] [ECS Runtime Thread] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error attempting to load site.com:ecs-ep/EP/Processor2/EventCRE Error : java.lang.OutOfMemoryError: Java heap space Since there isn’t a configuration error handler defined, the original error is wrapped in a new RuntimeException. [ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.OutOfMemoryError: Java heap space [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.String.<init>(String.java:687) [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.postgresql.core.OptimizedUTF8Encoder.charDecode(OptimizedUTF8Encoder.java:71) [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.postgresql.core.CharOptimizedUTF8Encoder.decode(CharOptimizedUTF8Encoder.java:22) [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.postgresql.core.Encoding.decode(Encoding.java:252) [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:1926) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.mchange.v2.c3p0.impl.NewProxyResultSet.getString(NewProxyResultSet.java:3316) [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.openjpa.lib.jdbc.DelegatingResultSet.getString(DelegatingResultSet.java:121) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.qidmap.QidMapFactory.reloadSensorDeviceMaps(QidMapFactory.java:1227) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.qidmap.QidMapFactory.doInitialQidMapLoad(QidMapFactory.java:425) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.qidmap.QidMapFactory.onInit(QidMapFactory.java:167) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1372) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.qidmap.QidMapServices.onInit(QidMapServices.java:31) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.session.SessionContext.objectCreated(SessionContext.java:1865) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.fireObjectCreatedEvent(NamingCacheDecorator.java:272) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.createObject(NamingCacheDecorator.java:197) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.createObject(NamingCacheDecorator.java:209) | 13 December 2022 |
DATA GATEWAY | IJ39539 | HOST KEY VERIFICATION FAILED AND KNOWN_HOST NOT UPDATING IN ENCRYPTED DEPLOYMENT AFTER MOVING GATEWAY TO NEW EVENT PROCESSOR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Run the following on the console after the deploy completes: /opt/qradar/bin/deploy_known_hosts.sh Issue: Moving a connection from one event processor to another can cause the tunnel to fail in encrypted deployments. | 13 December 2022 |
RULES | IJ39790 | RULES CONTAINING TESTS AGAINST GEOGRAPHIC LOCATION CAN SOMETIMES CAUSE ISSUES WITH CRE PIPELINE PERFORMANCE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Administrators can find more information on how to find and disable expensive rule(s) at the following: Troubleshooting Custom Rule performance with findExpensiveCustomRules. If the issue persists, contact Support for a possible workaround that might address this issue in some instances. Issue: Custom Rule Engine (CRE) rules configured to use a large number of “NetworkView” tests can sometimes cause pipeline performance issues. For example, rules containing: “when source IP is part of any of the following (Africa, Asia, CentralAmerica, Europe, NorthAmerica, Oceania, SouthAmerica)”. | 13 December 2022 |
INSTALL | IJ39235 | SERIAL CONSOLE INSTALLATIONS CREATE DUPLICATE ENTRIES IN GRUB | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: When patching to QRadar 7.5.0 UP1+ using a serial console, the process fails with the following DrQ message: Grub Files Check Ensures grub files and settings are correct [FAILURE] File /etc/default/grub has an unexpected value for the field 'GRUB_SERIAL_COMMAND'. This field is expected to have the following keys: '-unit=', 'speed=', 'word=', 'parity=', '-stop=' [REMEDIATION] None Provided | 13 December 2022 |
QRADAR RISK MANAGER | IJ39549 | /QRM/SRM_UPDATE_1138.SQL CAN CAUSE 7.5.0 UP1 UPGRADE TO FAIL ON HOSTS WHERE REQUIRED INDEX DOESN’T EXIST | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: Patching to 7.5.0 UP1 can fail on hosts where firewall_ziptie_rules_ruleid_index does not exist in the QRM DB prior to patching, with the following error in patches.log: [DEBUG](patchmode) Running SQL: f=$(cat /media/updates/opt/qradar/conf/templates/qrm/srm_update_1138.sql);echo "SET TRANSACTION ISTICS AS TRANSACTION READ WRITE ; $f" | /usr/pgsql-11/bin/psql -Uqradar -p15432 -d patch_test_qradar -v ON_ERROR_STOP=1 -L /var/log/setup-2021.6.1.20220215133427/patches.log.sql [WARN](patchmode) WARNING: SET TRANSACTION can only be used in transaction blocks [WARN](patchmode) ERROR: relation "firewall_ziptie_rules_ruleid_index" does not exist | 13 December 2022 |
REPORTS | IJ39552 | REPORTS FAIL TO GENERATE WITH NO ERROR IN UI | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue: Reports can fail to generate when run, with no error in the UI but the following errors in the debug logs: [tomcat.tomcat] [admin@x.x.x.x (6664) /console/do/core/genericsearchlist] com.q1labs.reporting.ReportServices: [DEBUG] SQLSubreport chart: Form field 'ipAddress_operator' was not found. [tomcat.tomcat] [admin@x.x.x.x (6664) /console/do/core/genericsearchlist] com.q1labs.reporting.ReportServices: [DEBUG] SQLSubreport chart: Form field 'sub_ipAddress_operator' was not found ... [report_runner] [main] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: column reference "ipaddress" is ambiguous Position: 15595 {prepstmnt 1641450167 SELECT "assetid" || '_' ||questionid AS assetpolicykey, "assetid" || '_' ||ruleid AS assetrulekey, "ipaddress", "domainname", [report_runner] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218) [report_runner] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202) [report_runner] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58) [report_runner] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1117) [report_runner] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [report_runner] [main] at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011) [report_runner] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [report_runner] [main] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800) [report_runner] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268) [report_runner] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258) [report_runner] [main] at com.q1labs.reporting.charts.AssetComplianceChart.getData(AssetComplianceChart.java:201) [report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java:246) Steps to reproduce: | 13 December 2022 |
AUTHENTICATION | IJ39256 | BIND CREDENTIAL FOR LDAP REPOS CLEARS IF SAVED WITHOUT SUCCESSFUL CONNECTION TEST | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: Performing a successful Test Connection for all repositories in the LDAP module before saving the module and deploying changes resolves the issue. Issue: Authentication issues can occur when using multiple LDAP repos. This issue occurs when the authentication module is tested, saved, and deployed for one container: any other containers that were not tested no longer work. This issue has also been observed with a single repo when opening the Authentication window in the Admin tab and selecting Save Authentication Module. | 13 December 2022 |
LOG SOURCE MANAGEMENT APP | IJ38079 | LOG SOURCE MANAGEMENT APP MIGHT DISPLAY PROTOCOL UPDATE ALERT WHEN THE PROTOCOL IS ALREADY THE LATEST VERSION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue: The Log Source Management app can display repetitive messages advising administrators to update to a newer protocol version, even when the latest version is installed. After a weekly auto update completes, administrators can experience an issue where alerts to update their protocol versions are generated incorrectly. To replicate this issue: | 13 December 2022 |
OFFENSES | IJ38918 | THE “TOP 5 SOURCE IPS” OFFENSE EMAILS DO NOT CONTAIN THE COUNTRY NAME | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237). Workaround: If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue: The country name is not shown in the Top 5 Source IPs in the offense response e-mail. When this issue occurs, the network name is incorrectly substituted for the country name. Expected result for Top 5 Source IPs: (Description, Magnitude, Location, User) – x.x.x.x, 0, Italy, exampleuser – x.x.x.x, 0, Poland, exampleuser Actual result for Top 5 Source IPs when this issue occurs: (Description, Magnitude, Location, User) – x.x.x.x, 0, networkname, exampleuser – x.x.x.x, 0, other, exampleuser | 13 December 2022 |
RULES | IJ41135 | RULE_ID WAS NOT FOUND FOR UUID = SYSTEM-1151 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue Unexpected error log entries occur around the use of QVM Building Block/Custom rules. For example, using ‘BB:HostDefinition: VA Scanner Source IP’ will throw the error as the rule cannot resolve the UUID for SYSTEM-1151. The following error is displayed in /var/log/qradar.error: [ecs-ep.ecs-ep] [xxxxx-xxxx-xxxx-xxxxxxxxxx/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.RuleMatch_Test: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]rule_id was not found for UUID = SYSTEM-1151 |
13 December 2022 |
REPORTS | IJ38147 | DAILY OR WEEKLY REPORTS GENERATED DURING DAYLIGHT SAVINGS END 1 HOUR EARLY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you cannot upgrade, review daily or weekly reports that run during a daylight savings time (DST) change. Reports impacted by this issue can be run manually by the administrator to regenerate the report data. Users affected by this issue might need to manually run a daily or weekly report when a time change occurs. An upcoming example is USA daylight savings changes on 13 March 2022. Issue As an effect of the transition from daylight savings time to winter time, daily reports might not include a full 24 hour time frame. For example, on 31 October 2021 users experienced an issue where daily reports generated for 31 October were missing an hour. The completed report consisted of 23 hours of data starting on 31 October 00:00 and ending on 31 October 23:00, instead of 1 November 00:00 as expected. This issue can affect both daily and weekly reports that run during a time zone change, such as Daylight Savings Time. To replicate this issue:
|
13 December 2022 |
HIGH AVAILABILITY (HA) | IJ35806 | HIGH AVAILABILITY (HA) PAIRING FAILS WHEN THE IP ADDRESS OF THE SECONDARY IS THE SAME AS A DELETED MANAGED HOST | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The QRadar High Availability (HA) pairing process fails if the secondary IP is the same as that of a previously deleted or removed Managed Host in the managedhost database table. Messages in /var/log/qradar.error display “unable to add host” from the HA wizard, and /var/log/setup-xxxx/qradar_hasetup.log shows that a remote access check to the secondary failed. The pairing process fails after /opt/qradar/bin/mergeHostsFiles.sh is run and displays logging similar to: [HA Setup (P-M----)] ESC[35m[DEBUG] Log /etc/hosts file before run /opt/qradar/bin/mergeHostsFiles.shESC[m 127.0.0.1 localhost.localdomain localhost::1 localhost6.localdomain6 localhost6 localhost.localdomain localhost x.x.x.x8 example-primary.test.com example-primary x.x.x.x0 example-secondary.test.com example-secondary x.x.x.x3 example.test.com example [HA Setup (P-M----)] ESC[35m[DEBUG] Log /etc/hosts file after run /opt/qradar/bin/mergeHostsFiles.shESC[m 127.0.0.1 localhost.localdomain localhost x.x.x.3 example.test.com example 22ac4c87f40c0f8f6f2b.localdeployment console.localdeployment::1 localhost6.localdomain6 localhost6 localhost.localdomain localhost x.x.x.x8 example-primary.test.com example-primary |
13 December 2022 |
ASSETS | IJ35775 | VULNERABILITY RECORDS CAN BECOME ORPHANED FOR SCANNED ASSETS THAT DO NOT HAVE CLEAN VULN PORTS CONFIGURED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround Select one of the following options:
Issue Scanners configured without the option to clean vulnerability ports can leave records behind in the vulnerabilities tables if the number of scanned assets per scanner and scanner configuration is greater than the number of automatically purged items (3) and different vulnerabilities were detected over time for those assets. When a manual clean of vulnerabilities is completed through the User Interface for that scanner, these items are not all cleaned. |
13 December 2022 |
RULES | IJ35137 | A CUSTOM PROPERTY CALLED ‘HOSTNAME’ CHANGES TO ‘HOST NAME’ WHEN USED AS A RESPONSE LIMITER IN THE RULE WIZARD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround Where possible, create a Custom Event Property with a different name than “Hostname”. Issue When using a Custom Event Property as a response limiter in the QRadar Rule Wizard, attempting to use ‘Hostname (custom)’ changes to ‘Host Name’ after saving the rule. Example when in the Rule Wizard:
|
13 December 2022 |
CUSTOM EVENT PROPERTIES | IJ34818 | XML CUSTOM EVENT PROPERTIES FAIL TO WORK AS EXPECTED FOR PAYLOADS THAT CONTAIN A BYTE ORDER MARK | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue XML Custom Event Properties fail to work as expected with payloads that contain a byte order mark before the XML structure in the payload. For example, the DSM unit tests for McAfee EPO contain a payload that has a byte order mark before the XML start: <feff><?xml version=\\\"1.0\\\" encoding= |
13 December 2022 |
DOMAINS | IJ34589 | UNABLE TO ADD AN ADDITIONAL LOG SOURCE TO DOMAIN AFTER 100 LOG SOURCES ARE PRESENT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you need to add groups and more than 100 Log Sources to a domain, add the Log Sources to a group and then add the group to the domain. Issue When adding an additional Log Source to a domain where 100 Log Sources are already present, the name of the group is displayed again in the position of the 101st Log Source in the edit page list. The 101st Log Source is not added to the domain after pressing Save, and no error is generated to indicate that it was not added. Note: This issue only occurs when there are one or more groups in the domain. |
13 December 2022 |
USER ROLES | IJ33761 | THE DELEGATED ADMIN ROLE IS BEING CREATED WITHOUT GIVING PERMISSION FOR THE LOG SOURCE MANAGEMENT APP | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround Add the Log Source Management App to the Delegated administrator User Role. Procedure
Issue When creating ‘Delegated administrator’ roles in the User Role UI, the ‘log activity’ section must be selected. The Delegated administrator is not by default given access to the Log Source Management app. With the current behavior a delegated administrator will click on ‘Log Sources’ in the admin tab, and a prompt is displayed that tells them to use the Log Source Management app, but they do not have access to it. |
13 December 2022 |
INSTALL | IJ33655 | A QRADAR “SOFTWARE INSTALL” CAN UNEXPECTEDLY ATTEMPT TO RUN AN OLDER ISO INSTALLATION AFTER REBOOT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue QRadar “Software Installs” can sometimes have si-qinit installed and can result in a mounted QRadar ISO incorrectly running and attempting to reinstall an older QRadar version after a reboot occurs. The installation attempt fails, but during the process can cause issues with installed RPMs. For example,
|
13 December 2022 |
EVENT COLLECTORS | IJ33040 | QRADAR PATCH FAILS AFTER RUNNING THE GLUSTERFS_MIGRATION_MANAGER ON REQUIRED EVENT COLLECTORS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround
Issue Migrating Event Collectors off glusterfs using a newer version of the migration tool from Fix Central can cause issues during the QRadar patching process if the patch uses a different version of the glusterfs_migration_manager. This issue occurs because a report is created while the glusterfs_migration_manager migrates the managed hosts. During the patch, a specific version of glusterfs_migration_manager is then called. The report attempts to verify the sha256 of a file that does not exist on the Managed Hosts (because of the differing versions), which results in a patch error. For example,
|
13 December 2022 |
JDBC PROTOCOL | IJ30412 | MYSQL LOG SOURCES USING THE JDBC PROTOCOL AND TLS CAN STOP WORKING AFTER 2:00AM | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround
Issue MySQL Log Sources that use the JDBC Protocol and are configured to use TLS can stop working after 2:00AM until the ecs-ec-ingress service is restarted. This behavior has been identified as being caused by a temporary keystore file that is incorrectly removed by the QRadar disk maintenance script. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] MySQL//[mysql@IPADDR com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN] [NOT:0000004000][IPADDR/- -] [-/- -]Cannot open JKS [/storetmp/ecs-ec-ingress/keystore3747616715109128189q1labs (No such file or directory)] on MySQL//mysql@IPADDR [ecs-ec-ingress.ecs-ec-ingress] MySQL//[mysql@IPADDR com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot open JKS [/storetmp/ecs-ec-ingress/keystore3747616715109128189q1labs (No such file or directory)] |
13 December 2022 |
GEOGRAPHIC DATA | IJ31089 | A VALUE OF ‘NULL’ CAN SOMETIMES BE INCORRECTLY DISPLAYED IN NETWORK ACTIVITY FOR GEOGRAPHIC COUNTRY/REGION COLUMN | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround
Issue The value of “null” can sometimes be incorrectly displayed in Network Activity tab for the Geographic Country/Region column. |
13 December 2022 |
FORWARDED EVENTS | IJ30068 | STORED EVENTS THAT ARE FORWARDED USING ONLINE FORWARDING GO TO ‘SIM GENERIC’ LOG SOURCE ON THE RECEIVING QRADAR SYSTEM | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you are unable to upgrade, select one of the following options:
Issue When online forwarding is used to send normalized events that were not parsed correctly and are marked as stored, those events go to the SIM Generic Log Source on the receiving (target) QRadar system. |
13 December 2022 |
OFFENSES | IJ29592 | ‘APPLICATION ERROR’ OCCURS AFTER AN EXTENDED PERIOD OF TIME WHEN ATTEMPTING TO LOAD THE OFFENSE PAGE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The QRadar User Interface Offense page can fail to open and generate an “Application Error” after 20-30 minutes. This can be caused by an SQL query that does not complete. Note: This issue only occurs when there are one or more groups in the domain. |
13 December 2022 |
RULES | IJ29374 | OFFENSE RULE USING ‘AND WHEN THE DESTINATION LIST INCLUDES ANY OF THE FOLLOWING A.B.C.D/E’ TEST WITH PUBLIC IP DOES NOT TRIGGER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround The public IP that is in the Destination test list could be added to the network hierarchy. Note: If the workaround is completed, the IP is considered local and can affect other rules and aspects of how events/flows are handled by QRadar when that IP is identified. For more information on Network Hierarchy functions in QRadar, see Network hierarchy. Issue When an Offense rule is created using the rule test “and when the destination list includes any of the following A.B.C.D/E” using a public IP, the rule does not trigger. |
13 December 2022 |
SEARCH | IJ23025 | FLOW ID SUPER INDEX CONSUMES A LARGE AMOUNT OF STORAGE SPACE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround If you are unable to upgrade, disable the FlowID index via Admin > Index Management. Note: If the workaround is completed, the IP is considered local and can affect other rules and aspects of how events/flows are handled by QRadar when that IP is identified. For more information on Network Hierarchy functions in QRadar, see Network hierarchy. Issue Flow ID super index consumes a large amount of storage space on QRadar appliances. Note: QRadar disk sentry check runs every 60 seconds and looks for high disk usage across monitored partitions. If one of those partitions fills up above 95%, QRadar critical services are stopped. |
13 December 2022 |
SYSTEM NOTIFICATIONS | IJ30092 | CLICKING THE HELP ICON RESULTS IN “PAGE NOT FOUND” FOR SYSTEM NOTIFICATION: “THE ACCUMULATOR HAS FALLEN BEHIND…” | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue When a System Notification is generated for “The accumulator has fallen behind. See Aggregated Data Management for details”, clicking the Help icon results in ‘page not found’. |
13 December 2022 |
APP HOST | IJ44447 | APP HOST DOES NOT COMMUNICATE WITH CONSOLE CORRECTLY WHEN CONNECTION IS ENCRYPTED AND HAS TO PASS A FIREWALL | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround Remove encryption to the App Host and open ports 514 (syslog), 443 (https), 5000 (docker registry) and 9000 (conman) from the App Host to the Console on any firewall in between. Issue While migrating the apps to the App Host before configuration, the user gets a blank screen with an error. When the App Host is on the same network as the Console, the user can configure apps on the App Host. The user is unable to update apps when the App Host is not on the same network as the Console. |
13 December 2022 |
SECURITY BULLETIN | A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Affected versions
|
05 October 2022 |
SECURITY BULLETIN | IBM QRadar SIEM includes components with multiple known vulnerabilities | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220307203834) Affected versions
|
05 October 2022 |
DEPLOY CHANGES | IJ42066 | DEPLOYMENTS WITH A LARGE NUMBER OF HA HOSTS, HOSTCONTEXT PROCESSES MIGHT NOT COMPLETE DUE TO THE NUMBER OF MANAGED HOST | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Note: This issue has a duplicate, which is IJ40761 and both issues are resolved in 7.5.0 UP3 IF2. Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue In deployments with a large number of HA hosts, adding a new managed host might time out due to the number of HA host status update requests. The following error message is displayed in /var/log/qradar.log: [tomcat.tomcat] [pool-209-thread-1] com.q1labs.configservices.capabilities.AddHostManager: [ERROR] [NOT:0000003000][{IP}/- -] [-/- -]Timed out while waiting for status file: File '/storetmp/addHost_{host IP}1/status.txt' does not exist |
05 October 2022 |
DATA NODE | IJ42183 | REBALANCE CAN LEAD TO A DESTINATION HOST REACHING SERVICE SHUTDOWN DUE TO DISK SPACE USAGE THRESHOLD EXCEEDED | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue In some instances, during a rebalance procedure a destination host can exceed the disk usage threshold when a large number of hourly directories already exist on the lowest-usage cluster member, leading to a service shutdown on the destination and a rebalance fail message. The fail error message is displayed in /var/log/qradar.log: [ariel.ariel_query_server] [agt0_3:events] com.ibm.si.ariel.dcs.databalancing.DTClient: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]DataBlockBegin to x.x.x.x:32006 (101 -> 102, Path: BlockInfo [fInfo=/store/ariel/events/records/yyyy/mm/dd/hh[yy-mm-dd,hh:mm:ss],attrs={}]) DNSt usableSpace=20236057202688, totalSpace=49111457857536, volume=/dev/drbd0, storeInfo/store (/dev/drbd0)] [ariel.ariel_query_server] [agt0_4:events] com.ibm.si.ariel.dcs.databalancing.DTClient: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]DataBlockBegin to x.x.x.x:32006 (101 -> 102, Path: BlockInfo [fInfo=/store/ariel/events/records/yyyy/mm/dd/hh[yy-mm-dd,hh:mm:ss],attrs={}]) DNSt usableSpace=20236057202688, totalSpace=49111457857536, volume=/dev/drbd0, storeInfo/store (/dev/drbd0)] |
05 October 2022 |
DEPLOY CHANGES | IJ40761 | HOSTCONTEXT TIMEOUT DUE TO “FILE /STORETMP/ADDHOST_{HOST IP}1/STATUS.TXT DOES NOT EXIST” ERROR | DUPLICATE | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Note: This issue is a duplicate of IJ42066. Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue In deployments with a large number of HA hosts, adding a new managed host might time out due to the number of HA host status update requests. The following error message is displayed in /var/log/qradar.log: [tomcat.tomcat] [pool-209-thread-1] com.q1labs.configservices.capabilities.AddHostManager: [ERROR] [NOT:0000003000][{IP}/- -] [-/- -]Timed out while waiting for status file: File '/storetmp/addHost_{host IP}1/status.txt' does not exist |
05 October 2022 |
CUSTOM PROPERTIES | IJ40307 | EVENT PROCESSOR CRE THREAD UNEXPECTEDLY SHUTDOWN DUE TO AQL CUSTOM PROPERTY WITH THE SAME NAME AS EXISTING REGEX CUSTOM PROPERTY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 3 (7.5.0.20221025192938) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue If a user creates an AQL custom event property with the same name as an existing regex-based custom event property, and that AQL custom property uses an AQL value with the same name as the AQL property, then when the AQL property is used in a rule and the regex-based custom property is disabled, the event processor custom rule processing threads quit. The following can be seen in /var/log/qradar.error: [ecs-ep.ecs-ep] [CRE Processor [1462]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1462] shut down unexpectedly. A replacement one was created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p 7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] [ecs-ep.ecs-ep] [CRE Processor [1463]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1463] shut down unexpectedly. A replacement one was created. 
Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p 7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] [ecs-ep.ecs-ep] [CRE Processor [1464]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1464] shut down unexpectedly. A replacement one was created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p 7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] [ecs-ep.ecs-ep] [CRE Processor [1465]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1465] shut down unexpectedly. A replacement one was created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p 7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] [ecs-ep.ecs-ep] [CRE Processor [1466]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1466] shut down unexpectedly. A replacement one was created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p 7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] |
15 November 2022 |
MANAGED HOSTS | IJ37275 | TIME SYNCHRONIZATION CAN FAIL ON MANAGED HOSTS | OPEN | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 3 (7.5.0.20221025192938) Note: This known issue is resolved in 7.5.0 UP3 IF3, but the status is listed in the OPEN state as the fix is waiting on another software release. Workaround Restart the chronyd-socat service on the Console.
Issue A silent failure of the chronyd-socat service can cause time synchronization between managed hosts to fail until the service is manually restarted. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs. [time_sync]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - chrony error [time_sync]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - chrony error |
15 November 2022 |
ADVANCED SEARCH (AQL) | IJ36281 | ‘GLOBALVIEW’ AQL (ADVANCED SEARCH) FUNCTION CAN SOMETIMES FAIL TO RETURN RESULTS | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 3 (7.5.0.20221025192938) Note: This known issue is resolved in 7.5.0 UP3 IF3, but the status is listed in the OPEN state as the fix is waiting on another software release. Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue When using the GLOBALVIEW AQL function, if the Reference id for that search does not exist in the searchReferenceIdCache the search can fail when there is an issue querying the cache, as QRadar does not fall back to the database. Running POST for the following example search: Select * FROM GLOBALVIEW('Event Rate (EPS)','HOURLY') last 5 hours On the API, messages similar to the following might be visible when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.cve.aql.GlobalViewFunction(Event Rate (EPS), HOURLY): java.lang.NullPointerException [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.createException(Metadata.java:132) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:103) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.initializeAndCall(ScalarFunctionInfo.java:786) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.createLiteral(ScalarFunctionInfo.java:709) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at 
com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:730) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:716) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:636) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:218) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:356) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:322) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processLiteralExpression(ParserBase.java:314) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.getCatalog(ParserBase.java:149) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:477) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1412) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1650) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at 
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136) [ariel_proxy.ariel_proxy_server] [ariel_client /IPADDR:53540] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) |
25 November 2021 |
PERFORMANCE | IJ41321 | PERFORMANCE DEGRADATION CAUSED BY AQL PROPERTIES PARSING ON EVERY QUERY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Workaround This procedure restarts services. Administrators can complete this workaround during a scheduled maintenance window, or should alert users to the service restart before applying the workaround. Events are still collected, but this procedure restarts ecs-ep, which restarts the custom rule engine.
Issue ArielWriter can experience performance issues when it attempts to parse AQL values against every incoming event. This issue is caused by a normalization of properties across QRadar 7.4.3 and later. Evaluating every AQL value can cause the system to route events to storage when the rule engine attempts to collect events for enabled AQL custom event properties. |
13 December 2022 |
ADVANCED SEARCH (AQL) | IJ37931 | AQL REFERENCESETCONTAINS FUNCTION DOES NOT USE INDEXES WHEN REFERENCE SET IS ALPHANUMERIC | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Workaround Administrators who experience an issue where alphanumeric AQL queries do not use indexes as required can create the search with the Add Filter option in the user interface. Issue Advanced search queries (AQL) that use “ReferenceSetContains” for alphanumeric values within a reference set do not use indexes when the search query runs. When a user runs an AQL query with ReferenceSetContains against a reference set with a known value, the Index File Count returns 0. When a search does not use indexes, the system returns results slower than expected. This issue affects only Advanced Searches (AQL); searches run with filters are not affected. If the user clicks Add Filter, then adds a ReferenceSetContains filter and creates a search using filters, the indexes are leveraged when the search runs. To replicate this issue:
|
13 December 2022 |
AUTHENTICATION | IJ41753 | AFTER UPGRADING TO 7.5.0 UP2, GROUP-BASED LDAP AUTHENTICATION WITH ACTIVE DIRECTORY MIGHT STOP WORKING | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue After upgrading to 7.5.0 UP2, login to QRadar by group-based LDAP using Active Directory may no longer work. |
06 September 2022 |
LOG SOURCE | IJ41064 | UNABLE TO EDIT OR ENABLE/DISABLE LOG SOURCE EXTENSIONS ON 7.5.0 UP2 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue On QRadar 7.5.0 Update Pack 2, the UI displays a blank extension edit page when attempting to edit, enable, or disable log source extensions. Steps to reproduce:
|
06 September 2022 |
QRADAR INCIDENT FORENSICS | IJ41029 | FORENSICS ANALYSIS ACTIONS NOT PERFORMING ON A STANDALONE QRADAR INCIDENT FORENSICS 7.4.3 FP6 AND 7.5.0 UP2 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue On a standalone QRadar Incident Forensics appliance (6100) running 7.4.3 Fix Pack 6 or 7.5.0 Update Pack 2, the forensics analysis feature stops functioning. The link and file analysis is stuck on the “Performing Link Analysis. 0 of x Documents Processed. Please Wait…” message. Image analysis works, but displaying entropy images fails. For more information about the analysis function in QRadar Incident Forensics, see https://ibm.biz/forensicsanalysis. |
06 September 2022 |
USER INTERFACE | IJ41043 | QRADAR TABS MIGHT BE SLOW DUE TO CACHE CHANGES IN QRADAR 7.3.3 FP12, 7.4.3 FP6, AND 7.5.0 UP2 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Users might notice a significant slowdown every time a QRadar tab is loaded. This is due to a change introduced in QRadar versions 7.3.3 FP12, 7.4.3 FP6, and 7.5.0 UP2, which misconfigured the cache setting related to loading the tabs. |
06 September 2022 |
OFFENSES | IJ41136 | OFFENSES SUMMARY PAGE LOADS SLOW IN 7.5.0 UP1 AND HIGHER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue In QRadar 7.5.0 UP1 or higher, the Offense Summary page can load slowly when a large number of offenses contribute to the naming of the associated offenses. |
06 September 2022 |
USERS | IJ41096 | UNABLE TO LOAD USER MANAGEMENT IN NON-ENGLISH LOCALES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The User Management page cannot be loaded in non-English locales; it works in English locales. When the issue occurs, the User Management screen appears blank. |
06 September 2022 |
UPGRADE | IJ42203 | DSM AND PROTOCOL RPMS MIGHT NOT BE INSTALLED DUE TO INCOMPATIBLE VERSION ERROR WHEN UPDATING FROM 7.3.X TO 7.5.0 UP2 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Important: You cannot upgrade directly from QRadar V7.3.x to V7.5.0 Update Pack 2. First upgrade from 7.3.x to the latest 7.4.3 fix pack, run a manual auto update, then install QRadar V7.5.0 Update Pack 2. If you attempted to update from 7.3.x to 7.5.0 Update Pack 2 directly and experience issues with log sources, contact QRadar Support for a workaround for this issue. Issue Users who attempt to update from QRadar 7.3.2 or 7.3.3 to 7.5.0 Update Pack 2 can experience an issue where RPMs for DSMs, protocols, and scanners are not updated as expected. When this issue occurs, the Console software update completes successfully, but the DSM, protocol, and scanner RPMs are not updated and remain at 7.3.3 versions. As a result, users cannot view, add, or modify log source configurations in QRadar after the software update to 7.5.0 Update Pack 2. Affected upgrade paths:
Error: Incompatible version, this PROTOCOL requires build version 7.4.x.x, exiting error: %pre(PROTOCOL-Common-7.4-20210914195614.noarch) scriptlet failed, exit status 5 Error in PREIN scriptlet in rpm package PROTOCOL-Common-7.4.20210914195614.noarch error: PROTOCOL-Common-7.4-20210914195614.noarch: install failed |
06 September 2022 |
UPGRADE | IJ40655 | POSTGRES V11 UPDATE IN QRADAR 7.5.0 UP2 CAN FAIL DUE TO A TYPE DIFFERENCE ON THE LOCAL HOST | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue During an upgrade to QRadar 7.5.0 Update Pack 2, a database change is applied for Postgres v11. The Postgres migration fails if the lc_ctype value in the upgrade script does not match the lc_ctype of the local Postgres database. The mismatch causes the Postgres update to fail and prevents the software upgrade from continuing, with a 'Failed to pass the migration check for qradar database' error message. The following errors are displayed in /var/log/patches.log: [DEBUG](patchmode) lc_ctype values for database "postgres" do not match: old " |
06 September 2022 |
X-FORCE THREAT INTELLIGENCE | IJ40606 | SCASERVER THREADS REDUCED TO 15 AFTER 7.5.0 UP2 UPGRADE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Administrators who experience this issue can review the technical note to apply a workaround to correct the sca server thread count. For more information, see https://www.ibm.com/support/pages/node/6593537. Issue The scaserver threads can be incorrectly reduced to 15 after patching to or installing 7.5.0 UP2. This can impact the performance of X-Force searches and rules. |
06 September 2022 |
RULES | IJ40522 | ANOMALY ISSUE IN 7.5.0 UP2 PREVENT RULES WIZARD FROM LAUNCHING AND AFFECTS OFFENSE CREATION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Anomaly rules whose link_uuid does not reference an existing rule can have link_uuid set to null to prevent this issue. To apply the workaround, run the following command on the QRadar Console: psql -U qradar -c "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule );" Run the same WHERE clause as a SELECT first to review which rules will be changed before applying the update. Issue After upgrading to 7.5.0 UP2, anomaly rules whose link_uuid does not match the uuid of any rule in custom_rule can cause the rule wizard page to be unavailable and offenses to not be created. |
06 September 2022 |
MANAGED HOSTS | IJ40862 | DATABASE REBUILD ON MANAGED HOST FAILS DUE TO MULTIPLE POSTGRESQL VERSIONS EXISTING | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue In deployments with managed hosts patched to 7.5.0 Update Pack 2, the RPMs for postgresql 9.6 are not uninstalled or removed from /store/rpms, which causes rebuild failures on a managed host whenever host services triggers a rebuild. This issue occurs only on managed hosts, either after patching to 7.4.3 Fix Pack 6 or after patching to 7.5.0 Update Pack 2 from 7.5.0 GA or earlier. The error does not happen on systems already patched to 7.5.0 Update Pack 1. |
06 September 2022 |
QRADAR VULNERABILITY MANAGER | IJ40422 | QVM EXCEPTION SCREEN DOES NOT LOAD FROM THE HISTORY PAGE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Mark a vulnerability as an exception from any screen other than the history screen. Issue On a deployment with a QVM license, it is not possible to mark a vulnerability as an exception from the vulnerability instance history page. The following errors are displayed in /var/log/qradar.error: tomcat[21077]: [user@x.x.x.x (9823) /console/do/assetprofile/MaintainExceptionRule] WARN org.apache.struts2.dispatcher.Dispatcher - Could not find action or result: /console/do/assetprofile/MaintainExceptionRule?dispatch=newExceptionRule tomcat[21077]: No result defined for action com.q1labs.assetprofile.bean.action.struts2.MaintainExceptionRule and result input WEB-INF/struts/struts.xml:1461:151 tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:377) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279) tomcat[21077]: at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263) tomcat[21077]: at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49) tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) tomcat[21077]: at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142) tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140) tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140) tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) tomcat[21077]: at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201) tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249) tomcat[21077]: at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67) |
06 September 2022 |
API | IJ39788 | REFERENCE_DATA_COLLECTIONS API DOES NOT CLOSE CONNECTION TO POSTGRES LEADING TO "TOO MANY CLIENTS" ERRORS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue If a data record cannot be converted to UTF-8, the API generates an exception but does not properly close its connection to Postgres. Over time these leaked connections exceed the maximum number of connections allowed, resulting in a "too many clients" error. When this issue occurs, an error similar to the following can display in /var/log/qradar.log: [tomcat.tomcat] [api@ Note: The encoding error may vary depending on the data record being processed. |
06 September 2022 |
ROUTING RULES | IJ39393 | ROUTING RULE DISPLAYS A BLANK PAGE WHEN THE INSTALL IS A SOFTWARE APPLIANCE ON 7.5.0 UP1 | REOP | Note: This issue is reopened as it was determined that the issue is NOT fixed in QRadar 7.5.0 UP3. Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The Routing Rules window does not display as expected when QRadar is installed as a 'software appliance' on version 7.5.0 Update Pack 1. When this issue occurs, the web server (Tomcat) throws a NullPointerException at line 23 of RoutingRules.jsp, where the page reads the hardware appliance type (which returns null on a software install) and compares it with "3178". The Routing Rules page therefore displays blank and administrators cannot configure or edit values in the user interface. The following error displays when the Routing Rules interface attempts to load: tomcat[25826]: Error including jsp /qradar/jsp/RoutingRules.jsp tomcat[25826]: org.apache.jasper.JasperException: An exception occurred processing [/qradar/jsp/RoutingRules.jsp] at line [23] tomcat[25826]: 20: String firstRecord = ""; tomcat[25826]: 21: tomcat[25826]: 22: boolean isLogAggregation = LicenseKeyManager.getInstance().isApplicationLicensed( LicenseKeys.LOGAGGREGATION_LICENSED ); tomcat[25826]: 23: boolean isQRoC = LicenseKeyManager.getInstance().getHardwareApplianceType().equals("3178"); tomcat[25826]: 24: String selectedId = HTMLUtils.escapeHTMLAttr(request.getParameter("selectedId")); tomcat[25826]: 25: tomcat[25826]: 26: // get the suppressLogOnlyWarning flag.. have to do this because when creating new routing rule, there is no default form value from the server side. tomcat[25826]: Stacktrace: tomcat[25826]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831) tomcat[25826]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650) tomcat[25826]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) tomcat[25826]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) tomcat[25826]: at java.lang.Thread.run(Thread.java:825) tomcat[25826]: Caused by: java.lang.NullPointerException tomcat[25826]: at org.apache.jsp.qradar.jsp.RoutingRules_jsp._jspService(RoutingRules_jsp.java:152) tomcat[25826]: at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) tomcat[25826]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) tomcat[25826]: at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465) |
06 September 2022 |
NETWORK | IJ39550 | UNABLE TO CREATE BONDED INTERFACE ON QRADAR 7.5.0 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Users can encounter the following error in the UI, which prevents them from creating bonded interfaces: "Failed to save the network interface due to a server error. Try later." The following messages are visible in /var/log/qradar.log: Task CreateBondedNetworkInterfaceTask 338 is about to run [Python tool]: [INFO] Failed to run ethtool ens224 [Python tool]: [INFO] Steps to reproduce: |
06 September 2022 |
HIGH AVAILABILITY (HA) | IJ39521 | LARGE /STORE FILESYSTEMS CAN CAUSE HIGH AVAILABILITY 7.5.0 GA INSTALLS TO IMPROPERLY SET UP THE PARTITION LAYOUT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Important: This issue has been closed because systems built from the QRadar 7.5.0 Update Pack 3 ISO do not encounter it. If you are encountering this issue and your system was built with the QRadar 7.5.0 GA ISO, contact QRadar Support for a potential workaround. Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Installing High Availability (HA) on 7.5.0 GA can cause the partition layout to be built incorrectly. The prepare_ha.sh script does not run properly when /store is larger than 2 TB. Installing or rebuilding can cause prepare_ha.sh to generate an error, which prevents the secondary HA appliance from being added to the deployment without manual intervention. When this issue occurs, the following error displays in /var/log/setup_7.5.0.20211220195207/ha_setup.log: "Operation refused. Command 'drbdmeta 0 v08 /dev/mapper/storerhel-store internal create-md' terminated with exit code 40" |
06 September 2022 |
RULES | IJ39258 | SPECIAL CHARACTERS IN RULE NAMES CAN CAUSE 'CHECKING DISABILITY' WHEN ADDING AS TEST TO ANOTHER RULE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Update rules and building blocks so that their names do not contain special characters. Issue When a rule name contains a special character, the browser can display 'Checking disability' when you attempt to add a rule test that references that rule. This issue can occur with either rules or building blocks whose names contain special characters. The browser must validate the input change and confirm that the value can be added to the rule test; when the test references a rule with special characters, the browser changes the 'Add' button to 'Checking disability' and appears to hang indefinitely. Steps to reproduce |
06 September 2022 |
INSTALL | IJ39554 | PRETEST FAILS WHEN RUNNING /MEDIA/UPDATES/INSTALLER -T BECAUSE MKS FILES NOT PUSHED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround This error can be ignored: the MKS files are not pushed from the Console until the patch itself is run. Issue When running /media/updates/installer -t to test the managed hosts before patching, the pretest can fail because the MKS files have not yet been pushed from the Console. The managed hosts can display errors similar to the following: [QRADAR-9104] [pretest:Error] [ERROR] MKS files are not staged in /opt/qradar/conf/mks/mh/ Run the following command on the console before patching this host: /opt/qradar/bin/mks_integration.sh -p ERROR: [pretest] [QRADAR-9104] MKS files are not staged in /opt/qradar/conf/mks/mh/ Run the following command on the console before patching this host: /opt/qradar/bin/mks_integration.sh -p [ERROR](-i-testmode) Pretest failed: "/media/updates/scripts/QRADAR-6181.install --mode pretest" [ERROR](-i-testmode) Failed pretests [DEBUG](-i-testmode) returning code 4 |
06 September 2022 |
API | IJ38961 | DELETING ELEMENTS FROM REFERENCE MAPS WITH THE API OR REFERENCE DATA MGMT APP CAN FAIL WITH AN ERROR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Administrators with root access to the Console can use the ReferenceDataUtil.sh utility to delete or update reference sets. For more information, see https://ibm.biz/referencedatautil. Issue The deletion of an entry from a reference map using the API or Reference Data Management app can fail to complete when the reference map is large. This issue occurred when a user attempted to delete a single entry from a reference map that contained more than 80,000 entries. The following message was displayed when the deletion failed: "Map {map name} does not contain key {key name}" When this issue occurs, the following message can display in the logs: [tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/reference_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r [DEBUG] ReferenceDataAPI_Maps.removeMapValue() entered. Name: map_name key: map_key value: 71700 [tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/reference_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r [DEBUG] ReferenceDataAPI_Maps.removeMapValue()Map {map_name} does not contain key map_key |
06 September 2022 |
APPLICATION FRAMEWORK | IJ41206 | APP INSTALL FAILS DURING DOCKER BUILD WITH "AN EXCEPTION OCCURRED WHILE WAITING FOR TASK TO COMPLETE" ERROR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue On QRadar 7.4.3 Fix Pack 4, when trying to install an app, the install might fail with a timeout error at the build stage. The "docker build" command does not finish within the task poller's limit (900 attempts against docker_build.log.0, as the error below shows) and times out. An error similar to the following appears in /var/log/qradar.log: [tomcat.tomcat] [pool-1-thread-1] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask: [ERROR] [IPADDRESS/- -][-/- -]An exception occurred while building app asynchronously. Triggering rollback. [tomcat.tomcat] [pool-1-thread-1] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An exception occurred while waiting for task to complete. [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:41) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:22) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api.service.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java:94) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api.service.builders.shared.ConditionalHostTypeDecorator.process(ConditionalHostTypeDecorator.java:60) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:231) [tomcat.tomcat] [pool-1-thread-1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-1] at java.lang.Thread.run(Thread.java:822) [tomcat.tomcat] [pool-1-thread-1] Caused by: [tomcat.tomcat] [pool-1-thread-1] java.util.concurrent.ExecutionException: com.q1labs.configservices.task.TaskTimeoutException: Task has not completed and file at [/var/log/qradar/app/docker_build/docker_build.log.0] was not updated within [900] attempts |
06 September 2022 |
UPGRADE | IJ38842 | REPLICATION FAILS WITH SECURE BOOT STATUS ERROR AFTER AN UPGRADE TO QRADAR 7.5.0 UP1 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a workaround to update the myver utility. Issue After patching to QRadar 7.5.0 Update Pack 1, replication can fail. Users can encounter the following error after patching: "Secure boot status: 'This system doesn't support Secure Boot'" [hostcontext.hostcontext] [0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher] com.q1labs.hostcontext.replication.MHReplication: [INFO] [NOT:0000006000][IPADDRESS/- -] Timer expired. Attempting to download updates [hostcontext.hostcontext] [0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher] com.q1labs.hostcontext.replication.MHReplication: [INFO] [NOT:0000006000][IPADDRESS/- -] Downloading updates request starting... [hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream replication: Bareword found where operator expected at (eval 74) line 42, near "'This system doesn't" [hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream replication: (Missing operator before t?) ip-XXX-XXX replication[9007]: Using XXX.XX.XXX.XXX as our local IP. ip-XXX-XXX replication[9007]: Downloading and applying latest database dumps from the console. ip-XXX-XXX replication[9007]: No new database updates to apply. ip-XXX-XXX replication[9007]: Replication download timing: Downloading: 2628 ms Overall: 2628 ms Note: This APAR applies to upgrades of existing appliances to QRadar 7.5.0 UP1. If you are installing a new virtual machine or installing software from an ISO, Secure Boot must be disabled and your issue is not related to this APAR. For more information, see Creating your virtual machine. |
06 September 2022 |
RULES | IJ38934 | DELETED LOG SOURCE TYPE IS STILL VISIBLE IN RULE WIZARD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. Users can ignore the deleted log source in the Rule Wizard and subscribe to this APAR to receive an alert when this issue is resolved. Issue Deleted log source types may still be visible in the Rule Wizard when creating rules using conditions such as: when the event(s) were detected by one or more of these log source types |
06 September 2022 |
OFFENSES | IJ37124 | OFFENSES ARE NOT RENAMED WITHIN THE WINDOW CONFIGURED IN THE RULE RESPONSE LIMITER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround No workaround available. Users can subscribe to this APAR to receive an alert when this issue is resolved. Issue When a rule response limiter is set, offense renaming can fail to work as expected within the limiter window. For example: |
06 September 2022 |
APPLICATION FRAMEWORK | IJ37866 | APPLICATIONS CAN STOP AND REPORT FREE DATA ISSUES DUE TO DEVICEMAPPER DRIVER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Uninstalling or reinstalling applications does not resolve this issue because the space is not properly allocated by the devicemapper driver; correcting it requires QRadar Support assistance. Issue Applications can be stopped in the application framework when the devicemapper driver reports that there is not enough thin-provisioned space for the docker container. When this issue occurs the applications are installed, but no applications are running in the user interface. When docker ps is run, the output shows that the containers do not exist and are not running (Column H lists the failure). When the administrator runs docker info, the Data Space Available reported is smaller than the Thin Pool Minimum Free Space required by docker. Messages similar to the following might be visible when this issue occurs: ERRO[1691] Error waiting for container: container {containerID}: driver "devicemapper" failed to remove root filesystem: failed to remove device {deviceID}: devicemapper: Error running DeleteDevice dm_task_run failed |
06 September 2022 |
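The devicemapper condition described in IJ37866 is visible in `docker info` output: once Data Space Available drops below Thin Pool Minimum Free Space, app containers stop starting. The following script is an added example (not IBM code and not part of the APAR) that parses that output and exits non-zero when the pool is below the threshold. The two `docker info` excerpts embedded in it are constructed samples, not captured from an appliance, and the size parsing assumes docker's human-readable, 1000-based units (kB, MB, GB, TB); the field labels are the ones quoted in the APAR text.

```shell
#!/bin/sh
# Added example (not IBM code): flag the devicemapper condition behind IJ37866 by
# comparing "Data Space Available" with "Thin Pool Minimum Free Space" in the
# output of `docker info`. Real use on an appliance: docker info 2>/dev/null | thin_pool_check

# Convert a docker human-readable size ("10.74 GB", "8.9GB") to whole bytes.
# Assumption: docker prints decimal (1000-based) units: B, kB, MB, GB, TB.
to_bytes() {
    awk -v n="$1" -v u="$2" 'BEGIN {
        m = 1
        if (u == "kB") m = 1000
        else if (u == "MB") m = 1000 ^ 2
        else if (u == "GB") m = 1000 ^ 3
        else if (u == "TB") m = 1000 ^ 4
        printf "%.0f\n", n * m
    }'
}

# Print the byte value of the first "<label>: <size>" line read from stdin;
# prints nothing when the label is absent (e.g. overlay2 storage driver).
field_bytes() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9.][0-9.]*\)[[:space:]]*\([kMGT]\{0,1\}B\).*/\1 \2/p" \
        | head -n 1 \
        | while read -r n u; do to_bytes "$n" "$u"; done
}

# Read `docker info` text from stdin.
# Returns 0 when the pool has enough free space, 1 when it is below the
# minimum (apps will not start), 2 when the devicemapper fields are missing.
thin_pool_check() {
    info=$(cat)
    avail=$(printf '%s\n' "$info" | field_bytes "Data Space Available")
    min=$(printf '%s\n' "$info" | field_bytes "Thin Pool Minimum Free Space")
    if [ -z "$avail" ] || [ -z "$min" ]; then
        echo "thin_pool_check: devicemapper fields not found in docker info output" >&2
        return 2
    fi
    if [ "$avail" -lt "$min" ]; then
        echo "LOW: ${avail} B available < ${min} B minimum free space; containers cannot start" >&2
        return 1
    fi
    echo "OK: ${avail} B available >= ${min} B minimum free space"
    return 0
}

# Constructed sample excerpts (not captured from a real appliance).
SAMPLE_OK=' Storage Driver: devicemapper
  Data Space Used: 46.2GB
  Data Space Total: 107.4GB
  Data Space Available: 61.2GB
  Thin Pool Minimum Free Space: 10.74GB'

SAMPLE_LOW=' Storage Driver: devicemapper
  Data Space Used: 98.5GB
  Data Space Total: 107.4GB
  Data Space Available: 8.9GB
  Thin Pool Minimum Free Space: 10.74GB'

# Stand-alone demo over the samples; on an appliance pipe `docker info` in instead.
printf '%s\n' "$SAMPLE_OK"  | thin_pool_check || :
printf '%s\n' "$SAMPLE_LOW" | thin_pool_check || :
```

The exit code is what a cron job or monitoring hook would act on; the check reports the condition only, since the APAR states that freeing the space needs QRadar Support rather than reinstalling apps.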
SERVICES | IJ37217 | EVENTS CAN STOP BEING WRITTEN TO DISK UNEXPECTEDLY FOLLOWING MAXMIND GEODATA UPDATES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Disable updates of the maxmind/geographic data file using these steps:
Issue It has been identified that events can unexpectedly stop being written to disk following geodata updates. This issue can occur when a SIGBUS is raised while the Ariel writer reads the memory-mapped MaxMind database during the deploy process. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [ecs-ep.ecs-ep] Ariel Writer#events java.lang.InternalError: SIGBUS [ecs-ep.ecs-ep] Ariel Writer#events at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:252) [ecs-ep.ecs-ep] Ariel Writer#events at com.maxmind.db.Reader.readNode(Reader.java:219) [ecs-ep.ecs-ep] Ariel Writer#events at com.maxmind.db.Reader.findAddressInTree(Reader.java:174) [ecs-ep.ecs-ep] Ariel Writer#events at com.maxmind.db.Reader.get(Reader.java:146) [ecs-ep.ecs-ep] Ariel Writer#events at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151) [ecs-ep.ecs-ep] Ariel Writer#events at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:524) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:377) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:329) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.NormalizedEventProperties$SourceGeographicLocation.createKey(NormalizedEventProperties.java:108) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.NormalizedEventProperties$SourceGeographicLocation.createKey(NormalizedEventProperties.java:94) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Index.add(Index.java:267) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:67) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java:114) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java:131) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(ScatteringDatabaseWriter.java:87) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(ScatteringDatabaseWriter.java:55) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1100(ScatteringDatabaseWriter.java:32) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecord(ScatteringDatabaseWriter.java:247) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(ScatteringDatabaseWriter.java:450) [ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.java:115) [ecs-ep.ecs-ep] Ariel Writer#events at java.lang.Thread.run(Thread.java:822) |
06 September 2022 |
LOG SOURCES | IJ41200 | THE CERTIFICATE PINNING VALIDATION DOES NOT TAKE INTO ACCOUNT PROPERTY FILE SETTINGS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. Users can subscribe to this APAR to receive an alert when this issue is resolved. Issue Administrators can experience configuration issues in the Log Source Management app, or with the Test button, accompanied by repeated "checkCertificatePinning failed" error messages. This occurs because the certificate pinning validation does not apply the values set in the properties file. The following error is repeatedly displayed in /var/log/qradar.log: com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]checkCertificatePinning failed. |
06 September 2022 |
ADVANCED SEARCH (AQL) | IJ35136 | "UNABLE TO CREATE FUNCTION: 'INOFFENSE' NULL" RESPONSE WHEN USING AQL FUNCTION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround If you are unable to upgrade, contact QRadar Support for a workaround that might address this issue in some instances. Issue A message similar to "Unable to create function:'inoffense' null" can be generated when attempting to use the "INOFFENSE" AQL function on some offenses. The underlying cause, as the "Caused by" line shows, is an invalid time interval for the offense being queried. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to instantiate function 'inoffense' [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] java.lang.reflect.InvocationTargetException [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at sun.reflect.GeneratedConstructorAccessor77.newInstance(Unknown Source) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at java.lang.reflect.Constructor.newInstance(Constructor.java:437) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.constructFunction(ScalarFunctionInfo.java:474) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:557) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:218) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java:1176) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1436) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1650) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at java.lang.Thread.run(Thread.java:822) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] Caused by: [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] java.lang.IllegalArgumentException: Invalid interval [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.Interval.<init>(Interval.java:165) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.Expression.<init>(Expression.java:40) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.Expression.add(Expression.java:128) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.ariel.util.TimeIntervals.addInterval(TimeIntervals.java:21) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.core.types.networkevent.NetworkEventMPCPredicate.addEPs(NetworkEventMPCPredicate.java:208) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.core.aql.Base.<init>(OffenseFunctions.java:64) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] at com.q1labs.core.aql.OffenseFunctions$OffenseEvents.<init>(OffenseFunctions.java:122) [ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470] ... 17 more |
06 September 2022 |
API | IJ34638 | API SEARCHES USING LOCAL_DESTINATION_ADDRESS CAN FAIL ON ASSETS WITH A LARGE NUMBER OF VULNERABILITIES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround If you are unable to upgrade, contact QRadar Support for a workaround that might resolve this issue in some instances. Issue API searches using local_destination_address can fail in environments where there are assets with a large number of vulnerabilities generating a magnitude of 32,767 or more. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1(2560) /console/restapi/api/siem/local_destination_addresses] com.q1labs.restapi_annotations.content.exceptions.APIMappedException:Pro [tomcat.tomcat] [user@127.0.0.1 (2560) /console/restapi/api/siem/local_destination_addresses] at com.q1labs.restapi_annotations.content.exceptions.APIMappedException.<init>(APIMappedException.java:132) [tomcat.tomcat] [user@127.0.0.1(2560) /console/restapi/api/siem/local_destination_addresses] at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141) [tomcat.tomcat] [user@127.0.0.1(2560) /console/restapi/api/siem/local_destination_addresses] Caused by: [tomcat.tomcat] [user@127.0.0.1 (2560) /console/restapi/api/siem/local_destination_addresses] org.postgresql.util.PSQLException: Bad value for type short : 32976.8000000000029 |
06 September 2022 |
LOG SOURCES | IJ33638 | FILTERING AND SEARCHING BY LOG SOURCE TYPE FILTER CAN FAIL AFTER CHANGES ARE MADE USING LSM APP | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Option 1: Perform a restart of the ECS-EP service from an SSH session to the QRadar Console: systemctl restart ecs-ep Option 2: systemctl restart tomcat Issue After changing a log source type using the Log Source Management (LSM) app, realtime or historical searches and filtering using the Log Source type filter can fail to work as expected (no events are displayed). |
06 September 2022 |
APPLICATION FRAMEWORK | IJ41515 | APP CONTAINER FAILS BECAUSE APP HEALTH CHECK FAILURE THRESHOLD INCORRECTLY SET TO 1 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified as 'No workaround available' require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue In QRadar 7.5.0 consoles with applications installed, the Health Check Failure Threshold may exit after a single attempt when it should execute ten times. The correct value of 10 should be taken from the liveness probe, but if the liveness probe check fails, the value defaults to 1. This incorrect value results in the following conman error in /var/log/qradar.log: conwrap[1048]: time="2022-03-20T06:45:21Z" level=error msg="Health status polling has ended as the count of 1 has been hit." |
06 September 2022 |
REFERENCE DATA | IJ33799 | REFERENCEDATAUTIL.SH SCRIPT FAILS TO UPDATE SOME DATABASE TABLES AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified as 'No workaround available' require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue. Issue The script /opt/qradar/bin/ReferenceDataUtil.sh allows users to run the 'update' option to update the following parameters:
|
06 September 2022 |
ROUTING RULES | IJ33185 | NORMALIZED FLOW FORWARDING USING ROUTING RULES DOES NOT FORWARD FLOW PAYLOADS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround Configure Flow Forwarding using the section "Forwarding Flows Using Flow Source Configuration" from: https://www.ibm.com/support/pages/node/543807. Issue Normalized Flows that are forwarded using routing rules do not contain the flow payloads at the destination site. At the source, payloads for the source or destination are visible on the Network Activity page. At the destination, the payload does not display, but the payload byte counts still show their values. |
06 September 2022 |
BACKUP AND RESTORE | IJ30069 | RESTORING A CONFIGURATION BACKUP FAILS IF THE BACKUP ARCHIVE IS ALSO PRESENT IN THE /STORETMP/ DIRECTORY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Move the backup archive files from /storetmp and do not put backup archive files there. Issue Restoring a configuration backup does not work if the backup archive being restored has also been placed into /storetmp/ directory. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: root: tar: /storetmp/backup.nightly.naming_53.13_01_2020.config.1608181708813.tgz: Cannot open: Not a directory |
06 September 2022 |
QRADAR VULNERABILITY MANAGER | IJ29536 | ESTIMATED TIME TO PROCESS RESULTS OF SCAN INCREASES IF NO ASSETS ARE DETECTED IN THE SCAN | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. Issue When a QRadar Vulnerability Manager scan is run that discovers no assets, the scan completes, but the estimated time to process results continues to increase. |
06 September 2022 |
QRADAR VULNERABILITY MANAGER | IJ42185 | ERROR EXPORTING DATA WHEN FILTERING FROM THE MANAGE VULNERABILITIES LIST | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. Issue Users who click the Vulnerabilities tab, then use a filter from the Manage Vulnerabilities sidebar, can experience a null pointer exception when they attempt to export data. Users who filter 'By Network, By Asset, By Vulnerability, or By Open Service', then select Actions > Export, see the progress indicator display momentarily, then disappear from the user interface. When this issue occurs, vulnerabilities are not exported and the following error is displayed in /var/log/qradar.log: [ERROR] [NOT:0000003000][IPADD/- -] [-/- -]Error exporting data java.lang.NullPointerException at com.q1labs.core.ui.util.QueryUtils.getQVMQuery(QueryUtils.java:1481) at com.q1labs.core.ui.util.QueryUtils.prepareQueryString(QueryUtils.java:1194) at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:583) at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:562) at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearchQRadarQuery(ExportJobProcessor.java:387) at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:206) |
07 September 2022 |
USER PREFERENCES | IJ34850 | COLLATION ERRORS IN QRADAR LOGGING OCCUR WHEN QRADAR IS SET TO SOME LOCALES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround For more information on this issue, see https://www.ibm.com/support/pages/node/6596983. Issue Collation errors can be observed in QRadar logging when using a locale setting that is not found in the pg_collation database table. For example, having the locale set to "polski" can generate messages similar to the following in /var/log/qradar-sql.log: hostname postgres[26685]: [182-1] ERROR: collation "pl" for encoding "UTF8" does not exist at character 11 hostname postgres[26685]: [182-2] STATEMENT: SELECT '' COLLATE "pl" |
13 December 2022 |
SECURITY BULLETIN | IBM QRADAR SIEM IS AFFECTED BY A REMOTE CODE EXECUTION IN SPRING FRAMEWORK | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) QRadar 7.3.3 Fix Pack 11 Interim Fix 1 (7.3.3.20201018191117) Affected versions
|
24 June 2022 |
SECURITY BULLETIN | Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) QRadar 7.3.3 Fix Pack 11 (7.3.3.20220318161607) Affected versions
|
28 April 2022 |
RULES | IJ40380 | NEXT BUTTON IN RULE AND REPORT WIZARD DISABLED FOR CHROME 102.0.5005.61 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) QRadar 7.5.0 Update Pack 2 Interim Fix 1 (7.4.3.20220609203147) QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) QRadar 7.3.3 Fix Pack 11 Interim Fix 1 (7.3.3.20220517151911) Workaround Users who experience this issue can use an alternate browser to complete rule changes. For more information, see QRadar supported browsers. Issue For Chrome version 102.0.5005.61, the next button on the Rule/Report Wizard is disabled and titles such as 'Rule Wizard' and 'Report Wizard' do not display. This issue has also been reported for users on other Chromium-based browsers, such as Microsoft Edge version 102.0.1245.33. |
20 June 2022 |
RULES | IJ33244 | RULES WITH NETWORK TESTS CAN SOMETIMES FAIL TO WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This report is resolved in an existing software upgrade pack. Issue Rules that are configured with network tests (e.g. Apply test on flows which are detected by the Local system, and NOT when the flow context is Local to Local) can sometimes fail to fire when expected due to an issue where the Custom Rule Engine loads threads in an incorrect order. |
20 June 2022 |
USER INTERFACE | IJ34633 | TCPV6 SOCKET LEAK FROM REAL-TIME STREAMING CAUSING TOMCAT OUTAGES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround During a maintenance window, restart the tomcat web service. Issue Administrators might notice occurrences of "Application Error" popups when attempting to access their UI. When this is happening, administrators can look in /var/log/qradar.log on the Console or Managed Hosts for similar messages: [tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7801: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]2021-06-13 12:37:44.0601 Info: /x.x.x.x:59036 : Inactivity : Connection reset by peer [31] [tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7800: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]Error: /x.x.x.x:50194 : IOException : Broken pipe This issue can occur between an unencrypted Managed Host and the Console. Administrators can also run this script to confirm that the issue is being caused by tomcat holding on to TCPv6 file descriptors: while true; do echo $(date +"%T") | tee -a /root/lsof-mon.txt && lsof -p $(systemctl status tomcat | grep "Main PID" | awk '{print $3}') | grep 'protocol: TCPv6' | wc -l 2>&1 | tee -a /root/lsof-mon.txt; sleep 5; done; Note: If you are hitting this issue, the TCPv6 count written to /root/lsof-mon.txt will continually grow. Press CTRL-C to stop the script and remove the file once troubleshooting is complete. |
20 June 2022 |
SYSTEM NOTIFICATIONS | IJ35015 | SYSTEM NOTIFICATION FOR EXPENSIVE CUSTOM PROPERTIES FAILS TO WORK AS EXPECTED IN QRADAR 7.4.2 AND NEWER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This report is resolved in an existing software upgrade pack. Issue The find expensive custom property function in the QRadar DSM Filter does not work as expected after the change in QRadar 7.4.2 that switched MBean measurements to nanoseconds. Due to this change, no System Notification is generated when QRadar encounters an expensive custom property. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec.ecs-ec] [Timer-18] com.ibm.si.ec.filters.normalize.DSMFilter: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get MBean value for "Average". javax.management.AttributeNotFoundException: No such attribute: Average |
20 June 2022 |
SERVICES | IJ36277 | QRADAR CAN FAIL TO PASS EVENTS FROM ECS-EC-INGRESS COLLECTION PROCESS TO THE ECS-EC PROCESS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Restart the ecs-ec-ingress service using the following command from an SSH session to the QRadar Console: systemctl restart ecs-ec-ingress Or from the QRadar User Interface:
Issue In some instances a ConcurrentModificationException can cause the StreamListener thread to die. When this occurs, events stop flowing from the ecs-ec-ingress process to the ecs-ec process, causing event rates to drop to zero. This has been observed in environments where there is a very high event rate or a very large event backlog to process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Exception was uncaught in thread: StreamListenerThread [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] java.util.ConcurrentModificationException [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$HashIterator.nextNode(HashMap.java:1456) [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$KeyIterator.next(HashMap.java:1480) [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.frameworks.nio.loadbalancing.AbstractLoadBalancer.addClient(AbstractLoadBalancer.java:88) [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.sem.nio.network.StreamingServer.run(StreamingServer.java:108) [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.lang.Thread.run(Thread.java:822) |
20 June 2022 |
USER INTERFACE | IJ38930 | SYSTEM RULES MIGHT NOT DISPLAY CHANGES AS EXPECTED FROM THE UI OR API | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Users who make a rule edit can confirm the changes were successfully made or that a rule is enabled by editing the rule in the Rule Wizard. Issue When a user updates a system rule from the API or the user interface Action menu, the state change might not be properly captured. This issue was observed by development for V7.4.3 Fix Pack 5 when a user enables, then disables a rule. The system rule is expected to update the Status column to True, but the user interface is not refreshed properly with the state change and still displays False to the user. Steps to replicate this issue:
|
20 June 2022 |
RULES | IJ38314 | REFERENCE RULE RESPONSE STOPS WORKING AFTER ALL DOMAINS REMOVED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Users can manually edit the rule to save the reference data as shared. Issue When all domains are removed and tomcat is restarted, a rule response that writes domain-specific data does not write to the reference set. When this issue occurs, the following error is displayed in /var/log/qradar.log: [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][/- -] [-/--]ReferenceDataManager.addToReferenceDataCollection() rdata=name=UBA : Users Last Country size=24 {domain 0:[{data}... [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread: [ERROR] [NOT:0000003-]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : Users Last Country size=24 {domain 0:[{data}... [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.dao.referencedata.light.RefDataDomainRestrictionException:Can't use domain domains. [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:176) [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.addElement(RefDataDomainProtection.java:54) [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:188) [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataManager.addToReferenceDataCollection(ReferenceDataManager.java:825) [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100) To replicate this issue:
|
20 June 2022 |
DEPLOY CHANGES | IJ39425 | FIPS APPLIANCES WITH IMQ PASSWORDS CONTAINING '$' CAN EXPERIENCE ADD HOST OR DEPLOY ISSUES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Administrators with FIPS appliances who set an IMQ password to the same value as the JPA password with /opt/qradar/imq/bin/setup-imq.sh --password can experience issues where part of the saved password in /opt/qradar/conf/frameworks.properties is truncated after the '$' character. The truncated value prevents administrators from adding managed hosts, as the '$' character is treated as a variable in bash. The password issue causes the services to fail to connect to the DB after the initial deploy. This issue can occur on any QRadar version where FIPS is enabled. This APAR is associated with issue IJ37865. |
20 June 2022 |
QRADAR ON CLOUD | IJ40310 | DATA GATEWAY APPLIANCES CANNOT SUCCESSFULLY ADD TO THE DEPLOYMENT DUE TO A SETUP ISSUE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround QRadar on Cloud administrators must contact QRadar Support to resolve this issue, as the workaround requires console command line access. Issue Administrators who attempt to add a Data Gateway appliance with the "/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p" command are not prompted for the root password during setup because a decryption error occurs. This leads to issues where the Console cannot establish an SSH session to the Data Gateway to properly add the host to the QRadar on Cloud Console. When this issue occurs, the Data Gateway fails to successfully add to the QRadar on Cloud Console. The following error is reported on the Data Gateway appliance in /var/log/qradar.log: Failed to run command 'mh_setup': Failed to add host 'xx.xxx.xxx.xxx' to deployment 'xxxxxxconsole.qradar.ibm.com': Failed to add host to deployment: Check console logs for details. The QRadar on Cloud Console can display a connection refused error for the Data Gateway appliance. The error is only visible to QRadar Support, as the information is displayed in /var/log/qradar.log on the Console. Administrators who experience Data Gateway issues can confirm the following error through a case opened with QRadar Support: com.q1labs.configservices.common.ConfigServicesException: Failed to connect to xx.xxx.xxx.xxx password may be invalid or the connection was refused. |
20 June 2022 |
UPGRADE | IJ38185 | RERUNNING A FAILED UPGRADE ON V7.5.0 UPGRADE PACK 1 CAN LEAD TO CONFIGURATION ERROR QRADAR-6666.INSTALL | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Do not attempt to run a QRadar 7.5.0 Upgrade Pack 1 installation a second time, as running the installation again can cause the Postgres RPM issue described in this APAR. If you experience a failed QRadar 7.5.0 UP1 upgrade, contact QRadar Support for assistance and a workaround to this issue. Issue Administrators who attempt to rerun a previously failed upgrade on a managed host or Console from V7.4.x to QRadar 7.5.0 Upgrade Pack 1 (UP1) can experience Postgres RPM installation issues that fail to roll back as expected. The upgrade attempts to roll back the database and restore the configuration. However, due to an issue in the QRADAR-6666.install utility, the rollback does not successfully complete. The failed rollback can leave the system without a Postgres configuration. This issue can occur on a reinstall attempt for a Console or a managed host.
Examining /media/updates/repo//postgresql11-contrib-11.14-1PGDG.rhel7.x86_64.rpm: postgresql11-contrib-11.14-1PGDG.rhel7.x86_64 /media/updates/repo//postgresql11-contrib-11.14-1PGDG.rhel7.x86_64.rpm: does not update installed package. Error: Nothing to do [DEBUG](-i-patchmode) ERROR: Failed to install new postgresql rpms. (1) [DEBUG](-i-patchmode) Error running 270: /media/updates/scripts/QRADAR-6666.install --mode presql; Got error code of 1. [ERROR](-i-patchmode) Error running 270: /media/updates/scripts/QRADAR-6666.install --mode presql |
20 June 2022 |
UPGRADE | IJ38233 | UPGRADES TO 7.5.0 UP1 CAN EXPERIENCE HOSTCONTEXT ISSUES DUE TO UNRESTRICTED JCE JAR FILES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Administrators with unrestricted JCE policy files installed can confirm these files are installed with the following command: /opt/qradar/support/all_servers.sh -Ck "ls -1 /opt/ibm/java-x86_64-80/jre/lib/security/*.jar" If the output on any host reports the following files, you are affected by this issue and must remove your JCE policy files before you upgrade to QRadar 7.5.0 UP1 to avoid this issue: /opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar If the all_servers command returns the following output, you are ls: cannot access /opt/ibm/java-x86_64-80/jre/lib/security/*.jar: No such file or directory Issue Administrators who upgrade to QRadar 7.5.0 Upgrade Pack 1 (UP1) can experience an issue where the hostcontext service does not start properly after the upgrade completes, due to signing issues in the JCE policy files. This issue only applies to administrators who install the unrestricted JCE policy files on appliances that require advanced encryption ciphers. Order of operations:
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing resource loggers: [com.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;e03cd69c [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks instance name: hostcontext.hostcontext [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/ [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks booting - logging, loader complete [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Loading frameworks.properties [hostcontext.hostcontext] [main] com.q1labs.frameworks.util.NamedThreadFactory: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Thread factory created: Spillover Cache Vacuum [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing JMX for RMI [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Constructing mbean server at: service:jmx:rmi://IPADDRESS:7778/jndi/rmi://IPADDRESS:7778/jmxrmi [hostcontext.hostcontext] [main] com.q1labs.frameworks.logging.LogManagementAgent: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Log management agent started. [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing jpa helipad hostcontext[21113]: Destroying HostContext |
20 June 2022 |
UPGRADE | IJ39768 | QRADAR PATCHING TO VERSION 7.5.0 OR NEWER CAN FAIL ON MANAGED HOSTS WITH "ERROR: COULD NOT CREATE UNIQUE INDEX..." | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Patching to QRadar 7.5.0 can fail on Managed Hosts due to an index that causes an SQL query to fail on duplicate data. Messages similar to the following might be visible during patching when this issue occurs: [ERROR](-i-patchmode) Error applying script [14/87] '/media/updates/opt/qradar/conf/templates/db_update_247342.ref_set_import1.sql' for Test_qradar database.; details: WARNING: SET TRANSACTI can only be used in transaction blocks NOTICE: index "reference_data_element_unique_rdata1" does not exist, skipping ERROR: could not create unique index "reference_data_element_unique_rdata1" DETAIL: Key (md5((rdk_id::text || '_'::text) || data))=(0139237e0f70a8400c8 |
20 June 2022 |
UPGRADE | IJ39786 | ISSUE REPORTED WHEN UPGRADING TO QRADAR 7.5.0 UP1 IF THE PATCH FAILS IN PATCHMODE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Issues were reported when an upgrade to QRadar 7.5.0 UP1 fails during patchmode. This is an extension to what is seen in IJ38185. The following error message can be seen in /var/log/patches.log: [DEBUG](patchmode) Checking that tomcat is running and ready: (attempt 2/120) (24 seconds) Exception in thread "main" java.lang.NoClassDefFoundError: javax.persistence.EntityManagerFactory at com.q1labs.hostcontext.backup.core.BackupUtils.main(BackupUtils.java:2771) Caused by: java.lang.ClassNotFoundException: javax.persistence.EntityManagerFactory at java.net.URLClassLoader.findClass(URLClassLoader.java:610) at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:942) at java.lang.ClassLoader.loadClass(ClassLoader.java:887) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349) at java.lang.ClassLoader.loadClass(ClassLoader.java:870) |
20 June 2022 |
UPGRADE | IJ39259 | UPGRADES ON MANAGED HOSTS CAN FAIL DUE TO SCRIPT CONNECTION TIMEOUT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround If the error has already occurred, contact support for a possible workaround that might address this issue in some instances. The workaround involves an SFS repackage or a time setting change, and manually applying the patch to each host individually. If the issue has not yet occurred, you can work around it before the error is encountered by using parallel upgrade steps: QRadar: How to Update Appliances in Parallel. Issue During an upgrade, when the All option is selected, managed hosts can fail to update due to a timeout error. The Console upgrade completes successfully, but individual managed hosts in the deployment fail during their upgrade. When this issue occurs, the connection is closed by the remote managed host and a "Could not apply patch on HOSTNAME at IPADDRESS" error displays. For example: [Connection [OK Applying presql script: (127/139) [Connection to x.x.x.x closed by remote host. [ERROR](patchingHost:x.x.x.x) Could not apply patch on HOSTNAME at x.x.x.x [DEBUG](patchingHost:x.x.x.x) report='Could not apply patch on HOSTNAME at x.x.x.x |
20 June 2022 |
QRADAR VULNERABILITY MANAGER | IJ39606 | QRADAR VULNERABILITY MANAGER: SCHEDULED SCANS DO NOT RUN AFTER UPGRADING TO 7.5.0 UP1 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround Re-apply the scan profile cron settings by navigating through the following menus: Vulnerabilities tab > Administrative > Scan Profiles > When to scan > Advanced > Cron. For more information, see Scan scheduling. Issue After upgrading to QRadar 7.5.0 Update Pack 1, scan profiles that are scheduled by using a cron expression will not run. This is caused by the upgrade removing cron expressions from scan profiles. |
20 June 2022 |
UPGRADE | IJ39789 | POSTGRES RE-INSTALL ON MANAGED HOST CAN FAIL AFTER PATCHING TO 750 UPDATE PACKAGE 1 | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Hostservices can fail to start if issues occur that require a Managed Host to attempt a reinstall of the postgres RPMs. When this issue occurs, the following error can display: systemd[1]: Starting hostservices alias script... hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x init_script[10300]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 4 more times. hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. 
See "systemctl status postgresql-qrd.service" and "journalctl -x init_script[10390]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 3 more times. hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x hostservices.sh[6708]: Re-installing postgresql RPMs: tr: when not truncating set1, string2 must be non-empty hostservices.sh[6708]: error: package postgresql-contrib is not installed hostservices.sh[6708]: error: package postgresql-server is not installed hostservices.sh[6708]: error: package postgresql-libs is not installed hostservices.sh[6708]: error: package postgresql is not installed hostservices.sh[6708]: FAILED hostservices.sh[6708]: Could not re-install postgresql rpms. |
20 June 2022 |
QRADAR INCIDENT FORENSICS | IJ38824 | FORENSIC RECOVERY FAILS WHEN LIMITING RESULTS BY IP ADDRESS | OPEN | Workaround Run a forensics recovery search for raw data that includes both a port and an IP address. If you continue to experience issues, contact support for a workaround that might address this issue in certain scenarios. Issue Users who attempt to run a forensics recovery to search the raw packet capture for an IP address can encounter a "There was an error running Forensic Recovery" message in the user interface. This issue prevents users from targeting a specific IP when they click 'Run recovery' if they do not select a port. Steps to reproduce:
|
26 March 2022 |
QRADAR INCIDENT FORENSICS | IJ39551 | QRADAR INCIDENT FORENSICS UPGRADE PATCH TEST FAILS WITH UNABLE TO EXPORT SOLR DATA ERROR | OPEN | Workaround Contact support for a possible workaround that might address this issue in some instances. Issue Exporting large SOLR documents during a QRadar Incident Forensics upgrade can cause the patch test to fail. During the pretest when patching a QRadar Incident Forensics appliance, /media/updates/scripts/.install --mode precheck runs; if there are many large SOLR documents to export, the script runs out of memory and the patch pretest fails with the following errors: [predown:Error] [ERROR] Unable to export SOLR data: code 1 [WARN](-i-testmode) ERROR: [predown] QRADAR-4105 Unable to export SOLR data: code 1 [DEBUG](-i-testmode) Error running 26: /media/updates/scripts/QRADAR-4105.install --mode predown; Got error code of 255. |
25 April 2022 |
REFERENCE DATA | IJ40269 | LARGE REFERENCE DATA SETS MIGHT RETURN UNEXPECTED RESULTS BASED ON THE SPILLOVER CACHE SIZE | OPEN | Workaround Contact support for a possible workaround that might address this issue in some instances. Issue Queries that contain a reference data lookup might not return the expected results when the matching data exists outside of the in-memory cache. Large reference sets or small spillover caches on appliances can cause partial results, because the data resides outside of the ChainAppendCache lookup. This issue can occur during a search or when a rule test attempts a lookup on a reference data set that exceeds the existing spillover cache of the software install or appliance. The ChainAppendCache is expected to retrieve additional data from disk, extending the query to potential results on disk when the query exceeds the existing spillover cache size. |
26 May 2022 |
ROUTING RULES | IJ30016 | ROUTING RULE TEST 'IS N/A' DOES NOT WORK AS EXPECTED IF THE STRING IS NOT NULL | OPEN | Workaround Use this filter instead: Username matches any of expression \A\z Issue The routing rule test 'is N/A' does not work for empty strings. For example, a routing rule configured to drop events when the username is N/A does not work as expected if the event payload contains an empty username. An empty username is shown as N/A in the user interface, but the rule does not drop the event because the test checks for 'username is null'. |
06 January 2021 |
VULNERABILITY SCANNERS | IJ39637 | AFTER PATCHING TO 7.5.0 UP1, VULNERABILITY ASSESSMENT (VA) SCANNERS NO LONGER WORK | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue After patching to 7.5.0 UP1, the VA scanners (e.g. Qualys) remain in a "New" or "Pending" state and no longer work. The following error can be observed when this issue occurs: "[Pending] This scan job was detected to be in an inconsistent state". com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42) [vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.run(ScannerManager.java:152) [vis] [Scanner Manager] at java.lang.Thread.run(Thread.java:825) [vis] [Scanner Manager] Caused by: [vis] [Scanner Manager] java.lang.ClassNotFoundException: com.ctc.wstx.stax.WstxInputFactory# Temporary workaround for - enable crl check on select processes only |
30 May 2022 |
RULES | IJ11541 | DOUBLE MATCH COUNT FLOW RULES CAN MISFIRE DUE TO IPV6 ADDRESSES BEING EVALUATED IN RULES BEFORE IPV4 ADDRESSES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is resolved in an existing software upgrade pack. Issue Double match count flow rules can sometimes misfire because IPv6 addresses are evaluated in rules before IPv4 addresses. When this occurs, false positive offense generation can be observed. |
30 May 2022 |
AUTHENTICATION | IJ39020 | LDAP GROUP AUTHENTICATION CAN FAIL WITH SPECIAL CHARACTERS IN USERNAMES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is resolved in an existing software upgrade pack. Issue Users who use group-based LDAP authentication "by member" or "by query" are unable to log in if the group member field on the LDAP server contains certain special characters, such as an asterisk "*". For example, a user that attempts to authenticate with wildcard characters (*) in the username cannot log in successfully. Username: test*contractor*user Password: password When this issue occurs, the following error is displayed in /var/log/qradar.java.debug: executeQuery(): Attempting to execute ldap query [(uid=test*contractor*user)] executeQuery(): Found [1] search results. executeQuery(): Attempting to execute ldap query [(memberUid=test*contractor*user)] executeQuery(): Found [0] search results. executeQuery(): Attempting to execute ldap query [(memberUid=uid=test*CONTRACTOR*user,dc=example,dc=org)] executeQuery(): Found [0] search results. Note: Debug is not enabled by default and might require QRadar Support to confirm the error message. |
30 May 2022 |
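The IJ39020 entry above shows an unescaped username being placed straight into the LDAP filters `(uid=test*contractor*user)` and `(memberUid=test*contractor*user)`. In an LDAP filter an unescaped `*` is a wildcard, not a literal character, so the filter no longer asserts the exact username. The following added example (written for this page, not IBM's code or fix) models that difference: it escapes filter values per RFC 4515 and compares how a toy directory resolves the escaped and unescaped forms. The `DIRECTORY` entries, the `search` and `resolve_member` functions, and the wildcard model are all constructed for illustration; they do not reproduce QRadar's exact query logic or the result counts in the APAR log.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so the directory treats them literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _assertion_to_regex(raw_value: str) -> re.Pattern:
    """Toy model of how a server reads an assertion value: an unescaped '*'
    is a wildcard, and a '\\XX' hex escape stands for the literal character XX."""
    parts = []
    i = 0
    while i < len(raw_value):
        ch = raw_value[i]
        hexpair = raw_value[i + 1:i + 3]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
            parts.append(re.escape(chr(int(hexpair, 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def search(directory: dict, attribute: str, raw_value: str) -> list:
    """Return the DNs whose attribute has a value matching the raw filter value,
    i.e. the result of evaluating the filter '(attribute=raw_value)'."""
    pattern = _assertion_to_regex(raw_value)
    return [dn for dn, attrs in directory.items()
            if any(pattern.fullmatch(v) for v in attrs.get(attribute, []))]


# Constructed sample directory (not from the APAR): one account whose uid
# really contains asterisks, two look-alike accounts, and a group that lists it.
DIRECTORY = {
    "uid=test*contractor*user,dc=example,dc=org": {"uid": ["test*contractor*user"]},
    "uid=testcontractoruser,dc=example,dc=org": {"uid": ["testcontractoruser"]},
    "uid=test-contractor-user,dc=example,dc=org": {"uid": ["test-contractor-user"]},
    "cn=contractors,ou=groups,dc=example,dc=org": {"memberUid": ["test*contractor*user"]},
}


def resolve_member(directory: dict, username: str, group_attr: str = "memberUid"):
    """Look up a login name the safe way: escape it, require exactly one matching
    account, then check group membership with the same escaped value.
    Returns the account DN on success, None otherwise."""
    safe = escape_filter_value(username)
    accounts = search(directory, "uid", safe)
    if len(accounts) != 1:          # ambiguous or unknown account: refuse
        return None
    if not search(directory, group_attr, safe):
        return None
    return accounts[0]


if __name__ == "__main__":
    name = "test*contractor*user"
    print("unescaped uid lookup :", search(DIRECTORY, "uid", name))
    print("escaped uid lookup   :", search(DIRECTORY, "uid", escape_filter_value(name)))
    print("resolved member DN   :", resolve_member(DIRECTORY, name))
```

The unescaped lookup matches all three accounts because each `*` is read as a wildcard, while the escaped value `test\2acontractor\2auser` matches only the account whose uid literally contains the asterisks and then finds its group entry. Requiring exactly one account match before the group check is the defensive habit worth keeping in any authenticator that builds filters from user input.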
UPGRADE | IJ40241 | PATCH INSTALLER FAILS WITH ERROR MESSAGE "DISCOVERED EXTRA DATABASES WHICH MUST BE REMOVED BEFORE CONTINUING" | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is resolved in an existing software upgrade pack. Issue When an administrator tries to patch a console from 7.3.3 FP10 to 7.5.0, the patch fails with the error message: "Discovered extra databases which must be removed before continuing". The following error messages are displayed in /var/log/patches.log: ERROR: Discovered extra databases which must be removed before continuing. ERROR: If you would like to preserve the contents, backup the database before removing it. ERROR: Make sure the database instance service is running before removing the extra database. ERROR: The extra databases are: * 'patch_test_qradar' in PostgreSQL instance 'postgresql-qrd'. To remove, run: psql -U postgres -p 5432 -c 'drop database patch_test_qradar'. * 'patch_test_fusionvm' in PostgreSQL instance 'postgresql-qvm'. To remove, run: psql -U postgres -p 15433 -c 'drop database patch_test_fusionvm'. * 'patch_test_qradar' in PostgreSQL instance 'postgresql-rm'. To remove, run: psql -U postgres -p 15432 -c 'drop database patch_test_qradar'. [ERROR](testmode) Pretest failed: "/media/updates/scripts/QRADAR-6666.install --mode pretest" [ERROR](testmode) Failed pretests [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue. [INFO](testmode) Waiting for hostcontext to fully start [INFO](testmode) Set ip-xx-xx status to 'Patch Test Failed' [ERROR](testmode) Patching can not continue [ERROR] Failed to apply patch on localhost, not checking any managed hosts. An error was encountered attempting to process patches. Please contact customer support for further assistance. |
30 May 2022 |
DEPLOYMENT | IJ37288 | DELETED MANAGED HOSTS WITH AN INCORRECT STATUS IN THE QRADAR DATABASE CAN CAUSE PATCHES TO COMPLETE SUCCESSFULLY BUT WITH ERRORS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Deleted managed hosts that are not set to status = 14 in the serverhost table can cause patches to complete successfully, but with errors. This occurs when the patching process attempts to update SSH keys for deleted hosts that are not in status 14. Messages similar to the following might be visible in /var/log/setup-#####/patches.log: [mks_integration] [get_ssh_ip DeletedWed] IPDeletedWed is reachable. ssh: Could not resolve hostname deletedwed: Name or service not known |
30 May 2022 |
QRADAR RISK MANAGER | IJ36915 | EVENTS AND OFFENSES BUTTONS ARE NOT HIGHLIGHTED ON THE DEVICE SUMMARY TOOLBAR PREVENTING SEARCHES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Use a search on the Log Activity or Offenses tab. Issue In QRadar Risk Manager, the Events and Offenses buttons on the device summary toolbar are not highlighted when a device is mapped to a log source. When this occurs, it prevents searches from being launched from the window. |
30 May 2022 |
QRADAR USE CASE MANAGER APP | IJ36907 | DELETING A RULE IN THE USE CASE MANAGER (UCM) APP DOES NOT CREATE AN APPROPRIATE AUDIT EVENT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Use the legacy QRadar rule interface to delete rules:
Issue When deleting a rule in the Use Case Manager (UCM) app, there is no associated audit log that states the specific rule was deleted. |
30 May 2022 |
APPLICATION FRAMEWORK | IJ36275 | QRADAR APP INSTALL FAILS WITH 'NO TOKEN HEADER PRESENT IN REQUEST...' ERROR AFTER 30 MINUTES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Ensure the values in /opt/qradar/conf/nva.conf for these variables are as follows prior to QRadar app installation:
Issue QRadar app installations can fail after 30 minutes (timeout) with a message similar to "No token header present in request. Please provide it. You may also use BASIC authentication parameters if this host supports it. e.g. 'Authorization: Basic base64Encoding'." This has been observed when one or both of the following /opt/qradar/conf/nva.conf variables have been increased from their defaults of 10 and 50 respectively: APPFW_HEALTH_CHECK_DELAY_SECONDS APPFW_HEALTH_CHECK_RETRY_LIMIT Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-7] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask:[ERROR] [ thrown during the execution of task: 84434 .... [tomcat.tomcat] [pool-1-thread-7] at com.q1labs.uiframeworks.application.api.service.builders.SimpleBuildProcessor.triggerRollback(SimpleBuildProcessor.java:240) [tomcat.tomcat] [pool-1-thread-7] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:236) [tomcat.tomcat] [pool-1-thread-7] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)[tomcat.tomcat] java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)[tomcat java.lang.Thread.run(Thread.java:822) [tomcat.tomcat] [pool-1-thread-7] Caused by: [tomcat.tomcat] [pool-1-thread-7] {openjpa-2.4.3-r422266:1833086 fatal store error} org.apache.openjpa.persistence.RollbackException: This connection has been closed. 
[tomcat.tomcat] [pool-1-thread-7] at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595) [tomcat.tomcat] [pool-1-thread-7] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1039)[tomcat.tomcat] [pool-1-thread-7] ... 9 more [tomcat.tomcat] [pool-1-thread-7] Caused by: [tomcat.tomcat] [pool-1-thread-7] {openjpa-2.4.3-r422266:1833086 fatal general error} org.apache.openjpa.persistence.PersistenceException: This connection has been closed. ..... [tomcat.tomcat] [pool-1-thread-7] Caused by: [tomcat.tomcat] [pool-1-thread-7] org.postgresql.util.PSQLException: This connection has been closed. |
30 May 2022 |
OFFENSES | IJ36054 | OFFENSE 'SAVE CRITERIA' DIALOG BOX DOES NOT WORK DUE TO SPECIFIC INTERVAL VALUE BEING 'NULL' | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If the specific interval is null, click "Cancel" and repeat the Save Criteria. Issue If the Offense "Save Criteria" dialog box is large relative to the parent page, it causes the specific interval to be 'null'. For example:
|
30 May 2022 |
HIGH AVAILABILITY (HA) | IJ35704 | HIGH AVAILABILITY APPLIANCE JOIN CAN FAIL WHEN THE /STORE PARTITION ON THE SECONDARY APPLIANCE IS BUSY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When attempting to create a High Availability (HA) pair, the process can fail when the /store partition on the Secondary appliance is unexpectedly in a busy state and unable to be accessed. Messages similar to the following might be visible in the qradar_hasetup.log file when this issue is occurring: Tue Jul 27 16:15:29 CDT 2021 /dev/mapper/storerhel-store is corrupted. Fixing it by running xfs_repair Tue Jul 27 16:15:29 CDT 2021 Running 'xfs_repair /dev/mapper/storerhel-store' in '/root' xfs_repair: /dev/mapper/storerhel-store contains a mounted filesystem xfs_repair: /dev/mapper/storerhel-store contains a mounted and writable filesystem fatal error -- couldn't initialize XFS library Tue Jul 27 16:15:29 CDT 2021 ERROR: Failed to repair /dev/mapper/storerhel-store with return code: 1 |
30 May 2022 |
ASSETS | IJ35017 | ASSET LIST CAN FAIL TO LOAD WHEN A NULL POINTER EXCEPTION OCCURS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The list of Assets can fail to load or display when a Null Pointer Exception occurs during the loading of cached data when empty ipaddress values are present in the asset.asset.view database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [2]] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs [ecs-ep.ecs-ep] [CRE Processor [2]] java.lang.NullPointerException [ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.platform.Qip.of(Qip.java:108) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$102/0x00000000e000f680.call(UnknownSource) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.findByNetwork(Asset.java:405) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.test.Jstl.hostAsset(Jstl.java:950) [ecs-ep.ecs-ep] [CRE Processor [2]] at 
com.q1labs.jstl.test.Jstl.targetHostAsset(Jstl.java:980) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.gen.OptJstl.targetHostAsset(OptJstl.java:728) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.ExternalEventTests.targetHostAsset(ExternalEventTests.java:633) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.gen.targetAssetValue_lt.test(targetAssetValue_lt.java) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.IntCompare_Test.test(IntCompare_Test.java:44) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.gen.TestExecutor_0_2.test(TestExecutor_0_2.java) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:524) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:477) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544) [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484) Or messages similar to: [ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs [ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.NullPointerException [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164) [ecs-ep.ecs-ep] [ECS Runtime 
Thread] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.Qip.of(Qip.java:108) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$88/0x0000000024ed6df0.call(UnknownSource) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.assetExists(Asset.java:377) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:816) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886) [ecs-ep.ecs-ep] [ECS Runtime Thread] at 
com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822) |
30 May 2022 |
BACKUP AND RESTORE | IJ34657 | AFTER PATCHING TO 743 THE CONFIGURED BACKUP REPOSITORY PATH MIGHT BE RESET TO /STORE/BACKUP | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Administrators who are not using the default path of /store/backup for their backups might notice that after patching to 7.4.3 the path is defaulted back to /store/backup. This will cause backups to fail. When trying to reset the backup path, you may observe messages similar to: The backup repository path must contain a valid directory. The directory you specify must not be a system directory |
30 May 2022 |
ASSETS | IJ34594 | ASSETS CAN FAIL TO BE UPDATED WITH FLOW DATA AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Set the HOST_PROFILE_REPORT_INTERVAL to be greater than 60 in Admin > System Settings. Issue In some instances flow data can fail to update the appropriate Asset data. This occurs when the host_profiler component fails to initialize because HOST_PROFILE_REPORT_INTERVAL is set to 60: the profiler thread is scheduled to start after 60s, at a random time between 60s and the report_interval value, so a value of 60 leaves no valid range to pick from and the host_profiler thread fails to start. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822) [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.lang.IllegalArgumentException: bound must be positive [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.util.Random.nextInt(Random.java:399) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.initTimeStamps(HostProfiler.java:335) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.onInit(HostProfiler.java:292) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) |
30 May 2022 |
DOMAINS & TENANTS | IJ34846 | THE OPTION TO REMOVE DOMAIN INFORMATION FROM NORMALIZED EVENT FORWARDING IS NOT HONORED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When forwarding normalized events, the option to remove domain information from events before forwarding is not honored, so Domain ID data is forwarded as part of the normalized events. |
30 May 2022 |
USER INTERFACE | IJ34392 | CANNOT ACCESS REMOTE NETWORKS AND SERVICES CONFIGURATION FROM THE LEFT TREE MENU | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Do not use the left pane menu. Instead, scroll down and directly click Remote Networks and Services. Issue A QRoC Security Administrator, or an on-prem user with the "Remote Networks and Services Configuration" role, cannot use the left pane of the Admin tab to access "Remote Networks and Services". This issue affects both QRoC and QRadar on-prem. Steps to reproduce the issue:
|
30 May 2022 |
QRADAR VULNERABILITY MANAGER | IJ33798 | QRADAR VULNERABILITY MANAGER SCANS ARE NOT DISPLAYED ON THE SCHEDULED SCANS SCREEN | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Scheduled scan profiles which use a cron expression do not appear on the Scheduled Scans screen after a QRadar domain, which includes a QVM scanner, is renamed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getCronScanProfiles' [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles] org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2 [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.springframework.dao.support.DataAccessUtils.nullableSingleResult(DataAccessUtils.java:100) [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:777) [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:799) [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.dao.scanprofile.CronSchedulerDAO.getCronSchedules(CronSchedulerDAO.java:384) 
[tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServiceImpl.getCronSchedules(ScanProfileServiceImpl.java:2008) [tomcat.tomcat] [admin@127.0.0.1(6796) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.q1labs.qvm.service.UIScheduledScansService.getCronScanProfiles(UIScheduledScansService.java:72) |
30 May 2022 |
BACKUP AND RESTORE | IJ32857 | OFFENSES NO LONGER GENERATED AFTER RESTORING A DEPLOYMENT CONFIG BACKUP AND OFFENSE DATA FROM DIFFERENT DATES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Restore Deployment config and Data config from the same backup date. Issue When a QRadar Deployment config restore and an Offense data restore are done from backups with different dates, Offense generation can stop. Messages similar to the following might be visible when this issue occurs: [ecs-ep.ecs-ep] [ECS Runtime Thread] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] Error attempting to load console.ibm.com:ecs-ep/MPC/Magistrate1/MPC Error: java.lang.RuntimeException: Failed to configure Offense Manager Since there isn't a configuration error handler defined, the original error is wrapped in a new RuntimeException [ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.RuntimeException: Failed to configure Offense Manager [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:94) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:854) [ecs-ep.ecs-ep] [ECS Runtime Thread] at 
com.eventgnosis.system.SystemObject.doWork(SystemObject.java:895) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:818) [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.lang.IllegalArgumentException: Invalid domain ID: 1 [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.util.domain.DomainCache.requireValidDomainID(DomainCache.java:749) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.QipSet.add(QipSet.java:168) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCreatedCache(Attacker.java:966) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCaches(Attacker.java:949) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:763) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365) [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90) [ecs-ep.ecs-ep] [ECS Runtime Thread] ... 11 more |
30 May 2022 |
DATA GATEWAY APPLIANCE | IJ32852 | PYTHON EXCEPTIONS GENERATED WHILE ATTEMPTING TO ADD A DATA GATEWAY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Python exceptions similar to those displayed below can sometimes be generated while adding a Data Gateway. When this occurs, the Data Gateway can be left in a state where the console IP is populated in nva.conf and nva.hostcontext.conf, causing repeated failures because the Console and Data Gateway are in a mismatched state in the deployment model. The Data Gateway attempts to remove the host from the deployment but fails because the host does not exist on the Console. Failed to run command 'mh_setup': Failed to add host 'XX.XX.XX.XX' to deployment 'console-XXXXX.qradar.ibmcloud.com': Failed to add host to deployment: Check console logs for details File "/opt/qradar/lib/python/qradar/command_line.py", line 179, in executeCommand self.cmd.execute(self.opts, self.args, self.parser) File "/opt/qradar/bin/setup_qradar_host.py", line 399, in setup input_obj.proxy_port, input_obj.proxy_username, input_obj.proxy_password) File "/opt/qradar/bin/setup_qradar_host.py", line 443, in setupImpl if addToDeploymentImpl(existing_server, server_host, token, private_ip, public_ip, nat_id, encrypt, compress, host_password, skip_deploy=True) is True: File "/opt/qradar/bin/setup_qradar_host.py", line 534, in addToDeploymentImpl addHostToDeployment(deployment, private_ip, public_ip, nat_id, encrypt, compress, host_password) File "/opt/qradar/bin/setup_qradar_host.py", line 1240, in addHostToDeployment raise SystemException(error_message, exit_code) |
30 May 2022 |
REPORTS | IJ32677 | TIME SERIES REPORTS AND DASHBOARDS NOT DISPLAYING DATA AFTER THE ACCUMULATOR FAILS TO LOAD A GLOBALVIEW | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar accumulator stops working as expected after hitting an error when accumulating data for a globalview whose saved search is valid but whose aggregated keys and mappings have an incompatible format. When this issue occurs, time series reports and dashboards stop displaying data because the accumulator experiences an error in one of its pre-processor threads. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [accumulator.accumulator] [Preprocessor(events)_2] com.q1labs.cve.accumulation.ObjectArrayAccessors: [ERROR] [NOT:0000003000][xxx.xx.xx/- -] [-/- -]Unexpected error while building record [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.aggregation.props.AggregatedRecordPropertyBase.createKey(AggregatedRecordPropertyBase.java:17) [accumulator.accumulator] [Preprocessor(events)_2] java.lang.ClassCastException: com.q1labs.core.types.event.NormalizedEvent incompatible with java.util.Map$Entry [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors$ObjectArrayAccessor.getKey(ObjectArrayAccessors.java:355) [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.getKey(ObjectArrayAccessors.java:265) [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:233) [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26) [accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [accumulator.accumulator] [Preprocessor(events)_2] at java.lang.Thread.run(Thread.java:818) |
30 May 2022 |
EVENT FORWARDING | IJ34583 | ONLINE FORWARDING CAN LEAVE BEHIND STALE TCP SOCKETS IF THE CONNECTION IS RESET BY THE PEER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Switch to offline forwarding and fix whatever is causing the connection resets at the remote end. Or disable the forwarding profile causing the connection resets. Then, during a maintenance window, run: systemctl restart ecs-ec. Issue Customers might experience stale sockets left behind when using forwarding if the connection is reset by the peer. These can build up over time, resulting in the maximum file handles for the process being hit and "Too many open files" messages in journalctl. To diagnose whether you are affected by this issue, use journalctl to look for "Too many open files" messages, or look for WARN messages similar to the following in /var/log/qradar.error: [ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread:[WARN] [NOT:0000004000][xxx.xxx.xxx.xxx [Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003] Event Processing Error (SocketTimeoutException) [1]. [ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread:[WARN] [NOT:0000004000][xxx.xxx.xxx.xxx 19:25:59.0715 [Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003] Unable to retry event[Queue Full], dropping event[104361]. |
30 May 2022 |
USER INTERFACE | IJ30933 | 'APPLICATION ERROR' IS DISPLAYED WHEN ACCESSING THE ADMIN TAB WHEN THERE IS AN EMPTY FILE IN /OPT/QRADAR/CONF/LICENSEKEY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround
Issue If an empty file is present in /opt/qradar/conf/licensekey, a message similar to the following is displayed on the left side of the browser when opening the Admin tab of the QRadar user interface: Application Error An error has occurred. Return and attempt the action again. If the Problem persists, please contact customer support for assistance. |
30 May 2022 |
DSM EDITOR | IJ30104 | USING THE DSM EDITOR TO MODIFY A CONFIGURATION PROPERTY FOR A SPECIFIC EVENT COLLECTOR DOES NOT SAVE THE CHANGE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When using the DSM Editor to modify a configuration property of a DSM for a specific Event Collector, the new value is not saved or displayed when the DSM Editor is re-opened, due to missing parameters in /opt/qradar/conf/templates/replication.sql. No error is observed or written to QRadar logging when this occurs. |
30 May 2022 |
CONTENT MANAGEMENT TOOL (CMT) | IJ29327 | LOG SOURCES IMPORTED USING THE CONTENT MANAGEMENT TOOL CAN FAIL DUE TO PASSWORD DECRYPTION ISSUES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When Log Sources are imported into QRadar using the Content Management Tool (CMT), the passwords are not re-encrypted with the keys of the destination. As a result, passwords that cannot be decrypted are placed in the database, which causes QRadar to error in any product area that attempts to read these passwords (for example: the legacy Log Source UI, the Log Source Management API, running protocols, etc.). Messages similar to the following might be visible when this issue occurs: /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] javax.crypto.BadPaddingException: Given final block not properly padded /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.ibm.crypto.provider.AbstractBufferingCipher.a(Unknown Source) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.ibm.crypto.provider.AbstractBufferingCipher.engineDoFinal(Unknown Source) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at javax.crypto.Cipher.doFinal(Unknown source) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] java.lang.RuntimeException: com.q1labs.frameworks.crypto.DecryptException: com.ibm.si.mks.CryptoException: Failed to decrypt data /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.decrypt(SensorProtocolConfigParameters.java:212) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.getValue(SensorProtocolConfigParameters.java:135) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.q1labs.core.dao.qidmap.SensorDevice.getProtocolParameterValue(SensorDevice.java:1407) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.ibm.si.data_ingestion.api.impl.logsource.model.LogSource.{init}(LogSource.java:88) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.ibm.si.data_ingestion.api.impl.logsource.LogSourceUpdater.updateAndFetch(LogSourceUpdater.java:116) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at com.ibm.si.data_ingestion.api.v13_0.logsource.LogSourceAPI.update(LogSourceAPI.java:717) /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) |
30 May 2022 |
AUTHENTICATION | IJ29105 | LDAP AUTH CAN FAIL WHEN LDAP GROUP NAME HAS A SPECIAL CHARACTER AND MULTIPLE GROUPS ASSIGNED TO SAME SECURITY PROFILE AND USER ROLE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Create a separate security profile or user role for each LDAP group. Issue Multiple LDAP groups cannot be assigned to the same security profile or user role correctly if the group name contains special characters (example: a space). LDAP Authentication can fail for users in these instances. For example:
|
30 May 2022 |
RULES | IJ28581 | USING A LOCALE OTHER THAN ENGLISH, COUNTRIES ARE NOT DISPLAYED IN ALPHABETICAL ORDER WHEN MODIFYING GEOGRAPHIC RULE CONDITIONS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When users select a locale other than English, countries are not displayed in alphabetical order when editing a geographic condition. This makes editing geographic conditions difficult for administrators and users not using an English locale.
|
30 May 2022 |
ERROR LOGS | IJ28474 | REPEATED SSH DEBUG MESSAGES CAN BE OBSERVED IN /VAR/LOG/MESSAGES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Note: APAR IJ28474 was initially closed as a permanent restriction and was later resolved in 7.5.0 UP2. Workaround From an SSH session to the QRadar Console, paste the following command and press 'Enter' to remove the '-v' option from the managed tunnel service unit, reload systemd, and restart tunnel_manager: sed -i 's/ssh -N -T -v/ssh -N -T/g' /etc/systemd/system/managed-tunnel@.service; systemctl daemon-reload; systemctl restart tunnel_manager Issue Repeated SSH debug messages can be observed in /var/log/messages when a Managed Host connection is encrypted. For example: hostname ssh[5759]: debug1: channel 6: connected to localhost port 443 hostname ssh[3083]: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 12 win 2097152 max 32768 hostname ssh[3083]: debug1: client_request_forwarded_tcpip: listen localhost port 443, originator 127.0.0.1 port 39748 hostname ssh[3083]: debug1: connect_next: host localhost ([127.0.0.1]:443) in progress, fd=14 hostname ssh[3083]: debug1: channel 10: new [127.0.0.1] hostname ssh[3083]: debug1: confirm forwarded-tcpip hostname ssh[3083]: debug1: channel 10: connected to localhost port 443 hostname ssh[3132]: debug1: client_input_global_request: rtype ***@openssh.com want_reply 1 hostname ssh[3163]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1 hostname ssh[3151]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1 hostname ssh[2936]: debug1: channel 14: free: 127.0.0.1, nchannels 16 |
30 May 2022 |
SEARCH | IJ21678 | ARIEL SEARCHES IN QRADAR CAN TAKE LONGER THAN EXPECTED TO COMPLETE WHEN USING A LOG SOURCE TYPE FILTER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Searches can take longer than expected to complete when using a Log Source Type filter in an Ariel search. This has been identified as being caused by Ariel becoming single-threaded in some instances. |
30 May 2022 |
UPGRADE | IJ36926 | QRADAR PATCHING CAN FAIL IF DUPLICATE IP ADDRESSES ARE PRESENT IN DATABASE TABLE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The QRadar patching process from version 7.3.x to 7.4.3 FP3 or 7.4.3 FP4 can fail if duplicate IP addresses are present in the database, due to new lines implemented in the db_update_offense.inet.0.sql file. Messages similar to the following might be visible in the applicable /var/log/setup-xxxx/patches.log when this issue occurs: Error applying script [31/136] '/media/updates/opt/qradar/conf/templates/db_update_offense.inet.0.sql' for Test_qradar database. WARNING: SET TRANSACTION can only be used in transaction blocks NOTICE: Finding duplicate IP addresses in ... NOTICE: Duplicate IP addresses found in ... |
23 February 2022 |
UPGRADE | IJ36269 | QRADAR "PATCH SUCCESSFUL WITH ERRORS" FAILING ON "...9804.INSTALL" FILE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround The "patch was successful with errors" in these instances is benign and can be safely ignored. Issue The QRadar patching process can complete but fail on '...9804.install' ("Patch successful with errors") when a Managed Host is removed from the deployment prior to patching as there is a deleted record in the database that the 9804.install file is expecting during the patching process. The error is benign and can be safely ignored in these instances. |
23 February 2022 |
DSM EDITOR | IJ36376 | EVENT PAYLOADS FAIL TO PARSE CORRECTLY WHEN THE PAYLOAD ENDS IN A QUOTATION MARK PRECEDED BY A SPACE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Logs for Custom DSMs are parsed and mapped correctly in the DSM Editor but are marked and displayed as Stored in Log Activity when the payload ends in a " (quotation mark) character preceded by a blank space character. |
23 February 2022 |
RULES | IJ35847 | AQL CUSTOM EVENT PROPERTIES IN EMAIL TEMPLATES DISPLAY AS 'N/A' AFTER PATCHING TO QRADAR 7.4.3 OR NEWER | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue AQL custom event properties within the email template display as 'N/A' after patching to QRadar version 7.4.3 or newer. This is caused by the deprecation of the ariel_aql_property database table. |
23 February 2022 |
QRADAR NETWORK INSIGHTS (QNI) | IJ35752 | HIGHER THAN EXPECTED CPU USAGE ON QRADAR NETWORK INSIGHTS OR QRADAR INCIDENT FORENSICS HOSTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue QRadar Network Insights hosts running on the Advanced inspection level or QRadar Incident Forensics hosts can experience high CPU consumption by the decapper process due to the regular expression for email address suspect content descriptions. |
23 February 2022 |
APPLICATION FRAMEWORK | IJ35002 | UNINSTALLING A CONTENT PACK CAN CAUSE RULES TO NOT FUNCTION AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue After uninstalling a QRadar content pack, rules can fail to function as expected. This can occur when the content pack uninstall process removes items (example: Custom Event Properties) that it should not remove. |
23 February 2022 |
QRADAR RISK MANAGER | IJ34908 | QRADAR RISK MANAGER CAN DISPLAY A CONFIRMATION MESSAGE DURING DEVICE IMPORT WHEN THE DEVICES ARE NOT IMPORTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In QRadar Risk Manager, when devices are imported from a CSV file, the Device Import application can sometimes display a confirmation message similar to "Your devices have been imported successfully.", but the devices are not imported. |
23 February 2022 |
UPGRADE | IJ34734 | QRADAR PATCHING PROCESS CAN FAIL ON DESTINATION SITE WHEN THE DATA SYNC APP IS INSTALLED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround
The QRadar patching process can fail to complete when using the Data Sync app. This is due to a problem that occurs when hostcontext and its managed processes are attempting to startup on a Destination site that is not in an active state. |
23 February 2022 |
QRADAR INCIDENT FORENSICS | IJ34838 | QRADAR INCIDENT FORENSICS RECOVERY SEARCHES FAIL AFTER A QRADAR DEPLOY FUNCTION IS PERFORMED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround From an SSH session, restart the solr service: systemctl restart solr Issue QRadar Incident Forensics recovery searches can fail after a QRadar deploy function because the solr service is not stopped during the deploy function processes. |
23 February 2022 |
RULES | IJ34847 | DEPENDENT RULES ARE NOT DISPLAYED WHEN REFERENCE SETS ARE USED IN AN AQL OR ARIEL FILTER TEST IN A CUSTOM RULE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround From an SSH session, restart the solr service: systemctl restart solr Issue When reference sets are used in an AQL (Advanced Search) or Ariel filter test in a custom rule, the Reference Set Management interface does not indicate that rule as dependent on the reference set. For example:
|
23 February 2022 |
QRADAR VULNERABILITY MANAGER | IJ34318 | QRADAR VULNERABILITY MANAGER REPORT IN XLS FORMAT CAN FAIL DUE TO 'NUMBERFORMATEXCEPTION' | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Select another report output format that is not .xls. Issue QRadar Vulnerability Manager reports that are configured to output in .xls format can fail. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:A [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790].java.lang.NumberFormatException:For input string: "4.54 [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:R admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:623) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:284) [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99" Error [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:Failed to run using template admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml. |
23 February 2022 |
INSTALL | IJ34367 | SHUTTING DOWN THE SYSTEM ON A NEW ISO INSTALL BEFORE THE LICENCE AGREEMENT CAUSES SETUP TO FAIL WHEN THE SYSTEM IS POWERED UP | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue During setup, or when running qchange_netsetup, you might receive the error "The script cannot determine if this IP has been reused." Contact support for further help. This is caused by shutting down the system on a new ISO install at the login prompt before the license agreement, which causes setup to fail when the system is powered back on and the install continues. Look for similar error messages in /var/log/setup-<QRadar_build>/qradar_netsetup.log: qradar_netsetup.py[6638]: ibm_logging error [ERROR] The script cannot determine if this IP has been reused. Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup finalBlock [ERROR] Exceptions: Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup finalBlock [ERROR] Traceback (most recent call last): Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py", line 3969, in main Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup finalBlock [ERROR] qradarNetsetup.doJob() Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py", line 961, in doJob |
23 February 2022 |
ASSETS | IJ33757 | ASSET PROFILER CONFIGURATION 'USE ADVANCED' OPTION CHANGES NEW INPUT VALUES TO A VALUE OF ZERO (0) | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue In the Asset Profiler Configuration > Use advanced settings, newly entered retention period values are not saved and are instead reset to 0. For example
Messages in /var/log/audit.log similar to the following might be visible when this issue occurs: admin@127.0.0.1 (5437) /console/JSON-RPC/QRadar.saveChangesAssetProfiler QRadar.saveChangesAssetProfiler | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Enable Client Application Profiling' from '0' to '13' ( initiating-user="admin" ) admin@127.0.0.1 (5437) /console/JSON-RPC/QRadar.saveChangesAssetProfiler QRadar.saveChangesAssetProfiler | [Action] [QRadarSystemSettings] [SystemSettingsChange] admin changed 'Enable Client Application Profiling' from '13' to '0' ( initiating-user="admin" ) |
23 February 2022 |
RULES | IJ34348 | RULE OWNER CAN FAIL TO BE REASSIGNED AFTER A USER IS DELETED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Recreate the deleted user, and reassign rule ownership prior to deletion. Issue When deleting a QRadar user, rules owned by that user are sometimes not re-assigned to the current active user as expected. For example,
|
23 February 2022 |
CERTIFICATES | IJ34632 | HOSTCONTEXT OUT OF MEMORY CAN OCCUR WHEN A LARGE CERTIFICATE REVOCATION LIST EXISTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar Hostcontext service can experience an Out Of Memory occurrence when there is a large certificate revocation list file stored under cached_crls. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: 3a30ea5c-e061-4a00-bb0f-2ea592d148f2/SequentialEventDispatcher at java.io.ByteArrayOutputStream.grow(I)V (ByteArrayOutputStream.java(Compiled Code)) at java.io.ByteArrayOutputStream.write([BII)V (ByteArrayOutputStream.java:164(Compiled Code)) at java.io.OutputStream.write([B)V (OutputStream.java:86(Compiled Code)) at com.ibm.security.util.DerValue.toByteArray()[B (DerValue.java:1034(Compiled Code)) at com.ibm.security.x509.X509CRLEntryImpl.parse(Lcom/ibm/security/util/DerValue;)V(X509CRLEntryImpl.java:609(Compiled Code)) at com.ibm.security.x509.X509CRLEntryImpl. |
23 February 2022 |
EVENT COLLECTORS | IJ33795 | GLUSTERFS MIGRATION MANAGER CAN FAIL DURING RSYNC OF DATA BACK TO THE /STORE PARTITION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Prior to running the migration tool steps, stop crond by using the following command from an SSH session to the appliance: systemctl stop crond After the migration tool is completed, restart crond using: systemctl start crond NOTE: If the issue has already occurred, contact support for assistance. Issue The glusterfs_migration_manager can fail during the rsync of data back to /store while crond is running. This can occur because crond runs a task every 1 minute in the window between the /store partition being mounted after it was reformatted and the rsync restoring the symlink for /store/tmp. |
23 February 2022 |
CUSTOM EVENT PROPERTIES | IJ34598 | "OPTIMIZED" CUSTOM EVENT PROPERTY WITH DIFFERENT EXPRESSION TYPES DO NOT PROPERLY PARSE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Where possible, remove the "optimize" option for the Custom Event Property (disable the "Enable for use in Rules..." parameter). NOTE: This is a limited workaround, as the optimize option can be required for proper QRadar performance and functionality. Issue When a log source type has two or more "optimized" CEPs with different expression types (e.g., one has a Generic List expression and the other has a Name-Value Pair expression), they both get correct property values when using the DSM Editor event parsing preview. When the events are viewed in the Log Activity tab, one of the properties has an incorrect value or "N/A" (value is missing). |
23 February 2022 |
EVENT COLLECTORS | IJ34167 | GLUSTERFS MIGRATION TOOL FAILS WHEN THE /STORE PARTITION ENCOUNTERED IS IN EXT4 FORMAT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The Glusterfs migration tool fails when it encounters a /store partition that is currently in ext4 format. |
23 February 2022 |
DATA OBFUSCATION | IJ34597 | CEP PARSING BREAKS WHEN OBFUSCATION IS ACTIVATED AND THE CEP HAS FORCE PARSED ENABLED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Uncheck the option under the Custom Event Property, Enable for use in Rules, Forwarding Profiles and Search Indexing. Issue Customers who use a regular expression based obfuscation profile and have checked the force parse option: "Enable for use in Rules, Forwarding Profiles and Search Indexing" might notice that event parsing using that Custom Event Property is broken. Steps to reproduce this issue:
|
23 February 2022 |
LICENSE | IJ33284 | QNI AND QIF ATTEMPT TO CONNECT TO LICENSE.XFORCE-SECURITY.COM AFTER A DECAPPER RAN OUT OF MEMORY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In environments with QRadar Incident Forensics or QRadar Network Insights, when a decapper Out Of Memory occurs and the process is restarted, a connection attempt is made to license.xforce-security.com. When this occurs, the attempt can be blocked by a customer-installed firewall, generating alert messages. |
23 February 2022 |
OFFENSES | IJ33893 | THE OFFENSE API UPDATES THE OFFENSE IN THE DATABASE BUT THE OFFENSE MANAGER IS NOT AWARE OF IT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Updates to the offense API endpoint /api/siem/offenses/{id} update the database, but the Offense Manager is not aware of the update. An attempt to close an offense from the API appears to succeed, for example: curl -S -X POST -u admin -H 'Version: 17.0' -H 'Accept:application/json' 'https://x.x.x.x/api/siem/offenses/111?status=CLOSED' The API sets the offense to closed in the database; however, the Event Processor and the Magistrate Processor Core still consider the offense open and continue to update it. |
23 February 2022 |
RULES | IJ33438 | CORRUPT REFERENCE DATA TABLE CAN CAUSE THE RULE WIZARD TO FAIL TO WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround
Corrupt reference data (database table) can stop the rule wizard from working as expected. Users are unable to see the Rule enable and Rule limiter options in the Rule Wizard, and are unable to edit or add rules. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred in the _jspService method for org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp: null [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] java.lang.NullPointerException [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp._jspService(RuleWizard_002daction_jsp.java:2104)[tomcat.tomcat] [us com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148) [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewiza javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476) [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/ruleworg.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) |
23 February 2022 |
QRADAR NETWORK INSIGHTS | IJ37173 | SOURCE AND DESTINATION PAYLOADS FOR ICMP TRAFFIC FAIL TO BE CAPTURED BY QRADAR NETWORK INSIGHTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue QRadar Network Insights identifies ICMP traffic, but it does not capture source and destination payloads for ICMP traffic even when available. |
23 February 2022 |
ASSETS | IJ32925 | ASSET PROFILER TREATS HOSTNAMES WITH DIFFERENT CASES (UPPER AND LOWER) AS SEPARATE ASSETS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The QRadar asset profiler can create separate assets for the same asset due to differences in the case (upper and lower) of the hostname when events are processed by QRadar. For example,
|
23 February 2022 |
RULES | IJ32783 | RULE RESPONSE EMAIL FAILS TO BE SENT DUE TO "&" (AMPERSAND) SYMBOL IN EMAIL ADDRESS BEING CHANGED TO "&amp;" | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When a Rule Response is configured for email and the email address contains an "&" (ampersand) symbol, the Rule Response email is not generated because the symbol is changed to the HTML entity "&amp;" by QRadar, which is what produces the "Illegal semicolon" error below. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]com.q1labs.sem.util.EmailSender: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Exception attempting to send email: Illegal semicolon, not in group [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]org.ap [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.createIn va:605)[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEve inator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.addTo(Email.java) [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.addTo(Email.java: [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.addTo(Email.java) [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at com.q1labs.sem.util.EmailSender.send(EmailSende [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at com.ibm.si.ep.destinations.EmailDestination.outDestination.java:42) [ecs-ep.ecs-ep] [[type=com.eventgnosis.syst inator][parent=hostname:ecs-ep/EP/EmailDestination]]at com.eventgnosis.system.ThreadedEventTerminator. ventTerminator.java:51)[ecs-ep.ecs-ep] [[type=com.eventgnosis.sy inator][parent=hostname:ecs-ep/EP/EmailDestination]]at java.lang.Thread.run(Thread.java:822) |
23 February 2022 |
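The failure above is an encoding-context mistake: an address escaped for HTML display is handed to the mail layer, and the escaped form carries a semicolon that an RFC 5322 addr-spec cannot contain. The Python below is an added example, not QRadar code and not part of the APAR; it assumes nothing about QRadar internals. It shows why "&" is legal in an address while "&amp;" is not, escapes only for the UI context, and rejects an already-escaped value before it can reach a To: header.

```python
import html
import re

# RFC 5322 "atext": the characters allowed unquoted in the local part of an
# address. '&' is a legal atext character; ';' is not. That is why an address
# that has been HTML-escaped to r&amp;d@example.com is rejected by a mail
# library with an error such as "Illegal semicolon, not in group".
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
_ADDR_SPEC = re.compile(rf"{_DOT_ATOM}@{_DOT_ATOM}")

# Matches an HTML character reference such as &amp; &#38; or &#x26;, i.e. a
# value that was encoded for an HTML context and must not reach an SMTP header.
_HTML_REF = re.compile(r"&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def is_valid_addr_spec(addr: str) -> bool:
    """True if addr is a dot-atom RFC 5322 addr-spec (quoted local parts are
    not handled here; they are rare in alerting configurations)."""
    return _ADDR_SPEC.fullmatch(addr) is not None


def looks_html_escaped(addr: str) -> bool:
    """True if the stored value carries HTML character references."""
    return _HTML_REF.search(addr) is not None


def escape_for_html(addr: str) -> str:
    """Encode for the one context that needs it: rendering the address in a UI."""
    return html.escape(addr, quote=True)


def build_to_header(recipients: list) -> str:
    """Build the value of the To: header from raw (unencoded) addresses.

    Rejects, rather than silently sends, a value that was encoded for HTML
    somewhere upstream; that is the failure mode the APAR describes.
    """
    checked = []
    for addr in recipients:
        if looks_html_escaped(addr):
            raise ValueError(f"recipient is HTML-escaped, not a raw address: {addr!r}")
        if not is_valid_addr_spec(addr):
            raise ValueError(f"recipient is not a valid addr-spec: {addr!r}")
        checked.append(addr)
    return ", ".join(checked)
```

The practical check for an affected deployment is the same as the validator above: a configured recipient that contains "&amp;" (or any other "&...;" reference) has been stored in its display form and will never be delivered until the fix is applied.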
RULES | IJ32782 | RULES CAN FAIL TO WORK AS EXPECTED DUE TO THE ACCUMULATOR PROCESS FAILING TO CONNECT TO ECS-EP PROCESS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Restarting the accumulator process can correct this issue. Run the following command from an SSH session to the QRadar Console: systemctl restart accumulator Issue In some instances, the connection from the accumulator to ecs-ep processes cannot be established once it has been disconnected by the channelActivitCheckTimer. When this occurs, rules (example: threshold rules) can fail to work as expected because of the failed connection between the processes. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [accumulator.accumulator] [SentryAlertProcessor] com.q1labs.cve.sentryengine.AlertProcessor: [WARN] [NOT:0000004000][IP/- -] [-/- -][localhost:32005] Unable to connect to: "localhost/127.0.0.1:32005". java.net.ProtocolException: Wrong protocol from java.nio.channels.SocketChannel[connected local=/127.0.0.1:59414 remote=localhost/127.0.0.1:32005] |
23 February 2022 |
REPORTS | IJ32641 | SCHEDULED REPORTS CAN RUN ON RAW DATA CAUSING THEM TO FAIL OR TAKE LONGER THAN EXPECTED TO COMPLETE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue QRadar deployments running version 7.4.1 or newer can experience an issue where scheduled reports are running on raw data. When this occurs, searches take longer than expected to complete causing the reports to take longer than expected to complete or cause them to fail. |
23 February 2022 |
BACKUP AND RESTORE | IJ32734 | RESTORE FAILS WHEN DEPLOYMENT CONFIGURATION IS NOT AUTO SELECTED WHEN ASSET DATA IS BEING RESTORED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When Asset Data is being restored from a backup, the Deployment Configuration should automatically be selected but is not. The restore fails when an Asset restore is attempted without the Deployment Configuration. Messages similar to the following might be visible in /var/log/qradar.log when a restore is attempted in this manner: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: No host id mapping supplied with asset restore [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.core.HostRemappingUtils.remapScannerHostIds(HostRemappingUtils.java:372) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.core.HostRemappingUtils.remap(HostRemappingUtils.java:439) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3068) [hostcontext.hostcontext] [BackupServices_restore] ... 5 more |
23 February 2022 |
GEOGRAPHIC DATA | IJ20467 | UNABLE TO RETRIEVE MAXMIND GEOLITE2-CITY.MMDB UPDATES USING A CONFIGURED PROXY IN QRADAR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that the geodata database within QRadar is not updated when a proxy is correctly configured in the User Interface (Admin > Auto Updates > Change Settings > Advanced), due to an issue found within AutoUpdateProxyUtil.sh. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring: 500 Can't connect to proxy_ip_address:proxy_port at /opt/qradar/bin/geoipupdate-pureperl.pl line 180, <STDIN> line 1. |
30 May 2022 |
SEARCH | IJ30759 | ERROR MESSAGE GENERATED IN THE UI WHEN A SECURITY ADMIN ATTEMPTS TO VIEW ANOTHER USER'S SAVED SEARCH RESULTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When trying to view another user's saved search results as a security administrator, the following error message is displayed: "This query has timed out, and is no longer valid. Please use the search to perform a new query." |
23 February 2022 |
FLOWS | IJ30102 | FLOWS CAN STOP BEING RECEIVED BY QRADAR WHEN THE 'FLOWGOVERNOR' EXPERIENCES A BLOCK WHILE TRYING TO CONNECT TO ECS-EC PROCESS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Performing a service restart from an SSH session to the QRadar Console can resolve this issue. Type the following command: systemctl restart ecs-ec-ingress Then type the following command: systemctl restart ecs-ec Note: Event collection is interrupted when the ecs-ec-ingress service is restarted. Issue Flows can fail to be received by QRadar when the Flow Governor experiences a NullPointerException. When this occurs, no flows are streamed to the QRadar User Interface and users are unable to see recent flows in searches. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec.ecs-ec] [FlowGovernerProcessor] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][/- -] [-/- -]Exception was uncaught in thread: FlowGovernerProcessor [ecs-ec.ecs-ec] [FlowGovernerProcessor] java.lang.NullPointerException [ecs-ec.ecs-ec] [FlowGovernerProcessor] at com.ibm.si.ec.filters.FlowGoverner$FlowProcessor.run(FlowGoverner.java:345) Note: This issue has been identified as most likely to occur after a QRadar patch is applied. |
23 February 2022 |
CERTIFICATES | IJ29956 | HTTPD SERVICE CAN FAIL TO START IF AN ISSUE OCCURS WHILE INSTALLING A NEW CERTIFICATE USING INSTALL-SSL-CERT.SH | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Manually start the httpd service from a command line SSH session on the QRadar Console: systemctl start httpd Issue The httpd service can sometimes fail to start after the install of a new SSL certificate via the /opt/qradar/bin/install-ssl-cert.sh script. When the script encounters an error, it restores a backup of the previous configuration and attempts to reload the httpd service; because httpd is not running at that point the reload is skipped and the service is left stopped. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Restoring previous SSL configuration ... (OK) Reloading httpd configuration: (SKIPPED): httpd not running Mon Nov 30 17:23:27 GTM 2020 [install-ssl-cert.sh] ERROR: Could not update SSL certificate - previous config restored |
23 February 2022 |
HIGH AVAILABILITY (HA) | IJ29684 | BENIGN MESSAGE WRITTEN TO QRADAR LOGGING ON HA SECONDARY: "[WARN] HA IS ACTIVE BUT THIS IS NOT THE ACTIVE BOX. EXITING..." | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue A benign message similar to the following can sometimes be observed in the QRadar logging on a High Availability (HA) Secondary appliance: "[WARN] HA is active but this is not the active box. Exiting..." NOTE: This is caused by the /opt/qvm/assetupdates/run-qvm-assetupdates.sh script (activated via cron) on the Secondary. This is a benign message and can be safely ignored. |
23 February 2022 |
ASSETS | IJ29376 | BLANK OPERATING SYSTEM (OS) FIELD DISPLAYED FOR IMPORTED ASSETS WHERE THE OS IS UNKNOWN TO QRADAR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When importing an asset that has an Operating System (OS) unknown to QRadar, the Asset tab displays the asset's OS as a blank field when it should display it as 'unknown'. This behavior can also be observed in the Edit Asset Profile > Operating System field. |
23 February 2022 |
FLOWS | IJ29508 | QFLOW PROCESS FAILS TO START WHEN THE RPM DATABASE CONTAINS CORRUPTION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When corruption occurs in the QRadar RPM database causing RPM commands to fail to respond, the qflow process fails to start. When this occurs, flows are not processed by QRadar. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Job for qflow.service failed because a timeout was exceeded. See "systemctl status qflow.service" and "journalctl -xe" for details. |
23 February 2022 |
HIGH AVAILABILITY (HA) | IJ28804 | HIGH AVAILABILITY SECONDARY IN 'OFFLINE' STATE WHEN IT IS REBOOTED A FEW MINUTES AFTER THE PRIMARY DURING PATCH PROCESS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround On the affected Secondary appliance:
Issue If, during the patching process, a QRadar High Availability (HA) Secondary appliance reboot is performed a few minutes later than the Primary appliance reboot, the HA Secondary can be in an "offline" state after the reboot completes. |
23 February 2022 |
LOG SOURCE MANAGEMENT APP | IJ28767 | AN API ERROR IS GENERATED WHILE USING THE LOG SOURCE MANAGEMENT APP WHEN CONFIGURED TO USE THE 'NORSK (NORGE)' LOCALE IN QRADAR | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Use the other available Norwegian locales:
Issue Setting the QRadar locale to 'norsk (Norge)' can cause an API error when using the Log Source Management (LSM) app. For example,
23 February 2022 |
MANAGED HOSTS | IJ28804 | INTERMITTENT QRADAR SYSTEM NOTIFICATIONS 'TIME SYNCHRONIZATION HAS FAILED - SOCAT FAILED TO INITIALIZE' WHEN ENCRYPTION ENABLED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Intermittent System Notifications similar to the following can sometimes be observed in QRadar environments where encryption to Managed Hosts (Encrypt Host Connections) is enabled: "Time Synchronization to Console has failed - socat failed to initialize." |
23 February 2022 |
RULES | IJ05418 | ANOMALY DETECTION ENGINE (ADE) RULES CAN CONTINUE TO FIRE AFTER BEING DISABLED AND/OR DELETED IN THE USER INTERFACE | CLOSED | Not resolved in a release; closed as a suggestion for a future release. Workaround No workaround available. Issue It has been identified that some Anomaly Detection Engine (ADE) rules can continue to function after they have been disabled or deleted from the QRadar User Interface. For example, users have reported cases where the User Behavior Analytics (UBA) app was uninstalled, yet its anomaly rules were still functioning in the QRadar backend (database): either the rules were no longer displayed in the User Interface (UI), or they were still shown in the UI but could not be disabled or deleted. |
10 June 2019 |
DATA OBFUSCATION | IJ27704 | REGEX BASED DATA OBFUSCATION ONLY OBFUSCATES THE FIRST DATA MATCH, NOT ALL DATA MATCHES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In situations where regex based data obfuscation is used and there are multiple pieces of data that match the regex, only the first one is obfuscated, leaving any other matches in plain text. The expected behavior is that all data matched by the regex is obfuscated, not just the first match. |
23 February 2022 |
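The first-match-only behaviour described in IJ27704 is the difference between replacing the first hit and replacing every hit, and the consequence is that the second and later pieces of sensitive data stay readable. The following Python is an added example, not QRadar code and not part of the APAR; the sample payload, the two patterns and the "OBF-" token format are constructed for illustration. It shows the faulty and the correct behaviour side by side, supports a pattern with a capture group so only the sensitive part of a match is replaced, and adds the post-condition check a practitioner would run after obfuscation: the pattern must find nothing left in clear.

```python
import hashlib
import re
from typing import Callable, List

# Constructed sample: two e-mail addresses in one payload. With first-match-only
# behaviour the second one is left in clear text.
SAMPLE_PAYLOAD = (
    "user=alice@example.com action=share "
    "recipient=bob@partner.example result=ok"
)

# Whole-match pattern: obfuscate every address wherever it appears.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Capture-group pattern: obfuscate only group 1 and keep the "key=" context.
KEYED_VALUE_RE = re.compile(r"(?:user|recipient)=(\S+)")

TOKEN_PREFIX = "OBF-"


def mask(value: str) -> str:
    """Deterministic, non-reversible token: equal inputs give equal tokens, so
    the obfuscated field still supports correlation and counting."""
    return TOKEN_PREFIX + hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def _replacement(m: re.Match, masker: Callable[[str], str]) -> str:
    """If the pattern has a capture group, replace only group 1 and keep the
    rest of the match; otherwise replace the whole match."""
    if m.lastindex:
        g_start, g_end = m.span(1)
        whole = m.group(0)
        return (
            whole[: g_start - m.start()]
            + masker(m.group(1))
            + whole[g_end - m.start() :]
        )
    return masker(m.group(0))


def obfuscate_first_only(payload: str, pattern: re.Pattern, masker=mask) -> str:
    """The faulty behaviour: count=1 stops after the first hit (the Python
    equivalent of a single find()/replaceFirst) and leaves later matches in clear."""
    return pattern.sub(lambda m: _replacement(m, masker), payload, count=1)


def obfuscate_all(payload: str, pattern: re.Pattern, masker=mask) -> str:
    """Correct behaviour: replace every non-overlapping match."""
    return pattern.sub(lambda m: _replacement(m, masker), payload)


def residual_matches(payload: str, pattern: re.Pattern) -> List[str]:
    """Post-condition check to run after obfuscation: return every value the
    pattern still finds that is not already an obfuscation token."""
    found = []
    for m in pattern.finditer(payload):
        value = m.group(1) if m.lastindex else m.group(0)
        if not value.startswith(TOKEN_PREFIX):
            found.append(value)
    return found
```

Running residual_matches over a sample of obfuscated payloads is the quickest way to confirm whether a deployment is affected: any non-empty result on data that was supposed to be fully masked means the second and later matches are being stored in clear.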
ROUTING RULES | IJ25912 | ROUTING RULE FILTERS DROP DOWN LIST DOES NOT RELOAD APPROPRIATE OPTIONS WHEN TOGGLING BETWEEN ONLINE AND OFFLINE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Refresh the User Interface page prior to selecting the Routing Rule filters drop down. Issue Some offense properties do not appear in the Routing Rule Filters dropdown list after toggling between online and offline mode in the Routing Rule editor. For example:
|
23 February 2022 |
QRADAR VULNERABILITY MANAGER | IJ24185 | SYSTEM NOTIFICATION STATING QVM PROCESSOR FAILURE TO START CAN BE CAUSED BY CHECKQRMLICENSETRIGGER IN DB TABLE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue QRadar System Notifications stating that the qvmprocessor has failed to start can be generated when checkQRMLicenseTrigger data unexpectedly exists in a database table. Messages similar to the following might be visible in /var/log/qradar.log: [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [NOT:0150114103][ip_address/- -] [-/- -]Process qvmprocessor.qvm has failed to start for 6606 intervals. Continuing to try to start... Messages similar to the following might be visible using journalctl when this issue occurs for the qvmprocessor process: qvmprocessor[29794]: Error creating bean with name 'cronSchedulerDAO' defined in class path resource [scheduler.spring.xml]: Cannot resolve reference to bean 'quartzScheduler' while setting bean property 'scheduler'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'quartzScheduler' defined in class path resource [sqlagents.spring.xml]: Invocation of init method failed; nested exception is org.quartz.JobPersistenceException: Couldn't retrieve trigger: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested exception: java.lang.IllegalStateException: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?]
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cronSchedulerDAO' defined in class path resource [scheduler.spring.xml]: Cannot resolve reference to bean 'quartzScheduler' while setting bean property 'scheduler'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'quartzScheduler' defined in class path resource [sqlagents.spring.xml]: Invocation of init method failed; nested exception is org.quartz.JobPersistenceException: Couldn't retrieve trigger: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested exception: java.lang.IllegalStateException: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?] ... qvmprocessor[29794]: Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'quartzScheduler' defined in class path resource [sqlagents.spring.xml]: Invocation of init method failed; nested exception is org.quartz.JobPersistenceException: Couldn't retrieve trigger: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested exception: java.lang.IllegalStateException: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?] ... 
qvmprocessor[29794]: Caused by: org.quartz.JobPersistenceException: Couldn't retrieve trigger: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested exception: java.lang.IllegalStateException: No record found for selection of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?] How to use journalctl: https://www.ibm.com/support/pages/qradar-using-journalctl-command-view-logs-qradar-services |
23 February 2022 |
RULES | IJ28545 | WHEN MODIFYING GEOGRAPHIC RULE CONDITIONS UNDER THE SPANISH LOCALE BELARUS IS SHOWN AS BRASIL INSTEAD OF BIELORRUSIA | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround To correct this issue,
Issue When using the Spanish locale and modifying a geographic rule condition, Brazil appears to have been placed under "Europe" by mistake, while it also appears under South America. The actual issue is that under the Spanish locale Belarus has been given the name "Brasil" instead of "Bielorrusia". For example:
|
23 February 2022 |
SEARCH | IJ22497 | OFFENSES WITHOUT NAMING CANNOT BE SEARCHED BY DESCRIPTION | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround The Offense can be searched by the Offense Id. Issue When the search option is used to find an Offense using the "Description" field under the "Offenses" tab, no results are displayed when the offense has no name. For example,
|
23 February 2022 |
BACKUP AND RESTORE | IJ06104 | THE HEALTH METRICS LOG SOURCE NAME FROM A CONFIGURATION BACKUP OVERWRITES THE NEW CONSOLE'S HOSTNAME IN THE LOG SOURCE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that when a Configuration Backup is restored onto a QRadar Console that has a different hostname, the Health Metrics log source name continues to be displayed as the old hostname (i.e. the hostname of the originating Console, as contained in the configuration backup). |
23 February 2022 |
SYSTEM NOTIFICATIONS | IJ24564 | A QRADAR SYSTEM NOTIFICATION IS GENERATED WHEN THE AUTOGENERATED QRADAR_SAML CERTIFICATE CANNOT BE RENEWED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue A System Notification similar to the following can be generated when the autogenerated QRadar_SAML certificate cannot be renewed: com.q1labs.hostcontext.KeyStoreExpiryMonitor: [WARN] [NOT:0030004104][127.0.0.1/- -] [-/- -]The certificate named QRadar_SAML will expire on Sun Dec 01 02:06:40 AST 2019. Please update the certificate soon. The autogenerated QRadar_SAML certificate cannot be renewed by users who are not using SAML 2.0 authentication. This autogenerated certificate is not needed unless both of the following apply: - the console is configured for SAML 2.0 authentication - the QRadar_SAML certificate is the certificate used for it |
23 February 2022 |
AUTHORIZED SERVICE TOKENS | IJ37935 | AUTHORIZED SERVICES WITH SPACES IN NAMES CAUSE 'FAILED TO DECRYPT' ERRORS DURING UPGRADE | OPEN | Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue It has been identified that authorized services with spaces in the name can generate a 'Failed to decrypt' error message when administrators upgrade to QRadar 7.5.0 UP1 versions. When the authorized service token fails to decrypt successfully, this can lead to grouped data (FGroups) with incorrect names, which can affect users trying to view the data after the upgrade completes. An FGroup is a group of content such as a log source group, reporting group, or search group in QRadar. When this issue occurs, patches.log for the upgrade can display the following error messages: Jan 20 14:47:48 2022: Jan 20 14:47:48 2022:[DEBUG](-ni-patchmode) Running script /media/updates/scripts/QRADAR-9108.install --mode mainpatch Jan 20 14:47:53 2022: Jan 20 14:47:53 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:47:55 2022: Jan 20 14:47:55 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:48:00 2022: Jan 20 14:48:00 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:48:01 2022: Jan 20 14:48:01 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:48:03 2022: Jan 20 14:48:03 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:48:07 2022: Jan 20 14:48:07 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt Jan 20 14:48:09 2022: Jan 20 14:48:09 2022: [WARN](-ni-patchmode) ERROR: Failed to decrypt |
04 March 2022 |
USER INTERFACE | IJ37604 | FAILURE TO DECRYPT A CONFIG RESTORE IN 7.4.3 FIX PACK 4 CAN CAUSE USER INTERFACE ISSUES | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround A flash notice is available with an attached support utility to resolve this issue for administrators. To review the flash notice and download ConfigRestore_IJ37604.sh, see https://www.ibm.com/support/pages/node/6554538 Issue Administrators who attempt to restore a configuration on QRadar 7.4.3 Fix Pack 4 (Build 20211109160104) or 7.4.3 Fix Pack 4 Interim Fix 2 (Build 20211217105419) can experience an error when the configuration restore file cannot be decrypted. When a configuration restore fails, a 'CryptoException: Failed to decrypt data' message displays in the logs and the configuration restore does not complete successfully. This issue can lead to the user interface being unavailable after the configuration restore fails as passwords cannot be properly decrypted from the configuration, requiring QRadar Support assistance. Scenarios that can lead to a key decryption issue in QRadar 7.4.3 Fix Pack 4:
The following message is written to /var/log/qradar.log when a configuration restore fails to decrypt: com.q1labs.frameworks.crypto.DecryptException: com.ibm.si.mks.CryptoException: Failed to decrypt data [hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:56) [hostcontext.hostcontext] [pool-2-thread-1] com.ibm.si.mks.CryptoException: Failed to decrypt data [hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:385) [hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.Crypto.decrypt(Crypto.java:70) [hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:53) [hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.a(Unknown Source) [hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.init(Unknown Source) [hostcontext.hostcontext] [pool-2-thread-1] at javax.crypto.Cipher.init(Unknown Source) [hostcontext.hostcontext] [pool-2-thread-1] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:376) java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking |
16 March 2022 |
SECURITY BULLETIN | OPENSSL AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137) QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207) Affected versions
OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack. CVSS Base score: 6.5 |
18 February 2022 | |
SECURITY BULLETIN | Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137) QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207) Affected versions
Polkit could allow a local authenticated attacker to gain elevated privileges on the system, caused by incorrect handling of the argument vectors in the pkexec utility. By crafting environment variables in a specific way, an attacker could exploit this vulnerability to execute commands with root privileges. CVSS Base score: 7.8 |
18 February 2022 | |
SECURITY BULLETIN | Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137) QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207) Affected versions
|
18 February 2022 | |
APPLICATION FRAMEWORK | IJ34380 | QRADAR APPS CAN FAIL TO REINSTALL AFTER THEY ARE UNINSTALLED WHEN USING AN APPHOST | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124) Workaround Prior to attempting to reinstall the app:
Issue In some instances, a QRadar user is unable to reinstall a QRadar App after uninstalling it from an Apphost in the deployment when a "manifest unknown" error is generated. |
2 February 2022 |
QRADAR NETWORK INSIGHTS (QNI) | IJ34582 | THE NAPATECH FIRMWARE FOR THE 1901 (6300) APPLIANCES DELIVERED IN THE ISO IS INCORRECT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. Issue The firmware for the Napatech card in the 1901 (6300) QRadar Network Insights (QNI) appliances is packaged in the ISO. The original firmware delivered from Napatech was incorrect, which results in the Napatech card not starting. |
2 February 2022 |
DEPLOYMENT | IJ35113 | EVENT OR FLOW PROCESSORS CAN RUN OUT OF AVAILABLE FILE HANDLES IN ENCRYPTED DEPLOYMENTS AND PORT TO CONSOLE DROPS | CLOSED | Resolved in QRadar 7.5.0 GA (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) Workaround Administrators have two options to resolve the file handle issue until a software update can be released to resolve this issue: Option 1
Administrators can disable encryption on the managed host:
Issue QRadar deployments can experience Event Processors or Flow Processors that can run out of file handles if they have encrypted tunnels and are generating offenses if the Console port they are connecting to is down. |
2 February 2022 |
API | IJ34378 | QRADAR API 16.0 CAN RETURN UNEXPECTED RESULTS IN SOME INSTANCES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) Workaround Use an API version prior to 16.0 (e.g. 15.x) by accessing the QRadar interactive API documentation. Issue The QRadar API 16.0 can return unexpected results when using the Range header parameter, compared with the expected output when using an earlier version of the QRadar API (e.g. 15.x). |
2 February 2022 |
DEPLOY CHANGES | IJ30810 | DEPLOY CHANGES FUNCTION CAUSES IN PROGRESS SEARCHES TO ERROR WHEN AN ENCRYPTED MANAGED HOST IS IN THE QRADAR DEPLOYMENT | OPEN | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. https://ibm.biz/qradarforums Issue When performing a Deploy Changes function (not a Deploy Full Configuration), any search that is in progress is interrupted and goes into error, because the ariel proxy service restarts when the deployment has an encrypted Managed Host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [x.x.x.x] com.q1labs.configservices.config.globalset.platform.GlobalArielServerListTransformer: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/--]Ariel list transformer has changed the deployment file. | 2 February 2022 |
QFLOW | IJ33435 | QFLOW CAN SOMETIMES STOP PROCESSING IPFIX PACKETS SENT FROM QRADAR NETWORK INSIGHTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.5.0 GA (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Restarting the Qflow service can temporarily correct the issue, but it can occur again until a software release that resolves the error is available. Type the following from an SSH session to the QRadar Console: systemctl restart qflow Issue Qflow can stop processing flows when there is an increase in the amount of flows from QRadar Network Insights (QNI). This issue occurs when QNI is set to enriched and the communication between QNI and the Qflow service is configured for UDP. |
2 February 2022 |
QFLOW | IJ32496 | INTERNAL API CALLS FAIL WHEN A CONSOLE FQDN IS ALL CAPITALS EVEN WHEN IT IS IN A NO_PROXY LIST | CLOSED | Resolved in QRadar 7.5.0 GA (7.5.0.20211220195207) Workaround Add the console FQDN in lower case letters to the APP_PROXY_NO_PROXY_LIST in the nva.conf file:
For more information on Deploy Changes, see https://www.ibm.biz/qradardeploy Issue QRadar apps and other internal API calls continue to attempt to route through a proxy, even when the hostname is in a no_proxy list, and fail because the console Fully Qualified Domain Name (FQDN) is in all capital letters. For example:
|
2 February 2022 |
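IJ32496 is a host-name comparison that is byte-wise where DNS names are case-insensitive, so an upper-case console FQDN never matches its lower-case no_proxy entry and the call is sent to the proxy. The Python below is an added example, not QRadar code and not part of the APAR. The nva.conf fragment is constructed in an assumed KEY=VALUE layout (only the key name APP_PROXY_NO_PROXY_LIST comes from the APAR), and the matching rules for bare-host and leading-dot entries follow the common curl and Python requests convention, which is an assumption about QRadar's own behaviour. It shows the failing comparison beside one that normalises both sides before comparing.

```python
# Constructed sample in an assumed key=value layout; the key name is the one the
# APAR names, the other lines are illustrative only.
SAMPLE_NVA_CONF = """\
# proxy settings (constructed sample)
APP_PROXY_ENABLED=true
APP_PROXY_HOST=proxy.example.com
APP_PROXY_PORT=3128
APP_PROXY_NO_PROXY_LIST=localhost,127.0.0.1,console.example.com,.internal.example.com
"""


def read_no_proxy_list(conf_text: str) -> list:
    """Return the comma-separated entries of APP_PROXY_NO_PROXY_LIST, or []."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "APP_PROXY_NO_PROXY_LIST":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def _norm(name: str) -> str:
    """DNS names are case-insensitive: fold to lower case and drop a trailing dot."""
    return name.strip().lower().rstrip(".")


def bypasses_proxy_buggy(host: str, entries: list) -> bool:
    """Byte-wise comparison, the failure mode in the APAR: CONSOLE.EXAMPLE.COM
    never matches an entry written as console.example.com."""
    return any(host == e or (e.startswith(".") and host.endswith(e)) for e in entries)


def bypasses_proxy(host: str, entries: list) -> bool:
    """Normalise both sides before comparing. Entry forms handled (assumed
    convention): '*' matches everything; 'host' matches that host exactly or
    any name under it; '.domain' matches any name under domain."""
    h = _norm(host)
    for raw in entries:
        e = _norm(raw)
        if e == "*":
            return True
        if e.startswith("."):
            if h.endswith(e):
                return True
        elif h == e or h.endswith("." + e):
            return True
    return False
```

The workaround in the APAR (adding the lower-case FQDN to the list) works because it gives the byte-wise comparison an entry that matches the value actually used; after the fix, the comparison itself is expected to be case-insensitive, which is what bypasses_proxy shows. Either way, test with the exact case the console reports for its own FQDN, since that is the value the comparison sees.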
UPGRADE | IJ35458 | HTTPD.JSON FILE CAN BE OVERWRITTEN DURING THE QRADAR PATCHING PROCESS CAUSING CUSTOM CERTS TO BE REPLACED | CLOSED | Resolved in QRadar 7.5.0 GA (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is being considered for a future release and administrators can subscribe to the APAR to get updates. Issue In some instances, the qradarca RPM is updated during the QRadar patching process and overwrites the /opt/qradar/ca/conf.d/httpd.json file. This can cause values such as CertSkip and CertMonitorThreshold to be lost, in turn causing custom httpd certificates to be replaced by certificates generated by the local CA during the patch. |
2 February 2022 |
RULE | IJ31110 | ADDING "EVENT PROCESSOR" AS A RESPONSE TO A REFERENCE DATA RULE DOES NOT WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 GA (7.5.0.20211220195207) Workaround Create an AQL property of HOSTNAME(processorid) and use that to obtain the required data: http://ibm.biz/aqlfunctions Issue When Event Processor is added to the response for a Reference Data response, a ClassNotFoundException occurs and the rule response does not work. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [3]] com.q1labs.semsources.cre.responses.ReferenceDataResponse: [ERROR] [NOT:0000003000][QRADARIP/- -] [-/- -]Failed to get values from event: property="eventProcessorId", key1Val="127.0.0.1", key2Val=null, doSend=true, unRollFlow=false [ecs-ep.ecs-ep] [CRE Processor [3]] java.lang.RuntimeException: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:933) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.getValuesFromEvent(AbstractReferenceDataResponse.java:253) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.extractValuesFromEventAndSend(AbstractReferenceDataResponse.java:223) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484) [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method) [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337) [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927) [ecs-ep.ecs-ep] [CRE Processor [3]] ... 12 more Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException: com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927) Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] ... 12 more | 2 February 2020 |
QRADAR INCIDENT FORENSICS | IJ30070 | USER SAVE FUNCTION CAN FAIL WITH AN ERROR WRITTEN TO QRADAR-SQL.LOG | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is under consideration for a future release and administrators can subscribe to the APAR to get updates. Issue The user 'Save' function can fail with an error written to qradar-sql.log. For example, | 2 February 2020 |
QFLOW | IJ30100 | QRADAR CONFIG FILE IPFIXFIELDS.CONF CONTAINS TLV (TYPE-LENGTH-VALUE) DATA THAT CAN AFFECT PAYLOADS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Contact support if you need help administering the following workaround. Always make a backup of a file if you plan to alter it. Issue There are several newer TLVs (type-length-value) that are not excluded from payload mode in IPFIXFields.conf. These internal properties can fill up the payload block. When this occurs, a flow's payload can be filled with an incorrect property instead of the true payload. | 2 February 2020 |
QRADAR INCIDENT FORENSICS | IJ30020 | QRADAR INCIDENT FORENSICS UPLOAD CAN FAIL WHEN THERE ARE SPECIAL CHARACTERS CONTAINED IN THE DATABASE PASSWORD | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is under consideration for a future release and administrators can subscribe to the APAR to get updates. Issue An error similar to "There was an error running the forensics recovery." is observed while attempting to run a Forensics recovery on the Console when the database password contains special characters. [tomcat.tomcat] [HttpServletRequest-87-Idle] com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error: SQLException: FATAL: password authentication failed for user "qradar" SQLState: 28P01 VendorError: 0 -- Checking the postgresql-qrd service on the Console still shows these connection failures. x.x.x.x.ent postgres[173526]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5" x.x.x.x.ent postgres[173909]: [3-1] FATAL: password authentication failed for user "qradar" x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not match for user "qradar". x.x.x.x.ent postgres[173909]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5" x.x.x.x.ent postgres[173914]: [3-1] FATAL: password authentication failed for user "qradar" x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not match for user "qradar". x.x.x.x.ent postgres[173914]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5" x.x.x.x.ent postgres[173929]: [3-1] FATAL: password authentication failed for user "qradar" x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not match for user "qradar". x.x.x.x.ent postgres[173929]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5" | 2 February 2020 |
UPGRADE | IJ30097 | MIGRATION FROM GLUSTERFS TO DRBD DURING EVENT COLLECTOR UPGRADE TO 7.4.2.X FOR HIGH AVAILABILITY CAN WIPE /STORE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Contact support for additional assistance, as an appliance rebuild is required if /store on the 15xx appliance in HA has been wiped during the migration/upgrade. Issue When upgrading to 7.4.2.X, QRadar Event Collector (EC) appliances (type 15xx) configured for High Availability (HA) are required to move from glusterfs to DRBD. The upgrade process requires manually running a script to perform that migration on 15xx appliances in HA. The script can be incorrectly configured to use /store as its backup directory. If /store is configured in the script as the backup location (for the /store partition), the prepare_ha script used to prepare the environments wipes /store, therefore deleting the backup. 7.4.2 upgrade information: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_up_ugrad_sys.html | 2 February 2020 |
QRADAR INCIDENT FORENSICS | IJ30018 | CASE CANNOT BE UPLOADED IN QRADAR INCIDENT FORENSICS WHEN THE FTPMONITOR CANNOT CONNECT TO THE DATABASE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue is under consideration for a future release and administrators can subscribe to the APAR to get updates. Issue Cases cannot be uploaded into QRadar Incident Forensics when an ftp user has not been properly updated, because the Forensics ftpmonitor then fails to connect to the database. Messages similar to the following might be visible in QRadar logging when this issue occurs: 127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: [ERROR] Failed to get users 127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: Failed to retrieve console host. 127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58) 127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566) 127.0.0.1 at java.util.TimerThread.run(Timer.java:516) 127.0.0.1 Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username" 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514) 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) 127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) 127.0.0.1 at org.postgresql.jdbc.PgConnection. | 2 February 2020 |
APPLICATION FRAMEWORK | IJ28790 | A QRADAR APP CAN FAIL TO AUTOMATICALLY RESTART IF THE APP HAS BEEN STOPPED AND IS IN AN ERROR STATE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Use the qappmanager utility to put the App back into RUNNING state: https://www.ibm.com/support/pages/qradar-about-qappmanager-support-utility Issue When a QRadar App is in ERROR state, the RestartAppAsyncTask attempts to restart the affected App. In some instances, an exception can occur that blocks the affected App from starting properly. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-7] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An error occurred setting app status to [STOPPED]. Task state found to be [EXCEPTION]. [tomcat.tomcat] [pool-1-thread-7] at com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.stopAppInstance(RestartAppAsyncTask.java:149) [tomcat.tomcat] [pool-1-thread-7] at com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.runTask(RestartAppAsyncTask.java:112) [tomcat.tomcat] [pool-1-thread-7] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-7] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-7] at java.lang.Thread.run(Thread.java:818) | 2 February 2020 |
CUSTOM EVENT PROPERTY | IJ27841 | CUSTOM EVENT PROPERTY NAME THAT CONTAINS A PLUS SYMBOL "+" CANNOT BE SELECTED IN A RULE WIZARD RULE STACK | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Where possible, do not use a plus symbol "+" in the name of a Custom Event Property. Issue When a Custom Event Property name contains a plus symbol "+", that CEP cannot be selected in the rule test stack. For example, create an AQL property with a name such as URI-Domain+Path+Query. After it is saved, open the Rule Wizard (event rule) and add the condition "when any of these event properties are contained in any of these reference sets". Attempting to select URI-Domain+Path+Query generates an exception in /var/log/qradar.log similar to the following: [tomcat.tomcat] [x(3588) /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.sem.ui.util.RuleConditionUtils: [WARN] [NOT:0000004000][/- -] [-/- -]No lookup results found for user selection(s) URI-Domain+Path+Query for method com.q1labs.sem.ui.semservices.UISemServices.getEventDatabaseFields | 2 February 2020 |
QRADAR VULNERABILITY MANAGER | IJ29848 | 'USE CENTRALIZED CREDENTIALS' IN QRADAR VULNERABILITY MANAGER BECOMES DESELECTED WHEN EDITING A SCAN PROFILE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forum: https://ibm.biz/qradarforums Issue When editing a Scan Profile, the Use Centralized Credentials checkbox becomes unchecked in the QRadar User Interface. For example: | 2 February 2020 |
LICENSE | IJ24030 | EXPIRED LICENSE ALLOCATED TO A DELETED MANAGED HOST CAN GENERATE A NOTIFICATION MESSAGE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When a QRadar deployment has one or more expired licenses allocated to a deleted Managed Host, an incorrect notification is raised stating the license will expire soon even though it has already expired. The notification message is similar to: 'License {name}', allocated to host '{hostname}' will expire soon. Its expiration date is '{date}'. Note: The date displayed in the error can already be in the past. | 2 February 2020 |
LOG SOURCE MANAGEMENT APP | IJ25045 | THE LOG SOURCE MANAGEMENT APP CAN SOMETIMES DISPLAY INCORRECT TARGET EVENT COLLECTOR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. Issue The QRadar Log Source Management (LSM) app can sometimes display the incorrect Target Event Collector when filtering by Target Event Collector. | 2 February 2020 |
GEOGRAPHIC DATA | IJ28623 | THE COUNTRY ESWATINI DISPLAYS AS SWAZILAND WITHIN QRADAR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The country "Swaziland" is displayed in QRadar country options even though the country has been renamed to eSwatini. For example: When configuring a rule condition with geographic data, the country list offers "Swaziland" instead of "eSwatini". | 2 February 2020 |
QRADAR NETWORK INSIGHTS | IJ30094 | QRADAR NETWORK INSIGHTS: FLOWS OVER PORT 80 ARE MISCLASSIFIED AS 'SSH' CAUSING FALSE POSITIVES IN RULES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available as a software update is required to resolve this issue. Issue Flows on port 80 are misclassified by the Forensic Inspector as 'SSH'. When this occurs, false positives can be experienced during rule processing. | 2 February 2020 |
RULES | IJ25504 | QRADAR CUSTOM RULE ENGINE FIRES AN EMAIL NOTIFICATION BUT AN ASSOCIATED OFFENSE IS NOT GENERATED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available as a software update is required to resolve this issue. Issue In some instances, an email notification can be generated by the QRadar Custom Rule Engine, but the associated Offense that should be created is not. Messages similar to the following (event-errs: {digit}) might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [MPC/PersisterThread@0000778355] com.ibm.si.mpc.magi.contrib.ModelPersister: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Processed 39 commands in 0:00:00.023 including offense: 2, attacker: 1, target: 1, network: 2, cat: 2, off-cre-agg: 2, off-cat-sum: 4, annot: 2, device: 1, user: 1, offenseEP: 2, mac: 0, qid: 0, appId: 0, host: 0, asset: 0, port: 0, rule: 0, ipv6: 0, asn: 0, regex: 0, calculated: 0, mpcQueryReq: 0. New Load: 0.00 [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor] [parent=hostname:ecs-ep/MPC/Magistrate1/MPC]] com.ibm.si.mpc.magi.schedule.EventScheduler: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Scheduling 1 of 1 offenses. (events-rcvd: 10, event-errs: 6, events-rejected: 0, MT-recs: 4, MT-recs-rejected: 0 (eq: 0), capDropped: 0, off-create-err: 0, off-contrib-err: 0, schd: 4, wait: 0, bytes-sched: 0.00MB, bytes-wait: 0.00MB, total rcvd: 1144987). init-sched: 0, dorm-sched: 0, def-sched: 0, def: 0, active: 4, dormant: 53, Load: 0.00, Throughput: 100.00% | 2 February 2020 |
AGGREGATE DATA MANAGEMENT | IJ12235 | 'AN ERROR OCCURRED FOR INPUT STRING...' MESSAGE CAN BE GENERATED WHEN SORTING IN AGGREGATED DATA WINDOW | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available as a software update is required to resolve this issue. Issue It has been identified that a message similar to "An error occurred For input string: "21622231248" " (the input string value varies) is generated when viewing Aggregated Data Management in the QRadar User Interface, looking at "Display: Aggregated Data View" and then performing a sort by "Data Written". For example: Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getListPortion' [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] java.lang.NumberFormatException: For input string: "2198937739" [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.lang.Integer.parseInt(Integer.java:595) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.lang.Integer.parseInt(Integer.java:627) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:86) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:40) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.TimSort.binarySort(TimSort.java:307) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.TimSort.sort(TimSort.java:250) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.Arrays.sort(Arrays.java:1856) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.ArrayList.sort(ArrayList.java:1473) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.Collections.sort(Collections.java:186) ........ [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat.tomcat] [admin@127.0.0.1 (268) /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion] at java.lang.Thread.run(Thread.java:811) | 2 February 2020 |
UPGRADE | IJ36035 | QRADAR DEPLOY FUNCTION CAN FAIL DURING AND AT THE END OF PATCH PROCESS WITH SOME INSTALL AND PATCH PATHS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar deploy function can fail during and after a QRadar patch has been applied. This has been attributed to instances where auCrypto.pm is retained from pre-743 in some upgrade paths. For example: QRadar 7.4.0 Fix Pack 4 (20200629201233) ISO > QRadar 7.4.1 Fix Pack 1 (20201112005343) SFS > QRadar 7.4.3 Fix Pack 1 (20210708143944) SFS Messages similar to the following might be visible in /var/log/setupxxxxx/patches.log when this issue occurs: AES: Datasize not exactly blocksize (16 bytes) at /opt/qradar/lib/Q1/auCrypto.pm line 79. Oct 28 18:20:49 2021: Oct 28 18:20:49 2021:[ERROR](patchmode) deploy failed. | 2 February 2020 |
CUSTOM PROPERTIES | IJ36006 | SOME CUSTOM EVENT PROPERTIES CAN BE RENAMED DURING QRADAR PATCHING PROCESS TO VERSION 7.4.3 OR NEWER | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar patching process (to version 7.4.3 or newer) can change Custom Event Property names. When this occurs, rules and/or Reference Sets can be displayed incorrectly, including in QRadar Apps (example: Use Case Manager). For more information, see Alias properties created for custom properties | 2 February 2020 |
UPGRADE | IJ35457 | SOME CONTENT PACK PROPERTIES CAN FAIL DURING AND AFTER PATCHING TO QRADAR 7.4.3 | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue During the patching process to QRadar version 7.4.3 and newer, changes are made to the name of some content pack properties. No pre-check is performed to verify whether properties with the new name already exist, so the patch does not update the conflicting properties. This can also cause future install failures with content packs after the patch completes. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [WARN](patchmode) (date) 16:37:09,517 - WARNING - CustomPropertiesScript - process_searches_preload - Custom property Target Process Name exists, but not with system id 7453f3f4-58b3-4e08-aa35-372e2a029deb. Skipping custom-data. [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12 extension with id = 74 failed: Detected a conflict while importing a custom property. [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: Detected a conflict while importing a custom property. [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentCustom: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Property with id [DEFAULTCUSTOMEVENT8] already exists but has a different name [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content file [/store/tmp/cmt/out/20210823183050/CustomProperties_MicrosoftWindows.xml] [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content file [/store/tmp/cmt/out/MicrosoftWindows-CustomProperties-1/CustomProperties_MicrosoftWindows.xml] [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12 extension with id = 75 failed: Detected a conflict while importing a custom property. [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: Detected a conflict while importing a custom property. | 2 February 2020 |
CONTENT MANAGEMENT TOOL (CMT) | IJ35138 | CONTENT MANAGEMENT TOOL (CMT) EXPORT CAN FAIL ON RULES WITH A LOG SOURCE TEST CONTAINING AN EMPTY VALUE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue A Content Management Tool export of data can fail with a NullPointerException when a rule contains a log source test with an empty value. A message similar to the following might be visible when this issue occurs: java.lang.NullPointerException at com.ibm.si.content_management.ContentParser.getCustomRuleLogSource(ContentParser.java:5150) at com.ibm.si.content_management.ContentParser.getParsed(ContentParser.java:149) at com.ibm.si.content_management.Content.exportContent(Content.java:2853) at com.ibm.si.content_management.Content.exportContent(Content.java:3388) at com.ibm.si.content_management.Content.exportContent(Content.java:3277) at com.ibm.si.content_management.Content.exportContent(Content.java:3388) at com.ibm.si.content_management.Content.exportContent(Content.java:3277) at com.ibm.si.content_management.Content.exportContent(Content.java:3388) at com.ibm.si.content_management.Content.exportContent(Content.java:3277) at com.ibm.si.content_management.Content.exportContent(Content.java:3388) at com.ibm.si.content_management.Content.exportContent(Content.java:3277) at com.ibm.si.content_management.Content.exportContent(Content.java:3388) at com.ibm.si.content_management.ContentManager.exportContent(ContentManager.java:1310) at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3495) at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3455) at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3539) at com.ibm.si.content_management.CommandLineManager.processExport(CommandLineManager.java:323) at com.ibm.si.content_management.CommandLineManager.main(CommandLineManager.java:149) | 2 February 2020 |
UPGRADE | IJ36198 | PATCH PRETEST FAILS WHEN DUPLICATE NAMED CUSTOM PROPERTIES ARE PRESENT IN MULTIPLE DATABASES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Upgrade to a version where this issue is resolved, or review the instructions for correcting the duplicate named custom event properties prior to re-running the QRadar patch process: Duplicate custom property names. Issue The QRadar patch pretest can fail when custom event properties with the same name are present in different databases (event/flow). | 2 February 2020 |
QRADAR NETWORK INSIGHTS | IJ35676 | QRADAR DEPLOY FUNCTION CAN FAIL TO QRADAR NETWORK INTERFACE (QNI) APPLIANCES AFTER PATCHING | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.5.0 (7.5.0.20211220195207) Workaround Performing a subsequent QRadar deploy function after the failed deploy can correct this issue when it occurs. Issue After patching to QRadar version 7.5.0 GA, the QRadar deploy function can fail for QRadar Network Interface (QNI) appliances. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Caused by: com.q1labs.configservices.common.ConfigServicesException: Unable to get properties to build the forensics_config.xml file at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildThreatAnalyticsConfigFile(ForensicsRealtimeConfigTransformer.java:199) at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.configure(ForensicsRealtimeConfigTransformer.java:87) at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildConfig(ForensicsRealtimeConfigTransformer.java:71) at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:65) at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206) at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117) ... 9 more | 2 February 2020 |
UPGRADE | IJ33797 | PATCH PRETEST TO QRADAR 7.4.3 GA CAN FAIL ON CHECK FOR DUPLICATE CUSTOM EVENT PROPERTIES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue A QRadar patch pretest that checks for duplicate properties in the ariel_regex_property table can cause the pretest to fail as a result of the presence of facade properties. | 2 February 2020 |
CONTENT MANAGEMENT TOOL (CMT) | IJ35707 | CONTENT MANAGEMENT TOOL (CMT) CHANGES RULE RESPONSE DURING CMT IMPORT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Manually update the affected rule response after using CMT import. Issue The Content Management Tool (CMT) import function incorrectly changes the behavior of the Sensitive File Directories rule in QRadar. Before CMT import, the Rule Response of the Files in Sensitive File Directories rule is: Add the Filename of the event or flow payload to the Reference Set: Files in Sensitive Directories - AlphaNumeric. After CMT import, the Rule Response of the Files in Sensitive File Directories rule is: Add the Filename of the event or flow payload to the Reference Set: Asset Reconciliation DNS Blacklist - AlphaNumeric (Ignore Case). | 2 February 2020 |
UPGRADE | IJ35026 | QRADAR PATCHING CAN FAIL ON APPLIANCES USING EFI FIRMWARE | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.5.0 (7.5.0.20211220195207) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar patching process can fail when using EFI firmware. Messages similar to the following might be visible when this issue occurs: Grub Files Check Ensures grub files and settings are correct [FAILURE] The symlink /etc/grub2-efi.cfg does not have the correct target. Found: /boot/efi/EFI/grub/grub.cfg Expected: ../boot/efi/EFI/redhat/grub.cfg [REMEDIATION] Delete /etc/grub2-efi.cfg (if it exists) using 'rm /etc/grub2-efi.cfg', then re-create the symlink by running 'ln -s ../boot/efi/EFI/redhat/grub.cfg /etc/grub2-efi.cfg' | 2 February 2020 |
SECURITY BULLETIN | A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions CVE-2021-20400: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9 | 30 November 2021 | |
SECURITY BULLETIN | A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-2161: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. CVSS Base score: 5.9 |
30 November 2021 | |
SECURITY BULLETIN | IBM QRadar SIEM Performs Key Exchange Without Entity Authentication on Inter-Host Communications | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-29779: IBM QRadar could allow an attacker to obtain sensitive information due to the server performing key exchange without entity authentication on inter-host communications using man in the middle techniques. CVSS Base score: 5.9 |
30 November 2021 | |
SECURITY BULLETIN | Linux Kernel as used by IBM QRadar SIEM contains multiple vulnerabilities | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
|
30 November 2021 | |
SECURITY BULLETIN | PostgreSQL as used by IBM QRadar SIEM is vulnerable to information disclosure | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
|
30 November 2021 | |
SECURITY BULLETIN | Apache PDFBox as used by IBM QRadar SIEM is vulnerable to denial of service | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
|
30 November 2021 | |
SECURITY BULLETIN | Apache CXF as used by IBM QRadar SIEM is vulnerable to denial of service (DOS) | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-30468: Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources. CVSS Base score: 7.5 |
30 November 2021 | |
SECURITY BULLETIN | IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-29849: IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 |
30 November 2021 | |
SECURITY BULLETIN | IBM QRadar SIEM is vulnerable to server side request forgery (SSRF) | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-29863: IBM QRadar SIEM is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. CVSS Base score: 5.4 |
30 November 2021 | |
SECURITY BULLETIN | IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
|
30 November 2021 | |
SECURITY BULLETIN | IBM QRadar SIEM is vulnerable to using components with known vulnerabilities | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
|
30 November 2021 | |
UPGRADE | IJ35114 | QRADAR PATCH PROCESS CAN HANG FOR AN EXTENDED DURATION DURING A CONTENT MANAGEMENT EXPORT IN THE PATCHING PROCESS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. Issue The QRadar patching process can hang for longer than expected because of a content management export run from 257644.install. This has been identified in QRadar environments that have a large number of searches (thousands) prior to patching. NOTE: The process needs to complete successfully; do not interrupt the QRadar patch. Support can determine whether this issue is causing the QRadar patch process to hang. |
14 November 2021 |
RULES | IJ34276 | RULES WITH EMAIL RESPONSES WILL CAUSE THE CRE THREADS TO GET STUCK IN A DEADLOCK | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround Disable email responses on rules and restart ECS-EP by using the following command: systemctl restart ecs-ep Important: Restarting ECS-EP might result in services not being available; schedule a maintenance period before performing this step. Issue Rules with email responses cause the CRE threads to slowly become stuck in a deadlock, after which the CRE no longer processes events or sends them to storage, if the deployment has any AQL custom event properties (CEPs) with "Enable for use in Rules, Forwarding Profiles and Search Indexing" enabled. When this happens, look for a stack trace similar to the following in the threads.txt file generated by running: /opt/qradar/support/threadTop.sh -p 7799 --full > threads.txt
at sun.misc.Unsafe.park(Native Method)
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:186)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt(AbstractQueuedSynchronizer.java:847)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireShared(AbstractQueuedSynchronizer.java:978)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireShared(AbstractQueuedSynchronizer.java:1294)
at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock.java:738)
at com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties(CustomPropertyServices.java:166)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.replaceCustomPropertiesNullValues(CustomAlertFieldsManager.java:536)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.buildResponseFromXML(CustomAlertFieldsManager.java:351)
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate(CustomAlertFieldsManager.java:145)
at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51)
at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
at com.q1labs.semsources.cre.CRERuleExecutor.processEventInAllMode(CRERuleExecutor.java:177)
at com.q1labs.semsources.cre.GlobalRuleExecutor.processEvent(GlobalRuleExecutor.java:207)
at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484) |
2 February 2020 |
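Reading a threads.txt dump by hand for the IJ34276 signature is tedious on a busy event processor, so here is an added example (not part of the APAR or of QRadar's support scripts) that parses a dump and lists only the threads parked in the CustomPropertyServices read lock while performing an email response. It assumes threadTop.sh --full writes the usual jstack layout, one '"thread name" ...' header line followed by indented 'at ...' frames; if your dump differs, adjust parse_thread_dump. The sample dump at the bottom is constructed from the frames quoted in the APAR.

```python
"""Find CRE threads stuck in the IJ34276 read-lock deadlock in a Java thread dump.

Added example, not QRadar's own tooling. Assumes a jstack-style dump
(assumption: threadTop.sh --full output has this layout)."""
import re

# Frames that identify the stuck path, taken from the APAR stack trace.
SIGNATURE = (
    "java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock",
    "com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties",
)
EMAIL_FRAME = "com.q1labs.semsources.cre.responses.Email_Response.performResponse"

_HEADER = re.compile(r'^"(?P<name>[^"]+)"')        # '"CRE Processor 1" #42 ...'
_FRAME = re.compile(r"^\s*at\s+(?P<frame>\S+)\(")  # '        at pkg.Class.method(File.java:12)'


def parse_thread_dump(text):
    """Return a list of (thread_name, [fully qualified method names])."""
    threads = []
    name, frames = None, []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            if name is not None:
                threads.append((name, frames))
            name, frames = m.group("name"), []
            continue
        m = _FRAME.match(line)
        if m and name is not None:
            frames.append(m.group("frame"))
    if name is not None:
        threads.append((name, frames))
    return threads


def find_stuck_cre_threads(text):
    """Names of threads parked in the custom-property read lock via an email response."""
    stuck = []
    for name, frames in parse_thread_dump(text):
        has_lock = all(any(f.startswith(sig) for f in frames) for sig in SIGNATURE)
        via_email = any(f.startswith(EMAIL_FRAME) for f in frames)
        if has_lock and via_email:
            stuck.append(name)
    return stuck


# Constructed sample: one thread showing the APAR signature, one healthy thread.
SAMPLE_DUMP = '''"CRE Processor 1" #42 prio=5 os_prio=0 tid=0x1 nid=0x2a waiting on condition
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:186)
        at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock.java:738)
        at com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties(CustomPropertyServices.java:166)
        at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate(CustomAlertFieldsManager.java:145)
        at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51)
        at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
        at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)

"CRE Processor 2" #43 prio=5 os_prio=0 tid=0x2 nid=0x2b runnable
   java.lang.Thread.State: RUNNABLE
        at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
        at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for thread in find_stuck_cre_threads(text):
        print("stuck:", thread)
```

Pass the path to threads.txt as the first argument; with no argument it runs over the constructed sample. Several CRE threads reported at once, across consecutive dumps, is the pattern the APAR describes; one thread in a single dump may just be in flight.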
BACKUP AND RESTORE | IJ35436 | 'TEST HOST ACCESS' CAN FAIL TO WORK AS EXPECTED WHEN RESTORING A BACKUP ARCHIVE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When restoring a backup archive created on a different Console (with Managed Hosts), Test Host Access does not work as expected on the "Restore a Backup (Managed Hosts Accessibility)" window, even if iptables is stopped on the Managed Host. It displays "No Access" in the "Access Status" column, and continuing with the restore ends with a "Console cannot access the host" message. |
2 February 2020 |
QRADAR NETWORK INSIGHTS | IJ33201 | ICMPV6 FLOWS CAN BE MISSING IPV6 FIELD DATA | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue When viewing ICMPv6 traffic in the QRadar User Interface, some fields are missing for flows and ICMPv6 traffic from QRadar Network Insights or IPFIX exporters. These fields include IPV6 addresses (they display as 0:0:0:0:0:0:0:0), all tagged fields, QoS, ASN, IF Index, and flowid. When this issue occurs, searches performed for these fields in ICMPv6 traffic do not work as expected. |
14 November 2021 |
EVENT AND FLOW RETENTION | IJ20880 | 'COMPRESSION' COLUMN IS DISPLAYED ON THE EVENT/FLOW RETENTION SCREEN AND UNABLE TO EDIT EXISTING RETENTION BUCKETS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround When editing a retention bucket, set the Compression value to Never. Issue A "Compression" column can be observed on the Event/Flow Retention window. When this issue occurs, editing an existing retention policy fails with an error in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] com.q1labs.qradar.ui.action.Retention: [ERROR] [NOT:0000003000][IP/- -] [-/- -]Retention Bucket save failed
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] java.lang.NumberFormatException: For input string: ""
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at java.lang.Integer.parseInt(Integer.java:604)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at java.lang.Integer.parseInt(Integer.java:627)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at com.google.gson.JsonPrimitive.getAsInt(JsonPrimitive.java:260)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:97)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:79)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention] at com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.read(TypeAdapterRuntimeTypeWrapper.java:41) |
14 November 2021 |
Advanced Search (AQL) | IJ32889 | AQL SEARCHES CAN BECOME CORRUPTED AFTER A CONTENT MANAGEMENT TOOL IMPORT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround Manually edit the affected AQL searches to remove the extra quotes wherever they appear. For example, in ""Bytes Sent"(GB)" remove the interior (second and third) quotation marks, leaving "Bytes Sent(GB)". Issue AQL saved searches can become corrupted during the Content Management Tool (CMT) import after DataExfiltration-ContentExtension-1.0.4.zip is added to QRadar, producing an invalid AQL query. Affected searches cannot be used. Searches containing the following AQL string pattern are affected: SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events When a quoted alias of this form is used as a custom column name, the AQL search becomes corrupted. This also includes name variations where the key part is Bytes Sent followed by a parenthesised unit, such as "Bytes Sent(Megabytes)". Components that use the affected search, such as reports and accumulation, are also likely to be affected because the search(es) do not complete.
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: missing FROM at 'Bytes'
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.AQLParserException: Parse error: missing FROM at 'Bytes') / 1073741824 As ""Bytes Sent"(GB)" From^
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:564)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.reportMissingToken(DefaultErrorStrategy.java:407)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.singleTokenInsertion(DefaultErrorStrategy.java:510)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.DefaultErrorStrategy.recoverInline(DefaultErrorStrategy.java:474)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at org.antlr.v4.runtime.Parser.match(Parser.java:227)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.antlr.AQLParser.query(AQLParser.java:725)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.antlr.AQLParser.batch(AQLParser.java:404)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.ParserUtils.parse(ParserUtils.java:413)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1623)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:172)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:67)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] at java.lang.Thread.run(Thread.java:822) |
14 November 2021 |
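The IJ32889 workaround is a find-and-replace over every affected saved search, so here is an added example (not part of the APAR or of QRadar's own tooling) that detects the doubled-quote alias pattern in an AQL statement and collapses it back to a single quoted alias. It operates on query text only; pulling the saved-search AQL out of QRadar and saving the repaired text back is left to the administrator. The sample statement is constructed from the one quoted in the APAR.

```python
"""Detect and repair the doubled-quote column alias that IJ32889 leaves in
AQL saved searches after a CMT import.

Added example, not QRadar's own tooling. Works on the query text only."""
import re

# Corrupted form quoted in the APAR:  ""Bytes Sent"(GB)"
# Intended form:                       "Bytes Sent(GB)"
# The corruption wraps the name part of a quoted alias in a second pair of
# quotes and leaves the parenthesised unit outside them.
_CORRUPT_ALIAS = re.compile(r'""(?P<name>[^"()]+)"(?P<unit>\([^)"]*\))"')


def find_corrupt_aliases(aql):
    """Return every corrupted alias string found in an AQL statement."""
    return [m.group(0) for m in _CORRUPT_ALIAS.finditer(aql)]


def repair_aql(aql):
    """Collapse each corrupted alias to a single quoted alias.

    Only the alias pattern is touched: ordinary quoted identifiers such as
    "BytesSent" inside sum(...) do not start with two quotes and are left alone.
    Repairing an already-clean statement is a no-op."""
    return _CORRUPT_ALIAS.sub(lambda m: f'"{m.group("name")}{m.group("unit")}"', aql)


# Constructed sample, modelled on the statement quoted in the APAR.
CORRUPTED = 'SELECT DOUBLE(sum("BytesSent")) / 1073741824 As ""Bytes Sent"(GB)" FROM events'
EXPECTED = 'SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events'

if __name__ == "__main__":
    print("corrupt aliases:", find_corrupt_aliases(CORRUPTED))
    print("repaired:", repair_aql(CORRUPTED))
```

Run find_corrupt_aliases over each exported search first to get the list of searches to fix; a search that returns an empty list needs no change, so a re-run after repair should report nothing.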
SEARCH | IJ32741 | REAL TIME EVENT STREAMING CAN STOP WHEN A "JAVA.IO.EXCEPTION: BROKEN PIPE" ERROR OCCURS AFTER A TOMCAT PROCESS RESTART | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround Select one of the following workaround options: A. Restart the ecs-ep process across the QRadar deployment from an SSH session to the QRadar Console: /opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ep" OR B. Perform a Deploy Full Configuration from the Console: Admin > Advanced > Deploy Full Configuration. Issue In some instances where tomcat is restarted on the QRadar Console, a "java.io.IOException: Broken pipe" error can occur, after which real time event streaming in the QRadar User Interface can stop functioning. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7801: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/--] Error: /127.0.0.1:49432 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)] java.io.IOException: Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)] com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver 0.0.0.0:7800: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Error: /127.0.0.1:52834 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)] java.io.IOException: Broken pipe |
14 November 2021 |
FLOWS | IJ33511 | THE NETWORK ACTIVITY FLOW SOURCE TYPE FIELD DISPLAYS N/A | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In some instances, the Flow Source field in the Network Activity tab displays N/A. The Flow Source field should not display N/A. |
2 February 2022 |
QRADAR NETWORK INSIGHTS | IJ29680 | NON-ADMIN USERS CANNOT OPEN THE EXTRACT PROPERTIES TAB WHEN A LARGE NUMBER OF LOG SOURCES EXIST | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Non-admin QRadar users can experience a time out, after a longer than expected wait, while trying to open the extract properties tab in Log Source Management. This issue occurs when there are a large number of Log Sources, because the permission check runs against every device one at a time. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
"user@127.0.0.1 (4918) /console/do/qradar/arielProperties" Id=1835698 in RUNNABLE
at org.postgresql.core.PGStream.receive(PGStream.java:467)
at org.postgresql.core.PGStream.receiveTupleV3(PGStream.java:422)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2146)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
- locked org.postgresql.core.v3.QueryExecutorImpl@cdad6869
at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:270)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1115)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
at com.q1labs.frameworks.session.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:177)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:162)
at com.q1labs.core.util.sensors.SensorDeviceUtil.getAllLogSources(SensorDeviceUtil.java:27)
at com.q1labs.core.shared.util.UserUtils.getUserDeviceIds(UserUtils.java:803)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:741)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:1080)
at com.q1labs.sem.ui.semservices.UISemServices.getSensorDevicesByDeviceType(UISemServices.java:3302)
at com.q1labs.ariel.ui.action.ArielProperty.prepareDefaultRequestOpions(ArielProperty.java:120)
at com.q1labs.ariel.ui.action.ArielProperty.executeEdit(ArielProperty.java:793)
at com.q1labs.uiframeworks.actions.DispatchAction.edit(DispatchAction.java:253)
at sun.reflect.GeneratedMethodAccessor2973.invoke(UnknownSource)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508) |
14 November 2021 |
QRADAR NETWORK INSIGHTS | IJ28760 | QNI DATA CAN FAIL TO BE RECEIVED BY THE QRADAR CONSOLE USING DTLS DUE TO A MISSING CERTIFICATE ON THE QRADAR NETWORK INSIGHTS APPLIANCE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround On the QRadar Network Insights appliance, copy the certificate from /store/configservices/staging/globalconfig/dtlspki to /opt/qradar/conf/dtls/client/ Issue The DTLS connection between an encrypted, NATed QRadar Network Insights (QNI) appliance and the Console can fail if the required certificate is not copied to the correct directory during connection setup on the QNI appliance. The needed certificate resides on the QNI appliance in /store/configservices/staging/globalconfig/dtlspki, but can fail to be copied during connection setup to /opt/qradar/conf/dtls/client/ |
14 November 2021 |
REPORTS | IJ26321 | REPORTS CAN FAIL TO COMPLETE DUE TO A LOCK ON THE QRADAR DATABASE PREVENTING REPORT TEMPLATES FROM LOADING | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround Administrators can restart the reporting executor service, which reloads the report templates and creates a new transaction session.
Issue In some instances, QRadar report templates can fail to load because a lock on the QRadar database prevents the database transaction from retrieving them. The database connection fails because the session connection is already considered dead, or was previously used and closed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[reporting_executor.reporting_executor] [Report Queue] com.q1labs.reporting.ReportServices: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
[reporting_executor.reporting_executor] [Report Queue] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates folder is acquired by another process, skipping templates reload.
[reporting_executor.reporting_executor] [Report Queue] com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
[reporting_executor.reporting_executor] [Report Queue] {openjpa-2.4.3-r422266:1833086 fatal general error} org.apache.openjpa.persistence.PersistenceException: This connection has been closed. {SELECT t0.id, t0.autodiscovered, t0.creationdate, t0.database, t0.datepattern, t0.description, t0.description_id, t0.editdate, t0.forceparse, t0.languagetag, t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype, t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)} {code=0, state=08003} FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id = ?1 [java.lang.String]
[reporting_executor.reporting_executor] [Report Queue] at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5003)
..
[reporting_executor.reporting_executor] [Report Queue] Caused by:
[reporting_executor.reporting_executor] [Report Queue] org.apache.openjpa.lib.jdbc.ReportingSQLException: This connection has been closed. {SELECT t0.id, t0.autodiscovered, t0.creationdate, t0.database, t0.datepattern, t0.description, t0.description_id, t0.editdate, t0.forceparse, t0.languagetag, t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype, t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)} |
14 November 2021 |
DATA SYNCHRONIZATION APP | IJ33228 | DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Workaround
Issue After restoring a backup using the Data Synchronization app, the Destination site auth tokens are unusable and error messages similar to the following can be observed in the app logs identifying that the QRadar APIs are no longer retrieving results: [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight Time)] 'An error occured retrieving backups from QRadar API: No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"', [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight Time)] toString: ^Function: toString] } |
14 November 2021 |
MANAGED HOSTS | IJ33650 | 'ERRORSTREAM FLUSH-KEY-FOR-IPADDRESS' ERROR MESSAGES BEING WRITTEN TO QRADAR LOGGING | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. Issue Repeating "ErrorStream" messages can be observed in /var/log/qradar.log, and Managed Hosts can be seen attempting to connect to other Managed Hosts over port 22. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1913] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
May 13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-1917] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
May 13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-1919] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
May 13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-1921] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
May 13 10:14:29 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-1923] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
May 13 10:14:30 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-1925] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 |
2 February 2022 |
UPGRADE | IJ32896 | QRADAR PATCH PRE-TEST CAN FAIL DUE TO CHECK_YUM.SH ISSUES WHEN WINCOLLECT 7.3.1-16 INSTALLED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround To work around this issue, clean the yum cache to allow the patch to run successfully.
Issue The QRadar patch pre-test can fail when the check_yum.sh pretest does not clean out the old yum cache. This can occur when WinCollect 7.3.1-16 has been installed prior to the QRadar patch attempt. Messages similar to the following might be visible when this issue occurs: [INFO](testmode) Not using downloaded qradar-upgrade-local/repomd.xml because it is older than what we have: Current : Wed Apr 28 16:45:33 2021 Downloaded: Tue Mar 23 18:56:37 2021 |
23 February 2022 |
HIGH AVAILABILITY (HA) | IJ34628 | INCORRECT STATUS FOR NETWORK INTERFACES CAN BE DISPLAYED FOR HIGH AVAILABILITY HOST | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround Contact support for a possible workaround that might address this issue in some instances. Issue An incorrect status for network interfaces can be observed (example: network interface shows as down) for a High Availability (HA) host in the "Network Interfaces" tab of the "System and License Management" window when the secondary is active. |
13 December 2022 |
UPGRADE | IJ36052 | HOSTCONTEXT CAN FAIL TO START ON MANAGED HOSTS AFTER PATCHING QRADAR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Contact support for a possible workaround that might address this issue in some instances. Issue In some instances, Managed Hosts can fail to start the hostcontext service after patching. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [main] java.lang.NullPointerException [main] at com.q1labs.hostcontext.HostContext.destroy(HostContext.java:1168) [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1319) hostcontext[131454]: at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106) hostcontext[131454]: at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529) hostcontext[131454]: at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128) |
2 February 2022 |
UDP MULTILINE SYSLOG PROTOCOL | IJ35316 | EVENTS THAT HAVE BEEN COMBINED IN A GATEWAY CAN BECOME UNCOMBINED | OPEN | Workaround No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release of the UDP Multiline Syslog Protocol. Issue Events that have been combined in a gateway can become uncombined when parsed by a syslog log source with a matching Log Source Identifier (LSI). When Open LDAP UDP Multiline events are collected with 'Use As A Gateway Log Source' on its own port, they are combined correctly as configured and display as Sim Generic events. If a syslog log source also exists that matches the LSI of these generic combined events, the events are parsed with that log source and some of them become uncombined. This only occurs with specific payloads and is caused by a parsing issue in the UDP Multiline protocol. |
8 October 2021 |
OFFENSES | IJ29371 | OFFENSE DETAILS REPORT IN PDF FORMAT CAN CAUSE REPORT_RUNNER TO GO OUT OF MEMORY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround
Issue The QRadar report_runner process can go out of memory when running an Offense Details report that is configured for PDF output. This out-of-memory condition occurs when there is too much data for the PDF rendering to handle (example: over a month of data). When this occurs, the report fails to generate. |
06 September 2022 |
tbd | IJ34320 | QRADAR USER INTERFACE DISPLAYS 'NULL' AND OR 'KEY NOT FOUND' IN MULTIPLE UI FIELDS | OPEN | Workaround Correct the permissions on the files/directories when this issue occurs. This issue has been identified with /opt/qradar/conf/localization. From an SSH session to the QRadar console, use the chmod command to set the correct permissions for /opt/qradar/conf/localization to 775: # chmod 775 /opt/qradar/conf/localization Issue In some instances, lineChange.sh can cause incorrect file permissions to be set on required files/folders. When this issue occurs, the QRadar User Interface can display "null" and/or "key not found" across multiple UI fields. |
13 August 2021 |
AQL | IJ21739 | 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS | OPEN | Workaround Enable store payload in the Log Sources. Issue Using the 'Payload Contains' AQL filter generated from a basic search generates an illegal argument exception and returns incorrect search results when compared with the results of the basic search. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507): java.lang.IllegalArgumentException at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:672) at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:647) at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:799) at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:774) |
31 December 2021 |
WINCOLLECT | IJ33117 | MAXIMUM OF THREE (3) WINCOLLECT AGENTS ARE DISPLAYED WHEN USING THE LOG SOURCE MANAGEMENT APP | OPEN | Workaround Manually type the WinCollect Agent name to find it in the list. Issue When using the Log Source Management (LSM) app, the drop-down menu of WinCollect Agents displays a maximum of three (3) agents. |
17 June 2021 |
QRADAR NETWORK INSIGHTS | IJ32209 | INCIDENT RESULTS WINDOW CAN TAKE LONGER THAN EXPECTED TO LOAD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management. Every entry on every page requires a Solr request to determine the document count for the page, which can sometimes cause the Incident Results window to take longer than expected to load. |
28 April 2021 |
AQL | IJ33665 | AQL REFERENCETABLE TABLE FUNCTION USING 'LOWER' AND 'GROUP' CAN FAIL TO WORK AS EXPECTED | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Using the AQL REFERENCETABLE function together with LOWER() and a GROUP BY clause can result in inconsistent query results. Example query containing both LOWER and GROUP BY: select REFERENCETABLE('test','number',LOWER(username)) as 'number',REFERENCETABLE('test','test',LOWER(username)) as 'test', username from events GROUP BY username,'numOfParts','SHA256' ORDER BY username,'number','test' DESC last 1 HOURS Removing either LOWER() or the GROUP BY clause returns correct query results. |
18 July 2021 |
APPLICATION FRAMEWORK | IJ24325 | INSTALLING A NEW VERSION OF AN APP CAN LEAVE THE OLD VERSION STILL INSTALLED AND RUNNING | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Remove the older QRadar App version manually from Extension Management in the Admin tab of the QRadar User Interface. Issue Installing a newer version of a QRadar App can sometimes result in both the old and new versions running simultaneously; that is, the old version is not removed properly and is left running. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Unable to process request because Container Manager service is unavailable [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ... [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at java.lang.Thread.run(Thread.java:812) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] Caused by: [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Unable to process request because Container Manager service is unavailable [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.uiframeworks.application.api.service.DefaultApplicationAPIService.abortIfConManIsUnavailable(DefaultApplicationAPIService.java:556) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.uiframeworks.application.api.service.DefaultApplicationAPIService.deleteApp(DefaultApplicationAPIService.java:577) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.uiframeworks.application.api.v10_0.ApplicationsAPI.deleteApplication(ApplicationsAPI.java:423) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at java.lang.reflect.Method.invoke(Method.java:508) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399) [tomcat.tomcat] [configservices@127.0.0.1(4359) /console/restapi/api/gui_app_framework/applications/1101] ... 61 more [tomcat.tomcat] [com@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Delete failed for app 1101 |
23 February 2022 |
DATA SYNCHRONIZATION APP | IJ34687 | UNABLE TO COMPLETE FAIL BACK PROCESS DUE TO 'FAIL BACK TO MAIN SITE' OPTION NOT SELECTABLE IN DATA SYNC APP | OPEN | Workaround
Issue In instances where the 'Reactivate Main Site' option is selected before a fail back has been completed, the IBM QRadar Data Synchronization app option 'Fail back to main site' becomes permanently unselectable (the option is greyed out) on the destination site. |
29 August 2021 |
OFFENSES | IJ34730 | EVENTS MATCHING A RULE CAN SOMETIMES FAIL TO BE ASSOCIATED WITH AN OFFENSE OR GENERATE A NEW OFFENSE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In some instances, after an offense is closed, new events that match a rule are neither associated with the offense nor generate a new offense as expected, due to a race condition. |
26 August 2021 |
SEARCH | IJ19107 | SEARCHES USING A CUSTOM PROPERTY CAN BE SLOWER TO COMPLETE THAN EXPECTED | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) 7.5.0 Update Pack 3 Interim Fix 2 (7.5.0.20220930210008) Note: This known issue is fixed in the QRadar 7.5.0 UP3 IF2 release, but the APAR is waiting on another core software release before it is transitioned to CLOSED. Workaround Contact Support if you are experiencing slower than expected search results when using Custom Properties. Issue It has been identified that searches using a Custom Property can be slower than expected to return results when some ariel threads are slow to complete. Evaluating a thread dump with the threadTop.sh command can determine whether this issue is affecting your QRadar searches: a "BLOCKED" worker thread in an ariel thread dump indicates that it is. Only one worker thread should be in the running state, and the others (executing the same code) should be blocked on that one.
In the example below, thread qw_2 is in the synchronized block and qw_3 is blocked on it: "qw_2:2500ba82-b58c-4906-b20b-04f05fbed185" Id=188 in RUNNABLE at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95) at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30) at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50) at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247) at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15) at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40) at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53) at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89) at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69) at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.lang.Thread.run(Thread.java:812) "qw_3:2500ba82-b58c-4906-b20b-04f05fbed185" Id=241 in BLOCKED on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188 at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95) at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30) at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50) at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247) at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15) at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40) at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53) at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89) at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69) at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.lang.Thread.run(Thread.java:812) |
25 September 2019 |
CUSTOM PROPERTIES | IJ30032 | UNABLE TO SAVE CHANGES TO DEFAULT CUSTOM EVENT PROPERTY (CEP): "OBJECT TYPE(S)" | OPEN | Workaround Create a new CEP without the characters outlined in the error message. For more information on creating a custom property, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_create_cust_property.html. Issue A message similar to: "Property name cannot contain following characters: \ , . & ', " ( )" is generated when attempting to save changes to the Custom Event Property (CEP) "Object Type(s)". To replicate this issue: |
5 January 2021 |
JDBC PROTOCOL | IJ30026 | HOSTNAME STARTING WITH NUMBER OR SPECIAL CHARACTER FAILS VALIDATION WHEN CREATING A LOG SOURCE USING THE JDBC PROTOCOL | OPEN | Workaround
Issue "IP or Hostname must be a valid IPv4 address or hostname" message can be observed when attempting to create a Log Source using the JDBC protocol when the configured hostname begins with a number or special character. |
5 January 2021 |
CUSTOM PROPERTIES | IJ32194 | LEADING WHITESPACE NOT BEING DISPLAYED CAN CAUSE RULES BASED ON CUSTOM EVENT PROPERTIES TO NOT WORK AS EXPECTED | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The QRadar Log Activity page does not display the leading whitespace of a custom event property whose value begins with whitespace. Views within the DSM Editor can also fail to display a leading whitespace where one exists. This can mislead rule creation, because the blank space parsed into the custom event property cannot be seen. |
30 April 2021 |
RULES | IJ30033 | DEVICE STOP SENDING EMAIL RULE RESPONSES CAN CONTINUE FROM THE BACKUP HOST AFTER QRADAR DATA SYNCHRONIZATION APP IS CONFIGURED | OPEN | Workaround Manually stop the postfix service on the backup host using the command: # systemctl stop postfix Issue After completing the configuration of the QRadar Data Synchronization app, any rules configured with "device stop sending events" can continue to send emails from the backup host if email is configured as the rule response. |
5 January 2021 |
APP HOST APPLIANCE | IJ28640 | DUPLICATE ENTRIES WITHIN IPTABLES ON AN APP HOST CAN BE GENERATED AFTER QRADAR APPS ARE STOPPED AND STARTED | OPEN | Workaround From a command line (SSH session), restart docker on the App Host to reset the iptables entries: # systemctl restart docker Issue When QRadar Apps are stopped and started with the API, the firewall (iptables) on an App Host is appended with duplicate entries. The issue is caused by the NAT rule entries being appended to the firewall (iptables) each time the app starts, without first checking whether the rule is already present in the firewall. |
11 October 2020 |
ASSETS | IJ01985 | SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED | OPEN | Workaround No workaround available. Issue It has been identified that in some instances, residual identity data associated with an Asset can be left in the QRadar database after the Asset is updated. When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses. An example of when this issue occurs: View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username, that username does not correlate to the detected offense; it is based on what is known about the asset, and does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, choose Event/Flow count -> X events on the right; the pop-up that opens displays the captured details. |
23 March 2018 |
NETWORK | IJ29953 | IPTABLES FIREWALL RULES CAN FAIL TO UPDATE PROPERLY AFTER ADDING AN ADDITIONAL IPV4 OR IPV6 INTERFACE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue After adding an additional interface as IPv4 on an IPv6 environment or adding an additional IPv6 interface with IPv4 as a management interface, the iptables firewall rule is not updated, even after a Deploy Full Configuration is performed. |
20 December 2020 |
FLOWS | IJ34731 | FLOW SOURCE FILTERS WITH RANDOM INVALID CHARACTERS CAN BE DISPLAYED IN THE QRADAR USER INTERFACE | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue In some instances, Flow Source filters with random invalid characters as their name can be displayed in the QRadar User Interface. This can occur because some entries are not properly validated and can be populated from invalid overflow records (and sometimes invalid host info and domain info) as they are read from an overflow buffer. |
29 August 2021 |
tbd | IJ34719 | UNABLE TO LOGIN AFTER ADDING A SECOND LDAP GROUP MAPPING CONTAINING A SPACE IN THE NAME | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue Adding a second LDAP group to a mapping with a group that has a space in the name causes logins to stop working. This is caused by the space being escaped incorrectly (encoded a second time), so that the space is replaced with '%2520' instead of '%20' and the group no longer maps correctly. |
29 August 2021 |
DATA NODE | IJ28324 | DATA NODE STAYS AT 'WAITING FOR REBALANCING' STATUS WHEN DIRECTLY ADDED TO A QRADAR DEPLOYMENT IN 'ARCHIVE' MODE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround From an SSH session to the QRadar Console:
Issue Upon deploying a data node into the QRadar deployment directly in archive mode, it continuously displays "Waiting for Rebalancing" as its rebalancing status. |
2 February 2022 |
QRADAR RISK MANAGER | IJ34686 | RESULTS FROM A TOPOLOGY PATH SEARCH CAN DISPLAY INCORRECT PATH RESULTS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue A topology path search that should traverse a directly-connected network on a network device which supports virtual routers, and has no routing protocol entry for the network in any of its routing tables, fails to find the correct path. Affected device types are Cisco IOS, Juniper Junos, and F5 BIG-IP. Messages similar to the following might be visible in the device backup log when this issue occurs: WARN: No Interfaces are assigned to routing-instance default |
25 August 2021 |
LOG SOURCES | IJ33664 | EVENTS CAN SOMETIMES FAIL TO BE DISPLAYED FOR A NEWLY AUTO DISCOVERED LOG SOURCE | OPEN | Workaround Disable auto detect for the affected log source using the DSM Editor, and create the log source manually. Issue In some instances a new log source can be successfully created by the auto discovery feature but no events are displayed for the log source. This has only been observed on a select few log source types. |
13 August 2021 |
QRADAR VULNERABILITY MANAGER | IJ33116 | QRADAR VULNERABILITY MANAGER SCAN RESULT EXPORT CAN INCLUDE ALL SCANNED ASSETS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Add the vulnerability or service to an asset or vulnerability search and then export the results. Issue When assets which have a specific vulnerability or open service are exported from the Scan Results screen in QRadar Vulnerability Manager, the export contains all assets that were scanned. |
30 May 2022 |
OFFENSES | IJ26094 | QRADAR USER INTERFACE AND API FUNCTIONS CAN BE SLOW TO RESPOND WHEN OFFENSES HAVE A LARGE AMOUNT OF ATTACKER/TARGET DATA | OPEN | Workaround Contact Support to help identify whether QRadar UI or API function slowness is being caused by this issue. If so, perform a Hard Clean of the SIM Model. Note: Performing a Hard Clean purges all current and historical SIM data from the database, including protected offenses, source IP addresses, and destination IP addresses. Issue The QRadar User Interface (UI) and/or the QRadar API can become slow to respond when an Offense accrues a very large amount (millions) of attacker/target data in its data set. This slowness is caused by the amount of time spent continually purging data by the QRadar MPC PersisterThread (used for Offenses) when these large attacker/target data sets exist in a QRadar environment. |
13 July 2020 |
UPGRADE | IJ30812 | 7.4.2 UPGRADE PRETEST OPTION CANNOT COMPLETE UNTIL EVENT COLLECTOR HIGH AVAILABILITY PAIRS HAVE MIGRATED TO DRBD | OPEN | Workaround Migrate the Event Collector pairs in the QRadar deployment from glusterfs to DRBD, then run the upgrade pretest option. See the following link for more information on the required migration: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_up_ugrad_glusterfs_migration.html Issue The QRadar 7.4.2 upgrade pretest (/media/updates/installer -t) cannot be successfully completed until all Event Collector pairs in High Availability (HA) have completed the required glusterfs to DRBD migration. |
16 February 2021 |
QRADAR NETWORK INSIGHTS | IJ26733 | TWO QNI TIKA INSTANCES CAN START ON THE SAME PORT DUE TO A RACE CONDITION CAUSING REPEATED MESSAGES WRITTEN TO QRADAR LOGS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Find the TikaServer port number in the parentheses of the messages in the qradar.log file (for example, 6690 in the log messages quoted under Issue).
Issue A race condition can occur where the TikaServer and the Tika watcher script result in two Tika instances being started, and the second TikaServer fails because the port is already in use. The Tika watcher script identifies that the second instance has died and attempts to restart it in an infinite loop. Because an instance is already running on the port, the decapper continues to process without issue. Repeated log messages are written every second, which can flood the /var/log/qradar.log file; they appear similar to the following: TikaServer (6690) Watcher - INFO - TikaServer (6690) is not running TikaServer (6690) - INFO - Starting TikaServer (6690) - INFO - Started |
23 February 2022 |
ASSETS | IJ29372 | NEW ASSETS BEING CREATED CAN HANG AT 'PENDING' IF AN ASSET IMPORT WITH INVALID IP ADDRESS HAS PREVIOUSLY OCCURRED | OPEN | Workaround Clean out the spillover queue files using an SSH session to the QRadar Console:
Issue After importing a large number of assets with invalid IP addresses and then attempting to create assets, these asset creations can stall at "pending". When this occurs, the spillover queue can sometimes need to be cleaned out of files to correct this behavior. |
18 November 2020 |
SEARCH | IJ30810 | DEPLOY CHANGES FUNCTION CAUSES IN PROGRESS SEARCHES TO ERROR WHEN AN ENCRYPTED MANAGED HOST IS IN THE QRADAR DEPLOYMENT | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When performing a Deploy Changes function (not a Deploy Full Configuration), any search that is in progress is interrupted and goes into error, because the ariel proxy service restarts when the deployment has an encrypted Managed Host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: ::ffff:x.x.x.x [tomcat.tomcat] [rhc_x.x.x.x] com.q1labs.configservices.config.globalset.platform.GlobalArielServerListTransformer: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Ariel list transformer has changed the deployment file. |
16 February 2021 |
NETWORK PACKET CAPTURE | IJ32975 | "SYNTAX ERROR: INVALID SYNTAX" WHEN PERFORMING A NETWORK PACKET CAPTURE INSTALLATION ON CUSTOM HARDWARE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue QRadar Network Packet Capture installations can only be performed on computer systems with hardware that matches IBM-supplied appliances. Messages similar to the following might be visible when performing the installation on hardware that does not match: ./setup File "./setup", line 86 global NTADAPTER = napatech_adapters [0] SyntaxError: invalid syntax |
17 June 2021 |
SEARCH | IV87948 | SEARCH FILTERING FOR A CUSTOM EVENT PROPERTY THAT INCLUDES NON-ENGLISH CHARACTERS DOES NOT WORK AS EXPECTED | OPEN | Workaround No workaround available. This issue was reopened after a user reported that they experienced the error described in this APAR. Issue Adding search filters for a Custom Event Property (CEP) that includes non-English characters does not work. In these instances, events and data with valid, matching values that should be returned are not. |
7 August 2020 |
CUSTOM PROPERTIES | IJ34647 | UPGRADING TO QRADAR 743 RESULTS IN A LIST OF DEPRECATED CUSTOM EVENT PROPERTIES BEING DISPLAYED | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Environments upgraded to 7.4.3 might see a list of deprecated custom event properties (CEPs) displayed in event details. In some cases this list can be long and confusing, as the CEPs cannot be found in the CEP UI. The administrator might not be able to identify them, or they might look like duplicates. |
27 August 2021 |
DSM EDITOR | IJ30347 | 'THERE WAS A PROBLEM SAVING THE LOG SOURCE TYPE CONFIGURATION' AFTER CLICKING SAVE ON THE DSM EDITOR PAGE | OPEN | Workaround Set Global autodetection to True:
Issue A message similar to "There was a problem saving the Log Source Type configuration" can be displayed when clicking Save on the DSM Editor page when global autodetection has been disabled in QRadar settings: Admin > System and License Management > Edit Managed Host > Component Management > Event Collector > Autodetection Enabled - False, Autodetection - Use Global settings - False |
23 January 2021 |
DEPLOY CHANGES | IJ30019 | DELEGATED ADMIN CAN PERFORM 'DEPLOY CHANGES' FUNCTION | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Delegated admin users can perform a Deploy Changes function when they should not be able to perform this task. |
5 January 2021 |
IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL | IJ30959 | THE QRADAR IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL CAN GENERATE OUT OF MEMORY ERRORS | OPEN | Workaround A protocol update to the IBM Security Identity Manager JDBC protocol is required to resolve this issue. Administrators can monitor for stopped collection from IBM Security Identity Manager log sources in the Log Activity tab, or review the logs for "OutOfMemoryError: Direct buffer memory" errors. If you experience issues with collection from your IBM Security Identity Manager JDBC protocol log sources after a large event spike on the log source, you can restart the ecs-ec-ingress service to restart event collection. To restart ecs-ec-ingress:
Issue An issue has been identified where the IBM Security Identity Manager JDBC protocol can run out of memory when it attempts to process events from the spillover cache. When an event burst (incoming EPS spike) for the IBM Security Identity Manager JDBC protocol is large enough, the IBMSIMJDBCEventConnector can run out of available memory. When the memory error occurs, the ecs-ec-ingress service cannot move events from the direct memory buffer for IBMSIMJDBCEventConnector to the event pipeline. Events expected to be viewable from the Log Activity tab might not return search results, because they did not enter the event pipeline from the ecs-ec-ingress service as expected. Note: This issue only affects IBM Security Identity Manager JDBC protocol integrations; other QRadar integrations that use JDBC are not affected by this memory issue. When this issue occurs, the following message is displayed in /var/log/qradar.log: [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] java.lang.OutOfMemoryError: Direct buffer memory::Please use appropriate 'size' via -XX:MaxDirectMemorySize={size} [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.Bits.reserveMemory(Bits.java:747) [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.DirectByteBuffer.<init>(DirectByteBuffer.java:123) [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:311) [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.cache.ResizableBufferPool.<init>(ResizableBufferPool.java:50) [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.cache.ResizableBufferPool.<init>(ResizableBufferPool.java:26) |
27 February 2021 |
LOG SOURCE MANAGEMENT APP | IJ28131 | LSM APP TEST FOR ORACLE LOG SOURCE IGNORES THE TIMEOUT AND KEEPS RUNNING | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue It has been identified that in some cases the Oracle log source protocol test ignores the test protocol timeout value and keeps running until the Log Source test query completes. | 22 September 2020 |
QRADAR INCIDENT FORENSICS | IJ30018 | CASE CANNOT BE UPLOADED IN QRADAR INCIDENT FORENSICS WHEN THE FTPMONITOR CANNOT CONNECT TO THE DATABASE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Cases cannot be uploaded into QRadar Incident Forensics when an FTP user has not been properly updated, because the Forensics ftpmonitor then fails to connect to the database. Messages similar to the following might be visible in QRadar logging when this issue occurs: 127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: [ERROR] Failed to get users 127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: Failed to retrieve console host. 127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107) 127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58) 127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566) 127.0.0.1 at java.util.TimerThread.run(Timer.java:516) 127.0.0.1 Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username" 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514) 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) 127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) 127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) 127.0.0.1 at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) 127.0.0.1 at org.postgresql.Driver.makeConnection(Driver.java:454) 127.0.0.1 at org.postgresql.Driver.connect(Driver.java:256) 127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:675) 127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:281) 127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.connect(Database.java:59) 127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:183) 127.0.0.1 ... 5 more | 5 January 2021 |
ASSETS | IV97179 | ATTEMPTING TO PERFORM A CLEAN VULNERABILITIES CAN FAIL DUE TO A TIMEOUT IN THE BACKEND | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue Assets tab -> Actions drop down -> Clean Vulnerabilities. Attempting a "Clean Vulnerabilities" from the User Interface, Assets tab, can fail due to a backend timeout occurring. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause: An I/O error occured while sending to the backend. [assetprofiler.assetprofiler] [AssetProfilePersister-BottomTier] com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Asset Profile Persister is rolling back its current transaction due to the above exceptions. | 23 February 2022 |
LOG SOURCE | IJ34691 | AUTO DISCOVERY LOG SOURCE NAMES ARE CASE SENSITIVE BUT THE LSM AND API LOG SOURCE NAME ARE NOT | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Administrators might notice that Auto discovery can add two Log sources with the same name where one is upper case and the other is lower case, for example, server1 and SERVER1. When trying to do the same manually through the Log Source Management app, a Log Source name such as server1 can be added, but adding the Log Source name SERVER1 fails with the message "The log source name must be unique". When trying to add the Log Sources by using the API, creating the second Log Source as "SERVER1" fails with the error message "The 'name' parameter must be unique." | 29 August 2021 |
LICENSE | IV93531 | 'LICENSE POOL ALLOCATION' WINDOW CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD IN LARGE QRADAR DEPLOYMENTS | OPEN | Workaround No workaround available. Issue It has been observed in large QRadar deployments that opening the 'License Pool Allocation' window can take a longer than expected time (multiple minutes). QRadar User Interface -> Admin tab -> System and License Management -> Licenses -> License Pool Allocation window. | 9 January 2019 |
WINCOLLECT | IJ33115 | WINCOLLECT AGENTS CAN FAIL TO UPDATE OR GET CONFIGURATION UPDATES WHEN USING CUSTOM HTTPD CERTIFICATE | OPEN | Workaround In a distributed QRadar deployment, and where possible, encrypt the required Managed Host used for the WinCollect agent. For more information, see https://www.ibm.com/docs/en/qsip/7.4?topic=hosts-configuring-managed-host. Issue WinCollect agents can fail to receive configuration updates or are unable to be updated when using a custom httpd certificate and when the connection to the Console from the Managed Host is not encrypted (when using a Managed Host for the agent). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager: [ERROR] [NOT:0000003000][(ConsoleIP)/- -] [-/- -]No subject alternative names matching IP address (ConsoleVIP) found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] java.security.cert.CertificateException: No subject alternative names matching IP address (ConsoleVIP) found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.util.b.b(b.java:29) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.util.b.a(b.java:12) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:209) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:63) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.a(aD.java:134) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:144) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:317) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.E.a(E.java:145) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.E.a(E.java:479) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.D.s(D.java:286) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.D.a(D.java:251) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.a(av.java:788) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.i(av.java:45) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.a(av.java:637) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.jsse2.av.startHandshake(av.java:1020) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:81) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.util.WinCollectConsole.Call(WinCollectConsole.java:281) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:204) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:122) | 16 June 2021 |
API | IJ33667 | DOMAIN MANAGEMENT API FUNCTIONS DO NOT ALLOW FOR DISCONNECTED LOG COLLECTOR ASSOCIATION TO A DOMAIN | OPEN | Workaround Add the required domain association for the Disconnected Log Collector from Admin > System Configuration section, Domain Management. Issue The domain management API functions do not allow for associating a Disconnected Log Collector to a domain. | 18 July 2021 |
ASSETS | IJ29159 | SOME INSTALLED WINDOWS PATCHES (KB) ARE NOT DISPLAYED FOR ASSETS IN QRADAR | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In some instances, patches that have been applied to Windows systems are not updated with the latest KBs installed on scanned systems in Assets -> Asset -> Display -> Windows Patches. This has been identified as occurring when an installed KB for an affected Windows computer system asset does not get added to a QRadar database table (extrefvalue). | 17 November 2021 |
UPGRADE | IJ32784 | QRADAR DOES NOT AUTOMATICALLY CLEAN UP FAILED REPLICATION FILES IN /STORE/REPLICATION/FAILED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Delete files in /store/replication/failed from the affected QRadar appliance and attempt the patch again. From an SSH session, run the following command: rm -f /store/replication/failed/failed* Issue The QRadar patching process can fail when /store has insufficient space due to files located in /store/replication/failed that are not cleaned up automatically by QRadar. | 30 May 2022 |
JDBC PROTOCOL | IJ29367 | SOPHOS LOG SOURCES USING JDBC CAN CAUSE AN ECS-EC-INGRESS SERVICE OUT OF MEMORY CAUSING AN EVENT COLLECTION OUTAGE | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue Sophos Log Sources using the JDBC protocol can sometimes cause the ecs-ec-ingress service to go out of memory. The ecs-ec-ingress service is the QRadar event collection service (QRadar 7.3.1 and newer), therefore an out of memory in this service causes an interruption to event collection until the service recovers successfully. This out of memory issue can occur when there are a large number of rows to retrieve and the "EventTypeName" column has any of these values: "Device control", "Viruses/spyware", "Adware or PUA" or "Firewall". | 18 November 2020 |
FLOWS | IV98672 | MULTIPLE FLOW TYPES SENT FROM THE SAME IP CAN BE INCORRECTLY IDENTIFIED/LABELLED BY QRADAR | OPEN | Workaround No workaround available. Issue It has been observed that when two different flow types are sent from the same IP on two different ports, QRadar creates an alias for the first flow type from that IP and the second flow type is reported as being the same as the first one. Example: Packeteer sent to the Console and Jflow sent to a QFlow managed host appliance from the same IP but on different ports. A Flow Alias is created for Packeteer and the Jflows also get reported under that one. | 13 September 2017 |
UDP MULTILINE SYSLOG PROTOCOL | IJ26093 | LOG SOURCES USING UDP MULTILINE SYSLOG CAN STOP RECEIVING EVENTS AFTER AN ECS-EC-INGRESS SERVICE RESTART OCCURS | OPEN | Workaround An additional restart of the ecs-ec-ingress service can correct this issue. Please see this URL for details: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_restart_ec_ingress.html. Note Event collection is briefly interrupted while the service restarts. Issue In some instances when the ecs-ec-ingress service (needed for event collection) restarts (for example, after an autoupdate is applied), the UDP multiline syslog provider does not shut down fast enough. When the provider attempts to start up, the old instance of the provider is still bound to port 517, so the new instance cannot open the port. When this situation occurs, the provider cannot start and therefore cannot receive events as expected. | 13 July 2020 |
MSRPC PROTOCOL | IJ34656 | LOG SOURCES USING WINDOWS EVENT RPC PROTOCOL CAN INTERMITTENTLY STOP WORKING AS EXPECTED | OPEN | Workaround Toggling the affected Log Source to disabled, and then enabling it again, can temporarily correct this issue. Issue Log Sources that use the Windows Event RPC Protocol can intermittently stop collecting events when an exception occurs on the receipt of Windows Server 2019 events. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] java.lang.ArrayIndexOutOfBoundsException [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at jcifs.util.Encdec.dec_uint32le(Encdec.java:90) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepresentation.java:64) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.method.eventlog.mseven6.EvtRpcGetNextEventMetadata.readResult(EvtRpcGetNextEventMetadata.java:80) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.ndr.BaseNdrObject.read(BaseNdrObject.java:28) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at ndr.NdrObject.decode(NdrObject.java:36) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:137) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at rpc.Stub.call(Stub.java:113) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.getEventMetadata(PublisherMetadataCache.java:125) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.cachePublisherInfo(PublisherMetadataCache.java:97) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.PublisherMetadataCache.getPublisherMetadata(PublisherMetadataCache.java:62) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventMessageAPIRenderer.renderMessage(EventMessageAPIRenderer.java:46) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventMessageRenderer.renderMessage(EventMessageRenderer.java:40) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventLogIterator.processBuffer(EventLogIterator.java:78) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.EventLogIterator.getAll(EventLogIterator.java:42) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.mseven6.WindowsEventLogImpl.read(WindowsEventLogImpl.java:323) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventSource.getEvents(RPCEventSource.java:219) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventSourceMonitor.getEvents(RPCEventSourceMonitor.java:124) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.windowseventrpc.WindowsEventRPCProvider.execute(WindowsEventRPCProvider.java:194) [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol Provider Thread: Windows Event Log RPC Provider 609] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195) | 29 August 2021 |
UPGRADE | IJ33887 | PATCHING FROM QRADAR 7.3 TO 7.4 WITH CISCO FIRE POWER THREAT DEFENSE DSM CAN BREAK EVENT PARSING | OPEN | Workaround Install the 7.4 CiscoFirepowerThreatDefense DSM or run an autoupdate. Issue Administrators who patch from 7.3 to 7.4 and have a configured Cisco Firepower Threat Defense DSM that was receiving events can find that events received after the patch break Event Parsing, causing all events to go to Stored. Look for similar messages in /var/log/qradar.log: Jun 14 16:09:41 ::ffff:IP [ecs-ec.ecs-ec] [Event Parser[3]] com.q1labs.frameworks.session.SessionContext: [INFO] [NOT:0000006000][IP/- -] [-/- -]Starting NON_BLOCKING dispatcher: 40c0afcb-4250-44c3-8613-94ca6d522889 Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][IP/- -] [-/- -]Exception was uncaught in thread: Event Parser[3] Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]] java.lang.NoSuchFieldError: com/q1labs/sem/dsm/cisco/firewall/CiscoFirepowerThreatDefense.properties | 04 August 2021 |
LOG SOURCE MANAGEMENT APP | IJ26534 | 'AN UNEXPECTED API ERROR HAS OCCURED. PLEASE REFER TO THE QRADAR ERROR LOGS' WHEN USING LOG SOURCE MANAGEMENT APP | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue In instances where an unexpected non-numeric value is present in a database entry, the Log Source Management app can fail to load with an error similar to: 'An unexpected API error has occured. Please refer to the QRadar error logs for additional information'. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Request Exception [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Unable to retrieve log source statistics. [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi_annotations.content.exceptions.APIMappedException.<init>(APIMappedException.java:131) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java:1417) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:415) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:244) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:341) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:259) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(AddUserHeaderFilter.java:86) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(ThreadNameFilter.java:53) ... [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] Caused by: [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid input syntax for integer: "SYSTEM-DLP-2" {prepstmnt -1244260909 SELECT fgroup.id as value, count(*) as count FROM fgroup INNER JOIN fgroup_link ON (fgroup.id = fgroup_link.fgroup_id) INNER JOIN logsourcereader_temp temp ON (temp.id = CAST(fgroup_link.item_id AS INTEGER)) AND fgroup.type_id = 1 GROUP BY fgroup.id} [tomcat.tomcat] [user@x.x.x.x (6680) /console/restapi/api/config/event_sources/log_source_management/log_source_statistics] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218) | 25 August 2020 |
REPORTS | IJ27158 | 'THE ATTACHMENT SIZE IS TOO LARGE' MESSAGE IS WRITTEN TO QRADAR LOGGING REGARDLESS OF A MAIL FAILURE REASON | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The message "Unable to send email to: [email_address], the attachment size is too large. You can update the Max Email Attachment Size (KB) in the System Settings" is written to the QRadar error logs regardless of the mail failure reason. Messages similar to the following might be visible in /var/log/qradar.log when this issue has occurred: [report_runner] [main] com.q1labs.reporting.ReportRunner: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing Template: "test-email@test-email.com#$#2871c317-796f-4b43-834a-3ced048baae6" [report_runner] [main] com.q1labs.reporting.ReportRunner: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Report start: "2871c317-796f-4b43-834a-3ced048baae6" Title: "Qradar Daily Device Report" .... [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send report "2871c317-796f-4b43-834a-3ced048baae6" to test-email@test-email.com [report_runner] [main] com.q1labs.frameworks.exceptions.FrameworksException: Unable to send email to: [test-email@test-email.com], the attachment size is too large. You can update the Max Email Attachment Size (KB) in the System Settings [report_runner] [main] Caused by: com.sun.mail.smtp.SMTPSendFailedException: 552 5.3.4 Error: message file too big | 06 September 2022 |
MANAGED HOST | IJ29029 | THE REMAP OPTION (COMPONENT ID) OPTION WHEN ADDING A HOST CAN FAIL TO COMPLETE ALL REQUIRED TASKS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When adding a host to a QRadar Deployment, if the remap option is selected and removed_deployment_components is missing a component that the Managed Host needs to have remapped, the remap generates a Null Pointer Exception and all subsequent actions of the remap process fail to complete. When this situation happens, it leaves a partially remapped Managed Host or potentially a Managed Host that is not remapped at all, depending on the order in which the components were being remapped. No messages are displayed in the QRadar User Interface indicating a problem has occurred in these instances. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while executing the remote method 'valdiationRemap' /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] java.lang.NullPointerException /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.testRemapAppliance(DeploymentAPIHostHelper.java:598) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.valdiationRemap(UIDeploymentManagement.java:227) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at sun.reflect.GeneratedMethodAccessor1055.invoke(Unknown Source) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at java.lang.reflect.Method.invoke(Method.java:508) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.callWithContext(ReflectiveExportedMethod.java:170) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.call(ReflectiveExportedMethod.java:128) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22) /console/JSON-RPC/QRadar.valdiationRemap QRadar.valdiationRemap] at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while executing the remote method 'remapHost' /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] java.lang.NullPointerException /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.remapAppliance(DeploymentAPIHostHelper.java:753) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.remapHost(UIDeploymentManagement.java:236) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at java.lang.reflect.Method.invoke(Method.java:508) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.callWithContext(ReflectiveExportedMethod.java:170) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.uiframeworks.application.ReflectiveExportedMethod.call(ReflectiveExportedMethod.java:128) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22) /console/JSON-RPC/QRadar.remapHost QRadar.remapHost] at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) | 02 November 2020 |
SYSTEM NOTIFICATIONS | IJ29983 | CLICKING THE HELP ICON FOR EVENT 'CRE: PROCESSOR THREAD(S) TERMINATED ABRUPTLY' (QID 38750144) RESULTS IN 'PAGE NOT FOUND' | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When there is a System Notification generated for "CRE: Processor Thread(s) Terminated Abruptly", clicking the Help icon results in a "page not found". This is for event QID: 38750144. |
18 December 2020 |
API | IJ28323 | DATA CAN BE RETURNED SLOWER THAN EXPECTED WHEN QUERYING FROM THE QRADAR API API/CONFIG/EXTENSION_MANAGEMENT/EXTENSIONS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Querying data using the QRadar API api/config/extension_management/extensions can take longer than expected. This can also affect QRadar Apps that use the API to return this data (example: QRadar Assistant). |
06 September 2022 |
QRADAR INCIDENT FORENSICS | IJ30020 | QRADAR INCIDENT FORENSICS UPLOAD CAN FAIL WHEN THERE ARE SPECIAL CHARACTERS CONTAINED IN THE DATABASE PASSWORD | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue An error similar to "There was an error running the forensics recovery." is observed when attempting to run a Forensics recovery on the Console and the database password contains special characters. Messages similar to the following might be visible in /var/log/qradar.log:
[tomcat.tomcat] [HttpServletRequest-87-Idle] com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error: SQLException: FATAL: password authentication failed for user "qradar" SQLState: 28P01 VendorError: 0
Checking the postgresql-qrd service on the Console still shows these connection failures:
x.x.x.x.ent postgres[173526]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173909]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173909]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173914]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173914]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5"
x.x.x.x.ent postgres[173929]: [3-1] FATAL: password authentication failed for user "qradar"
x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not match for user "qradar".
x.x.x.x.ent postgres[173929]: [3-3] Connection matched pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255 md5" |
05 January 2021 |
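The APAR above only says that special characters in the database password break the recovery. The usual way that happens in any client is that the password is interpolated into a connection string without quoting, so characters such as @, /, : or ' change how the string is parsed and PostgreSQL then sees a different password. The following is an added example, not QRadar or IBM code, showing the unsafe URI construction beside the two safe forms (percent-encoded URI userinfo and libpq keyword/value syntax). The password, user and host are constructed, and no database connection is made; the assumption that the root cause is unquoted interpolation is the author's, not something the APAR states.

```python
"""Added example, not QRadar code: handing a PostgreSQL password with
special characters to a client. The page only states that such passwords
trigger the failure; the assumption here is that the password is
interpolated into a connection string without quoting."""
from urllib.parse import quote, unquote, urlsplit

# Constructed password exercising the characters that matter in a URI
# ('@', '/', ':', '?', '#', '%') and in a libpq keyword string ("'" and '\').
PASSWORD = "p@ss/w:rd?#%'\\x"


def naive_uri(user, password, host, port, dbname):
    """What a careless caller builds: the password is inserted verbatim."""
    return f"postgresql://{user}:{password}@{host}:{port}/{dbname}"


def safe_uri(user, password, host, port, dbname):
    """Percent-encode the userinfo so every byte of the password survives
    parsing. safe='' also encodes '/', which quote() would otherwise keep."""
    return (f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{dbname}")


def password_from_uri(uri):
    """Recover the password the way a URI-based client would: split the
    netloc at the last '@', the userinfo at the first ':', then unquote."""
    parts = urlsplit(uri)
    return unquote(parts.password) if parts.password is not None else None


def libpq_keyword_string(user, password, host, port, dbname):
    """libpq keyword=value form. Each value is single-quoted and a backslash
    or single quote inside the value is escaped with a backslash, which is
    the quoting rule libpq documents for connection strings."""
    def q(value):
        return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"
    return " ".join(
        f"{k}={q(v)}"
        for k, v in (("host", host), ("port", port), ("dbname", dbname),
                     ("user", user), ("password", password))
    )
```

With the constructed password, the naive URI parses to a password of just "p" (everything after the first "/" becomes the path), while the percent-encoded URI round-trips intact and the libpq keyword form needs no encoding at all.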
AKAMAI KONA | IJ26656 | LOG SOURCES USING THE AKAMAI KONA PROTOCOL CAN STOP PULLING EVENTS | OPEN | Workaround Toggling the affected Log Source can correct this issue when it occurs: perform a Disable and then an Enable of the affected Log Source. Issue Log Sources configured to use the Akamai Kona REST API Protocol can stop pulling events when an "UnknownHostException" is received by the protocol (for example, a DNS issue experienced during the protocol query). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider3427] java.net.UnknownHostException: akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.net: akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.net: unknown error |
30 July 2020 |
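The failure mode in IJ26656 is a poll loop that lets a single name-resolution error end the polling thread, so the log source silently stops until an administrator toggles it. The added example below, which is not IBM's protocol code, shows the shape of a loop that treats a resolver failure as transient and retries with backoff instead of propagating it. The resolver and fetcher are injected so the loop runs offline; the host name, the fake resolver and the event payload are constructed, and `socket.gaierror` stands in for Java's `UnknownHostException`.

```python
"""Added example, not IBM protocol code: a pull loop that survives a
transient DNS failure instead of ending the polling thread (the failure
mode IJ26656 describes). Resolver and fetcher are injected so this runs
offline; the host name and error sequence are constructed."""
import socket
import time


def poll_with_dns_retry(host, resolve, fetch, attempts=5, base_delay=0.0,
                        sleep=time.sleep):
    """Resolve `host` and call fetch(address). On socket.gaierror (the
    Python counterpart of Java's UnknownHostException) back off and retry
    rather than propagate; give up only after `attempts` tries.
    Returns (result, tries) or raises the last resolver error."""
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            address = resolve(host)
            return fetch(address), attempt
        except socket.gaierror as err:
            last_error = err
            # Exponential backoff, capped, so a flapping resolver is not hammered.
            sleep(min(base_delay * (2 ** (attempt - 1)), 60))
    if last_error is None:
        raise ValueError("attempts must be >= 1")
    raise last_error


class FlakyResolver:
    """Constructed stand-in for DNS: fails `failures` times, then answers."""

    def __init__(self, failures, answer="192.0.2.10"):
        self.failures = failures
        self.answer = answer
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        if self.calls <= self.failures:
            raise socket.gaierror(f"constructed: {host}: Name or service not known")
        return self.answer


def fetch_events(address):
    """Constructed fetcher: pretend to pull one page of events from `address`."""
    return [{"source": address, "event": "constructed-kona-event"}]


def demo(failures, attempts=5):
    """Run one poll against a resolver that fails `failures` times first.
    Returns (number_of_events, tries_needed)."""
    resolver = FlakyResolver(failures)
    events, tries = poll_with_dns_retry(
        "akab-example.cloudsecurity.akamaiapis.net",  # constructed host name
        resolver, fetch_events, attempts=attempts, sleep=lambda _seconds: None)
    return len(events), tries


def gives_up(failures, attempts=5):
    """True when the loop exhausts its attempts before the resolver recovers."""
    try:
        demo(failures, attempts)
    except socket.gaierror:
        return True
    return False
```

A poller written this way keeps the thread alive through the kind of outage the APAR describes and only surfaces the error once the retry budget is spent, at which point the log source status, not a silent stall, tells the administrator something is wrong.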
tbd | IJ32192 | ERROR WRITTEN TO QRADAR LOGGING: "THERE WAS AN ERROR READING AUTHENTICATION.PROPERTIES. SETTINGS WILL NOT BE RELOADED" | OPEN | Workaround Copy "/opt/qradar/conf/securityModel/authentication.properties" from the Console to the Managed Hosts in the QRadar deployment. See the following link for information on how to use the QRadar all_servers.sh command: https://www.ibm.com/support/pages/qradar-using-allserverssh-command. Issue An error message containing "There was an error reading authentication.properties. Settings will not be reloaded" can be observed in QRadar logging when a logon message was previously configured and QRadar is then patched. Messages similar to the following can also be visible in /var/log/qradar.log when this issue occurs:
com.ibm.si.securitymodel.authentication.settings.InvalidAuthenticationSettingsFileConfigurationException: Invalid value for Logon message found. securitymodel.authentication.logon.require_accept was set to true but securitymodel.authentication.logon.message empty. |
30 April 2021 |
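The exception text in IJ32192 names the exact invariant that is violated: `securitymodel.authentication.logon.require_accept` is true while `securitymodel.authentication.logon.message` is empty. Before or after patching, an administrator can check every host's copy of authentication.properties for that condition and diff it against the Console copy, which is what the workaround restores. The following is an added example, not IBM code: a small Java-properties reader plus the two checks. The property names come from the error text on this page; the key=value file layout and the two sample files are assumptions and constructed content, not real QRadar files.

```python
"""Added example (not IBM's code): sanity-check a QRadar
authentication.properties file for the inconsistency IJ32192 reports
(logon.require_accept=true while logon.message is empty) and diff a
managed host's copy against the Console copy. Property names are taken
from the error text on the page; the file layout is an assumption."""
import io

# Keys quoted in the APAR's error message.
REQUIRE_ACCEPT = "securitymodel.authentication.logon.require_accept"
MESSAGE = "securitymodel.authentication.logon.message"

# Constructed sample: the Console copy, with a wrapped logon message.
CONSOLE_COPY = """\
# constructed sample, not a real QRadar file
securitymodel.authentication.logon.require_accept=true
securitymodel.authentication.logon.message=Authorised use only. \\
  Activity is monitored.
"""

# Constructed sample: what a managed host can hold after patching.
MANAGED_HOST_COPY = """\
# constructed sample, not a real QRadar file
securitymodel.authentication.logon.require_accept=true
securitymodel.authentication.logon.message=
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!'
    comments, backslash line continuations. Returns stripped values."""
    props = {}
    pending = ""
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continuation: glue the next line on
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        for i, ch in enumerate(stripped):  # split on first unescaped '=' or ':'
            if ch in "=:" and (i == 0 or stripped[i - 1] != "\\"):
                key, value = stripped[:i], stripped[i + 1:]
                break
        else:
            key, value = stripped, ""
        props[key.strip()] = value.strip()
    return props


def check_logon_settings(props):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    require = props.get(REQUIRE_ACCEPT, "false").lower() == "true"
    if require and not props.get(MESSAGE, ""):
        problems.append(
            f"{REQUIRE_ACCEPT} is true but {MESSAGE} is empty; a host with this "
            "file logs 'There was an error reading authentication.properties. "
            "Settings will not be reloaded'")
    return problems


def diff_properties(console, host):
    """Keys whose value differs or is missing between the Console copy and a
    managed host's copy; the workaround is to push the Console copy out."""
    return sorted(k for k in set(console) | set(host)
                  if console.get(k) != host.get(k))
```

Run on the two constructed files, the Console copy passes, the managed-host copy reports the exact condition from the APAR, and the diff names `securitymodel.authentication.logon.message` as the key that the all_servers.sh copy would repair.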
ASSETS | IJ28539 | UPDATING AN ASSET USING THE QRADAR API WHEN THE ASSET HAS NO IP ADDRESS DEFINED FAILS WITH AN 'ILLEGAL ARGUMENT EXCEPTION' | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Perform the required asset update using the QRadar User Interface. Issue Deleting an asset's IP address results in the inability to update the asset through the API and generates an IllegalArgumentException. This is due to the verification process that determines whether the IP is in the security profile. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] com.q1labs.assetprofile.api.v3_1.AssetsAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not verify if the current user has permission to access domainid: [0], ipaddress: []
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] java.lang.IllegalArgumentException: Could not get domainId or ipAddress for asset [1460] !
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.canUserUpdateAsset(AssetsAPIImpl.java:278)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.updateAsset(AssetsAPIImpl.java:69)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.assetprofile.api.v3_1.AssetsAPI.updateAsset(AssetsAPI.java:140)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at sun.reflect.GeneratedMethodAccessor5608.invoke(Unknown Source)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:244)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:341)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:259)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (5792) /console/restapi/api/asset_model/assets/1460] at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter: |
23 February 2022 |
LOG SOURCE MANAGEMENT APP | IJ32804 | A NON-ADMIN USER ROLE USER CANNOT REASSIGN OR MOVE A LOG SOURCE TO A DIFFERENT GROUP USING LOG SOURCE MANAGEMENT APP | OPEN | Workaround Perform the required change using: LSM app > Menu > Previous Log Source Interface > Edit Issue When a non-admin user attempts to change the Log Source Group using the Log Source Management app (version 6.1 and 7.0), the changes are not saved. For example:
|
28 May 2021 |
REPORTS | IJ29558 | THE VALUE OF 'MOST RECENT RESULTS' IN AN OFFENSE REPORT DISPLAYS AS A NEGATIVE WHEN USING A DIFFERENT USER ACCOUNT | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue The value of 'Most Recent Results' in an offense report is negative when viewing as a different user account. For example:
|
04 December 2020 |
DSM EDITOR | IJ29955 | MISSING DATE FORMAT IN THE LINUX OS DSM EDITOR CAUSES THE SIMULATION PARSING TO FAIL | OPEN | Workaround Uncheck (deselect) the box for "Override system behavior" for "Log Source Time". DSM Editor information: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_dsm_ed_overview.html. Issue A missing date format in the Linux OS DSM Editor causes the simulation parsing to fail. The DSM Editor does not parse or show events in the Log Activity Preview when a time-type event property has no date format; a NullPointerException is thrown instead. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Unable to complete parsing simulation
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse(ApplicationAPIImpl.java:1070)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.simulateParse(ApplicationAPI.java:410)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] ... 61 more
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] Caused by:
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] java.lang.NullPointerException
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:609)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:591)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyParser.initializeExpression(DatePropertyParser.java:46)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<init>(PropertyParser.java:34)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<init>(PropertyParser.java:75)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyParser.<init>(DatePropertyParser.java:28)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParserFactory.getPropertyParser(PropertyParserFactory.java:39)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPropertyParsers(ParserSimulator.java:120)
[tomcat.tomcat] [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse(ApplicationAPIImpl.java:1060)
[tomcat.tomcat] [xxx@xxxxx /console/restapi/api/application/data_ingestion/simulate] ... 68 more |
18 December 2020 |
QRADAR NETWORK INSIGHTS | IJ33716 | QNI PERFORMANCE DEGRADATION CAN OCCUR WHEN RUNNING IN ADVANCED MODE WITH A LARGE AMOUNT OF TLS TRAFFIC | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround On the console and each QNI host:
Issue QRadar Network Insights (QNI) performance degradation can occur when running in advanced mode with a large amount of TLS traffic in the network environment. This is because the decapper processes every X.509 certificate as a file, so all of them are passed through Tika unnecessarily. |
2 February 2020 |
X-FORCE | IJ08964 | RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY | OPEN | Workaround No workaround available. Issue The plugin option "X-Force Exchange Lookup" is not available when right-clicking the URL item of an event in an AQL query result in Log Activity. The "X-Force Exchange Lookup" right-click option is available in a normal search result. |
16 October 2018 |
DISCONNECTED LOG COLLECTOR (DLC) | IJ29148 | DISCONNECTED LOG COLLECTOR (DLC) CAN FAIL TO RECEIVE EVENTS AFTER AN INTERRUPTION IN NETWORK CONNECTIVITY | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue When there is an interruption in the network connectivity between a Disconnected Log Collector (DLC) and QRadar, some events can be missing due to the way in which the disconnect and reconnect is handled with regard to the handshake and socket monitoring. |
16 November 2020 |
NETWORK | IJ26509 | QCHANGE_NETSETUP FAILS WHEN AN APPLIANCE TIMEZONE IS SET WHERE NO CITY/REGION IS SELECTED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround In QRadar System and License Management, set the timezone of the affected appliance to one that includes region and city (for example, "Europe/Dublin") and run qchange_netsetup again. Issue Using the qchange_netsetup command from the QRadar command line (for example, to change an appliance hostname) can fail during the completion process when a timezone with no City/Region is selected for that appliance within System and License Management. Messages similar to the following might be displayed when this issue is occurring during qchange_netsetup:
May 27 17:27:35 qradar_netsetup.py[31813]: qradar_netsetup finalBlock [ERROR] KeyError: 'Eire'
May 27 17:27:35 qradar_netsetup.py[31813]: ibm_logging error [ERROR] Failed. Exit code: 1. Case 1. |
2 February 2022 |
LOG ACTIVITY | IJ34165 | QRADAR APP LOGGING CAN CAUSE UNKNOWN SIM GENERIC EVENTS TO BE DISPLAYED IN THE USER INTERFACE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue QRadar App logging can incorrectly direct events into the QRadar event pipeline. When this occurs, SIM Generic events can be generated and displayed in the User Interface. Example of messages that can be seen generated from the User Behavior Analytics app when this occurs:
<14>1 2021-05-09T23:47:22+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Detected QRadar version: 742
<14>1 2021-05-09T23:47:00+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Post app configs to ML response: Token successfully updated
<14>1 2021-05-09T23:46:59+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Calling qradar api on /console/plugins/1851/app_proxy/get_usecase_count returned status code 200
<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] ML Pipeline app id=1851, status=RUNNING
<14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking appliance hardware (RAM) is > 2097152
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] Checking if ML pipeline app present and getting appID.
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] SEC token main UBA app present.
<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - [NOT:0000006000] An SEC Token has been configured |
05 August 2021 |
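The messages in IJ34165 are RFC 5424 syslog lines whose HOSTNAME is a container id and whose MSG starts with a QRadar notification code, which is what distinguishes app-framework logging from an event a monitored source sent. The following is an added example, not QRadar code, of a parser and triage filter that separates such lines from ordinary events so an analyst can account for the SIM Generic noise. Two of the sample lines are copied from the APAR text above; the sshd line is constructed, and the container-id and notification-code heuristics are the author's assumptions, not documented QRadar behaviour.

```python
"""Added example, not QRadar code: parse RFC 5424 syslog lines of the
shape shown in IJ34165 and flag the ones that are QRadar app-container
log output rather than security events. Two sample lines come from the
page; the sshd line is constructed. The heuristics are assumptions."""
import re

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# QRadar framework logging prefixes its messages with a notification code.
_NOTIFICATION = re.compile(r"^\[NOT:(?P<code>\d{10})\]\s*(?P<text>.*)$")
# Assumption: a bare hex container id appears as HOSTNAME for app logs.
_CONTAINER_HOST = re.compile(r"^[0-9a-f]{12,64}$")

SAMPLE_LINES = [
    # Copied from the APAR text above.
    "<14>1 2021-05-09T23:47:22+0000 7af7bf83d639e752 UserAnalytics 1803 - - "
    "[NOT:0000006000] Detected QRadar version: 742",
    "<14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics 1803 - - "
    "[NOT:0000006000] An SEC Token has been configured",
    # Constructed: an ordinary event from a monitored host.
    "<85>1 2021-05-09T23:46:50+0000 bastion01 sshd 4121 - - Failed password "
    "for invalid user admin from 198.51.100.7 port 51022 ssh2",
]


def parse_rfc5424(line):
    """Return a dict of header fields plus facility/severity and any QRadar
    notification code found at the start of MSG; None if not RFC 5424."""
    m = _RFC5424.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    n = _NOTIFICATION.match(rec["msg"])
    rec["notification_code"] = n.group("code") if n else None
    return rec


def is_app_log_line(rec):
    """Heuristic: container-id hostname plus a notification code marks
    framework/app logging, not an event from a monitored log source."""
    return (bool(_CONTAINER_HOST.match(rec["host"]))
            and rec["notification_code"] is not None)


def triage(lines):
    """Split lines into (app_log_records, event_records); unparsable lines
    are dropped."""
    app_log, events = [], []
    for line in lines:
        rec = parse_rfc5424(line)
        if rec is None:
            continue
        (app_log if is_app_log_line(rec) else events).append(rec)
    return app_log, events
```

Over the three sample lines the two UserAnalytics messages land in the app-log bucket (facility 1 user, severity 6 informational, code 0000006000) and the sshd line is kept as an event. The same test can be expressed as a Log Activity filter on the payload prefix and on a non-hostname HOSTNAME field while the APAR remains open.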
SERVICE | IJ34835 | QRADAR ECS-EC-INGRESS SERVICE CAN STOP PROCESSING EVENTS DUE TO A NULL EVENT | OPEN | Workaround Restart the QRadar event collection service: Admin tab > Advanced > Restart Event Collection Services. Issue The QRadar ecs-ec-ingress service can stop processing events when a null event is received. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][10.153.24.147/- -] [-/- -]Exception was uncaught in thread: Thread-45
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] java.lang.NullPointerException
[ecs-ec-ingress.ecs-ec-ingress] [Thread-45] at com.ibm.si.ecingress.filters.QueuedEventThrottleFilter$ThrottleProcessor.run(QueuedEventThrottleFilter.java:349) |
10 September 2021 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO POSSIBLE INFORMATION DISCLOSURE IN A MULTI-DOMAIN DEPLOYMENT | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124) Affected versions IBM QRadar 7.4.3 GA to 7.4.3 Fix Pack 1 (SFS files only) IMPORTANT FLASH NOTICE The QRadar Support team issued a flash notice for this issue for users on QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1 with domains enabled. For more information, see: https://www.ibm.com/support/pages/node/6480739. Issue IBM QRadar SIEM when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. CVSS Base score: 5.3. |
12 August 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM USES WEAKER THAN EXPECTED CRYPTOGRAPHIC ALGORITHMS | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
CVE-2021-20337: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9 |
23 July 2021 | |
SECURITY BULLETIN | IBM DISCONNECTED LOG COLLECTOR IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in Disconnected Log Collector (DLC) V1.6 Affected versions IBM Disconnected Log Collector V1.0 to V1.5 Issue
|
10 August 2021 | |
SECURITY BULLETIN | USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM PERFORMS IMPROPER CSRF CHECKING FOR SOME COMPONENTS | CLOSED | Resolved in User Behavior Analytics V4.1.2 Affected versions All User Behavior Analytics versions Issue CVE-2021-29757: IBM QRadar User Behavior Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3 |
30 July 2021 | |
SECURITY BULLETIN | IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in IBM QRadar Network Packet Capture 7.3.3 Patch 7 (Build 17) IBM QRadar Network Packet Capture 7.4.3 Fix Pack 1 (Build 1302) Affected versions
|
30 July 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
|
27 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
CVE-2021-20399: IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1 |
26 July 2021 | |
SECURITY BULLETIN | GRUB2 AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
|
26 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
|
23 July 2020 | |
SECURITY BULLETIN | APACHE PDFBOX AS USED BY IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO DENIAL OF SERVICE | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Affected versions
|
23 July 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM USES LESS SECURE METHODS FOR SECURING DATA AT REST AND IN TRANSIT BETWEEN HOSTS | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
CVE-2020-4980: IBM QRadar SIEM uses less secure methods for protecting data in transit between hosts when encrypt host connections is not enabled as well as data at rest. CVSS Base score: 5.3 |
15 July 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM USES LESS SECURE METHODS FOR SECURING DATA AT REST AND IN TRANSIT BETWEEN HOSTS | CLOSED | Resolved in the 11 July 2021 QRadar weekly auto update. Administrators who manually update RPM files might be required to install the following files from IBM Fix Central: PROTOCOL-RabbitMQ-7.3-20210505121416.noarch.rpm PROTOCOL-RabbitMQ-7.4-20210505121348.noarch.rpm Affected versions
CVE-2020-36282: JMS Client for RabbitMQ could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending a specially-crafted StreamMessage data, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 |
18 July 2021 | |
SECURITY BULLETIN | IBM SECURITY QRADAR ANALYST WORKFLOW APP FOR IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES | CLOSED | Resolved in IBM Security QRadar Analyst Workflow V1.18.1 Affected versions IBM Security QRadar Analyst Workflow App V1.0 to V1.18.0 Issue CVE-2021-20396: IBM QRadar allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4 |
10 June 2021 | |
SECURITY BULLETIN | IBM QRADAR ADVISOR WITH WATSON APP FOR IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED | Resolved in IBM QRadar Advisor with Watson App V2.6.1 Affected versions IBM QRadar Advisor with Watson App V1.1 to V2.5 Issue CVE-2021-20380: IBM QRadar could allow a remote user to obtain sensitive information from HTTP requests that could aid in further attacks against the system. CVSS Base score: 5.3 |
02 June 2021 | |
SECURITY BULLETIN | USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO OVERLY PERMISSIVE CORS POLICY | CLOSED | Resolved in QRadar User Behavior Analytics V4.1.1 or later Affected versions QRadar User Behavior Analytics V1.0.0 to V4.1.0 Issue CVE-2021-20429: IBM QRadar User Behavior Analytics could disclose sensitive information due an overly permissive cross-domain policy. CVSS Base score: 3.7 |
13 May 2021 | |
SECURITY BULLETIN | USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING | CLOSED | Resolved in QRadar User Behavior Analytics V4.1.0 or later Affected versions QRadar User Behavior Analytics V1.0.0 to V4.0.1 Issue CVE-2021-20392: IBM QRadar User Behavior Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1 |
13 May 2021 | |
SECURITY BULLETIN | USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED | Resolved in QRadar User Behavior Analytics V4.1.1 or later Affected versions QRadar User Behavior Analytics V1.0.0 to V4.1.0 Issue CVE-2021-20393: IBM QRadar User Behavior Analytics could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. CVSS Base score: 5.3 |
13 May 2021 | |
SECURITY BULLETIN | USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES | CLOSED | Resolved in QRadar User Behavior Analytics V4.1.1 or later Affected versions QRadar User Behavior Analytics V1.0.0 to V4.1.0 Issue CVE-2021-20391: IBM QRadar User Behavior Analytics allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4 |
13 May 2021 | |
HIGH AVAILABILITY (HA) | IJ32545 | HIGH AVAILABILITY (HA) JOIN PROCESS FAILS WHEN SECONDARY APPLIANCE IS MISSING /SSH DIRECTORY | CLOSED | Workaround
Issue In instances where a High Availability (HA) Secondary host does not have a .ssh directory, the HA pair creation process fails with messaging stating that there are issues with the SSH keys and to check the provided password. Messages similar to the following might be visible in /var/log/setup-XXX/qradar_hasetup.log when this issue occurs: /opt/qradar/ha/bin/ha_setup.sh: line 3257: /root/.ssh/authorized_keys: No such file or directory |
12 August 2021 |
UPGRADE | IJ33138 | QRADAR UPGRADE PRETEST CAN FAIL ON THE RAMCHECK DUE TO KB VALUE BEING RETURNED | CLOSED | Workaround Contact Support for a possible workaround that might address this issue in some instances. This issue is closed as a permanent restriction. At this time there is no current plan for this item, but it will be revisited if further customer issues are raised. Issue The QRadar upgrade pretest can fail on the ramcheck when dmidecode -t 17 reports the memory size in KB, because the patch pretest expects an MB or GB value. This behavior has been seen on Hyper-V environments. Messages similar to the following might be visible when this issue occurs: Traceback (most recent call last): File "/media/updates/pretests/ramcheck.py", line 181, in |
12 August 2021 |
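IJ33138 is a unit-handling defect: the pretest sums the "Size:" lines of `dmidecode -t 17` but only understands MB and GB, and Hyper-V reports KB. The following is an added example, not IBM's pretest code, that shows a parser with that limitation beside one that normalises any unit before summing and skips unpopulated slots. The dmidecode excerpt is constructed (real output has many more fields per device), and the minimum-RAM figure is a placeholder for whatever the appliance profile requires.

```python
"""Added example (not IBM's pretest code): parse the 'Size:' lines of
`dmidecode -t 17` robustly, accepting KB as well as MB/GB/TB, and show
the MB/GB-only parser that IJ33138 describes failing. The excerpt below
is constructed, not real dmidecode output."""
import re

# Constructed excerpt: one device sized in MB, one Hyper-V style device
# sized in kB, and one empty slot that must be skipped, not counted.
SAMPLE_DMIDECODE_T17 = """\
Handle 0x0011, DMI type 17, 40 bytes
Memory Device
\tSize: 16384 MB
\tLocator: DIMM 0
Handle 0x0012, DMI type 17, 40 bytes
Memory Device
\tSize: 8388608 kB
\tLocator: DIMM 1
Handle 0x0013, DMI type 17, 40 bytes
Memory Device
\tSize: No Module Installed
\tLocator: DIMM 2
"""

_UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2,
               "GB": 1024 ** 3, "TB": 1024 ** 4}
# Only numeric sizes match; "No Module Installed" is ignored by design.
_SIZE_RE = re.compile(r"^\s*Size:\s*(\d+)\s*([KMGT]?B)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def naive_total_mb(text):
    """Mirrors the failure mode on this page: only MB and GB are understood;
    any other unit raises, which is what surfaces as the pretest traceback."""
    total = 0
    for number, unit in _SIZE_RE.findall(text):
        unit = unit.upper()
        if unit == "MB":
            total += int(number)
        elif unit == "GB":
            total += int(number) * 1024
        else:
            raise ValueError(f"unexpected unit {unit!r} in dmidecode output")
    return total


def total_installed_mb(text):
    """Sum every populated memory device, normalising the unit to MB."""
    total_bytes = sum(int(number) * _UNIT_BYTES[unit.upper()]
                      for number, unit in _SIZE_RE.findall(text))
    return total_bytes // _UNIT_BYTES["MB"]


def ram_check(text, minimum_mb):
    """True when installed RAM meets the minimum the appliance profile needs
    (minimum_mb is a placeholder; use the value for your appliance type)."""
    return total_installed_mb(text) >= minimum_mb


def naive_parser_fails(text):
    """True when the MB/GB-only parser would abort on this output."""
    try:
        naive_total_mb(text)
    except ValueError:
        return True
    return False
```

On the constructed output the unit-aware parser reports 24576 MB (16384 MB plus 8388608 kB), while the MB/GB-only parser aborts on the kB line exactly as the pretest did; the same check can be run by hand against `dmidecode -t 17` on a Hyper-V appliance before opening a case.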
LOG SOURCE MANAGEMENT APP | IJ29050 | QRADAR NON-ADMIN USER CANNOT VIEW SOME LOG SOURCE GROUPS USING THE LOG SOURCE MANAGEMENT APP | CLOSED | Resolved in Log Source Management app v7.0.2 when installed on QRadar 7.3.3 FixPack 9, 7.4.2 FixPack 3, or 7.4.3 FixPack 1. Workaround Create a top-level Log Source group for use with Security Profile assignment. Issue A QRadar non-admin user cannot view Log Source groups in the Log Source Management app when the Security Profile is set to a nested Log Source group. For example,
|
12 August 2021 |
RULES | IJ18492 | /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. Issue An exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill the /var/log partition. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java:263)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java:226)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java:237)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java:81)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464) |
12 August 2021 |
RULES | IJ33794 | MATCH COUNT RULES DO NOT GENERATE AN OFFENSE RENAMING EVENT AFTER IT IS CLOSED IF IT IS RE-TRIGGERED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. Administrators who experience offense renaming event generation issues can upgrade to a version where this issue is resolved. Issue Match count rules that have a response configured to send an Offense renaming event should send that event again when the Offense associated with the rule is closed and the rule continues to trigger. Instead, no renaming event is generated for the re-triggered Offense. |
06 August 2021 |
AUTO UPDATE | IJ33892 | AUTO UPDATE FOR 20 JULY 2021 CAN ROUTE EVENTS TO STORAGE AFTER A DSM COMMON RPM UPDATE | CLOSED | Resolved in This fix is available in the weekly auto update for 22 July 2021 (Build 1626984260) and in the following RPM on IBM Fix Central: DSM-DSMCommon-7.4-20210721162935.noarch.rpm. Administrators can run a QRadar auto update to resolve the issue described in the flash notice: Flash Notice for IJ33892. Workaround Administrators who experienced the issue described in IJ33892 received the updated DSM Common (codegen JAR) automatically from QRadar Auto Updates on 22 July 2021 as described in the Overview article for IJ33892. Issue The QRadar auto update released on 20 July 2021 introduced a problem where the Traffic Analysis service that auto discovers and creates log sources no longer works as expected due to a class loading issue. For customers with affected log sources configured on their QRadar appliances, the event pipeline can experience an uncaught exception, which causes events to be routed directly to storage. QRadar SIEM 7.4.x on-premise and QRadar on Cloud versions with DSMCommon-7.4-20210624145517.noarch.rpm installed from the 20 July 2021 auto update can experience this issue. The following DSMs can cause exceptions to be generated in the logs as described in the flash notice:
|
24 July 2021 |
RULES | IJ23172 | RULENAME (CREEVENTLIST): AQL FUNCTION IN A RULE CAN GENERATE AN UNCAUGHT EXCEPTION CAUSING RULE AND OFFENSE FAILURES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Disable the rule or remove the RULENAME(creeventlist) AQL function from the rule. Issue Having the RULENAME(creeventlist) AQL function in a rule condition causes a custom rule read failure that generates an uncaught exception. When this issue occurs, rules fail to fire and offenses fail to be created. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [Thread-75] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Thread-75 [ecs-ep.ecs-ep] [Thread-75] java.lang.ExceptionInInitializerError [ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.ensureError(J9VMInternals.java:146) [ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:135) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.searches.subquery.CursorPredicate.initialize(DistinctScalarTransformer.java:57) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.IndexPredicate.initialize(IndexPredicate.java:234) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.AQL_Test.setParms(AQL_Test.java:73) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:121) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRule.<init>(CustomRule.java:178) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(CustomRuleReader.java:742) [ecs-ep.ecs-ep] [Thread-75] at 
com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332) [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:217) [ecs-ep.ecs-ep] [Thread-75] Caused by: [ecs-ep.ecs-ep] [Thread-75] java.lang.IllegalStateException: AccessManager instance is allowed only in the application ariel |
12 July 2021 |
UPGRADE | IJ25316 | QRADAR PATCHING CAN FAIL DUE TO A LARGE NUMBER OF SESSION SCOPE FILES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Running the following command on QRadar appliances can determine if a very large number of session scope files exist (> 1000) prior to commencing a QRadar patch: find /run/systemd/system/ -name "session-*.scope" | wc -l Issue QRadar patches can fail when a very large number of session scope files exist. On appliances with greater than 1000 session scope files, an appliance reboot is recommended to clear the session files prior to commencing the QRadar patching process. |
12 July 2021 |
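Added example, not part of the APAR or of QRadar: a pre-patch check that wraps the count from the workaround above in a script that exits non-zero when the threshold is exceeded, so it can gate a patch run rather than relying on someone reading the number. The directory and the 1000-file threshold come from the workaround text; the function names, the --check flag and the environment overrides are assumptions of this script.

```shell
#!/bin/sh
# Pre-patch check for IJ25316: count systemd session scope files and refuse
# to proceed when there are more than the threshold the APAR cites (1000).
# Directory and threshold default to the values in the workaround; both can
# be overridden through the environment or the function arguments.
SCOPE_DIR=${SCOPE_DIR:-/run/systemd/system}
SCOPE_LIMIT=${SCOPE_LIMIT:-1000}

# Print the number of session-*.scope files under the given directory
# (the session-N.scope.d drop-in directories are not counted).
count_session_scopes() {
    find "${1:-$SCOPE_DIR}" -name 'session-*.scope' 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when patching can proceed, 1 when a reboot is recommended first.
session_scope_precheck() {
    dir=${1:-$SCOPE_DIR}
    limit=${2:-$SCOPE_LIMIT}
    n=$(count_session_scopes "$dir")
    if [ "$n" -gt "$limit" ]; then
        echo "WARN: $n session scope files in $dir (limit $limit): reboot before patching" >&2
        return 1
    fi
    echo "OK: $n session scope files in $dir (limit $limit)"
}

# Run the check only when invoked with --check, so the file can also be
# sourced. Example: sh session_scope_precheck.sh --check && <run the patch installer>
case "${1:-}" in
    --check) shift; session_scope_precheck "$@" ;;
esac
```

The check is deliberately read-only: the APAR's remedy for a high count is a reboot, so the script only reports and returns an exit status for the operator or the patch wrapper to act on.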
OFFENSES | IJ27803 | 'APPLICATION ERROR' CAN OCCUR WHEN SEARCHING MULTIPLE IP ADDRESSES IN "BY SOURCE/DESTINATION IP" IN OFFENSES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Return to the search and ensure that comma-separated lists contain no spaces when they are entered into the UI: 1.1.1.1,2.2.2.2,127.0.0.1 Issue Under Offenses > New Search > By Source/Destination IP, an "Application Error" can occur when searching multiple IPs in Source/Destination IP if the listed IP addresses have either trailing or leading spaces. To replicate this issue:
|
12 July 2021 |
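Added example, not from the APAR: a POSIX shell helper that normalizes a comma-separated IP list the way the workaround requires (it strips the leading and trailing spaces that trigger the Application Error) and then refuses any token that is not a dotted-quad IPv4 address, so a malformed list is caught before it reaches the search form or the REST API. IPv4-only validation and the function names are assumptions of this helper.

```shell
#!/bin/sh
# Helper for IJ27803: normalize a comma-separated IP list before pasting it
# into the Offenses search (or sending it to the REST API). The UI fails on
# leading/trailing spaces, so every whitespace character is removed and each
# token is then checked to be a dotted-quad IPv4 address (IPv4-only is an
# assumption of this helper).

# Succeed only if $1 is a.b.c.d with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# Print the normalized list on stdout; return 1 and print nothing on stdout
# if the list is empty or any token is empty or not an IPv4 address.
normalize_ip_list() {
    list=$(printf '%s' "$1" | tr -d '[:space:]')
    out=""
    old_ifs=$IFS
    IFS=,
    for ip in $list; do
        if ! is_ipv4 "$ip"; then
            IFS=$old_ifs
            echo "invalid address in list: '$ip'" >&2
            return 1
        fi
        out="${out:+$out,}$ip"
    done
    IFS=$old_ifs
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Example: normalize_ip_list ' 1.1.1.1, 2.2.2.2 ,127.0.0.1 '
# prints 1.1.1.1,2.2.2.2,127.0.0.1
```

Rejecting empty tokens (a doubled comma) and out-of-range octets is stricter than the workaround asks for, but it keeps the same class of input error from surfacing later as an opaque Application Error.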
NETWORK | IJ28218 | DNS VALUES MISSING FROM RESOLVE.CONF AND MYVER ON LENOVO M5 AND M6 QRADAR APPLIANCE INSTALLATIONS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround This issue was reopened on 18 July 2021 as it was mistakenly closed. No workaround available. APARs identified with no workaround might require a software delivery to resolve. This reported issue will be considered for a future release. Issue During QRadar installations on Lenovo M5 and M6 appliances, DNS values are not set in /opt/qradar/bin/myver or /etc/resolv.conf. This causes name resolution failures, and working name resolution is required for proper QRadar functionality. |
2 February 2022 |
NETWORK | IJ28643 | LARGE AMOUNT OF REVERSE DNS LOOKUPS CAN BE GENERATED FROM QRADAR DUE TO MISSING CONFIGURATION WHEN NO IPV6 NETWORK CONFIG | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround
Issue A large number of reverse DNS lookups can sometimes be observed and traced back to QRadar as the originator. This behavior can occur when the QRadar appliance install is performed (or when qchange_netsetup is run) and the appliance is not configured with IPv6 settings. In these instances, the "::1" entry for localhost is removed from /etc/hosts.default. |
24 July 2021 |
QRADAR VULNERABILITY MANAGER | IJ29156 | "QVM PROCESSOR ALREADY EXISTS ON DEPLOYMENT..." WHEN ADDING A QVM PROCESSOR APPLIANCE. | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Disable the QVM processor (de-select Enable Processor) and deploy the changes. This removes the processor and all QVM scanners from the deployment. Add the QVM processor appliance and all scanners that were removed, and deploy the changes. For more information on moving a QVM processor while performing steps to remove it first, see Moving your vulnerability processor to a managed host or console. Note This workaround assumes that a valid QVM license is applied; it does not apply if no valid QVM license is present. Issue When attempting to add a QVM processor appliance, a message similar to the following is displayed: "QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first." [hostcontext.hostcontext][9d70a275-690d-4c5d-9b22-1044832065ab/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first. The IP of the host is: x.x.x.x. [tomcat.tomcat] [Thread-164313] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host x.x.x.x from the deployment model, if present, due to add_host failure. [tomcat.tomcat] [Thread-164313] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first. [tomcat.tomcat] [Thread-164313] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: QVM Processor already exists on deployment. 
If you wish to continue, remove the existing processor first. [tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924) [tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:1003) [tomcat.tomcat] [Thread-164313] com.q1labs.configservices.common.ConfigServicesException: QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first. [tomcat.tomcat] [Thread-164313] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:893) |
12 July 2021 |
NETWORK | IJ29164 | RENAMING A NETWORK CAN BREAK RELATED RULES, SEARCHES, AND REPORTS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Manually change the network name where it is not updated automatically by QRadar (Rules, Searches, Reports). Issue After renaming a network, the network name change is not reflected in all the areas of QRadar where that network name is used. The network renaming change is reflected in the Offenses tab but not within rules, searches, and reports. For example:
|
12 July 2021 |
ADVANCED SEARCH (AQL) | IJ29293 | USING "INOFFENSE()" WITHIN AN ADVANCED SEARCH (AQL) CAN BE SLOWER TO COMPLETE THAN EXPECTED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround No workaround available, you must upgrade to a QRadar version where this issue is resolved. Issue Using the "inOffense(n)" function in an Advanced Search (AQL) query where offense "n" has a large number of events causes the query to complete more slowly than expected. This can also affect any QRadar apps that use the same backend functionality to produce data or search results. |
12 July 2021 |
DISK SPACE | IJ30017 | DISKSPACE SENTINEL MONITORS DOCKER PARTITIONS AND CAN GENERATE DISK SENTRY NOTIFICATION MESSAGES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The QRadar Disk Space sentinel monitors docker partitions and can therefore generate an error similar to the following: "Disk Sentry has detected that one or more storage partitions are not accessible." Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Thread-4076] com.q1labs.hostcontext.ds.DiskSpaceSentinel: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error testing availability of partition /store/docker-data/engine/VMware-42-26-/containers/{containerid}/mounts/shm, assuming NOT available [hostcontext.hostcontext] [Thread-4076] java.io.IOException: No such file or directory [hostcontext.hostcontext] [Thread-4076] at java.io.UnixFileSystem.createFileExclusively(Native Method) [hostcontext.hostcontext] [Thread-4076] at java.io.File.createTempFile(File.java:2035) [hostcontext.hostcontext] [Thread-4076] at com.q1labs.hostcontext.ds.PartitionTester$PartitionTesterThread.run(PartitionTester.java:180) |
12 July 2021 |
UPGRADE | IJ30039 | QRADAR PATCHING TO 7.4.1 FP2 CAN FAIL AT HOSTNAME VALIDATION | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available, you must upgrade to a QRadar version where this issue is resolved. Issue The QRadar patching process to 7.4.1 FP 2 can fail due to hostname naming validation. If, while building a High Availability (HA) setup, the primary is named hostname-primary.domainname, when HA is added, the hostnames are:
|
12 July 2021 |
PERFORMANCE | IJ30512 | EVENT COLLECTOR SECONDARIES AND EVENT COLLECTOR SOFTWARE APPLIANCES CAN EXPERIENCE DEGRADED PERFORMANCE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround if degraded performance is experienced on Event Collector Secondary (High Availability) appliances or Event Collector software appliances. Issue QRadar can experience degraded performance when running on Event Collector Secondary appliances or Event Collector software appliances compared to the Primary or standalone Event Collector appliances of the same hardware specifications due to a setting that is not properly applied from the apply_appliance_tuning.pl script. |
12 July 2021 |
QRADAR NETWORK INSIGHTS | IJ30678 | MP4PARSER WITHIN QRADAR NETWORK INSIGHTS CAN CAUSE THE /STORE/FORENSICS/TMP DIRECTORY TO FILL AND STOP SERVICES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available, you must upgrade to a QRadar version where this issue is resolved. Issue When using QRadar Network Insights, the MP4parser can cause /store/forensics/tmp to fill up, which in turn causes services to stop. |
12 July 2021 |
RULES | IJ30912 | RULES CAN SOMETIMES FAIL TO RENAME OFFENSES AS EXPECTED, USING INSTEAD THE LOW LEVEL CATEGORY OF THE CONTRIBUTING EVENT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available, you must upgrade to a QRadar version where this issue is resolved. Issue In some instances where an Offense is closed, the rules that generate a subsequent Offense can fail to rename that Offense as expected, and the Offense is created again with a different name that usually corresponds to the Low Level Category (LLC) of the contributing event. For example:
|
12 July 2021 |
FLOWS | IJ33287 | ICMPV6 FLOW TRAFFIC DATA FROM QNI FAILS TO BE DISPLAYED AFTER PATCHING TO QRADAR 7.4.3 GA | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround No workaround available, you must upgrade to a QRadar version where this issue is resolved. Issue ICMPv6 flow data from QRadar Network Insights fails to be displayed in QRadar searches after patching to QRadar 7.4.3 GA. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2] com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Exception processing file:/store/ariel/flows/records/2021/3/5/13/flows~18_0~d 3e271fa8ea44f9~bfeaa0b4316aba3c~0,skipped... executing query:Id:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2, DB: |
12 July 2021 |
MANAGED HOSTS | IJ33703 | ENCRYPTED TUNNEL BETWEEN MANAGED HOSTS CAN FAIL TO START AFTER PATCHING TO QRADAR 7.4.3 FP1 OR NEWER | CLOSED | Resolved in 7.5.0 Update Pack 4 (7.5.0.20221129155237) Note: This APAR has been identified as a known issue in QRadar 7.4.3 Fix Pack 1 and later versions. Workaround If you are unable to upgrade, run the following command from an SSH session to the QRadar Console after the host(s) are added to the deployment: /opt/qradar/bin/deploy_known_hosts.sh Issue An encrypted tunnel between two Managed Hosts that were installed at an earlier build and then patched independently to QRadar 7.4.3 Fix Pack 1 or newer can fail to start. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: hostname-primary.fqdn ssh[31216]: debug1: expecting SSH2_MSG_KEX_ECDH_REPLY hostname-primary.fqdn ssh[31216]: debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9bmfZQ2qbj5zYrT3Fo5K04gKOevEic4S36baS1x4i6o hostname-primary.fqdn ssh[31216]: No ECDSA host key is known for (ipaddress) and you have requested strict checking. hostname-primary.fqdn ssh[31216]: Host key verification failed. hostname-primary.fqdn systemd[1]: managed-tunnel@1734707364450525150.service: main process exited, code=exited, status=255/n/a hostname-primary.fqdn systemd[1]: Unit managed-tunnel@1734707364450525150.service entered failed state. hostname-primary.fqdn systemd[1]: managed-tunnel@1734707364450525150.service failed. |
10 July 2021 |
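Added example, not part of QRadar or of this APAR: a check for whether a managed host's key is already present in the Console's known_hosts file, which is exactly what the strict host key check in the log above is failing on. It uses ssh-keygen -F when available (the only reliable way to match hashed HashKnownHosts entries) and falls back to a plain-text match of the host field otherwise. The default path /root/.ssh/known_hosts and the function name are assumptions; the known_hosts content in the usage notes is constructed.

```shell
#!/bin/sh
# Check for IJ33703: is a managed host's SSH host key already present in the
# Console's known_hosts file? The tunnel runs ssh with strict host key
# checking, so a missing entry produces the "No ECDSA host key is known ...
# Host key verification failed" lines in the APAR.
# Usage: known_host_present <host-or-ip> [known_hosts file]
# Returns 0 if present, 1 if absent, 2 if the file cannot be read.
known_host_present() {
    host=$1
    file=${2:-/root/.ssh/known_hosts}   # assumed default location
    [ -r "$file" ] || return 2
    if command -v ssh-keygen >/dev/null 2>&1; then
        # ssh-keygen -F also matches hashed (HashKnownHosts) entries.
        if ssh-keygen -F "$host" -f "$file" >/dev/null 2>&1; then
            return 0
        fi
        return 1
    fi
    # Fallback: compare against the comma-separated host field of each
    # plain-text entry; hashed entries (|1|...) cannot be matched this way.
    awk -v h="$host" '
        /^[ \t]*#/ { next }
        NF == 0 { next }
        {
            f = ($1 ~ /^@/) ? $2 : $1     # skip @cert-authority / @revoked markers
            n = split(f, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Example (after a failed tunnel start), using the workaround script when the
# key is absent:
#   known_host_present 10.0.0.5 || /opt/qradar/bin/deploy_known_hosts.sh
```

Note that presence is not the same as correctness: if the entry exists but the host was reinstalled with a new key, ssh reports a changed key rather than an unknown one, and that case deserves a manual fingerprint comparison before anything is re-distributed.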
CONTENT MANAGEMENT TOOL (CMT) | IJ32874 | CONTENT MANAGEMENT TOOL IMPORT CAN CHANGE SOME PROPERTIES CAUSING SAVED SEARCHES TO FAIL | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Manually update the search so that the property passes through a type conversion function. In this example, replace sum("BytesSent") with sum(DOUBLE("BytesSent")) Before SELECT sum("BytesSent") / 1073741824 As "Bytes Sent(GB)" FROM events After SELECT sum(DOUBLE("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events Issue When the Content Management Tool (CMT) imports a property with a "bad" name, it adds a "facade" property with that name instead and points the AQL expression to a property with a "good" name. Example AQL: SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events Property "BytesSent" used to have a numeric property type. When CMT imports it, it is merged into a property with the good name "Bytes Sent" (property type is also numeric), but a replacement facade property "BytesSent" is added with the type string, so the aggregate over "BytesSent" no longer receives a number and the query fails to parse. 
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1.73/- -] [-/- -]Expression "BytesSent" is not a Number [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.AQLParserException: Expression "BytesSent" is not a Number tinationip, DOUBLE(sum("BytesSent")) / 1^ [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo(ParserBase.java:896) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:198) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:206) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processArithmeticExpression(ParserBase.java:226) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:372) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(ParserBase.java:432) 
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:494) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1435) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1662) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:173) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:68) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] at java.lang.Thread.run(Thread.java:822) |
27 May 2021 |
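Added example, not from the APAR: a shell function that applies the workaround's type-conversion rewrite to an AQL statement, wrapping every sum("...") and avg("...") over a quoted property in DOUBLE(), so a large set of saved searches can be fixed in a loop instead of by hand. It is idempotent (aggregates that are already wrapped are left alone). The function name, and the choice to touch only sum() and avg() while leaving min()/max() alone, are assumptions of this helper.

```shell
#!/bin/sh
# Rewrite for IJ32874: wrap numeric aggregates over a quoted custom property
# in DOUBLE(), the type conversion the workaround calls for, so the query
# still parses when CMT has turned the property into a string facade.
# Only sum() and avg() are rewritten: they only make sense on numbers,
# whereas min()/max() are legitimate on strings and are left untouched
# (that choice is an assumption of this helper, not part of the APAR).
# The pattern requires the aggregate to be followed directly by a quoted
# name, so sum(DOUBLE("x")) is not matched again: the rewrite is idempotent.
wrap_aggregates_with_double() {
    printf '%s\n' "$1" | sed -E \
        's/([sS][uU][mM]|[aA][vV][gG])\("([^"]+)"\)/\1(DOUBLE("\2"))/g'
}

# Apply to every saved-search AQL statement in a file, one statement per line:
#   while IFS= read -r q; do wrap_aggregates_with_double "$q"; done < searches.aql
```

Run the rewritten statements through the Advanced Search page (or the ariel API) before saving them back, since an aggregate over a property that is genuinely non-numeric will still fail at query time.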
UPGRADE | IJ33207 | "SESSION MUST BE IN THE BOUNDS OF A TRANSACTION TO ACCESS JPA/JDBC RESOURCES" MESSAGES IN QRADAR LOGGING | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue A benign message similar to the following might be visible in /var/log/qradar.log after patching to QRadar 7.4.3: [ecs-ec.ecs-ec] [ECS Runtime Thread] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Session must be in the bounds of a transaction to access jpa/jdbc resources. Session Id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx [ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.IllegalStateException [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:307) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:294) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.find(JPASessionDelegate.java:436) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.createPersistentObject(NamingCacheDecorator.java:95) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.SessionContext.createPersistentObject(SessionContext.java:1504) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.core.dao.qidmap.DeviceExtension.get(DeviceExtension.java:42) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.addToFilter(LogSourceExtensionPropertyExclusion.java:181) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.loadLogSourceExtensionProperties(LogSourceExtensionPropertyExclusion.java:105) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.init(LogSourceExtensionPropertyExclusion.java:75) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionPropertyExclusion.<init>(LogSourceExtensionPropertyExclusion.java:50) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryEngine.<init>(PropertyDiscoveryEngine.java:72) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryFilter.setVars(PropertyDiscoveryFilter.java:48) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.getFilterStack(FilterStackManager.java:149) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterBase.createDestination(FilterBase.java:179) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.normalize.DSMFilter.setVars(DSMFilter.java:271) [ecs-ec.ecs-ec] [ECS Runtime 
Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227) [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527) [ecs-ec.ecs-ec] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822) |
18 June 2021 |
QRADAR RISK MANAGER | IV98938 | CLICKING THE RISKS TAB CAN GENERATE AN 'APPLICATION ERROR' IN SOME INSTANCES OF CONSOLE/QRM MANAGED HOST ENCRYPTION | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Configure the firewall to allow communication between the Console and the Risk Manager appliance on ports 443 and 8082 when encryption is enabled between these appliances. Issue An 'Application Error' message is generated when the Risks tab is clicked in instances where encryption is used between the Console and the Risk Manager appliance and a firewall between them blocks port 443 or port 8082. For example: Application Error An error has occurred. Refresh your browser (press F5) and attempt the action again. If the problem persists, please contact customer support for assistance. Messages in /var/log/qradar.log when port 443 is blocked: [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method isTopologyReloading on the appliance; full error details in appliance log [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request: [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.SocketTimeoutException: connect timed out [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:153) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:94) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:89) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.client.Stub.process(Stub.java:222) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat] [admin@127.0.0.1 (4290) 
/console/do/120/networkTopology] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod AccessorImpl.java:56) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at java.lang.reflect.Method.invoke(Method.java:620) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.q1labs.srmconsole.util.WSUtil$WebClientProxy.invoke(WSUtil.java:68) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source) [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology] at com.q1labs.srmconsole.services.UINetworkTopologyServices. isTopologyReloading(UINetworkTopologyServices.java:165) And when port 8082 is blocked: [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] com.q1labs.simulator.device.DeviceServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Failed to query ziptie server for device list status check: [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: HTTP transport error: java.net.ConnectException: Connection timed out (Connection timed out) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput (HttpClientTransport.java:132) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process (HttpTransportPipe.java:153) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest (HttpTransportPipe.java:94) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest (DeferredTransportPipe.java:89) [tomcat] [admin@127.0.0.1 (4480) 
/console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.client.Stub.process(Stub.java:222) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke (SyncMethodHandler.java:109) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke (SyncMethodHandler.java:89) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118) [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology] at com.sun.proxy.$Proxy110.getDevicesWithErrors(Unknown Source) |
24 May 2021 |
DEPLOY CHANGES | IJ00933 | DEPLOY CHANGES RESULTS IN ERROR "THERE IS ANOTHER DEPLOYMENT CURRENTLY IN PROGRESS PLEASE TRY AGAIN LATER" | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue When deploying changes some customers have seen an error "There is another deployment currently in progress, please try again later" or a search error "There was a problem connecting to the query server. Please try again later. " Administrators who experience deploy issues can review /var/log/qradar.error for a message similar to the following: [tomcat] [main] com.q1labs.core.shared.embeddedstaging.EmbeddedStagingManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialise Embedded Staging Manager: com.q1labs.frameworks.exceptions.FrameworksNamingException: Failed to initialize component: EmbeddedStagingManager [tomcat] [main] com.q1labs.core.shared.permissions.PermissionsManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get an instance of the Embedded Staging Manager [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices] com.q1labs.configservices.core.ConfigurationServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error synchronizing deployed components [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices] com.q1labs.configservices.common.ConfigServicesException: Error synchronizing deployed components [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices] at com.q1labs.configservices.config.globalset.platform.DeployedComp onentSynchronizer.buildConfiguration(DeployedComponentSynchronizer.java:82) |
24 May 2021 |
NETWORK CONFIGURATION | IJ05709 | FIREWALL CONFIGURATION CHANGES MADE IN THE QRADAR UI FOR CONSOLE RESTRICTING ACCESS TO PORT 443 CAN CAUSE ISSUES | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround
Issue It has been identified that adding IP/CIDR restrictions in the Console firewall settings for port 443 can cause multiple issues:
|
24 May 2021 |
NETWORK CONFIGURATION | IJ22716 | QCHANGE_NETSETUP FAILS WITH 'ERROR: DUPLICATE KEY VALUE VIOLATES UNIQUE CONSTRAINT 'MANAGEDHOST_IP_KEY' | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue The qchange_netsetup script fails when attempting to change a QRadar console's IP address to an IP that exists as a deleted Managed Host in the database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [main] Caused by: [hostcontext.hostcontext] [main] <openjpa-2.4.3-r422266:1833086 fatal store error> org.apache.openjpa.persistence.EntityExistsException: ERROR: duplicate key value violates unique constraint "managedhost_ip_key" Detail: Key (ip)=(127.0.0.1) already exists. {prepstmnt -1085858985 UPDATE ManagedHost SET ip = ? WHERE id = ?} FailedObject: com.q1labs.core.dao.platform.registry.ManagedHost-53 [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4988) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4963) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:133) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:75) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate (PreparedStatementManagerImpl.java:144) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.BatchingPreparedStatementManagerI mpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushInternal (PreparedStatementManagerImpl.java:100) [hostcontext.hostcontext] 
[main] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flush (PreparedStatementManagerImpl.java:88) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush (ConstraintUpdateManager.java:550) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush (ConstraintUpdateManager.java:107) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.BatchingConstraintUpdateManager.flush (BatchingConstraintUpdateManager.java:59) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush (AbstractUpdateManager.java:104) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush (AbstractUpdateManager.java:77) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731) [hostcontext.hostcontext] [main] at org.apache.openjpa.kernel.DelegatingStoreManager.flush( DelegatingStoreManager.java:131) [hostcontext.hostcontext] [main] ... 13 more [hostcontext.hostcontext] [main] Caused by: [hostcontext.hostcontext] [main] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: duplicate key value violates unique constraint "managedhost_ip_key" Detail: Key (ip)=(127.0.0.1) already exists. {prepstmnt -1085858985 UPDATE ManagedHost SET ip = ? 
WHERE id = ?} [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection Decorator.java:218) [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection Decorator.java:194) [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$1000 (LoggingConnectionDecorator.java:58) [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection $LoggingPreparedStatement.executeUpdate(LoggingConnectionDecorator.java:1133) [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate (DelegatingPreparedStatement.java:275) [hostcontext.hostcontext] [main] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate (DelegatingPreparedStatement.java:275) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement. executeUpdate(JDBCStoreManager.java:1791) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.executeUpdate (PreparedStatementManagerImpl.java:268) [hostcontext.hostcontext] [main] at org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate (PreparedStatementManagerImpl.java:119) [hostcontext.hostcontext] [main] ... 
23 more [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: Unable to start application with id [qapp-1051] on host [8e634203e32e3588ed7c.localdeployment] with port [9000], responseCode [0], responseBody [null] [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.processEx ception(ConManPlatformService.java:389) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.startApp( ConManPlatformService.java:554) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.hostcontext.app.tasks.conman.PlatformStartAppTask.run Task(PlatformStartAppTask.java:54) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [hostcontext.hostcontext] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812) [hostcontext.hostcontext] [pool-1-thread-4] Caused by: [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.api.workload.v1.ApiException: java.net.UnknownHostException: 8e634203e32e3588ed7c.localdeployment [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.api.workload.v1.ApiClient.execute(ApiClient.java:844) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadByIdWith HttpInfo(WorkloadsApi.java:500) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadById(Wor kloadsApi.java:486) 
[hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.getAppsWo rkload(ConManPlatformService.java:348) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.buildWork load(ConManPlatformService.java:404) hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.buildWork load(ConManPlatformService.java:399) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.application.conman.v1.ConManPlatformService.startApp( ConManPlatformService.java:527) [hostcontext.hostcontext] [pool-1-thread-4] ... 7 more [tomcat.tomcat] [gui_app_startup_thread] com.q1labs.uiframeworks.util.ApplicationStartupThread: [ERROR] [NOT:0000003000][127.0.0.1253.7.60/- -] [-/- -]Error occurred processing [QRadar Assistant] 1051 [tomcat.tomcat] [gui_app_startup_thread] com.q1labs.restapi_annotations.content.exceptions.endpointExcept ions.ServerProcessingException: An error occurred setting app status to [RUNNING]. Task state found to be [EXCEPTION]. [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.application.api.service.status.handlers. 
RunningStatusHandler.handleStatus(RunningStatusHandler.java:99) [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.application.api.service.DefaultApplicati onAPIService.updateAppStatus(DefaultApplicationAPIService.java:505) [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.application.api.service.DefaultApplicati onAPIService.updateAppStatus(DefaultApplicationAPIService.java:462) [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.util.ApplicationStartupThread.processRun ningApplication(ApplicationStartupThread.java:148) [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.util.ApplicationStartupThread.processApp lications(ApplicationStartupThread.java:127) [tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.util.ApplicationStartupThread.run(Applic ationStartupThread.java:89) |
24 May 2021 |
SYSTEM TIME | IJ24182 | THE TZDATA DST RULES FOR AMERICA/SANTIAGO ARE OUT OF DATE AND HAVE THE INCORRECT DATE FOR SWITCHOVER TO DST | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience issues with appliance time zone changes must upgrade to resolve this issue and get the latest tzdata RPM. Issue The tzdata DST (Daylight Saving Time) rules for America/Santiago are out of date. They do not accurately reflect the correct changeover date for DST time zones. |
24 May 2021 |
QRADAR NETWORK INSIGHTS | IJ24628 | REMOVING A FLOW PROCESSOR FROM A QRADAR DEPLOYMENT AFTER A QRADAR NETWORK INSIGHTS (QDI) OR FORENSICS HOST HAS BEEN REMOVED CAN FAIL | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue Removing a Flow Processor can fail if the deployment.xml file has remnants of a previously installed QNI or Forensics managed host. The QRadar Deploy function can continuously fail after the failed Flow Processor removal. |
24 May 2021 |
BACKUP AND RESTORE | IJ25318 | PERFORMING A 'DEPLOYMENT CONFIGURATION' RESTORE REQUIRES RESTORING THE 'RULES' OPTION | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Select the user interface option to restore Rules when you complete a "Deployment Configuration" config restore. Issue Performing a config restore for "Deployment Configuration" does not include the custom rule dependencies of reference data; therefore, restoring "Rules" is also required. Messages similar to the following might be visible in /var/log/qradar.log when the Rules option is not selected during a "Deployment Configuration" restore: User@127.0.0.1[hostcontext.hostcontext] [BackupServices_restore] java.lang.Exception: unable to execute sql statement: ALTER TABLE public.reference_data_rules ADD CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY (rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE; User@127.0.0.1[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(Po stgresAction.java:668) User@127.0.0.1[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.applyConstrai nts(PostgresAction.java:287) User@127.0.0.1[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(B ackupRecoveryEngine.java:2974) User@127.0.0.1[hostcontext.hostcontext] [BackupServices_restore] ... 5 more |
24 May 2021 |
BACKUP AND RESTORE | IJ25505 | QRADAR BACKUP CAN HANG AND TIMEOUT WHEN A CONFIGURED NFS IS UNREACHABLE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Verify the network communication/connection to the configured NFS from QRadar. Issue A QRadar Backup can fail due to timeout when a configured NFS share is unreachable by QRadar. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Current backup was interrupted [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Current task: cleaning up [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd' [hostcontext.hostcontext] [Backup] java.lang.InterruptedException [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java:218) [hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java:458) [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils. 
getPsProcesses(BackupUtils.java:2566) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine .cleanup(BackupRecoveryEngine.java:2544) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine $BackupThread.run(BackupRecoveryEngine.java:4949) [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh /opt/qradar/bin/determine_partition.sh <backup folder under NFS mount> /storetmp/backup/determine_partition' if exists |
24 May 2021 |
DISK SPACE | IJ25759 | LOG ROTATE CAN FAIL AFTER A PATCH BEING APPLIED CAUSING PARTITIONS TO FILL TO 100% | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue A condition exists where, while a QRadar patch is being applied, cron is restarted and in some instances logrotate starts processing log files while the patch has requested and proceeds with a system shutdown. When this issue occurs, an uncompressed file remains in the olddir, causing logrotate to fail. Logrotate failing to run can cause QRadar partitions to fill to 100% unexpectedly. Note: When QRadar partitions fill past 95% usage, required QRadar services are shut down. For more information on monitored partitions, see QRadar: Troubleshooting disk space usage problems. |
24 May 2021 |
MANAGED HOST | IJ25799 | "RE-ADDING A MANAGED HOST" OPTION CAN FAIL TO BE DISPLAYED WHEN ADDING A NEW HOST TO A DEPLOYMENT USING THE SAME IP/HOSTNAME | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue When adding a new Managed Host to a QRadar deployment with the same IP address and hostname, the "Re-adding a managed host" option can sometimes fail to appear. When this occurs, the old IP address is not available for selection from the drop-down during the add process. This issue results in the add host process creating new component IDs instead of reusing the original ones, causing historical searches to fail. |
24 May 2021 |
NETWORK HIERARCHY | IJ25874 | NETWORK HIERARCHY GROUPS NAMED WITH NON-ENGLISH NAMES ARE NOT VISIBLE AS A QUICK FILTER OPTION OR FROM A NEW SEARCH PAGE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Where possible, use English-named Network groups. Issue Network Groups and Networks with non-English names (e.g. Chinese or Korean characters) are not visible as available options in the network filter drop-down in the quick filter or from the New Search page. For example:
|
24 May 2021 |
LOG SOURCE | IJ25884 | LOG SOURCE TYPE DROPDOWN CAN FAIL TO POPULATE AND GENERATE A TOMCAT OUT OF MEMORY WHEN OVER 1 MILLION LOG SOURCES EXIST | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue Opening the Log Source Type drop-down (filter) can fail to populate properly and lead to a Tomcat service Out of Memory in QRadar environments with more than 1 million log sources. Note: The QRadar User Interface is unavailable during a Tomcat Out Of Memory occurrence until the affected services recover. |
24 May 2021 |
LOG SOURCE | IJ25885 | EVENT FOR SIM AUDIT QID 28250069 DOES NOT PROVIDE INFORMATION ON CHANGES THAT WERE MADE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue In the SIM audit log event (QID 28250069), there is no information in the event about what modifications have been made. The event payload contains only the name of the user and an API call, not the modifications made. Previous versions of QRadar (e.g. 7.3.0, 7.3.1) provided additional event payload information. |
24 May 2021 |
QRADAR RISK MANAGER | IJ26074 | AUTOMATED RISK MANAGER QUERY CAN RUN LONGER THAN EXPECTED CAUSING AN APPLICATION ERROR ON THE RISKS TAB | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue A query which runs periodically on the Risk Manager server to gather vulnerability statistics for the subnets on the Topology screen can sometimes take longer than ten minutes to complete. When this situation occurs, the tomcat-rm service is automatically restarted and an Application Error is generated on the Risks tab during the restart of the tomcat-rm service. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat-rm.tomcat-rm] [Statistics Collector Job] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: canceling statement due to user request {prepstmnt 1607360343 SELECT c.longname AS impact FROM qrm_asset qa INNER JOIN classificationitem ci ON qa.vulnid = ci.vulnid INNER JOIN classification c ON ci.classificationid=c.classificationid WHERE qa.vulnid IS NOT NULL AND (qa.domainid IN (0)) AND ( (qa.ipaddress << 'x.x.x./x') )} [code=0, state=57014] [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg ingConnectionDecorator.java:218) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg ingConnectionDecorator.java:202) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$70 0(LoggingConnectionDecorator.java:58) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingCo nnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1117) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at 
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ uery(DelegatingPreparedStatement.java:268) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedS tatement.executeQuery(PostgresDictionary.java:1011) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ uery(DelegatingPreparedStatement.java:268) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedSt atement.executeQuery(JDBCStoreManager.java:1800) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ uery(DelegatingPreparedStatement.java:268) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ uery(DelegatingPreparedStatement.java:258) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.util.LocalQRadarAPI.collectFromResult(LocalQRadarAPI.java:3256) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.util.LocalQRadarAPI.getImpactsinSubnet(LocalQRadarAPI.java:4987) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.ask.APIQRadarInterface.getImpactsinSubnet(A PIQRadarInterface.java:113) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co llectStatisticsForSubnet(StatisticsCollectorTask.java:166) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co llectStatisticsForAll(StatisticsCollectorTask.java:148) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co llectStatistics(StatisticsCollectorTask.java:58) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.jobs.StatisticsCollectorJob.process(StatisticsCollectorJob.java:42) 
[tomcat-rm.tomcat-rm] [Statistics Collector Job] at com.q1labs.simulator.jobframework.jobexecutioncontroller.schedul er.PeriodicJobScheduler$1.run(PeriodicJobScheduler.java:122) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFuture Task.access$301(ScheduledThreadPoolExecutor.java:191) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFuture Task.run(ScheduledThreadPoolExecutor.java:305) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat-rm.tomcat-rm] [Statistics Collector Job] at java.lang.Thread.run(Thread.java:818) |
24 May 2021 |
LOG ACTIVITY | IJ26098 | 'AN IO ERROR OCCURRED ON SERVER(S)...' CAN OCCUR DURING SEARCHES AFTER A HOST HAS HAD ITS IP ADDRESS CHANGED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Using a command line tool such as vi, find and comment out or remove the entries for the old IP address in /etc/hosts on the QRadar Console. Attempt the search again. Issue Removing a non-encrypted host that runs ariel from a QRadar deployment, changing its IP address (using qchange_netsetup), and then re-adding the host to the QRadar deployment can result in ariel searches (e.g. in the Log Activity tab) against that managed host reporting errors similar to: "An IO error occurred on server(s) XXXXXX:ZZZZ. Please try again." (where XXXXXX is the hostname of the managed host that had its IP address changed and ZZZZ is the ariel port). Example steps that reproduce this behavior:
|
24 May 2021 |
ASSETS | IJ26163 | ASSET SEARCH CAN FAIL WHEN FILTERING BASED ON CONTENTS OF A REFERENCE SET WHERE MORE THAN ONE DOMAIN EXISTS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue An Asset Search can fail when filtering based on the contents of a reference set when more than one domain is added to the reference set. For example:
Administrators who experience this issue can confirm a ReportingSQLException similar to the following error in /var/log/qradar.error:
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.assets.ui.assetservices.UIAssetList: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error running filter based asset list query for performance.org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: more than one row returned by a subquery used as an expression {stmnt 669393640 select DISTINCT(asset.asset.id) from asset.asset where (1=1) AND asset.asset.id NOT IN (SELECT assetid FROM asset.pendingassetupdate WHERE action=3) AND asset.asset.id in (SELECT DISTINCT(asset.interface.assetid) FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1) AND ( asset.ipaddress.ipaddress NOT IN ( SELECT convert_from(data,'UTF8')::inet AS ipv4address FROM public.reference_data_element WHERE public.reference_data_element.rdk_id = (SELECT id FROM public.reference_data_key WHERE public.reference_data_key.rd_id = (SELECT id FROM public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$)) ) ) )}
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.assets.ui.assetservices.UIAssetList: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Asset UI Performance optimization failing.:org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: more than one row returned by a subquery used as an expression {stmnt 669393640 select DISTINCT(asset.asset.id) from asset.asset where (1=1) AND asset.asset.id NOT IN (SELECT assetid FROM asset.pendingassetupdate WHERE action=3) AND asset.asset.id in (SELECT DISTINCT(asset.interface.assetid) FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1) AND ( asset.ipaddress.ipaddress NOT IN ( SELECT convert_from(data,'UTF8')::inet AS ipv4address FROM public.reference_data_element WHERE public.reference_data_element.rdk_id = (SELECT id FROM public.reference_data_key WHERE public.reference_data_key.rd_id = (SELECT id FROM public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$)) ) ) )}
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.core.sql.queryframework.QueryFramework: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]SELECT * FROM ( SELECT 0 AS "assetid" FROM asset.pendingassetupdate WHERE (1=1) AND asset.pendingassetupdate.assetid IS NULL AND asset.pendingassetupdate.action != 3 AND asset.pendingassetupdate.updatedby = $pGISzQS$Steve$pGISzQS$ ) ASSET_PENDING_LIST_VIEW UNION ALL SELECT * FROM ( SELECT DISTINCT(asset.asset.id) AS "assetid" FROM asset.asset INNER JOIN asset.interface ON asset.interface.assetid = asset.asset.id INNER JOIN asset.ipaddress ON asset.ipaddress.interfaceid = asset.interface.id WHERE (1=1) AND asset.asset.id NOT IN (SELECT assetid FROM asset.pendingassetupdate WHERE action=3) AND ( asset.ipaddress.ipaddress NOT IN ( SELECT convert_from(data,'UTF8')::inet AS ipv4address FROM public.reference_data_element WHERE public.reference_data_element.rdk_id = (SELECT id FROM public.reference_data_key WHERE public.reference_data_key.rd_id = (SELECT id FROM public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$)) ) ) --Additional ordering/limits for any base SQL query type ) ASSET_LIST_VIEW OFFSET 0;
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.core.sql.queryframework.QueryFramework: [ERROR] Chained SQL Exception [1/2]: ERROR: current transaction is aborted, commands ignored until end of transaction block {stmnt -1679308538 SELECT * FROM ( SELECT 0 AS "assetid" FROM asset.pendingassetupdate WHERE (1=1) AND asset.pendingassetupdate.assetid IS NULL AND asset.pendingassetupdate.action != 3 AND asset.pendingassetupdate.updatedby = $pGISzQS$Steve$pGISzQS$ ) ASSET_PENDING_LIST_VIEW UNION ALL SELECT * FROM ( SELECT DISTINCT(asset.asset.id) AS "assetid" FROM asset.asset INNER JOIN asset.interface ON asset.interface.assetid = asset.asset.id INNER JOIN asset.ipaddress ON asset.ipaddress.interfaceid = asset.interface.id WHERE (1=1) AND asset.asset.id NOT IN (SELECT assetid FROM asset.pendingassetupdate WHERE action=3) AND ( asset.ipaddress.ipaddress NOT IN ( SELECT convert_from(data,'UTF8')::inet AS ipv4address FROM public.reference_data_element WHERE public.reference_data_element.rdk_id = (SELECT id FROM public.reference_data_key WHERE public.reference_data_key.rd_id = (SELECT id FROM public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$)) ) ) --Additional ordering/limits for any base SQL query type ) ASSET_LIST_VIEW OFFSET 0;}
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.core.sql.queryframework.QueryFramework: [ERROR] Chained SQL Exception [2/2]: ERROR: current transaction is aborted, commands ignored until end of transaction block
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] com.q1labs.core.sql.queryframework.QueryFramework: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/--] QueryFramework.executeQuery(): Could not execute the above SQL statement.
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: current transaction is aborted, commands ignored until end of transaction block {stmnt -1679308538 SELECT * FROM ( SELECT 0 AS "assetid" FROM asset.pendingassetupdate WHERE (1=1) AND asset.pendingassetupdate.assetid IS NULL AND asset.pendingassetupdate.action != 3 AND asset.pendingassetupdate.updatedby = $pGISzQS$Steve$pGISzQS$ ) ASSET_PENDING_LIST_VIEW UNION ALL SELECT * FROM ( SELECT DISTINCT(asset.asset.id) AS "assetid" FROM asset.asset INNER JOIN asset.interface ON asset.interface.assetid = asset.asset.id INNER JOIN asset.ipaddress ON asset.ipaddress.interfaceid = asset.interface.id WHERE (1=1) AND asset.asset.id NOT IN (SELECT assetid FROM asset.pendingassetupdate WHERE action=3) AND ( asset.ipaddress.ipaddress NOT IN ( SELECT convert_from(data,'UTF8')::inet AS ipv4address FROM public.reference_data_element WHERE public.reference_data_element.rdk_id = (SELECT id FROM public.reference_data_key WHERE public.reference_data_key.rd_id = (SELECT id FROM public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$)) ) ) --Additional ordering/limits for any base SQL query type ) ASSET_LIST_VIEW OFFSET 0;}
[tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218) |
24 May 2021 |
QRADAR NETWORK INSIGHTS | IJ26167 | THE QRADAR NETWORK INSIGHTS (QNI) SMTP INSPECTOR CAN FAIL TO SHOW ALL RECIPIENT EMAIL ADDRESSES FOR SMTP CONTENT FLOWS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue In unencrypted SMTP flows, the Recipient User field is shown as some variation of "undisclosed", which is derived from the mail header instead of the recipient email address. This type of field in the mail header is used for both valid masking and malicious activities. The actual recipient (RCPT TO) in these instances can be viewed in the Standard Flow's Payload field, provided its position in the flow does not exceed the number of payload bytes that are extracted. |
24 May 2021 |
QRADAR VULNERABILITY MANAGER | IJ26525 | VULNERABILITY SCAN DISPLAYS 100% COMPLETION BUT NEVER FINISHES WHEN TOOLS ARE EXCLUDED FROM THE SCAN POLICY | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue If either of the following tools is excluded in a QRadar Vulnerability Manager scan policy, the scan does not complete as expected:
|
24 May 2021 |
QRADAR NETWORK INSIGHTS | IJ26651 | SMTP CONTENT FLOWS ORIGINATING FROM QNI HAVE FIELDS THAT ARE LIMITED TO 64 CHARACTERS IN THE NETWORK ACTIVITY TAB | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue SMTP Content Flows (originating from QNI) in the Network Activity tab can have certain fields that are truncated to 64 characters. For example: Network Activity - SMTP Content Flows
|
24 May 2021 |
DSM EDITOR | IJ26665 | CEF EVENTID DOES NOT MAP TO A QID WHEN IT IS THE LAST KEY/VALUE IN THE PAYLOAD WHEN CONFIGURED USING DSM EDITOR/LSX | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Use a Regular Expression (regex), instead of a CEF key, in the DSM Editor to parse a CEF name=value pair that is the last entry of the event payload. Issue If a CEF key is used to override the EventID for a log source using the DSM Editor/LSX, and it is the last key/value in the payload, the override does not work as expected: a newline character "\n" is appended to the parsed value, so it is never matched to a mapped QID in QRadar. To recreate this issue: Add a CEF key as an override for a payload when the key/value pair is the last item in the payload. Results The Event ID is not able to match a QID because it has a '\n' at the end. Note: If another key/value is added to the end of the payload, the override works as expected because the desired value no longer has the trailing newline '\n'. |
24 May 2021 |
MANAGED HOST | IJ26729 | USING QCHANGE_NETSETUP IN NAT'D QRADAR ENVIRONMENTS CAN CAUSE EVENT COLLECTION TO FAIL AFTER A MANAGED HOST IS RE-ADDED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue When re-adding a Managed Host to a deployment after performing a qchange_netsetup to add a public IP (NAT'd), some QRadar components can fail to be remapped or created correctly on the Managed Host. In these instances, the affected QRadar component services have been identified as hostcontext, ecs-ec and ecs-ep. When this issue occurs, event collection can stop working for the affected Managed Hosts, and hosts cannot be connected together successfully in a QRadar deployment (e.g. connecting an Event Collector to an Event Processor, or a Data Node to an Event Processor) due to the missing component services. Messages similar to the following might be visible in /var/log/qradar.log on an affected Managed Host when this issue occurs:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Failed to download and apply new configuration
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.exception.HostContextConfigException: Unable to properly download and apply new configuration
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to download and process global set
..
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to build local configuration set
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to build local configuration set
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.configservices.common.ConfigServicesException: unable to transform components
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.configservices.common.ConfigServicesException: Failed to create EC_Ingress.xml for component eventcollectoringress103.
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.RuntimeException: Error merging velocity template and context
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEventThreshold' in class com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder threw exception java.lang.NumberFormatException: null at EC_Ingress.vm[line 498, column 79]
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.NumberFormatException: null
...
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Setting deployment status to Error |
24 May 2021 |
QRADAR VULNERABILITY MANAGER | IJ27020 | DUPLICATE ASSETS CAN BE CREATED BY AN 'EARLY WARNING' VULNERABILITY WHEN DOMAINS ARE CONFIGURED IN QRADAR | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround On the Assets tab, manually delete the duplicate asset in the "Default Domain" if this issue occurs. Issue In QRadar environments where Domains are configured, an "Early Warning" vulnerability detected by a QRadar Vulnerability Manager scan can result in the creation of a duplicate Asset in the "Default Domain". |
24 May 2021 |
GEOGRAPHIC DATA | IJ27129 | GEO::DISTANCE IN AQL QUERIES DOES NOT CALCULATE DISTANCE CORRECTLY WHEN AN INTERNAL IP IS USED FOR THE SECOND ARGUMENT | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue Using GEO::DISTANCE in AQL queries does not calculate distance correctly if an internal IP address is used for the second argument in the query. For example, when using SELECT GEO::DISTANCE(sourceip, destinationip) in AQL queries:
|
24 May 2021 |
ASSETS | IJ31040 | UPDATES TO ASSET IP ADDRESSES CAN SOMETIMES CAUSE THE ASSET PROFILER SERVICE TO STOP PROCESSING ASSETS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue Updates to Asset IP addresses that occur while the asset profiler is using the QRadar spillover cache can cause the asset profiler service to stop processing assets correctly. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue.put(AssetChangeEvent.java:99)
at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffectedFields(AssetChangeEvent.java:324)
at com.q1labs.assetprofile.persistence.AssetChangeEvent.put(AssetChangeEvent.java:306)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet$AssetChangeEventSubset.put(AssetChangeEventSet.java:99)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets(AssetChangeEventSet.java:480)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:539)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:34)
at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize.put(SpilloverQueue.java:1142)
at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.serialized_offer(SpilloverQueue.java:1249)
at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.offer(SpilloverQueue.java:1240)
at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerBlocking(AssetChangeListenerLoader.java:365)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerThreaded(AssetChangeListenerLoader.java:339)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.publishToListener(AssetChangeListenerLoader.java:307)
at com.q1labs.assetprofile.changepublisher.AssetChangePublisher.publishAssetChange(AssetChangePublisher.java:176)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.commitCurrentTransactionAndFlushOutput(AssetProfilePersistenceWorkerThread.java:1037)
And if the IP address update is sent to the spillover cache, the asset profiler stops processing any further asset updates and the following can be visible in /var/log/qradar.log:
java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue.put(AssetChangeEvent.java:99)
at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffectedFields(AssetChangeEvent.java:324)
at com.q1labs.assetprofile.persistence.AssetChangeEvent.put(AssetChangeEvent.java:306)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet$AssetChangeEventSubset.put(AssetChangeEventSet.java:99)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets(AssetChangeEventSet.java:480)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:539)
at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put(AssetChangeEventSet.java:34)
at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize.put(SpilloverQueue.java:1142)
at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.serialized_offer(SpilloverQueue.java:1249)
at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.offer(SpilloverQueue.java:1240)
at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerBlocking(AssetChangeListenerLoader.java:365)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.offerThreaded(AssetChangeListenerLoader.java:339)
at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader.publishToListener(AssetChangeListenerLoader.java:307)
at com.q1labs.assetprofile.changepublisher.AssetChangePublisher.publishAssetChange(AssetChangePublisher.java:176)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager.dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.commitCurrentTransactionAndFlushOutput(AssetProfilePersistenceWorkerThread.java:1037)
at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread.run(AssetProfilePersistenceWorkerThread.java:429) |
24 May 2021 |
DEPLOY CHANGES | IJ29047 | QRADAR MANAGED HOST(S) CAN FAIL TO DEPLOY AFTER COMPLETING THE PATCHING PROCESS AS THE QRADAR DATABASE HAS NOT DOWNLOADED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) Workaround
Issue In instances where the LOCAL_FALLBACK_DISABLED=true setting is contained within the nva.conf file, QRadar Managed Hosts can fail to download the QRadar database from the Console successfully after being patched. When this occurs, QRadar Deploy functions fail for the affected Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only transaction {stmnt -490361463 UPDATE public.user_settings SET allow_system_authentication_fallback=false}
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingStatement.executeUpdate(LoggingConnectionDecorator.java:913)
at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate(DelegatingStatement.java:118)
at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelStatement.executeUpdate(JDBCStoreManager.java:1689)
at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate(DelegatingStatement.java:118)
at com.q1labs.core.shared.permissions.UserManager.updateAllowSystemAuthenticationFallback(UserManager.java:1737) |
24 May 2021 |
APPLICATION FRAMEWORK | IJ28648 | QRADAR APPS CAN FAIL TO LOAD DUE TO THE QRADARCA-MONITOR SERVICE BEING IN A STUCK STATE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue QRadar Apps can fail to load if the qradarca-monitor service is stuck in the activating state. This issue can also cause the failure of new app installations, app deletions, and app upgrades. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
bash[55538]: goroutine 1 [chan receive, 44478 minutes]:
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).openChannel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x20002, 0xc4201341e4, 0xc4201341e0)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/mux.go:322 +0x1f2
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).OpenChannel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/mux.go:298 +0x64
bash[55538]: path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).NewSession(0xc42018f800, 0x3, 0xc4202888d0, 0x10)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:130 +0x67
bash[55538]: path/pi/si-qradarca/localca.connectToHost(0x76616e, 0x4, 0xc420165119, 0xd, 0x4ae499, 0x3, 0xc42030c000, 0x65)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/localca/util.go:320 +0x356
bash[55538]: path/pi/si-qradarca/localca.CheckRemoteFileExists(0x76616e, 0x4, 0xc420163360, 0x20, 0xc420165119, 0xd, 0x0, 0x0, 0x0)
bash[55538]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-qradarca/localca/remote.go:63 +0x85
bash[55538]: path/pi/si-qradarca/localca.checkCertificateOnRemote(0xc420165119, 0xd, 0xc42015bce0, 0x9, 0xc420163340, 0x12, 0xc42015bcf0, 0x9, 0x7660ca, 0x4, ...) |
24 May 2021 |
SIM AUDIT | IJ26652 | "USER ACCOUNT MODIFIED" EVENT GENERATED INSTEAD OF "USER PASSWORD CHANGE" WHEN PASSWORD CHANGE OCCURS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue A "User Account Modified" event (QID 28250069) is generated when a QRadar user password is changed from the QRadar User Interface, instead of the expected "User Changed Password" event. The same "Account Modified" entry is written to the audit logs: test@127.0.0.1 (7179) /console/restapi/api/config/access/users/3 | [Configuration] [UserAccount] [AccountModified] test |
24 May 2021 |
DSM EDITOR | IJ25814 | DSM EXPORT FUNCTION FAILS WHEN AUTHOR FIELD IS LEFT BLANK | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Ensure the Author field is populated when performing a DSM Export function. Issue When performing a DSM "Export" function, the Author field is not required, but if the field is blank (it is prefilled with Admin) the Export function fails and generates an error similar to: console/restapi/api/config/extension_management/extension_export_tasks] com.ibm.si.data_ingestion.api.v12_0.cmt.ExtensionManagementAPI: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Export failed. Manifest Configuration should be valid. Name, Author, min_version and version should be valid. Note: After an upgrade to QRadar 7.4.3 GA or later, the DSM Editor displays "The value is required" if you attempt to export a custom DSM without the Author field populated. |
24 May 2021 |
AUTHENTICATION | IJ27713 | UNABLE TO LOGIN TO QRADAR USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES OVER STANDARD LDAP PORTS | CLOSED | Workaround Multiple workarounds available:
Issue Users are unable to log in when using encrypted LDAP with Microsoft Active Directory Services over the standard LDAP ports TCP/389 and TCP/636, because LDAP referrals break communications over TLS encryption. When attempting to log in, the LDAP authentication fails, even when using the "Test Connection" button on the LDAP configuration page. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(3540) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] com.q1labs.core.shared.ldap.SimpleLdapClient: [ERROR] [NOT:0000003000][ipaddress/- -] [-/- -]Exception occurred when checking if ldap connection is available
[tomcat.tomcat] [admin@127.0.0.1(3540) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C09127A, comment: TLS or SSL already in effect, data 0, v3839 |
04 February 2021 |
QRADAR RISK MANAGER | IJ00838 | ARC_BUILDER GOES OUT OF MEMORY WHEN THE ASSET CEILING NUMBER IS SET TO 5 MILLION ASSETS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue Arc_builder runs out of memory on the managed host when the asset ceiling number is set to 5 million. If you have a large number of assets, review /var/log/qradar.log for Java heap space or load daemon messages related to ArcBuilder.init:
QRADAR-primary arc_builder[22051]: Caused by: java.lang.Exception: java.lang.OutOfMemoryError: Java heap space
QRADAR-primary arc_builder[22051]: at com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:240)
QRADAR-primary arc_builder[22051]: ... 5 more
QRADAR-primary arc_builder[22051]: Caused by: java.lang.OutOfMemoryError: Java heap space
QRADAR-primary arc_builder[22051]: at gnu.trove.TLongHashSet.rehash(TLongHashSet.java:169)
QRADAR-primary arc_builder[22051]: at gnu.trove.THash.postInsertHook(THash.java:359)
QRADAR-primary arc_builder[22051]: at gnu.trove.TLongHashSet.add(TLongHashSet.java:154)
QRADAR-primary arc_builder[22051]: at com.q1labs.semsources.filters.arc.NetworkModelsServices.loadExistingPortData(NetworkModelsServices.java:405)
QRADAR-primary arc_builder[22051]: at com.q1labs.semsources.filters.arc.NetworkModelsServices.init(NetworkModelsServices.java:215)
QRADAR-primary arc_builder[22051]: at com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:164)
QRADAR-primary arc_builder[22051]: at com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:235)
QRADAR-primary arc_builder[22051]: ... 5 more
QRADAR-primary arc_builder[22051]: 09/04/2017 22:06:18 22052 arc_builder error: Cannot load daemon |
12 August 2020 |
DATA SYNCHRONIZATION APP | IJ32756 | DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP | OPEN | Workaround After a cross-site restore completes from the QRadar Data Synchronization app:
Issue After completing a cross-site restore through the Data Sync App, the following error messages can display, which suggest that the QRadar APIs are no longer retrieving results:
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] 'An error occured retrieving backups from QRadar API: No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"',
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] toString: [Function: toString] } |
24 May 2021 |
USER INTERFACE | IJ23859 | 'APPLICATION ERROR' POP UP CAN OCCUR WHEN DISABLING A USER THAT HAS DEPENDENCIES (E.G. CEP, SAVED SEARCH) | CLOSED | Resolved in None. Closed as Permanent restriction. Workaround After initiating the user delete process, reassign all dependencies and then cancel the delete process. Issue An "Application Error" can be generated in the user interface after a user who owns dependencies (e.g. Custom Event Properties or Saved Searches) is disabled. The following error can be displayed on the Log Activity tab or Network Activity tab when a value (custom property, reference set, saved search, etc.) owned by a disabled user attempts to render. Messages similar to the following might be generated in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception creating AQL key creator for property ID 58099b2f-d650-4b70-ac93-f5d770d24062
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] com.q1labs.ariel.ql.parser.AQLParserException: Catalog "events" does not exist.
concat(REFERENCEMAP('^
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ParserBase.getCatalog(ParserBase.java:179)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.Parser.parseExpression(Parser.java:300)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.core.shared.ariel.AqlCustomKeyCreator.createKeyCreator(AqlCustomKeyCreator.java:145)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.core.shared.ariel.AqlCustomKeyCreator.initialize(AqlCustomKeyCreator.java:122)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:782)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielServices.java:5872)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails.java:36)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at sun.reflect.GeneratedMethodAccessor1170.invoke(Unknown Source)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java:101)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java:122)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFilter(AddEncodingToRequestFilter.java:56)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(DestroySessionFilter.java:26)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(AddHSTSHeaderFilter.java:22)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java:47)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [INFO] [NOT:0000006000] [127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds |
09 March 2021 |
SALESFORCE REST API PROTOCOL | IJ29347 | QRADAR REQUIRES SECURITY TOKEN FOR SALESFORCE RESTAPI PROTOCOL CONNECTION | OPEN | Workaround Running the following command from an SSH session to the QRadar Console allows for connectivity without the use of a security token for Salesforce RestAPI Protocol connections: psql -U qradar -c "update sensorprotocolparameter set required = 'f' where id = 54030;" Issue The Salesforce RestAPI Protocol configuration allows connections without a Security Token, but within QRadar the Security Token is still required (see the QRadar DSM Guide). This can cause connectivity issues between QRadar and the Salesforce source because of the variance in setup that can occur when configuring the protocol/connection. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: Response from auth attempt was not 200, response: 400: Bad Request [ecs-ec-ingress.ecs-ec-ingress] [Thread-8126] com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIInstance: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] {"error":"invalid_grant","error_description":"authentication failure"} |
19 November 2020 |
ROUTING RULES / FORWARDED EVENTS | IJ29718 | EVENTS CAN BE DROPPED WHEN A DROPPED CONNECTION FAILED TO RECONNECT USING ONLINE FORWARDING WITH 'TCP' OR 'TCP OVER SSL' | CLOSED | Resolution The development team is unable to reproduce this issue. If you continue to experience errors with forwarded events or routing rules, contact QRadar Support. Workaround No workaround available. APARs identified with no workaround require a software update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue When using online forwarding with TCP or TCP over SSL, a connection issue can result in online forwarding not reconnecting to the configured Destination successfully. Events are not forwarded to the Destination until the forwarding rule is disabled and re-enabled to establish a proper connection. |
02 February 2021 |
RULES | IJ32591 | RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue. Issue Iptables and ip6tables rules can be incorrectly generated in QRadar deployments where dual stack is configured. Appliances with dual stack (IPv4 and IPv6) are configured so iptables and ip6tables are disabled and iptables_update.pl script is symlinked to /bin/true. When patching to a QRadar version where the hostcontext rpm is updated, this configuration is reverted and iptables is unexpectedly re-enabled. |
10 May 2021 |
RULES | IJ32591 | RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Contact QRadar Support for a possible workaround that might address this issue. Issue The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management. All entries on all pages must have a Solr request sent to determine the document count for the page which can sometimes cause the Incident Results window to take longer than expected to load. |
29 April 2021 |
QRADAR NETWORK INSIGHTS | IJ32062 | QRADAR NETWORK INSIGHTS CANNOT ADD HOST TO THE DEPLOYMENT WHEN THE CONSOLE FAILS TO OPEN AN SFTP CHANNEL | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround
Issue QRadar Network Insights (QNI) hosts can fail to be added to a QRadar deployment due to the console failing to open an SFTP channel. These instances have been identified as being caused by changes made in sshd_config during previous QRadar upgrades of the QNI host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [a393ce8b-13c3-4a89-a9af-45b902ce90f4/SequentialEventDispatcher] com.q1labs.core.shared.cli.ssh.SshException: Failed to open an sftp channel |
29 April 2021 |
LOG SOURCE MANAGEMENT APP | IJ32519 | ALERT BOX 'ERRORFETCHINGCERTIFICATEDATATITLE' POP UP WHEN USING LOG SOURCE MANAGEMENT APP (LSM) V7.0.0 | CLOSED | Resolved in Log Source Management app v7.0.1 Workaround Close the Alert if it appears. The error message is benign and Log Source Management app continues to function as expected after the error message is closed. Issue The Log Source Management app (LSM) v7.0.0 can display an alert box similar to the following: This message is generated when an API call returns null and is not handled properly by the Log Source Management app. |
19 May 2021 |
UPGRADE | IJ32160 | PATCH PRE-TEST CAN FAIL WITH '[ERROR] THERE ARE X BACKUPS IN PROGRESS. PLEASE WAIT FOR THEM TO COMPLETE...' | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Follow these steps from an SSH session to the QRadar Console to update all backups marked "DELETING" to be 'FAILED':
Issue The QRadar patch pre-test can fail with a message displayed similar to the following when the QRadar database has many backup records in status 'DELETING': [ERROR] There are X backups in progress. Please wait for them to complete or cancel via UI before restarting patch |
06 September 2022 |
LOG ACTIVITY | IJ32112 | "Q1CERTIFICATEEXCEPTION: CHECKCERTIFICATEPINNING FAILED" ERROR MESSAGES IN LOG ACTIVITY AS SIM GENERIC EVENTS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Contact QRadar Support for a possible workaround that might address this issue. Issue "Q1CertificateException: checkCertificatePinning failed" error messages can sometimes be observed in Log Activity as SIM Generic events. Individual lines of the stack trace can be sent into the QRadar pipeline, and when this occurs they are parsed as Unknown SIM Generic events or, in some instances, as Stored events under a newly created Log Source. The error is caused by the certificate retrieved from the Log Source location not matching any of the certificates stored on the QRadar system. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed. at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411) at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110) at com.ibm.jsse2.D.s(D.java:286) at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) ... 
25 more at com.ibm.jsse2.av.a(av.java:788) at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1352) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1327) at com.ibm.jsse2.av.a(av.java:637) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at com.ibm.jsse2.E.a(E.java:145) at java.lang.Thread.run(Thread.java:822) at com.ibm.jsse2.E.a(E.java:479) at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java:215) at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) at com.q1labs.hostcontext.configuration.ConfigChangeObserver$ConfigChangeObserverTask.run(ConfigChangeObserver.java:662) at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72) at com.ibm.jsse2.E.a(E.java:585) at com.ibm.jsse2.D.a(D.java:251) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.timeExpired(ConfigChangeObserver.java:401) at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1) at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.getActionRequest(ConfigChangeObserver.java:426) at com.ibm.jsse2.av.startHandshake(av.java:1020) at com.ibm.jsse2.D.a(D.java:121) at com.ibm.jsse2.k.a(k.java:43) at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:359) at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:70) at com.ibm.jsse2.av.a(av.java:722) at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:544) at com.ibm.jsse2.D.a(D.java:572) at 
com.ibm.jsse2.av.i(av.java:45) at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411) at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547) at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110) Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed. at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) at com.ibm.jsse2.E.a(E.java:145) ... 25 more |
06 September 2022 |
HIGH AVAILABILITY (HA) | IJ32089 | HIGH AVAILABILITY FAILOVER DOES NOT WORK AS EXPECTED WHEN ISCSI AND MULTIPATH IS CONFIGURED | CLOSED | Workaround Closed as a permanent restriction, as this issue will not be fixed. Refer to the IBM Security QRadar Offboard Storage Guide for supported offboard storage configurations. Issue High Availability (HA) failovers do not work as expected when iSCSI is configured with multipath. The ha_setup.sh script allows the multipath configuration to succeed, but HA failovers do not work because a bad symlink is created. |
20 July 2021 |
QRADAR NETWORK INSIGHTS | IJ32165 | MISCELLANEOUS FLOWS CAN BE GENERATED BY QRADAR NETWORK INSIGHTS WITH PAYLOADS SIMILAR TO "IBM(158)=HTTP;IBM(159)=1.0" | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround
Issue QRadar Network Insights can generate miscellaneous flows that include payloads that display similar to: "Apr 5, 2021, 4:04:54PM","false","Web.Web.Misc","Best Effort","6","false","0:0:0:0:0:0:0:0", "0","4","IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0; IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0; IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0; IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Web","18448","IBM(158)=HTTP; IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP; IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP; IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP; IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Apr 5,2021, 4:02:50 PM","Best Effort","L2L", "Web.HTTPWeb","61176","S,P,A","9999" |
2 February 2022 |
CUSTOM PROPERTIES | IJ32104 | AN EXCEPTION GENERATED BY THE AUTOMATIC PROPERTY DISCOVERY ENGINE CAN CAUSE EVENTS TO BE DROPPED FOR LOG SOURCES | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue. Issue Property autodetection can stop working when the threshold for bad properties is reached on a Managed Host, because disablePropertyDiscoveryProfile attempts to update the database and fails since the transaction is read-only. When this issue occurs, events can fail to be received into QRadar Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -] Exception was uncaught in thread: Property Discovery Engine Thread [ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.exceptions.FrameworksRuntimeException: Problem occurred committing transaction [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1079) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:1005) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.cache.PropertyDiscoveryThreshold.disablePropertyDiscoveryProfile(PropertyDiscoveryThreshold.java:159) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.cache.PropertyDiscoveryThreshold.incrementThreshold(PropertyDiscoveryThreshold.java:92) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.parser.PropertyParser.handleResults(PropertyParser.java:56) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters. 
property.parser.PropertyParserJSON.processEvent(PropertyParserJSON.java:54) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters. property.PropertyDiscoveryEngine$PropertyDiscoveryEngineThread.run (PropertyDiscoveryEngine.java:222) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal store error> org.apache.openjpa.persistence.RollbackException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred. [ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51 [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks. session.SessionContext.commitTransaction(SessionContext.java:1039) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 6 more [ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: The transaction has been rolled back. See the nested exceptions for details on the errors that occurred. [ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51 [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.BrokerImpl.newFlushException(BrokerImpl.java:2374) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.BrokerImpl.flush(BrokerImpl.java:2211) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.BrokerImpl.flushSafe(BrokerImpl.java:2103) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:2021) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. 
kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.BrokerImpl.commit(BrokerImpl.java:1526) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.DelegatingBroker.commit(DelegatingBroker.java:932) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. persistence.EntityManagerImpl.commit(EntityManagerImpl.java:571) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 7 more [ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error> org.apache.openjpa.persistence.PersistenceException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?} [ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core. dao.qidmap.PropertyDiscoveryProfile-51 [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. sql.DBDictionary.narrow(DBDictionary.java:5003) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. sql.DBDictionary.newStoreException(DBDictionary.java:4963) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. sql.SQLExceptions.getStore(SQLExceptions.java:133) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. sql.SQLExceptions.getStore(SQLExceptions.java:75) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:144) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.BatchingPreparedStatementManagerImpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. 
kernel.PreparedStatementManagerImpl.flushInternal(PreparedStatementManagerImpl.java:100) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.PreparedStatementManagerImpl.flush(PreparedStatementManagerImpl.java:88) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:550) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:107) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.BatchingConstraintUpdateManager.flush(BatchingConstraintUpdateManager.java:59) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:104) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:77) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa. kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:131) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 14 more [ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by: org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?} [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:194) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. 
LoggingConnectionDecorator.access$1000(LoggingConnectionDecorator.java:58) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeUpdate (LoggingConnectionDecorator.java:1133) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc. DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.JDBCStoreManager$CancelPreparedStatement.executeUpdate(JDBCStoreManager.java:1791) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.PreparedStatementManagerImpl.executeUpdate(PreparedStatementManagerImpl.java:268) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc. kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:119) [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 24 more |
29 April 2021 |
SEARCH | IJ32428 | UNABLE TO DELETE SAVED SEARCHES | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue When attempting to delete a saved search, the search loads as expected, but there is no option to delete it because the window with the "confirm deletion" button does not appear. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] java.lang.ArrayIndexOutOfBoundsException [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1391) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1296) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchForm.java:246) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearch_jsp.java:415) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at 
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:462) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:387) [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:315) |
01 May 2021 |
AUTHENTICATION | IJ32108 | THE USER INTERFACE ADMIN PASSWORD CAN FAIL TO BE SET CORRECTLY WHEN A REBOOT OCCURS DURING SYSTEM BUILD | OPEN | Workaround Set the User Interface admin password with the command line interface (CLI) script by following these instructions: QRadar: Changing the admin account password from the UI or CLI Issue When a QRadar system is being built and a reboot occurs during the install configuration, the User Interface admin password can sometimes fail to be set correctly. |
01 May 2021 |
LOG SOURCE MANAGEMENT APP | IJ32240 | LOG SOURCE MANAGEMENT APP DOES NOT ALLOW THE PORT FIELD TO BE LEFT BLANK WHEN USING SOME JDBC PROTOCOL CONFIGURATIONS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The DSM Guide documentation on configuring parameters for the JDBC protocol states that "if a database instance is used with the MSDE database type, you must leave the Port field blank". This is also displayed in the LSM app under a "show more" button. However, the LSM app does not allow you to leave the Port field blank and considers this field to be a "required field". |
01 May 2021 |
DSM EDITOR | IJ32103 | WINDOWS SECURITY LOG EVENTS CAN FAIL TO BE PARSED COMPLETELY BY THE DSM EDITOR WHILE WORKING AS EXPECTED IN LOG ACTIVITY | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Microsoft Windows Security Event Logs (with AWS Kinesis) can fail to be parsed correctly in the DSM Editor while being parsed correctly in the Log Activity tab of the QRadar User Interface. |
01 May 2021 |
INDEX MANAGEMENT | IJ32111 | QUICK FILTER PROPERTY IN ADMIN > INDEX MANAGEMENT DISPLAYS AS "% OF SERACHES USING PROPERTY" AND HITS/MISSES STAY AT 0 | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue When looking at the 'Quick Filter' property under Admin > Index Management, '% of Searches Using Property' is sometimes displayed with hits/misses that stay at 0 even after many searches have been run during the selected timeframe. |
01 May 2021 |
PROTOCOLS | IJ27028 | LOG SOURCES CONFIGURED TO USE THE GOOGLE G SUITE ACTIVITY REPORTS RESTAPI PROTOCOL CAN BE MISSING SOME EVENTS | OPEN | Workaround No workaround available. APARs identified with no workaround might require a protocol update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Log Sources that are configured to use the Google G Suite Activity Reports REST API Protocol can be missing events. There have been multiple reasons identified as being the cause for this issue.
|
15 August 2020 |
LOG SOURCE MANAGEMENT APP | IJ32222 | REPETITIVE /VAR/LOG/AUDIT.LOG MESSAGES BEING WRITTEN AFTER A FAILED PROTOCOL TEST USING LOG SOURCE MANAGEMENT (LSM) APP | OPEN | Workaround Restarting the ecs-ec-ingress service corrects this issue until another protocol test fails.
Issue Using the Log Source Management app to perform a protocol test can fail and sometimes causes repeating API messages similar to the following to be written every 5 seconds to /var/log/audit.log: Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [RestAPI] [APISuccess] [configservices] [1b76e3ae-d28f-4c1e-9b47-86940f613bea] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/tasks | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&task_state=INITIALIZING&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112105&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47952 Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604) /console/restapi/api/system/task_management/tasks | [Action] [TaskManagement] [TaskAdded] StatusId=158 HostId=53 ApplicationId=ecs-ec-ingress CreatedBy=admin TaskType=ProtocolTestTask Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6606) /console/restapi/api/system/task_management/internal_tasks/158 | [Action] [RestAPI] [APISuccess] [configservices] [94ab9727-29f1-48d8-92e3-5e505ca3938e] [SECURE] | ContextPath=/console | Headers=[Version: 6.0][host: ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST | PathInfo=/system/task_management/internal_tasks/158 | Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&created=1618245112104&task_class=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&delete_task_id=0&progress=0&maximum=0&modified=1618245112622&is_cancel_requested=false&task_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress | RemotePort=47956 |
29 April 2021 |
DATA NODE | IJ32123 | SEARCHES ON INDEXED FIELDS CAN BE SLOWER THAN EXPECTED AFTER ADDING A DATA NODE INTO THE QRADAR DEPLOYMENT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Searches that are performed on indexed fields can be slower than expected to complete after a Data Node is added to a QRadar deployment. This issue can be caused by a race condition during multi-source re-balancing that results in hourly folders being merged from different sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 104 [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist.
Requested from source 104 [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 104 [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 8 [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist.
Requested from source 8 [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 8 |
29 April 2021 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO PATH TRAVERSAL | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar SIEM when decompressing or verifying signature of zip files processes data in a way that may be vulnerable to path traversal attacks. CVSS Base score: 4.9 |
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
|
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 |
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO INSECURE INTER-DEPLOYMENT COMMUNICATION | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar SIEM is vulnerable to insecure inter-deployment communication. An attacker that is able to compromise or spoof traffic between hosts may be able to execute arbitrary commands. CVSS Base score: 7.5 |
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO CROSS DOMAIN INFORMATION DISCLOSURE | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar SIEM could disclose sensitive information about other domains which could be used in further attacks against the system. CVSS Base score: 4.3 |
04 May 2021 | |
SECURITY BULLETIN | APACHE TOMCAT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3 |
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1 |
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
|
04 May 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM MAY BE VULNERABLE TO A XML EXTERNAL ENTITY INJECTION ATTACK (XXE) | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Affected versions
IBM QRadar SIEM may be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1 |
04 May 2021 | |
WINCOLLECT | IJ29851 | WINCOLLECT 7.3.0 P1 AGENTS FAIL TO UPDATE OR GET CONFIGURATION UPDATES IN NAT'D ENVIRONMENTS | CLOSED | Resolved in WinCollect 7.3.1 (Build 16) (7.3.1.16) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue WinCollect 7.3.0 P1 Agents can fail to receive configuration updates or are unable to be updated due to connection timeouts occurring in NAT'd environments. Messages similar to the following might be visible when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][<IP Address >/- -] [-/- -]Agent XXXXXXX2069(127.0.0.1) caught exception [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] java.net.ConnectException: Connection timed out (Connection timed out) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:218) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.Socket.connect(Socket.java:682) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.av.connect(av.java:453) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.au.connect(au.java:98) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.NetworkClient.doConnect(NetworkClient.java:192) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:494) [ecs-ec-ingress.ecs-ec-ingress]
[WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:589) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.<init>(c.java:56) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1206) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1068) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:235) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:121) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.lang.Thread.run(Thread.java:818) |
14 December 2020 |
WINCOLLECT | IJ27033 | WINCOLLECT CAN ASSIGN INCORRECT IP ADDRESSES FOR WINDOWS COMPUTERS DUE TO DNS LOOKUP REFRESH | CLOSED | Resolved in WinCollect 7.3.1 (Build 16) (7.3.1.16) Workaround No workaround available. Administrators must upgrade to a version where this issue is resolved. Issue WinCollect can assign incorrect IP addresses for Windows Computers due to issues with DNS Lookup refreshing. The 'OriginatingComputer=ipaddress' being written into the event by WinCollect can be incorrect. |
18 August 2020 |
WINCOLLECT | IJ26354 | WINCOLLECT AGENT 'STATUS' CONTINUES TO DISPLAY 'RUNNING' AFTER NOT RECEIVING HEARTBEAT FOR AN EXTENDED PERIOD OF TIME | CLOSED | Resolved in WinCollect 7.3.1 (Build 16) (7.3.1.16) Workaround No workaround available. Administrators must upgrade to a version where this issue is resolved. Issue The WinCollect agent "Status" displayed in the QRadar User Interface can continue to display "Running" and fail to update appropriately when QRadar has not received a heartbeat message for an extended period of time from the agent. |
31 July 2020 |
WINCOLLECT | IJ27800 | WINCOLLECT INSTALLER CANNOT PROPERLY USE A CERTIFICATE THAT IS GREATER THAN 2000 CHARACTERS IN LENGTH | CLOSED | Resolved in WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue When a certificate greater than 2000 characters in length is pasted into the certificate field of the destination configuration page of the WinCollect installer, the certificate is cut to 2000 characters and successfully installs, but TLS communication fails. |
28 October 2020 |
WINCOLLECT | IJ26949 | WHEN WINCOLLECT 7.3.0 IS INSTALLED AND CONFIGURED FOR USE ON AN ENCRYPTED MANAGED HOST, AGENT/LOG SOURCE COMMUNICATION FAILS | CLOSED | Resolved in WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue When WinCollect is configured for use on an encrypted Managed Host in a QRadar environment, the installation of WinCollect version 7.3.0 introduces communication problems between QRadar and the WinCollect Agents. Adding new WinCollect Agent/Log Sources into QRadar fails because the communication failure prevents Agent registration. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Server Not Trusted No subject alternative names matching IP address 127.0.0.1 found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Agent Agent-name(127.0.0.1) caught exception -- [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.k.a(k.java:37) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:422) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:70) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:164)
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:249) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:731) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.r(D.java:486) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:244) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:608) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.i(av.java:282) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:1009) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.startHandshake(av.java:778) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:239) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:60) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:234) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run(WinCollectConfigHandler.java:153) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.lang.Thread.run(Thread.java:818) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] Caused by: java.security.cert.CertificateException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:382) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:438) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] ... 18 more [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.b(b.java:42) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.a(b.java:96) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:183) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:49) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:191) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:34) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager.checkServerTrusted(Q1X509FullTrustManager.java:377) [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] ... 19 more |
24 April 2021 |
WINCOLLECT | IJ27857 | WINDOWS 10 HOSTS UPDATED TO BUILD 2004 CAN RESET EVENTRECORDID VALUES TO 1 CAUSING WINCOLLECT ISSUES | CLOSED | Resolved in WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41) Workaround If you are unable to upgrade to a version where this issue is resolved, administrators can apply the following workaround:
Issue WinCollect agents installed on Microsoft Windows 10 hosts upgraded to build 2004 can experience an issue where the WinCollect agent stops sending events to QRadar. The issue was reported after administrators completed updates of Windows 10 from build 1909 to 2004. WinCollect agents track event collection with the EventRecordID value in the Event Viewer for each event type in C:\ProgramData\WinCollect\Data\PersistenceManager. The PersistenceManager directory includes a file for each event log type with a cursor entry, which indicates the next event in the Event Viewer that WinCollect needs to parse and send. When Windows updates to Windows 10 build 2004, the operating system resets the EventRecordID values to 1 in the Event Viewer for all event log types. A reset in the EventRecordID results in WinCollect agents not sending events until the EventRecordID in the Event Viewer matches the last polled cursor value in the WinCollect agent. This APAR is intended to alert administrators to this operating system change in Windows 10 Feature Build 2004. All WinCollect agents at all versions are affected by the EventRecordID reset issue in Windows 10 build 2004. Administrators who plan to update Windows 10 systems to feature build 2004 ought to alert their teams to this EventRecordID reset issue. |
28 October 2020 |
WINCOLLECT | IJ32255 | WINCOLLECT 7.3.0 P1 (7.3.0-41) AGENTS THAT ARE NOT INSTALLED ON DRIVE C:\ OF THE WINDOWS COMPUTER CAN STOP SENDING EVENTS | OPEN | Workaround On the affected Microsoft Windows computer:
Issue On Microsoft Windows computers where the WinCollect agents are installed to a drive other than C:\, an upgrade to WinCollect 7.3.0 P1 (7.3.0-41) can cause the destination and log source information to be removed from the AgentConfig.xml file and the WinCollect agent stops sending events. Microsoft Windows computers where the WinCollect agent was installed to the C:\ drive are not affected. |
03 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ28428 | "SHOW VLANS" CISCO IOS ADAPTER COMMAND DOES NOT RETURN RESULTS DUE TO THE EXPECTED COMMAND "SHOW VLAN" | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The "show vlans" command for the Cisco IOS Adapter fails to return output because the command on that appliance (C2900 series) is "show vlan" (no 's' on the end). The adapter is expected to work for both command variations. Example of output with "show vlans": 2020-05-06 20:55:50 [ZipTie::SSH] [SENDING] 2020-05-06 20:55:50 [ZipTie::SSH] show vlans 2020-05-06 20:55:50 [ZipTie::SSH] ---------------------------------------------------------------- 2020-05-06 20:55:50 [ZipTie::SSH] ---------------------------------------------------------------- 2020-05-06 20:55:50 [ZipTie::SSH] [WAITING 300 SECOND(S) FOR] 2020-05-06 20:55:50 [ZipTie::SSH] hostname[#>]\s*$|--More--\s*$ 2020-05-06 20:55:50 [ZipTie::SSH] ---------------------------------------------------------------- 2020-05-06 20:55:50 [ZipTie::SSH] ---------------------------------------------------------------- 2020-05-06 20:55:50 [ZipTie::SSH] [RESPONSE] 2020-05-06 20:55:50 [ZipTie::SSH]show vlans 2020-05-06 20:55:50 [ZipTie::SSH] Command authorization failed. 2020-05-06 20:55:50 [ZipTie::SSH] 2020-05-06 20:55:50 [ZipTie::SSH] hostname# |
18 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ28512 | JUNIPER JUNOS DEVICE BACKUP FAILURE WHEN ACL REFERENCES A PREFIXLIST WHICH DOES NOT CONTAIN A LIST OF IP ADDRESSES | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Administrators might notice that a Juniper JunOS device fails to back up when an access control list references a prefix list that does not contain a list of IP addresses or CIDRs. Look for similar messages in /var/log/qradar.log: [tomcat-rm.tomcat-rm] [Adapter Backup Job] com.q1labs.simulator.jobs.DeviceAdapterBackupJob: [ERROR] [NOT:0000003000][9.175.220.190/- -] [-/- -]java.lang.Exception: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637. at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:157) at org.ziptie.server.dispatcher.Operation.execute(Operation.java:100) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java:686) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java:563) Caused by: javax.xml.ws.soap.SOAPFaultException: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
at com.sun.xml.ws.fault.SOAPFault.getProtocolException(SOAP11Fault.java:188) at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118) at com.sun.proxy.$Proxy95.backup(Unknown Source) at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java:74) at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:142) |
18 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ28901 | INCORRECT DISPLAY OF 'ANY' IN DESTINATION SERVICE COLUMN FOR ACCESS CONTROL LIST RULE AFTER CISCO IOS DEVICE BACKUP | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The Configuration Monitor -> Rules screen can incorrectly display a value of "any" in the Destination Service(s) column instead of the actual destination port for an extended access control list rule after a Cisco IOS device backup is performed. |
18 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ29954 | PERFORMING A DISCOVERY FROM A CISCO FIREPOWER MANAGEMENT CENTER CAN FAIL | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Discovery from Cisco Firepower Management Center (FMC) fails when the user is not automatically placed in expert mode when logging in to retrieve the list of network devices. The adapter currently ensures that expert mode is gained when backing up a discovered device, but not when discovering devices from the FMC. |
18 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ30906 | CHECK POINT HTTPS DEVICE ADAPTER FAILS TO BACKUP DUE TO INCORRECT IP ADDRESS | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue A Check Point HTTPS device adapter backup fails when the IP address of the device's interface is the same as the IP address of the Check Point security management server from which it was discovered, rather than the main IP address of the device. When this issue occurs, the adapter backup log contains a message similar to the following: Check this device was not discovered from the multi-domain server IP. |
18 May 2021 |
ADAPTER / QRADAR RISK MANAGER | IJ31098 | A PAN-OS DEVICE BACKUP FAILS WHEN A STATIC ROUTE REFERENCES A NETWORK GROUP INSTEAD OF AN IP ADDRESS | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130) Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters Workaround Configure the static route on the device to use an IP address instead of a network group. Issue A PAN-OS device backup fails when a static route references a network group rather than an IP address. When this issue occurs, the logs contain a message similar to the following: ERROR: Backup failed for device (device name) at IP (IP address) with adapter type ZipTie::Adapters::PaloAlto::PANOS. [Failed to process device routing] |
18 May 2021 |
BOX RESTAPI PROTOCOL | IJ28431 | LOG SOURCES USING THE BOX RESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN THE EVENT QUEUE FILLS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Log Sources configured to use the Box RestAPI protocol can stop receiving events when the event queue fills. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] com.q1labs.semsources.sources.boxrestapi.api.BoxRESTAPIInstance: [ERROR] [NOT:0000003000][EP IP] [-/- -]Unable to query for content. Terminating query thread for for Box API [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] java.util.IllegalFormatConversionException: d != java.lang.Double [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4313) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2804) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter$FormatSpecifier.print(Formatter.java:2758) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter.format(Formatter.java:2531) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.util.Formatter.format(Formatter.java:2466) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at java.lang.String.format(String.java:4174) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at com.q1labs.frameworks.logging.Logger.warn(Logger.java:805) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at
com.q1labs.semsources.sources.boxrestapi.BoxRESTAPIProvider.onReceiveMessage(BoxRESTAPIProvider.java:235) [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread] at com.q1labs.semsources.sources.boxrestapi.api.BoxAPIQuery.queryContent(BoxAPIQuery.java:237) |
12 October 2020 |
HIGH AVAILABILITY (HA) | IJ30674 | A HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR DUE TO A FAILURE WITH THE MOUNT MONITOR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue In instances where the QRadar mount monitor fails, an unexpected High Availability (HA) failover can occur. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: hostname-primary HA System Monitor: [ERROR] /store/docker-data/engine/VMware-42-26-70-33-66-fb-61-4c-f2-27-de-b4-88-91-98-b9/devicemapper/mnt/88bbfc361142fe836845842fca3082f18c8962501a795252de51d81d224a8f48-init is not mounted properly with read write permition 127.0.0.1 [ha_manager.ha_manager] [IPCWorkerThread] com.q1labs.ha.manager.ipc.IPCWorkerThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]IPC service "sensor" = "1.0" hostname-primary HA System Monitor: Mount point check failed 127.0.0.1 [ha_manager.ha_manager] [HAManager] com.q1labs.ha.manager.StateMachine: [WARN][NOT:0000004000][127.0.0.1/- -] [-/- -] The "mount_status" sensor key is down, and is in position to cause failover. It is both enabled for failover, and has satisfied any time restrictions. Requesting switch to OFFLINE/MOUNT_MONITOR state (SMD001061/59903) 127.0.0.1 [ha_manager.ha_manager] [HAManager]com.q1labs.ha.manager.HAManager: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Starting OFFLINE/MOUNT_MONITOR state |
26 February 2021 |
QRADAR VULNERABILITY MANAGER | IJ31842 | RUNNING API QUERIES AGAINST QVM SCANNERS CAN TIMEOUT AND FAIL WITH A RESPONSE CODE 500 | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround Performing a hostcontext restart on the QRadar Console can temporarily (for approximately 30 minutes) correct this issue. Note: Restarting hostcontext causes an interruption to some QRadar functionality. For more information, see: Hostcontext service and the impact of a service restart. Issue API queries run against QRadar Vulnerability Manager (QVM) scanners can become unresponsive, time out, and fail with a response code of 500. For example: curl -S -X GET -u -H 'Version: 12.1' -H 'Accept: application/json' 'https:///api/scanner/profiles' { "http_response": { "code": 500, "message": "Unexpected internal server error" }, "code": 12, "description": "", "details": {}, "message": "Endpoint invocation returned an unexpected error" |
05 June 2020 |
SERVICES | IJ32110 | THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGINDEXOUTOFBOUNDSEXCEPTION OCCURRING | OPEN | Workaround Perform a restart of the ecs-ingress service:
Issue In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs. Changes made in fix releases for APAR IJ28752 corrected the issue if the payload is cut off before the end of the full forwarded message ("Message forwarded from"), but those fix releases do not correct the issue if the payload is cut off immediately after that part. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] java.lang.StringIndexOutOfBoundsException: String index out of range: 43 [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.String.substring(String.java:2682) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412) |
22 April 2021 |
SALESFORCE REST API PROTOCOL | IJ32090 | LOG SOURCES CONFIGURED TO USE THE SALESFORCE PROTOCOL CAN GO INTO ERROR STATE DUE TO PROTOCOL PARSING ISSUE | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Log Sources configured to use the Salesforce Protocol can go into Error status with the error message "Event size is different from the schema size" due to a parsing issue with received events whose "URL" field contains a JSON object. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Event size is different from the schema size, schema '....' payload '...' at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFile(SalesforceRESTAPIProvider.java:550) at com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventLogFileFormatter.formatEventLogFile(EventLogFileFormatter.java:181) at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvider.java:509) at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.getEvents(SalesforceRESTAPIProvider.java:407) at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.execute(SalesforceRESTAPIProvider.java:357) at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195) |
22 April 2021 |
DATA GATEWAY APPLIANCE | IJ32138 | RESPONSIVENESS OF DATA GATEWAYS CAN BE SLOWER THAN EXPECTED WHEN /STORE IS LOW ON FREE SPACE | OPEN | Workaround No workaround available. IBM DevOps support for QRadar On Cloud is working on implementing an automated solution to address this issue. APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Data Gateway responsiveness can be slower than expected when the /store partition on the Data Gateway is low on available free space. This can cause various QRadar performance-related issues in the processes that require communication between the QRadar on Cloud Console and Data Gateways. |
22 April 2021 |
CENTRIFY REDROCK RESTAPI PROTOCOL | IJ30101 | LOG SOURCES USING CENTRIFYREDROCKRESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN UNABLE TO OBTAIN A THREAD CONNECTION | OPEN | Workaround Performing a manual stop/start of the affected log source should allow the connection to occur correctly. APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Log Sources configured to use the CentrifyRedrockRESTAPI protocol can stop collecting logs and do not automatically recover a proper connection on their own when an active thread connection cannot be obtained by the protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [Centrify Redrock REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider54] com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRedRockRESTAPIProvider: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -] Unable to find any active query threads. |
06 January 2021 |
QRADAR PULSE APP | IJ26452 | ORDER OF RETURNED AQL RESULTS DISPLAYED CAN VARY WHEN USING THE QRADAR PULSE APP | CLOSED | Resolved in QRadar Pulse App v2.2.6. Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue When an AQL query is used within the Pulse App and a parameter is changed, both searches (the refresh-time search and the parameter-update search) run at the same time. Both results are displayed one after the other, so the result that finishes running last is the one that remains displayed. This only occurs for AQL queries, as these are the only data sources that support parameters. |
26 April 2021 |
LOG SOURCE MANAGEMENT APP | IJ20697 | UNABLE TO SAVE CHANGES TO WINCOLLECT LOG SOURCES WHEN USING THE LOG SOURCE MANAGEMENT APP | CLOSED | Resolved in QRadar Log Source Management app v7.0.0. Workaround Edit the WinCollect Log Source(s) using the legacy log source user interface. From the Admin tab, click the Log Sources icon. Issue It has been identified that in some instances, when editing a WinCollect log source using the Log Source Management (LSM) app, clicking the Save button does nothing and no error is displayed. |
27 April 2021 |
QRADAR NETWORK INSIGHTS (QNI) | IJ29129 | RULE 'QNI: FILE EXTENSION/CONTENT TYPE VERIFICATION' FROM QNI CONTENT PACK V1.51 PARSES FILE EXTENSION INCORRECTLY | CLOSED | Resolved in QRadar Network Insights Content Pack V1.5.2. Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue False positive rule results can occur due to the rule "QNI: File Extension/Content Type Verification" from QNI Content Pack v1.5.1. Files with names containing more than one dot (.) are handled incorrectly by the rule. For example:
|
27 April 2021 |
DOCUMENTATION | IJ29297 | INSTALL OF QRADAR MARKETPLACE IMAGES FAIL WITH 'PANIC:RUNTIME ERROR: INDEX OUT OF RANGE' WHEN MORE THAN TWO DNS ENTRIES EXIST | CLOSED | Resolved in The QRadar documentation was updated in the following chapters:
Ensure that a maximum of two DNS entries exist in /etc/resolv.conf before setting up a QRadar marketplace image installation. Issue The installation of QRadar marketplace images fails when more than two DNS entries are present in /etc/resolv.conf. The error message generated at the time of the installation failure is similar to: panic: runtime error: index out of range. |
27 April 2021 |
MANAGED HOSTS | IJ26182 | QRADAR DATABASE REPLICATION REBUILD FUNCTION CAN SOMETIMES FAIL DUE TO A MISSING SQL FILE REFERENCE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround If you are unable to upgrade to resolve this issue, contact QRadar Support for a possible workaround. Issue The QRadar database replication rebuild function to Managed Hosts can fail because the SQL script db_update_235970.add_backup_build_version.sql is omitted from the /opt/qradar/conf/templates/installation_ordering.txt file. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000241053.sql:14325693: ERROR: extra data after last expected column [hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT: COPY backup, line 1 |
27 April 2021 |
ADVANCED SEARCH (AQL) | IJ27235 | THE 'REFERENCESETCONTAINS' AQL FUNCTION DOES NOT SEARCH INDEX FILES FOR QRADAR ON CLOUD | CLOSED | Resolved in QRadar on Cloud 7.4.1 Fix Pack 2 Interim Fix 1. Workaround Where possible, use the search functionality in the QRadar User Interface to perform the required searches. Issue AQL queries using referencesetcontains() lookups fail to search against index files when searching against indexed properties; only data files are searched. Performing the same searches using the QRadar User Interface works as expected. Messages similar to the following might be observed in /var/log/qradar.log when this issue occurs while performing related searches: ariel_client /127.0.0.1:47392 | [Action] [Search] [SearchExecuted] query starts, description="User:admin,Source:UI,Params:Id:ab137002-2aed-4433-95d4-baaf53d399f2, DB: Administrators should note that this issue does not generate an error; instead, the search data does not hit the indexes as expected, which the query log shows as: indexFileCount=0 |
27 April 2021 |
QRADAR WORKFLOW ANALYST APP | IJ22582 | CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL 'UPDATE' BUTTON SELECTED | CLOSED | Resolved in QRadar Analyst Workflow App v1.9.16. Workaround Click the Update button to see the correct search results after grouping by a specific category. Issue After executing a Search using filters and a "Results Limit", if the "Display" field is changed to a "group by" ("Low Level Category" for example), some search results are not returned until the Update button is selected/clicked. |
27 April 2021 |
QRADAR WORKFLOW ANALYST APP | IJ17196 | ADVANCED SEARCH (AQL) RETURNS ERROR 'REQUEST-URL TOO LARGE' | CLOSED | Resolved in QRadar Analyst Workflow App v1.9.16. Workaround Click the Update button to see the correct search results after grouping by a specific category. Issue It has been identified that an Advanced Search (AQL) can return an error message similar to: Request-URI Too Large Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] org.antlr.v4.runtime.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: and (INCIDR('127.0.0.1/23', IP_source_... [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23', IP_source_..." [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ql.parser.ParserBase.parseStatement(ParserBase.java:488) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java:102) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:93) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:361) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:306) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:134) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:627) [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at java.lang.Thread.run(Thread.java:798) |
27 April 2021 |
QRADAR WORKFLOW ANALYST APP | IJ28494 | QRADAR USERS WITHOUT "VIEW CUSTOM RULES" AND "MAINTAIN CUSTOM RULES" ACCESS CAN STILL SEE FULL LIST OF CUSTOM RULES UNDER LOG | CLOSED | Resolved in Analyst Workflow App v1.9.16. QRadar 7.4.3 Fix Pack 7 (7.4.3.20220927164102) Workaround No workaround available. Administrators must upgrade the application to resolve this issue. Issue QRadar users can view custom rules while searching in Log Activity even when they have not been granted the 'View Custom Rules' and 'Maintain Custom Rules' permissions. To recreate this issue:
|
27 April 2021 |
QRADAR WORKFLOW ANALYST APP | IJ24469 | ADVANCED SEARCH (AQL) RESULT 'CLIENT EXCEPTION OCCURRED WHILE HANDLING THE SERVER RESPONSE' WHEN USING \U | CLOSED | Resolved in QRadar Analyst Workflow App v1.9.16. Workaround Where possible, use the wildcard character '_' (matches any single character) in place of the backslash in the AQL query, so that '_u' matches any single character (including a backslash) followed by u and the Unicode escape is avoided. Issue When the AQL search contains the backslash u (\u) character sequence, the Log Activity Advanced Search (AQL) user interface returns the error: client exception occurred while handling the server response Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [Token: ArcherBridge@127.0.0.1 (8425) /console/do/core/;jsessionid=99572ED7939336B1E986C7D45BE43B70] org.apache.struts.action.RequestProcessor: [ERROR] Invalid path /core/ was requested |
27 April 2021 |
DEPLOYMENT | IJ26156 | DUPLICATE DEPLOYMENT ARROWS CAN BE VISIBLE IN THE 'VIEW DEPLOYMENT' WINDOW WHEN A MANAGED HOST ID IS 128 OR HIGHER | CLOSED | Reason Closed as Permanent restriction. This issue is only graphical and doesn't affect event collection. Closing as won't fix. Workaround No workaround available. Issue A Managed Host id of 128 or greater can cause duplicate deployment arrows to be visible in the "View Deployment" window of the QRadar User Interface. Note: This issue is only graphical and does not affect event collection. |
27 April 2021 |
NETWORK | IJ04296 | CONFIGURING THE 169.154 CIDR FOR QRADAR APPLIANCE INTERFACES CAN CAUSE QRADAR APPS (DOCKER) TO FAIL | CLOSED | Reason Closed as Permanent restriction. This issue will not be fixed. Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Configuring QRadar Appliance interfaces to use IPs within the 169.154 CIDR causes QRadar Apps to fail when there is a conflict with the Docker IPs that are used from within that CIDR. |
27 April 2021 |
UPGRADE | IJ28895 | HOSTCONTEXT SERVICE FAILS TO START AFTER PATCHING OR UPGRADE FROM 7.3.X TO 7.4.X | CLOSED | Resolved in This fix is available in the weekly auto update starting on 09 March 2021. Administrators who manually update RPMs can download and install the following file from IBM Fix Central: DSM-RadwareDefensePro-7.3-20210218181623.noarch.rpm Workaround
A technical note is available with more information for administrators on APAR IJ28895. Issue After patching or upgrading from QRadar 7.3.x to 7.4.x, the hostcontext service can fail to start on the QRadar Console. This issue has been determined to be caused by a QRadar Autoupdate bundle installation, specifically with the guava-28.0-jre.jar file that is installed as part of the QRadar patch/upgrade process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [main] java.lang.NoClassDefFoundError: com.google.common.cache.CacheBuilder [main] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.<clinit>(SensorProtocolConfigParameters.java:37) [main] at sun.misc.Unsafe.ensureClassInitialized(Native Method) [main] at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:55) [main] at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:154) [main] at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1103) [main] at java.lang.reflect.Field.getFieldAccessor(Field.java:1079) [main] at java.lang.reflect.Field.set(Field.java:774) [main] at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:412) [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323) [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171) [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270) [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171) [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105) [main] at com.q1labs.frameworks.naming.FrameworksNaming. |
28 April 2021 |
VULNERABILITY SCANNER | IJ31088 | QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED | CLOSED | Reason Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided. Workaround
Issue QRadar can sometimes try to download a VA Scanner certificate even after the scanner configuration has been removed from QRadar. This is due to a cached value written to a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs: generateNotification: An attempt to download the server certificate for [IP ADDRESS:443] to [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed |
28 April 2021 |
TLS SYSLOG PROTOCOL | IJ25789 | TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED | CLOSED | Reason Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided. Workaround
Results The log source should then work and retrieve events as expected. Issue A TLS Syslog Log Source can fail to ingest events when initially configured with an incorrect private key, even after the private key has been corrected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager: [ERROR] Error adding key to TLS keystore. [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] java.security.spec.InvalidKeySpecException: Inappropriate key specification: PrivateKeyInfo parsing error. [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at com.ibm.crypto.provider.RSAKeyFactory.engineGeneratePrivate(Unknown Source) [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at java.security.KeyFactory.generatePrivate(KeyFactory.java:383) [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager.addKeyToKeyStore(TLSSecurityManager.java:408) [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.setupServerKeyStore(TLSSyslogProvider.java:487) [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.preExecuteConfigure(TLSSyslogProvider.java:94) [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:181) |
28 April 2021 |
PROTOCOL | IJ29518 | SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS | CLOSED | Resolved in This fix is dependent upon the QRadar version and is available in the following RPMs on IBM Fix Central: Version 7.3.x: Version 7.4.x: Workaround No workaround available. Administrators must install the RPM files where this issue is resolved from IBM Fix Central. These files are NOT included through QRadar Auto Updates. Issue Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043) [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvider: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]TailingException: Unable to create/open - examplename.log status = -1073741757 (0xc0000043) (0xC0000043) |
28 April 2021 |
PROTOCOL | IJ26183 | ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL | CLOSED | Resolved in This fix is available in the following RPMs on IBM Fix Central: The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command. Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue In some instances, the ecs-ec-ingress process (required for event collection) can experience out of memory occurrences caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use. Messages similar to the following, referencing a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue is occurring: [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [x.x.x.x][smb://x.x.x.x/LogFiles/]] com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access error for file W3SVC13 status = -1073741790 (0xc0000022) (0xC0000022) |
28 April 2021 |
PROTOCOL | IJ28166 | LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR' | CLOSED | Resolved in This fix is available in the following RPMs on IBM Fix Central: The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command. Workaround No workaround available as this issue is closed as a vendor solution. Administrators must install the RPMs listed to resolve this issue, or update to the latest version of the SMB Tail Protocol and Microsoft Windows Security Event Log over MSRPC protocol if a newer version exists. Issue Some log sources that are configured to use the Windows Event Log RPC Protocol can go into "Error" state with an "Internal Error". These instances have been identified as being caused when the jNQ jar file is required for use by the Protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at jcifs.util.Encdec.dec_uint32le(Encdec.java:90) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepresentation.java:64) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245) |
27 April 2021 |
QRADAR NETWORK INSIGHTS | IJ30955 | PERFORMING A FORENSICS RECOVERY CAN APPEAR TO SUCCEED WHEN THE TASK FAILED SILENTLY AND NEVER STARTED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Attempting to perform a Forensics Recovery can appear to succeed, but the job never starts and there are no results in the Incident Recovery Grid when the username is longer than 25 characters. In these instances, messages in the logs indicate a postgres error if either the username or the submitter field is longer than 25 characters. Example of the error logged in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [HttpServletRequest-3016-Idle] com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error: SQLException: ERROR: value too long for type character varying(25) SQLState: 22001 VendorError: 0 |
23 February 2022 |
REPORTS | IJ30954 | AFTER REFRESHING PAGE AFTER CHANGES ARE MADE FOR SHARING REPORTING GROUPS THE CHANGES DO NOT APPEAR TO HAVE BEEN SAVED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. Issue An issue has been identified in the Reports > Managed Groups > 'Share with Users Matching the following criteria' interface where sharing a report group does not appear to save as expected. If a user shares a report group with a specific user role and security profile, then clicks the refresh option, the change does not appear to have been saved. This is misleading, because the report is saved successfully and shared with the selected users, but it is not displayed as shared. If a recipient of the shared report logs in, they can see the shared reports as (Shared)Report name. |
13 December 2022 |
HIGH AVAILABILITY (HA) | IJ30664 | HIGH AVAILABILITY (HA) JOIN FAILS DUE TO INCORRECT SIZE OF /STORE AND /TRANSIENT PARTITION IN NON-CONSOLE BUILD | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue In some instances, on a software installation build of a non-Console QRadar appliance, the /store partition on a High Availability (HA) Primary appliance can be larger than expected and the /transient partition smaller than expected. When this occurs, the HA join process fails due to the incorrect and mismatched partition sizing between the Primary and Secondary appliances. The /var/log/setup-xxx/qradar_partsetup.log file displays messages similar to the following when this issue occurs: Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [InitLog] Log file set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [getopts] Pre-check argument passed Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] [InitLog] Log file set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] ERROR: Failed to unmount /store |
06 March 2021 |
DATA DEOBFUSCATION | IJ30950 | DATA DEOBFUSCATION DOES NOT WORK AS EXPECTED AFTER REASSIGNING A LOG SOURCE TO A DIFFERENT DOMAIN UNTIL PERFORMING FULL DEPLOY | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Perform a Deploy Full Configuration from the User Interface after moving a Log Source to a Log Source Group that is part of a different domain:
|
12 July 2021 |
ACCUMULATOR | IJ31082 | 'ACCUMULATOR FALLING BEHIND' NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue QRadar environments where the default Global Views for Event Rate (EPS) and Flow Rate (FPS) have been deleted and then recreated can experience Accumulator Falling Behind notifications during search processes. This is due to a locale that is added in these instances and uses "contains" as its matching algorithm, which is considerably slower for searches. |
05 March 2021 |
VULNERABILITY SCANNER | IJ31109 | TENABLE SCAN TASK CAN HANG AND NOT COMPLETE SUCCESSFULLY DUE TO A NULL KEY | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Tenable IO is inserting a null key/element into spillOverCache, which causes the scan task to hang until it fails to complete successfully. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [vis] [Tenable.io-454-worker] com.q1labs.vis.exceptions.ScannerTaskException: This cache cannot accept null elements or null keys [vis] [Tenable.io-454-worker] at com.q1labs.vis.scanners.tenable.io.IOModule.scan(IOModule.java:187) [vis] [Tenable.io-454-worker] at com.q1labs.vis.scanners.base.ScannerModule.run(ScannerModule.java:221) |
05 March 2021 |
DOMAINS AND TENANTS | IJ31107 | TENENTQUEUEDEVENTTHROTTLEFILTER DOES NOT PERFORM AS EXPECTED WITH A LOW EPS LIMIT AND CAN CAUSE DROPPED EVENTS | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The TenantQueuedEventThrottleFilter does not perform as expected with a low EPS limit and can cause dropped events. As a result, it can be observed for a low tenant EPS limit configuration that the limit cannot be attained without dropping events. For example:
|
06 March 2021 |
PROTOCOLS | IJ31086 | LOG SOURCES USING RABBITMQ CAN SOMETIMES FAIL TO CONNECT AS EXPECTED DUE TO ROGUE CONNECTIONS CREATED | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue RabbitMQ can sometimes create new connections before the old one is removed. When this occurs, it can result in multiple rogue connections on CiscoAMP, causing events not to be received into QRadar. |
06 March 2021 |
UPGRADE | IJ31095 | QRADAR PATCHING TO VERSION 7.4.1 OR NEWER CAN FAIL ON MANAGED HOSTS WITH ''ERROR: COULD NOT CREATE UNIQUE INDEX..." | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Patching to QRadar 7.4.1 or newer can fail on Managed Hosts due to an index that causes an SQL script to fail on duplicate data. Messages similar to the following might be visible during patching when this issue occurs: 2 SQL script errors were detected; Error applying script [26/32] '/media/updates/opt/qradar/conf/templates/db_update_250323.ref_set_import1.sql' for Test_qradar database.; details: WARNING: SET TRANSACTION can only be used in transaction blocks NOTICE: index "reference_data_element_unique_rdata1" does not exist, skipping ERROR: could not create unique index "reference_data_element_unique_rdata1" DETAIL: Key (md5((rdk_id::text || '_'::text) || data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated. Error applying script [29/32] '/media/updates/opt/qradar/conf/templates/db_update_248240.ref_set_import1.sql' for Test_qradar database.; details: WARNING: SET TRANSACTION can only be used in transaction blocks NOTICE: index "reference_data_element_unique_rdata1" does not exist, skipping ERROR: could not create unique index "reference_data_element_unique_rdata1" DETAIL: Key (md5((rdk_id::text || '_'::text) || data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated. <hostname> : patch rolled back. |
05 March 2021 |
UPGRADE | IJ31096 | QRADAR MANAGED HOST PATCH COMPLETES SUCCESSFULLY BUT WITH ERRORS RUNNING "/MEDIA/UPDATES/SCRIPTS/QRADAR-2072.INSTALL" | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue QRadar Managed Hosts (MH) can patch successfully but with errors when the tomcat process on the Console appliance is unavailable during MH patching. A message similar to the following can be displayed when this occurs: (hostname)-primary : patch test succeeded. (hostname)-secondary : patch test succeeded. Error running 143: /media/updates/scripts/QRADAR-2072.install --mode mainpatch In /var/log/setup-xxxxx/patches.log messages similar to the following can also be observed when this issue occurs: Feb 22 04:31:18 2021: Feb 22 04:31:18 2021:[DEBUG](-ni-patchmode) Running script /media/updates/scripts/QRADAR-2072.install --mode mainpatch Feb 22 04:31:18 2021: [QRADAR-2072] [mainpatch:Run] /opt/qradar/bin/generate_cert_from_csr.sh parse error: Invalid numeric literal at line 1, column 8 Feb 22 04:33:22 2021: Feb 22 04:33:22 2021:[DEBUG](-ni-patchmode) Error running 73: /media/updates/scripts/QRADAR-2072.install --mode mainpatch; Got error code of 1. Feb 22 04:33:22 2021: Feb 22 04:33:22 2021:[ERROR](-ni-patchmode) Error running 73: /media/updates/scripts/QRADAR-2072.install --mode mainpatch |
05 March 2021 |
PROTOCOLS | IJ31102 | LOG SOURCES CONFIGURED TO USE THE IBMSIMJDBC PROTOCOL CAN FAIL TO WORK AS EXPECTED DUE TO A JAR DEPENDENCY | OPEN | Workaround In the following path: /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/IBMSIMJDBC/
Issue Log Sources configured to use the IBM Security Identity Manager Protocol can stop working with a 'NoClassDefFoundError' due to a jar dependency. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Thread-25] com.eventgnosis.ecs: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error attempting to load (device):ecs-ec-ingress/EC_Ingress/Q1_IBMSIMJDBCEventSource Error : java.lang.NoClassDefFoundError: com.microsoft.sqlserver.jdbc.SQLServerException |
05 March 2021 |
LICENSE | IJ07953 | 'FAILED TO GET EPS FPM ALLOCATION VALUES' IN LOG ACTIVITY TAB OR 'FAILED TO LOAD DATA' IN LICENSE POOL MANAGEMENT | CLOSED | Resolved in QRadar 7.3.2 (7.3.2.20190201201121) QRadar 7.3.1 Fix Pack 7 (7.3.1.20181123182336) Workaround Administrators can upgrade to a release where this issue is resolved. For more information, review the following resources:
Issue It has been identified that in instances where manual database changes have been made to the license_key and serverhosts tables, the license pool management page sometimes does not load and displays the error "Failed to load data". The message "Failed to Get EPS FPM allocation values" can also be observed in the Log Activity tab when this issue is occurring. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] Caused by: [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Failed to retrieve the deployed license pool [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.buildPool(LicensePoolGetImpl.java:42) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.getLicensePool(LicensePoolGetImpl.java:18) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.configservices.api.v8_0.license_pool.LicensePoolAPI.getDeployedLicensePool(LicensePoolAPI.java:70) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at java.lang.reflect.Method.invoke(Method.java:508) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] ... 46 more [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] Caused by: [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] java.lang.NullPointerException [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.core.shared.license.LicenseKeyManager.getHostType(LicenseKeyManager.java:4305) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.core.shared.license.LicensePoolAllocationManager.getTotalCapacities(LicensePoolAllocationManager.java:652) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.q1labs.core.shared.license.LicensePoolAllocationManager.getTotalCapacities(LicensePoolAllocationManager.java:629) [tomcat.tomcat] [admin@127.0.0.1 (2795) /console/restapi/api/config/deployment/license_pool] at com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetImpl.buildPool(LicensePoolGetImpl.java:33) |
26 February 2019 |
QRADAR ON CLOUD | IJ32040 | QRADAR ON CLOUD USER INTERFACE CAN EXPERIENCE UNPOPULATED LIST BOXES OR ONES ONLY DISPLAYING AN "X" | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Some QRadar On Cloud instances on Akamai can experience User Interface (UI) display issues such as unpopulated list boxes or list boxes with only "X" being displayed. This UI display behavior can be intermittent. This behavior has been identified as being caused by downloads of CSS resources, such as dojo.css, failing authentication and getting redirected to login.ibm.com. As these static resource downloads do not handle the HTTP 302 redirection, the CSS is not downloaded and the UI is incomplete. |
16 April 2021 |
PROTOCOL | IJ32029 | LOG SOURCES CONFIGURED TO USE THE VMWARE PROTOCOL CAN STOP WORKING AFTER INSTALLING UPDATED PROTOCOL VERSION | OPEN | Workaround The workaround is QRadar version dependent. Note: Restarting the ecs-ec-ingress service stops event collection. For more information, see: Impact of restarting QRadar services. For QRadar 7.4.x:
For QRadar 7.3.x:
Issue Log Sources configured to use the VMware protocol can stop working and display "Invalid Credentials when initializing EMCVmWareProtocol" after installing a new EMCVmware protocol rpm manually or via the AutoUpdate feature in QRadar. Affected RPM versions:
Run the following command from an SSH session to the QRadar Console to identify the currently installed rpm version and verify this identified issue: rpm -qa | grep -i emcvmwareprotocol Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] Caused by: java.rmi.RemoteException: VI SDK invoke exception:java.rmi.RemoteException: VI SDK invoke exception:org.dom4j.DocumentException: org.dom4j.DocumentFactory incompatible with org.dom4j.DocumentFactory [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown Source) [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.ws.VimStub.retrieveServiceContent(Unknown Source) [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source) [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.vmware.vim25.mo.ServiceInstance.<init>(Unknown Source) [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.q1labs.semsources.sources.vmware.api.VmApi.init(VmApi.java:90) [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] ... 4 more [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] com.q1labs.semsources.sources.vmware.EMCVmWareProtocol: [DEBUG] EMC Vm Ware Protocol Provider 'class com.q1labs.semsources.sources.vmware.VmWareAPIProvider6' changed state from STARTING to STOPPED. |
16 April 2021 |
UPGRADE | IJ31972 | RESIDUAL JDBC PROTOCOL JAR FILES ARE LEFT BEHIND WHEN UPGRADING FROM QRADAR 7.3.X TO 7.4.X | OPEN | Workaround The residual .jar files from the 7.3.x JDBC protocol can be ignored. Issue When patching from QRadar 7.3.x to QRadar 7.4.x there are residual JDBC Protocol .jar files that are left behind from the older protocol version. These residual .jar files are benign and can be safely ignored. |
16 April 2021 |
ADVANCED SEARCH (AQL) | IJ31912 | DATA CONTAINED WITHIN "< >" FROM PAYLOADS IS MISSING IN CSV EXPORT FROM AN AQL ADVANCED SEARCH CONTAINING A GROUP BY | OPEN | Workaround Where possible, perform the AQL search without the GROUP BY condition. Issue When performing an AQL search with a GROUP BY condition, and exporting the visible columns to a CSV file, any priority headers contained in the event payloads (e.g. "<13>") are missing in the .csv export file. For example:
|
16 April 2021 |
PROTOCOL | IJ31913 | JDBC TIMEOUT VALUE CONFIGURED FOR ORACLE LOG SOURCES IS SET AT 1 MINUTE VS 5 MINUTES FOR MSDB LOG SOURCES | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The JDBC timeout value used for Oracle Log Sources is set at 1 minute, but when JDBC is used for MSDB Log Sources it is set at 5 minutes. This can cause Oracle Log Sources to go into a failed state earlier than expected. Messages similar to the following might be visible in /var/log/qradar.log when the timeout occurs: [ecs-ec-ingress.ecs-ec-ingress] [*Oracle*//LxxxxxA@ipaddress Protocol Provider Thread: class com.q1labs.semsources.sources.jdbc.JdbcEventConnector5530] com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]IO Error: Socket read timed out on Oracle//LxxxxxA@ipaddress |
16 April 2021 |
MANAGED HOST / ADD HOST | IJ32092 | ADMIN USER WITH NO LOCALE CONFIGURED IS UNABLE TO ADD A MANAGED HOST TO THE QRADAR DEPLOYMENT | OPEN | Workaround
Issue The Add Host process fails with a message similar to "Cannot connect to the host. Check password and IP" for an admin user with no QRadar locale configured. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [Thread-503] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]unable to add managed host: null [tomcat.tomcat] [Thread-503] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924) [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:1003) [tomcat.tomcat] [Thread-503] at java.lang.Thread.run(Thread.java:822) [tomcat.tomcat] [Thread-503] Caused by: [tomcat.tomcat] [Thread-503] com.q1labs.configservices.common.ConfigServicesException: Unable to add managed host. [tomcat.tomcat] [Thread-503] at com.q1labs.configservices.capabilities.CapabilitiesHandler.addManagedHost(CapabilitiesHandler.java:2025) [tomcat.tomcat] [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:893) [tomcat.tomcat] [Thread-503] ... 2 more |
16 April 2021 |
ROUTING RULES | IJ31911 | ROUTING RULES WITH A FILTER CONTAINING A TRAILING BACKSLASH ARE NOT EDITABLE ONCE SAVED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue Routing Rules with a filter containing a trailing backslash are not editable once saved. For example:
|
23 February 2022 |
EVENT DATA | IJ31537 | MESSAGESIZEEXCEPTION CAN CAUSE THE QRADAR EVENT PIPELINE TO STOP FUNCTIONING AS EXPECTED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The QRadar event pipeline can stop working as expected when a message size exception is encountered, causing events to fail to be processed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.sem.nio.network.StreamProcessor: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Cannot get the event from SpilloverQueue [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] com.q1labs.frameworks.nio.exceptions.MessageSizeException: Message size exceeds communication buffer capacity 131062 [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.frameworks.nio.network.protocol.CollectionHandler.put(CollectionHandler.java:66) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.ibm.si.ecingress.destinations.SECStoreForwardDestination.sendEventFromQ(SECStoreForwardDestination.java:471) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.nio.network.StreamProcessor.sendMessage(StreamProcessor.java:96) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.nio.network.StreamProcessor.run(StreamProcessor.java:55) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.Thread.run(Thread.java:818) |
16 April 2021 |
LOG SOURCES | IJ31917 | LOG SOURCE IDENTIFIER COLUMN DISPLAYS "N/A" WHEN SELECTED IN A LOG ACTIVITY PAGE SEARCH | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround This issue only affects users of the legacy user interface; it does not affect the Log Source Management app, which displays the correct Log Source Identifier value. Where possible, use the Log Source Management app to view Log Source Identifier data. Issue The Log Source Identifier column displays N/A when it is selected in a search in the Log Activity page of the QRadar User Interface. This prevents grouping by Log Source Identifier. When opening a received event, the Log Source Identifier column displays the expected data within that view. |
23 February 2022 |
PROTOCOL | IJ32031 | LOG SOURCES CONFIGURED TO USE THE GOOGLE CLOUD PUB SUB PROTOCOL CAN INCORRECTLY DISPLAY ERROR STATUS | OPEN | Workaround
Issue Log Sources that are configured to use the Google Cloud Pub Sub Protocol can sometimes incorrectly display a status of "Error" when they are working correctly. |
16 April 2021 |
UPGRADE | IJ32030 | QRADAR PATCH PRETEST FAILS TO RUN ON MANAGED HOSTS UNTIL CONSOLE IS PATCHED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Perform the QRadar pretest and complete the Console software update. After the Console patching is successfully completed, the pretest can be run on the remaining Managed Hosts in the deployment. Issue The QRadar patch pretest function cannot be run on a Managed Host when the QRadar Console has not yet been patched. This issue prevents a pretest of a complete QRadar deployment prior to performing the patching process until after the Console is patched. A message similar to the following might be visible when attempting to run the pretest function: [ERROR] Failed to determine the patch level of the Console. |
30 May 2022 |
UPGRADE | IJ32036 | LOG SOURCES CONFIGURED TO USE THE MQJMS PROTOCOL CAN STOP WORKING UNEXPECTEDLY | OPEN | Workaround Toggle the affected MQ JMS log source to disabled and then enable it again to correct the issue. Issue Log Sources that are configured to use the MQJMS Protocol stop working when a JMSWMQ1107 error occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.q1labs.semsources.sources.mqjms.MQJMSErrorHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error Message: JMSWMQ1107: A problem with this connection has occurred. [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] com.ibm.msg.client.jms.DetailedIllegalStateException: JMSWMQ1107: A problem with this connection has occurred. [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] An error has occurred with the IBM MQ JMS connection. [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Use the linked exception to determine the cause of this error. [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:489) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:217) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:273) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WMQAsyncConsumerShadow.consumer(WMQAsyncConsumerShadow.java:615) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteProxyQueue.callConsumer(RemoteProxyQueue.java:3616) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.RemoteDispatchThread.run(RemoteDispatchThread.java:269) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.runTask(WorkQueueItem.java:319) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.SimpleWorkQueueItem.runItem(SimpleWorkQueueItem.java:99) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueItem.run(WorkQueueItem.java:343) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.workqueue.WorkQueueManager.runWorkQueueItem(WorkQueueManager.java:312) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.j2se.workqueue.WorkQueueManagerImplementation$ThreadPoolWorker.run(WorkQueueManagerImplementation.java:1227) [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2202' ('MQRC_CONNECTION_QUIESCING'). |
16 April 2021 |
SECURITY BULLETIN | | GOOGLE-API-CLIENT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS | CLOSED | Resolved in 7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436 7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430 Affected versions
CVE-2020-7692: Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by the lack of PKCE support. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code and gain authorization to the protected resource. CVSS Base score: 7.4 |
04 March 2021 |
SERVICES | IJ31105 | POSTFIX SERVICE IN A BAD STATE CAN CAUSE HOSTCONTEXT TO HANG | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue QRadar's hostcontext (responsible for multiple QRadar functions) can go into a hung state when the postfix service is not working correctly. Checking the status of postfix can help to identify that it may be in a bad state and can be performed via an SSH session to the QRadar Console: # systemctl status postfix postfix.service - Postfix Mail Transport Agent Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/postfix.service.d 80-si-postfix.conf Active: active (running) since Tue 2021-02-23 14:14:49 EST; 1h 15min ago Main PID: 22618 (master) Tasks: 3 Memory: 3.1M CGroup: /system.slice/postfix.service 22618 /usr/libexec/postfix/master -w 22619 pickup -l -t unix -u 22620 qmgr -l -t unix -u Feb 23 15:26:02 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling (console) postfix/smtpd[69654]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost = (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 69654 exit status 1 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling Feb 23 15:28:03 (console) postfix/smtpd[85954]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost = (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 85954 exit status 1 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling (console) postfix/smtpd[96641]: fatal: bad numerical configuration: unknown_local_recipient_reject_code = 550 relayhost = (console) postfix/master[22618]: warning: process /usr/libexec/postfix/smtpd pid 96641 exit status 1 (console) postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling For more information on hostcontext in QRadar, see: QRadar: Hostcontext service and the impact of a service restart |
31 March 2021 |
LOG SOURCES | IJ31534 | AUTODISCOVERED LOG SOURCES WITH A 127.0.0.1 IP ADDRESS CAN CAUSE SYSTEM EVENTS TO BE CATEGORIZED INCORRECT | OPEN | Workaround Update your parsing order for log sources to move the autodiscovered log sources below the QRadar system log sources. For more information, see: Adding a log source parsing order. Issue Autodiscovered log sources with an IP Address of 127.0.0.1 can have a higher value in the parsing order than the system-based log sources. This can cause internal events (for example, SIM Audit) to be associated with the incorrect log source. To identify whether this is the cause of incorrect Log Source association for internal events, check the parsing order:
|
31 March 2021 |
LOG SOURCES | IJ31840 | LOG SOURCES CONFIGURED FOR IBM SECURITY IDENTITY MANAGER JDBC CAN FAIL TO PARSE AS EXPECTED | OPEN | Workaround
Issue Log Sources configured for use with IBM Security Identity Manager JDBC can fail to work as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' stopped. [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Polling interval in milliseconds = 30000 [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]jdbc session properties file already exists, loading its values [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [WARN] [NOT:0000004000][epIp/- -] [-/- -]null on DB2//ITIMDB@dbHost [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.jdbc.SourceDatabaseType$2.composeUrl(SourceDatabaseType.java:90) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.connect(JdbcEventConnector.java:482) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.jdbc.JdbcEventConnector.preExecuteConfigure(JdbcEventConnector.java:1060) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:483) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [ERROR] [NOT:0000003000][epIp/- -] [-/- -]Unable to obtain a comparable value for the RECERTIFICATIONLOG table! [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector.preExecuteConfigure(IBMSIMJDBCEventConnector.java:500) [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179) [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]IBMSIMJDBC provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018' config ok; now trying to run... [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.base.SourceConfigDB: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Updating provider (id = 2018) because its parameters have changed. [ecs-ec-ingress.ecs-ec-ingress] [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Stopping provider 'class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018'. [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol Provider Thread: class com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector2018] com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected |
31 March 2021 |
VULNERABILITY SCANNER | IJ30930 | QRADAR SCANS ARE CALLING DEPRECATED TENABLE ENDPOINTS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue QRadar scans continue to call deprecated Tenable endpoints after changes have been made to the Tenable API. QRadar scanning needs to be updated so that only the fields returned by the current endpoints are parsed. |
05 March 2021 |
APPLICATION FRAMEWORK | IJ30953 | DRQ DIAGNOSTIC TEST RUNS ON ANY HOST CAPABLE OF RUNNING APPS (CONSOLE OR APP HOST) AND FAILS ON STANDBY HOSTS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue The drq diagnostic test for docker runs on any QRadar host capable of running apps (Console or App Host). When it runs on a Standby host in a High Availability (HA) pair, the test fails because docker is inactive on Standby hosts. This drq test failure on Standby hosts is benign and can be safely ignored. Messages similar to the following might be visible when drq is run on a Standby host: root@hostname-secondary ~]# drq DrQ version 1.4.1 (mode(s): checkup, tag(s): |
05 March 2021 |
UPGRADE | IJ31087 | PATCHING FROM A MOUNTED .SFS IN /STORE IS ALLOWED BY QRADAR BUT CAN CAUSE HIGH AVAILABILITY PATCHING TO FAIL | OPEN | Workaround Before you run a patch, make sure the .sfs file is mounted from /tmp or /root (or another filesystem that is not replicated by High Availability). If patching is already in progress on an HA-configured system from an .sfs mounted under /store and it fails, Contact QRadar Support. Issue QRadar allows a patch .sfs to be run while it is mounted from the /store partition. Because /store is the replicated HA filesystem, patching from this location can fail on High Availability (HA) appliances. |
05 March 2021 |
UPGRADE | IJ31084 | PATCHING TO QRADAR 7.3.3 FP7 CAN FAIL WITH DRACUT RPM DEPENDENCIES | OPEN | Workaround If patches.log contains the messages shown under Issue, remove the conflicting file(s) using the following command from an SSH session to the QRadar Console:
Issue Patching to QRadar 7.3.3 FP7 can fail due to RPM dependencies: the installed dracut-config-generic package pins dracut to the older build, so the dracut update cannot be applied. Messages similar to the following might be visible in /var/log/setup-#####/patches.log: Feb 5 08:22:07 2021: Feb 5 08:22:07 2021:[ERROR](testmode) sql pretest errored, halting.[6/9] Install & Upgrade Packages failed to complete successfully. Errors: [6/9] Install & Upgrade Packages upgrading produced: Error: Package: dracut-config-generic-033-535.el7.x86_64 (installed) Requires: dracut = 033-535.el7 Removing: dracut-033-535.el7.x86_64 (installed) dracut = 033-535.el7 Updated By: dracut-033-564.el7.x86_64 (local)dracut = 033-564.el7 |
05 March 2021 |
UPGRADE | IJ31085 | GLUSTERFS TO DRBD MIGRATION FAILS WHEN HOSTNAME IS LONGER THAN 54 CHARACTERS | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The glusterfs to DRBD migration fails when the hostname it is being run on is longer than 54 characters. |
05 March 2021 |
UPGRADE | IJ31074 | QRADAR PATCHING PROCESS CAN HANG AT MESSAGE "UPDATING : SYSTEMD-219-78.EL7.X86_64" | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround Old heap dumps might need to be removed from /store/jheap/<dir> before patching. If you require assistance to identify and remove these old heap dumps, Contact QRadar Support. Issue The QRadar patching process can hang with a message similar to the following displayed on screen: Feb 21 11:53:44 2021: Feb 21 11:53:44 2021: [INFO](patchmode) Updating : systemd-219-78.el7.x86_64 This issue can occur when there are dump files located in /store/jheap/ on the QRadar appliance being patched. |
30 May 2022 |
UPGRADE | IJ31079 | '[WARNING] ALL APPLICABLE HOSTS HAVE MIGRATED FROM GLUSTERFS TO DRBD. EXITING' WHEN RUNNING GLUSTERFS TO DRBD MIGRATION TOOL | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you experience issues with the glusterfs_migration_manager, move the report on the Console to another directory location, such as /store/ibm_support. For example:
Issue Running the glusterfs to DRBD migration in a QRadar deployment with multiple affected hosts can fail to restart if one appliance fails the migration process. A message similar to the following might be visible when this issue occurs: [WARNING] All applicable hosts have migrated from GlusterFS to DRBD. Exiting. This is caused by the logic in glusterfs_migration_manager.py that checks whether all hosts are migrated: when the report contains more than one host and the first host in the list has already completed migration, the script treats the whole migration as complete and calls sys.exit(1), so the remaining hosts are never processed. |
27 March 2021 |
VULNERABILITY SCANNER | IJ31088 | QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED | OPEN | Workaround From an SSH session to the QRadar Console:
Issue QRadar can sometimes try to download a VA Scanner certificate even if scanner configuration was removed from QRadar. This is due to a cached value written in a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs: generateNotification: An attempt to download the server certificate for [IP:443] to [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed |
05 March 2021 |
INDEX MANAGEMENT | IJ31090 | INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Index management can show zeros (0) for every column of each index if a large time range is chosen. This occurs when a backend timeout happens due to the large amount of data processed. |
05 March 2021 |
SYSTEM SETTINGS | IJ31083 | GEOGRAPHIC SETTINGS CAN FAIL TO WORK AS EXPECTED WHEN AN INCORRECT USERID HAS BEEN INPUT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Verify that the correct UserId value is entered into the field. Issue Geographic updates can fail in QRadar if an incorrect value is entered in the UserId text box in the Geographic Settings section of the System Settings page. A valid UserId consists only of digits, but a lack of input validation in the UserId field allows any characters to be entered. When an incorrect UserId is entered, the GeoIP.conf file is written with bad values. |
05 March 2021 |
PROTOCOLS | IJ31080 | EVENTS COMING FROM THE SAME SOURCE CAN SOMETIMES BE PLACED WITH DIFFERENT GOOGLE PUB/SUB LOG SOURCES | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums. Issue An issue with Google Pub/Sub log source auto-detection can occur when it sometimes randomly selects the last character of the regex "} and appends it to the Log Source Identifier. When this occurs, events coming from the same source can be placed in different Log Sources. |
05 March 2021 |
DEPLOY CHANGES | IJ31081 | DEPLOY FUNCTION CAN FAIL ON SOME MANAGED HOSTS IF A LEGACY DEPLOYMENT.XML FILE REMAINS IN /STORE/CONFIGSERVICES/DEPLOYED/ | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue The QRadar deploy function can fail on some Managed Hosts when a legacy deployment.xml file is located in /store/configservices/deployed/. ECIngressConfigBuilder first checks whether a file exists in the deployed folder and reads the staging folder only if it does not. A Managed Host normally has no file in the deployed folder, so a legacy file left there is read in preference to the current staged configuration. In the stack trace below, the legacy file carries no event threshold value, and Long.parseLong(null) raises the NumberFormatException: null that aborts the EC_Ingress.xml build. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.configservices.common.ConfigServicesException: Failed to create EC_Ingress.xml for component eventcollectoringress102.
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:130)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:54)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...22 more
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.RuntimeException: Error merging velocity template and context
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:56)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.buildConfig(ECIngressConfigBuilder.java:126)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...25 more
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEventThreshold' in class com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder threw exception java.lang.NumberFormatException: null at EC_Ingress.vm[line 498, column 79]
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:243)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:187)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:280)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:369)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:72)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:87)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:342)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:356)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.Template.merge(Template.java:260)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.VelocityFileProducer.createConfigFile(VelocityFileProducer.java:50)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...26 more
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] Caused by:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] java.lang.NumberFormatException: null
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:564)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.Long.parseLong(Long.java:643)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEPSThreshold(ECIngressConfigBuilder.java:315)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at com.q1labs.configservices.config.localset.sem.ECIngressConfigBuilder.getEventThreshold(ECIngressConfigBuilder.java:307)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at java.lang.reflect.Method.invoke(Method.java:508)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:395)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:384)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:173)
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...34 more |
05 March 2021 |
UPGRADE | IJ31092 | QRADAR PATCHING CAN FAIL DUE TO A FREE SPACE CHECK THAT FAILS | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue QRadar patching can fail because of an invalid drq check. The check measures /var/log/lastlog, which is a sparse file indexed by UID: its apparent size grows with the highest UID that has ever logged in, while the space it actually occupies on disk is small. The check is not required and should not cause QRadar patching to fail. Messages similar to the following might be visible when this issue occurs: Available Space Checks Checks if /var/log has enough space [FAILURE] Not enough space in /var/log: Available Space: 14108 MB - File: /var/log/lastlog 99520 MB. This will cause logrotate to fail. [REMEDIATION] Free up space in /var/log. You need at least 99720 MB free. |
05 March 2021 |
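The following Python script is an added illustration of the sparse-file problem behind IJ31092; it is not QRadar or drq code. It builds a constructed stand-in for /var/log/lastlog in a temporary directory (the 292-byte record size assumed for lastlog on x86_64 is only there to make the file look realistic), then compares a check based on apparent size with one based on allocated blocks.

```python
import os
import tempfile

# Assumed record size of a glibc struct lastlog on x86_64 (4 + 32 + 256 bytes); only the
# shape of the file matters for this demonstration, not the exact value.
LASTLOG_RECORD_SIZE = 292


def file_sizes(path):
    """Return (apparent_size, allocated_size) in bytes.

    st_size is the logical length; st_blocks is counted in 512-byte units,
    so the product is what the file actually occupies on disk.
    """
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def apparent_size_check(available_bytes, path):
    """Reproduces the faulty test: demands free space equal to the apparent size."""
    apparent, _ = file_sizes(path)
    return available_bytes >= apparent


def allocated_size_check(available_bytes, path):
    """Corrected test: only the allocated blocks could ever need to be copied."""
    _, allocated = file_sizes(path)
    return available_bytes >= allocated


def make_sparse_lastlog(directory, highest_uid):
    """Constructed stand-in for /var/log/lastlog.

    lastlog is indexed by UID: writing the record for one large UID leaves a hole
    in front of it, so the apparent size balloons while almost nothing is allocated.
    """
    path = os.path.join(directory, "lastlog")
    with open(path, "wb") as fh:
        fh.seek(highest_uid * LASTLOG_RECORD_SIZE)
        fh.write(b"\x00" * LASTLOG_RECORD_SIZE)
    return path


def demo(highest_uid=500_000, available_bytes=100 * 1024 * 1024):
    """Run both checks against a constructed sparse lastlog and return the figures."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_sparse_lastlog(tmp, highest_uid)
        apparent, allocated = file_sizes(path)
        return {
            "apparent_mb": apparent // (1024 * 1024),
            "allocated_kb": allocated // 1024,
            "faulty_check_passes": apparent_size_check(available_bytes, path),
            "corrected_check_passes": allocated_size_check(available_bytes, path),
        }


if __name__ == "__main__":
    print(demo())
```

On a real appliance the same comparison is `du -h /var/log/lastlog` against `du -h --apparent-size /var/log/lastlog`; a large gap between the two confirms that the failing check is counting the hole, not data.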
CONTENT MANAGEMENT TOOL (CMT) | IJ30916 | HIDDEN CONTROL CHARACTERS CAN CAUSE A CONTENT MANAGEMENT TOOL (CMT) IMPORT TO FAIL | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue A Content Management Tool import can fail when the import contains hidden control characters. The 0x3 in the message below is the ASCII ETX control character, which the XML 1.0 specification does not permit in element content, so the parser rejects the document. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] javax.xml.bind.UnmarshalException [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] - with linked exception: [ContentManager.cmt] [root@127.0.0.1:60778 (ContentManagementCLI)] [org.xml.sax.SAXParseException: An invalid XML character (Unicode: 0x3) was found in the element content of the document.] |
05 March 2021 |
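To locate such characters before an import is attempted, the following Python script is an added example (not part of QRadar or the CMT). It flags every character outside the XML 1.0 Char production, reports its line and column, and shows that a strict parser accepts the document once they are stripped. The sample export is constructed for the demonstration and is not real CMT output.

```python
import re
import xml.etree.ElementTree as ET

# Everything the XML 1.0 Char production allows; anything else is rejected by a
# conforming parser, which is what the SAXParseException above reports.
_ILLEGAL_XML_CHAR = re.compile(
    "[^\u0009\u000a\u000d\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def find_illegal_xml_chars(text):
    """Return (line, column, codepoint) for every character XML 1.0 forbids."""
    hits = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for match in _ILLEGAL_XML_CHAR.finditer(line):
            hits.append((lineno, match.start() + 1, ord(match.group())))
    return hits


def strip_illegal_xml_chars(text):
    """Remove the offending characters; the visible text is otherwise untouched."""
    return _ILLEGAL_XML_CHAR.sub("", text)


def parses(text):
    """True if a strict XML parser accepts the document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


# Constructed sample resembling a CMT export, with an ETX (0x03) hidden in a rule name.
SAMPLE_EXPORT = "<content><rule><name>Suspicious\x03 login</name></rule></content>"

if __name__ == "__main__":
    for line, col, cp in find_illegal_xml_chars(SAMPLE_EXPORT):
        print(f"line {line}, column {col}: U+{cp:04X}")
    print("cleaned export parses:", parses(strip_illegal_xml_chars(SAMPLE_EXPORT)))
```

Run it against the extracted XML files of the content bundle; the line and column let you inspect the offending field in the source system rather than blindly stripping bytes from an export you cannot review.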
LOG SOURCES | IJ31577 | LOG FILE PROTOCOL STOPS PROCESSING ANY FURTHER FILES WHEN AN EMPTY FILE IS READ IN A ZIPPED FILE | OPEN | Workaround
Issue When an empty file is encountered inside a zipped file, the Log File Protocol stops processing any further files and repeatedly processes the last file that was not empty. For example: a .zip file contains file1, file2, and file3, and file2 is empty. The protocol stops at file2, posts the events from file1 repeatedly, and never reaches file3. |
31 March 2021 |
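Until a fix ships, the archive can be checked and cleaned before it is placed where the Log File Protocol collects it. The Python below is an added example, not QRadar code: it lists zero-length members and repacks the archive without them, using a constructed three-file sample that mirrors the scenario above.

```python
import io
import zipfile


def empty_members(zip_bytes):
    """Names of zero-length files inside the archive (directory entries are ignored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and i.file_size == 0]


def member_names(zip_bytes):
    """Names of all file members, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def repack_without_empty(zip_bytes):
    """Return a new archive containing only the non-empty files, in original order."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir() or info.file_size == 0:
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def build_sample_zip():
    """Constructed archive matching the scenario in the APAR: file2 is empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("file1", "Jan 1 00:00:01 host app: event one\n")
        zf.writestr("file2", "")
        zf.writestr("file3", "Jan 1 00:00:03 host app: event three\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("empty members:", empty_members(sample))
    print("after repack:", member_names(repack_without_empty(sample)))
```

Running the check on the producer side (or in a staging directory on the collector) is preferable to discovering the stall from missing events, because the protocol keeps re-posting file1 rather than raising an error.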
LOG SOURCES | IJ31868 | "THE FIELD MUST NOT EXCEED 2047 CHARACTERS" MESSAGE CAN BE GENERATED WHEN CONFIGURING A TLS SYSLOG PROTOCOL CERTIFICATE | OPEN | Workaround Close the Log Source interface if you are editing, then raise the allowed length with the following command from an SSH session to the QRadar Console: psql -U qradar -c "UPDATE sensorprotocolparameter SET maxlength = 4096 WHERE id = 22022 AND name = 'issuerPk';" Confirm that the UPDATE reports exactly one row; if it reports none, the parameter id differs on your system and you should Contact QRadar Support rather than guess. Issue The TLS syslog protocol limits the Root/Intermediate Issuer's Certificate field to 2047 characters, and attempting to enter anything longer fails with a message similar to: The field must not exceed 2047 characters |
31 March 2021 |
DEPLOYMENT | IJ31762 | RE-ADD OF A MANAGED HOST CAN FAIL DUE TO INCORRECT STATUS OF THE MANAGED HOST IN THE QRADAR DATABASE | OPEN | Workaround From an SSH session to the QRadar Console, identify the id of the affected Managed Host and set its status to "Deleted" in the managedhost database table:
Issue Re-adding a Managed Host can fail when the status of the Managed Host is not correct in the QRadar database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]host already exists with that ip: (ipaddress) with status: ADD_FAILED_CHECK_LOGS
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Precheck: unable to mark host as being added
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Precheck: unable to mark host as being added
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1241)
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
[hostcontext.hostcontext] [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:74) |
31 March 2021 |
EMC VMWARE PROTOCOL | IJ31531 | VCENTER LOG SOURCES USING THE EMCVMWARE PROTOCOL CAN FAIL TO CONNECT DUE TO IP ADDRESS IN CONFIGURATION VERSUS A FQDN | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue vCenter Log Sources can fail to connect because the single sign-on (SSO) mechanism in vCenter 7.0 accepts only the server's fully qualified domain name (FQDN) in HTTPS requests. The vCenter Log Source address field accepts only an IP address, so the connection from QRadar to the vCenter server cannot be established. |
31 March 2021 |
BACKUP AND RESTORE | IJ31100 | QRADAR 7.4.X CONFIGURATION RESTORE FAILS DUE TO DUPLICATE ENTRIES IN THE ATTACKER_HISTORY DATABASE TABLE | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Restoring a config backup from QRadar 7.4.x fails due to duplicate entries in attacker_history database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Thread-355377] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream pg_restore: pg_restore: [archiver (db)] COPY failed for table "attacker_history": ERROR: duplicate key value violates unique constraint "attacker_history_ipaddress_key" [hostcontext.hostcontext] [Thread-355377] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream pg_restore: DETAIL: Key (ipaddress, domain_id)=(ip_address, 1) already exists. |
31 March 2021 |
AUTHENTICATION | IJ31665 | ATTEMPTING TO REMOVE A GROUP MAPPING FROM LDAP GROUP BASED AUTHENTICATION CAN FAIL TO WORK AS EXPECTED | OPEN | Workaround Option 1 Remove the group, add a group, and then click Save; the removal is then applied as expected. Option 2 Disable group based authentication and click Save. Then, before performing a deploy, re-enable group mapping and configure it from the beginning. If this still does not correct the issue, contact Support for an additional workaround that might address this issue in some instances. Issue While attempting to remove a group mapping in LDAP group based authentication from a Security role, the group can fail to be removed and is still displayed when navigating back to the configuration settings. For example:
|
31 March 2021 |
ASSETS | IJ31924 | THE CLEAN VULNERABILITIES FUNCTION DOES NOT WORK AS EXPECTED FOR ASSETS THAT DO NOT HAVE AN IP ADDRESS CONFIGURED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Where possible, use one of the following methods to work around the issue described above:
Issue When an asset has no IP address assigned to it, the clean vulnerabilities option does not remove the vulnerabilities from the asset. For Example: |
23 February 2022 |
QRADAR NETWORK INSIGHTS (QNI) | IJ30903 | SOME QRADAR NETWORK INSIGHTS (QNI) APPLIANCES CANNOT BE SET UP TO CONNECT TO QRADAR ON CLOUD (QRoC) ENVIRONMENTS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Virtual QRadar Network Insights (6500) and 1940/6600 40Gbps appliance types cannot be set up to connect to QRadar On Cloud (QRoC) because of variables within the setup_qradar_host.py script. Messages similar to the following might be visible when this issue occurs: Skipping apply VPN action: This host does not support VPN actions. |
12 July 2021 |
QRADAR PACKET CAPTURE | IJ32043 | NAPATECH CARD FIRMWARE INSTALLED IN PACKET CAPTURE APPLIANCES CAN BE AT AN OLDER VERSION THAN EXPECTED | OPEN | Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Some Napatech cards installed in QRadar Packet Capture appliances have a down-level firmware version (9232-52-13). The Packet Capture software installation does not attempt to detect the firmware version or upgrade it to the expected version. To verify the Napatech firmware version, type the following command from an SSH session to the appliance: /opt/napatech3/bin/adapterinfo Result
|
15 April 2021 |
VULNERABILITY SCANNER | IJ26097 | MAXPATROL VULNERABILITY SCANNER CAN FAIL TO CONNECT TO QRADAR AS IT USES THE DEPRECATED MICROSOFT WINDOWS SMBV1 | OPEN | Workaround No workaround available. Issue The Positive Technologies MaxPatrol vulnerability scanner integration can fail to connect as expected because it is configured to use the now-deprecated Microsoft Windows SMBv1 network protocol. SMBv1 is no longer installed by default on systems running Microsoft Windows, and re-enabling it weakens the host, so the protocol version should not be restored merely to make the integration work. |
15 July 2020 |
USER INTERFACE | IJ31931 | QRADAR RISK MANAGER: AN 'APPLICATION ERROR' CAN OCCUR WHEN OPENING THE RISKS TAB IN THE USER INTERFACE DUE TO IPV6 SETTINGS IN A CONFIGURATION FILE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround
Issue An "Application Error" can be displayed on the Risks tab of the QRadar User Interface if Internet Protocol version 6 (IPv6) is disabled on the QRadar Risk Manager (QRM) appliance. The java.net.SocketException: Protocol family unavailable in the QRM trace below is what the JVM reports when a socket is bound to an IPv6 address on a host where IPv6 is disabled; the tomcat-rm AJP connector therefore never starts, and the Console's calls to the appliance get HTTP 503. Messages similar to the following might be visible in /var/log/qradar.log on the QRadar Console when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method isTopologyReloading on the appliance; full error details in appliance log
[tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request:
[tomcat.tomcat] [admin@127.0.0.1 (6623) /console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 503: Service Unavailable
Messages similar to the following might be visible in logging on the QRM appliance when this issue occurs:
Mar 26 13:33:28 hostname tomcat-rm[17470]: SEVERE: Failed to initialize connector [Connector[AJP/1.3-18009]]
Mar 26 13:33:28 hostname tomcat-rm[17470]: org.apache.catalina.LifecycleException: Protocol handler initialization failed
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:848)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at java.lang.reflect.Method.invoke(Method.java:508)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Mar 26 13:33:28 hostname tomcat-rm[17470]: Caused by: java.net.SocketException: Protocol family unavailable
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.nio.ch.Net.bind0(Native Method)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.nio.ch.Net.bind(Net.java:460)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.nio.ch.Net.bind(Net.java:452)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:253)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:86)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:587)
Mar 26 13:33:28 hostname tomcat-rm[17470]: at org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
Mar 26 13:33:28 hostname tomcat-rm[17470]: ... 13 more |
07 April 2021 |
WINCOLLECT | IJ31843 | WINCOLLECT 7.3.0 P1 AGENTS CAN STOP SENDING LOGS WHEN INFORMATION AND WARN EVENT TYPES ARE NOT SELECTED | OPEN | Workaround
Issue WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when the Information and Warning event types are not selected. When this issue occurs, the affected WinCollect agent hosts can be checked for messages that include "Error code 15001: The specified query is invalid." once the host agent logs are placed into debug. To place a WinCollect agent host into debug, see: https://www.ibm.com/support/pages/node/6404330#localsrv Note: Disable debug as soon as possible to prevent log bloat. |
13 April 2021 |
WINCOLLECT | IJ32028 | WINCOLLECT LOG SOURCE MANAGEMENT DISPLAYS MULTIPLE INCORRECT ENTRIES WHEN A MANAGED HOST IS REMOVED AND ADDED BACK | OPEN | Workaround Create a WinCollect destination in the WinCollect UI and configure the WinCollect log sources to use this destination instead: https://www.ibm.com/community/qradar/2019/06/11/wincollect-configure-local-collection-when-installing-agent/ Issue When a Managed Host is removed from a QRadar deployment and then added back with either the same or a new hostname and/or same or different IP address, the database does not get updated correctly. When this occurs it creates additional duplicate Target Internal Destination options in the Log Source Management App for WinCollect log sources that can be invalid. |
12 April 2021 |
WINCOLLECT | IJ31923 | STANDALONE WINCOLLECT CAN FAIL TO WORK WHEN USING TCP TLS CONFIGURATION AND A CERTIFICATE SIZE OVER 8000 CHARACTERS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/wincollectforums Issue Standalone WinCollect fails to receive logs and work as expected when using a TCP TLS configuration with a certificate longer than 8000 characters. When the certificate is too large, Deploy Changes fails to push the required configuration changes to the agent. |
12 April 2021 |
SCAN RESULTS | IJ32044 | QRADAR VULNERABILITY MANAGER (QVM) SCAN STATUS REMAINS AT 'OUTSIDE OPERATIONAL WINDOW' AFTER SCAN COMPLETES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue When a scan uses operational windows, the scan status remains at "Outside Operational Window" after the scan completes. The asset model is updated, but the user is unable to open the scan results. |
23 February 2022 |
SECURITY BULLETIN | MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 7 Interim Fix 2 (7.3.3.20210330030509) Affected versions
|
12 April 2021 | |
SECURITY BULLETIN | SUDO AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208) QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337) Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users. Affected versions
CVE-2021-3156: Sudo is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing command line arguments. By running "sudoedit -s" with a command-line argument that ends with a single backslash character, a local attacker could overflow a buffer and execute arbitrary code on the system with root privileges. This vulnerability is also known as Baron Samedit. CVSS Base score: 8.4 |
12 April 2021 | |
DEPLOYMENT | IJ32056 | RE-ADD OF MANAGED HOST ON QRADAR 7.4.2 FIX PACK 3 HANGS AT "HOST IS BEING ADDED TO THE DEPLOYMENT" AFTER A QCHANGE_NETSETUP COMMAND IS PERFORMED | OPEN | Workaround
Issue When re-adding a Managed Host to a QRadar deployment running 7.4.2 Fix Pack 3 after it has been removed, and qchange_netsetup has been run prior to the re-add attempt, the Managed Host can fail to add and the Add Host process appears in a hung state with a message similar to: Host is being added to the deployment. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to add host. Output: 'Done Presence Script', data:'hostcontext is already stopped, no need to stop the service. [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to read output from ssh connection on host 127.0.0.1 [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]SSH connection or SSH command execution failed. The ip of the host is: 127.0.0.1 [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message [tomcat.tomcat] [Thread-644] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host 127.0.0.1 from the deployment model, if present, due to add_host failure. [tomcat.tomcat] [Thread-644] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed. |
12 April 2021 |
NETWORK CONFIGURATION | IJ31239 | A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP | CLOSED | Resolved in QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround A flash notice is available for administrators that describes how to confirm information in qradar_netsetup.log before you complete any network changes using the /opt/qradar/bin/qchange_netsetup utility. For more information, see: Important: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup (IJ31239). Issue QRadar development has identified a defect in the network component /opt/qradar/bin/qchange_netsetup where a hostname issue can cause a critical error, impacting the appliance configuration. |
31 March 2021 |
APPLICATION FRAMEWORK | IJ25911 | QRADAR APPS CAN FAIL TO INSTALL AFTER TOMCAT CLIENT CERTIFICATE(S) ARE RENEWED UNTIL SERVICE RESTARTS OCCUR | CLOSED |
Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Note: This issue was resolved for QRadar on Cloud administrators in 7.4.1 Fix Pack 2 QRoC Interim Fix 1, which is not available to on-premise users. Workaround If you are unable to upgrade, administrators can restart the Tomcat and Hostcontext services. Before you complete this procedure, administrators can alert their users that the user interface is unavailable and all users will be required to log back in when Tomcat is restarted. The user interface is unavailable until all required services are running as expected.
For more details on the effects of QRadar service restarts, see:
Issue QRadar Apps can fail to install after Tomcat client certificate(s) are renewed (e.g. tomcat-client-conman or tomcat-client-traefik) until the tomcat and hostcontext services have been successfully restarted. Messages similar to the following might be visible in journalctl -u conman when this issue is occurring: {host}.com conman-server[23711]: 2020/06/28 21:23:32 http: TLS handshake error from 127.0.0.1:47032: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid {host}.com conman-server[23711]: 2020/06/28 21:23:36 http: TLS handshake error from 127.0.0.1:47602: tls: failed to verify client's certificate: x509: certificate has expired or is not yet valid |
24 March 2021 |
UPGRADE | IJ30763 | QRADAR APPLICATION FRAMEWORK CAN FAIL AFTER PATCHING DUE TO INCORRECT HANDLING OF CASE SENSITIVITY OF HOSTNAMES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. More information is available for administrators in this technical note: Upgrades can fail for hosts that contain case sensitivity of hostnames (APAR IJ30763). Issue After performing the QRadar patching process, the QRadar Application Framework can fail due to incorrect handling of the case sensitivity of hostnames. When this occurs, QRadar apps fail to load. |
09 February 2021 |
SEARCH | IJ26117 | PERFORMING A FREE TEXT SEARCH IN THE LAST FEW SECONDS OF AN HOUR CAN RETURN PARTIAL RESULTS AND CAUSE INDEX CORRUPTION | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround Where possible, do not perform a free text Quick Filter search in the last 5-10 seconds of the hour. Issue Due to a timing issue (race condition), a free text Quick Filter search that is performed in the last 5-10 seconds of an hour can sometimes return only partial results and corrupt indexes. A message generated in the QRadar User Interface can be similar to: "Partial results may be returned due to incomplete payload indexes for the specified time range". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: /events/records/aux/1/2020/5/4/13/lucene lockFactory=org.apache.lucene.store.NativeFSLockFactory@87bbef33: org.apache.lucene.store.LockObtainFailedException: Lock held by this virtual machine: /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock [ariel.ariel_query_server] [odi_31] at org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingLockWrapper.java:102) [ariel.ariel_query_server] [odi_31] at org.apache.lucene.index.IndexWriter. |
12 April 2021 |
DASHBOARD | IJ24804 | 'AVAILABLE DASHBOARDS' AND 'SELECTED DASHBOARDS' TABLES CAN SOMETIMES BE BLANK WHEN ATTEMPTING TO SHARE DASHBOARDS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. Issue QRadar users are sometimes unable to share dashboards with other users. When navigating to Admin > User Roles, the two tables "available dashboards" and "selected dashboards" can be blank. |
12 April 2021 |
AMAZON AWS PROTOCOL | IJ28708 | ALL QRADAR EVENT COLLECTION CAN UNEXPECTEDLY STOP WHEN USING A LOG SOURCE WITH THE AMAZON AWS S3 REST API PROTOCOL | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue QRadar administrators can sometimes observe that no events are being received/processed by QRadar in instances where they have a Log Source in use configured with the Amazon AWS S3 REST API protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] java.lang.RuntimeException: Error attempting to load host.q1labs.lab:ecs-ec-ingress/EC_Ingress/Q1Labs_AmazonAWSREST Error : java.lang.NoClassDefFoundError: com.amazonaws.auth.AWSCredentialsProvider [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] Since there isn't a configuration error handler defined, the original error is wrapped in a new RuntimeException [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:317) [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at com.eventgnosis.sources.EventSourceListenerManager.doWork(EventSourceListenerManager.java:88) [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876) [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:854) |
12 April 2021 |
HIGH AVAILABILITY (HA) | IJ26435 | HIGH AVAILABILITY APPLIANCE JOIN CAN FAIL WHEN THE /STORE PARTITION ON THE SECONDARY APPLIANCE IS BUSY | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue When attempting to create a High Availability (HA) pair, the process can fail when the /store partition on the Secondary appliance is unexpectedly in a busy state and unable to be accessed. A message similar to the following might be visible in the logs when this issue occurs. In qradar_hasetup.log: [HA Setup (S-M----)] [ERROR] Failed to start repartitioning on the slave host In the ha_part_setup.log file: mkfs.xfs: cannot open /dev/mapper/storerhel-store: Device or resource busy |
12 April 2021 |
BACKUP AND RESTORE | IJ30677 | DISCREPANCIES IN ARCHIVE DB TABLES CAN CAUSE ISSUES WITH BACKUP AND RESTORE FUNCTION ON FRESH INSTALL VS PATCHED APPLIANCE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue Discrepancies in archive database tables can cause issues in the backup and restore function on fresh install versus patched QRadar appliances. Messages similar to the following might be visible in qradar logging when this issue occurs: ErrorStream pg_restore: pg_restore: [archiver (db)] could not execute query: ERROR: column "column name x" of relation "column name y" does not exist |
12 April 2021 |
PROTOCOLS | IJ28166 | LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR' | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number. If you have questions about this issue, ask in our Support Forums. Issue Some log sources that are configured to use the Windows Event Log RPC Protocol can go into "Error" state with an "Internal Error". These instances have been identified as being caused when the jNQ jar file is required for use by the Protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at jcifs.util.Encdec.dec_uint32le(Encdec.java:90) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepresentation.java:64) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901) [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245) |
23 September 2020 |
PROTOCOL | IJ31104 | LOG SOURCES CAN FAIL (IBMSIMJDBC, ORACLE, MCAFEE EPO) AFTER INSTALLATION OF PROTOCOL-JDBC-20201123202423.NOARCH.RPM | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue Some Log Sources (IBMSIMJDBC, Oracle, McAfee EPO) can stop working as expected after the Autoupdate installation of the following Protocol, due to an SQLException that occurs: PROTOCOL-JDBC-7.4-20201123202423.noarch.rpm If these types of Log Sources have stopped working, verify whether the Protocol version named above is installed: https://www.ibm.com/support/pages/qradar-using-yum-manually-install-reinstall-or-search-rpm-packages. |
06 March 2021 |
WINCOLLECT | IJ30911 | MICROSOFT EXCHANGE LOG SOURCES CONFIGURED TO USE WINCOLLECT MICROSOFT EXCHANGE PROTOCOL MISS MSGTRKMD(DATE)-*.LOG FILES | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue Microsoft Exchange Log Sources that are configured using the WinCollect Microsoft Exchange protocol fail to read MSGTRKMD(date)-*.log files (containing DELIVER logs), resulting in those logs not being processed by QRadar. This affects WinCollect v7.3.0 p1. |
10 March 2021 |
UPGRADE | IJ31253 | PATCHING A DETACHED QRADAR APP HOST CAN HANG AT 'APPLYING PRESQL SCRIPT' COMMAND DUE TO IMQ | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround Administrators who experience an issue where the App Host appliance appears to be hung on 'Running presql scripts' can locate the IMQ PID and force it to exit to complete the App Host appliance upgrade. A support technical note is also available for this issue. If you believe you are encountering this issue and would like assistance completing the workaround, contact support.
Issue Applying a patch on a detached QRadar App Host can sometimes hang while applying presql scripts. When the App Host is stuck upgrading, 'Applying presql script' is displayed in the command line without progressing and the upgrade cannot continue. Administrators can confirm that the App Host upgrade appears to be hung on 'Applying presql script' from output in the command line similar to: [INFO] (-i-patchmode) Runing presql scripts Applying presql script (57/57) |
12 April 2021 |
REPORTS | IJ31245 | REPORTS BASED ON AQL CAN RETURN INCORRECT RESULTS COMPARED TO RUNNING THE REPORT ON RAW DATA | OPEN | Workaround Run a daily report on raw data to provide the correct results. Issue Reports generate properly when run on raw data (values returned are the same as performing a search in log activity) but when the report is using AQL and run scheduled/manually (daily), the values do not represent 24 hours. For Example:
|
18 March 2021 |
PROTOCOLS | IJ30702 | UNKNOWN EVENT TYPE FOR LOG SOURCES USING SALESFORCE PROTOCOL CAN CAUSE 'UNABLE TO RETRIEVE SOME EVENT LOG FILE EVENTS' | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates. Issue QRadar can experience a Null Pointer Exception when some unknown events are processed by Log Sources using the Salesforce protocol. A message similar to the following can be observed in the User Interface when this issue occurs: "Unable to retrieve some event log file events." Also, messages similar to the following might be visible in /var/log/qradar.log: [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider5405] com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider: [WARN] [NOT:0000004000][ipaddress/- -] [-/- -]Null Pointer Exception while procesing Event Log File API result [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider5405] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider5405] at java.lang.String.compareTo(String.java:1405) [ecs-ec-ingress.ecs-ec-ingress] [Salesforce REST API Provider Protocol Provider Thread: class com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider5405] at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvider.java:464) |
26 February 2021 |
APPLICATION FRAMEWORK | IJ28791 | DSM EXPORT FUNCTION FAILS WHEN AUTHOR FIELD IS LEFT BLANK | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) Note: This issue was also resolved in an interim fix for QRadar on Cloud appliances. Workaround Use the qappmanager utility to transition the affected app back into RUNNING state. Issue QRadar Apps can sometimes go into ERROR state after a tomcat service restart. This can occur when the App Framework API is called before the REST API is running successfully. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-2] com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] An error occurred while attempting to update app status for app instance with id [qapp-1155] to [RUNNING] [tomcat.tomcat] [pool-1-thread-2] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An exception occurred while waiting for task to complete. [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:41) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:22) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.pollForCompletion(StartAppAsyncTask.java:202) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.startAppInstance(StartAppAsyncTask.java:152) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.uiframeworks.application.api.service.status.tasks.StartAppAsyncTask.runTask(StartAppAsyncTask.java:109) [tomcat.tomcat] [pool-1-thread-2] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-2] at java.lang.Thread.run(Thread.java:818) [tomcat.tomcat] [pool-1-thread-2] Caused by: [tomcat.tomcat] [pool-1-thread-2] java.util.concurrent.ExecutionException: com.q1labs.configservices.task.TaskTimeoutException: Task did not complete within timeout of [300] seconds [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.FutureTask.report(FutureTask.java:133) [tomcat.tomcat] [pool-1-thread-2] at java.util.concurrent.FutureTask.get(FutureTask.java:203) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.SimpleTaskPoller.getTaskResponse(SimpleTaskPoller.java:45) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:37) [tomcat.tomcat] [pool-1-thread-2] ... 10 more [tomcat.tomcat] [pool-1-thread-2] Caused by: [tomcat.tomcat] [pool-1-thread-2] com.q1labs.configservices.task.TaskTimeoutException: Task did not complete within timeout of [300] seconds [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.TaskResponsePollerThread.call(TaskResponsePollerThread.java:92) [tomcat.tomcat] [pool-1-thread-2] at com.q1labs.configservices.task.TaskResponsePollerThread.call(TaskResponsePollerThread.java:16) [tomcat.tomcat] [pool-1-thread-2] ... 4 more |
24 May 2021 |
QRADAR VULNERABILITY MANAGER | IJ28786 | RESULTS DISPLAYED ON 'SCAN RESULTS' SCREEN DO NOT ACCOUNT FOR 'PURGE SCAN RESULTS AFTER PERIOD (IN EXECUTION CYCLES)' SETTING | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue The results displayed on the Scan Results screen do not take into account the value of "Purge Scan Results After Period (In Execution Cycles)". Results of scans that were run before the value of "Purge Scan Results After Period (In Days)" are not displayed. |
29 January 2021 |
LOG ACTIVITY / SEARCH | IJ29703 | REAL TIME EVENT STREAMING CAN SOMETIMES FAIL TO DISPLAY WHILE EVENTS ARE STILL BEING RECEIVED BY QRADAR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue In some instances, real time streaming can fail to display while events are still being received by QRadar. This can be caused when custom properties exceed the default allocated spillover cache size configured for CustomPropertyCache.spillover.threshold and the cache begins spilling to disk. Events can still be viewed in QRadar while this is occurring, but other behavior can be observed indicating that this issue is being experienced:
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [localhost-startStop-1] com.q1labs.cve.accumulation.definition.GlobalViewConfiguration: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error reading custom properities. [tomcat.tomcat] [localhost-startStop-1] com.q1labs.frameworks.cache.SpilloverCacheException: Error reading object from buffer [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:49) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:83) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.chainentry.InsertionChainEntry.deserialize(InsertionChainEntry.java:69) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.chainentry.ChainEntry.read(ChainEntry.java:60) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1362) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1213) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache.needsDiskUpdate(ChainAppendCache.java:407) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainAppendCache.java:55) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache$ChainAppendCacheMemoryMap.removeEldestEntry(ChainAppendCache.java:298) [tomcat.tomcat] [localhost-startStop-1] at java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java:310) [tomcat.tomcat] [localhost-startStop-1] at java.util.HashMap.putVal(HashMap.java:675) [tomcat.tomcat] [localhost-startStop-1] at java.util.HashMap.put(HashMap.java:623) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCache.java:1128) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.core.shared.ariel.CustomPropertyServices.constructAndCacheProperty(CustomPropertyServices.java:410) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomProperty(CustomPropertyServices.java:539) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPropertyNoCache(CustomPropertyServices.java:77) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.testCustomEventProperties(GlobalViewConfiguration.java:559) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.read(GlobalViewConfiguration.java:513) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.load(GlobalViewConfiguration.java:593) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.load(GlobalViewConfiguration.java:210) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewsManager.{init}(GlobalViewsManager.java:102) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.cve.accumulation.definition.GlobalViewsManager.getInstance(GlobalViewsManager.java:141) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.reporting.ReportServices.loadTemplates(ReportServices.java:683) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.reporting.ReportServices.onInit(ReportServices.java:279) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1369) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.reports.ui.ReportsApplication.{init}(ReportsApplication.java:47) [tomcat.tomcat] [localhost-startStop-1] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(NativeMethod) [tomcat.tomcat] [localhost-startStop-1] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:83) [tomcat.tomcat] [localhost-startStop-1] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57) [tomcat.tomcat] [localhost-startStop-1] at java.lang.reflect.Constructor.newInstance(Constructor.java:437) [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.uiframeworks.listener.FrameworksLifeCycle.contextInitialized(FrameworksLifeCycle.java:364) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1125) [tomcat.tomcat] [localhost-startStop-1] at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1858) [tomcat.tomcat] [localhost-startStop-1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [localhost-startStop-1] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [localhost-startStop-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [localhost-startStop-1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [localhost-startStop-1] at java.lang.Thread.run(Thread.java:822) [tomcat.tomcat] [localhost-startStop-1] Caused by: [tomcat.tomcat] [localhost-startStop-1] java.io.IOException: Not enough buffer to read object from. [tomcat.tomcat] [localhost-startStop-1] at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:37) [tomcat.tomcat] [localhost-startStop-1] ... 46 more |
29 January 2021 |
UPGRADE | IJ29511 | QRADAR PATCHING PROCESS FAILS WHEN A DUPLICATE IP '0.0.0.0' EXISTS IN THE ATTACKER DATABASE TABLE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) Workaround If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances. Issue Patching to QRadar 7.4.x fails when there is a duplicate IP "0.0.0.0" in the attacker database table, because the patch process is unable to create a proper index due to the duplicated attacker address. |
29 January 2021 |
FORWARDED EVENTS | IJ29516 | ONLINE FORWARDER CAN STOP SENDING EVENTS DUE TO A NULLPOINTEREXCEPTION WHEN SENDING TOO MANY EVENTS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround
|
29 January 2021 |
QFLOW | IJ29315 | QFLOW SERVICE CAN STOP PROCESSING FLOWS AND SWAP MEMORY USAGE CONTINUALLY GROWS UNTIL THE SERVICE IS RESTARTED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround A technical note with a support utility is available for this issue to assist administrators. For more information about the SwapMonitor utility for APAR IJ29315, see: https://www.ibm.com/support/pages/node/6370705. Issue The QRadar qflow process can stop receiving and processing flows from some flow sources, causing the received packet count to drop and the qflow swap memory to grow continually until the qflow service is restarted. Memory fixes were implemented to address this behavior within QRadar QRM QVM release 7.4.1 Fix Pack 1, but the behavior can still occur until an upgrade to QRadar 7.4.2 Fix Pack 2 is completed. |
29 January 2021 |
SERVICES | IJ28752 | THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGOUTOFBOUNDSEXCEPTION OCCURRING | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround Perform a restart of the ecs-ec-ingress service.
Issue In some instances, the QRadar pipeline can stop receiving all events when a StringIndexOutOfBoundsException occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] java.lang.StringIndexOutOfBoundsException: String index out of range: 43 [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at java.lang.String.substring(String.java:2682) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331) [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412) |
29 January 2021 |
RULES / AQL | IJ28798 | 'THERE WAS A PROBLEM PARSING THE AQL QUERY. INVALID ESCAPE SEQUENCES DETECTED' WHEN " \ " IS USED IN AQL RULE FILTER | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) Workaround Use an underscore character in place of the backslash character. In ILIKE, the underscore is a single-character wildcard, so it matches the backslash without needing an escape sequence. For example, a filter on the path C:\Program Files becomes: "Process Commandline" ILIKE '%C:_Program Files%' Issue When editing or creating a rule whose AQL rule filter references a file path or filename that contains a backslash character " \ ", a parsing error similar to the following can be displayed: There was a problem parsing the AQL query. Invalid escape sequences detected. For example:
|
29 January 2021 |
RULE RESPONSE | IJ25315 | EMAILS FROM RULE RESPONSES CAN FAIL AND NOT BE SENT PROPERLY | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround As a temporary workaround, you can change the smtp_host_lookup value from "dns" to "dns,native" in the /etc/postfix/main.cf file by running the following command from the CLI on the host(s) where the email server is configured: sed -i "s/smtp_host_lookup = dns/smtp_host_lookup = dns,native/g" /etc/postfix/main.cf You also need to change the script /opt/ibm/si/si-postfix/bin/configure-postfix.sh so that the postfix service does not reset the configuration, by running this command: sed -i "s/'tls|sasl|smtp' |/'tls|sasl|smtp' | grep -v smtp_host_lookup |/g" /opt/ibm/si/si-postfix/bin/configure-postfix.sh Issue Due to the SMTP changes in QRadar 7.4.0, where the relay host is changed to localhost, the SMTP lookup configuration is overwritten, causing emails not to be sent properly. This can prevent emails from features such as rule responses from being sent. To identify the issue, use grep to check whether the error is present in the mail log: grep -A1 "relayhost configuration problem" /var/log/maillog The following errors can be seen in the /var/log/maillog file when this issue occurs: May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem May 29 10:17:37 postfix/smtp[1448]: 31145B59: to= |
29 January 2021 |
SERVICES | IJ22145 | NEWLY CREATED QRADAR OUT OF MEMORY JAVA HEAP DUMPS DO NOT OVERWRITE PREVIOUSLY EXISTING ONES IN /STORE/JHEAP | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue Newly created QRadar "out of memory" Java heap dumps do not overwrite older existing heap dumps found in /store/jheap. This issue can cause an accumulation of unneeded files that consume file space in /store/jheap on QRadar appliances. |
29 January 2021 |
APPLICATIONS / USER INTERFACE | IJ28638 | SOME QRADAR APPS CAN DISPLAY AS A PAGE WITH RANDOM TEXT WHEN A HOSTNAME BEGINS WITH 'CONSOLE' | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue Attempting to load some QRadar Apps within the User Interface can instead result in a page of random text being displayed. This has been identified as being caused by an error within the QRadar app framework when a hostname in the deployment begins with 'console'. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] com.q1labs.uiframeworks.application.servlet.ContainerServlet: [ERROR] Unable to generate xConsoleHostHeader [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] java.lang.StringIndexOutOfBoundsException: String index out of range: 8 [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] at java.lang.String.substring(String.java:2682) [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] at com.q1labs.uiframeworks.application.servlet.ContainerServlet.createConnection(ContainerServlet.java:382) [tomcat.tomcat] (474) /console/plugins/1301/app_proxy/] at com.q1labs.uiframeworks.application.servlet.ContainerServlet.service(ContainerServlet.java:129) |
29 January 2021 |
APPLICATIONS / HIGH AVAILABILITY | IJ21232 | QRADAR APPS CAN FAIL TO LOAD AFTER A HIGH AVAILABILITY (HA) FAILOVER DUE TO SHARED SERVICE (VAULT) NOT WORKING AS EXPECTED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. Issue It has been identified that QRadar-defined users can have a different uid (user ID) and gid (group ID) for the same username on different systems, resulting in the shared services (vault) in High Availability (HA) deployments failing to start after an HA failover occurs. |
29 January 2021 |
DOMAIN MANAGEMENT | IJ28496 | ATTACKER DATA FROM ANOTHER DOMAIN CAN BE VIEWED BY USERS NOT AUTHORIZED FOR THAT DOMAIN | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Users who are assigned rights to a specific domain can see attacker information from a domain they have not been assigned to in multi-domain QRadar environments. For example, when viewing the top source dashboard targets, attacker data from a different domain can be observed. |
29 January 2021 |
QRADAR VULNERABILITY MANAGER | IJ28480 | VULNERABILITY DETAILS SCREEN DISPLAYS ASSETS ON WHICH THE VULNERABILITY HAS BEEN REMEDIATED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue When a vulnerability is selected to view the details, the Vulnerability Details screen displays assets on which the vulnerability has been remediated. For example:
|
29 January 2021 |
QRADAR VULNERABILITY MANAGER | IJ28757 | ASSET VULNERABILITY ASSIGNMENTS CAN FAIL TO WORK AS EXPECTED DUE TO AN INCORRECT JAR REFERENCE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround The classpath in the script needs to reference an updated version of the icu4j jar file.
Issue Asset vulnerability assignment updates can fail to work as expected when an incorrect jar file is used within QRadar (icu4j-58.2.jar instead of icu4j-65.1.jar). The crontab entry on the QRadar Console that runs the script /opt/qvm/assetupdates/run-qvm-assetupdates.sh fails with a "class not found" error, but the error is only visible when the command is run from the command line. For example: # /opt/qvm/assetupdates/run-qvm-assetupdates.sh The following error is displayed: 09:07:19,962 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing resource loggers: [Lcom.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;@41bb258b 09:07:19,968 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks instance name: 09:07:19,968 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/ 09:07:19,968 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks booting - logging, loader complete 09:07:19,969 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Loading frameworks.properties 09:07:20,244 INFO [NamedThreadFactory] [NOT:0000006000][127.0.0.1/- -] [-/- -]Thread factory created: Spillover Cache Vacuum 09:07:20,256 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml 09:07:20,256 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing jpa 09:07:21,003 INFO [FrameworksContext] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing naming 09:07:21,005 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]Naming initializing, failFast disabled: false 09:07:21,441 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIByVulnerability.NAME MUST be public, static and not final for naming to help with setting of NAME 09:07:21,446 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.assetprofile.service.ui.UIVulnerabilityService.NAME MUST be public, static and not final for naming to help with setting of NAME 09:07:22,072 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.api.impl.health.HealthMetricAPIImpl.NAME MUST be public, static and not final for naming to help with setting of NAME 09:07:22,099 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.ApplicationUserRoleMapping.ApplicationUserRoleMapping.NAME MUST be public, static and not final for naming to help with setting of NAME 09:07:22,100 INFO [FrameworksNaming] [NOT:0000006000][127.0.0.1/- -] [-/- -]com.q1labs.core.dao.application.AugmentedSecurityProfile.NAME MUST be public, static and not final for naming to help with setting of NAME 09:07:22,495 ERROR [ThreadExceptionHandler] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: main org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'qradarFrameworksContextService' defined in class path resource [appContext.xml]: Invocation of init method failed; nested exception is java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1745) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:576) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498) at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320) at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$7.0000000014E93B30.getObject(Unknown Source) at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846) at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863) at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546) at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:144) at org.springframework.context.support.ClassPathXmlApplicationContext.{init}(ClassPathXmlApplicationContext.java:85) at com.q1labs.qvm.assetupdates.Bootstrapper.initialize(Bootstrapper.java:42) at com.q1labs.qvm.assetupdates.Bootstrapper.main(Bootstrapper.java:106) Caused by: java.lang.NoClassDefFoundError: com.ibm.icu.text.DateFormat at java.lang.J9VMInternals.prepareClassImpl(Native Method) at java.lang.J9VMInternals.prepare(J9VMInternals.java:304) at java.lang.Class.getField(Class.java:1079) at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:399) at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323) at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171) at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270) at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171) at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105) at com.q1labs.frameworks.naming.FrameworksNaming.{init}(FrameworksNaming.java:86) at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620) at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257) at com.q1labs.qvm.assetupdates.frameworks.FrameworksContextServiceImpl.retrieveFrameworkContext(FrameworksContextServiceImpl.java:31) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) at java.lang.reflect.Method.invoke(Method.java:508) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1870) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1813) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1741) ... 14 more Caused by: java.lang.ClassNotFoundException: com.ibm.icu.text.DateFormat at java.net.URLClassLoader.findClass(URLClassLoader.java:610) at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943) at java.lang.ClassLoader.loadClass(ClassLoader.java:888) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349) at java.lang.ClassLoader.loadClass(ClassLoader.java:871) ... 34 more |
29 January 2021 |
APPLICATION FRAMEWORK | IJ28835 | QRADAR APPS CAN DISPLAY A BLANK PAGE AFTER A SPECIFIC QRADAR ENVIRONMENT PATCHING PATH HAS BEEN FOLLOWED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) Workaround Complete a restart of the ecs-ec-ingress service. Issue QRadar Apps can display a blank page when using QRadar 7.4.x that has been patched from 7.3.0 (or 7.3.1) to 7.4.0 and then patched to 7.4.1 or later. This issue can be caused by database table components of the "authorization manager" being left behind from version 7.3 during the patching processes.
|
21 May 2021 |
APPLICATIONS / DEPLOY CHANGES | IJ28820 | DEPLOY FUNCTION CAN BE SLOW TO COMPLETE AND APPS CAN FAIL TO LOAD AFTER IPTABLES RESTART ON A CONSOLE UNDER HEAVY LOAD | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue Docker rules can fail to be restored after a restart of iptables on a Console appliance under heavy load (high event processing, high CPU usage, ariel searches, system activity, etc.). When this occurs, multiple issues within QRadar can be experienced. For example:
hostname systemd[1]: Stopping IPv4 firewall with iptables... hostname preserve-docker-iptables-rules.sh[10574]: iptables: Setting chains to policy ACCEPT: filter nat [ OK ] hostname preserve-docker-iptables-rules.sh[10574]: iptables: Flushing firewall rules: [ OK ] hostname preserve-docker-iptables-rules.sh[10574]: iptables: Unloading modules: ip_tables[FAILED] hostname systemd[1]: iptables.service: control process exited, code=exited status=1 hostname systemd[1]: Stopped IPv4 firewall with iptables. hostname systemd[1]: Unit iptables.service entered failed state. hostname systemd[1]: iptables.service failed. hostname systemd[1]: Starting IPv4 firewall with iptables... hostname iptables.init[11422]: iptables: Applying firewall rules: [ OK ] hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:11 AST 2020 [configure_docker_firewall] Docker and iptables are running: will attempt to restore docker iptables hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:11 AST 2020 [configure_docker_firewall] Running 'bash -x /etc/docker/.docker_iptables_rules' hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:17 AST 2020 [configure_docker_firewall] Cleaning up stored docker iptables rules hostname configure-docker-firewall.sh[12072]: Tue Feb 18 22:18:17 AST 2020 [configure_docker_firewall] Running 'rm -f /etc/docker/.docker_iptables_rules' hostname systemd[1]: Started IPv4 firewall with iptables. hostname systemd[1]: Stopping IPv4 firewall with iptables... hostname preserve-docker-iptables-rules.sh[12930]: iptables: Setting chains to policy ACCEPT: nat filter [ OK ] hostname preserve-docker-iptables-rules.sh[12930]: iptables: Flushing firewall rules: [ OK ] hostname preserve-docker-iptables-rules.sh[12930]: iptables: Unloading modules: iptable_nat iptable_nat ip_tables[FAILED] hostname systemd[1]: iptables.service: control process exited, code=exited status=3 |
29 January 2021 |
DSM EDITOR | IJ25729 | EVENTS CONTAINING A CLOSED BRACKET " } " IN THE VALUE FIELD OF A JSON ARE NOT PARSED CORRECTLY BY THE DSM EDITOR | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue Events containing a single '}' in a value field of the JSON are not parsed correctly by the DSM Editor. In the DSM Editor, the preview (highlight) works as expected, but the actual value does not extract when this issue occurs. For example: Event 1: Having a closing bracket in the value field - ANDROID}. Mar 04 09:10:10 Event 2: Not having the closing bracket in the value field, parses properly. Mar 04 09:10:10 |
29 January 2021 |
MSRPC PROTOCOL | IJ29923 | THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS | OPEN | Workaround A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106 Issue Administrators with the latest version of the MSRPC protocol from the December 9th, 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability on the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue. The following RPM versions are affected by this issue:
|
29 January 2021 |
OFFICE 365 PROTOCOL | IJ28711 | UNABLE TO CAPTURE LOGS FROM AN OFFICE 365 TENANT THAT IS NOT A .COM | CLOSED | Resolved in The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, contact support for a possible workaround that might address this issue in some instances, or if you experience issues with your weekly auto update. Issue Attempting to capture logs from an Office 365 tenant can fail to receive any logs when the tenant does not end in ".com". The testing feature on the Log Source can successfully connect and authenticate to the API in these instances, but QRadar fails to receive the expected logs and stays in the state where it displays "Connected. Waiting for logs". |
03 February 2021 |
OFFICE 365 PROTOCOL | IJ28829 | 'WARNING: EXPECTED ROLE [ROLE] WAS NOT IN THE OBTAINED ACCESS TOKEN' MESSAGE DURING OFFICE 365 LOG SOURCE PROTOCOL TESTS | CLOSED | Resolved in The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, contact support for a possible workaround that might address this issue in some instances, or if you experience issues with your weekly auto update. Issue A warning similar to the following can be observed when testing protocol parameters in Log Source Management for an Office 365 Log Source. This is due to the roles ThreatIntelligence.Read and ActivityReports.Read being deprecated. Administrators who test their configuration might see the following messages: Testing ClientID [ID] :: TenantID [ID] Successfully obtained Azure AD Access Token with supplied credentials Access Token Roles: [ActivityFeed.ReadDlp, ServiceHealth.Read, ActivityFeed.Read] Warning: Expected role [ThreatIntelligence.Read] was not in the obtained Access Token - this may cause issues with data collection Warning: Expected role [ActivityReports.Read] was not in the obtained Access Token - this may cause issues with data collection Access Token contained expected role [ActivityFeed.ReadDlp] Access Token contained expected role [ServiceHealth.Read] Access Token contained expected role [ActivityFeed.Read] |
03 February 2021 |
JDBC PROTOCOL | IJ26314 | LOG SOURCE MANAGEMENT APP JDBC TESTS CAN FAIL WITH 'LOGIN FAILED FOR USER {USERNAME}' ON LOG SOURCES USING DOMAIN AUTHENTICATION | CLOSED | Resolved in The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, contact support for a possible workaround that might address this issue in some instances, or if you experience issues with your weekly auto update. Issue When Domain Authentication is used for a JDBC log source configuration, the log source can be in the Success state and working as expected, but the Log Source Management App tests for those log sources can fail with a message similar to the following: "Login failed for user '{username}'" |
03 February 2021 |
JDBC PROTOCOL | IJ29049 | LOG SOURCES CONFIGURED TO USE JDBC CAN FAIL TO COLLECT LOGS AFTER AN ECS-EC-INGRESS SERVICE RESTART HAS OCCURRED | CLOSED | Resolved in The following RPMs were delivered during the 2 February 2021 (Build 1612292229) weekly auto update:
Administrators can verify that the latest RPM is installed for their QRadar version. If you continue to experience issues, contact support for a possible workaround that might address this issue in some instances, or if you experience issues with your weekly auto update. Issue JDBC Log Sources can fail to collect events after an ecs-ec-ingress service restart has occurred. In these instances, the Log Sources continue to display the "Success" state with a last status update dated days or weeks before the ecs-ec-ingress restart. |
03 February 2021 |
OFFENSES | IJ15472 | EVENT COUNT NUMBERS DOESN'T MATCH IN THE OFFENSE DETAILS SCREEN ON CLICKING THE EVENT/FLOW COUNT | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) Workaround No workaround available. APARs identified with no workaround require administrators to upgrade their software version to resolve this issue. Issue It has been identified that the Event count in the Offense details screen does not match the event count displayed when clicking the event/flow count. For rules that use the condition "when at least this many events are seen with the same event properties in this many minutes", the Event/Flow count in an Offense does not match the Ariel search list of Events/Flows. |
29 January 2021 |
SEARCH / LOG ACTIVITY | IJ25367 | UNABLE TO DELETE AN EMPTY LOG SOURCE GROUP DUE TO DEPENDENCY CHECK FAIL | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Attempting to delete an empty Log Source Group can fail with an error similar to "Error while getting Saved Search dependents for this Log Source Group: {xxxxxx}". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-4] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 103540 [tomcat.tomcat] [pool-1-thread-4] java.lang.ArrayIndexOutOfBoundsException [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1396) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1290) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSearchForm.java:1171) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1099) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1094) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaParser.java:177) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:833) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:746) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:740) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:731) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122) [tomcat.tomcat] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812) [tomcat.tomcat] [pool-1-thread-4] com.q1labs.core.shared.datadeletion.task.FindDependentsTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error trying to find Dependents for id: [103540], and type: LOG_SOURCE_GROUP [tomcat.tomcat] [pool-1-thread-4] java.lang.ArrayIndexOutOfBoundsException [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1396) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1290) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.requiresPayload(ArielSearchForm.java:1171) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1099) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.getMappingFactory(ArielSearchForm.java:1094) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaParser.processPredicates(CriteriaParser.java:177) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:833) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:746) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:740) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:731) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java:131) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122) [tomcat.tomcat] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812) |
23 February 2022 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 7 IF1 (7.3.3.20210120163940) Affected versions
CVE-2020-4888: IBM QRadar SIEM could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 6.3 |
28 January 2021 | |
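The bulletin above describes insecure Java deserialization in QRadar. The following is an added illustration of the same defect class and its standard mitigation; it is not QRadar or IBM code, and it is written in Python because pickle is the closest standard-library analogue to Java's ObjectInputStream (the Java equivalent of the allowlisting loader is an ObjectInputFilter). The Gadget class, the Record class and both payloads are constructed for the demonstration, and the gadget only records that it ran rather than executing a command.

```python
import io
import pickle

# Side effect recorded by the gadget so the demo stays harmless; a real
# gadget chain would reach os.system, subprocess.Popen or similar.
GADGET_RAN = []


def gadget_hit(tag):
    GADGET_RAN.append(tag)
    return tag


class Gadget:
    """Attacker-controlled type: __reduce__ tells the *loader* what to call."""
    def __reduce__(self):
        return (gadget_hit, ("attacker-code-executed",))


class Record:
    """The only type the application legitimately expects to receive."""
    def __init__(self, name, value):
        self.name = name
        self.value = value


# Allowlist of (module, name) pairs the loader may reconstruct. Using
# __name__ keeps the example correct whether it runs as a script or module.
ALLOWED_GLOBALS = {(__name__, "Record")}


def build_malicious_payload() -> bytes:
    # Constructed attacker input: the bytes embed a call to gadget_hit().
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    return pickle.dumps(Record("cpu", 42))


def unsafe_load(data: bytes):
    """Vulnerable pattern: deserialise whatever the client sent."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Look-ahead check: refuse any class not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders over both payloads and report what happened."""
    GADGET_RAN.clear()
    results = {"unsafe_malicious": unsafe_load(build_malicious_payload()),
               "gadget_ran_count": len(GADGET_RAN)}
    GADGET_RAN.clear()
    try:
        safe_load(build_malicious_payload())
        results["safe_malicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["safe_malicious"] = f"rejected: {exc}"
    results["gadget_ran_after_safe"] = len(GADGET_RAN)
    rec = safe_load(build_benign_payload())
    results["safe_benign"] = (rec.name, rec.value)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the bulletin makes is visible in demo(): the unrestricted loader executes the embedded call before the application ever inspects the object, while the allowlisting loader rejects the payload at the class-resolution step, so the gadget never runs.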
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
|
26 January 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
|
26 January 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
|
26 January 2021 | |
SECURITY BULLETIN | APACHE ANT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INSECURE TEMPORARY FILES | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
CVE-2020-11979: Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. CVSS Base score: 6.5 |
26 January 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY FILE READ | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
CVE-2020-4789: IBM QRadar could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 6.5 |
26 January 2021 | |
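The bulletin above is a classic "dot dot" traversal. As an added example (not QRadar code), the block below shows the defect in miniature next to a check that decodes, canonicalises and then confirms the result is still under the served directory. The base directory and request paths are constructed for the demonstration; the check handles POSIX separators only.

```python
import posixpath
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The defect in miniature: decode, concatenate and let the OS resolve '..'.
    Returns the path the kernel would actually open."""
    return posixpath.normpath(base_dir + "/" + unquote(requested))


def safe_resolve(base_dir: str, requested: str):
    """Canonicalise a client-supplied relative path and confirm it is still
    inside base_dir. Returns the canonical path, or None to reject.
    A Windows host would additionally need to treat '\\' as a separator."""
    decoded = unquote(unquote(requested))   # second pass catches %252e%252e
    if "\x00" in decoded:                    # NUL-truncation tricks
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Prefix test on the canonical form, with the trailing separator so that
    # /opt/app/static2 is not mistaken for a child of /opt/app/static.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["css/main.css", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(req, "->", vulnerable_resolve("/opt/app/static", req),
              "| safe:", safe_resolve("/opt/app/static", req))
```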
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
CVE-2020-4787: IBM QRadar is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 4.2 |
26 January 2021 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF) | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
CVE-2020-4786: IBM QRadar Network Security is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 5.4 |
26 January 2021 | |
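Both SSRF bulletins above describe the same failure: a server-side fetch whose destination is influenced by an authenticated user. The following added example (not QRadar code) is the control a practitioner would put in front of such a fetch: a scheme, port and host allowlist, rejection of userinfo tricks such as https://trusted@127.0.0.1/, and an optional resolver hook so an allowlisted name that currently resolves to an internal or metadata address is also refused. The allowlist values are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy for the example: the only destinations this service may call.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"updates.example.com", "feeds.example.com"}
ALLOWED_PORTS = {443}


def is_internal_address(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (including 169.254.169.254
    cloud metadata), unspecified, multicast and reserved ranges, v4 and v6."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False          # not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=None):
    """Return (allowed, reason). resolver(host) -> list of IP strings is
    optional; supplying it lets the caller check what the allowlisted name
    resolves to right now, which catches DNS rebinding or a hijacked record."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (host confusion)"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if resolver is not None:
        for addr in resolver(host):
            if is_internal_address(addr):
                return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://updates.example.com/feed.xml",
              "https://169.254.169.254/latest/meta-data/",
              "https://updates.example.com@127.0.0.1/"]:
        print(u, validate_outbound_url(u))
```

The allowlist is the primary control; the resolver check is defence in depth for the case where the name itself is trusted but its answer is not.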
SECURITY BULLETIN | SPRING FRAMEWORK AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION | CLOSED | Resolved in QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Affected versions
CVE-2020-5421: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. CVSS Base score: 5.3 |
26 January 2021 | |
SERVICES | IJ30161 | A QRADAR "DEPLOY CHANGES" PERFORMED ON DECEMBER 31 2020 CAN CAUSE QRADAR FUNCTIONALITY ISSUES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.2 Fix Pack 1 (7.4.2.20210105144619) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround For more detailed information, please see the following Flash Notification: https://ibm.biz/BdfDdV An issue report and FAQ is available for IJ30161 from QRadar Support. For more information, see: https://www.ibm.com/support/pages/node/6398674 Issue Performing a "Deploy Changes" function on December 31 2020 can cause a QRadar deployment to stop functioning as expected. This issue is related to the function that validates a license key. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
Note: This affects a manual "Deploy Changes" as well as any deploy performed automatically (example: Auto Update). |
11 January 2021 |
RULES | IJ29115 | PERFORMING AN EXTENSION MANAGEMENT UNINSTALL CAN SOMETIMES CORRUPT RULES WITHIN QRADAR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround Upgrade to a QRadar version that resolves this issue, or contact QRadar Support for a possible workaround that might address this issue in some instances. Issue Performing an Uninstall with the Extension Manager can corrupt rules if QRadar's change-tracker has incorrectly recorded the "new_value" field in content_field_info within the QRadar database. When this occurs, attempting to modify a rule response or to edit or delete a rule can generate an error pop-up similar to: A server exception occurred: PersistenceException: ERROR: could not parse XML document Detail: line 1: Start tag expected, '<' not found and messages in /var/log/qradar.log similar to: [tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document Detail: line 1: Start tag expected, '<' not found |
16 November 2020 |
FORWARDING DESTINATIONS | IJ27364 | THE OPTION TO USE IPV6 SOURCE AND DESTINATION FROM AN EVENT WHEN CONFIGURING JSON FORWARDING DESTINATION IS NOT AVAILABLE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround A custom property can be added to parse the IPv6 address from events and then be used in the JSON format. For more information, see: How to create custom properties in QRadar. Issue When configuring a Forwarding Destination to forward data to another system over IPv6, the IPv6 source or destination address from an event is not an available option to select when the JSON format is used. |
02 September 2020 |
FLOW FORWARDING | IJ26689 | FORWARDING NORMALIZED FLOWS THAT ARE ASSOCIATED TO A DOMAIN FAILS WITH A BUFFERUNDERFLOWEXCEPTION WRITTEN TO QRADAR LOGGING | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround Potential workaround for this issue. Note: This will impact all event and flow forwarding of normalized data, setting it to the default domain.
|
31 July 2020 |
RULE RESPONSE | IJ28818 | ARIEL DATA FILE CORRUPTION CAN OCCUR CAUSING "I/O ERROR" DURING SEARCHES WHEN EMAIL RESPONSE TO A SPECIFIC RULE IS CONFIGURED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround Where possible, do not use the email response option on the rule "log source stopped sending events". Issue Ariel data corruption can occur when the rule "log source stopped sending events" is used with a large number of Custom Event Properties (CEP) and/or log sources in a log source group and an email response is configured. When this corruption has occurred, Ariel searches can generate an "I/O error" in the QRadar User Interface if the corrupted files are accessed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
java.lang.IndexOutOfBoundsException
at java.nio.Buffer.checkBounds(Buffer.java:578)
at java.nio.ByteBuffer.get(ByteBuffer.java:686)
at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:285)
at com.q1labs.core.types.BitMask.getBitMask(BitMask.java:107)
at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:61)
at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:31)
at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
at com.q1labs.ariel.FileReader.read(FileReader.java:184)
at com.q1labs.ariel.RecordDumper.dumpRecords(RecordDumper.java:66)
at com.q1labs.cve.utils.CommandLineClient.doDump(CommandLineClient.java:153)
at com.q1labs.cve.utils.CommandLineClient.run(CommandLineClient.java:188)
at com.q1labs.cve.utils.CommandLineClient.main(CommandLineClient.java:173)
------- or --------
java.lang.IllegalStateException: Potential mapping error. Array size: -1792 Max is 32767
at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:86)
at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:80)
at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomRuleResultMap(NetworkEventMappingUtils.java:238)
at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.readCustomRules(NormalizedEventMappingV2.java:715)
at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:147)
at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:35)
at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
at com.q1labs.ariel.FileReader.read(FileReader.java:184)
at com.q1labs.ariel.searches.service.ids.ArielFile$Crawler.nextRecord(ArielFile.java:31)
at com.q1labs.ariel.searches.service.ids.ArielFile.next(ArielFile.java:206)
at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:39)
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:818)
------- or --------
[ecs-ep.ecs-ep] Ariel Writer#events com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][ IP_ADDRESS/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events
[ecs-ep.ecs-ep] Ariel Writer#events java.lang.NullPointerException
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.CustomPropertyRecord.toByteBuffer(CustomPropertyRecord.java:188)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java:326)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java:701)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java:541)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java:68)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:281)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:35)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java:47)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:62)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java:131)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30 |
10 November 2020 |
PROTOCOLS | IJ29518 | SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS | OPEN | Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvider: [ERROR] [NOT:0000003000][10.42.165.13/- -] [-/- -]TailingException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043) |
02 December 2020 |
PROTOCOLS | IJ29923 | THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS | OPEN | Workaround A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC protocol version. For more information, see: https://www.ibm.com/support/pages/node/6382106. Issue Administrators who received the latest version of the MSRPC protocol from the 9 December 2020 weekly auto update can experience increased CPU utilization by the EventLog service (running under svchost.exe) on their Windows servers. Over time, this issue can lead to instability on the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue. The following RPM versions are affected by this issue:
|
14 December 2020 |
UPGRADE | IJ28593 | QRADAR PATCHING PROCESS CAN BE SLOWER THAN EXPECTED WHEN MILLIONS OF RECORDS EXIST IN DATABASE TARGET TABLES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Contact support for a possible workaround that might address this issue in some instances. Issue The QRadar patching process can run slower than expected in instances where there are millions of records in the database target tables. To identify whether the patching process is affected, review the patches.log file for database clean-up ID messages. If /var/log/setup-#####/patches.log displays Removing ID messages for target database tables at a rate of less than 50 lines per second, this can indicate that you need to contact support. For example: Removing id = XXXXX from public.target table. |
08 December 2020 |
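The APAR above gives a concrete threshold (fewer than 50 "Removing id" lines per second) but no way to measure it. The following is an added example, not an IBM tool, that buckets those lines per wall-clock second and flags any second below the threshold. It assumes each patches.log line starts with a "YYYY-MM-DD HH:MM:SS" stamp, optionally followed by milliseconds; if the prefix on your appliance differs, only LINE_RE needs changing. The sample log content is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# ASSUMPTION: each patches.log line begins with "YYYY-MM-DD HH:MM:SS" (and
# possibly ",millis"). Adjust LINE_RE for the real prefix. The
# "Removing id = N from T table" text is the message the APAR refers to.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s.*?"
    r"Removing id = (?P<id>\d+) from (?P<table>\S+) table"
)
THRESHOLD_PER_SECOND = 50   # below this the APAR says to contact support
TS_FMT = "%Y-%m-%d %H:%M:%S"


def per_second_counts(lines):
    """Map each whole second to the number of 'Removing id' lines in it."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("ts")] += 1
    return counts


def summarise(lines, threshold=THRESHOLD_PER_SECOND):
    """Rate summary over the span of the log. Seconds with no deletions at
    all (a stall) are reported as slow and pull the average down."""
    counts = per_second_counts(lines)
    total = sum(counts.values())
    if not counts:
        return {"total_removed": 0, "elapsed_seconds": 0, "avg_per_second": 0.0,
                "slow_seconds": [], "needs_support": False}
    stamps = [datetime.strptime(ts, TS_FMT) for ts in counts]
    start, end = min(stamps), max(stamps)
    elapsed = int((end - start).total_seconds()) + 1
    slow, t = [], start
    while t <= end:
        key = t.strftime(TS_FMT)
        n = counts.get(key, 0)
        if n < threshold:
            slow.append((key, n))
        t += timedelta(seconds=1)
    avg = total / elapsed
    return {"total_removed": total, "elapsed_seconds": elapsed,
            "avg_per_second": avg, "slow_seconds": slow,
            "needs_support": bool(slow) or avg < threshold}


def constructed_sample():
    """Synthetic log: 120 deletions in one second, a 30/s stall, then 80/s."""
    lines, next_id = [], 103540
    for ts, n in [("2020-12-08 10:15:01", 120),
                  ("2020-12-08 10:15:02", 30),
                  ("2020-12-08 10:15:03", 80)]:
        for _ in range(n):
            lines.append(f"{ts},117 Removing id = {next_id} from public.target table.")
            next_id += 1
    lines.append("2020-12-08 10:15:04,002 Patch step complete")   # not a removal, ignored
    return lines


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(constructed_sample()), indent=2))
```

Run it against a real file with summarise(open("/var/log/setup-XXXXX/patches.log")) once the prefix pattern has been confirmed against a few lines of that file.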
SECURITY BULLETIN | MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Affected versions
|
15 December 2020 | |
SECURITY BULLETIN | APACHE SANTUARIO AS USED IN IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Affected versions
Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the loading of XML parsing code from an untrusted source. An attacker could exploit this vulnerability to launch further attacks on the system when validating signed documents. CVSS Base score: 5.3 |
15 December 2020 | |
SECURITY BULLETIN | POSTGRESQL JDBC DRIVER AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Affected versions
PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5 |
15 December 2020 | |
SECURITY BULLETIN | LDAPTIVE AS USED IN IBM QRADAR SIEM IS VULNERABLE TO SPOOFING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Affected versions
Ldaptive could allow a remote attacker to conduct spoofing attack in DefaultHostnameVerifier, caused by the failure to properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to spoof SSL server. CVSS Base score: 5.3 |
15 December 2020 | |
LOG SOURCE MANAGEMENT APP | IJ29323 | EXPORTING LOG SOURCES TO CSV THAT USE AN XPATH WITH LINE BREAKS CAUSES EXTRA LINES TO BE GENERATED WITHIN THE EXPORTED CSV FILE | OPEN | Workaround When exporting Log Sources from the Log Source Management (LSM) app, users can remove the line breaks when entering the data into the LSM app or edit the CSV file to remove them after it is generated by the export. Issue When exporting Log Sources from the Log Source Management app, if there are Windows Log Sources using XPath that contains line breaks, it causes the exported CSV file to display incorrectly by also adding lines into the CSV file. |
19 November 2020 |
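IJ29323 above is a CSV quoting bug: a value containing a newline is written raw, so it starts a spurious record. The following added example (not the Log Source Management app's code) reproduces the symptom with a naive exporter and shows the RFC 4180 behaviour a compliant writer gives, where a multi-line XPath is quoted and round-trips intact. The two log source records are constructed for the demonstration.

```python
import csv
import io

# Constructed sample: two Windows log sources, one with a multi-line XPath
# as an administrator would paste it into the LSM app.
SAMPLE_LOG_SOURCES = [
    {"name": "DC01 Security",
     "type": "Microsoft Windows Security Event Log",
     "xpath": ("<QueryList>\n"
               "  <Query Id=\"0\">\n"
               "    <Select Path=\"Security\">*[System[(EventID=4624)]]</Select>\n"
               "  </Query>\n"
               "</QueryList>")},
    {"name": "FS01 System",
     "type": "Microsoft Windows Security Event Log",
     "xpath": "*[System[(EventID=7036)]]"},
]
FIELDS = ["name", "type", "xpath"]


def naive_export(rows):
    """The bug in miniature: fields joined with commas, records with newlines,
    no quoting. A newline inside a value becomes a record boundary."""
    out = [",".join(FIELDS)]
    for r in rows:
        out.append(",".join(r[f] for f in FIELDS))
    return "\n".join(out) + "\n"


def csv_export(rows):
    """RFC 4180 export: a value containing a comma, quote or newline is wrapped
    in double quotes and embedded quotes are doubled."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_MINIMAL,
                       lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def csv_import(text):
    """A compliant reader reassembles quoted multi-line fields."""
    return list(csv.DictReader(io.StringIO(text)))


def physical_lines(text):
    """What a line-oriented consumer (or a spreadsheet) sees."""
    return text.count("\n")


def naive_row_count(text):
    """Records a consumer would believe the naive file holds (excluding header)."""
    return len(text.splitlines()) - 1


if __name__ == "__main__":
    print("naive physical lines:", physical_lines(naive_export(SAMPLE_LOG_SOURCES)))
    print("csv round-trip ok:", csv_import(csv_export(SAMPLE_LOG_SOURCES)) == SAMPLE_LOG_SOURCES)
```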
User Behavior Analytics (UBA) App | IJ29455 | USER BEHAVIOR ANALYTICS (UBA) APP VERSIONS PRIOR TO VERSION 3.8 FAIL TO START AFTER AN UPGRADE TO QRADAR 7.4.2 GA | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) Workaround Administrators can upgrade their UBA app to version 3.8 or later after they complete their QRadar 7.4.2 upgrade. Issue The User Behavior Analytics for QRadar App (UBA) versions prior to 3.8 fail to load or start after an upgrade to QRadar version 7.4.2 GA. |
12 April 2021 |
AUTO UPDATE | IJ29298 | AUTOUPDATE ERROR IN THE QRADAR USER INTERFACE AFTER CHANGING TO THE NEW CLOUD BASED ADDRESS | OPEN | Workaround This error described is benign and does not cause any problems with the autoupdate download or expected functionality. Issue After changing the Autoupdate server to the new Cloud based address, the user interface can display a benign error message as described in this technical note. Error message: Autoupdate settings are updated. However, the system cannot connect to the specified web server address, directory. This will cause updates to fail. Verify that web server address, directory, credentials and the proxy settings are configured correctly and the web server is running properly. |
16 November 2020 |
ASSETS | IJ26166 | VULN COUNT IN ASSET LIST VIEW CAN FAIL TO MATCH VULN COUNT IN ASSET DETAILS OR QVM MANAGE VULNS BY ASSET VIEW | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue The vulnerability count in Asset list view can fail to match the vulnerability count in asset details or in the QVM manage vulnerabilities by asset view. This vulnerability count mismatch can be observed when using the api endpoint /qvm/vuln also. The mismatch occurs when vulnerabilities are no longer present on a second scan after being fixed or a service being disabled. The mismatch can also occur if vulnerability exceptions are configured. |
12 July 2021 |
SCAN RESULTS | IJ29292 | WHEN THE QVM PROCESSOR IS NOT RUNNING ON THE CONSOLE, SCAN START AND STOP EMAILS CONTAIN INCORRECT DATA IN SUBJECT AND BODY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue When the QVM processor is not running on the console, scan start and scan stop emails contain: '$body.scanProfile.name' instead of the name of the scan profile. |
23 February 2022 |
USER INTERFACE | IJ28347 | THE TOMCAT SERVICE CAN HANG ON STARTUP WHEN CUSTOM AQL PROPERTIES EXIST | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue In some instances the QRadar Tomcat service (required for the User Interface) can hang during service startup due to the occurrence of deadlocks when custom AQL properties are configured in QRadar. |
2 February 2022 |
SYSTEM NOTIFICATIONS | IJ26223 | QRADAR DEPLOY OVERWRITES INDIVIDUALLY CONFIGURED SAR SENTINEL NOTIFICATION TUNING FOR EACH MANAGED HOST WITH CONSOLE'S | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue The QRadar Deploy function overwrites the SAR Sentinel notification configuration tunings for each Managed Host in the deployment with that of the Console. This can cause erroneous SAR Sentinel "system load" notification messages to be generated for some QRadar Managed Hosts. |
26 November 2020 |
DSM EDITOR | IJ26131 | 'FAILED TO LOAD DATA' ERROR DISPLAYED IN THE QRADAR DSM EDITOR WINDOW | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue A 'failed to load data' message can be displayed in the QRadar DSM Editor while performing Event mapping. Example steps that can generate this error:
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] 1 leak(s) detected in session context: xxxx-xxxx-xxxx-xxxx-xxxx
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] java.sql.PreparedStatement leak detected. Object created in following code path
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] java.lang.Exception
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.BaseWrapper.{init}(BaseWrapper.java)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.PreparedStatementWrapper.{init}(PreparedStatementWrapper.java:35)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java:262)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:262)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.getEventMappings(ApplicationAPI.java:175)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] org.postgresql.util.PSQLException: The column name lc_name was not found in this ResultSet.
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.findColumn(PgResultSet.java)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:2467)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.mchange.v2.c3p0.impl.NewProxyResultSet.getString(NewProxyResultSet.java:3342)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.apache.openjpa.lib.jdbc.DelegatingResultSet.getString(DelegatingResultSet.java:187)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:284) |
26 November 2020 |
QRADAR NETWORK INSIGHTS | IJ26096 | WHEN RUNNING QNI IN ADVANCED MODE MESSAGES '...[ERRNO 24] TOO MANY OPEN FILES' ARE WRITTEN TO QRADAR LOGGING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue When running QRadar Network Insights in Advanced Mode, repeated messages similar to the following can sometimes be observed being written to /var/log/qradar.log: TikaServer (6690) - ERROR - Error starting subprocess: [Errno 24] Too many open files TikaServer (6690) - ERROR - Error starting subprocess: [Errno 24] Too many open files |
26 November 2020 |
SEARCH | IJ26095 | QUICK SEARCH 'TOP IDS/IPS ALERT BY COUNTRY/REGION' GROUPS BY THE NON-EXISTENT COLUMN 'GEOGRAPHIC COUNTRY/REGION' | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue The quick search 'Top IDS/IPS Alert by Country/Region' groups by a non-existent column 'Geographic Country/Region'. For example:
|
26 November 2020 |
QRADAR VULNERABILITY MANAGER | IJ26089 | QVM SCHEDULED SCANS CAN FAIL TO DISPLAY WHEN THERE ARE A LARGE NUMBER OF SCAN PROFILE CRON SCHEDULES | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators must upgrade to resolve this software issue. Issue QRadar Vulnerability Manager scheduled scan entries can fail to be displayed in the User Interface calendar view when there are a large number (hundreds) of scan profile cron schedules. When this issue is occurring, clicking in the scheduled scans view in the User Interface can generate an error in the QRadar Console's /var/log/qradar.error log when the qvmprocessor is deployed on a separate QRadar managed host. Note: This issue is less likely to occur on systems where there are only a small number of scan profiles. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getCronScanProfiles'
{hostname} tomcat[13976]: org.apache.cxf.interceptor.Fault: Could not receive Message.
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] javax.xml.ws.WebServiceException: Could not receive Message.
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:183)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
{hostname} tomcat[13976]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] ... 67 more
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] Caused by:
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] java.net.SocketTimeoutException: Read timed out
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at java.net.SocketInputStream.socketRead0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at java.net.SocketInputStream.socketRead(SocketInputStream.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at java.net.SocketInputStream.read(SocketInputStream.java:182)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at java.net.SocketInputStream.read(SocketInputStream.java:152)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.ibm.jsse2.b.a(b.java:297)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.ibm.jsse2.b.a(b.java:290)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] at com.ibm.jsse2.av.a(av.java:840)
{hostname} tomcat[13976]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
{hostname} tomcat[13976]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
{hostname} tomcat[13976]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
{hostname} tomcat[13976]: at java.lang.Thread.run(Thread.java:818)
{hostname} tomcat[13976]: Caused by:
{hostname} tomcat[13976]: java.net.SocketTimeoutException: SocketTimeoutException invoking https://XXXXXXXXXX:9999/scanProfileService: Read timed out
{hostname} tomcat[13976]: at sun.reflect.GeneratedConstructorAccessor697.newInstance(Unknown Source)
{hostname} tomcat[13976]: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
{hostname} tomcat[13976]: at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1402)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1386)
{hostname} tomcat[13976]: at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
{hostname} tomcat[13976]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
{hostname} tomcat[13976]: ... 74 more
{hostname} tomcat[13976]: Caused by:
{hostname} tomcat[13976]: java.net.SocketTimeoutException: Read timed out
{hostname} tomcat[13976]: at java.net.SocketInputStream.socketRead0(Native Method)
{hostname} tomcat[13976]: at java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
{hostname} tomcat[13976]: at java.net.SocketInputStream.read(SocketInputStream.java:182) |
26 November 2020 |
OFFENSES | IJ25448 | 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE AN OFFENSE ACCESSED FROM AN EMAIL LINK | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Navigate manually to the Offense using the QRadar user interface "Offenses" tab. Issue When attempting to close an Offense from within an email link, an "Application Error" is generated in the QRadar User Interface. The Offense opens as expected from within the email link, but the "Application Error" occurs when attempting to close it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1 /- -] [-/- -]An exception occurred while processing the request:
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] com.ibm.si.content_management.utils.ApplicationErrorStateException
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.findNextForward(MaintainProperties.java:230)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecure(MaintainProperties.java:80)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.updateProperties(MaintainProperties.java:213)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java:101)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java:122)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(AddUserHeaderFilter.java:86)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(ThreadNameFilter.java:53)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsParamFilter.java:41)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] at com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.doFilter(AuthenticationVerificationFilter.java:304) |
15 September 2020 |
ASSETS | IJ25823 | NO ASSETS FOUND WHEN USING SCAN RESULTS -> OPEN SERVICES -> ASSETS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Perform an asset search on the Asset tab using the "Assets With Open Service" search parameter. Issue An asset can fail to be found when using Scan Results -> Open Services -> Assets on the Vulnerabilities tab. This occurs when the asset has the service, but has no vulnerabilities. |
26 November 2020 |
SEARCH | IJ25805 | NULLPOINTEREXCEPTION CAN CAUSE ACCUMULATED VALUE TIMESERIES DATA DISCREPANCIES WHEN MANAGED HOSTS ARE ENCRYPTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Where possible, disable encryption for Managed Hosts. Issue When encryption is enabled for Managed Hosts, there can be variances in the accumulated value reported by some ADE Rules vs accumulated values shown in the timeseries graph when a Null Pointer Exception occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[accumulator.accumulator] [SE client /127.0.0.1:59638] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:59638
[accumulator.accumulator] [SE client /127.0.0.1:59638] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:59638] at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1227)
[accumulator.accumulator] [SE client /127.0.0.1:59638] at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:108)
[accumulator.accumulator] [SE client /127.0.0.1:59638] at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:59638] at java.lang.Thread.run(Thread.java:812)
And
[accumulator.accumulator] [SE client /127.0.0.1:33012] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:33012
[accumulator.accumulator] [SE client /127.0.0.1:33012] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:33012] at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1227)
[accumulator.accumulator] [SE client /127.0.0.1:33012] at com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSocket(Protocol.java:413)
[accumulator.accumulator] [SE client /127.0.0.1:33012] at com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Communicator.java:134)
[accumulator.accumulator] [SE client /127.0.0.1:33012] at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:110)
[accumulator.accumulator] [SE client /127.0.0.1:33012] at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:33012] at java.lang.Thread.run(Thread.java:812)
And
[accumulator.accumulator] [SE client /127.0.0.1:53604] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:53604
[accumulator.accumulator] [SE client /127.0.0.1:53604] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.protocol.Protocol.disposeBuffer(Protocol.java:1121)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.protocol.Protocol.decodeObjectInternal(Protocol.java:291)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.protocol.Protocol.processProtocolMessage(Protocol.java:1074)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1198)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSocket(Protocol.java:413)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Communicator.java:134)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:110)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:53604] at java.lang.Thread.run(Thread.java:812) |
26 November 2020 |
OFFENSES | IJ25800 | OFFENSES CAN BE CLOSED WITH NO APPROPRIATE REASON FOR CLOSE BEING SELECTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Ensure that you select a proper reason from the available drop-down list options. Issue The Offense Closed Reason can be blank for an offense if a previously used Reason for Close has been removed from the list and a QRadar user clicks OK without making another selection from the drop-down. When this occurs, the closing reason for the affected offense displays as NULL in Offense reports. |
26 November 2020 |
WINCOLLECT | IJ24355 | WINCOLLECT 7.2.9 PATCH 3 INSTALLATION CAN FAIL UNEXPECTEDLY DUE TO THE MINIMUM UPGRADE VERSION CHECK | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Temporarily rename the .minimum_upgrade_version hidden file that is causing the problem and rerun the WinCollect Installer. After the installation completes, rename the .minimum_upgrade_version hidden file back to its original filename.
Issue When attempting to install the SFS for WinCollect 7.2.9 P3 on QRadar 7.3.2, an error similar to the following might be observed during the installation process: "You are attempting to upgrade to 2019.14.0. The installed version only supports upgrades to 7.3.3.20191203144110". |
26 November 2020 |
QRADAR VULNERABILITY MANAGER | IJ22896 | 'FOUND BY SCAN PROFILE' SEARCH RETURNS NO RESULTS WHEN SCAN PROFILE NAME STARTS OR ENDS WITH SPACE (BLANK) CHARACTERS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround None for existing scan profiles. Do not add leading or trailing spaces when creating a scan profile. Issue A "Found By Scan Profile" search returns no results when the name of the scan profile starts or ends with space (blank) characters. |
26 November 2020 |
UPGRADE | IJ26199 | LACK OF ADEQUATE FREE SPACE ON /BOOT PARTITION CAN CAUSE QRADAR PATCH FAILURE DURING RPM INSTALL | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue Older QRadar appliance configurations allowed for smaller /boot partitions. As a result, when upgrading QRadar there can sometimes be inadequate free space in the /boot partition, causing the upgrade to fail during rpm file installation. This lack of free space in the /boot partition is not currently identified by the QRadar pretests that run in Test Mode when an upgrade is performed. Messages similar to the following might be visible in the patches.log file for the QRadar installation version attempted (/var/log/setup-7.x.x.xxxxxx):
[6/9] Install & Upgrade Packages
Transaction check error:
installing package kernel-3.XXXXXXXXXX.el7.x86_64 needs 812KB on the /boot filesystem
Error Summary
-------------
Disk Requirements:
At least 1MB more space needed on the /boot filesystem.
Please Check patches.log
[INFO](patchmode) error was during install and we can't rollback
[WARN](patchmode) =============================================
[WARN](patchmode) [6/9] Install & Upgrade Packages PROBLEMS! Can we roll back?? [6/9] Install & Upgrade Packages ? no
[WARN](patchmode) |
26 November 2020 |
APPLICATION FRAMEWORK | IJ23719 | SI-QRADARCA CAN RETURN SUCCESSFUL STATUS EVEN WHEN A CERT IS FAILING WITH CERTIFICATE SIGNING FAILED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue Running si-qradarca (i.e. # /opt/qradar/ca/bin/si-qradarca) can return: "Successfully setup server certificate for service" This conflicts with errors displayed in /var/log/localca.log: time="2020-01-23T15:25:16Z" level=error msg="Validating CSR /etc/docker/tls/si-docker.csr failed for host X.X.X.X with error Certificate signing failed for /opt/qradar/ca/certs/from-X.X.X.X/si-docker.csr as no hostname is found in deployment for ip address X.X.X.X" |
26 November 2020 |
VULNERABILITY SCANNER | IJ23838 | CREATING A TENABLE SECURITY CENTER SCAN CAN SOMETIMES FAIL WITH 'FAILED TO LOGIN TO TENABLE SECURITY SCANNER' IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators must upgrade to resolve this software issue. Issue Creating a Tenable Security Center scan using correct credentials can sometimes fail. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[vis] [Scanner Manager] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRESTClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]IOException caught while executing API call; Error message [java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.aj)]
[vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not initialize scanner 'TenableSecurityCenter - Regression': Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager] at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:104)
[vis] [Scanner Manager] at com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.java:310)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:482)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(ScannerManager.java:298)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:243)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:208)
[vis] [Scanner Manager] at com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
[vis] [Scanner Manager] at java.lang.Thread.run(Thread.java:818)
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to login to Tenable Security Center;
[vis] [Scanner Manager] at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:99)
[vis] [Scanner Manager] ... 8 more
[vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialize scanner module 61 for scan request 11.
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Could not initialize scanner 'TenableSecurityCenter - Regression': Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:491)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(ScannerManager.java:298)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:243)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:208)
[vis] [Scanner Manager] at com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
[vis] [Scanner Manager] at java.lang.Thread.run(Thread.java:818)
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager] at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:104)
[vis] [Scanner Manager] at com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.java:310)
[vis] [Scanner Manager] at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:482)
[vis] [Scanner Manager] ... 6 more
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to login to Tenable Security Center;
[vis] [Scanner Manager] at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:99)
[vis] [Scanner Manager] ... 8 more |
26 November 2020 |
HIGH AVAILABILITY (HA) | IJ21012 | A HIGH AVAILABILITY FAILOVER CAN OCCUR AS MANAGED HOSTS REMOVED FROM DEPLOYMENT ARE NOT UPDATED IN THE PING TEST LIST | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators must upgrade to resolve this software issue. Issue It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment are not removed from the ping test list. |
26 November 2020 |
PERFORMANCE | IJ23649 | SYSTEMSTABMON CAN RESULT IN LARGE NUMBERS OF STUCK 'DF' COMMANDS WHEN A HUNG NFS MOUNT OCCURS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that were removed from the QRadar Deployment are not removed from the ping test list. |
26 November 2020 |
APP HOST | IJ21302 | APPS CAN FAIL TO LOAD IN QRADAR DUE TO FAILED CERTIFICATE REPLICATION TO APP HOST | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that the QRadar update-remote-certs.sh script fails to list the proper IP of the App Host if the QRadar Console is in a NATed environment and the App Host is not. When this issue is occurring, certificate generation fails to push out because the managed host IP lookup returns an empty result. |
26 November 2020 |
DEPLOY CHANGES | IJ21234 | RHEL KERNEL CRASH CAN OCCUR WHEN IPTABLES RESTARTS DURING QRADAR DEPLOY FUNCTIONS WHERE NAT'D CONNECTIONS EXIST | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that iptables restarts during QRadar Deploy functions and can cause a RHEL kernel crash on systems that have NAT'd connections configured. |
26 November 2020 |
CERTIFICATES | IJ21198 | DER ENCODED CERTIFICATE IS ACCEPTED BY QRADAR BUT THEN DOES NOT WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Convert the DER encoded certificate to PEM format and retry installing the cert using /opt/qradar/bin/install-ssl-cert.sh. Issue It has been identified that QRadar install-ssl-cert.sh allows DER encoded certificate files to be copied to QRadar, but QRadar does not work as expected with this format of certificate files. |
26 November 2020 |
APPLICATION FRAMEWORK | IJ21178 | QRADAR APPS CAN FAIL TO LOAD WITH 'ERROR INITIALIZING CORE: FAILED TO LOCK MEMORY: CANNOT ALLOCATE MEMORY' ERROR | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators can upgrade to the released software version that resolves this issue. Issue It has been identified that in some instances QRadar Apps can fail to load. Messages similar to the following might be visible when this issue is occurring after attempting to restart vault:
# systemctl restart vault-qrd
{hostname} ensure-vault-ready-for-unseal.sh[23036]: Ensuring vault is ready to be unsealed...
{hostname} si-vault[23035]: Error initializing core: Failed to lock memory: cannot allocate memory
{hostname} si-vault[23035]: This usually means that the mlock syscall is not available.
{hostname} si-vault[23035]: Vault uses mlock to prevent memory from being swapped to
{hostname} si-vault[23035]: disk. This requires root privileges as well as a machine
{hostname} si-vault[23035]: that supports mlock. Please enable mlock on your system or
{hostname} systemd[1]: vault-qrd.service: main process exited, code=exited, status=1/FAILURE
{hostname} ensure-vault-ready-for-unseal.sh[23036]: % Total % Received % Xferd Average Speed Time Time Time Current
{hostname} ensure-vault-ready-for-unseal.sh[23036]: Dload Upload Total Spent Left Speed
{hostname} ensure-vault-ready-for-unseal.sh[23036]: 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to {IP_ADDRESS}: Invalid argument |
26 November 2020 |
QRADAR NETWORK INSIGHTS | IJ20593 | QNI LOG MESSAGES CAN DISPLAY INCORRECT STATISTICS WHEN LOW (BASIC) INSPECTION LEVEL IS SELECTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators can upgrade to the released software version that resolves this issue. Issue It has been identified that QRadar Network Insights (QNI) can generate system log messages with incorrect statistics when the Low (Basic) inspection level is selected. |
26 November 2020 |
DISK SPACE | IJ17854 | /TMP CAN FILL UP WITH NUMEROUS /TMP/TMP.XXXXXXXXXX DIRECTORIES | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators can upgrade to the released software version that resolves this issue. Issue It has been identified that the /tmp partition can sometimes fill up with /tmp/tmp.xxxxxxxx directories due to a missing cleanup configuration within QRadar. |
26 November 2020 |
OFFENSES | IJ19855 | OFFENSE WITH A LONG DESCRIPTION SPLITS AUDIT LOG INTO MULTIPLE ROWS CAUSING UNKNOWN SIM GENERIC EVENTS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators can upgrade to the released software version that resolves this issue. Issue It has been identified that Offenses with a long offense description can split one audit log message into multiple rows, causing Unknown SIM Generic events within QRadar. |
26 November 2020 |
SERVICES | IJ12278 | CONSOLE APPLIANCE CAN EXPERIENCE A KERNEL PANIC | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support to diagnose any Console crash/failure to clearly identify the cause of the issue. Support can implement a possible workaround that might address this issue in some instances. Issue It has been identified that a QRadar Console can experience a kernel panic and crash due to values in: /usr/lib/systemd/system/iptables.service |
26 November 2020 |
LICENSE | IJ06169 | FLOW PROCESSOR (1729) APPLIANCES ARE ASSIGNED AN INCORRECT AND EXPIRING LICENSE BY DEFAULT AFTER BEING ADDED INTO A QRADAR DEPLOYMENT | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Email q1pd@us.ibm.com to receive a Flow Processor license update and apply a corrected license to the appropriate 1729 appliance in the System and License Management interface from the Admin tab. Issue It has been identified that a 1729 appliance added into a QRadar deployment receives an incorrect license. By default, the license expires in 33 days for the appliance, unless replaced. |
26 November 2020 |
HIGH AVAILABILITY (HA) | IJ04244 | RE-ADDING A PREVIOUSLY REMOVED HIGH AVAILABILITY 15XX SECONDARY INTO AN HA PAIR CAN FAIL DURING THE GLUSTERFS CONFIGURATION | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that removing a High Availability (HA) Event Collector (15xx) Secondary appliance and then attempting to re-add it back into an HA pair can sometimes result in the glusterFS failing to be correctly configured. When this issue occurs, the HA join process fails. Messages similar to the following might be visible in the qradar_hasync.log file when this issue occurs: [INFO] [ha_sync_replication.py] Failed to run command 'start': fuse directory "/store/persistent_queueha" is populated, but "/store/persistent_queue" is not empty. Please manually migrate data from "/store/persistent_queue to "/store/persistent_queueha" |
26 November 2020 |
MANAGED HOSTS | IJ03437 | QRADAR COMPONENTS CAN SOMETIMES BE REMOVED WHEN ADDING A NEW MANAGED HOST TO A QRADAR DEPLOYMENT | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that during the process of adding a new Managed Host to a QRadar deployment, QRadar components can sometimes be removed from the deployment. For example, Managed Hosts that are in the ADDING or ADD_FAILED_RETRY_CONNECTION state in the managedhost and serverhost tables can cause the qvmprocessor components to be removed during the rewrite of the deployment.xml file after the Admin tab, Actions drop-down, Deploy Full Configuration is performed. |
26 November 2020 |
MANAGED HOSTS | IJ02463 | UNABLE TO ADD A MANAGED HOST TO A DEPLOYMENT IF THE APPLIANCE SERIAL NUMBER ALREADY EXISTS IN THE DEPLOYMENT | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that a Managed Host cannot be added into a QRadar Deployment if the appliance serial number already exists in the Deployment. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [Thread-296] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: The serial number is already found in the deployment.
[tomcat.tomcat] [Thread-296] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: The serial number is already found in the deployment.
[tomcat.tomcat] [Thread-296] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:849)
[tomcat.tomcat] [Thread-296] at com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(DeploymentAPI.java:979)
[tomcat.tomcat] [Thread-296] at java.lang.Thread.run(Thread.java:785)
[tomcat.tomcat] [Thread-296] Caused by:
[tomcat.tomcat] [Thread-296] com.q1labs.configservices.common.ConfigServicesException: The serial number is already found in the deployment.
[tomcat.tomcat] [Thread-296] at com.q1labs.configservices.capabilities.CapabilitiesHandler.addManagedHost(CapabilitiesHandler.java:1858)
[tomcat.tomcat] [Thread-296] at com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:818 |
26 November 2020 |
UPGRADE | IV90332 | APPLYING A PATCH REVISION TO A QRADAR MANAGED HOST IN A DEPLOYMENT PRIOR TO THE CONSOLE IS ALLOWED TO OCCUR | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, or experience this problem, contact support for a possible workaround that might address this issue in some instances. Issue QRadar's documented patching process states that the Console must be patched successfully before any attached Managed Host is patched. The patch framework currently allows a QRadar patch revision to be installed on a Managed Host before the Console has been patched. When this happens, the Managed Host can experience various states of instability, including required processes not starting. |
26 November 2020 |
USER ROLES | IJ23839 | 'USER ROLE' PAGE ON THE QRADAR USER INTERFACE CAN BEHAVE DIFFERENTLY DEPENDING ON USER ROLE SELECTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances. Issue The QRadar User Roles Admin page can behave differently depending on the first role that is selected when opening the page. For example:
|
26 November 2020 |
DATA SYNCHRONIZATION APP | IJ29345 | SCRIPT REQUIRED FOR A QRADAR DATA SYNCHRONIZATION APP NOTIFICATION MIGHT BE MISSING IN SOME QRADAR PATCH VERSIONS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. Issue It has been identified that an updated script (generate_environment.sh) for the QRadar Data Synchronization App can be missing from some QRadar patch versions. The updated generate_environment.sh script alerts if the data sync is on the Destination Site and warns if the process is not started. |
26 November 2020 |
REFERENCE DATA | IJ28797 | REFERENCE DATA API DATA 'ADDS OR UPDATES' INTO REFERENCE SETS CAN BE SLOW OR TIMEOUT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.4.3 (7.4.3.20210517144015) Note: This issue was resolved with the release of QRadar 7.4.2, but was reopened on 04 March 2021 because the issue could still occur on 7.4.2 Consoles. Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances. Issue The reference data API can be slow or time out when adding or updating data within QRadar reference sets. This behavior can be observed when using QRadar Apps that use the API for this functionality. The innermost cause in the trace (ClientAbortException wrapping an EOFException while Tomcat reads the request) shows the client closing the connection before the Console finished reading the bulk_load body. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at java.lang.Thread.run(Thread.java:818)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] Caused by:
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: Adding/updating data to Set {REFSET NAME} failed
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at com.q1labs.core.api.v3_0.referencedata.ReferenceDataAPI_Sets.addDataToSet(ReferenceDataAPI_Sets.java:550)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at sun.reflect.GeneratedMethodAccessor1143.invoke(Unknown Source)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1038)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] ... 61 more
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] Caused by:
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] org.apache.catalina.connector.ClientAbortException: java.io.EOFException
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:348)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.catalina.connector.InputBuffer.checkByteBufferEof(InputBuffer.java:663)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:370)
[tomcat.tomcat] [x.x.x.x (3730) /console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}] at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:183) |
10 July 2021 |
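As a client-side mitigation for the timeouts above (an added example, not IBM's code and not part of the original page): a small Python loader that submits the bulk_load request in chunks and retries a chunk that times out or receives a 5xx, so one oversized body cannot abort the whole load. The Console URL, the API version header value and the FakeConsole used to exercise it offline are assumptions; the endpoint path is the one in the stack trace.

```python
import json
import time
import urllib.error
import urllib.request
from urllib.parse import quote

# Placeholders (assumptions): replace with your Console URL and the API
# version your Console advertises. The endpoint path itself is the one in
# the stack trace for this APAR.
CONSOLE_URL = "https://console.example.test"
API_VERSION = "14.0"


def chunked(values, size):
    """Yield consecutive slices of at most `size` items."""
    values = list(values)
    for start in range(0, len(values), size):
        yield values[start:start + size]


def console_post(sec_token, timeout=300):
    """Return a transport (path, json_body) -> HTTP status for the Console REST API.
    Authenticates with a SEC token header. Socket failures are raised as TimeoutError
    so the caller can retry; HTTP error codes are returned, not raised."""
    def post(path, body):
        req = urllib.request.Request(
            CONSOLE_URL + path, data=body.encode("utf-8"), method="POST",
            headers={"SEC": sec_token, "Version": API_VERSION,
                     "Content-Type": "application/json", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
        except OSError as err:                # URLError and socket timeouts
            raise TimeoutError(str(err)) from err
    return post


def bulk_load_set(set_name, values, post, chunk_size=2000, retries=3,
                  backoff=2.0, sleep=time.sleep):
    """POST `values` into reference set `set_name` in chunks of `chunk_size`.
    A chunk that times out or returns 5xx is retried with exponential backoff;
    a 4xx is a caller error and is raised at once. Returns the accepted chunk sizes."""
    path = f"/api/reference_data/sets/bulk_load/{quote(set_name, safe='')}"
    accepted = []
    for chunk in chunked(values, chunk_size):
        body = json.dumps(chunk)
        for attempt in range(retries):
            try:
                status = post(path, body)
            except TimeoutError:
                status = None
            if status == 200:
                accepted.append(len(chunk))
                break
            if status is not None and status < 500:
                raise RuntimeError(f"{path}: HTTP {status}, not retrying")
            sleep(backoff * 2 ** attempt)
        else:
            raise RuntimeError(f"{path}: chunk of {len(chunk)} items failed "
                               f"{retries} times")
    return accepted


class FakeConsole:
    """Constructed stand-in for a Console affected by this APAR: a request body
    above `max_items` never completes (TimeoutError); optionally the very first
    request times out regardless, to exercise the retry path."""
    def __init__(self, max_items, flaky_first=False):
        self.max_items = max_items
        self.flaky_first = flaky_first
        self.calls = []                       # (path, item count) per request

    def __call__(self, path, body):
        items = json.loads(body)
        self.calls.append((path, len(items)))
        if len(items) > self.max_items or (self.flaky_first and len(self.calls) == 1):
            raise TimeoutError("read timed out")
        return 200


if __name__ == "__main__":
    console = FakeConsole(max_items=100)
    ips = [f"10.0.{i // 256}.{i % 256}" for i in range(250)]
    print(bulk_load_set("Blocked_IPs", ips, console, chunk_size=100, sleep=lambda s: None))
```

Keep chunk_size well below what the Console can commit inside the client timeout: the ClientAbortException in the trace is what the server logs when the client gives up first, so a longer client timeout plus smaller chunks removes the symptom even on a Console that has not yet been upgraded. For a real Console, pass console_post(token) as the transport.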
PROTOCOLS | IJ26183 | ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue In some instances, the ecs-ec-ingress process (required for event collection) can experience out of memory occurrences caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use. Messages similar to the following, which reference a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [x.x.x.x][smb://x.x.x.x/LogFiles/]] com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access error for file W3SVC13 status = -1073741790 (0xc0000022) (0xC0000022) The NTSTATUS value 0xC0000022 is STATUS_ACCESS_DENIED, so repeated exists() failures of this kind also warrant a check of the share and NTFS permissions granted to the account the log source uses. |
15 July 2020 |
PROTOCOLS | IJ26863 | THE USE OF MSRPC AND IIS SIMULTANEOUSLY MIGHT CAUSE POTENTIAL DEADLOCK THREADS | CLOSED | Resolved in PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm Workaround A weekly auto update delivering the resolved RPM files is pending. If you need assistance to apply a workaround, contact QRadar Support for a possible workaround that might address this issue. Issue It has been observed that MSRPC and IIS Log Sources cannot be used simultaneously because of a potential thread deadlock. Administrators might be required to disable one protocol until the Microsoft Windows Security Event Log over MSRPC protocol update can be delivered. The deadlock occurs inside the jar file that provides the SMB transport shared by both protocols: in the dump below each RPCEventLogHandler thread is waiting on a lock held by the other. A thread dump similar to the following might be visible in /var/log/qradar.log when this issue occurs:
"RPCEventLogHandler thread" Id=3378 in BLOCKED on lock=com.example.common.NamedRepository@abc owned by RPCEventLogHandler thread Id=7388
at com.example.client.Server.dispose(Server.java:350)
at com.example.client.Server.disconnect(Server.java:750)
at com.example.client.Server.disconnect(Server.java:702)
at com.example.client.Mount.doMount(Mount.java:521)
at com.example.client.Mount.doMount(Mount.java:483)
at com.example.client.Mount.doMount(Mount.java:479)
at com.example.client.Mount.{init}(Mount.java:280)
at com.example.client.rpc.SmbTransport.{init}(SmbTransport.java:29)
at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
at com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
at com.example.client.rpc.Winreg.{init}(Winreg.java:130)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.connectRemoteRegistry(EventLogWinRegistry.java:58)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.queryRemoteHostInfo(RPCSession.java:80)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCSession.{init}(RPCSession.java:53)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:129)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
at java.lang.Thread.run(Thread.java:818)
"RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz (running in native) owned by RPCEventLogHandler thread Id=3378
at sun.misc.Unsafe.park(Native Method)
at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireNanos(AbstractQueuedSynchronizer.java)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.tryAcquireNanos(AbstractQueuedSynchronizer.java:1258)
at java.util.concurrent.locks.ReentrantLock.tryLock(ReentrantLock.java:453)
at com.example.client.Server.tryLock(Server.java:1528)
at com.example.client.Server.waitTryLock(Server.java:1542)
at com.example.client.Server.disconnect(Server.java:739)
at com.example.client.Server.disconnect(Server.java:714)
at com.example.client.Server.checkTimeouts(Server.java:665)
at com.example.client.Server.findOrCreate(Server.java:965)
- locked com.example.common.NamedRepository@a2d539c5
at com.example.client.Mount.doMount(Mount.java:498)
at com.example.client.Mount.doMount(Mount.java:483)
at com.example.client.Mount.doMount(Mount.java:479)
at com.example.client.Mount.{init}(Mount.java:280)
at com.example.client.rpc.SmbTransport.{init}(SmbTransport.java:29)
at com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
at com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
at com.example.client.rpc.Lsar.{init}(Lsar.java:118)
at com.q1labs.semsources.sources.windowseventrpc.util.SIDCache.{init}(SIDCache.java:40)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:127)
at com.q1labs.semsources.sources.windowseventrpc.eventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
at java.lang.Thread.run(Thread.java:818) |
13 August 2020 |
UPGRADE | IJ29294 | PATCHING A DETACHED 1599 APPLIANCE CAN COMPLETE BUT WITH AN ERROR THAT IS BENIGN | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround This error is caused by /opt/qradar/bin/generate_cert_from_csr.sh attempting to read files that exist only when the appliance is part of a QRadar deployment (host.token and deployment.xml) rather than detached. The error is therefore benign and can be safely ignored. Issue Patching a detached 1599 appliance type to QRadar 7.4.1 FP2 can complete with an error similar to the following:
Patch Report for xxx.xxx.xxx.xxx, appliance type: 1599
hostname : patch test succeeded.
Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch
hostname : patch successful with errors.
Messages similar to the following might be visible in the /var/log/setup-7.4.1.xxxxxx/patches.log file when this issue occurs:
Nov 10 14:48:29 2020: Nov 10 14:48:29 2020:[DEBUG](-i-patchmode) Running script /media/updates/scripts/QRADAR-2072.install --mode mainpatch
Nov 10 14:48:30 2020: [QRADAR-2072] [mainpatch:Run] /opt/qradar/bin/generate_cert_from_csr.sh
cat: /opt/qradar/conf/host.token: No such file or directory
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
at com.ibm.si.mks.Util.main(Util.java:352)
grep: /store/configservices/deployed/globalconfig/deployment.xml: No such file or directory
Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[DEBUG](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch; Got error code of 1.
Nov 10 14:48:30 2020: Nov 10 14:48:30 2020:[ERROR](-i-patchmode) Error running 209: /media/updates/scripts/QRADAR-2072.install --mode mainpatch |
16 November 2020 |
API / RULES | IJ25486 | INCORRECT SYSTEM RULE NAME CAN BE RETURNED FROM AN API QUERY AFTER THE RULE HAS BEEN RENAMED AND TOMCAT HAS BEEN RESTARTED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Use the QRadar user interface to perform the required search. This issue appears to affect only API searches. Issue An Ariel query submitted through the API that uses the rulename function returns an incorrect name for system rules whose name has been changed AND after Tomcat has been restarted. For example:
|
16 November 2020 |
CONTENT MANAGEMENT TOOL (CMT) | IJ27031 | CONTENT MANAGEMENT TOOL IMPORT DEOPTIMIZES CUSTOM PROPERTIES REFERENCED IN A SEARCH FILTER TEST, REDUCING RULE PERFORMANCE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue. Issue When using the Content Management Tool (CMT) to import a deoptimized property where the property already exists and is optimized, QRadar checks to see if there is anything on the system which needs it to be optimized, and if so, does not update it as it would negatively impact rule processing performance. This check works for some rule tests, but does not work if the custom property is referenced in a search filter test or AQL test. The CMT allows the property to be deoptimized despite there being an active rule using it. This can introduce performance issues for affected rules when this issue occurs. |
16 November 2020 |
RULES | IJ27238 | OFFENSE RULE SNMP TRAP RESPONSE FOR 'TOP 5 TARGETS' ONLY DISPLAYS 1 IP ADDRESS (THE TOP TARGET) INSTEAD OF TOP 5 | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue. Issue When an offense rule response is configured to send an SNMP trap that includes the 'Top 5 targets' field, the trap contains only one IP address (the top target) instead of the top five targets. |
16 November 2020 |
SERVICES | IJ28223 | ECS-EC-INGRESS SERVICE (EVENT COLLECTION) CAN HANG WITH A "TOO MANY OPEN FILES (ACCEPT FAILED)" WRITTEN TO QRADAR LOGGING | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Complete a restart of the ecs-ec-ingress service. Issue The ecs-ec-ingress service (event collection) can sometimes hang and stop processing events with a "java.net.SocketException: Too many open files (Accept failed)" message written to the QRadar logs. To confirm this issue, type the following command: journalctl -u ecs-ec-ingress If you are experiencing this issue, "Too many open files" errors similar to the following are displayed in the journalctl output:
ecs-ec-ingress[21929]: WARNING: RMI TCP Accept-7787: accept loop for ServerSocket[addr=0.0.0.0/0.0.0.0,localport=7787] throws
ecs-ec-ingress[21929]: java.net.SocketException: Too many open files (Accept failed)
ecs-ec-ingress[21929]: at java.net.ServerSocket.implAccept(ServerSocket.java:623)
ecs-ec-ingress[21929]: at java.net.ServerSocket.accept(ServerSocket.java:582)
ecs-ec-ingress[21929]: at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.executeAcceptLoop(TCPTransport.java:417)
ecs-ec-ingress[21929]: at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.run(TCPTransport.java:389)
ecs-ec-ingress[21929]: at java.lang.Thread.run(Thread.java:818) |
21 May 2021 |
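To automate the confirmation step above and capture evidence before the restart clears it (an added example, not part of the page and not IBM tooling): a Python triage that reads the service's open descriptor count and soft limit from /proc, classifies what the descriptors point at, and scans the journal for the Accept failed signature. The unit name, journal tail length and verdict thresholds are assumptions; SAMPLE_JOURNAL is constructed to match the excerpt above.

```python
import os
import re
import subprocess
from collections import Counter

# The signature from the journal excerpt in this APAR.
ACCEPT_FAILED = re.compile(
    r"java\.net\.SocketException: Too many open files \(Accept failed\)")

# Constructed journal excerpt, shaped like the lines shown for this APAR.
SAMPLE_JOURNAL = [
    "ecs-ec-ingress[21929]: WARNING: RMI TCP Accept-7787: accept loop for "
    "ServerSocket[addr=0.0.0.0/0.0.0.0,localport=7787] throws",
    "ecs-ec-ingress[21929]: java.net.SocketException: Too many open files (Accept failed)",
    "ecs-ec-ingress[21929]: at java.net.ServerSocket.implAccept(ServerSocket.java:623)",
    "ecs-ec-ingress[21929]: at java.net.ServerSocket.accept(ServerSocket.java:582)",
    "ecs-ec-ingress[21929]: at java.lang.Thread.run(Thread.java:818)",
]


def parse_max_open_files(limits_text):
    """Return (soft, hard) from the contents of /proc/<pid>/limits."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()      # ['Max', 'open', 'files', soft, hard, 'files']
            return int(fields[3]), int(fields[4])
    raise ValueError("no 'Max open files' line in limits text")


def accept_failures(journal_lines):
    """Count journal lines carrying the accept-loop 'Too many open files' exception."""
    return sum(1 for line in journal_lines if ACCEPT_FAILED.search(line))


def fd_kinds(fd_targets):
    """Group readlink() results of /proc/<pid>/fd/* into socket / pipe / anon / file."""
    kinds = Counter()
    for target in fd_targets:
        if target.startswith("socket:"):
            kinds["socket"] += 1
        elif target.startswith("pipe:"):
            kinds["pipe"] += 1
        elif target.startswith("anon_inode:"):
            kinds["anon"] += 1
        else:
            kinds["file"] += 1
    return kinds


def triage(limits_text, fd_targets, journal_lines, warn_ratio=0.9):
    """Combine descriptor usage against the soft limit with the journal signature.
    'affected' = signature present and the process is at or near its limit;
    'warning'  = only one of the two holds; 'ok' = neither."""
    soft, hard = parse_max_open_files(limits_text)
    used = len(fd_targets)
    hits = accept_failures(journal_lines)
    near_limit = used >= soft * warn_ratio
    if hits and near_limit:
        verdict = "affected"
    elif hits or near_limit:
        verdict = "warning"
    else:
        verdict = "ok"
    return {"soft_limit": soft, "hard_limit": hard, "open_fds": used,
            "by_kind": fd_kinds(fd_targets), "accept_failures": hits,
            "verdict": verdict}


def triage_live(unit="ecs-ec-ingress", journal_tail=5000):
    """Run the same check against the live service; needs root on the event collector."""
    pid = subprocess.run(["systemctl", "show", "-p", "MainPID", "--value", unit],
                         capture_output=True, text=True, check=True).stdout.strip()
    with open(f"/proc/{pid}/limits") as fh:
        limits = fh.read()
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:                # descriptor closed between listdir and readlink
            continue
    journal = subprocess.run(["journalctl", "-u", unit, "--no-pager", "-n", str(journal_tail)],
                             capture_output=True, text=True, check=True).stdout
    return triage(limits, targets, journal.splitlines())


if __name__ == "__main__":
    print(triage_live())
```

Run triage_live() as root on the collector before restarting the service. The by_kind breakdown tells you whether the exhausted descriptors are sockets (the accept loop in the excerpt) or files, which is worth attaching to the support case because the restart in the workaround clears the evidence.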
INSTALLATION | IJ27831 | 'FAILED TO MODIFY RX AND TX VALUE FOR ETH0' WHEN INSTALLING QRADAR ON A KVM THAT IS USING VIRTIO_NET DRIVER | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Edit the ifup-local script so that ETHTOOL_ENABLED is set to 0 in both branches, which stops ring buffer settings from being applied to the virtio_net interface. Your file should match the code snippet provided in this ifup-local example:
if [[ "${DEVICE}" =~ ^bond.* ]]; then
  ETHTOOL_ENABLED=0
else
  ethtool -g "${DEVICE}" 2&>1 > /dev/null
  if [ "$?" -ne 1 ] ; then
    ETHTOOL_ENABLED=0
  else
    ETHTOOL_ENABLED=1
  fi
fi
Change to:
if [[ "${DEVICE}" =~ ^bond.* ]]; then
  ETHTOOL_ENABLED=0
else
  ethtool -g "${DEVICE}" 2&>1 > /dev/null
  if [ "$?" -ne 1 ] ; then
    ETHTOOL_ENABLED=0
  else
    ETHTOOL_ENABLED=0
  fi
fi
Issue During the Network Information setup page of a QRadar installation, a message similar to "failed to modify rx and tx value for eth0" can sometimes be observed. This occurs when QRadar is installed on a KVM guest that uses the virtio_net driver: the installer attempts to apply ring buffer settings to the interface and the attempt fails. Manually configuring the ring buffer settings through ifup-local fails with a similar error message. On this type of KVM installation, the QRadar installation should not attempt to apply ring buffer settings to network interfaces. To verify whether the virtio_net driver is in use, run the following from a command line:
ethtool -i eth0 | grep -i driver
The following output indicates the virtio_net driver is in use:
driver: virtio_net |
16 November 2020 |
RULE RESPONSE | IJ27086 | 'THIS INFORMATION SHOULD CONTRIBUTE TO THE NAME OF THE ASSOCIATED OFFENSE' RULE RESPONSE NOT WORKING AS EXPECTED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Where possible, change option 5 in the example to use "This information should set or replace the name of the associated offense(s)" in the Rule Response. Issue When 'This information should contribute to the name of the associated offense(s)' is selected in a Rule Response for an offense generated by a rule that tests the building block 'when the event(s) have not been detected by one or more of these log sources for this many seconds', the offense description is not set to the event description. For example:
|
16 November 2020 |
ASSETS | IJ24031 | QRADAR ASSET CLEANUP PROCESS CAN FAIL AND GENERATE A PSQLEXCEPTION WHEN ATTEMPTING TO RUN | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue. Issue When the QRadar Asset Cleanup attempts to run, it can sometimes fail with a PSQLException written to QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 633 times in 300000 milliseconds
[assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]AssetCleanupWorker.run(): Unable to cleanup asset. Skipping to next...
[assetprofiler.assetprofiler] [AssetCleanupThread] com.q1labs.assetprofile.cleanup.AssetCleanupException: org.postgresql.util.PSQLException: This statement has been closed.
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanupUpdates(AssetCleanupWorker.java:614)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanupAssetComponents(AssetCleanupWorker.java:172)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanAsset(AssetCleanupWorker.java:405)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.walkAssetModelAndClean(AssetCleanupWorker.java:260)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.run(AssetCleanupWorker.java:99)
[assetprofiler.assetprofiler] [AssetCleanupThread] Caused by:
[assetprofiler.assetprofiler] [AssetCleanupThread] org.postgresql.util.PSQLException: This statement has been closed.
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.postgresql.jdbc2.AbstractJdbc2Statement.checkClosed(AbstractJdbc2Statement.java:2637)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.postgresql.jdbc2.AbstractJdbc2Statement.getResultSet(AbstractJdbc2Statement.java:830)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.getResultSet(NewProxyPreparedStatement.java:1408)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResultSet(DelegatingPreparedStatement.java:202)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResultSet(DelegatingPreparedStatement.java:200)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1026)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1774)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:265)
[assetprofiler.assetprofiler] [AssetCleanupThread] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:255)
[assetprofiler.assetprofiler] [AssetCleanupThread] at com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanupUpdates(AssetCleanupWorker.java:568)
[assetprofiler.assetprofiler] [AssetCleanupThread] ... 4 more |
16 November 2020 |
REPORTS | IJ25351 | ATTACHMENTS IN REPORT MAIL CAN BE CORRUPTED AFTER A QRADAR PATCH HAS BEEN APPLIED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Use a short report name. As an example, for the Japanese locale, using a report name of fewer than 10 characters fixed the issue. This issue may also occur in other languages whose names contain UTF-8 multibyte characters. Issue Mail attachments from QRadar Reports can be corrupted after the SMTP jar files have been upgraded within a QRadar patch (7.3.3 Fix Pack 2 or later). For example, the attachment's filename parameter is split into filename*0= and filename*1= (RFC 2231 parameter continuations), and mail clients that do not reassemble continuations show the attachment with a corrupted or missing name. |
16 November 2020 |
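To see what the filename*0= / filename*1= split is and why some clients show it as corruption (an added example, not from the page and not IBM's code): Python that emits an attachment name as RFC 2231 continuation segments the way a long or multibyte report name is sent, then reads the header back both with the standard library's RFC 2231-aware parser and with a naive filename= regex. The addresses, subject, report name, segment length and payload are constructed for the example.

```python
import base64
import email
import re
from urllib.parse import quote


def rfc2231_continuations(param, value, charset="utf-8", bytes_per_segment=12):
    """Encode `value` as RFC 2231 continuation segments:
    param*0*=charset''%XX%XX..., param*1*=%XX..., and so on.
    Segments are cut on whole %XX escapes so a multibyte character is never split."""
    escaped = quote(value.encode(charset), safe="")          # each non-unreserved byte -> %XX
    tokens = re.findall(r"%[0-9A-Fa-f]{2}|.", escaped)      # one token per encoded byte
    segments = ["".join(tokens[i:i + bytes_per_segment])
                for i in range(0, len(tokens), bytes_per_segment)]
    segments[0] = f"{charset}''" + segments[0]              # charset'language' only on segment 0
    return [f"{param}*{n}*={seg}" for n, seg in enumerate(segments)]


def build_report_mail(filename, payload=b"%PDF-1.4 constructed report body"):
    """Return a raw message whose attachment name travels as RFC 2231 continuations,
    the header shape this APAR describes for long or multibyte report names.
    Addresses, subject and payload are constructed (assumptions) for the example."""
    disposition = "attachment;\n " + ";\n ".join(rfc2231_continuations("filename", filename))
    return (
        "From: QRADAR@localhost.localdomain\n"
        "To: soc@example.test\n"
        "Subject: Scheduled report\n"
        "MIME-Version: 1.0\n"
        "Content-Type: application/pdf\n"
        "Content-Transfer-Encoding: base64\n"
        f"Content-Disposition: {disposition}\n"
        "\n"
        + base64.b64encode(payload).decode("ascii") + "\n"
    )


def filename_rfc2231(raw_message):
    """What an RFC 2231-aware client sees: segments joined, percent-decoded, charset applied."""
    return email.message_from_string(raw_message).get_filename()


def filename_naive(raw_message):
    """What a client that only understands filename=... or filename="..." sees."""
    match = re.search(r'filename="?([^";\r\n]+)"?', raw_message)
    return match.group(1) if match else None


if __name__ == "__main__":
    raw = build_report_mail("週次セキュリティレポート.pdf")
    print(raw.split("\n\n")[0])                  # the headers, continuations included
    print("rfc2231 parser :", filename_rfc2231(raw))
    print("naive parser   :", filename_naive(raw))
```

A client that reassembles continuations recovers the full name; one that only looks for filename= sees no name at all, which is the corruption the workaround avoids: a short report name keeps the parameter short enough that the sender does not split it.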
QRADAR NETWORK INSIGHTS | IJ22720 | QRADAR NETWORK INSIGHTS (QNI) PERFORMANCE DEGRADATION CAUSED BY YAHOO MAIL INSPECTOR COMPONENT | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround If experiencing QNI performance degradation, contact Support for assistance with a system thread dump examination to determine if this issue is the cause. Issue When using the Yahoo Mail inspector component (libymailinsp.so), QNI decapper processes can be working as expected and then begin to drop packets leading to flows stopping. QNI cannot process flow traffic as expected while the decapper service is in this thread bound condition. |
16 November 2020 |
OFFENSE MANAGER | IJ24634 | QRADAR VERSIONS 7.3.2 OR LATER DO NOT INCLUDE THE "REPLY-TO:" FIELD WITHIN GENERATED NOTIFICATION EMAILS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue. Issue Notification emails no longer include the "Reply-To:" field in the email headers. QRadar versions before 7.3.2 are not affected. Example headers from a pre-7.3.2 QRadar:
From: "QRADAR@localhost.localdomain" <QRADAR@localhost.localdomain>
Reply-To: "root@localhost" <root@localhost.test.com>
To: "root@localhost" <root@localhost.test.com>
Subject: Offense #1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit |
16 November 2020 |
ROUTING RULES | IJ27022 | LARGE AMOUNTS OF REVERSE DNS LOOKUPS CAN BE GENERATED WHEN OFFLINE ROUTING RULES ARE CONFIGURED IN QRADAR | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 or 7.3.3 Fix Pack 6 to resolve this issue. Issue When offline routing rules have been configured within QRadar (Admin -> System Configuration -> Routing Rules), large numbers of reverse DNS lookups can be generated. In some customer environments this places significant load on the DNS servers. The issue occurs only when forwarding "normalized" data, not raw payloads. |
16 November 2020 |
FLOWS | IJ28601 | DEFAULT NETFLOW FLOW SOURCE DOES NOT WORK ON NEWLY ADDED FLOW PROC AND GENERATES 'NO FLOW SOURCE DEFINED' ERROR IN LOGGING | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) Workaround Removing and re-adding the flow processor appliance in the QRadar Deployment corrects this issue. For more information, see steps 3 and 5 from the documentation. Issue The default NetFlow flow source does not work as expected on a newly added Flow Processor. During the initial add process, FLOWSOURCE_LIST in nva.qflow.qflow*.conf is not populated, so qflow starts with no flow sources and no flows are received. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1803] com.q1labs.hostcontext.processmonitor.ProcessManager: [INFO] [NOT:0000006000][172.18.142.131/- -] [-/- -]Starting process qflow.qflow102
[QRADAR] [23524] qflow: [INFO] Reading in application signatures from file: /opt/qradar/conf/signatures.xml
[QRADAR] [23524] qflow: [INFO] Application Signatures successfully read in from file: /opt/qradar/conf/signatures.xml
[QRADAR] [23524] qflow: [INFO] Application mapper loading /opt/qradar/conf/user_application_mapping.conf
[QRADAR] [23524] qflow: [INFO] Flow Buffer Size = 100000
[QRADAR] [23524] qflow: [INFO] Connecting to 172.18.142.131:32010
[QRADAR] [23524] qflow: [INFO] Initializing qflow: 23524
[QRADAR] [23524] qflow: [INFO] Packet Source Multi threading: disabled
[QRADAR] [23524] qflow: [INFO] The Flow Governor flow limit is set to: 176508 based on DEPLOYMENT_FLOW_LIMIT: 1500000, HARDWARE_FLOW_LIMIT: 176508 and QF_GOVERNOR (user flow limit): 0
[QRADAR] [23524] qflow: [INFO] Flow De-Duplication: enabled
[QRADAR] [23524] qflow: [INFO] TLVFlowFields: parse and processing of /opt/qradar/conf/flowFieldsDataType-conf.xml completed successfully
[QRADAR] [23524] qflow: [INFO] Initializing Flow Aggregator
[QRADAR] [23524] qflow: [INFO] The host.token file is encrypted on disk, decrypting for use.
[QRADAR] [23524] qflow: [INFO] Initializing Packet Aggregator
[QRADAR] [23524] qflow: [INFO] Flow debug log level set to 0
[QRADAR] [23524] qflow: [ERROR] No flow sources defined - sleeping until signal |
16 November 2020 |
LOG SOURCES | IJ29030 | LOG SOURCES DELETED FROM WITHIN LOG SOURCE GROUPS CAN STILL APPEAR IN THE QRADAR USER INTERFACE | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue When a Log Source (that is assigned to a Log Source group) is deleted, that Log Source can sometimes continue to be displayed in the Log Source group. For example:
|
03 November 2020 |
MANAGED HOST | IJ29041 | REMAP (COMPONENT ID) OPTION CAN FAIL TO BE DISPLAYED DURING ADD HOST FUNCTION | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue When adding a Managed Host to a QRadar Deployment, if the deployment model contains a connection whose target/source ID is invalid (a component with that ID does not exist in deployment.xml), the remap host dialog does not pop up in the User Interface. When this issue occurs, it prevents the remap of component IDs on the Managed Host being added. The Managed Host add function completes, but an error stating 'unable to add managed host' similar to the following is written to /var/log/qradar.error: [tomcat.tomcat] [Thread-140205] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] unable to add managed host: Unable to marshal deployment to staging while adding conection: Connection source contains an invalid component id 102 |
03 November 2020 |
CUSTOM EVENT PROPERTIES | IJ29043 | LARGE AMOUNT OF COLON " : " SYMBOLS GENERATED DURING JSON PARSING FOR WINDOWS EVENT LOG IN CUSTOM EVENT PROPERTIES | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/qradarforums Issue When attempting to use the JSON parser in Custom Event Properties to parse Windows Event Logs, a large number of colon " : " symbols are generated and incorrect parser results are output. For example:
|
12 July 2021 |
SECURITY PROFILES | IJ29042 | USERS CREATED USING LDAP USER ATTRIBUTES CAN HAVE NO ADMIN ROLE SECURITY PROFILES FOR ADMIN ROLES | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Configure the LDAP server so that users that have an Admin role get an Admin Security Profile. Issue Users created via LDAP User attributes can have Non-Admin security profiles for Admin Roles. If accounts are configured via the User Interface and a user has an Admin Role, they must have an Admin Security Profile. For example:
|
24 May 2021 |
SECURITY BULLETIN | UNZIP AS USED BY IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
Issue Info-ZIP UnZip is vulnerable to a denial of service, caused by mishandling the overlapping of files inside a ZIP container. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause resource consumption. CVSS Base score: 3.3 |
13 October 2020 |
SECURITY BULLETIN | APACHE DERBY AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
Issue Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control. CVSS Base score: 7.5 |
13 October 2020 |
RULES | IJ28759 | RULE RESPONSE EMAILS CONTAINING CUSTOM EVENT PROPERTIES DISPLAY THOSE PROPERTIES AS "N/A" IN THE RULE RESPONSE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 Intern Fix 1 (7.4.1.20201018191117) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue Rule responses that use email templates containing Custom Event Properties do not populate the properties correctly in the response. When this issue occurs, those properties display as "N/A" in the response. |
26 November 2020 |
SERVICES | IJ25854 | "SOFTWARE INSTALL" QRADAR EVENT COLLECTOR OR DATANODE CAN FAIL TO START REQUIRED SERVICES AFTER ADDED TO DEPLOYMENT | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround Perform a full replication on the affected Managed Host from a command line prompt:
Required services on a "software install" Event Collector or DataNode fail to start after they are added to the QRadar deployment. |
23 February 2022 |
OFFENSES | IJ25797 | NULLPOINTEREXCEPTION WRITTEN TO QRADAR LOGGING WHEN VIEWING EVENTS ASSOCIATED TO AN OFFENSE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available; this issue requires a software release to resolve. Issue A Null Pointer Exception is written to QRadar logging when attempting to view Events associated with an Offense. To replicate this issue:
Messages similar to the following might then be visible in /var/log/qradar.log: [tomcat.tomcat] [ArielQueryManager] com.q1labs.ariel.ui.bean.EventSearchDelegate: [ERROR] [127.0.0.1/- -] [-/- -]Error processingoffenseId parameter for offense EQ 1 [tomcat.tomcat] [ArielQueryManager] java.lang.NullPointerException [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.IUIArielSearchDelegate$OffenseProcessor.addOffenseSearchCriteria(IUIArielSearchDelegate.java:106) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.EventSearchDelegate.prepareQuery(EventSearchDelegate.java:265) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:965) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:746) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:740) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(QueryHandleSerializer.java:191) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(QueryHandleSerializer.java:34) [tomcat.tomcat] [ArielQueryManager] at com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69) [tomcat.tomcat] [ArielQueryManager] at com.google.gson.Gson.fromJson(Gson.java:887) [tomcat.tomcat] [ArielQueryManager] at com.google.gson.Gson.fromJson(Gson.java:852) [tomcat.tomcat] [ArielQueryManager] at com.google.gson.Gson.fromJson(Gson.java:801) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.bean.EventSearchDelegate.deserialize(EventSearchDelegate.java:433) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.core.dao.ariel.ArielQueryHandle.getQueryHandle(ArielQueryHandle.java:158) [tomcat.tomcat] [ArielQueryManager] at com.q1labs.ariel.ui.ArielQueryManager.run(ArielQueryManager.java:594) |
27 June 2020 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. |
07 October 2020 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
IBM QRadar could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base Score: 6.3 |
07 October 2020 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. |
07 October 2020 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO KDC SPOOFING | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
IBM QRadar SIEM when configured to use Active Directory Authentication may be susceptible to spoofing attacks. CVSS Base Score: 7.5 |
07 October 2020 |
SECURITY BULLETIN | IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO USING COMPONENT WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Affected versions
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. |
07 October 2020 |
DATA OBFUSCATION | IJ26220 | DATA DEOBFUSCATION KEYS CAN FAIL TO WORK AS EXPECTED IN SOME QRADAR DOMAIN ENVIRONMENTS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 4 (7.3.3.20200629201233) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround No workaround available. Issue Data deobfuscation fails when using the correct deobfuscation key for events that are tagged to an Event Collector domain where the Event Collector is connected to an Event Processor. The data deobfuscation keys created can sometimes fail with a message similar to "Deobfuscation fail". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (2367) /console/do/obfuscation/obfuscationdecryption] com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDING_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL, javax.crypto.BadPaddingException: decryption fail. javax.crypto.BadPaddingException: Given final block not properly padded |
17 July 2020 |
SEARCH | IJ25350 | SAVED SEARCHES CAN GENERATE AN APPLICATION ERROR WHEN A CUSTOM EVENT PROPERTY USES A RESERVED AQL KEY NAME | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Delete the Custom Event Property; disabling the property does not resolve the search errors. Issue When a custom event property is named using a reserved AQL name in QRadar, such as 'searchName', the user interface can generate an Application Error when the search is run. Note: This issue can be reproduced with the following steps, but doing so is not recommended, as creating the custom property as described can prevent searches from running, as documented in the error logs.
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by: [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] java.lang.RuntimeException: Error processing criteria searchName [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1517) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuilder.java:386) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:927) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] ... 81 more [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by: [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] java.lang.IllegalArgumentException: Operation Event is not valid. Should be one of [EQ, LT, LE, GT, GE, NEQ] [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(CriteriaBuilder.java:1047) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuilder.java:1316) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1424) [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] ... 83 more [tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] org.apache.jsp.qradar.jsp.ArielSearch_jsp: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not forward to exception page, possibly an included JSP? [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getGlobalViewDetails' [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] java.lang.RuntimeException: java.lang.RuntimeException: Error processing criteria searchName [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:1007) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at com.q1labs.ariel.ui.UIArielServices.getGlobalViewID(UIArielServices.java:12530) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at com.q1labs.ariel.ui.UIArielServices.getGlobalViewDetails(UIArielServices.java:12253) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) [tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) |
12 June 2020 |
UPGRADE | IJ22566 | QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances. Issue The QRadar patching process can fail and roll back when there are unexpected blank tables within the QRadar Vulnerability Manager (QVM) fusion database. Messages similar to the following might be visible during the patch process and also within the most recent /var/log/setup-7.3.3.xxxxxxxxx/patches.log: Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] ip={host_ipaddress} Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch report files. Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Patch Report for 172.16.77.26, appliance type: 1202 {hostname}: patch test succeeded. 1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details: WARNING: SET TRANSACTION can only be used in transaction blocks ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes" DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes". CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','', 1,5,10000,2,10,2)" PL/pgSQL function enable_netbios_ports() line 4 at SQL statement {hostname} : patch rolled back. Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr= Patch Report for |
05 February 2020 |
SECURITY BULLETIN | APACHE ZOOKEEPER AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Affected versions
Issue Apache ZooKeeper could allow a remote attacker to obtain sensitive information, caused by the failure to check permissions by the getACL() command. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5 |
21 September 2020 |
OFFENSES | IJ27346 | OFFENSE API CALLS CAN CAUSE A HOSTCONTEXT TXSENTRY TO OCCUR AS NO LIMIT IS APPLIED TO THE NUMBER OF FIELDS TO BE RETURNED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed. Issue The hostcontext process can experience a TxSentry (the process is killed when it takes too long to complete) that is caused by the Offense API not having limits set on the number of fields that it can return. This behavior can be observed during the usage of some QRadar apps that use Offense API calls (e.g., the Incident Overview app). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=offense_device_link_pkey age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user' [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevicetype age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user' [hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevice_eccomponentid_idx age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user' |
31 August 2020 |
QRADAR NETWORK INSIGHTS | IJ26718 | QRADAR NETWORK INSIGHTS (QNI) CAN INTERMITTENTLY SLOW OR STOP SENDING FLOWS WHEN QNI IS CONFIGURED TO USE DTLS FOR ITS COMMUNICATION PROTOCOL | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Restarting the qflow process or QNI corrects this behavior. Issue In QRadar 7.4.1 GA, QRadar Network Insights (QNI) flow sources that are configured to use DTLS for their communication protocol can slow to a rate of only a few flows per minute (FPM) or stop entirely when sending flows into QRadar qflow. This behavior has been observed to occur after a few minutes or sometimes after several hours of proper function. |
21 May 2021 |
HIGH AVAILABILITY (HA) | IJ18179 | LOG COLLECTION ON A HIGH AVAILABILITY SECONDARY CAN FAIL TO OCCUR AFTER INITIAL FAILOVER DUE TO MISSING JAR FILES | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround
It has been identified that some required jar files are not copied to opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs on a High Availability (HA) secondary appliance until a Deploy Full Configuration is performed after the HA secondary becomes active. |
18 October 2019 |
HISTORICAL CORRELATION | IJ26306 | EVENT/FLOW WINDOW IS BLANK FOR HISTORICAL CORRELATION OFFENSES AND VIEWING 'LAST 10 EVENTS/FLOWS' GENERATES ERROR | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) Workaround No workaround available. This issue was reopened because the error was reported again by users at QRadar 7.4.2 and 7.4.1 Fix Pack 2, and closed with the release of QRadar 7.4.2 Fix Pack 3. Issue While attempting to view Events or Flows associated with a Historical Correlation Offense, the Event/Flow List window displays a blank page. When attempting to view the "Last 10 Events/Flows" for a Historical Correlation Offense, a message similar to the following is generated: "An error occurred while fetching the Events for this offense" or "An Error occurred while fetching the Flows for this offense". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: tomcat[44128]: Caused by: tomcat[44128]: java.lang.NoSuchMethodError: com/ibm/si/core/offensemapper/OffenseMapperFactory.getOffenseMapperType(ILjava/lang/String;Ljava/lang/String;)Lcom/ibm/si/core/offensemapper/OffenseMapperType; (loaded from file: /opt/qradar/webapps/console/WEB-INF/lib/q1labs_core.jar by PluginClassLoader tomcat[44128]: context: console tomcat[44128]: delegate: false tomcat[44128]: ---------- Parent Classloader: tomcat[44128]: java.net.URLClassLoader@17b2c16d tomcat[44128]: ) called from class com.ibm.si.hc.HistoricalCorrelationProcessor (loaded from file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_hc.jar by PluginClassLoader tomcat[44128]: context: console tomcat[44128]: delegate: false tomcat[44128]: ---------- Parent Classloader: tomcat[44128]: java.net.URLClassLoader@17b2c16d tomcat[44128]: ). tomcat[44128]: at com.ibm.si.hc.HistoricalCorrelationProcessor.transformQueryParams(HistoricalCorrelationProcessor.java:2538) |
12 April 2021 |
REPORTS | IJ26071 | CSV REPORTS CAN FAIL TO GENERATE WHEN THERE IS NO ACCUMULATED DATA | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Use the .pdf report output for reports. The PDF option allows the report to be created without an error being generated in the QRadar logs. Administrators who require CSV reports can install QRadar 7.4.1 Fix Pack 1. This issue was reported by users at QRadar 7.3.2 Patch 6. Issue When a report is configured for .csv output and that report has no accumulated data, the report fails to generate and an error is logged to QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml] [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml] [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:623) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORTING CSV builder: More than on table header found. This is invalid for single table report [report_runner] [main] at com.q1labs.reporting.csv.ReportCSVBuilder.buildColumnRecord(ReportCSVBuilder.java:100) [report_runner] [main] at com.q1labs.reporting.csv.ReportCSVBuilder.buildCsvFile(ReportCSVBuilder.java:177) [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:520) [report_runner] [main] ... 1 more |
14 July 2020 |
SYSTEM NOTIFICATIONS | IJ22900 | NOTIFICATION TABLE CONTAINS DUPLICATE ROWS FOR THE SAME EVENT CAUSING DISCREPANCY IN NOTIFICATION DATA DISPLAYED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. Issue When opening the Notification “An invalid protocol source configuration may be stopping event collection.”, the number of events displayed does not match the number of notifications. For example, the Notification displays (6 events), but when clicking on “view all” there are only 3 events. |
09 October 2020 |
QRADAR VULNERABILITY MANAGER / EXPORT | IJ25880 | AN EXCEPTION IS THROWN WHEN ATTEMPTING AN EXPORT FROM THE SCAN RESULTS VULNERABILITIES LIST | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when exporting scan results from the Vulnerabilities tab. This issue was reported by users at QRadar Vulnerability Manager 7.4.0 (GA) General Availability and later. Issue An Export error pop-up exception is generated when attempting to export the list of vulnerabilities from the Scan Results user interface. For example:
|
27 June 2020 |
LOG ACTIVITY | IJ26129 | EVENTS COPIED FROM ONE QRADAR DEPLOYMENT TO ANOTHER CANNOT BE OPENED IF THE COMPONENT ID DOES NOT EXIST IN THE NEW ONE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when copying event data between appliances. This issue was reported by users at QRadar 7.4.0 Fix Pack 1 and later. Issue When events are copied from one QRadar deployment to another and the component id associated with those events does not exist within the data on the new QRadar deployment, those events cannot be opened. An "Application Error" is generated in the QRadar User Interface when a user attempts to open the affected events. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: {timestamp}18:14:55.738727 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request: {timestamp}18:14:55.739787 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] java.lang.NullPointerException |
15 July 2020 |
QRADAR NETWORK INSIGHTS / UPGRADE | IJ22448 | PATCH OF A QNI APPLIANCE CAN FAIL WHEN THE NAPATECH SERVICE FAILS TO START | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve Napatech service issues related to software upgrades. This issue might be experienced by users at QRadar Network Insights 7.3.2 (GA) General Availability or later. Issue QRadar patching fails on a QNI appliance that has a failed Napatech card or whose required napatech3 service cannot be started. |
09 October 2020 |
QFLOW | IJ25317 | QFLOW MEMORY USAGE CAN CONTINUALLY GROW AS ADDITIONAL UNIQUE TEMPLATES ARE USED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed. Issue The QRadar qflow process currently does not flush any of its templates from memory when they have been inactive for a period of time. As more unique templates are used by the qflow process (e.g., QNI or third-party exporter restarts cause a "new" template to be stored in QFlow memory), the memory used by qflow continually grows. |
12 June 2020 |
LICENSING | IJ23772 | AVERAGE EPS REPORTED FOR A MANAGED HOST CAN REPORT ZERO (0) DUE TO NULL VALUES LISTED IN A GLOBAL VIEW (GV) | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed. Issue The Average EPS in the table License_pool_allocation for some Managed Hosts is not updated due to a NullPointerException that occurs in a Global View (GV). When this occurs, the Average EPS for affected Managed Hosts can display as zero (0) EPS. |
19 September 2020 |
REPORTS | IJ10609 | "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround No workaround available. Issue It has been identified that timeseries reports with the Time variable configured for the X-Axis display "No data for Chart". For example, to replicate this issue:
|
09 October 2020 |
TELNET FLOW INSPECTOR | IJ18004 | QRADAR NETWORK INSIGHTS (QNI) TELNET INSPECTOR CAN INCORRECTLY CLASSIFY SOME LDAP FLOW TRAFFIC AS TELNET TRAFFIC | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed. Issue It has been identified that in some instances, the QRadar Network Insights (QNI) Telnet Inspector can incorrectly classify LDAP flow traffic as Telnet traffic. When this occurs, rules that match on Telnet traffic can sometimes produce false positives. |
09 October 2020 |
DEPLOY CHANGES | IJ25798 | DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed. Issue A QRadar deploy function can fail when an index (reference_data_element_data1) on a Managed Host is inconsistent with the one on the Console. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR: index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT: Values larger than 1/3 of a buffer page cannot be indexed. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT: SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE {hostname}-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql. |
27 June 2020 |
LICENSE | IJ13317 | LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Workaround Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues where the System and License Management user interface displays N/A. Issue It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring. Note: The GV number can vary between log instances. For example, GV_{Number}_HOURLY: {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO] [NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR] [NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve data for GV_{Number}_HOURLY {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] java.lang.NullPointerException {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.java:243) {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Statistics.java:186) {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics.java:127)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.update(Statistics.java:49) {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.LicenseMonitor.timeExpired(LicenseMonitor.java:239) {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEventInfo.dispatchEvent(TimerEventGenerator.java:234) {hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129) |
06 February 2019 |
DEPLOY CHANGES | IJ15527 | DEPLOY FUNCTION CAN TIMEOUT WHEN A REQUIRED PROCESS IS UNABLE TO CONNECT TO QRADAR APPS | CLOSED | Resolved in QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround No workaround available. Issue It has been identified that when QRadar Apps do not respond to a required process during a Deploy function, the Deploy can time out. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to execute db app sync post deploy action [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.q1labs.configservices.process.ProcessException: Unable to execute platform app sync. [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeAction(DBAppSyncPostDeployAction.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.postDownloadAndApply(ConfigSetUpdater.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApplyConfiguration(ConfigSetUpdater.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.startDownloadAndApplyConfiguration(ConfigSetUpdater.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigChangeObserver.updateConfiguration(ConfigChangeObserver.java) [hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigChangeObserver.update(ConfigChangeObserver.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.observer.Subject.updateNotify(Subject.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.observer.JMSMessageSubject.messageReceived(JMSMessageSubject.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.ibm.si.application.conman.sync.ApplicationSyncException: An error occurred while attempting to sync apps on host [e7979a607d5e320f8c98.localdeployment] [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.syncAppsOnHost(DBConmanSyncService.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.performManagedHostAppSync(DBConmanSyncService.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.performSync(DBConmanSyncService.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeAction(DBAppSyncPostDeployAction.java) [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] ... 9 more [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: 20 attempts across 10 minutes failed to connect to these apps: 1004:[Reference Data Import - LDAP] |
16 May 2019 |
MICROSOFT OFFICE 365 MESSAGE TRACE | IJ26483 | ECS-EC-INGRESS SERVICE CAN EXPERIENCE OUT OF MEMORY OCCURRENCES WHEN MICROSOFT OFFICE 365 MESSAGE TRACE LOG SOURCE IS ENABLED | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue The QRadar ecs-ec-ingress service (used to collect events) can experience Out Of Memory occurrences when Microsoft Office 365 Message Trace log sources are in use (enabled) and large volumes of events are being ingested by the log source at initial startup. |
25 July 2020 |
WINCOLLECT | IJ27064 | WINCOLLECT CAN CAPTURE RANDOM IP ADDRESSES FOR POPULATING THE 'ORIGINATING COMPUTER' FIELD IN EVENTS | CLOSED | Resolved in WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41) Workaround No workaround available. Administrators must upgrade to a version where this issue is resolved. Issue WinCollect can capture random IP addresses to populate the 'OriginatingComputer=ipaddress' field in event payloads when the events are being generated by WinCollect. Example payload generated: <13>Jul 22 18:35:43 ip_address AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.105 Source=Microsoft-Windows-Security-Auditing Computer=hostnameFQDN OriginatingComputer=random_ip_address |
28 October 2020 |
DEPLOY CHANGES | IJ25798 | DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS | OPEN | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR: index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT: Values larger than 1/3 of a buffer page cannot be indexed. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT: SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE {hostname}-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql. |
27 June 2020 |
LOG SOURCE MANAGEMENT APP | IJ27045 | UNABLE TO ADD MULTIPLE LOG SOURCES AT A TIME TO A LOG SOURCE GROUP USING THE LOG SOURCE MANAGEMENT APP | OPEN | Workaround Moving the Log Sources one at a time to Log Source groups works as expected. Issue Attempting to add multiple Log Sources at a time to a Log Source Management Group using the Log Source Management app does not work as expected. When selecting multiple Log Sources and then selecting “add to group”, a loading bar is displayed indicating the move process is occurring and a completion/success message is generated. Despite the appearance of success of the Log Sources being moved, the selected Log Sources have not been added to the group. |
24 August 2020 |
LOG ACTIVITY | IJ27199 | ‘DEVICE STOPPED EMITTING EVENTS’ EVENT CAN DISPLAY INCORRECT LOG SOURCE TIME OF EPOCH 0 | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) Workaround No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue. Issue The event ‘Device Stopped Emitting events’ details page can display an incorrect Log Source Time of EPOCH 0 (i.e. Jan 1 1970) due to the device sending the event’s “time” value not being set correctly. This can cause unexpected rule behavior due to the incorrect value for the Log Source Time. |
16 November 2020 |
DSM EDITOR | IJ26226 | DSM EDITOR FAILS TO PREVIEW CUSTOM PROPERTY OVERRIDE OF ‘ANY’ ‘ANY’ FOR HIGH AND LOW LEVEL CATEGORY BUT PARSES IT CORRECTLY | OPEN | Workaround No workaround available. Issue When adding selectivity to a custom property override in the DSM Editor page and using “any” for both High Level Category and Low Level Category, nothing is displayed in the DSM Editor preview, but the override parses as expected in the pipeline if it is applied. |
22 July 2020 |
EXTENSION MANAGEMENT | IJ26462 | ‘FAILED EXTENSION INSTALLATION TASK FOR EXTENSION ID | CLOSED | Workaround No workaround available. This issue is closed as a permanent restriction. This scenario is one that will not be resolved through the legacy import process. The newer import process in development will support resolution (by the user) of these conflict cases during the installation process, so it should be able to fix this issue. Issue Performing a DSM Import from within the QRadar User Interface can fail with the error “Failed Extension installation task for extension id XX”. For example: |
24 July 2020 |
DASHBOARD | IJ26192 | RSS FEED DASHBOARDS DO NOT WORK WHEN QRADAR IS BEHIND A PROXY | CLOSED | Workaround No workaround available. This issue is closed as a permanent restriction. Issue When QRadar is behind a proxy, RSS feed dashboard items cannot connect and report an error. Example error message in the Dashboard: Unable to view rss feed of url http://feeds.feedburner.com/SecurityIntelligence. |
14 July 2020 |
OFFENSES / REPORTS | IJ25398 | THERE ARE DISCREPANCIES IN THE COLUMNS INCLUDED WITHIN THE OFFENSE SEARCH AND OFFENSE DETAILS REPORT | CLOSED | Workaround No workaround available. Closed as a suggestion for a future release. Issue There are discrepancies in the columns included within the Offense search and the Offense details report. For example:
Comments Unfortunately, there will be no work done on the existing Offense Screen/Searches or Reporting that will allow the user to refine the offense details. The user may use the Offense API, which will have significant performance improvements in 7.4.1, to retrieve the information that they are looking for. |
14 July 2020 |
UPGRADE / HIGH AVAILABILITY (HA) | IJ12252 | QRADAR PATCH FAILS WHEN MORE THAN ONE .SFS IS MOUNTED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround To resolve the issue, remove the deleted mounts by typing umount /media/updates as many times as needed, or until all /media/updates mount references are removed. Type the command mount | grep media to verify that all volumes mounted to /media/updates are removed. Remount the .SFS file you need to patch or update your system. Check for deleted mounts on both Primary and Secondary HA nodes. For more information, see the following technical note. Issue It has been identified that when two sfs files are mounted, the QRadar patch test is successful, but the patch fails with an error similar to “Original patch sfs file, ‘{patch_file_path}’ not found, please verify and restore the file.” Look for similar messages in /var/log/setup- Copying file /storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs to host /storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs cp: cannot create regular file 'root@/storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs': No such file or directory [ERROR] Couldn't copy patch file FILE to host /storetmp. [ERROR] Copied patch file to standby host, but MD5 sums do not match. [ERROR](a-i-has-testmode) HOSTNAME-secondary : patch test failed. [ERROR](a-i-has-testmode) Patching can not continue Patch Report for IP-ADDRESS, appliance type: 1828 HOSTNAME-primary : patch test succeeded. Copied patch file to standby host, but MD5 sums do not match. See the following Technote for additional information: https://www.ibm.com/support/pages/node/1072998 |
22 November 2019 |
LOG SOURCE MANAGEMENT APP | IJ24187 | TESTING A CONFIGURATION IN THE LOG SOURCE MANAGEMENT APP CAN FAIL FOR SOME PROTOCOLS WHILE THE CONFIGURED LOG SOURCE WORKS | OPEN | Workaround No workaround available. Issue Testing a configuration using the Log Source Management App can fail with an unknown error on some protocols. Regular operation of the configured Log Source to collect data can function properly in some instances where the testing function fails. |
08 April 2020 |
DATA OBFUSCATION / DOMAINS | IJ24467 | DOMAIN OBFUSCATION PROFILE CAN FAIL TO BE COPIED CORRECTLY TO EVENT COLLECTOR | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue A Domain Obfuscation profile can fail to be applied to the correct domain due to obfuscation_field_expression_domain and obfuscation_reg_expression_domain failing to be added to the Event Collector replication profile sent from the QRadar Console. |
24 April 2020 |
LOG SOURCE MANAGEMENT APP | IJ25871 | BULK EDIT > ADD TO GROUP FOR LOG SOURCES USING THE LOG SOURCE MANAGEMENT APP V6 DOES NOT WORK AS EXPECTED | CLOSED | Resolved in Log Source Management App version 6.1.0. Users who experience issues with bulk editing log sources can update to the latest version of the app or use the QRadar Assistant to upgrade their applications. Workaround No workaround available. Issue Performing a Bulk Edit > Add to Group function for log sources using the Log Source Management (LSM) app v6 displays as successful but does not add the log sources to the group. The LSM app v5 does not experience this issue. |
06 February 2021 |
SEARCH / HIGH AVAILABILITY (HA) | IJ07275 | ARIEL CURSOR FILES (USED FOR SAVED SEARCHES) ARE LOST AFTER A HIGH AVAILABILITY CONSOLE FAILOVER OCCURS | CLOSED | Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) Workaround No workaround available. Issue It has been identified that the Ariel cursor files, which are created and used for saved searches, are not being copied to the Standby HA console appliance. When a High Availability (HA) console failover occurs, the Saved Searches no longer appear in the QRadar User Interface as the required cursor files are not present. |
07 March 2019 |
AMAZON AWS REST API PROTOCOL | IJ26748 | AMAZON AWS S3 REST API PROTOCOL CAN POLL FOR PREVIOUSLY PROCESSED EVENTS DUE TO AN AWS API CHANGE | OPEN | Workaround No workaround available. Issue It has been identified that when using the Amazon AWS S3 REST API protocol, the QRadar appliance can poll for older events. This causes Amazon AWS S3 and Cisco Umbrella log sources to poll for events that were previously processed by QRadar. Previously, QRadar used a marker file to determine the last polling interval to ensure that the AWS S3 buckets polled did not request older events in the API query. This functionality has changed recently in the Amazon AWS REST API. The root cause of this issue is a transition of the Amazon AWS REST API to use a new startAfter key value in API queries. This issue is reported in the following protocol versions:
|
02 August 2020 |
SYSTEM NOTIFICATIONS | IJ26134 | SYSTEM NOTIFICATIONS FOR ‘PROCESS TUNNEL.TUNNEL{XXX} HAS FAILED TO START…” CAN BE CAUSED BY DUPLICATE OFFSITE TUNNEL CREATION | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue QRadar System Notifications relating to tunnels not starting can be observed when duplicate tunnels for encrypted offsite targets are created by QRadar within the deployment.xml configuration file. Additional duplicate tunnels can be generated after each subsequent Deploy function when this issue occurs. Event name: “Error: Process monitor application has failed to startup multiple times” Payload: Apr 8 23:48:58 127.0.0.1 [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [NOT:0150114103][x.x.x.x/- -] [-/- -]Process tunnel.tunnel293 has failed to start for 6828 intervals. Continuing to try to start... |
15 July 2020 |
SYSTEM NOTIFICATIONS | IJ26118 | QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. Issue QRadar System Notifications that contain QIDs with URL links can fail to display correctly after patching. (e.g. assetprofiler QID – 38750073) |
14 July 2020 |
DEPLOY CHANGES | IJ25798 | DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOST(S) | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue A QRadar deploy function can fail when there is an inconsistency in an index (reference_data_element_data1) between what is on the Console and what is on a Managed Host. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR: index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT: Values larger than 1/3 of a buffer page cannot be indexed. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing. [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT: SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element" [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE hostname-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql. |
27 June 2020 |
LICENSE / QRADAR NETWORK INSIGHTS | IJ25793 | LICENSE CANNOT BE APPLIED SUCCESSFULLY TO QNI APPLIANCE TYPES 6500 ON PATCHED DEPLOYMENTS | OPEN | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) Workaround Note: This command can take a couple of minutes before it returns to the shell prompt, as the Tomcat restart may take a couple of minutes. Run the following command: sed -i.install 's/^forensicsRealtime=.*/forensicsRealtime=6200,6300,6400,6500,0,software/g' /opt/qradar/conf/templates/deployments/applianceTypes.properties ; systemctl restart tomcat Note: Formatting on this page may cause the command to wrap. The command has the following form: sed -i.install ‘text’ /filepath ; systemctl restart tomcat Issue In some instances, licenses cannot be successfully applied to QRadar Network Insights (QNI) appliance types 6500. This behavior has been observed in QRadar deployments that have been patched (i.e., not fresh installs). |
29 July 2020 |
CUSTOM PROPERTIES / DATA OBFUSCATION | IJ19993 | CUSTOM PROPERTY IS NOT PROPERLY PARSED FROM EVENT PAYLOAD WHEN EXPRESSION BASED DATA OBFUSCATION HAS BEEN IN USE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that a correctly configured Custom Property does not properly parse event data when expression based Data Obfuscation has been configured and is in use. When this occurs, the expected event payload data is not parsed for use and display by QRadar. |
07 October 2019 |
QRADAR VULNERABILITY MANAGER | IJ22496 | ‘{PROFILENAME} CANNOT BE RAN AS IT HAS ON DEMAND SCANNING ENABLED’ WHEN SCAN NAME CONTAINS ‘RC’ OR ‘CRE’ | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue Scan profiles cannot be run from the Scan Results screen when a scan name contains ‘RC’ or ‘CRE’. A message similar to “{ProfileName} cannot be ran as it has On Demand Scanning enabled” is generated in the QRadar User Interface when this issue is occurring. |
10 February 2020 |
SEARCH / SHOW AQL | IJ21226 | ‘SHOW AQL’ BUTTON DISPLAYS “NULL” OUTPUT FOR A SAVED SEARCH USING ‘PAYLOAD MATCHES REGULAR EXPRESSION’ FILTER | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that using the “Show AQL” button for a saved search using the “Payload Matches Regular Expression” filter displays “null” in the text field where the AQL should display. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error occurred while returning the saved search [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] java.lang.RuntimeException: Predicate 'com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches@34bf9463' [class: class com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches] doesn't implement I2AQL [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:142) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:147) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.utils.CriteriaBuilder.buildAql(CriteriaBuilder.java:512) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm2AQL.java:143) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm2AQL.java:105) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at
com.q1labs.cve.api.impl.ariel.ArielAPIImpl.convertToAQL(ArielAPIImpl.java:1112) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.api.impl.ariel.ArielAPIImpl.buildArielSavedSearchDTO(ArielAPIImpl.java:1091) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.api.impl.ariel.ArielAPIImpl.getSavedSearch(ArielAPIImpl.java:1123) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10.getSavedSearch(ArielAPI_v10.java:199) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at java.lang.reflect.Method.invoke(Method.java:508) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:239) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:303)
[tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:221) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at com.q1labs.uiframeworks.auth.EulaFilter.doFilter(EulaFilter.java:141) [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) |
27 November 2019 |
AUTO UPDATE | IJ21293 | AUTOUPDATE AND CRON NOT RUNNING ON 7.3.2 QRADAR IMAGES INSTALLED ON GOOGLE CLOUD PLATFORM AND AMAZON WEB SERVICES | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Performing the following commands from a command line on the system after it’s built corrects the issue outlined in the APAR. $ sudo su - $ pwck $ systemctl start crond.service Issue It has been identified that 7.3.2 QRadar Images installed on Google Cloud Platform and Amazon Web Services (AWS) do not have Automatic Updates and the cron service does not run. |
09 December 2019 |
BACKUP AND RESTORE | IJ21230 | CONFIG BACKUP CAN TAKE LONGER THAN EXPECTED TO COMPLETE IF A MANAGED HOST TIMEOUT OCCURS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that the script update-remote-certs.sh does not have an SSH connection timeout configured for the rsync command. This can result in a longer than expected time to restore a config backup if Managed Host connections experience a timeout. |
29 July 2020 |
REFERENCE DATA | IJ21228 | TOMCAT OUT OF MEMORY CAN OCCUR DURING AUTOMATED REFERENCE DATA CLEANUP BY QRADAR | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that in some instances the tomcat process can experience an Out of Memory occurrence during QRadar’s automated cleanup of reference data. The QRadar User Interface is unavailable during a tomcat Out of Memory occurrence until the affected services recover. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() - SQLException caught while trying to delete from Reference Data Collection : UBA : User Accounts, Successful, Recent com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] Chained SQL Exception [1/2]: Batch entry 0 delete from reference_data_element rde where rde.rdk_id = (select id from reference_data_key where rd_id = 53 and domain_info = 2147483647) and data= ? was aborted: An I/O error occurred while sending to the backend. Call getNextException to see other errors in the batch. com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] Chained SQL Exception [2/2]: An I/O error occurred while sending to the backend. com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() getNextException(): java.sql.BatchUpdateException: Batch entry 0 delete from reference_data_element rde where rde.rdk_id = (select id from reference_data_key where rd_id = 53 and domain_info = 2147483647) and data = ? was aborted: An I/O error occurred while sending to the backend. Call getNextException to see other errors in the batch. at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java:148) at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java) at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java:1556) at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(NewProxyPreparedStatement.java:1723) at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250) at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeBatch(LoggingConnectionDecorator.java:1149) at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250) at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250) at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250) at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeBatch(JDBCStoreManager.java:1809) at com.q1labs.frameworks.session.PreparedStatementWrapper.executeBatch(PreparedStatementWrapper.java:265) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.runSqlStatement(ReferenceDataCacheSet.java:494) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.deleteData(ReferenceDataCacheSet.java:576) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.access$800(ReferenceDataCacheSet.java:36) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.call(ReferenceDataCacheSet.java:273) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.call(ReferenceDataCacheSet.java:251) at com.q1labs.core.dao.referencedata.light.RefDataCacheLock.writeCacheAccess(RefDataCacheLock.java:125) at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.deleteElement(ReferenceDataCacheSet.java:250) at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.deleteElement(RefDataDomainProtection.java:83) at com.q1labs.core.shared.referencedata.ReferenceDataManager.deleteFromReferenceDataCollection(ReferenceDataManager.java:885) at com.q1labs.core.shared.referencedata.ReferenceDataManager.deleteFromReferenceDataCollection(ReferenceDataManager.java:946) at com.q1labs.core.shared.referencedata.ReferenceDataTimer.expireData(ReferenceDataTimer.java:186) at com.q1labs.core.shared.referencedata.ReferenceDataTimer.timeExpired(ReferenceDataTimer.java:68) at com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEventInfo.dispatchEvent(TimerEventGenerator.java:234) at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129) Caused by: org.postgresql.util.PSQLException: An I/O error occurred while sending to the backend. at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:333) at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:816) ... 23 more Caused by: java.net.SocketException: Socket closed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.socketRead(SocketInputStream.java:127) at java.net.SocketInputStream.read(SocketInputStream.java:182) at java.net.SocketInputStream.read(SocketInputStream.java:152) |
06 December 2019 |
RULES | IJ20895 | PARSING RULE 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' CAN GENERATE A NUMBERFORMATEXCEPTION | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Use different test condition(s) that achieve the same expected output as the failing rule. Issue It has been identified that a "NumberFormatException" is generated when rules that use certain 'when the event matches this search filter' conditions are executed. The trace shows a space-separated list of IDs ("100003 100033 100001") being handed to Integer.parseInt as a single value, which Java rejects. The exception is logged by ecs-ep as follows: [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.ArielFilterTest: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing parameters [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] java.lang.NumberFormatException: For input string: "100003 100033 100001" [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:592) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:627) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.ArielFilterTest.createArielTest(ArielFilterTest.java:49) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.ArielFilterTest.setParms(ArielFilterTest.java:90) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:121) [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRule. |
13 November 2019 |
RULES | IJ20631 | RULES WITH CONDITIONS THAT SPAN ACROSS MIDNIGHT DO NOT WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Split the time condition into two rules, one for each part of the required time frame (for example, 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the filter "and when the event match any of the following {building blocks}". Issue It has been identified that rules created with conditions that span across midnight do not fire as expected. Example of rule conditions within a rule that does not fire: |
13 November 2019 |
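The wrap-around logic behind IJ20631, as an added example that is not QRadar's code: a time-of-day test written as a single range comparison can never match a window such as 18:00 to 03:00, because the start is numerically greater than the end. The workaround above splits the window at midnight by hand with two building blocks; the function below performs the same split programmatically and is the general form of that fix. All function and variable names are this example's own.

```python
MINUTES_PER_DAY = 24 * 60


def hhmm(text):
    """Parse 'HH:MM' into minutes since midnight."""
    hours, minutes = (int(part) for part in text.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"not a time of day: {text!r}")
    return hours * 60 + minutes


def naive_match(t, start, end):
    """The broken form: one range test. When the window crosses midnight,
    start > end and no value of t can satisfy start <= t < end."""
    return start <= t < end


def split_window(start, end):
    """Half-open [start, end) windows, in minutes, that together cover the period.
    A window that crosses midnight is split into an evening part and a morning
    part, which is exactly what the workaround does by hand with two building blocks."""
    if start == end:
        raise ValueError("empty or full-day window is ambiguous; state it explicitly")
    if start < end:
        return [(start, end)]                          # ordinary same-day window
    return [(start, MINUTES_PER_DAY), (0, end)]        # wraps past midnight


def in_window(t, start, end):
    """True when t (minutes since midnight) falls in the window, wrap-around included."""
    return any(lo <= t < hi for lo, hi in split_window(start, end))


def compare(sample, start, end):
    """Side-by-side result of the broken and the corrected test for one time of day."""
    return {"naive": naive_match(sample, start, end), "split": in_window(sample, start, end)}


if __name__ == "__main__":
    start, end = hhmm("18:00"), hhmm("03:00")
    for clock in ("17:59", "18:00", "23:30", "00:00", "02:59", "03:00", "12:00"):
        print(clock, compare(hhmm(clock), start, end))
```

The same split applies to any cyclic range (day of week, hour of day): normalise the wrapped window into non-wrapping pieces first, then test membership in each piece.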
RULES | IJ20762 | ADDING MULTIPLE LOG SOURCE TYPES TO A RULE CAN SOMETIMES CAUSE THE RULE NOT TO FIRE AS EXPECTED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Split the conditions into two rules, one for each part of the required time frame (for example, 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the filter "and when the event match any of the following {building blocks}". Issue It has been identified that when multiple Log Source Types are added to a rule using the "and when the event(s) have not been detected by one or more of these log source types for this many seconds" test, the rule does not fire as expected. For example: a rule with the single test "and when the event(s) have not been detected by one or more of Symantec Endpoint Protection, Linux OS, IBM Proventia Network Intrusion Prevention System (IPS), Microsoft Windows Security Event Log for 7 seconds" with a response configured to generate an event. The trace shows a log source type ID with a leading space (" 11") being handed to Integer.parseInt, which Java rejects. Messages similar to the following might be visible in /var/log/qradar.error when this issue is occurring: [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.LackOfDeviceTypeEvents_Test: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception reading in parms [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] java.lang.NumberFormatException: For input string: " 11" [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:581) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at java.lang.Integer.valueOf(Integer.java:778) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.LackOfDeviceTypeEvents_Test.getDeviceByTypeIDs(LackOfDeviceTypeEvents_Test.java:58) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.LackOfDeviceTypeEvents_Test.populateEventDataMap(LackOfDeviceTypeEvents_Test.java:104) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.LackOfDeviceTypeEvents_Test.setParms(LackOfDeviceTypeEvents_Test.java:136) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:123) [ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRule. |
13 November 2019 |
RULES | IJ20328 | 'WHEN THE EVENT(S) HAVE NOT BEEN DETECTED BY ONE OR MORE OF THESE LOG SOURCE GROUPS' TEST ALLOWS RULE ACTIONS TO BE SET | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Do not set rule actions for these tests. Issue It has been identified that when a rule is created with the "when the event(s) have not been detected by one or more of these log source groups for this many seconds" test, rule actions can be set. For the other "have not been detected" tests, rule actions are disabled with the message: No action(s) available with the 'event(s) have not been detected' test. A rule action should not be configurable for a non-existent event. |
16 October 2019 |
SERVICES / BACKUP AND RESTORE | IJ20760 | HOSTCONTEXT FAILS TO START WHEN A CONFIG PRIOR TO 7.1MR2 IS RESTORED ON A NEW INSTALL OF 7.3.1 | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround If you cannot upgrade to a version where this issue is resolved, contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that hostcontext fails to start after a config backup taken from a system originally installed prior to version 7.1MR2 is restored on a new install of 7.3.x. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [main] com.ibm.si.application.platform.AppPlatformManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred while refreshing platform selection. [hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53]. [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.createConManClient(AppPlatformManager.java:330) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.initLocal(AppPlatformManager.java:209) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:175) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.onInit(AppPlatformManager.java:94) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.getInstance(AppPlatformManager.java:80) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:156) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.init(HostContext.java:336) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300) [hostcontext.hostcontext] [main] com.ibm.si.application.platform.AppPlatformManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred initializing app platform manager. [hostcontext.hostcontext] [main] com.q1labs.frameworks.exceptions.FrameworksNamingException: Failed to initialize component: AppPlatformManager [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:920) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.getInstance(AppPlatformManager.java:80) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:156) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.init(HostContext.java:336) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300) [hostcontext.hostcontext] [main] Caused by: [hostcontext.hostcontext] [main] com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: java.lang.Exception: Failed to read workloads host from database using cached id [53]. [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:193) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.onInit(AppPlatformManager.java:94) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [hostcontext.hostcontext] [main] ... 10 more [hostcontext.hostcontext] [main] Caused by: [hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53]. [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.createConManClient(AppPlatformManager.java:330) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.initLocal(AppPlatformManager.java:209) [hostcontext.hostcontext] [main] at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:175) [hostcontext.hostcontext] [main] ... 12 more [hostcontext.hostcontext] [main] com.q1labs.hostcontext.app.LocalApplicationSentry: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred initializing application sentry. [hostcontext.hostcontext] [main] com.q1labs.frameworks.exceptions.FrameworksNamingException: Failed to initialize component: LocalApplicationSentry [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:920) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.init(HostContext.java:336) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300) [hostcontext.hostcontext] [main] Caused by: [hostcontext.hostcontext] [main] java.lang.NullPointerException [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:157) [hostcontext.hostcontext] [main] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) [hostcontext.hostcontext] [main] ... 5 more [hostcontext.hostcontext] [main] com.q1labs.hostcontext.HostContext: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]error occured while initializing hostcontext [hostcontext.hostcontext] [main] java.lang.NullPointerException [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.init(HostContext.java:343) [hostcontext.hostcontext] [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300) [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: main |
08 November 2019 |
FLOWS | IJ18233 | A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that a manually added or edited Flow Source alias does not work as expected. When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue occurs. |
19 August 2019 |
FLOWS | IJ20453 | REFERENCE DATA CAN FAIL TO BE UPDATED WHEN REFERENCEDATA.TIMETOLIVE.PERIOD IS SET TO 0 | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that in some instances referencedata.timetolive.period is set to 0 in /opt/qradar/conf/frameworks.properties. When this issue occurs, the Reference Data Manager can fail to initialize, causing reference data not to be updated. This can also affect some application functionality (e.g. reference data not being updated by UBA as expected). The value can be confirmed by inspecting the referencedata.timetolive.period entry in /opt/qradar/conf/frameworks.properties; the "Non-positive period" exception thrown from java.util.Timer.schedule in the trace below is the direct consequence of a zero period. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread: [ERROR] [NOT:0000003000][xxxxx/- -] [-/- -]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : User Accounts, Successful, Recent size=6 {shared:[host/xxxxxxxxxxxxxx]} Jun 11 14:04:59 ::ffff: [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] java.lang.NullPointerException Jun 11 14:04:59 ::ffff:xxxxxxx [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100) tomcat[5690]: 11-Jun-2019 14:09:13.428 WARNING [xxxxxx(7157925) /console/do/rulewizard] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination ReferenceDataUpdates [Topic], limit of 100 producers would be exceeded user=qradar, broker =127.0.0.1:7676(7677) Jun 11 14:09:13 ::ffff:xxxxxxx [tomcat.tomcat] [xxxx@xxxxx (7157925) /console/do/rulewizard] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][xxxxxxx/- -] [-/- -]Unable to initialize Reference Data Manager [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] Caused by: Jun 28 08:59:34 ::ffff:xxxxxxx [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] java.lang.IllegalArgumentException: Non-positive period. [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] at java.util.Timer.schedule(Timer.java:297) [tomcat.tomcat] [Token: SIRT_Script_access@xxxx (519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] at com.q1labs.frameworks.events.timer.TimerEventGenerator.addListener(TimerEventGenerator.java:102) [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] at com.q1labs.frameworks.session.SessionContext.addTimerEventListener(SessionContext.java:778) [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] at com.q1labs.core.shared.referencedata.ReferenceDataManager.onInit(ReferenceDataManager.java:136) [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916) |
29 October 2019 |
QRADAR RISK MANAGER | IJ12227 | RISK_MANAGER_BACKUP.SH CREATES TARBALL FILES IN /STORE/QRM_BACKUPS/ DIRECTORY ON QRADAR CONSOLE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that /opt/qradar/bin/dbmaint/risk_manager_backup.sh runs on the QRadar Console when it should only run on the QRadar Risk Manager (QRM) managed host. When the script runs (daily), it produces tarball files in /store/qrm_backups. Example output when running the following command on the QRadar Console: # ls -l /store/qrm_backups -rw-r--r-- 1 root root 245 Dec 12 04:01 backup-2018-11-25-04-00-58.tgz |
02 January 2019 |
DEPLOY CHANGES | IJ11784 | DEPLOY FULL CONFIGURATION FUNCTION DOES NOT PROGRESS PAST "PREPARING FOR DEPLOYMENT" MESSAGE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that a Deploy Full Configuration function (Admin > Advanced drop down) can sometimes stall at the message "Preparing for deployment". |
31 December 2018 |
UPGRADE | IJ11530 | DRACUT ERROR 'WARNING:DRACUT-INITQUEUE TIMEOUT STARTING TIMEOUT SCRIPTS' DURING UPGRADE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround To work around this issue, add rd.bootif=0 to the GRUB_CMDLINE_LINUX line in /etc/default/grub. For example: # cat /etc/default/grub GRUB_CMDLINE_LINUX="biosdevname=0 ethdevice-timeout=60 nicdelay=30 linksleep=30 console=ttyS0,9600 console=tty1 rd.bootif=0 ip=dhcp BOOTIF=MAC_address" Issue It has been identified that in some instances a dracut error similar to the following can be observed during a QRadar upgrade: "Warning : dracut-initqueue timeout starting timeout scripts" The upgrade then fails and drops to a dracut emergency shell. This has been observed on appliances that were initially built or configured using PXE boot with a DHCP server that is no longer reachable. |
31 December 2018 |
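An idempotent way to apply the rd.bootif=0 workaround above to a copy of /etc/default/grub, as an added example that is not part of QRadar or its upgrade tooling. It edits the GRUB_CMDLINE_LINUX line in place, never appends a duplicate token, and reports a conflicting value for the same key (such as rd.bootif=1) instead of silently replacing it. The sample file contents are constructed around the line quoted in the workaround; the function names are this example's own.

```python
import re

# Matches the GRUB_CMDLINE_LINUX assignment in /etc/default/grub, quoted or unquoted.
CMDLINE_RE = re.compile(r'^GRUB_CMDLINE_LINUX=(?P<q>["\']?)(?P<val>.*)(?P=q)\s*$')

# Constructed sample, built around the line quoted in the IJ11530 workaround.
SAMPLE_GRUB = '''GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="biosdevname=0 ethdevice-timeout=60 nicdelay=30 linksleep=30 console=ttyS0,9600 console=tty1 ip=dhcp BOOTIF=MAC_address"
'''


def kernel_params(grub_defaults):
    """Tokens on the GRUB_CMDLINE_LINUX line, or [] when the line is absent."""
    for line in grub_defaults.splitlines():
        m = CMDLINE_RE.match(line)
        if m:
            return m.group("val").split()
    return []


def add_kernel_param(grub_defaults, param):
    """Return the file contents with `param` present on GRUB_CMDLINE_LINUX.
    Idempotent: an exact duplicate is never appended. A conflicting value for
    the same key is left in place (see conflicting_params) so the operator decides."""
    out, found = [], False
    for line in grub_defaults.splitlines():
        m = CMDLINE_RE.match(line)
        if not m:
            out.append(line)            # every other line is preserved verbatim
            continue
        found = True
        params = m.group("val").split()
        if param not in params:
            params.append(param)
        out.append('GRUB_CMDLINE_LINUX="%s"' % " ".join(params))
    if not found:
        out.append('GRUB_CMDLINE_LINUX="%s"' % param)
    return "\n".join(out) + "\n"


def conflicting_params(grub_defaults, param):
    """Other tokens on the command line that set the same key as `param`
    (e.g. rd.bootif=1 when adding rd.bootif=0)."""
    key = param.split("=", 1)[0]
    return [p for p in kernel_params(grub_defaults)
            if p != param and p.split("=", 1)[0] == key]


if __name__ == "__main__":
    updated = add_kernel_param(SAMPLE_GRUB, "rd.bootif=0")
    print(updated, end="")
    print("conflicts:", conflicting_params(updated, "rd.bootif=0"))
```

Write the result back only after reviewing conflicting_params(); on RHEL-family appliances the edited defaults take effect once the GRUB configuration is regenerated (grub2-mkconfig), so follow the QRadar upgrade documentation for the exact steps on your appliance.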
QRADAR NETWORK INSIGHTS / DISK SPACE | IJ10391 | [QNI] THE /TMP PARTITION CAN RUN OUT OF FREE SPACE DUE TO THE IMGCTR.LOG FILE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Moving the imgctr.log file out of /tmp to a directory with more free space avoids the problem until the fix is applied. Note that if the process writing the log still holds the original file open, the space on /tmp is not released until that writer closes or reopens the file. Issue It has been identified that the /tmp partition can run out of free disk space because the imgctr.log file grows too large. |
31 October 2018 |
FIREWALL / ADMINISTRATION | IJ05865 | FIREWALL RULE CHANGES PERFORMED IN THE UI WHEN IPV6 IS ENABLED GENERATE AN ERROR: 'UNEXPECTED SERVER ERROR OCCURS.' | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that attempting to make firewall changes using the QRadar User Interface (System and License Management) when IPv6 is enabled can generate the error "Unexpected server error occurs. Try at later time." Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: lsdep1 [IPTABLES] [17677] ERROR: Failed to apply ip6tables rules! The offending line is 34 or: -A QChain -m udp -p udp --dport 512:65535 --sport 3333 ! --syn -j ACCEPT [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to update access control iptable rules [hostcontext.hostcontext] [pool-1-thread-4] java.lang.Exception: Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask.runTask(SetAccessControlIptableRulesTask.java:154) [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [hostcontext.hostcontext] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:785) The offending line quoted above pairs a UDP protocol match with "! --syn", which is a TCP-only option, so ip6tables rejects the rule set as a whole. |
31 October 2018 |
HISTORICAL CORRELATION RULES | IJ05099 | HISTORICAL CORRELATION CAN COMPLETE WITH ERRORS WHEN USING 'COMMON RULES' | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that Historical Correlation using 'Common Rules' can sometimes use tests that are not applicable to the database that the Historical Correlation is being run against. When this occurs, the Historical Correlation run fails to complete successfully (completes with errors). Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][127.0.0.1/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support. [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][9.180.225.71/- -] [-/- -]Historical::Real exception [historical_correlation_server.historical_correlation_server] [Thread-169061] java.util.ConcurrentModificationException [historical_correlation_server.historical_correlation_server] [Thread-169061] at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:91) [historical_correlation_server.historical_correlation_server] [Thread-169061] at java.util.ArrayList$Itr.next(ArrayList.java:862) [historical_correlation_server.historical_correlation_server] [Thread-169061] at com.q1labs.semsources.cre.CustomRuleReader.setListenerRules(CustomRuleReader.java:591) [historical_correlation_server.historical_correlation_server] [Thread-169061] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:353) [historical_correlation_server.historical_correlation_server] [Thread-169061] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:288) [historical_correlation_server.historical_correlation_server] [Thread-169061] at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:213) |
23 March 2018 |
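Several rows above (IJ20895, IJ20762, IJ20760, IJ20453, IJ21228, IJ05865 and IJ05099) identify their issue by a distinctive line in /var/log/qradar.log or /var/log/qradar.error. The following is an added example, not a QRadar feature: it parses the log line shape used throughout this table ([component] [thread] class: [LEVEL] [NOT:code][ip/- -] [-/- -]message, with an optional syslog prefix) and matches each line against a small signature table built from those excerpts, so an administrator can sweep a log export for known APARs before opening a case. The sample lines are constructed from the excerpts in this table (the two marked "constructed" are invented fillers); the signature regexes and function names are this example's own.

```python
import re
from collections import Counter

# QRadar log line shape seen throughout this table: an optional syslog prefix, then
# [component] [thread] class: [LEVEL] [NOT:code][ip/- -] [-/- -]message
LINE_RE = re.compile(
    r"\[(?P<component>[\w.-]+)\] \[(?P<thread>[^\]]*)\] (?P<cls>[\w.$]+): "
    r"\[(?P<level>[A-Z]+)\] (?:\[NOT:(?P<code>\d+)\]\[[^\]]*\] \[[^\]]*\])?(?P<msg>.*)$"
)

# Assumed signature table: a regex over the raw line, mapped to the APAR whose
# excerpt in this table it was taken from. Order matters: first match wins.
SIGNATURES = [
    ("IJ20895", re.compile(r"ArielFilterTest: \[ERROR\].*Error parsing parameters")),
    ("IJ20762", re.compile(r"LackOfDeviceTypeEvents_Test: \[ERROR\].*Exception reading in parms")),
    ("IJ20760", re.compile(r"Failed to read workloads host from database using cached id")),
    ("IJ20453", re.compile(r"Unable to initialize Reference Data Manager|IllegalArgumentException: Non-positive period")),
    ("IJ21228", re.compile(r"deleteFromReferenceDataCollection\(\) - SQLException caught")),
    ("IJ05865", re.compile(r"Failed to update access control iptable rules|Failed to apply ip6tables rules")),
    ("IJ05099", re.compile(r"CustomRuleReader: \[ERROR\].*Historical::Real exception")),
]

# Constructed sample log, modeled on the excerpts in this table.
SAMPLE_LOG = [
    "[ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.ArielFilterTest: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing parameters",
    "[ecs-ep.ecs-ep] [97d6c86b-f52e-4421-8690-c814b3a99ce2/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.LackOfDeviceTypeEvents_Test: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception reading in parms",
    "[hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53].",
    "Jun 11 14:09:13 ::ffff:127.0.0.1 [tomcat.tomcat] [admin@127.0.0.1 (7157925) /console/do/rulewizard] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialize Reference Data Manager",
    "[tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() - SQLException caught while trying to delete from Reference Data Collection : UBA : User Accounts, Successful, Recent",
    "[hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to update access control iptable rules",
    "[historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Historical::Real exception",
    "[tomcat.tomcat] [main] com.example.Startup: [INFO] [NOT:0000000000][127.0.0.1/- -] [-/- -]constructed informational line",
    "[ecs-ec.ecs-ec] [main] com.example.Collector: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]constructed error that matches no signature",
    "[ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:592)",
]


def parse_line(line):
    """Split a QRadar log line into its fields, or None for a bare continuation
    line (stack frame, exception line, 'Caused by:') that has no level marker."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    return rec


def classify(line):
    """APAR number of the first matching signature, else None."""
    for apar, rx in SIGNATURES:
        if rx.search(line):
            return apar
    return None


def triage(lines):
    """Count hits per APAR, keep the first matching line of each as evidence,
    and list ERROR lines that matched no known signature for manual review."""
    hits, evidence, unmatched = Counter(), {}, []
    for line in lines:
        apar = classify(line)
        if apar:
            hits[apar] += 1
            evidence.setdefault(apar, line)
            continue
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR":
            unmatched.append(rec["cls"] + ": " + rec["msg"])
    return hits, evidence, unmatched


if __name__ == "__main__":
    hits, evidence, unmatched = triage(SAMPLE_LOG)
    for apar, n in sorted(hits.items()):
        print(apar, n, evidence[apar][:80])
    print("unmatched ERROR lines:", unmatched)
```

Feed it a real export with `triage(open("/var/log/qradar.log").read().splitlines())`; the unmatched list is where new signatures come from, and the evidence line is what to paste into a support case.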
FLOWS | IJ25586 | 'QFLOW: [ERROR] NETFLOW V9 FLOW SET | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309) Reported in QRadar 7.2.8 and later. Workaround No workaround available. Issue The IPFIX code path was changed to handle padding at the end of flow sets correctly, but the NetFlow v9 code path did not receive the same change, so NetFlow v9 errors similar to the following might be observed in /var/log/qradar.log: [QRADAR] [10831] qflow: [WARNING] default_Netflow: Missed 224 flows from 127.0.0.1:6 (794335908,794336132) [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 256 starting at offset 249 which exceeds the length of the buffer 250. Skipping flow set. [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 53 has a length of 47620 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set. [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 160 has a length of 256 starting at offset 127 which exceeds the length of the buffer 128. Skipping flow set. [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 4416 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set. |
26 November 2020 |
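The bounds problem described in IJ25586, as an added example that is not qflow's code: a NetFlow v9 parser that walks FlowSets with explicit length checks and treats a trailing remainder shorter than a 4-byte FlowSet header as padding instead of reading a header past the end of the buffer (note that every quoted error sits at an offset with only one byte left). The tolerate_padding=False switch reproduces the failure mode (the tail is treated as a FlowSet and rejected), and corrupt_length() exercises the length-exceeds-buffer check from the quoted messages. The packet is constructed inline from the RFC 3954 layouts; template field type numbers follow the NetFlow v9 field type table (8 = IPV4_SRC_ADDR, 12 = IPV4_DST_ADDR, 7 = L4_SRC_PORT, 11 = L4_DST_PORT, 1 = IN_BYTES). Function and class names are this example's own.

```python
import struct
from dataclasses import dataclass, field

# NetFlow v9 layout (RFC 3954): 20-byte packet header, then FlowSets, each
# starting with a 4-byte header (FlowSet ID, Length including the header).
HEADER_LEN = 20
FLOWSET_HDR_LEN = 4


@dataclass
class ParseResult:
    templates: dict = field(default_factory=dict)  # template id -> [(field type, length), ...]
    records: list = field(default_factory=list)    # (template id, {field type: raw bytes})
    errors: list = field(default_factory=list)
    padding_bytes: int = 0                         # trailing bytes too short to be a FlowSet header


def parse_v9(packet, templates=None, tolerate_padding=True):
    """Walk the FlowSets of one NetFlow v9 packet with explicit bounds checks.
    tolerate_padding=False reproduces the APAR's failure mode: a tail shorter
    than a FlowSet header is still treated as one and rejected as an error."""
    res = ParseResult(templates=dict(templates or {}))
    if len(packet) < HEADER_LEN:
        res.errors.append("packet shorter than the v9 header")
        return res
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        res.errors.append(f"not NetFlow v9 (version {version})")
        return res
    buf_len, off = len(packet), HEADER_LEN
    while off < buf_len:
        remaining = buf_len - off
        if remaining < FLOWSET_HDR_LEN:             # cannot hold a FlowSet header
            if tolerate_padding:
                res.padding_bytes = remaining        # exporter padding: stop cleanly
                break
            res.errors.append(f"flow set header at offset {off} truncated: only {remaining} byte(s) remain")
            break
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + FLOWSET_HDR_LEN])
        if fs_len < FLOWSET_HDR_LEN:
            res.errors.append(f"flow set {fs_id} at offset {off} has invalid length {fs_len}")
            break                                    # no way to make progress safely
        if off + fs_len > buf_len:
            res.errors.append(f"flow set {fs_id} has a length of {fs_len} starting at offset {off} "
                              f"which exceeds the length of the buffer {buf_len}. Skipping flow set.")
            break
        body = packet[off + FLOWSET_HDR_LEN:off + fs_len]
        if fs_id == 0:
            _parse_template_set(body, res)
        elif fs_id >= 256:
            _parse_data_set(fs_id, body, res)
        # ids 1..255 (options templates etc.) are not handled in this example
        off += fs_len
    return res


def _parse_template_set(body, res):
    pos = 0
    while len(body) - pos >= 4:                      # anything shorter is set padding
        tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + 4 * nfields > len(body):
            res.errors.append(f"template {tid} declares {nfields} fields but the set is too short")
            return
        res.templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
        pos += 4 * nfields


def _parse_data_set(tid, body, res):
    tmpl = res.templates.get(tid)
    if tmpl is None:
        res.errors.append(f"no template {tid} for data flow set; dropping")
        return
    rec_len = sum(length for _, length in tmpl)
    if rec_len == 0:
        res.errors.append(f"template {tid} has zero record length")
        return
    pos = 0
    while pos + rec_len <= len(body):                # leftover shorter than a record is padding
        rec, p = {}, pos
        for ftype, length in tmpl:
            rec[ftype] = body[p:p + length]
            p += length
        res.records.append((tid, rec))
        pos += rec_len


def ipv4(raw):
    return ".".join(str(b) for b in raw)


def build_sample_packet(trailing_pad=0):
    """Constructed packet: one template (id 256) and a data set with two records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]   # src, dst, sport, dport, in bytes
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, FLOWSET_HDR_LEN + len(tmpl)) + tmpl
    recs = b""
    for src, dst, sport, dport, nbytes in [("10.0.0.5", "192.0.2.10", 51515, 443, 4096),
                                           ("10.0.0.7", "192.0.2.20", 40000, 53, 120)]:
        recs += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split(".")) \
            + struct.pack("!HHI", sport, dport, nbytes)
    data_set = struct.pack("!HH", 256, FLOWSET_HDR_LEN + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 3, 123456, 1600000000, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + tmpl_set + data_set + b"\x00" * trailing_pad


def corrupt_length(packet, offset, new_len):
    """Overwrite the Length field of the FlowSet header that starts at `offset`."""
    return packet[:offset + 2] + struct.pack("!H", new_len) + packet[offset + 4:]
```

The template cache is passed in and returned so that a collector can keep templates across packets per exporter, which is how v9 works in practice; a data set whose template has not been seen yet is dropped with an error rather than guessed at.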
ADAPTER / QRADAR RISK MANAGER | IJ24757 | CISCO ASA ADAPTER BACKUP FAILS WITH 'CAN'T MIX 128 AND 32 BIT ADDRESSES' | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000) Workaround No workaround available. Issue A Cisco ASA device backup can fail when a crypto map references an access control list rule that contains an IPv6 address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Caused by: javax.xml.ws.soap.SOAPFaultException: Can't mix 128 and 32 bit addresses at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.securityappliance_2019.06.17062537/scripts/ZipTie/Adapters/Cisco/SecurityAppliance/AclToRoute.pm line 47. at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java) at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java) at com.sun.proxy.$Proxy95.backup(Unknown Source) at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java) at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) |
07 July 2020 |
ADAPTER / QRADAR RISK MANAGER | IJ23722 | CISCO IOS RULES CONTAINING MULTIPLE PORTS OR SERVICES ARE NOT PROCESSED CORRECTLY | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000) Workaround No workaround available. Issue A Cisco IOS rule that contains multiple ports or services is not processed correctly. The rule is incorrectly displayed on the Configuration Monitor > Device List > Rules screen. Path searches that involve the rule do not work as expected. The device backup log on the Recent Activity screen might contain entries similar to the following when this issue occurs: FAILED to process rule - skipping rule with error [ FAILED to parse host address - 443 ] |
07 July 2020 |
ADAPTER / QRADAR RISK MANAGER | IJ20463 | IP ADDRESS CAN SOMETIMES NOT BE ASSIGNED TO A CHECK POINT HTTPS DEVICE | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000) Workaround No workaround available. Issue It has been identified that in some instances an IP address might not be assigned to an interface on a Check Point HTTPS device. This can result in the Topology screen displaying an unclassified device against other devices that have a route to the IP address, path searches through the Check Point device failing, and interfaces not being displayed when attempting to create a network link between the Check Point device and another device. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Jul 18 12:20:37 ::ffff:127.0.0.1 [tomcat-rm.tomcat-rm] [nobody@xx.xx.xx.xx (6683080) /console/JSON-RPC/SRM.getDeviceInterfacesByAdminIpSRM.getDeviceInterfacesminIp] com.q1labs.simulator.util.model.TopologyService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Device [x.x.x.x] is an unclassified device - not fetching ifaces |
07 July 2020 |
ADAPTER / QRADAR RISK MANAGER | IJ18490 | BACKUP OF CISCO NEXT-GENERATION INTRUSION PREVENTION SYSTEM DEVICE CAN FAIL DUE TO A COMMAND TIMEOUT | CLOSED | Resolved in QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000) Workaround No workaround available. Issue A Cisco Next-Generation Intrusion Prevention System device backup can fail with the following error appearing on the Configuration Source Management User Interface window: IPC::Run: timeout on timer #1 at /usr/share/perl5/vendor_perl/IPC/Run.pm line 2956. at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2019.06_04-17062537/scripts/ZipTie/SSH.pm line 473. at org.ziptie.server.job.PerlErrorParserElf.parse(PerlErrorParserElf.java) at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) at org.ziptie.server.dispatcher.Operation.execute(Operation.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java) This occurs when the adapter receives a response that ends with the "--More--" prompt and fails to recognize the format of the control characters that are embedded within the "--More--" prompt. This results in the command timing out and the backup failing. |
07 July 2020 |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.6 |
13 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
IBM QRadar could allow an authenticated user to cause a denial of service of the qflow process by sending a malformed sflow. CVSS Base score: 7.6 |
13 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1 |
13 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 |
13 July 2020 | |
SECURITY BULLETIN | APACHE TIKA AS USED BY IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
|
13 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
|
13 July 2020 | |
SECURITY BULLETIN | IBM QRADAR SIEM IS VULNERABLE TO COMMAND INJECTION | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Affected versions
IBM QRadar SIEM could allow a remote privileged user to execute commands. CVSS Base score: 9.1 |
13 July 2020 | |
UPGRADE / APPS | IJ25734 | QRADAR APP VERSIONS CAN DOWNGRADE DURING A QRADAR PATCH | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) Workaround Verify you have the latest app versions installed after the patch is completed by navigating to Admin tab > Extensions Management. Issue After installing a QRadar patch, any QRadar Apps that were already installed and that are included by default within the QRadar patch (e.g. the Log Source Management App) should have their version verified and be updated if needed, because the QRadar patch can downgrade installed Apps to the version contained within the patch. |
12 August 2020 |
SYSTEM NOTIFICATIONS | IJ25886 | QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR | CANCELLED | This QRadar System Notification APAR is replaced with IJ26118. |
27 June 2020 |
PROTOCOL | IJ22340 | THE REST API WITHIN QRADAR-PROTOCOL-OKTARESTAPI CAN HANG CAUSING OKTA LOG SOURCES TO STOP RECEIVING EVENTS | OPEN | Workaround Disable and enable any Okta Identity Management log sources that stop receiving events. Issue Okta Log Sources can stop receiving events due to the Okta Rest API experiencing a hang condition when calling executeMethod for HTTPClient. |
18 March 2020 |
AQL / REPORTS | IJ25142 | SOME REPORTS GENERATED FROM AN ADVANCED SEARCH (AQL) THAT USES A MATHEMATICAL EXPRESSION DISPLAY INCORRECT OUTPUT | OPEN | Technical write-up available A technical write-up is included for IJ25142 to assist administrators further. Workaround The issue described above is caused by a failure with aggregated data. Reports run manually or hourly, or on raw data should not be affected. Issue Daily, Weekly, or Monthly (aggregated data) reports generated from an Advanced Search (AQL) that uses mathematical expressions can ignore the calculations and instead display the data for each property on a separate column. The name of the column is the alias given to the calculated value. To replicate this issue:
|
24 June 2020 |
UPGRADE / KERNEL BOOT | IJ25612 | KERNEL 3.10.0-1127.EL7.X86_64 CAN CAUSE FILESYSTEM MOUNT FAILURE AND THE QRADAR APPLIANCE WILL FAIL TO BOOT | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.0 Fix Pack 4 (7.4.0.20200629201233) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Tools available A troubleshooting tool is available to help administrators identify IJ25612. Workaround At the grub prompt, choose the previous kernel version. For more information, see: https://www.ibm.com/support/pages/node/6235774 Issue Upgrading or patching to QRadar 7.4.0 Fix Pack 3 can result in a failure to mount the filesystem and cause the QRadar appliance to fail to boot. This is due to the use of kernel 3.10.0-1127.el7.x86_64, as identified in the following note: https://access.redhat.com/solutions/5075561 |
17 June 2020 |
RULES / IBM X-FORCE | IJ25352 | QRADAR CUSTOM RULE ENGINE CAN EXPERIENCE PERFORMANCE DEGRADATION WHEN USING X-FORCE RULES | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available. Issue The QRadar custom rule engine (CRE) can experience performance degradation when X-Force rules are in use. When this occurs, System Notification messages similar to 'Performance degradation has been detected in the event pipeline. Event(s) were routed directly to storage' can sometimes be observed if the CRE can no longer keep up with the processing of events. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [5]] java.nio.BufferUnderflowException [ecs-ep.ecs-ep] [CRE Processor [5]] at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271) [ecs-ep.ecs-ep] [CRE Processor [5]] at java.nio.ByteBuffer.get(ByteBuffer.java:715) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:33) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:74) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry.deserialize(ChainAppendCache.java:320) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(ChainAppendCache.java:241) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1211) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1162) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1148) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCache.java:1000) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunctions.java:278) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.aql.XForceManager.getCategorization(XForceManager.java:268) AND [ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NegativeArraySizeException [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuffer(GenericSerializer.java:32) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:74) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.GenericSerializer.get(GenericSerializer.java:17) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry.deserialize(ChainAppendCache.java:320) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(ChainAppendCache.java:241) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(ChainAppendCache.java:1211) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1162) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainAppendCache.java:1148) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCache.java:1000) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunctions.java:278) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.core.aql.XForceManager.getCategorization(XForceManager.java:268) |
16 November 2020 |
UPGRADE | IJ25396 | PATCHING CAN SUCCEED ON THE CONSOLE BUT FAIL AND ROLL BACK ON MANAGED HOSTS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) Workaround Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3. Issue Patching to QRadar 7.4 can succeed on the Console appliance but fail on Managed Hosts due to the patch not finding some database columns and also failing to remove duplicates. Messages similar to the following might be visible in the associated /var/log/setup-#####/patches.log when this issue occurs: 4 SQL script errors were detected; Error applying script [38/53] '/media/updates/opt/qradar/conf/templates/db_update_offense.inet.1.sql' for Test_qradar database.; details: WARNING: SET TRANSACTION can only be used in transaction blocks ERROR: could not create unique index "attacker_ipaddress_key" |
16 June 2020 |
DASHBOARD | IJ24884 | DASHBOARD DATA (INCLUDING TIME SERIES) CAN FAIL TO LOAD | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) Workaround Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3. Issue Dashboard data (including time series) can fail to load after patching to QRadar 7.4.0 FP1 or higher. This behavior has been identified as being caused by incompatible changes within a jar file contained in the patching process. Messages similar to the following might be visible within /var/log/qradar.log when this issue occurs: [accumulator_rollup.accumulator_rollup] [main] com.q1labs.frameworks.core.JMSFactory: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]message.queue.serviceport property not found, defaulting to 7677 [accumulator_rollup.accumulator_rollup] [main] com.q1labs.cve.accumulation.definition.GlobalViewConfiguration: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to read Global View Definitions. [accumulator_rollup.accumulator_rollup] [main] com.thoughtworks.xstream.converters.ConversionException: Failed calling method |
27 May 2020 |
OFFENSES | IJ24819 | OFFENSE PURGING CAN FAIL IN QRADAR 7.4.0 FP1 IF01 OR 7.4.0 FP2 WHEN THE PATCHING PATH BEGAN AT QRADAR 7.3.3 FP3 | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. Issue The purging (removal) of Offenses within QRadar fails when QRadar has been patched to version 7.4.0 FP1 IF01 or 7.4.0 FP2 specifically from QRadar 7.3.3 FP3, due to an issue with database column ordering. Upgrade paths affected: 1) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP2 2) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP1 and applied IF01 Note: Customers who patch from QRadar versions prior to 7.3.3 FP3 (e.g. 7.3.3 FP2) to 7.4.0 FP1 IF01 or 7.4.2 FP2 should not be affected by this Offense purging failure issue. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [INFO] [NOT:0000006000][x/- -] [-/- -]Found 100 offense to purge in this transaction. The specified transaction size is 100 and retention period is 2592000 seconds. [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select * from purge_offense(10499) as result was aborted: ERROR: column "first_target_ipaddress" is of type inet but expression is of type bigint Hint: You will need to rewrite or cast the expression. Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement Call getNextException to see other errors in the batch. [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [ERROR] [NOT:03000][-/- -] [-/- -]database executing purge command failed.
|
08 May 2020 |
UPGRADE / APPLICATION FRAMEWORK | IJ24903 | QRADAR APPLICATIONS CAN BE MISSING AFTER PATCHING QRADAR TO 7.4.0 FP1 OR NEWER | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue After patching QRadar to 7.4.0 FP1 or newer, some QRadar applications can be missing in the User Interface. |
27 May 2020 |
APPLICATION FRAMEWORK / DISK SPACE | IJ23680 | QRADAR APP INSTALLATION OR REMOVAL CAN GENERATE REPEATED LOG WRITES 'USING GETRESPONSEBODYASSTREAM INSTEAD IS RECOMMENDED' | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. Issue When QRadar Apps are installed or uninstalled, repeated messages similar to the following can sometimes be continually written to the QRadar log. This issue is benign and only writes data to the logs, but the repeated messages can consume extra disk space. When this issue occurs, the following message is displayed in /var/log/qradar.log: tomcat[14713]: 2019-12-11 10:26:09,615 [QRADAR] [admin@127.0.0.1] org.apache.commons.httpclient.HttpMethodBase: [WARN] Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended. |
23 March 2020 |
AQL / ADVANCED SEARCH | IJ23387 | AQL QUERIES WITH SUBQUERIES CAN CAUSE A FILE HANDLE LEAK THAT LEADS TO ARIEL SERVICE OUTAGES | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround A restart of the ariel_proxy_server on the QRadar console can temporarily alleviate this issue, but the issue can re-occur. systemctl restart ariel_proxy_server Issue AQL queries with subqueries can result in a file handle leak, which can cause the ariel process to run out of file handles over time. Once the open handles exceed the maximum for that process and no more are available, ariel outages occur until the process is restarted. For example, the following sample AQL query can cause this file handle leak to occur in QRadar: select qid from events where username in (select username from events limit 3) limit 3 |
18 March 2020 |
OFFENSES / DASHBOARD | IJ23415 | 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE OPEN OFFENSES USING DASHBOARD WIDGET | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Close the Offense through the QRadar Offenses tab in the user interface. Issue 'Application Error' can occur when attempting to close open offenses using Dashboard widget. For Example:
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request: [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] com.ibm.si.content_management.utils.ApplicationErrorStateException [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.findNextForward(MaintainProperties.java:230) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecure(MaintainProperties.java:80) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at com.q1labs.sem.ui.action.MaintainProperties.updateProperties(MaintainProperties.java:213) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at java.lang.reflect.Method.invoke(Method.java:508) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64) [tomcat.tomcat] [user@127.0.0.1 (8795) /console/do/sem/properties] at
|
11 March 2020 |
DSM EDITOR | IJ25156 | 'NO EVENTS WERE PARSED' MESSAGE AND BLANK LOG ACTIVITY PREVIEW WHEN USING THE DSM EDITOR TO CONFIGURE EVENT PARSING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. systemctl restart ariel_proxy_server Issue When using the DSM Editor to configure event parsing, a message similar to "No events were parsed" can be generated and the Log Activity Preview window remains blank. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] Request Exception
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Unable to complete parsing simulation
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at com.q1labs.restapi_annotations.content.exceptions.APIMappedException.{init}(APIMappedException.java:131)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] Caused by:
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] java.lang.IllegalArgumentException: Comparison method violates its general contract!
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.TimSort.mergeLo(TimSort.java:788)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.TimSort.mergeAt(TimSort.java:525)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.TimSort.mergeCollapse(TimSort.java:452)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.TimSort.sort(TimSort.java:256)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.Arrays.sort(Arrays.java:1856)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at java.util.ArrayList.sort(ArrayList.java:1473)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPropertyParsers(ParserSimulator.java:112)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse(ApplicationAPIImpl.java:1060) |
27 May 2020 |
OFFENSES | IJ24334 | OFFENSE PURGING CAN SOMETIMES FAIL WITH A BATCHUPDATEEXCEPTION | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706) QRadar 7.4.0 Fix Pack 1 Interim Fix 01 (7.4.0.20200424160445) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) QRadar 7.3.3 Fix Pack 3 Interim Fix 01 (7.3.3.20200427135149) Workaround No workaround available. Issue In some instances, Offense purging (removal) can fail with a BatchUpdateException being written to QRadar logging. The Offense model within QRadar can experience unnecessary bloat as offenses are unable to be removed from the system. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select * from purge_offense(1338) as result was aborted: ERROR: INSERT has more expressions than target columns Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement Call getNextException to see other errors in the batch.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [ERROR] Chained SQL Exception [2/2]: ERROR: INSERT has more expressions than target columns Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]database executing purge command failed.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] java.sql.BatchUpdateException: Batch entry 0 select * from purge_offense(1338) as result was aborted: ERROR: INSERT has more expressions than target columns
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement Call getNextException to see other errors in the batch.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execute(BasePurgeCommand.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateManager.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: org.postgresql.util.PSQLException: ERROR: INSERT has more expressions than target columns
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] ... 14 more
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.ModelPersister: [WARN] [NOT:0180002100][X.X.X.X/- -] [-/- -]Exception encounted when executing transaction 753127.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] com.ibm.si.mpc.magi.contrib.PersistenceException: Failed to persist sem model
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateManager.java:259)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java:2918)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPersister.java:2874)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: java.sql.BatchUpdateException: Batch entry 0 select * from purge_offense(1338) as result was aborted: ERROR: INSERT has more expressions than target columns
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement Call getNextException to see other errors in the batch.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execute(BasePurgeCommand.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] ... 5 more
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by: org.postgresql.util.PSQLException: ERROR: INSERT has more expressions than target columns
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] ... 14 more |
23 May 2020 |
UPGRADE | IJ24630 | PATCHING PROCESS TO QRADAR 7.4 CAN FAIL WHEN ATTACKER_HISTORY DATABASE TABLE CONTAINS DUPLICATE VALUES | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706) Workaround No workaround available. Issue QRadar patching process on Consoles and Managed Hosts can fail if the database attacker_history table has duplicate values. Messages similar to the following might be visible during the patching process when this issue occurs:
ERROR: could not create unique index "attacker_history_ipaddress_key"
DETAIL: Key (ipaddress, domain_id)=(X.X.X.X, 0) is duplicated.
CONTEXT: SQL statement "ALTER TABLE public.attacker_history ADD CONSTRAINT attacker_history_ipaddress_key UNIQUE(ipaddress, domain_id) WITH (fillfactor='50');"
PL/pgSQL function create_inet_index(character varying,character varying,character varying,character varying,character varying) line 12 at EXECUTE
SQL statement "SELECT create_inet_index( 'attacker_history_ipaddress_key', 'attacker_history', 'public', 'ipaddress', 'domain_id')"
PL/pgSQL function create_offense_inet_indexes() line 6 at PERFORM
Error applying script [70/87] '/media/updates/opt/qradar/conf/templates/db_update_offense.inet.2.sql' for Test_qradar database.; details: |
02 May 2020 |
SCAN TOOLS / QRADAR VULNERABILITY MANAGER | IJ24430 | QRADAR VULNERABILITY MANAGER SCANNER REVERSE TUNNELS ARE NOT BEING CREATED WHEN THE QVM PROCESSOR IS LOCATED ON THE QRADAR CONSOLE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706) Workaround Where possible, disable encryption to QVM hosts and perform a Deploy Full Configuration. Issue QRadar Vulnerability Manager reverse tunnels are not being created to QVM scanners when the QVM processor is located on the QRadar Console. No scan tools will run when this issue is occurring. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[7171]: WARNING: Interceptor for {http://processor.workflow.qvm.q1labs.com/}IProcessorEndpointService#{http://processor.workflow.qvm.q1labs.com/}getScans has thrown exception, unwinding now
[7171]: org.apache.cxf.interceptor.Fault: Could not send Message.
[7171]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
[7171]: at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
[7171]: at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
[7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
[7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
[7171]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[7171]: at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
[7171]: at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java)
[7171]: at com.sun.proxy.$Proxy59.getScans(Unknown Source)
[7171]: at com.q1labs.qvm.workflow.scan.gateway.ws.ProcessorServiceGatewayWebServiceImpl.getQueuedJobs(ProcessorServiceGatewayWebServiceImpl.java:53)
[7171]: at com.q1labs.qvm.workflow.scan.ScanToolProcess.exec(ScanToolProcess.java)
[7171]: at com.q1labs.qvm.workflow.AbstractWorkflowProcess.run(AbstractWorkflowProcess.java:160)
[7171]: at java.lang.Thread.run(Thread.java:818)
[7171]: Caused by: java.net.ConnectException: ConnectException invoking https://127.0.0.1:9999/processor: Connection refused (Connection refused)
[7171]: at sun.reflect.GeneratedConstructorAccessor59.newInstance(Unknown Source)
[7171]: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
[7171]: at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
[7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1402)
[7171]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1386)
[7171]: at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java)
[7171]: at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
[7171]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
[7171]: ... 12 more
[7171]: Caused by: java.net.ConnectException: Connection refused (Connection refused)
[7171]: at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java)
[7171]: at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
[7171]: at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java)
[7171]: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
[7171]: at java.net.Socket.connect(Socket.java:666)
[7171]: at sun.net.NetworkClient.doConnect(NetworkClient.java:187)
[7171]: at sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
[7171]: at sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
[7171]: at com.ibm.net.ssl.www2.protocol.https.c. |
02 May 2020 |
OFFENSES | IJ24275 | EXPORTING OFFENSES CAN FAIL WITH AN ERROR 'THERE WAS A PROBLEM COMPLETING YOUR EXPORT. PLEASE TRY AGAIN LATER' | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706) Workaround No workaround available. Issue Exporting offenses to .csv or XML can sometimes fail with error "There was a problem completing your export. Please try again later." Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error invoking setFirstTargetIPAddress with data Z.Z.Z.Z
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error exporting data
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] java.lang.IllegalArgumentException: java.lang.ClassCastException@70f49eb7
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] at sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source)
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearch(ExportJobProcessor.java:1013)
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:221)
[tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [ERROR] [NOT:0090003100][X.X.X.X/- -] [-/- -]The following error was encountered while performing a data export: java.lang.IllegalArgumentException: java.lang.ClassCastException@70f49eb7
at sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearch(ExportJobProcessor.java:1013)
at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:221) |
02 May 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO SERVER-SIDE REQUEST FORGERY (SSRF) | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar SIEM could allow an authenticated user to access data and perform unauthorized actions due to inadequate permission checks. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO INSTANTIATION OF ARBITRARY OBJECTS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specifying a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO PHP OBJECT INJECTION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO PRIVILEGE ESCALATION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar could allow a local user to gain escalated privileges due to weak file permissions. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar SIEM is vulnerable to improper input validation, allowing an authenticated attacker to perform unauthorized actions. |
14 April 2020 |
SECURITY BULLETIN | | MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 1 Issue There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 and IBM® Runtime Environment Java™ Version 8 used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO INVALID CERTIFICATE VALIDATION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 2 Issue IBM QRadar generates an error message that includes sensitive information that could be used in further attacks against the system. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 1 Issue IBM QRadar could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. |
14 April 2020 |
SECURITY BULLETIN | | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308) QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308) Affected versions IBM QRadar 7.3.0 to 7.3.3 Patch 1 Issue Apache Solr is vulnerable to server-side request forgery, caused by not having a corresponding whitelist mechanism for the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack. |
14 April 2020 |
RULES | IJ20330 | RULES THAT COMPARE FIELD 'SOURCE OR DESTINATION IP' AGAINST IP TYPE REFERENCE DATA FOR SUPERFLOWS FAIL | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Use a hard-coded IP in the rule test instead of using a reference set. Issue It has been identified that a rule that tests for the presence of source/destination IP against an IP type reference set for superflows fails with exception: Failed to parse IP address: Multiple (X) |
13 December 2019 |
FLOWS / QRADAR NETWORK INSIGHTS (QNI) | IJ20540 | QRADAR NETWORK INSIGHTS (QNI) FLOWS INTO QRADAR ARE DECREASED AND/OR STOP SENDING ENTIRELY | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Temporarily change from Advanced (High) inspection to Enriched (Med) inspection. Issue It has been identified that in some instances QRadar Network Insights can decrease and/or stop sending flows into QRadar when associated decapper/tika threads are in a stuck state. |
27 March 2020 |
BACKUP / RECOVERY | IJ21252 | BACKUP/RESTORE PAGE IN THE QRADAR USER INTERFACE CAN FAIL TO LOAD 'PLEASE WAIT WHILE THE REQUESTED INFORMATION IS GATHERED' | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Reduce the number of backups available to the QRadar system. Issue It has been identified that the QRadar User Interface "Backup and Recovery" page in environments with a very large number of backups (multiple thousand) hangs while loading for an extended period of time. The page partially loads with a message similar to the following "Please wait while the requested information is gathered...". |
09 December 2019 |
INSTALL / UPGRADE | IJ23224 | IPV6 MANAGED HOSTS DO NOT AUTOMATICALLY PATCH WHEN USING THE "PATCH ALL" OPTION | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround After verifying the Console is successfully patched, copy the patch SFS to the Managed Host, and perform the patch process steps manually on affected Managed Hosts. Issue Managed Hosts configured with IPV6 addresses fail to patch automatically when the "Patch All" option is selected for the patching process.
Status Summary of Hosts
+---------+-------------------+
|Hostname |Status |
|---------+-------------------|
|{hostname}|No Action Performed|
|{hostname}|Patch Successful |
+---------+-------------------+
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) ip=ipv6address
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) starting
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Found 0 patch report files.
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Patch Report for ipv6address, appliance type: 3199
{hostname} : patch test succeeded.
{hostname}-secondary : patch test succeeded.
{hostname} : patch succeeded.
{hostname}-secondary : patch succeeded.
Tried 3 times to copy file but md5 sums never matched after copy operations.
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) pr= Patch Report for (ipv6_address), appliance type: 3199
{hostname} : patch test succeeded.
{hostname}-secondary : patch test succeeded.
{hostname} : patch succeeded.
{hostname}-secondary : patch succeeded.
Tried 3 times to copy file but md5 sums never matched after copy operations. |
13 March 2020 |
INSTALL / UPGRADE | IJ23465 | PATCH PRETEST VALIDATE_HOSTNAME.SH CAN FAIL ON A SECONDARY MANAGED HOST APPLIANCE CAUSING PATCH PROCESS TO FAIL | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue During the QRadar patch pretest, the validate_hostname.sh script can fail when running on a Secondary Managed Host appliance in a High Availability pair causing the patch to fail. Messages similar to the following might be visible when this issue occurs: [INFO](testmode) Running pretest 7/8: Validate deployment hostnames ERROR: This patch requires SSH access to all Managed Hosts to validate hostnames. ERROR: The following Managed Hosts are not accessible via SSH: - {appliance} [ERROR](testmode) Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh) [INFO](testmode) Running pretest 8/8: Check for QIF appliances in deployment [ERROR](testmode) Failed 1/8 pretests. Aborting the patch. [ERROR](testmode) Failed pretests [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue. [INFO](testmode) Set ip-135-56 status to 'Patch Test Failed' [ERROR](testmode) Patching can not continue Status Summary of Hosts +----------+-------------------+ |Hostname |Status | |----------+-------------------| |appliance |Patch Test Failed | |appliance |No Action Performed| +----------+-------------------+ Patch Report for {ipaddress}, appliance type: 500 Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh) {appliance}: patch test failed. |
23 March 2020 |
RULES | IJ23642 | PERFORMANCE IMPROVEMENTS WITH REFERENCE DATA AND CUSTOM RULE ENGINE PROCESSING | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround No workaround available. Issue QRadar requires an improvement with the performance of Custom Rule Engine processing of Reference Data. |
17 March 2019 |
INSTALL / UPGRADE | IJ23684 | QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE.187085.HOSTNAMETYPE_UPDATE.SQL | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue QRadar patching process can fail on db_update.187085.hostnametype_update.sql |
23 March 2020 |
INSTALL / UPGRADE | IJ23685 | QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE_740.ARIEL_GENERICLIST_PROPERTY_EXPRESSION.SQL | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue QRadar patching process can fail on db_update_740.ariel_genericlist_property_expression.sql |
23 March 2020 |
LICENSE | IJ21568 | NO WARNING OF UPCOMING EPS/FPS LICENSE EXPIRING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue No warning message for a QRadar license nearing expiration for an Event Processor when the EPS/FPM expires. This causes the license pool to become over-allocated without appropriate notice. For example: There is no warning message that the license is going to expire soon. Only a message that the license is expired. Current behavior: License "{LicenseIdentity}" allocated to host {IP ADDRESS} has expired. |
20 December 2019 |
AUTHENTICATION / LDAP | IJ20982 | QRADAR LDAP AUTHENTICATION CAN FAIL DUE TO SHA1 CERTIFICATES BEING BLOCKED | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that SHA1 certificates can be blocked because they do not meet the Java security algorithm constraints. QRadar LDAP authentication can fail when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: tomcat[25530]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) tomcat[25530]: at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java) tomcat[25530]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) tomcat[25530]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) tomcat[25530]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) tomcat[25530]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) tomcat[25530]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) tomcat[25530]: at java.lang.Thread.run(Thread.java:812) tomcat[25530]: Caused by: tomcat[25530]: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints tomcat[25530]: at com.ibm.jsse2.k.a(k.java:42) tomcat[25530]: at com.ibm.jsse2.av.a(av.java:688) tomcat[25530]: at com.ibm.jsse2.D.a(D.java:495) tomcat[25530]: at com.ibm.jsse2.D.a(D.java:534) tomcat[25530]: at com.ibm.jsse2.E.a(E.java:151) tomcat[25530]: at com.ibm.jsse2.E.a(E.java:401) tomcat[25530]: at com.ibm.jsse2.D.r(D.java:444) tomcat[25530]: at com.ibm.jsse2.D.a(D.java:399) tomcat[25530]: at com.ibm.jsse2.av.a(av.java:1006) tomcat[25530]: at com.ibm.jsse2.av.i(av.java:574) tomcat[25530]: at com.ibm.jsse2.av.a(av.java:468) tomcat[25530]: at com.ibm.jsse2.i.write(i.java:17) tomcat[25530]: at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java) tomcat[25530]: at java.io.BufferedOutputStream.flush(BufferedOutputStream.java) tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:455) tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:428) tomcat[25530]: at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:371) tomcat[25530]: at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:226) tomcat[25530]: ... 84 more tomcat[25530]: Caused by: tomcat[25530]: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:18) tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:82) tomcat[25530]: at com.ibm.jsse2.aB.checkServerTrusted(aB.java:45) tomcat[25530]: at com.ibm.jsse2.E.a(E.java:757) tomcat[25530]: ... 97 more |
13 November 2019 |
ROUTING RULES / FORWARDED EVENTS | IJ22899 | OFFLINE FORWARDED NORMALIZED EVENTS DO NOT HAVE ASSOCIATED EVENT PROCESSOR ID IN LOG ACTIVITY OF DESTINATION HOST | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround No workaround available. Issue Offline forwarded normalized events display unknown Event Processor (EP) in the Log Activity of the destination host. As there is no associated Event Processor ID, this can cause event investigation issues during drill down in Offenses, rule triggering correlation, etc. |
14 February 2020 |
QRADAR DEPLOYMENT INTELLIGENCE APP (QDI) | IJ22709 | QRADAR DEPLOYMENT INTELLIGENCE (QDI) APP ADVANCED HEALTH QUERY DISPLAYS BLANK GRAPHS FOR ENCRYPTED MANAGED HOSTS | OPEN: Reported as an issue in QRadar 7.3.2 Patch 6 and later. | Workaround No workaround available. Issue The QRadar Deployment Intelligence (QDI) App displays blank graphs when attempting to perform an advanced health query on an encrypted Managed Host. This is caused by the advanced health querying using the Managed Host primary IP instead of the VIP (tunnel IP). |
14 February 2020 |
SYSTEM NOTIFICATIONS | IJ22344 | 'NO SEARCH WAS FOUND WITH ID SYSTEM-LOGS. DROPPING BACK TO DEFAULT SEARCH' IN SYSTEM NOTIFICATIONS AND LOGGING | OPEN: Reported as an issue in QRadar 7.3.2 Patch 5 and later. | Workaround No workaround available. Issue Messages similar to the following might be visible in QRadar System Notifications and in /var/log/qradar.error after applying a QRadar patch: [tomcat.tomcat] [admin@xx.xx.xx.xx(8380) /console/do/ariel/arielSearch] com.q1labs.ariel.ui.action.ArielSearch: [WARN] [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]No search was found with id SYSTEM-LOGS. Dropping back to default search. |
14 February 2020 |
RULES / PERFORMANCE VISUALIZATION | IJ22339 | RULE PERFORMANCE INFORMATION FOR MODIFIED DEFAULT/SYSTEM RULES IS STORED IN THE ORIGINAL RULE NOT IN THE UPDATED RULE | OPEN: Reported as an issue in QRadar 7.3.2 and later. | Workaround No workaround available. Issue Rule performance data for modified System/Default Rules is stored in the original rule, not the modified rule. This can lead to incorrect Rule Performance visualization data. |
14 February 2020 |
AUDIT LOG | IJ22766 | EVENT MAPPING ADDS OR EDITS PERFORMED USING THE 'MAP EVENT' BUTTON IN LOG ACTIVITY ARE NOT AUDITED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue Event mapping adds or edits performed using Log Activity -> View Event Information -> Click on Map Event are not audited in /var/log/audit/audit.log |
14 February 2020 |
JDBC PROTOCOL / LOG SOURCE MANAGEMENT APP | IJ20450 | LOG SOURCE MANAGEMENT APP IS NOT ABLE TO CREATE JDBC LOG SOURCE WHEN 'NONE' IS CHOSEN FROM THE 'QUERYLIST' | CLOSED | Resolved in PROTOCOL-JDBC-7.3-20200110201324.noarch.rpm or later. This protocol update is available through QRadar weekly auto updates. Workaround Use the legacy Log Source management user interface to create JDBC log sources where the Predefined Query field must be set to None. Issue It has been identified that creating a JDBC Log Source using the Log Source Management app fails when 'none' is chosen from the Predefined Query field. Using the legacy Log Source User Interface (UI) to create the same Log Source works as expected. |
23 October 2019 |
ORACLE DATABASE LISTENER PROTOCOL | IJ22710 | REPEATED 'CAUGHT SIGPIPE, RESET CONNECTION' EVENTS BEING GENERATED WHEN USING PROTOCOL ORACLE DATABASE LISTENER | OPEN: Reported in QRadar 7.3.1 Patch 8 and later. | Workaround No workaround available. Issue When using Log Sources configured with the Oracle Database Listener Protocol, the oracle_osauditlog_fwdr.pl script is causing repeated "caught sigpipe, reset connection" events to be generated. |
19 February 2020 |
LOG ACTIVITY | IJ22898 | POPUP "ERROR! NO NODE SENT TO TREE METHOD'EXPANDNODE()" IN LOG ACTIVITY TAB WHEN USING DOUBLE BYTE CHARACTER SET LOCALE | OPEN: Reported in QRadar 7.3.2 Patch 6 and later. | Workaround No workaround available. Note: This does not occur when using the English locale in QRadar. Issue A Client Exception popup message can occur in the QRadar User Interface on the Log Activity tab when QRadar is configured to use double byte character set locales and attempting a navigation path as follows:
|
28 February 2020 |
APACHE KAFKA / LOG SOURCE MANAGEMENT APP | IJ22711 | MULTILINE LOG SOURCE IDENTIFIER PATTERN FOR APACHE KAFKA PROTOCOL NOT WORKING WITH LOG SOURCE MANAGEMENT APP | OPEN: Reported in QRadar 7.3.2 Patch 4 and later. | Workaround Use the legacy Log Sources User Interface instead of the Log Source Management App. Issue The Log Source Management App saves Multiline Log Source Identifier Pattern without valid line break regex for the Apache Kafka Protocol. |
28 February 2020 |
APPLICATION FRAMEWORK / CERTIFICATES | IJ23059 | APPS CAN FAIL TO LOAD DUE TO CERTIFICATES NOT BEING RENEWED AS EXPECTED WHEN THE QRADARCA-MONITOR SERVICE HANGS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround A restart of the qradarca-monitor service running on the QRadar Console can often correct the stuck service. # systemctl restart qradarca-monitor Issue QRadar Apps can fail to load due to expired certificates not being renewed if the qradarca-monitor service is in a stuck state. Messages similar to the following might be visible in /var/log/messages when this issue occurs: bash[119986]: net.runtime_pollWait(0x7f9c451ffe70, 0x72, 0x8) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/runtime/netpoll.go:164 +0x59 bash[119986]: net.(*pollDesc).wait(0xc4202a81b8, 0x72, 0x8cdfc0, 0x8ca560) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_runtime.go:75 +0x38 bash[119986]: net.(*pollDesc).waitRead(0xc4202a81b8,0xc42028eab8,0x1) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_runtime.go:80 +0x34 bash[119986]: net.(*netFD).Read(0xc4202a8150, 0xc42028eab8, 0x1, 0x1, 0x0, 0x8cdfc0, 0x8ca560) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_unix.go:250 +0x1b7 bash[119986]: net.(*conn).Read(0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x0, 0x0, 0x0) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/net.go:181 +0x70 bash[119986]: io.ReadAtLeast(0x7f9c45200170, 0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x1, 0x6f3a40, 0x1, 0xc42028eab8) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:307 +0xa9 bash[119986]: io.ReadFull(0x7f9c45200170, 0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x40, 0x53c8e0, 0x7f9c45200170) bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:325 +0x58 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.readVersion(0x7f9c45200170, 0xc4202aa038, 0xc4202aa038, 0x7f9c45200170, 0xc4202aa038, 0x0, 0x0) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/transport.go:317 +0x101 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.exchangeVersions(0x8ced40, 0xc4202aa038, 0xc42028ead0, 0xa, 0x10, 0x10, 0x0, 0x8, 0x5, 0x8) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/transport.go:301 +0x111 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*connection).clientHandshake(0xc4202a4a80, 0xc42028ea80, 0x10, 0xc420322a90, 0x0, 0x0) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:100 +0xf7 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.NewClientConn(0x8d2ee0, 0xc4202aa038, 0xc42028ea80, 0x10, 0xc42016c230, 0x8d2ee0, 0xc4202aa038, 0x0, 0x0, 0xc42028ea80,...) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:83 +0x103 bash[119986] q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.Dial(0x764983, 0x3, 0xc42028ea80, 0x10, 0xc42016c230, 0xc42028ea80, 0x10, 0xc42031e000) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:177 +0xb3 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.connectToHost(0x764c0e, 0x4, 0xc42019ca86, 0xd, 0x1, 0xc420292840, 0x31, 0xdd) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/util.go:281 +0x260 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.CheckRemoteFileExisted(0x764c0e, 0x4, 0xc42019ae80, 0x20, 0xc42019ca86, 0xd, 0xc42016c400, 0x0, 0x0) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/remote.go:62 +0x136 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.checkCertificateOnRemote(0xc42019ca86, 0xd, 0xc4201937d0, 0x9, 0xc42019ae60, 0x12, 0xc4201937e0, 0x9, 0x764b6a, 0x4, ...) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/check.go:94 +0x2a6 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.regenerateCertFromCSR(0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, 0x0, ...) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:228 +0x421 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*checkmap).monitorAndRegenerateCert(0xc42016d978, 0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, ...) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:177 +0x307 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.monitorCert(0xc4201500a0, 0x0, 0x1, 0xc420164000) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:228 +0x421 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*checkmap).monitorAndRegenerateCert(0xc42016d978, 0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, ...) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:177 +0x307 bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.monitorCert(0xc4201500a0, 0x0, 0x1, 0xc420164000) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:197 +0x49e bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*monitor).MonitorCertificates(0x9211a0, 0xc4201500a0, 0x0, 0xc4201500b0, 0x0) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:46 +0x41 bash[119986]: main.cmdExecutor(0x4062fc, 0xc4200b2058) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/main.go:462 +0x3d79 bash[119986]: main.main( bash[119986]: goroutine 9 [select, 46859 minutes]: bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc4200d09a0) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:268 +0x823 bash[119986]: created by q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.newClientTransport bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:135 +0x1c8 bash[119986]: goroutine 25 [chan receive, 46859 minutes]: bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).handleChannelOpens(0xc4201c0580, 0xc4201e8300) bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:147 +0x68 |
28 February 2020 |
EVENT PIPELINE / DISK SPACE | IJ23194 | EVENT COLLECTION ON APPLIANCES CAN STOP DUE TO AN INCORRECT PIPELINEDISKMONITOR FREE SPACE CALCULATION | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Run the following from the command line on all QRadar appliances: # sed -i.bak 's/du -sB/du -xsB/' /opt/qradar/bin/pipelineDiskMonitor.py Issue The event collection service ecs-ec-ingress on QRadar appliances can stop sending events as a result of an incorrect calculation performed by the pipelineDiskMonitor.py script not taking into account that there can be filesystems mounted under store. Note: Seeing "percents=" in the error message below with a value greater than 100% is an indication that this can be the cause for event collection stopping. Example below: "percents=148%" Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs -ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251 MB, free=-33496697 MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved. |
13 March 2020 |
OUTPOST24 VULNERABILITY SCANNER | IJ23038 | LAST SCAN DATE DISPLAYED FOR OUTPOST24 VULNERABILITY SCANNER WITHIN QRADAR CAN BE INCORRECT | OPEN: Reported in QRadar 7.3.2 Patch 5 and later. | Workaround No workaround available. Issue An incorrect Last Scan date value is displayed in QRadar for an Outpost24 vulnerability scan. To replicate this reported issue:
|
06 March 2020 |
OFFENSES / EMAIL ALERTS | IV49730 | IT IS NOT POSSIBLE TO CUSTOMIZE OFFENSE RULE EMAIL ALERTS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Install QRadar 7.4 where features added in this version resolve this reported APAR. Issue Currently you can modify email alerts for event and flow rules using /store/configservices/staging/globalconfig/templates/custom_alerts/alert-config.xml but it is not possible to customize the email alerts for offense based rules. |
21 April 2015 |
CONTENT MANAGEMENT TOOL (CMT) | IV80631 | CONTENT MANAGEMENT TOOL IMPORTS CAN SOMETIMES TAKE LONGER THAN EXPECTED AND/OR FAIL AFTER RUNNING FOR A LONG PERIOD OF TIME | CLOSED | Note: This issue is currently tagged closed as a suggestion for a future release. In the current implementation we are not looking to maintain the legacy CMT. Performance is a paramount concern in our rewrite of the CMT, so this type of issue should not re-occur when support for import is written in the new implementation. Workaround If possible, do not have Reference Set elements in the Content Management Tool (CMT) export prior to attempting the bundled CMT import. Issue Content Management Tool imports that include Reference Set elements can sometimes run for an unexpectedly long period of time. In some instances, it has been known to cause an Out Of Memory occurrence after attempting to complete the import over a period of multiple days. |
03 January 2020 |
DEPLOY CHANGES | IV87562 | A QRADAR 'DEPLOY' FUNCTION CAN RESTART TUNNELS UNEXPECTEDLY | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been observed that a QRadar 'Deploy' function can sometimes restart tunnels unnecessarily when changes are made in the User Interface that should not require a tunnel restart. For example, tunnels restart after a regular 'Deploy Changes with the following user actions':
|
04 August 2016 |
DASHBOARD | IV94448 | DASHBOARDS ELEMENTS/WIDGETS THAT HAVE BEEN SHARED CAN SOMETIMES FAIL TO LOAD IN THE QRADAR USER INTERFACE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.2 (7.3.2.20190201201121). Issue After sharing Dashboards, it has been observed that some of the shared Dashboard elements/widgets can fail to load and exceptions in /var/log/qradar.error similar to the following might be visible upon user login: [tomcat] [admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] com.q1labs.qradar.ui.widget.graph.ArielSearchGraphWidget: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Could not parse 'items to graph' from user data: [tomcat] admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] java.lang.NumberFormatException: For input string: "" [tomcat] [admin@127.0.0.1 (3814) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] at java.lang.NumberFormatException.forInputString(NumberFormatException.java) |
03 January 2020 |
DASHBOARD | IV96788 | SETTING UP DISPLAYED DASHBOARD RESTRICTIONS BY USER ROLE IS NOT HONORED | CLOSED | Note: This issue is currently tagged closed as a suggestion for a future release. When a user is created/deployed, they inherit a copy of the out-of-the-box dashboard templates. These are modifiable because they are a user-owned copy of the template. The User Role dashboard sharing feature only applies to user-created dashboards. When shared using the 'Share' option, the dashboards are read-only (if you are not the owner, you should not be able to delete it). In the future, dashboards will be moved to the Pulse app. Issue It has been observed after configuring Dashboards for QRadar users, and attempting to restrict the Available Dashboards by User Role, that the Dashboard viewing restrictions are not honored. |
05 June 2018 |
QRADAR VULNERABILITY MANAGER / SCAN REPORT | IV98492 | QRADAR VULNERABILITY MANAGER SCAN CAN SOMETIMES NOT DETECT MS17-010 VULNERABILITY | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Create a scan policy and include only the netbios tool group. Issue It has been identified that QVM vulnerability scans do not detect the "CVE-2017-0143 - MS17-010 - Microsoft - Windows - EternalBlue Issue" vulnerability when a scan policy contains only the "smb - EternalBlue - MS17-010" tool. |
31 July 2017 |
MANAGED HOST / HOSTCONTEXT SERVICES | IJ02072 | QRADAR LOGGING REPORTS HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. The file handle issue was partially addressed in APAR IV94782, but an outstanding issue causing the same behavior could still be present. Issue It has been observed in some customer environments that Hostcontext can run out of available file handles due to code relating to nva.conf. Repetitive messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [ProcessMonitor] java.io.IOException: error=24, Too many open files |
13 December 2017 |
DEPLOY CHANGES | IJ02476 | REMOVING ENCRYPTION FROM A MANAGED HOST CAUSES DEPLOY FUNCTION TO FAIL TO THAT MANAGED HOST | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround From the System and License Management interface, encrypt the host connection on the Managed Host and Deploy changes. Issue It has been identified that the QRadar deploy function to a Managed Host fails (times out) after removing encryption from that Managed Host (Encrypt Host Connection option). To replicate this issue:
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java) [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to download new configuration set [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndProcessGlobalSets(ConfigSetUpdater.java) [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.prepareNonConsoleGlobalSets(ConfigSetUpdater.java) [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 10 more [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Timeout on deployment token synchronization [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndProcessGlobalSets(ConfigSetUpdater.java) [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 11 more [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.util.HostContextUtilities: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Removing file hostcontext.NODOWNLOAD [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to download and apply new configuration [hostcontext.hostcontext] [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] com.q1labs.hostcontext.exception.HostContextConfigException: Unable to create flag file to denote a hostcontext restart to create tunneled frameworks connections |
12 December 2017 |
OFFENSES | IJ02571 | OFFENSE RULE SNMP RESPONSES DO NOT REFLECT THE OFFENSE DATA | CLOSED | This issue has been closed as an expired issue and no fix is planned at this time. Workaround No workaround available. Issue It has been observed that after an offense rule is created and an SNMP response is configured for that rule, modifying the offenseCRE.snmp.xml file to configure the OIDs (properties) that are sent in the SNMP trap, the response coding in QRadar uses the asset model to attempt to populate these values for the Offense. When this occurs, the SNMP trap does not always contain the expected data that is visible in the Offense. |
12 December 2017 |
LOG ACTIVITY / SEARCH | IJ05192 | LOG ACTIVITY SEARCH ERRORS '...PROBLEM CONNECTING TO THE QUERY SERVER' AND '...INVALID WHITE SPACE CHARACTER...' IN THE LOGS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) Workaround No workaround available. Issue It has been observed that Log Activity searches can sometimes fail with a message similar to: "There was a problem connecting to the query server. please try again later" This error message can coincide with error messages in /var/log/qradar.error: [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] com.thoughtworks.xstream.io.StreamException: [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] Caused by: [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] com.ctc.wstx.exc.WstxIOException: Invalid white space character (0x11) in text to output [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java) [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at com.thoughtworks.xstream.io.xml.StaxWriter.setValue(StaxWriter.java) [ariel.ariel_proxy_server] [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] ... 77 more |
10 February 2020 |
OFFENSES / PERFORMANCE | IJ09192 | OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO LOAD FOR OFFENSES WITH A LARGE NUMBER OF ATTACKERS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that loading the offense summary of a single offense can sometimes take longer than expected (multiple minutes) for Offenses with a large number of attackers. |
04 December 2018 |
DEPLOYMENT / REMOVE HOST | IJ12277 | PROCESSOR MANAGED HOSTS INSTALLED AS TYPE "SOFTWARE" GENERATE ERROR WHEN ATTEMPTING TO BE REMOVED FROM DEPLOYMENT | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Install the latest software version or contact Support for a possible workaround that might address this issue if you cannot upgrade at this time. Issue It has been identified that attempting to remove a QRadar processor (Event or Flow) from a QRadar deployment can fail and generate an error similar to the following if it was built as type "Software" at version 7.2.x and then upgraded to 7.3.1. When this issue occurs, the following error messages can be displayed in the user interface:
|
16 September 2019 |
VULNERABILITY SCAN / QRADAR VULNERABILITY MANAGER | IJ19254 | TXSENTRY ERRORS CAN OCCUR DURING VULNERABILITY IMPORTS OF A LARGE NUMBER OF ASSETS WITH VULNERABILITY EXCEPTIONS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Avoid importing thousands of assets that require the same vulnerability exception at once by staggering the vulnerability imports. Issue It has been identified that a TxSentry lock warning can occur during vulnerability imports of a large number of assets (multiple thousand) with vulnerability exceptions. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=vulninstance age=623 granted=t mode=RowShareLock query='SELECT exception_rule.config_update(); |
16 September 2019 |
RULES / RULES WIZARD | IJ19268 | LOADING RULES FROM EVENTS GENERATES '[UNKNOWN RULE NAME]' AND 'INVALID XML CONTENT' MESSAGES IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Upgrade to the latest software version or contact Support for a possible workaround that might address this issue in some instances if you are unable to upgrade at this time. Issue It has been identified that when loading Rules from within events, messages containing "UNKNOWN RULE NAME" might be displayed. These errors have been observed when control characters are present in data within the rule_data database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by: [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An error occured while trying to retrieve the rule [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.impl.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.R2_2016.customrule.CustomRuleAPI.getCustomRules(CustomRuleAPI.java) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.GeneratedMethodAccessor526.invoke(Unknown Source) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at java.lang.reflect.Method.invoke(Method.java:508) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java) [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] ... 46 more [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by: [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] [openjpa-2.2.2-r422266:1468616 fatal general error] org.apache.openjpa.persistence.PersistenceException: ERROR: invalid XML content Detail: line 1: xmlParseCharRef: invalid xmlChar value 6 lt;a href='javascript:editParameter("12", "3")' class='dynamic'>metadata ^ line 1: xmlParseCharRef: invalid xmlChar value 6 ns multiselect="false" source="user" format="user"/][userSelection]metadata ^ line 1: chunk is not well balanced {prepstmnt 1473478204 SELECT * FROM custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]', CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) != '{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC} |
26 September 2019 |
RULES / RULES WIZARD | IJ20232 | ' ? ' CHARACTERS DISPLAYED AT THE END OF EACH LINE OF "RULE NOTES" THAT CONTAIN LINE BREAKS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that when configuring a rule that includes a line break in the "Rule Notes" section, question mark '?' characters are displayed at the end of each line. |
17 October 2019 |
ROUTING RULES | IJ20466 | EVENTS CONFIGURED TO BE DROPPED BY ROUTING RULES ARE NOT BEING DROPPED DURING A HOSTCONTEXT RESTART | OPEN: Reported in QRadar 7.3.2 versions | Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that Events which are configured to be dropped by routing rules are not being dropped during a hostcontext restart. |
08 November 2019 |
RULES / RULES WIZARD | IJ20767 | 'AN ERROR HAS OCCURRED SAVING YOUR RULE. PLEASE TRY AGAIN LATER' WHEN ATTEMPTING TO SAVE A RULE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that when saving a Rule, the following message might be observed due to rule_data not being validated prior to persisting it to the database: "An error has occurred saving your rule. Please try again later." To replicate this issue:
|
13 November 2019 |
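IJ05192, IJ19268 and IJ20767 above share one root cause: a control character (0x11 in the Woodstox trace, a `&#6;` reference in the libxml2 trace) reaches an XML-serialized field such as rule_data or the rule notes without being validated first. The following is an added example, not QRadar code; it does not know how QRadar validates rule_data, it only implements the XML 1.0 `Char` production that both parsers enforce, so the offending byte can be located and rejected before it is persisted. The sample note is constructed.

```python
"""Scan a value bound for an XML-serialized field (rule_data, rule notes, a
saved-search definition) for characters that XML 1.0 forbids.

Added example, not QRadar code. It implements only the XML 1.0 'Char'
production, which is the rule Woodstox ('Invalid white space character
(0x11)') and libxml2 ('xmlParseCharRef: invalid xmlChar value 6') enforce.
"""
import re

# XML 1.0 Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_XML_ILLEGAL = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)
# A numeric character reference (&#6; or &#x6;) to a forbidden code point is
# rejected by the parser exactly as a raw control byte is.
_CHAR_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


def find_illegal_xml_chars(text):
    """Return [(offset, code_point)] for every raw character XML 1.0 does not allow."""
    return [(m.start(), ord(m.group())) for m in _XML_ILLEGAL.finditer(text)]


def find_illegal_char_refs(text):
    """Return [(offset, code_point)] for numeric references that name a forbidden code point."""
    hits = []
    for m in _CHAR_REF.finditer(text):
        ref = m.group(1)
        code_point = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        if code_point > 0x10FFFF or _XML_ILLEGAL.match(chr(code_point)):
            hits.append((m.start(), code_point))
    return hits


def sanitize_for_xml(text, replacement=""):
    """Drop (or replace) raw illegal characters so the value can be serialized."""
    return _XML_ILLEGAL.sub(replacement, text)


def check_before_persist(value):
    """Gate to run before a rule or note is written: returns (ok, problems)."""
    problems = find_illegal_xml_chars(value) + find_illegal_char_refs(value)
    return (not problems, problems)


# Constructed sample: a rule note pasted from a terminal session that carried a
# DC1 (0x11) control byte. CR and LF are legal XML characters and are kept.
SAMPLE_NOTE = "Escalate to SOC\x11 tier 2\r\nReviewed 2019-11"

if __name__ == "__main__":
    ok, problems = check_before_persist(SAMPLE_NOTE)
    print("ok" if ok else "reject: %r" % problems)
    print(repr(sanitize_for_xml(SAMPLE_NOTE)))
```

Rejecting at input time is the right place for this check: once a control byte is in rule_data every consumer (the REST rules endpoint, the xpath() call in PostgreSQL, the Ariel query serializer) fails on it, and the only cleanup is editing the stored row.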
API | IJ20152 | NETWORK ID FETCHED BY API '/ASSET_MODEL/ASSETS' AND '/CONFIG/NETWORK_HIERARCHY/NETWORKS' ARE DIFFERENT | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that the network IDs returned by the /asset_model/assets and /config/network_hierarchy/networks API endpoints differ. Queries that join or filter on the network ID across these two endpoints can return unexpected or incorrect data. |
17 October 2019 |
DISK SPACE | IJ20632 | A QRADAR APP BACKUP SCRIPT CAN SOMETIMES FAIL CAUSING /STORE PARTITION FREE SPACE ISSUES | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround No workaround available. Issue It has been identified that in some instances the app-volume-backup.py does not clean up failed/incomplete backups. When this issue occurs, it is possible that the /store partition can fill. |
12 November 2019 |
MANAGED HOST / ADD HOST | IJ22140 | ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue The QRadar Add Host process can fail due to a password decoding error; the stack trace shows the failure is raised while the password is decrypted and Base64-decoded. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] java.lang.IllegalArgumentException: Last unit does not have enough valid bits [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at java.util.Base64$Decoder.decode0(Base64.java:745) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at java.util.Base64$Decoder.decode(Base64.java:537) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at java.util.Base64$Decoder.decode(Base64.java:560) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:98) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.ibm.si.mks.Crypto.decrypt(Crypto.java:55) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:46) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java:1122) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java:2143) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java:2103) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1530) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:74) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java:51) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:71) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed host. The ip of the host is: x.x.x.x [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving message [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:76) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129) [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:80) |
17 January 2020 |
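The "Last unit does not have enough valid bits" message in IJ22140 is java.util.Base64's way of saying the final group of the encoded input holds exactly one character: six bits cannot form a byte, so the encoded value was truncated or lost a character somewhere between being stored and being decrypted. The following is an added example, not QRadar code, that classifies a Base64 blob by the same rule before it is handed to a decoder; the `decrypt_host_credential` wrapper and the sample values are hypothetical and constructed, and which stored value is the bad one on a real system is something Support has to identify.

```python
"""Classify a Base64 blob the way java.util.Base64 does, to explain the
'Last unit does not have enough valid bits' failure.

Added example, not QRadar code. The sample values are constructed.
"""
import base64
import binascii
import re

_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def diagnose_base64(blob):
    """Return (ok, reason) without raising, mirroring the decoder's checks."""
    if not _ALPHABET.match(blob):
        return False, "non-alphabet character present"
    data_chars = len(blob.rstrip("="))
    if data_chars % 4 == 1:
        # java.util.Base64: IllegalArgumentException "Last unit does not have enough valid bits"
        return False, "final unit has a single character (6 bits): input truncated or corrupted"
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        # Python is stricter than Java here: Java accepts missing '=' padding, Python does not.
        return False, str(exc)
    return True, "%d bytes" % len(raw)


def decrypt_host_credential(blob, decrypt):
    """Hypothetical wrapper: check the blob first so the caller gets a reason, not a stack trace.

    'decrypt' stands in for whatever routine turns the decoded bytes into the
    password; it is a parameter because this example does not know QRadar's.
    """
    ok, reason = diagnose_base64(blob)
    if not ok:
        raise ValueError("stored credential is not valid Base64: " + reason)
    return decrypt(base64.b64decode(blob, validate=True))


# Constructed: a well-formed encoded secret and the same value with its tail cut off.
GOOD_BLOB = base64.b64encode(b"s3cret-managed-host-pw").decode()
TRUNCATED_BLOB = GOOD_BLOB[:-3]   # 29 data characters: 29 % 4 == 1

if __name__ == "__main__":
    for blob in (GOOD_BLOB, TRUNCATED_BLOB):
        print(blob, "->", diagnose_base64(blob))
```

The length test is the useful part: a blob whose non-padding length is 1 mod 4 can never have been produced by an encoder, so the problem is in storage or transport of the ciphertext, not in the key or the password typed in the UI.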
ACCESS / USER LOG IN | IJ21731 | QRADAR USERS CAN BE UNABLE TO LOGIN TO THE USER INTERFACE WHEN MULTIPLE HOST LOCKS OCCUR AT THE SAME TIME | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround Restart the tomcat service on the QRadar Console over an SSH connection to allow logins to succeed again when this issue occurs: systemctl restart tomcat NOTE: The QRadar user interface becomes available again only after all required processes are running as expected. Issue QRadar users can be prevented from logging in when the QRadar authentication cleanup job fails to run as expected because multiple host locks occur at the same time. |
19 December 2019 |
CUSTOM EVENT PROPERTIES | IJ19261 | JSON EXPRESSIONS CAN MATCH IN CUSTOM EVENT PROPERTY UI PAYLOAD TESTS BUT DO NOT MATCH ON RECEIVED EVENTS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround Ensure the correct expression is being used. Not all expressions that provide a result while using test button in the QRadar User Interface provide the expected results when events are processed. Issue It has been identified that putting a "/" before the index doesn't invalidate the match when testing JSON expressions in the Custom Event Property UI (CEP). This can result in false positives in the CEP user interface (Admin > Data Sources > Custom Event Properties). For example:
|
26 September 2019 |
HTTP INSPECTOR / QRADAR NETWORK INSIGHTS | IJ20823 | QRADAR NETWORK INSIGHTS (QNI) COREDUMP CAN OCCUR DUE TO HTTP INSPECTOR | CLOSED | Resolved in QRadar Network Insights 7.4.0 (7.4.0.20200304205308) QRadar Network Insights 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround: No workaround available. Issue: It has been identified that the QRadar Network Insights (QNI) HTTP inspector component can cause QNI core dumps, written to /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running. |
13 November 2019 |
UPGRADE / HIGH AVAILABILITY (HA) | IJ21673 | HIGH AVAILABILITY (HA) CROSSOVER NO LONGER ENABLED AFTER PATCHING | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Re-enable the crossover after the patching process is completed using the following command from an SSH session: /opt/qradar/ha/bin/qradar_nettune.pl crossover enable How to verify crossover status on HA: https://ibm.biz/BdqBSg Issue After patching to QRadar 7.3.3, High Availability (HA) pairs configured with a crossover cable connection can have the crossover no longer enabled after the appliance reboot processes are complete. |
24 May 2021 |
FLOWS | IJ21657 | 'LAST PROXY IPV4' AND 'LAST PROXY IPV6' FLOW DATA IS NOT PARSED CORRECTLY | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue At QRadar version 7.3.2+, the "Last Proxy IPv4" and "Last Proxy IPv6" fields from flows are not properly parsed. When this occurs, new and previous searches configured to use that data no longer function as expected. |
19 December 2019 |
DSM EDITOR | IJ21643 | DSM EDITOR PAGE 'EXPORT' BUTTON IS MISSING | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue The DSM Editor page 'Export' button is missing after upgrading to QRadar 7.3.3 from 7.3.2 Patch 4 or later. |
20 December 2019 |
DSM EDITOR | IJ21610 | DSM EDITOR USER INTERFACE REGEX VALIDATION CAN DIFFER FROM THE QRADAR PIPELINE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) Workaround Contact Support for a possible workaround that might address this issue in some instances or upgrade to the latest software version. Issue The DSM Editor User Interface and the Pipeline can sometimes disagree about what constitutes a valid regex. This has been observed when a character that has no special meaning in a regex is escaped unnecessarily. Example: username\=(\S+) <-- the = sign here does not need to be escaped; most regex engines accept the escape, but QRadar might consider this an invalid regex. |
18 December 2019 |
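The disagreement in IJ21610 is easy to hit because a local test in another engine (Python, Perl, an online tester) accepts `username\=(\S+)` without complaint. The following is an added example, not QRadar code: a small linter that flags backslashes escaping characters that are not regex metacharacters, so a DSM Editor pattern can be normalized to the form every engine reads identically. It assumes Java-style metacharacter syntax for the pipeline; the sample payload is constructed.

```python
"""Lint a DSM Editor regex for backslash escapes that give a character no
special meaning.

Added example, not QRadar code. It assumes the pipeline uses Java-style
regex metacharacters; a pattern that escapes only those is accepted
identically by the DSM Editor, the pipeline and any other engine.
"""
import re

# Characters with a special meaning unescaped in Java/PCRE-style syntax. '-'
# (inside classes) and '#' (under the comments flag) are kept so that escaping
# them is not flagged; '/' is tolerated because many tools delimit patterns with it.
_METACHARS = set(r"\.^$|?*+()[]{}-#/")
_ESCAPE = re.compile(r"\\(.)", re.DOTALL)


def unnecessary_escapes(pattern):
    """Return [(offset, char)] for each backslash that escapes a plain character."""
    hits = []
    for m in _ESCAPE.finditer(pattern):
        c = m.group(1)
        # Letters and digits form escape sequences (\d, \s, \1, \x41 ...) that the engine validates itself.
        if c.isalnum() or c.isspace() or c in _METACHARS:
            continue
        hits.append((m.start(), c))
    return hits


def normalize(pattern):
    """Strip the needless backslashes so every engine sees the same regex."""
    bad = {offset for offset, _ in unnecessary_escapes(pattern)}
    return _ESCAPE.sub(lambda m: m.group(1) if m.start() in bad else m.group(0), pattern)


# Constructed sample payload and the pattern quoted in the APAR above.
SAMPLE_PAYLOAD = "Oct 3 12:36:57 host sshd[1]: Accepted publickey for username=svc-backup from 10.1.2.3"
RISKY_PATTERN = r"username\=(\S+)"

if __name__ == "__main__":
    print(unnecessary_escapes(RISKY_PATTERN))
    clean = normalize(RISKY_PATTERN)
    print(clean)
    # Both compile and match under Python's engine, which is why a local test does not catch the problem.
    for p in (RISKY_PATTERN, clean):
        print(p, "->", re.search(p, SAMPLE_PAYLOAD).group(1))
```

Run new or imported DSM Editor patterns through `unnecessary_escapes` before deploying them; an empty list means the pattern contains no escape whose interpretation could differ between the editor's validator and the parsing pipeline.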
INSTALL | IJ21608 | QRADAR SOFTWARE INSTALL CAN FAIL DUE TO PARTITION SIZE CHECK FAILURE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Install QRadar at an earlier version (example 7.3.1 Patch 5) and then patch up. Issue QRadar software installation on a system whose boot disk (sda) is smaller than the minimum the installer checks for fails with a message similar to: Initializing... Starting setup session in screen EULA accepted on Thu Jan 4 19:30:16 UTC 2018 About to install QRadar version 7.3.0.20171205025101 Install started on Thu Jan 4 19:30:17 UTC 2018 but was not completed. Attempting to continue... done. Checking that SELinux is disabled... OK: SELinux is disabled. Checking that system language is set to en_US.UTF-8... OK: System language is set to en_US.UTF-8 Checking for minimum disk size... ERROR: Boot disk sda is only 32768 MiB but must be at least 78125 MiB. ERROR: This version does not support small drives. You must replace the drive before trying again. Press enter to close screen |
20 December 2019 |
QRADAR RISK MANAGER / ADAPTER BACKUP | IJ21606 | QRADAR RISK MANAGER (QRM) DEVICE ADAPTER BACKUPS CAN FAIL WHEN STRICT SSH KEY EXCHANGE ALGORITHMS ARE EMPLOYED TO RESTRICT COMM | CLOSED | Resolved in QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround No workaround available. Issue QRadar Risk Manager (QRM) is unable to discover or back up devices when strict SSH key exchange algorithms are employed to restrict communication. "Couldn't agree a key exchange algorithm" is present on the Configuration Source Management's Backup Error Detail dialog, and if the backup was initiated on the Configuration Monitor screen, in the Recent Activity Adapter Backup log viewer. |
16 December 2019 |
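The "Couldn't agree a key exchange algorithm" message in IJ21606 comes straight out of the SSH negotiation in RFC 4253 section 7.1: each side sends its ordered list, and the first entry on the client's list that the server also offers is chosen; if the sets are disjoint the session ends before authentication. The following is an added example, not QRM code, that models that negotiation so the failure can be reproduced from two algorithm lists. The lists are constructed for illustration; the ones a QRM adapter and a particular device really offer have to be read from an `ssh -vv` trace or the device's own configuration.

```python
"""Model SSH algorithm negotiation (RFC 4253 section 7.1) to show why a device
hardened to a strict key-exchange list stops answering an older SSH client.

Added example, not QRM code. Algorithm lists are constructed.
"""


class NegotiationError(Exception):
    """No algorithm common to both sides for this slot."""


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: the first algorithm on the client's list that the server also lists wins."""
    offered = set(server_prefs)
    for algo in client_prefs:
        if algo in offered:
            return algo
    raise NegotiationError(
        "Couldn't agree a key exchange algorithm (client: %s; server: %s)"
        % (",".join(client_prefs), ",".join(server_prefs))
    )


def backup_outcome(client_kex, device_kex):
    """Return the agreed KEX, or None when the session would fail before authentication."""
    try:
        return negotiate(client_kex, device_kex)
    except NegotiationError:
        return None


def client_upgrade_needed(client_kex, device_kex):
    """Algorithms the client must gain to reach this device, rather than weakening the device."""
    known = set(client_kex)
    return [a for a in device_kex if a not in known]


# Constructed: an adapter whose SSH library only knows SHA-1 based DH groups ...
LEGACY_CLIENT_KEX = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]
# ... a device restricted to modern key exchange only ...
STRICT_DEVICE_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]
# ... and the same device before hardening, when backups still worked.
LENIENT_DEVICE_KEX = STRICT_DEVICE_KEX + ["diffie-hellman-group14-sha1"]

if __name__ == "__main__":
    print("before hardening:", backup_outcome(LEGACY_CLIENT_KEX, LENIENT_DEVICE_KEX))
    print("after hardening: ", backup_outcome(LEGACY_CLIENT_KEX, STRICT_DEVICE_KEX))
    print("client must add: ", client_upgrade_needed(LEGACY_CLIENT_KEX, STRICT_DEVICE_KEX))
```

Two caveats when using this against a real deployment. `ssh -vv device` from the Console prints the negotiated "kex: algorithm:" line and `ssh -Q kex` lists what the local OpenSSH supports, but the adapter's own SSH client may not share the Console's algorithm list, so an interactive login succeeding does not prove the adapter can negotiate. And the fix belongs on the client side (the fix packs listed above), not in re-enabling SHA-1 key exchange on the devices being backed up.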
QRADAR VULNERABILITY INSIGHTS APP | IJ21604 | QRADAR VULNERABILITY INSIGHTS APP REPORT IN FAILED "ERROR" STATUS | OPEN: Reported in QRadar Vulnerability Insights App v1.1.0 | Workaround: Contact Support for a possible workaround that might address this issue in some instances. Issue: The QRadar Vulnerability Insights scan compare report can fail to generate, with only 'error' text shown against the report in the User Interface, when the critical details of a vulnerability contain "::" characters. |
20 December 2019 |
USER INTERFACE | IJ21588 | "TYPEERROR: DOMAPI.GETELM IS NOT A FUNCTION" WHEN ON THE QRADAR ADMIN TAB AND USING FIREFOX WEB BROWSER | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround: No workaround available. Issue: It is possible that clicking on the Admin tab when you are already on the Admin tab will throw a Client exception with the message similar to: The following client exception occurred while handling the server response: {0} TypeError: domapi.getElm is not a function This has been observed on Firefox version 68.0.1 as well as Firefox version 71.0 on Windows 10. |
20 December 2019 |
AQL CUSTOM PROPERTY | IJ21571 | APPLICATION ERROR IN THE UI CAN BE GENERATED WHEN OPENING AN EVENT RETURNED FROM A SEARCH WITH AQL CUSTOM PROPERTY | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. Issue An Application Error can be generated in the QRadar User Interface when opening an Event returned from a search containing an AQL Custom Property. This can occur when the AQL Custom Property raises a backend exception because its expression divides by zero. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] Caused by: [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong.calculate(ArithmeticFunctions.java:352) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:223) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:205) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculateValue(ArithmeticFunctions.java:32) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:39) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:19) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:71) [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] ... 65 more [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause: [tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero |
2 February 2022 |
APPLICATION FRAMEWORK | IJ21567 | RESET OF QRADAR CERTIFICATES CAN FAIL WHEN QRADARCA-MONITOR SERVICE IS RUNNING AT THE SAME TIME | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue The reset-qradar-ca.sh script can fail to reset all certificates properly if it runs at the same time as the qradarca-monitor service. Messages similar to the following might be visible in /var/log/localca.log when this issue occurs: time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json" time="2019-10-03T12:36:57-04:00" level=debug msg="Checking certificate /etc/conman/tls/conman_ca.crt expiration status for local host" time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate /etc/conman/tls/conman_ca.crt was not found. Preparing to generate new certificate" time="2019-10-03T12:36:57-04:00" level=debug msg="Certificate /etc/conman/tls/conman_ca.crt is close to expire. 
Regenerate the certificate" time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating dependent certificate id=4, type=intermediate, file=/etc/conman/tls/conman_ca.crt, cfg=/opt/qradar/ca/conf.d/conman-server.json" time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json" time="2019-10-03T12:36:57-04:00" level=info msg="Setup intermediate CA for service conman" time="2019-10-03T12:37:00-04:00" level=debug msg="127.0.0.1-> {fqdn}" action=command time="2019-10-03T12:37:00-04:00" level=debug msg="Appliance Type: 4000\tProduct Version: 7.3.2.20190522204210" action=command time="2019-10-03T12:37:00-04:00" level=debug msg=" 12:36:56 up 83 days, 1:43, 0 users, load average: 2.33, 2.35, 2.19" action=command time="2019-10-03T12:37:00-04:00" level=debug msg=------------------------------------------------------------ ------------ action=command time="2019-10-03T12:37:00-04:00" level=debug action=command time="2019-10-03T12:37:00-04:00" level=info msg="Setup CSR /etc/vault-qrd/tls/vault-qrd.csr for service vault-qrd under host IP ADDRESS" time="2019-10-03T12:37:01-04:00" level=debug msg="INFO: Retrieving /etc/vault-qrd/tls/vault-qrd.csr from each server, will be placed in separate from-x.x.x.x directories under /opt/qradar/ca/certs" action=pull time="2019-10-03T12:37:01-04:00" level=debug action=pull time="2019-10-03T12:37:01-04:00" level=debug msg="IP ADDRESS" -> xxxxxxx.xxxxxx.com" action=pull time="2019-10-03T12:37:01-04:00" level=debug msg="Appliance Type: 1400\tProduct Version: 7.3.2.20190522204210" action=pull time="2019-10-03T12:37:01-04:00" level=debug msg=" 12:37:00 up 83 days, 14:38, 0 users, load average: 2.45, 2.48, 2.57" action=pull time="2019-10-03T12:37:01-04:00" level=warning msg="CSR path /opt/qradar/ca/certs/from-IPADDRESS/vault-qrd.csr does not exist" time="2019-10-03T12:37:01-04:00" level=debug msg=------------------------------------------------------------ ------------ action=pull 
time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: change_dir \"/etc/vault-qrd/tls\" failed: No such file or directory (2)" action=pull time="2019-10-03T12:37:01-04:00" level=debug msg="rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [Receiver=3.1.2]" action=pull time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: [Receiver] write error: Broken pipe (32)" action=pull time="2019-10-03T12:37:01-04:00" level=debug action=pull time="2019-10-03T12:37:01-04:00" level=info msg="Run command /opt/ibm/si/vault-qrd/bin/tls-certs-updated.sh" time="2019-10-03T12:37:04-04:00" level=error msg="Failed to generate intermediate CA for service conman" error="exit status 1" time="2019-10-03T12:37:04-04:00" level=error msg="Failed to regenerate the intermediate certificate /etc/conman/tls/conman_ca.crt" And In the /var/log/setup-xxx/configure-qradar-ca.log: [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json conman-int-pki/intermediate/generate/exported common_name="CONMAN-CA" ttl=26280h key_bits=4096 exclude_cn_from_sans=true > /tmp/tmp.xxxxxxx [configure-qradar-ca.sh] Export intermediate CA key file to /var/tmp/qradar_int.key [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json qradar-pki/root/sign-intermediate csr="@/var/tmp/qradar_int.csr" common_name="CONMAN-CA" ttl=26280h > /tmp/tmp.33wItN4riu Error writing data to qradar-pki/root/sign-intermediate: Error making API request. |
20 December 2019 |
INSTALL / PRE-CHECK | IJ21518 | QRADAR NETWORK INSIGHTS (QNI) INSTALLATIONS CAN FAIL AT STORAGE PRE-CHECK | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround If you are unable to upgrade to QRadar 7.4.1 Fix Pack 2, you can contact QRadar Support for a possible workaround that might address this issue in some instances. Issue It has been identified that QRadar Network Insights (QNI) installations can fail at storage pre-check for one or more reasons.
|
24 May 2021 |
USERS / RULES | IJ21487 | RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT | OPEN: Reported in QRadar 7.3.2 Patch 4 | Workaround: Contact Support for a possible workaround that might address this issue in some instances. Issue: It has been identified that Rules are not loaded properly when the user who created them (the origin user) no longer exists in the QRadar deployment. This has been observed after Content Management Tool (CMT) imports, because the CMT allows content to be imported even when its owning user does not exist. False positive/negative Rule firing can be experienced when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events" [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] at java.lang.Thread.run(Thread.java) |
16 December 2019 |
API / QRADAR VULNERABILITY MANAGER | IJ21464 | QRADAR VULNERABILITY MANAGER (QVM) API THROWS ILLEGAL ARGUMENT EXCEPTION WHEN REQUESTING VULNERABILITIES THAT HAVE A RISK OF 'CRITICAL' | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Exception all Critical vulnerabilities in QVM or remove the critical vulnerabilities from the asset view. Issue It has been identified that the QVM Vulninstance API throws an IllegalArgumentException when the vulnerability information requested includes vulnerabilities with a risk of Critical. The vulnerability content could have come from a third-party scanner or from using the vulnerability triage feature in QVM to change the risk of some vulnerabilities to Critical. This affects apps such as QRadar Vulnerability Insights (QVI) that query vulnerabilities through the API, and any other integration that uses the QVM Vulninstance API. The QVI app data sync reports errors and shows zero counts on the dashboard. Messages similar to the following might be visible in /var/log/qradar.error when an API call is made: [tomcat.tomcat] [pool-1-thread-1] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(RiskFactorDTO.java) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapter.doConvert(R1_2017VulnInstanceDTOAdapter.java) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.assetprofile.api.vulninstance.common.AbstractVulnInstanceDTOAdapter.dtoConvert(AbstractVulnInstanceDTOAdapter.java) [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPITask.runTask(VulninstancesAPITask.java) [tomcat.tomcat] [pool-1-thread-1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.FutureTask.run(FutureTask.java) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-1] at java.lang.Thread.run(Thread.java) |
24 May 2021 |
OFFENSES | IJ21461 | DUPLICATE OFFENSE RULE RESPONSE CAN OCCUR 30 MINUTES AFTER INITIAL OFFENSE TRIGGERING | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue It has been identified that a duplicate Offense Rule response can sometimes unexpectedly occur 30 minutes after the initial Offense Rule response occurs. For example, a duplicate (second) e-mail response for a single offense update is received 30 minutes after the first one, even though nothing in the offense was updated (no second event caused offense generation). In this example, the second e-mail response is a false positive. |
24 May 2021 |
ROUTING RULES / EVENT FORWARDING | IJ21459 | ONLINE AND OFFLINE TCP SELECTIVE FORWARDING CAN LOSE AN EVENT DURING A CONNECTION RESET | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround: No workaround available. Issue: It has been identified that Online and Offline TCP selective forwarding can lose an event if the connection is reset at the remote end, because QRadar treats the event as already received. |
16 December 2019 |
CONTENT MANAGEMENT TOOL (CMT) | IJ21456 | CONTENT MANAGEMENT TOOL IMPORT CONTAINING A DELETED/DISABLED BULK ADD LOG SOURCE CAN FAIL | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround No workaround available. Issue It has been identified that a Content Management Tool (CMT) import with a deleted/disabled Bulk Add log source can fail with a null pointer exception. The following two conditions must be met:
[tomcat.tomcat] [] com.ibm.si.content_management.ContentCustom: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to apply custom logic. [tomcat.tomcat] java.lang.NullPointerException [tomcat.tomcat] at com.ibm.si.content_management.ContentCustom.importSensorDevice(ContentCustom.java) [tomcat.tomcat] at com.ibm.si.content_management.ContentCustom.importCustom(ContentCustom.java) [tomcat.tomcat] at com.ibm.si.content_management.Content.importCustomContent(Content.java) [tomcat.tomcat] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java) [tomcat.tomcat] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java) |
09 December 2019 |
APPLICATION FRAMEWORK | IJ21454 | ERROR "SSL.CERTIFICATEERROR: HOSTNAME '{IPADDRESS}' DOESN'T MATCH '{FQDN}'" WHEN APP-VOLUME-BACKUP.PY SCRIPT RUNS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround: Contact Support for a possible workaround that might address this issue in some instances. Issue: It has been identified that the app-volume-backup.py backup script can fail with an error similar to: ssl.CertificateError: hostname '{IP Address}' doesn't match '{FQDN}'. When this issue occurs, QRadar App data backups do not complete successfully. This occurs when the script makes its request by IP address but that IP address is not included in the Subject Alternative Name (SAN) of the customer's certificate. |
16 December 2019 |
REFERENCE SETS | IJ21446 | REFERENCE SETS INCORRECTLY DISPLAY " 0 " IN 'NUMBER OF ELEMENTS' AND 'ASSOCIATED RULES' | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Add a value (then remove it, if desired) to the Reference Set(s). This should repair the reference set tables involved and display the proper number of Elements or Rules associated. Issue: It has been identified that the "Associated Rules" column and the "Number of Elements" column in the Reference Set Management user interface can sometimes display " 0 " when there are rules and/or elements associated with the Reference Set. |
13 December 2019 |
REPORTS | IJ21445 | 'APPLICATION ERROR' WHEN MODIFYING REPORTS CREATED BY A DIFFERENT USER OR ASSIGNING REPORT TO A NEW GROUP | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround Either have the original user who created the report modify it without adding new groups, or, while modifying the report, unassign it from all existing groups. Issue It has been identified that an "Application Error" can be generated when clicking the "Finish" button during modification of Reports in certain scenarios.
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained SQL Exception [1/1]: You can't operate on a closed Statement!!! [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][-/- -]An exception occurred while processing the request: [tomcat.tomcat] [ /console/do/reportwizard] java.sql.SQLException: You can't operate on a closed Statement!!! [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java) [tomcat.tomcat] [ 
/console/do/reportwizard] at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.ActionServlet.process(ActionServlet.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java) [tomcat.tomcat] [ /console/do/reportwizard] at javax.servlet.http.HttpServlet.service(HttpServlet.java) [tomcat.tomcat] [ /console/do/reportwizard] at javax.servlet.http.HttpServlet.service(HttpServlet.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java) [tomcat.tomcat] [ /console/do/reportwizard] at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java) [tomcat.tomcat] [ /console/do/reportwizard] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [ /console/do/reportwizard] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [ /console/do/reportwizard] at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java) [tomcat.tomcat] [ /console/do/reportwizard] at java.lang.Thread.run(Thread.java) [tomcat.tomcat] [ /console/do/reportwizard] Caused by: [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961) [tomcat.tomcat] [ /console/do/reportwizard] ... 74 more [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause: [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java) [tomcat.tomcat] [ /console/do/reportwizard] at 
com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java) [tomcat.tomcat] [ /console/do/reportwizard] at org.apache.struts.action.ActionServlet.process(ActionServlet.java) |
06 December 2019 |
RULES | IJ21420 | QRADAR DEPENDENCY CHECKER SOMETIMES DOES NOT FIND DEPENDENT RULES OR BUILDING BLOCKS | OPEN: Reported in multiple QRadar versions | Workaround: Create a new rule test that includes the building block not being picked up by the QRadar dependency checker. Issue: It has been identified that the QRadar dependency checker does not find rules or building blocks referenced in a system rule if a newly added building block is added to an original rule test (instead of a new rule test). For example:
|
16 December 2019 |
RULES | IJ21352 | RULE NAMES IN 'LIST OF RULES CONTRIBUTING TO OFFENSE' CAN BE INCORRECT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround: Close the original offense after modifying the rule name. The next time the rule is triggered it creates a new offense that has the updated rule name in the list. Note: The offense name might be different based on what option for offense naming is chosen in the Rule Wizard. Issue: It has been identified that in some instances Rule Names in "List of Rules Contributing to Offense" are incorrect. For example:
|
12 July 2021 |
ROUTING RULES | IJ21347 | ROUTING RULES CAN FAIL TO WORK AS EXPECTED WHEN A HUNG THREAD DOES NOT RESTART AS EXPECTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround From an SSH command line session, restart the ecs-ec service manually using the following command: systemctl restart ecs-ec Issue It has been identified that in some instances an RPC call from the event collection service can fail to restart as expected. When this issue is occurring, routing rules can fail to work as expected until the ecs-ec service is restarted successfully. Messages similar to the following might be visible in QRadar logging when this issue occurs: "87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e owned by SelectiveForwardingStatisticsReportingTimer Id=89 at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.notifyDestinationChangeListener(SelectiveForwardingSetCache.java:591) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.messageReceived(SelectiveForwardingSetCache.java) at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java) at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129) "SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE (running in native) at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.socketRead(SocketInputStream.java) at java.net.SocketInputStream.read(SocketInputStream.java) at java.net.SocketInputStream.read(SocketInputStream.java) at com.ibm.jsse2.b.a(b.java:262) at com.ibm.jsse2.b.a(b.java:33) at com.ibm.jsse2.av.a(av.java:579) - locked java.lang.Object@47749733 at com.ibm.jsse2.av.i(av.java:574) - locked java.lang.Object@91bc8eee at com.ibm.jsse2.av.a(av.java:280) at com.ibm.jsse2.av.startHandshake(av.java:431) at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java) at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java) - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java) - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60 at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java) - locked com.ibm.net.ssl.www2.protocol.https.b@2111733 at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java) at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java) at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java) at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java) at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java) - locked java.util.HashMap@8607f58e at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator$1.run(SelectiveForwardingCommunicator.java) at java.util.TimerThread.mainLoop(Timer.java) at java.util.TimerThread.run(Timer.java) |
13 December 2019 |
LOG SOURCE GROUPS | IJ21333 | UNABLE TO DELETE LOG SOURCE GROUP DUE TO FAILED DEPENDENCY CHECK | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that in some instances Log Source groups cannot be deleted due to a dependency check failure caused by a customviewparams entry (SELECTIVE_FORWARDING-events-xxx) that uses the arielsearchlite class. This customviewparam does not have the proper database name structure. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] [pool-1-thread-5] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 104460 [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: java.lang.RuntimeException: Could not locate the configuration for ariel database null [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:682) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:369) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:363) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:358) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:353) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122) [tomcat.tomcat] [pool-1-thread-5] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-5] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-5] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-5] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-5] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-5] at java.lang.Thread.run(Thread.java:812) [tomcat.tomcat] [pool-1-thread-5] Caused by: [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: Could not locate the configuration for ariel database null [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielUtils.getProperties(ArielUtils.java:713) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.loadProperties(ArielSearchLite.java:897) [tomcat.tomcat] [pool-1-thread-5] at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:385) [tomcat.tomcat] [pool-1-thread-5] ... 16 more |
12 July 2021 |
DEPLOY CHANGES | IJ21674 | 'DEPLOY' FUNCTION CAN FAIL AFTER A CONFIGURATION RESTORE IS PERFORMED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312) QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue: The QRadar "deploy" function can fail after a configuration restore has been performed. These instances of "deploy" failure occur due to missing bandwidth_egress_filter database table entries during the restore process. Messages similar to the following might be visible in QRadar logging when this issue occurs: com.q1labs.frameworks.exceptions.FrameworksException: Failed to get next filter ID for hostID=677 and wildcard device at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:155) at com.q1labs.configservices.config.globalset.ibm.BandwidthManagerTransformer.updateDeploymentAQSConfig(BandwidthManagerTransformer.java:110) ... 80 more Caused by: com.q1labs.frameworks.exceptions.FrameworksException: Failed to execute query for next valid class ID at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.getNextValidFilterID(BandwidthConfigurationUtilities.java:942) at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:151) ... 81 more Caused by: {openjpa-2.4.3-r422266:1833086 nonfatal user error} org.apache.openjpa.persistence.ArgumentException: Cannot load object with id "com.q1labs.core.dao.bm.BandwidthEgressFilter-com.q1labs.core.dao.bm.BandwidthEgressFilterCompKey@b055f". Instance "com.q1labs.core.dao.bm.BandwidthEgressFilter@31a91e2c" with the same id already exists in the L1 cache. This can occur when you assign an existing id to a new instance, and before flushing attempt to load the existing instance for that id. |
12 April 2021 |
AQL | IJ21676 | QRADAR ERROR WHEN ATTEMPTING TO EXECUTE A LONG AQL QUERY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround The problem can be avoided by reducing the length of the search criteria used (e.g. reduce the number of "or" clauses). Issue: A QRadar error can occur when executing a long AQL query. An 'Application Error' can be generated in the QRadar User Interface when executing the AQL, and an API error can occur when the same query is run through the API. Messages similar to the following might be visible in /var/log/httpd/error.log when this issue occurs: [proxy_ajp:error] [pid 4251] ajp_msg_append_cvt_string(): BufferOverflowException 4 631 |
23 February 2022 |
RULES / APP CONTENT EXTENSIONS | IJ21677 | MODIFIED RULES FROM INSTALLED CONTENT PACK AND THEN UNINSTALLING CONTENT PACK CAUSES NULLPOINTEREXCEPTION | CLOSED | Workaround Closed as Permanent restriction. This APAR will be closed due to exclusion from current plans to remediate the issue within this generation of QRadar SIEM. While not guaranteed, issues such as this may be remediated in the next generation of QRadar SIEM. If you have further questions, please feel welcome to reach out to your support representative. Thank you for your understanding. Contact Support for a possible workaround that might address this issue in some instances. Issue: Rules that are modified after installing the content pack that contains them, and then uninstalling that content pack, can result in NullPointerException(s). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [Thread-127] com.q1labs.core.dao.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while unmarshalling rule id 500 from DB table custom_rule [ecs-ep.ecs-ep] [Thread-127] java.lang.NullPointerException [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java:299) [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1955) [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1974) [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(CREServices.java:1801) [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332) [ecs-ep.ecs-ep] [Thread-127] at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:225) |
02 January 2020 |
UPGRADE / APP FRAMEWORK | IJ21697 | DOCKER CAN FAIL TO START DURING QRADAR PATCHING PROCESSES | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue: In some instances, Docker can fail to start during the QRadar upgrade processes. When this occurs, QRadar Apps cannot be used or installed until the issue with Docker is corrected. |
02 January 2020 |
DECAPPER / SYSTEM | IJ21698 | QRADAR NETWORK INSIGHTS (QNI) DECAPPER CAN CRASH AND GENERATE A COREDUMP | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround No workaround available. Issue The QRadar Network Insights (QNI) decapper can crash and generate a coredump. These particular decapper coredump instances are related to a DTLS error. Support can analyze the coredump that is generated to further determine if this is the issue affecting the QNI decapper. Messages similar to the following might be visible in /var/log/messages and /var/log/qradar.log when this issue occurs: Example from messages log file where multiple core dump messages appear: [578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core [691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core [351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core [466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core [830]: Process 4891 (decapper) of user 99 killed by SIGABRT - dumping core [649]: Process 4823 (decapper) of user 99 killed by SIGABRT - dumping core [868]: Process 6960 (decapper) of user 99 killed by SIGABRT - dumping core [450]: Process 7803 (decapper) of user 99 killed by SIGABRT - dumping core [995]: Process 9482 (decapper) of user 99 killed by SIGABRT - dumping core Example from qradar.log: decapper - INFO - rtf for rtf0 died - return code: -6 decapper - INFO - Started rtf process for case rtf0 decapper: [main] decapper.keybag: [INFO] Reading keybag configuration...... decapper: [main] decapper.APPID: [INFO] Reading signature file.... decapper: [main] decapper.yara: [INFO] YaraRules: Reading rule file...... decapper: [main] decapper.yara: [WARN] YaraRules: Config file is empty.
decapper: [main] decapper: [INFO] rtf0: Processing napatech [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to ACTIVE decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(1938480, 32297/sec), Octets(909349284, 15150791/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec)) decapper: [] decapper.capture: [INFO] rtf1: [1] Content Scan Stats 60 sec: Requests(8873, 147/sec) Throttled(0, 0/sec) Filtered(2, 0/sec) decapper: [] decapper.capture: [INFO] rtf1: [1] Flow Report Stats 60 sec: Std(33000, 549/sec, 10406 unique) Content(32041, 533/sec) Dropped(0, 0/sec) |
02 January 2020 |
API | IJ22370 | TRAFFICANALYSIS API IN QRADAR CAN GENERATE ERROR 'CODE: 500 MESSAGE: UNEXPECTED INTERNAL SERVER ERROR' | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround: No workaround available. Issue: The QRadar TrafficAnalysis API can fail with an error similar to {"http_response": {"code": 500, "message": "Unexpected internal server error"}, "code": 1020, "description": "An error occurred during the attempt to update the Autodetection Config Record.", "details": {}, "message": "An error occured while trying to update the Autodetection Config Record with id: 513"} Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] Caused by: [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] java.lang.IllegalArgumentException: Parameter position 1 is not declared in query "select MIN(a.taOrder) from TrafficAnalysisConfigRecord a where a.taOrder > 10000 and 0 = (select COUNT(b) from TrafficAnalysisConfigRecord b where b.taOrder = a.taOrder + 1)". Declared parameter keys are "[]". [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at org.apache.openjpa.persistence.AbstractQuery.getParameter(AbstractQuery.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.q1labs.frameworks.session.JPASessionDelegate.namedQueryForSingleResult(JPASessionDelegate.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.q1labs.core.dao.qidmap.TrafficAnalysisConfigRecord.getTAConfigRecordForTAConfigRecordPrecedence(TrafficAnalysisConfigRecord.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.ibm.si.data_ingestion.api.impl.trafficanalysis.validation.TrafficAnalysisConfigRecordValidator.validatePrecedence(TrafficAnalysisConfigRecordValidator.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updatePrecedence(TrafficAnalysisAPIImpl.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecordWithoutNotificationMask(TrafficAnalysisAPIImpl.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecord(TrafficAnalysisAPIImpl.java) [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] ... 68 more |
05 February 2020 |
RULES / PERFORMANCE | IJ22342 | QRADAR USER INTERFACE RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround: No workaround available. Issue The QRadar User Interface "Rules" page can take over 20 seconds to populate due to multiple inefficiencies in how the data needed for the Rules page is gathered/loaded. |
23 February 2022 |
SEARCH | IJ22156 | 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT' DURING ARIEL SEARCHES IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137) Workaround: No workaround available. Instances of these specific NullPointerException errors generated during Ariel searches have been investigated and found to be benign. Issue: A 'Runtime exception processing request Get query status - QueryStatusWait' error can be generated while Ariel searches are running. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=e253ffee-2feb-4b96-89f5-825e4fa86ca3, waitMillis=0]: u=admin [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] java.lang.NullPointerException [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:278) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:49444] at java.lang.Thread.run(Thread.java) |
30 May 2022 |
PROTOCOL INSPECTOR / QRADAR NETWORK INSIGHTS (QNI) | IJ22087 | SOME SMTP AND FTP FLOWS RECEIVED BY QRADAR NETWORK INSIGHTS (QNI) MISCLASSIFIED AS IRC TRAFFIC | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue: Some SMTP and FTP flows received by QRadar Network Insights (QNI) are being misclassified as IRC traffic. The application "determination algorithm" for these flows displays as "QNI Inspectors". |
17 January 2020 |
DEPLOY CHANGES | IJ22083 | 'DEPLOY' BUTTON DOES NOT FUNCTION FROM THE 'ADMIN TAB > DATA SOURCES > EVENTS' WINDOW | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Navigate to another User Interface window that prompts for the Deploy changes to be performed. Issue When in the Admin > Data Sources > Events view, the Deploy changes button does not function. |
17 January 2020 |
SEARCH | IJ22001 | SEARCHES CAN CAUSE A RUNTIME EXCEPTION WITH A NULLPOINTEREXCEPTION GENERATED IN QRADAR LOGGING | OPEN: Reported in QRadar 7.3.2 Patch 3 | Workaround: No workaround available. Issue: In some instances, searches performed within QRadar can generate a NullPointerException in QRadar logging similar to: [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=7b08480a-770f-4a0d-942f-f214e5f88660, waitMillis=0]: u=admin [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] java.lang.NullPointerException [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:35464] at java.lang.Thread.run(Thread.java) |
31 January 2020 |
FLOWS | IJ21982 | FLOWS CAN CONTAIN INCORRECT VALUES FOR PACKET TIMES, IP ADDRESSES, PROTOCOLS, SIZE, SOURCE OR DESTINATION PORT | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround Restarting the qflow process on the affected QRadar Console, Flow Processor or Flow Collector rectifies this behavior temporarily, but it can recur: systemctl restart qflow Note: Restarting the qflow service interrupts flow collection while the process restarts. Issue: Flows can carry an incorrect first packet time or unusual IP addresses, protocol values and byte counts. The source bytes or destination bytes display as either 4G in size or 0, and the source and destination ports display as 0. This behavior has predominantly been observed in flows received from QRadar Network Insights appliances. |
14 January 2020 |
GEOGRAPHIC DATA | IJ21884 | GEODATA UPDATES NO LONGER OCCURRING WITH '401 UNAUTHORIZED AT /OPT/QRADAR/BIN/GEOIPUPDATE-PUREPERL.PL' IN QRADAR LOGGING | CLOSED | Closed as documentation error. Workaround: Sign up for a MaxMind account and configure the QRadar system settings with it. For more information, see: Configuring a MaxMind account for geographic data updates (APAR IJ21884). Issue: QRadar geographic updates for GeoLite2-City.mmdb can fail to be obtained and installed from maxmind.com because the default user ID and license key used within QRadar no longer log in. To verify whether this issue occurs, run the geodata update command on the QRadar Console command line: /opt/qradar/bin/geodata_update.sh Messages similar to the following are displayed: 401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh> line 37 |
06 January 2020 |
SEARCH | IJ21739 | 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS | OPEN: Reported in QRadar 7.3.2 Patch 2 | Workaround: Enable store payload in the Log Sources. Issue: Using the 'Payload Contains' AQL filter generated from a basic search generates an illegal argument exception and returns incorrect search results when compared with the results of the basic search. For example: Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507): java.lang.IllegalArgumentException at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java) at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java) at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java) at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java) |
31 December 2019 |
AQL CUSTOM PROPERTIES | IJ21723 | AQL PROPERTY WITH FUNCTION CONTAINING MULTIPLE ARGUMENTS CANNOT BE USED AS AN AGGREGATED PROPERTY IN THRESHOLD RULE CREATION | OPEN: Reported in QRadar 7.3.2 Patch 2 | Workaround: No workaround available. Issue: An AQL property that has a function with multiple arguments cannot be selected as an aggregated property in a Threshold Rule in the Rule Wizard page. For example, the following AQL is stored as a saved search and a threshold monitoring rule is created on it: SELECT sourceip, SUM(LONG("eventcount") + LONG("sourceport")) AS total FROM events GROUP BY sourceip LAST 5 MINUTES When the aggregation has two components that are summarized in one value (as above), the Rule Wizard is unable to select it and fails to save the rule configuration. The rule can be saved and works successfully when there is only a single aggregated parameter, such as SUM(LONG("eventcount")) |
02 January 2020 |
LOG SOURCES | IJ21722 | AUTO DISCOVERED LOG SOURCES ARE NOT AUTO DISCOVERED AGAIN IF DELETED USING THE LOG SOURCE MANAGEMENT APP | CLOSED | Resolved in: QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround Note: The QRadar UI only becomes available again after all required processes are running as expected once a "Restart Web Server" has been completed. Issue Using the Log Source Management App to delete a Log Source causes it to not be auto discovered again. |
19 December 2019 |
SYSTEM NOTIFICATIONS | IJ21721 | REPEATED SYSTEM NOTIFICATION MESSAGES FROM MANAGED HOST(S) INDICATING SYNCHRONIZATION TO CONSOLE 'TLSDATE TIMED OUT' | OPEN: Reported in multiple QRadar versions | Workaround: Contact Support for a possible workaround that might address this issue in some instances. Issue: Repeated System Notifications can be generated from Managed Hosts regarding time synchronization to the QRadar Console. time_sync.sh reports 'tlsdate timed out' when httpd on the Console does not respond within 5 seconds. This issue can generate a large number of events if communication to the QRadar Console is unavailable for a period of time. The notification is similar to: [hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate timed out |
19 December 2019 |
APP HOST | IJ21720 | QRADAR APP HOST CANNOT BE REMOVED FROM THE DEPLOYMENT IF ALL APPS HAVE BEEN UNINSTALLED | CLOSED | Closed as permanent restriction. Workaround Administrators can install at least one app and migrate it to the Console, so that the App Host appliance can be removed. Issue A QRadar App Host cannot be removed from the Deployment if all Apps have been uninstalled. The option Admin > System and License Management > highlight app host > Deployment Actions > 'Remove Host' is grayed out. |
29 July 2020 |
RULES / QRADAR ON CLOUD | IJ21717 | QRADAR ON CLOUD USERS ARE UNABLE TO DELETE ANOMALY DETECTION ENGINE RULES | CLOSED | Resolved in QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104) Workaround: Contact Support and request them to delete the appropriate ADE rule. QRadar on Cloud users with appropriate rights assigned are not able to delete Anomaly Detection Engine (ADE ) rules. Users are able to delete other rule types, but no pop-up window is displayed when attempting to delete an ADE rule. |
02 January 2020 |
TOPOLOGY / QRADAR RISK MANAGER (QRM) | IJ21704 | SUBNETS CAN INTERMITTENTLY APPEAR AND DISAPPEAR ON THE QRADAR RISK MANAGER TOPOLOGY SCREEN | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround Contact Support for a possible workaround that might address this issue if you are unable to upgrade to resolve this issue through a fix pack update. Issue Subnets can appear and disappear intermittently on the QRadar Risk Manager Topology screen. |
19 December 2019 |
HIGH AVAILABILITY (HA) | IJ21703 | ADDED OR EDITED NTP SERVER SETTINGS ARE NOT IMPLEMENTED ON HIGH AVAILABILITY (HA) STANDBY APPLIANCE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Restart the chrony service manually from an SSH command line on the affected HA standby appliance: systemctl restart chronyd Issue After adding or updating an NTP server in QRadar for a High Availability (HA) appliance (using the steps in System and License Management on the Active HA appliance), the chrony service on the HA Standby appliance must be restarted for the chrony configuration change to take effect. |
26 November 2020 |
DATA OBFUSCATION | IJ21702 | UNABLE TO ADD NEW DATA OBFUSCATION EXPRESSION TO AN EXISTING DATA OBFUSCATION PROFILE | OPEN: Reported in QRadar 7.3.2 Patch 4 | Workaround: Result: the new obfuscation expression should be added. Issue: Users might be unable to add a new Data Obfuscation expression to an existing obfuscation profile in QRadar environments with a very large number of Log Sources. The error message generated in the QRadar User Interface is similar to: java.lang.NumberFormatException: empty String Example of steps that lead to this issue: |
02 January 2020 |
LOG ACTIVITY / NETWORK ACTIVITY | IJ21700 | REGEX ' + ' (PLUS) SYMBOL TO MATCH ONE OR MORE OF ANYTHING IS HIDDEN AFTER FILTER IS APPLIED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) Workaround: No workaround available. Issue: After a filter is applied, the regex expression \w+ is displayed in 'Add Filter' as \w and not \w+ . For example: |
19 December 2019 |
USERS | IJ20771 | UNABLE TO REASSIGN CUSTOM EVENT PROPERTY TO ANOTHER USER WHEN DELETING A USER | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround No workaround available. If the user needs to be deleted, you have to delete the Custom Event Property not reassign it. Issue It has been identified that when trying to delete a non admin/admin user who has a Custom Event Property, you cannot reassign that Custom Event Property to another user. The page hangs at the dependency reassign and does not reassign the Custom Event Property successfully. |
16 November 2020 |
SYSLOG REDIRECT | IJ03249 | AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS | Closed as program error. | It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol, can have incorrect Log Source Identifiers listed due to a regex issue used within the Protocol. The issue is resolved with the following version of the Syslog Redirect RPM: | 13 November 2019 |
UPGRADE | IJ00366 | APPLYING A QRADAR .SFS PATCH CAN FAIL WHEN WGET HAS A PROXY SERVER CONFIGURED | OPEN: Reported in QRadar 7.3.2 Patch 4 | Workaround: Via an SSH session to the QRadar Console, temporarily disable the wget proxy settings in /etc/wgetrc. Issue: It has been identified that the check_undeployed script used within the QRadar patch framework can fail when a proxy server is configured for wget to use. The check_undeployed script attempts to reach localhost through that proxy and fails. Messages similar to the following might be visible in /var/log/setup-7.x.x.../patches.log when this issue occurs: Verifying if there are any un-deployed changes... ERROR: Could not determine undeployed changes, response was invalid. --2018-03-28 12:11:34-- https://127.0.0.1/console/services/configservices?method=hasUndeployedChanges Connecting to {proxyIP:port}... connected. Proxy tunneling failed: Service UnavailableUnable to establish SSL connection. An error was encountered attempting to process patches. Please contact customer support for further assistance. |
29 March 2018 |
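The IJ00366 workaround above is a manual edit of /etc/wgetrc before the patch and a manual revert afterwards. The following is an added example, written for this page and not IBM code, that performs the same edit reversibly: it comments out the http_proxy, https_proxy and ftp_proxy directives (the standard wgetrc keys; that these are the only directives that matter is an assumption), keeps a .pre-patch copy of the file, and restores it afterwards. It also lists proxy variables in the environment, which wget honours as well and which the APAR text does not mention.

```python
"""Apply and undo the IJ00366 workaround on /etc/wgetrc.

Added example, not part of the QRadar APAR page and not IBM code.
Assumptions: the proxy directives are the standard wgetrc keys
http_proxy / https_proxy / ftp_proxy; a .pre-patch copy of the file is an
acceptable place to keep the original while the .sfs patch runs.
"""
import os
import re
import shutil

# Matches an active (uncommented) proxy directive such as "https_proxy = http://proxy:3128/".
PROXY_KEY = re.compile(r"^\s*(https?_proxy|ftp_proxy)\s*=", re.IGNORECASE)
MARK = "# IJ00366 disabled: "


def disable_proxy_lines(text):
    """Comment out proxy directives in wgetrc text; returns (new_text, number_disabled)."""
    out, disabled = [], 0
    for line in text.splitlines(keepends=True):
        if PROXY_KEY.match(line):
            out.append(MARK + line)
            disabled += 1
        else:
            out.append(line)
    return "".join(out), disabled


def restore_proxy_lines(text):
    """Undo disable_proxy_lines on the text itself (the file backup is the primary undo)."""
    return "".join(
        line[len(MARK):] if line.startswith(MARK) else line
        for line in text.splitlines(keepends=True)
    )


def active_proxy_directives(text):
    """Proxy directives wget would still honour; empty means 127.0.0.1 is reached directly."""
    return [line.strip() for line in text.splitlines() if PROXY_KEY.match(line)]


def env_proxy_vars(environ=os.environ):
    """Proxy variables set in the calling environment (wget reads these too)."""
    return sorted(k for k in environ if k.lower() in ("http_proxy", "https_proxy", "ftp_proxy"))


def disable_wget_proxy(path="/etc/wgetrc"):
    """Back up the file once, then comment out its proxy directives. Returns count disabled."""
    backup = path + ".pre-patch"
    if not os.path.exists(backup):
        shutil.copy2(path, backup)
    with open(path) as fh:
        new_text, disabled = disable_proxy_lines(fh.read())
    with open(path, "w") as fh:
        fh.write(new_text)
    return disabled


def restore_wget_proxy(path="/etc/wgetrc"):
    """Put the pre-patch file back after the .sfs patch has completed."""
    backup = path + ".pre-patch"
    if os.path.exists(backup):
        shutil.move(backup, path)


if __name__ == "__main__":
    # Constructed wgetrc content standing in for /etc/wgetrc (not a real file from a console).
    sample = "https_proxy = http://proxy.example.net:3128/\ntimeout = 30\n"
    patched, n = disable_proxy_lines(sample)
    print(n, "directive(s) disabled; still active:", active_proxy_directives(patched))
    print("proxy variables in environment:", env_proxy_vars())
```

Run disable_wget_proxy() before applying the .sfs patch and restore_wget_proxy() once patches.log reports success; if env_proxy_vars() is non-empty, unset those variables in the same SSH session, since the wgetrc edit alone does not cover them.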
UPGRADE / SCANNER | IJ10746 | QRADAR UPGRADE CAN HANG IF IT'S UNABLE TO REACH A CONFIGURED SCANNER OVER THE INTERNET | CLOSED | Closed as Permanent restriction. Contact Support for a possible workaround that might address this issue in some instances. It has been identified that a QRadar upgrade can hang at message: 'System upgrade is in progress - DO NOT REBOOT or shutdown now!' if the QRadar upgrade process is unable to reach an internet configured scanner. QRadar attempts to retrieve a certificate during the upgrade and if internet connectivity is not allowed, the upgrade cannot reach the external scanner to complete the process. |
09 December 2019 |
API / OFFENSES | IJ05914 | OFFENSE API DOES NOT RETURN EXPECTED OFFENSES WHEN USING "ID" AND "INACTIVE" FIELD IF OFFENSE ACTIVE_CODE IS 'DORMANT' | CLOSED | Resolved in: QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Workaround Issue It has been identified that the Offense API does not return all expected offenses when filtering on the "id" and "inactive" fields while the offense active_code is set to "dormant" in the database. To illustrate, users can compare API results to the QRadar database: qradar=# select count(*) from offense; count ------- 1515 (1 row) qradar=# select count(*) from offense where active_code=1; count ------- 0 (1 row) qradar=# select count(*) from offense where active_code=2; count ------- 148 (1 row) qradar=# select count(*) from offense where active_code=3; count ------- 1367 (1 row) API results display: status = open returns 149 status = closed returns 1366 status="OPEN" and inactive=true returns 1 status="OPEN" and inactive=false returns 0 Using inactive = false gives incorrect results. The active code value in the User Interface can be: |
09 December 2019 |
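The comparison in the IJ05914 entry can be turned into a repeatable check: the offenses returned for status="OPEN" must equal the sum of those returned for inactive=true and inactive=false, and on the page's figures (149 against 1 + 0) 148 offenses are unaccounted for. The following is an added example for this page, not IBM code and not from the APAR: it runs the three filters against the Offense API and reports the gap. Assumptions: the console is reached at a base URL with an authorized-service token in the SEC header and a Version header (the usual QRadar REST conventions); the endpoint is /api/siem/offenses; the API version string should be one your console advertises.

```python
"""Reconcile Offense API partition counts (IJ05914 check).

Added example, not IBM code and not from the APAR page. Assumptions:
QRadar REST endpoint /api/siem/offenses, SEC-token authentication, and an
API version your console supports (12.0 is a placeholder).
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

# The three filters compared on the APAR page; the last two should partition the first.
FILTERS = {
    "open": 'status="OPEN"',
    "open_inactive": 'status="OPEN" and inactive=true',
    "open_active": 'status="OPEN" and inactive=false',
}


def fetch_offenses(base_url, token, filter_expr, api_version="12.0"):
    """GET /api/siem/offenses with a filter; returns the decoded JSON list."""
    query = urllib.parse.urlencode({"filter": filter_expr, "fields": "id,status,inactive"})
    req = urllib.request.Request(
        f"{base_url}/api/siem/offenses?{query}",
        headers={"SEC": token, "Version": api_version, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def partition_counts(offenses_by_filter):
    """Map each filter name to the number of offenses it returned."""
    return {name: len(rows) for name, rows in offenses_by_filter.items()}


def partition_gap(counts):
    """OPEN offenses returned by neither inactive=true nor inactive=false.
    0 means the API partitions cleanly; a positive value is the IJ05914 signature."""
    return counts["open"] - (counts["open_inactive"] + counts["open_active"])


def tally(offenses):
    """Count offenses by (status, inactive) from one pull, the API-side
    counterpart of the per-active_code SQL counts shown on the page."""
    return Counter((o["status"], bool(o.get("inactive"))) for o in offenses)


def reconcile(base_url, token):
    """Run all three filters against a live console; returns (counts, gap)."""
    by_filter = {name: fetch_offenses(base_url, token, expr) for name, expr in FILTERS.items()}
    counts = partition_counts(by_filter)
    return counts, partition_gap(counts)


if __name__ == "__main__":
    # Constructed sample standing in for an API response (not real offense data).
    sample = [
        {"id": 1, "status": "OPEN", "inactive": True},
        {"id": 2, "status": "OPEN", "inactive": False},
        {"id": 3, "status": "OPEN", "inactive": False},
        {"id": 4, "status": "CLOSED", "inactive": False},
    ]
    print(dict(tally(sample)))
    # Figures quoted in the APAR text: 149 open, 1 inactive=true, 0 inactive=false.
    print("OPEN offenses hidden by the inactive filter:",
          partition_gap({"open": 149, "open_inactive": 1, "open_active": 0}))
```

Call reconcile("https://console.example", token) from a host that can reach the console; a non-zero gap on a version listed as affected is the APAR, and a non-zero gap on a fixed version is worth a new support case rather than a filter tweak.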
SYSTEM NOTIFICATIONS | IJ20362 | 'SAR SENTINEL: THRESHOLD CROSSED FOR DRBD0' SYSTEM NOTIFICATIONS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that QRadar can report "SAR Sentinel: Threshold crossed for drbd0" system notifications for managed hosts in a High Availability (HA) pair. Investigation has determined that these messages can be excessively and erroneously generated due to a change made within the fix for APAR IJ06526. |
09 December 2019 |
SEARCH / SERVICES | IJ21718 | ARIEL SEARCHES FAIL AND EVENTS ARE NOT PROCESSED/WRITTEN TO DISK WHEN A CONCURRENT MODIFICATION EXCEPTION OCCURS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) QRadar 7.3.3 Patch 1 Interim Fix 01 (7.3.3.20191220154048) QRadar 7.3.2 Patch 5 Interim Fix 01 (7.3.2.20191220232616) Workaround A flash notice has been issued for APAR IJ21718. For more information, see: QRadar: Custom property concurrency can cause search and ariel data loss (APAR IJ21718). Administrators can complete a Deploy Full Configuration to force a service restart until an interim fix is available on IBM Fix Central. Issue An uncaught ConcurrentModificationException can occur within the QRadar Ariel Writer thread. When this occurs, events received into QRadar fail to be processed and written to disk, and failure exceptions occur during ariel/event searches within QRadar. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [Ariel Writer#events] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events [ecs-ep.ecs-ep] [Ariel Writer#events] java.util.ConcurrentModificationException [ecs-ep.ecs-ep] [Ariel Writer#events] at gnu.trove.TPrimitiveIterator.nextIndex(TPrimitiveIterator.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at gnu.trove.TIterator.hasNext(TIterator.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1100(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecord(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(ScatteringDatabaseWriter.java) [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.java) [ecs-ep.ecs-ep] [Ariel Writer#events] java.lang.Thread.run(Thread.java) |
19 December 2019 |
APPLICATION SIGNATURES / QRADAR NETWORK INSIGHTS | IJ20455 | FALSE POSITIVE MATCHES FOR SIGNATURES CAN OCCUR AS QRADAR NETWORK INSIGHTS (QNI) CAN SKIP SRC/DST PORT SPECIFIERS IN SIGNATURE.XML | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that QRadar Network Insights' processing of signatures.xml skips the srcPort / dstPort specifiers. Without the port constraint, some signatures match traffic they were not written for, producing false positive application matches. |
09 December 2019 |
ASSETS / UPGRADE | IJ20458 | QRADAR PATCH AND OR REPLICATION PROCESS CAN FAIL WHEN MULTIPLE DUPLICATED ASSET.ASSETVIEW DATA EXISTS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that a QRadar patch and/or the replication process can fail when more than one asset.assetview database entry with the same (domain_id, network_addr, ipv6) values exists on the Console. |
09 December 2019 |
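The failing condition in IJ20458 is precise enough to check for before a patch: more than one asset.assetview row sharing (domain_id, network_addr, ipv6). The following is an added example written for this page, not IBM code and not from the APAR: it expresses that condition as a GROUP BY ... HAVING query, runs it through psql on the Console, and also provides an offline equivalent over exported rows. Assumptions: the Console's PostgreSQL is reachable as user qradar, database qradar (adjust if your console differs); network_addr and ipv6 are compared as the strings psql prints, so an empty ipv6 is treated as one value.

```python
"""Find duplicate asset.assetview rows (IJ20458 pre-patch check).

Added example, not IBM code and not from the APAR page. Assumptions:
psql on the Console accepts -U qradar -d qradar; the column names
domain_id, network_addr and ipv6 are those named in the APAR text.
"""
import subprocess
from collections import Counter

# The APAR's failing condition, stated as a query.
DUPLICATE_QUERY = (
    "SELECT domain_id, network_addr, ipv6, count(*) "
    "FROM asset.assetview "
    "GROUP BY domain_id, network_addr, ipv6 "
    "HAVING count(*) > 1;"
)


def parse_psql_rows(text):
    """Parse psql -t -A -F'|' output into (domain_id, network_addr, ipv6, count) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain_id, network_addr, ipv6, count = line.split("|")
        rows.append((int(domain_id), network_addr, ipv6, int(count)))
    return rows


def run_on_console(query=DUPLICATE_QUERY, user="qradar", db="qradar"):
    """Run the duplicate query through psql on the Console (-t -A -F'|' gives bare rows)."""
    result = subprocess.run(
        ["psql", "-U", user, "-d", db, "-t", "-A", "-F", "|", "-c", query],
        check=True, capture_output=True, text=True,
    )
    return parse_psql_rows(result.stdout)


def find_duplicates(assetviews):
    """Offline equivalent of DUPLICATE_QUERY over dicts with domain_id,
    network_addr and ipv6 keys; returns {triple: occurrences} for repeats only."""
    groups = Counter((a["domain_id"], a["network_addr"], a["ipv6"]) for a in assetviews)
    return {key: n for key, n in groups.items() if n > 1}


def patch_safe(assetviews):
    """True when no (domain_id, network_addr, ipv6) triple repeats."""
    return not find_duplicates(assetviews)


if __name__ == "__main__":
    # Constructed rows standing in for an asset.assetview export (not real asset data).
    rows = [
        {"domain_id": 0, "network_addr": "10.0.0.5", "ipv6": ""},
        {"domain_id": 0, "network_addr": "10.0.0.5", "ipv6": ""},
        {"domain_id": 0, "network_addr": "10.0.0.6", "ipv6": ""},
    ]
    print("duplicates:", find_duplicates(rows), "patch safe:", patch_safe(rows))
    print("query to run on the Console:", DUPLICATE_QUERY)
```

Run run_on_console() on the Console before starting the patch; any row it returns is a triple that the APAR says can stop the patch or replication, and the rows should be resolved with Support rather than deleted blind, since the asset model references them.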
VULNERABILITY SCANS | IJ21607 | VULNERABILITY MANAGER (QVM) SCANS CAN STAY AT 100% AND NEVER COMPLETE | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Vulnerability Manager scans can stay in the running state at 100% and never go to a Stopped state. Due to a timing issue, two threads try to determine if they are the last tool to run within a job and the jobtracking endtime never gets set, and the scan never finishes. When this occurs, the vulnerability data does not get sent to the asset DB, vulnerability counts remain at zero on screen, and the scan duration keeps increasing even though the scan has finished. |
19 December 2019 |
WINCOLLECT | IV99859 | WINCOLLECT AGENTS ARE DOWNGRADED TO VERSION 7.2.3 AFTER A CONFIGURATION RESTORE ON THE QRADAR CONSOLE | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 1 (7.3.3.20191203144110) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Issue It has been identified that WinCollect agents that have been upgraded above version 7.2.3 are downgraded to version 7.2.3 after performing a Configuration Restore of QRadar 7.2.8. This is caused by the older WinCollect 7.2.3 agent core files being installed when the Config Restore is performed. |
09 December 2019 |
SYSTEM NOTIFICATIONS / LICENSE | IJ07448 | 'THE APPLIANCE EXCEEDED THE EPS OR FPM ALLOCATION WITHIN THE LAST HOUR' MESSAGES CAN BE CAUSED BY HEALTH METRICS EVENTS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) Issue It has been identified that System Notifications similar to 'The appliance exceeded the EPS or FPM allocation within the last hour' can sometimes be caused by Health Metrics events generated/processed by QRadar. System Notifications generated by the increased number of Health Metric events in QRadar 7.3.1, are false positives. QRadar is not properly calculating the license giveback for Health Metric events in relation to EPS/FPM license warning System Notifications. |
09 December 2019 |
BACKUP / RESTORE | IJ14189 | DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS | CLOSED | Resolved in QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that data backups can fail when a backend ps command hangs. QRadar system notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd' [hostcontext.hostcontext] [Backup] java.lang.InterruptedException [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method) [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java) [hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(BackupUtils.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(BackupRecoveryEngine.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.run(BackupRecoveryEngine.java) [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh /opt/qradar/bin/determine_partition.sh /store/backup/store/tmp/backup/determine_partition' if exists |
09 December 2019 |
BURST DATA / EVENT COLLECTORS | IJ12229 | EVENT COLLECTORS CAN EXPERIENCE PIPELINE PERFORMANCE ISSUES DUE TO NOT HAVING AN APPLIANCE CAPABILITY CONFIGURED | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Issue It has been identified that Event Collectors (EC) do not have an appliance level capability set. Because of this, QRadar pipeline processes are not protected from bursts in the incoming event rate (EPS). Event Collectors inherit their licensing limits from the connected Event Processor (EP), and EPs frequently have a much higher capability and license than an EC can handle. The lack of appliance capability limitations being configured for ECs can expose them to pipeline performance issues. |
09 December 2019 |
FORWARDED EVENTS / NETWORK | IJ18585 | SOME FORWARDED EVENTS CAN FAIL TO FORWARD SUCCESSFULLY WHEN A CONNECTION DROP OCCURS TO THE EVENT FORWARDING RECEIVER | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that a network device can sometimes break the long connection between QRadar and a configured event forward target. Some events are not forwarded prior to the connection being recovered. Warning messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-15 15:50:20.0368 [ |
09 December 2019 |
DSM EDITOR | IJ19112 | DIFFERENCES IN HOW DSM EDITOR PARSES VERSUS HOW THE PIPELINE PARSES CAN PREVENT PROPER DSM EDITOR REGEX WRITING/TESTING | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that the DSM editor parses differently versus the pipeline due to a trailing LF (line feed) or a space contained in payloads. These differences in parsing behavior can inhibit the proper writing and testing of regex when using the DSM Editor. |
09 December 2019 |
AUTHENTICATION (LDAP) / ACCESS | IJ13595 | LDAP LOGINS CAN FAIL IF PAGINATION IS DISABLED FOR BIND USERS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Workaround Enable paging for the bind user, or change the bind user to one that has paging allowed. Issue It has been identified that QRadar LDAP logins can fail if pagination is disabled for the bind user. In the LDAP authentication setup, the test connection to the backend server succeeds. If group authentication is used, the group load fails. |
09 December 2019 |
LOG SOURCES / LOG SOURCE MANAGEMENT APP | IJ15429 | TOMCAT OUT OF MEMORY CAN OCCUR WHEN PERFORMING AN ENABLE OR DISABLE OF A LOG SOURCE | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that performing an enable or disable of a Log Source using either the API (Log Source Management App) or the legacy Log Source management page can sometimes cause a tomcat out of memory in QRadar environments with a very large number of Log Sources. |
09 December 2019 |
OFFENSES | IJ16002 | THE OFFENSE PAGE IN THE QRADAR USER INTERFACE CAN BE SLOW TO OPEN AFTER PATCHING TO QRADAR 7.3.2 | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Issue It has been identified that after patching to QRadar 7.3.2, that opening the Offense page in the QRadar User Interface can take longer than expected. |
09 December 2019 |
EVENT LOGS / TRAFFIC ANALYSIS | IJ21155 | EXCESSIVE LOGGING OF MESSAGE 'TRAFFIC ANALYSIS WILL CREATE NEW DEVICES WITH EVENT COALESCING TURNED ON' | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Workaround: You can turn off logging for the TrafficAnalysisFilter class from the command line of the QRadar Console to prevent it from filling the logs. Issue: It has been identified that excessive logs similar to the following might be visible in /var/log/qradar.log: [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event payload storage turned on [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event coalescing turned on |
28 November 2019 |
CUSTOM PROPERTIES / SYSTEM NOTIFICATIONS | IJ15775 | REGEXMONITOR FEATURE CAN SOMETIMES DISABLE CUSTOM PROPERTIES WITHOUT ANY SYSTEM NOTIFICATION | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that the RegexMonitor feature, which is designed to automatically disable expensive custom properties to prevent performance issues, can sometimes disable inexpensive custom properties without generating a System Notification. |
09 December 2019 |
DASHBOARD / USER INTERFACE | IJ18066 | QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO TOMCAT TXSENTRY WHEN USING 'TOP CATEGORY TYPES' DASHBOARD ITEM | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that in some instances the "Top Category Types" Dashboard item can lead to a TXSentry killing the tomcat process. When this occurs, the QRadar User Interface can become inaccessible. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: TX on host 1console_ip: pid=5919 age=616 IP=127.0.0.1 port=40362 locks=42 query='SELECT id, parent_id, category_name, chain_name, offense_count, attacker_count, target_count, event_count, start_time, end_time FROM category_type_summary_proc(323, true, '1,2') WHERE parent_id NOT IN(10000,11000,14000) AND id NOT IN(10000,11000,14000) AND MOD(id, 1000)<>0 ORDER BY offense_count desc LIMIT 5 ' |
09 December 2019 |
RULES / USER INTERFACE | IJ17357 | HTTP 504 ERROR IN QRADAR USER INTERFACE WHEN SELECTING CUSTOM RULES OR WHEN OPENING RULES IN THE RULE WIZARD | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that in some instances selecting or opening a custom rule from the Rule Wizard can fail with a 504 error being generated in the QRadar User Interface window. This can occur if you have a large number of reference data elements. |
09 December 2019 |
APPLICATION FRAMEWORK | IJ21495 | QRADAR APPS CAN GO OUT OF MEMORY DUE TO A RHEL KERNEL BUG WITH DENTRY SLAB CACHE | CLOSED | Resolved in: QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that in some instances QRadar Apps can experience out of memory occurrences due to a Red Hat Enterprise Linux (RHEL) kernel bug with the dentry slab cache where kernel memory does not get freed as expected. For more information, see: https://access.redhat.com/solutions/55818 |
09 December 2019 |
ROUTING RULES / OFFLINE FORWARDER | IJ18101 | CUSTOM AQL EVENT/FLOW PROPERTIES WHILE USING OFFLINE FORWARDER WITH JSON FORWARDED DESTINATIONS CAN CAUSE PERFORMANCE ISSUES | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) It has been identified that QRadar environments with custom AQL Event/Flow properties can experience system performance issues with offline forwarder when using JSON forwarded destinations after 7.3.2 p2 upgrade. |
09 December 2019 |
UPGRADE / SNMP | IJ17204 | ECS-EP PROCESS FAILS TO START AFTER PATCHING TO QRADAR 7.3.2 (OR LATER) WHEN CUSTOM SNMP TRAP EVENTS WERE CONFIGURED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that the ecs-ep service can fail to start after patching to QRadar 7.3.2 when custom SNMP trap events were configured. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.io.FileNotFoundException: /opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.snmp.xml (No such file or directory) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.open(FileInputStream.java:212) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream. |
09 December 2019 |
OFFENSES | IJ16819 | OFFENSES CAN FAIL TO GENERATE AND/OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that Offenses can fail to generate and/or Offense data can fail to update when a username or hostname in an asset exceeds 255 characters. When this issue occurs, the magistrate (MPC) continuously attempts to recover and repeatedly experiences a TX Sentry reported in /var/log/qradar.log with entries similar to: 'Multiple (101) TX's found, attempting recovery' Messages similar to the following might be visible in qradar-sql.log when this issue occurs: postgres[49684]: [3-1] ERROR: value too long for type character varying(255) postgres[49684]: [3-2] CONTEXT: SQL statement "INSERT into offense_target_link (offense_id, target_id, add_time, macaddress, hostname, username) postgres[49684]: [3-3] values (p_offense, v_target, extract (epoch from now())::int8, substring (v_identity.macaddress from 1 for 17), v_identity.hostname, v_identity.username)" postgres[49684]: [3-4] PL/pgSQL function link_offense_targets(bigint,character varying,integer) line 34 at SQL statement postgres[49684]: [3-5] STATEMENT: select * from link_offense_targets($1,$2, $3, $4) as result |
09 December 2019 |
DEPLOY CHANGES / QFLOW | IJ15630 | DEPLOY FUNCTION TIMEOUT CAUSED BY INCORRECT DEPLOYMENT.XML COMPONENT DATA AFTER A QFLOW SOURCE IS REMOVED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that the QRadar 'Deploy' function can fail (timeout) after removing a QFlow source that has connections to QRadar Network Insights (QNI) in Deployment.xml. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at java.lang.Thread.run(Thread.java:812) [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] Caused by: [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] java.lang.NullPointerException [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.util.forensics.QniDtlsHelper.getQflowDtlsConnectionsList(QniDtlsHelper.java) [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.config.globalset.forensics.QniDtlsConfigurationTransformer.configureDtlsConnections(QniDtlsConfigurationTransformer.java) |
09 December 2019 |
LOG SOURCES / USER INTERFACE | IJ16162 | QRADAR USER INTERFACE BECOMES UNRESPONSIVE DURING BULK CHANGES MADE TO A LARGE NUMBER OF LOG SOURCES USING THE API | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) It has been identified that the QRadar User Interface can sometimes become unresponsive due to a session leak caused by a large number of bulk changes made to Log Sources using the QRadar Log Source Management App (API) in QRadar environments with hundreds of thousands of Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.rpcservices.LogSourceServices: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]Unable to get session context to update device last seen times [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.util.ConcurrentModificationException [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.nextIndex(THashIterator.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.hasNext(THashIterator.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.lang.Iterable.forEach(Iterable.java:85) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.closePreparedStatements(LogSourceUpdate.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java:566) [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java) [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]28012 leak(s) detected in session context: 640axxxx-xxxx-xxxx-xxxx-e33fc1xxxx [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]java.sql.PreparedStatement leak detected. Object created in following code path [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.lang.Exception [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.BaseWrapper. |
09 December 2019 |
FLOWS / USER INTERFACE | IJ21572 | NO FLOW SOURCE ALIASES ARE DISPLAYED IN THE QRADAR USER INTERFACE | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) A fresh install or patch to QRadar version 7.3.2 can experience an issue where no Flow Source Aliases are displayed in the QRadar User Interface -> Admin -> Flow Source Alias page. |
19 December 2019 |
ROUTING RULES | IJ21049 | ROUTING RULES FOR ASSET HOSTNAME FILTERING ON SPECIFIC EVENT COLLECTOR APPLIANCES DO NOT WORK AS EXPECTED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that routing rules for asset hostname filtering do not work because the asset.hostname table is not replicated to all hosts (Event Collectors). When a routing rule is created on an Event Collector (EC) with the condition 'destination asset hostname' or 'source asset hostname' equals a hostname and the Drop action selected, the drop does not happen because the asset.hostname table is empty on the EC. |
06 December 2019 |
CUSTOM PROPERTIES | IJ21052 | REPLICATION FOR ARIEL_PROPERTY_LEEF_EXPRESSION AND ARIEL_PROPERTY_CEP_EXPRESSION NOT WORKING AS EXPECTED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that replication for ariel_property_leef_expression and ariel_property_cep_expression is not working on the Event Collector appliance as expected, as the tables are not replicated to all hosts (event collectors). This can cause routing rule drops to not work as expected as events are not parsing those fields properly. |
06 December 2019 |
REFERENCE DATA | IJ20134 | REFERENCE SET DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that some database table fields containing Reference Set data are omitted from the data being replicated to QRadar collector managed hosts. When this issue occurs, Reference Set data is missing on event collector appliances, with the potential for QRadar rule functionality to not work as expected. |
06 December 2019 |
EVENT COLLECTOR / ROUTING RULES | IJ21053 | EVENT COLLECTOR IS NOT AWARE OF NETWORK NAME/RANGE AS THE TABLE IS NOT REPLICATED TO THE EVENT COLLECTOR(S) | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that Event Collector(s) are not aware of network name/range as the network database table is not replicated on the Event Collector(s). This can cause routing rules to not work as expected as Event Collector(s) do not have the appropriate database table information. |
06 December 2019 |
QRADAR DEPLOYMENT INTELLIGENCE | IJ20138 | HEALTH METRIC DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that some database table fields containing Health Metric data are omitted from the data being replicated to QRadar collector managed hosts. When this issue occurs, Health Metric data is missing on event collector appliances, causing QRadar Deployment Intelligence (QDI) to not report any information from Event Collectors. |
06 December 2019 |
DOMAINS / TENANTS | IJ18325 | QRADAR LOG MANAGER DOMAIN MANAGEMENT 'ADD' BUTTON DOES NOT WORK AS EXPECTED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that within a QRadar Log Manager, the Admin -> Domain Management -> Add button does not work as expected. When the 'Add' button is selected, the next pop up window does not appear. |
06 December 2019 |
TOPOLOGY / QRADAR RISK MANAGER | IJ17290 | 'VIEW TOPOLOGY' WHEN SELECTED FROM ASSET DETAILS DIALOG NEVER COMPLETES | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). Workaround: Perform a host search for the asset on the Topology screen. It has been identified that when "View Topology" is selected in the Asset Details dialog, no results are returned. The Network Topology dialog that is launched displays either "Wait for data to be retrieved" or "[key not defined: srm.modelDefinition.pleaseWaitForModel]" and never completes. |
06 December 2019 |
FLOWS | IJ15964 | QFLOW CAN SOMETIMES PARSE NETFLOW/JFLOW INCORRECTLY | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that in some instances invalid IP data or other incorrect data can be observed for flows that are received/parsed in the Network Activity tab. When this issue occurs, the following might be displayed in the user interface when viewing NETFLOW or JFLOW records:
|
06 December 2019 |
DOMAINS / TENANTS | IJ17186 | EVENTS CAN SOMETIMES BE DROPPED WHEN AN EVENT COLLECTOR IS USED FOR MULTIPLE TENANTS | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that events can be dropped when an Event Collector is configured for use by Log Sources for multiple tenants. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring: [ecs-ec.ecs-ec] com.q1labs.semsources.filters.TenantQueuedEventThrottleFilter: [WARN] [Tenant:1: |
06 December 2019 |
USER INTERFACE / PERFORMANCE | IJ17018 | QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO AN OUT OF MEMORY OCCURRING WHEN USING THE ASSET API | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that in some instances the Asset API can cause tomcat to experience an Out of Memory issue. When this occurs, the QRadar User Interface is inaccessible until the required services are working as expected. For example, this issue has been reported in cases where asset integration was completed through the Watson Advisor for QRadar application. |
06 December 2019 |
MANAGE VULNERABILITIES / QRADAR VULNERABILITY MANAGER | IJ16602 | EXCEPTIONED VULNERABILITIES REAPPEAR IN MANAGE VULNERABILITIES TAB AFTER RESCANNING | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that vulnerabilities that have been exceptioned reappear in the Manage Vulnerabilities tab after rescanning. |
06 December 2019 |
DATA NODE | IJ16438 | DATA NODES ADDED TO AN EVENT PROCESSOR IN PROCESSING ONLY MODE SHOW AS REBALANCING COMPLETED WITHOUT REBALANCE OCCURRING | SUGGESTION | Note: This issue is currently tagged closed as a suggestion for a future release. Issue: It has been identified that after adding a Data Node to an Event Processor that is in Processing Only mode, rebalancing appears to complete quickly, but rebalancing of data to the new Data Node did not actually happen. Comment: The goal of rebalancing is not to make free space % exactly equal across the cluster. The behavior mentioned works as designed. |
06 December 2019 |
DEPLOY CHANGES | IJ16640 | QRADAR DEPLOY FUNCTIONS CAN TIMEOUT WHEN THE CERTIFICATE VALIDATOR FAILS DUE TO EMPTY CERTIFICATES BEING PRESENT | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). Workaround: Remove the empty certificates from /opt/qradar/trusted_certificates and retry the deploy function. Contact Support if assistance is required with this task. It has been identified that test_tomcat_connection.sh can take longer than expected to complete when empty certificates are present in /opt/qradar/trusted_certificates/. The Certificate Validator does not work and can lead to QRadar deploy functions timing out. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [localhost-startStop-1] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length [tomcat.tomcat] [localhost-startStop-1] at com.ibm.security.x509.X509CertImpl. |
06 December 2019 |
ADVANCED SEARCH (AQL) | IJ16172 | ADVANCED SEARCH (AQL) FAILS WHEN USING THE LABELS OF CUSTOM EVENT PROPERTY FIELDS IN A GROUP BY | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that an Advanced Search (AQL) fails when using the labels (aliases) of Custom Event Properties in a 'group by'. |
06 December 2019 |
LOG SOURCE MANAGEMENT APP / USER INTERFACE | IJ16160 | TOMCAT OUT OF MEMORY CAN OCCUR WHEN ASSIGNING LOG SOURCES TO GROUPS IN SYSTEMS WITH VERY LARGE NUMBER OF LOG SOURCES | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that a Tomcat process out of memory can sometimes occur in QRadar environments with hundreds of thousands of Log Sources when assigning Log Sources to Log Source Groups using the Log Source Management App. When a Tomcat out of memory occurs, the QRadar User Interface becomes unavailable until all related services are running as expected. |
06 December 2019 |
LICENSE | IJ15970 | QRADAR VULNERABILITY MANAGER (QVM) LICENSE WARNING BANNER CAN DISPLAY WHEN IT SHOULD NOT | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that a QRadar Vulnerability Manager (QVM) license warning banner can be displayed when interfaces have been added to assets that have not been scanned by QVM. The asset count incorrectly includes the assets. The message appears similar to the following: WARNING: You have scanned {number} assets but are only licensed to scan {number} assets. License Update Required! |
06 December 2019 |
API | IJ16954 | THE REST API FOR 'USERS' INCORRECTLY CHECKS USER NAMES FOR VALIDATION WHEN UPDATING FIELDS | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that the REST API for 'users' in QRadar incorrectly checks user names for validation when updating fields. API response messages similar to the following can be observed when usernames with invalid characters (created using LDAP) exist: {"http_response":{"code":500,"message":"Unexpected internal server error"},"code":12,"description":"","details":{},"message" : "Endpoint invocation returned an unexpected error"} Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [-/- -]Request Exception [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Endpoint invocation returned an unexpected error [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java) [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java) |
06 December 2019 |
USER INTERFACE / LOGIN | IJ16944 | QRADAR USER INTERFACE LOGIN MESSAGE LINE FORMATTING IS NOT WORKING AS EXPECTED | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when a line break is entered into a QRadar User Interface 'Login Message' it is converted into the line feed symbol (\n). When the request is made to generate the Console login page, the line feed remains in the html as is and no new lines are created. For example:
|
06 December 2019 |
RULES / PERMISSIONS | IJ16943 | QRADAR USER CAN ACCESS CUSTOM RULE INFORMATION WHEN NOT GIVEN ACCESS TO 'VIEW CUSTOM RULES' AND 'MAINTAIN CUSTOM RULES' | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that QRadar users can access custom rules even when their access has not been granted to View Custom Rules and Maintain Custom Rules. To replicate or validate this reported issue:
Results The user cannot open the rule definitions or view the rule summary page, but the user can view all the rule groups and list all available rules on the system. The names of the rules can be quite informative and specific to a particular domain and tenancy and should not be exposed to a user with these specific role settings. |
06 December 2019 |
BACKUP / RESTORE | IJ17940 | PERFORMING A RESTORE AND SELECTING 'CUSTOM RULE CONFIGURATION' ONLY DOES NOT INCLUDE REFERENCE DATA DEPENDENCIES | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that performing a restore from a configuration backup and selecting only the Custom Rule Configuration does not include reference data structures or reference_data_rules, and the restore fails. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR][127.0.0.1/- -] [-/- -]Unable to execute restore request [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore backup archive [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4423) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doRestore(BackupRecoveryEngine.java:5872) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.core.executor.RestoreExecutor$1.run(RestoreExecutor.java:70) [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test database restore failed... aborting restore process [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4307) [hostcontext.hostcontext] [BackupServices_restore] ... 2 more [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test backup failed [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2881) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doTestRestore(BackupRecoveryEngine.java:2647) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4303) [hostcontext.hostcontext] [BackupServices_restore] ... 2 more [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3007) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2868) [hostcontext.hostcontext] [BackupServices_restore] ... 4 more [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2996) [hostcontext.hostcontext] [BackupServices_restore] ... 5 more [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] java.lang.Exception: unable to execute sql statement: ALTER TABLE public.reference_data_rules ADD CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY (rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE; [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java:668) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.applyConstraints(PostgresAction.java:287) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2974) [hostcontext.hostcontext] [BackupServices_restore] ... 5 more [hostcontext.hostcontext] [BackupServices_restore] Caused by: [hostcontext.hostcontext] [BackupServices_restore] org.postgresql.util.PSQLException: ERROR: insert or update on table "reference_data_rules" violates foreign key constraint "reference_data_rules_rule_id_fkey" Detail: Key (rule_id)=(126720) is not present in table "custom_rule". [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java) [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java) [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java) [hostcontext.hostcontext] [BackupServices_restore] ... 7 more |
06 December 2019 |
USER MANAGEMENT | IJ16672 | UNABLE TO CREATE USERNAMES CONTAINING WHITESPACE CHARACTERS AND AN INCORRECT WARNING MESSAGE IS DISPLAYED WHEN ATTEMPTED | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that attempting to create usernames containing whitespace(s) no longer works as expected, and the error message displayed when attempted does not clearly identify that this is the reason for the failure to create. The message generated is similar to: "Username must not contain any of the following non-whitespace characters: / ' \ " | 06 December 2019 |
LOGS / DISK SPACE | IJ14984 | LOGROTATE CONFIGURATION NEEDS TO BE UPDATED TO BETTER HANDLE /VAR/LOG/CRON.LOG | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that QRadar's logrotate configuration needs to be updated to better handle rotation of the /var/log/cron.log file to prevent it from growing too large. | 06 December 2019 |
REPORTS | IJ15667 | REPORTS WITH ONLY ONE OUTPUT COLUMN FAIL TO GENERATE IN XLS FORMAT | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). Workaround: Do not use the defaults. Attempt to run the report with lower configured limits (use less than 1000). It has been identified that reports that have only one column when created fail to generate in XLS format. CSV and PDF reports with one column are created without issue. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: An error was encountered rendering the XLS version of the report [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Report Exception: admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246) [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "admin#$#79d06981-1cca-4954-a46b-18694b6afc1c" Error [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml] [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668) [report_runner] [main] ... 1 more [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml] [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml] [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668) [report_runner] [main] ... 1 more | 06 December 2019 |
SYSTEM NOTIFICATIONS / MANAGED HOSTS | IV94033 | MANAGED HOSTS CONFIGURED USING IPV6 CANNOT PROPERLY TIME SYNC TO THE QRADAR CONSOLE | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been observed that Managed Hosts that are added to a QRadar deployment and configured using IPv6 networking cannot properly time sync with their QRadar Console. System Notification messages similar to the following might be visible when this issue occurs: Low Level Category: Alert Payload: Aug 29 14:40:04 127.0.0.1 [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - rdate: timeout | 08 December 2019 |
UPGRADE / OFFENSES | IJ14779 | REQUIRED APPLIANCE REBOOT DURING QRADAR PATCHING CAN SOMETIMES CAUSE DATA LOSS, A SOFT CLEAN SIM, OR FILE CORRUPTION | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when a required appliance reboot occurs during QRadar patches (kernel update) there is the possibility of data loss, a corrupted offense model (forcing a Soft Clean SIM), or other file corruption. This issue can occur when QRadar processes are not allowed to shut down successfully prior to the appliance reboot. | 06 December 2019 |
UPGRADE / LOG MANAGER | IJ15560 | UNABLE TO CONFIGURE BONDED MANAGEMENT INTERFACE USING QCHANGE AFTER MOVING FROM A 8028 TO 3128 APPLIANCE TYPE | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that a bonded management interface cannot be configured using qchange_netsetup after moving from a QRadar Log Manager 8028 appliance type to a QRadar 3128 appliance type. Following the wizard, when brought to the "assign by functionality" window by selecting the All-in-one option, the following error is presented: "Cannot switch an appliance id from 8028 to 3128". By selecting Log Manager Console 8028, the error message displayed is: "Template change from Enterprise to Logger is not supported". | 06 December 2019 |
ADVANCED SEARCH (AQL) | IJ15467 | AQL OUTPUT IS INCORRECT WHEN USING SOURCEASSETNAME FILTER BASED ON PAYLOAD | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that performing an AQL search that contains the 'sourceassetname' filter based on payload generates incorrect AQL output when the Show AQL button output is pasted into Advanced Search. | 06 December 2019 |
RULES / USER INTERFACE | IJ15514 | QRADAR RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that the QRadar Rules page in the User Interface can take longer than expected to load in instances where thousands of rules exist. Timeouts can sometimes occur while the Rules are being gathered by QRadar backend processes. NOTE: A duplicate APAR IJ15515 was also created and sent via IBM My Notifications. Users who received this notice should refer to IJ15514 for the resolution to this issue. | 06 December 2019 |
API / LOG SOURCE | IJ15494 | BULK EDITING/ADDING/DELETING A LARGE NUMBER OF LOG SOURCES CAN GENERATE A JVM EXCEPTION IN QRADAR LOGGING | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225). QRadar 7.3.2 Patch 4 (7.3.2.20190803012943). It has been identified that when performing a bulk edit (including an add or delete) on a large number of Log Sources using the API or the Log Source Management app, a message similar to the following can sometimes be generated in /var/log/qradar.log: tomcat[20763]: 05-Feb-2019 19:58:57.275 WARNING [ServerHostServices_PersisterTimer] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination objectChangeNotifications2 [Topic], limit of 100 producers would be exceeded user=qradar, broker=127.0.0.1:7676(7677) | 08 December 2019 |
SEARCH / REFERENCE DATA | IJ14001 | IDENTITY EXCLUSION RULES ARE NOT LOADED WHEN THE FILTER CONTAINS A REFERENCE DATA RELATED SEARCH | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that the identity exclusion rules are not loaded when the filter contains a reference data related search. For example: | 06 December 2019 |
GEOGRAPHIC DATA / RULES | IJ13413 | GEOGRAPHIC RULE TESTS USING 'AND NOT WHEN THE SOURCE IS LOCATED IN OTHER' ARE NOT WORKING AS EXPECTED | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). Workaround: Users can leverage the geographic rule test "and when the source IP is a part of any of the following geographic network locations" as this function works as expected. Issue: It has been identified that Rule tests for "and NOT when the source is located in other" match all events, regardless of whether the Network Hierarchy has the GEO defined for the IP range or not. | 06 December 2019 |
VULNERABILITY DETAILS / QRADAR VULNERABILITY MANAGER | IJ16571 | VULNERABILITY HISTORY LIST DATE ORDERING IS INCORRECT | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when viewing vulnerability history lists, the ordering by date is incorrect. In QRadar 7.3.1 versions an error similar to the following is written to qradar logging when this occurs: [tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 17:05:13" [tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 13:09:37" NOTE: In QRadar 7.3.2 versions, the ordering by date is also incorrect, but the error is not present in the QRadar logs. | 06 December 2019 |
QRADAR VULNERABILITY MANAGER / VULNERABILITY EXPORT | IJ13700 | VULNERABILITY SCAN RESULT CSV FILE CAN INCORRECTLY DISPLAY IP ADDRESSES ACROSS MULTIPLE COLUMNS | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when a scan result is exported from the Vulnerability Tab in CSV format, the generated .csv file can sometimes contain IP addresses across multiple columns and the results are incorrect. When this occurs, the scan result is not readable. | 06 December 2019 |
REPORTS | IJ11779 | QRADAR VULNERABILITY MANAGER: REPORTRUNNER OUT OF MEMORY CAN OCCUR WHEN RUNNING THE DEFAULT SCAN SUMMARY REPORT | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that a ReportRunner Out of Memory can sometimes occur when the default Scan Summary Report is run with the default limits configured. | 06 December 2019 |
REPORTS | IJ12226 | FAILED XLS TABLE REPORT WITH "MERGED REGION A1 MUST CONTAIN 2 OR MORE CELLS" MESSAGES IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when attempting to generate an XLS table report which has no data accumulated for the period it is being generated for (i.e. weekly or monthly), the report fails and generates exception messages in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: An error was encountered rendering the XLS version of the report [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send report "09095b15-f5a3-486f-a7d7-15b57513fb3e" to test@email.com [report_runner] [main] com.q1labs.frameworks.exceptions.FrameworksException: Unable to send mail message to: [test@email.com] [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java) [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java) [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.sendMessage(SMTPMail.java) [report_runner] [main] at com.q1labs.reporting.Report.sendMail(Report.java) [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) [report_runner] [main] Caused by: [report_runner] [main] javax.mail.MessagingException: IOException while sending message; nested exception is: java.io.FileNotFoundException: /store/tmp/reporting/WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517/XLS/09095b15-f5a3-486f-a7d7-15b57513fb3e.xls (No such file or directory) [report_runner] [main] at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java) [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java) [report_runner] [main] ... 5 more [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Report Exception: abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e" Error [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml] [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version. [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] ... 1 more [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml] [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml] [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) [report_runner] [main] Caused by: [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version. | 06 December 2019 |
LOG ACTIVITY | IJ15905 | USING THE 'UPDATE' BUTTON ON A LOG ACTIVITY SEARCH PAGE THE DAY OF A DST (TIME) CHANGE MOVES THE START/END TIME ONE HOUR | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) QRadar 7.3.1 Patch 8 IF03 (7.3.1.20190612151858) Workaround: Edit the search Start/End times to adjust for the one hour change made by clicking the Update button. Issue: It has been observed that when the 'Update' button is clicked on a Log Activity search on the day that a DST change has occurred, the 'Start Time' and 'End Time' can shift by one hour. | 06 December 2019 |
PERFORMANCE / CUSTOM PROPERTIES | IJ11734 | SOME SPECIFIC ARIEL CUSTOM EVENT PROPERTIES INDEXING CAN CAUSE ARIEL INDEXING AND RULE EVALUATION DEGRADATION | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that some Custom Event Properties (CEPs) indexing functions within QRadar can cause extra CPU overhead during Ariel Indexing and rule evaluation. When this occurs, QRadar performance degradation can sometimes be observed, causing events to be routed directly to storage. | 06 December 2019 |
SYSTEM NOTIFICATIONS / QRADAR VULNERABILITY MANAGER | IJ10950 | SYSTEM NOTIFICATION 'UNABLE TO DETERMINE ASSOCIATED LOG SOURCE' CREATED FOR SOME INFORMATIONAL VULNERABILITY EVENTS | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that some Vulnerability Manager information events are not parsed correctly by QRadar. The information events are similar to the following: Message: Oct 10 10:09:28 127.0.0.1 [[type=com.eventgnosis.system.ThreadedEventProcessor][parent={hostname} : ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.q1labs.semsources.filters.trafficanalysis.TrafficAnalysisFilter: [WARN][127.0.0.1/- -] [-/- -]Unable to determine associated log source for IP address {IP_ADDR}. Unable to automatically detect the associated log source for IP address. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring: [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/frameworks.properties] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmprocessor.properties] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/console/conf/qvmkeystore.properties] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/db/conf/qvmdb.properties] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.conf] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.hostcontext.conf] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmhostedscanner.properties] [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmscanner.properties] | 08 December 2019 |
API | IJ10417 | QRADAR VULNERABILITY MANAGER: API DOES NOT FACTOR RISK SCORE FOR RETURNED RESULTS | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that when executing saved_searches against the QVM vuln_instances API that contain the risk score search parameter, the results ignore what is set for this parameter. For example: If the risk score is set for greater than or equal to 7, results with risk scores less than 7 are returned when using the QVM API. | 06 December 2019 |
CONNECTIONS | IJ09314 | QRADAR RISK MANAGER: '[REPORTING THREAD - SIMEVENT/SIMARC BUNDLE1]...PROFILER DROPPED XXXX EVENTS' MESSAGES IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that in some instances the QRadar Risk Manager arc builder thread/queue that processes events does not remove events from the queue quickly enough to prevent the queue from filling up. Messages similar to the following are generated in /var/log/qradar.log when this issue occurs: [Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=1418, numFlowsProcessed=0, numNormalizedEventsProcessed=3249953, numNormalizedEventsSeen=3252830, numFlowsSeen=0, numEventsDropped=23376 [Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [WARN] [NOT:0080004102][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval [Ariel Writer#simevent] com.q1labs.ariel.searches.service.io.buffers.SharedBuffers: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]LZ4 segment is set to 16 pages [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=300000, numFlowsProcessed=0, numNormalizedEventsProcessed=981487, numNormalizedEventsSeen=9401352, numFlowsSeen=0, numEventsDropped=23376, numAllowArcsCreated=0, numDenyArcsCreated=300000 May 23 19:53:57 ::ffff:Oth.erE.C&EP.29 [arc_builder.arc_builder] [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [WARN][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval | 06 December 2019 |
QRADAR OPERATIONS APP | IJ17924 | INACTIVE REPORT CAN CAUSE A 'NULLPOINTEREXCEPTION' IN QRADAR LOGGING AND QRADAR OPERATIONS APP FAILS TO DISPLAY EPS RATE | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) Workaround: Enable the inactive report identified in the error logs. For example: Error calling function com.q1labs.cve.aql.GlobalViewFunction({REPORT_NAME}): java.lang.NullPointerException Issue: In some instances an inactive report can cause a NullPointerException to be generated in the QRadar logs. When this issue occurs, the IBM QRadar Operations app can fail to display Events Per Second (EPS) data. Messages similar to the following might be visible in /var/log/qradar.log: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.cve.aql.GlobalViewFunction(or [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] java.lang.NullPointerException [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] at com.q1labs.cve.aql.GlobalViewFunction.calculate(GlobalViewFunction.java) | 06 December 2019 |
ADVANCED SEARCH (AQL) | IJ08965 | AQL QUERIES CONTAINING ASSET FUNCTIONS CAN FAIL WHEN RUN AGAINST LARGE ASSET MODELS | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that AQL queries containing ASSET functions can fail against large asset models. When this occurs, applications such as UBA might display 404 error messages instead of usage data. Queries made on the Log Activity page might show "An error occurred during the search." instead of the intended search results. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: GenericAssetFunction function: Error during initialization com.q1labs.core.aql.AssetUserFunction [ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5] at com.q1labs.core.aql.GenericAssetFunction.initialize(GenericAssetFunction.java) | 06 December 2019 |
DEPLOY CHANGES | IJ15811 | DEPLOY FULL CONFIGURATION DOES NOT COMPLETE (TIME OUT) WHEN THE FILE HOSTCONTEXT.NODOWNLOAD IS PRESENT | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). QRadar 7.3.3 (7.3.3.20191031163225). Workaround: Remove the file /opt/qradar/conf/hostcontext.NODOWNLOAD on any affected Managed Host (or Console) and attempt the Deploy Full Configuration again. For full details, review the support technical note. | 06 December 2019 |
PERFORMANCE / NETWORK INTERFACE | IJ14133 | INCORRECT RX AND TX RING BUFFER SETTINGS CAN CAUSE PERFORMANCE ISSUES ON BOND0 OR BOND1 MANAGEMENT INTERFACES | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that using bond0 for a QRadar management interface or bond1 for a crossover interface can have ethtool incorrectly set hardware parameters for the NIC driver tx and rx ring buffers on the bond interface instead of on the underlying slave interfaces. As it is the actual slave interfaces that have the hardware parameters set, and it is possible to bond different NICs (Broadcom, Intel 1 GB, Intel 10Gb, etc.), in some cases the hardware interfaces will default to boot-up driver values. Intel NICs can sometimes default to a setting of 256 out of 4096 for both tx and rx ring buffer settings. When this situation occurs, SAR sentinel threshold crossed messages referencing dropped packets, or other performance-related issues, can sometimes be observed with QRadar. To read more, see this forum discussion. | 08 December 2019 |
FLOWS / NETWORK ACTIVITY | IJ15473 | FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME' INSTEAD OF THE EXPECTED HOSTNAME | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that the Flow Source column and Flow Interface column in the Network Activity tab can display "HOST_NAME" instead of the expected hostname. | 08 December 2019 |
UPGRADE | IJ03411 | POST_INSTALL.SH SCRIPT THAT RUNS DURING THE PATCH PROCESS CAN CAUSE MULTIPLE LOGROTATE FILES TO BE CREATED | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) The post_install.sh script that runs during the QRadar patch updates can sometimes not complete cleanly. When this occurs, two logrotate files can be created (logrotate.orig and logrotate.rej) in the same directory. Having multiple logrotate files under /etc/cron.hourly can cause multiple conflicts and race conditions within QRadar. Messages similar to the following might be visible in the patches.log file when this issue occurs: Sat Dec 9 10:54:38 ADT 2017: [create_nobody_dirs] mkdir -p /store/sentry/db Sat Dec 9 10:54:38 ADT 2017: [create_nobody_dirs] chown nobody.nobody /store/sentry/db patching file /etc/cron.hourly/logrotate Hunk #1 succeeded at 3 with fuzz 1. Sat Dec 9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /tmp Sat Dec 9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/audit Sat Dec 9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/dca/old | 08 December 2019 |
SCAN RESULTS / QRADAR VULNERABILITY MANAGER | IJ02466 | 'AN ERROR OCCURRED EXECUTING THE QVM SCAN. PLEASE TRY AGAIN LATER' WHEN RUNNING ON DEMAND SCAN | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that when the QVM processor is not running on the Console server, an asset is right-clicked and the Run Vulnerability Scan option is chosen, the scan runs as expected but an error message similar to the following might be generated in the user interface window: "An Error occurred executing the QVM Scan. Please try again. If this error persists please contact Customer Support." Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs: [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.assetprofile.bean.action.QVMScanAction: [ERROR][127.0.0.1/- -] [-/- -]An error occured executing QVM On-Demand Scan. [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.console.qvm.QVMClientException: An error occurred executing operation. [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.console.qvm.QVMClientImpl.executeOperation(QVMClientImpl.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.sem.ui.semservices.QVMServicesImpl.runOnDemandScan(QVMServicesImpl.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.assetprofile.bean.action.QVMScanAction.runOnDemandScan(QVMScanAction.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at java.lang.reflect.Method.invoke(Method.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.process(ActionServlet.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java) [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java) | 08 December 2019 |
BACKUP / RESTORE | IJ12106 | RESTORING A CONFIGURATION BACKUP DOES NOT RESTORE CUSTOM_FUNCTION TABLES | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been identified that the custom_functions tables are not restored correctly when using a configuration backup on the QRadar Console. | 08 December 2019 |
SCAN RESULTS / QRADAR VULNERABILITY MANAGER | IV96156 | PATCH SCANNING RETURNS SUGGESTION FOR AN AIX PATCH THAT DOES NOT EXIST | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) It has been observed in some instances that QRadar Vulnerability Manager patch scanning can suggest patches for AIX that are not currently available. | 08 December 2019 |
SCAN EXCLUSIONS | IV93272 | QRADAR VULNERABILITY MANAGER: SCAN EXCLUSION PAGE CAN SOMETIMES HANG FOR AN EXTENDED PERIOD OF TIME WHEN ADDING MULTIPLE, LARGE IP RANGES | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) Workaround: Adding one IP range per scan exclusion can help to alleviate the User Interface page unresponsiveness. Issue: It has been observed that when adding multiple, large IP ranges (example: x.x.x.1-255) to a Scan Exclusion belonging to a Domain containing other scanners, the Scan Exclusion page can hang (be unresponsive) for an extended period of time. | 08 December 2019 |
FORWARDED EVENTS / MANAGED HOST | IV84190 | EVENT/FLOW FORWARDING USING ENCRYPTED OFFSITE SOURCE AND TARGET CAN NOT BE ACCOMPLISHED SUCCESSFULLY | CLOSED | Resolved in QRadar 7.3.3 (7.3.3.20191031163225) Workaround: Where possible, do not use the encryption option for offsite source and target event/flow forwarding until this issue is resolved. Issue: Forwarding normalized events and flows using encrypted offsite sources and targets cannot be configured successfully to an event collector on a managed host. The initial configuration succeeds in the User Interface, but the authorized_keys file in /root/.ssh is overwritten without the offsite source's keys during the Deploy Changes step that is required after configuration. |
08 December 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to incorrect authorization in some components | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to multiple Kernel vulnerabilities | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to Jetty Vulnerabilities | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) QRadar 7.2.8 Patch 17 (7.2.8.20190910154321) | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to cross site scripting (XSS) | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to cross site scripting (XSS) | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to cross site scripting (XSS) | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 05 November 2019 |
SECURITY BULLETIN | | Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 06 November 2019 |
SECURITY BULLETIN | | IBM QRadar SIEM is vulnerable to Intel Microarchitectural Data Sampling (MDS) vulnerabilities | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) QRadar 7.2.8 Patch 17 (7.2.8.20190910154321) | 06 November 2019 |
SECURITY BULLETIN | | XStream as used by IBM QRadar SIEM is vulnerable to OS command injection | CLOSED | Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). | 20 November 2019 |
REPORTS | IJ18488 | REPORT DOES NOT CHART THE TOP 5 DESTINATION PORTS FOR TIME VS COUNT | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that Reports do not chart the top 5 destination ports for Time vs Count as expected. The chart is generated, but it charts 5 destination ports at random instead of the expected top 5 destination ports by Time vs Count. Note: Running the Saved Search on which the report is based returns the proper results, ordered by top 5 destination ports (by count). |
05 November 2019 |
MANAGED HOSTS | IJ10406 | ATTEMPTING TO RE-ADD A MANAGED HOST (MH) THAT ORIGINALLY FAILED TO ADD DUE TO TIMEOUT CAN LEAVE THE MH IN A STUCK STATE | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that when a Managed Host fails to add due to timeout, re-attempting to add it again can fail and cause the Managed Host to be in a stuck state, unable to successfully add to the deployment. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [IPADDRESS] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR][IPADDRESS/- -] [-/- -]Failed to inject deployment model for appliance type 1599 [tomcat.tomcat] [127.0.0.1] com.q1labs.configservices.common.ConfigServicesException: Failed to inject deployment [default]. Managed host IPADDRESS already exists in deployment model[default]. [tomcat.tomcat] [127.0.0.1] at com.q1labs.configservices.schemaext.DeploymentExtension.injectDeploymentModel(DeploymentExtension.java:1320) |
05 November 2019 |
APPLICATION FRAMEWORK | IJ20143 | DOCKER IPTABLES CAN GROW UNEXPECTEDLY IN SIZE WHEN APPS ARE INSTALLED/MIGRATED/REMOVED CAUSING DEPLOYS TO FAIL | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that /etc/docker/docker_iptables.sh can grow in size unexpectedly when QRadar Apps are installed/migrated/removed. Performing QRadar Deploy functions can sometimes fail when this issue is occurring. |
05 November 2019 |
UPGRADE / PRETEST | IJ16960 | THE QRADAR PATCH PRETEST FAILS WHEN A BACKUP IS IN 'MISSING' STATE IN THE DATABASE | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that the QRadar patch pretest fails when a backup record is in the 'MISSING' state in the database. |
05 November 2019 |
UPGRADE / INSTALL | IJ16041 | QRADAR INSTALLATION HANGS WHEN USING COMPRESSED IPV6 ADDRESS | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that when using compressed IPv6 on a QRadar installation, the installation hangs during the local CA generation. |
05 November 2019 |
GEOGRAPHIC DATA | IJ11947 | GEOGRAPHIC LOCATION IS USING IPV4 ADDRESS WHEN CONFIGURED IN RULES INSTEAD OF THE IPV6 ADDRESS | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that only IPv4 addresses are queried for source/destination geographic location in NormalizedEventProperties.java. This can cause QRadar rules to use the geographic location of the IPv4 address instead of the location of the expected IPv6 source address. For example: 1. Have events that contain both a source IP and a source IPv6 address, where the source IP resolves to a different country than the source IPv6 address. 2. Create a search that adds the source geographic location column. 3. The source geographic location should take the source IPv6 address's country by default, but it takes the source IP's country instead. |
05 November 2019 |
HIGH AVAILABILITY (HA) / PORT SCAN | IJ14440 | 'EXCEPTION NOT HANDLED. UNDEFINED BEHAVIOR' MESSAGE IN LOGGING ON QRADAR HIGH AVAILABILITY APPLIANCES | CLOSED | Resolved in: QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). QRadar 7.3.3 (7.3.3.20191031163225). It has been identified that messages similar to the following might be visible in /var/log/qradar.log on High Availability (HA) appliances when a Qualys scanner is configured to target a wide range of ports, including port 10101: [ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][ |
05 November 2019 |
RULES / LOG SOURCE | IJ15665 | DEVICE (+TYPE +GROUP) STOPPED SENDING EVENTS RULE TEST IS NO LONGER FIRING THE PROPER 'DEVICE STOPPED SENDING EVENTS' EVENT | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that QRadar is sometimes not generating the proper 'device stopped sending events' event when the rule test fires (QID 38750074). A new event is generated if the "new event" response is selected, but it does not contain any identifiable information about the log source that stopped sending. |
05 November 2019 |
OFFENSES / DOMAIN MANAGEMENT | IJ16738 | USERS ASSIGNED TO A DOMAIN DO NOT HAVE ACCESS TO OFFENSES WHERE THE TARGET IS FROM THE NETWORK "OTHER" | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that when a user is assigned to a Domain, that user cannot view an Offense where the target is from the Network "Other". |
05 November 2019 |
SCAN PROFILE / QRADAR VULNERABILITY MANAGER | IJ17416 | SCAN PROFILES WHICH USE PUBLIC KEY AUTHENTICATION DO NOT WORK CORRECTLY AFTER UPGRADING TO QRADAR VULNERABILITY MANAGER (QVM) 7.3.2 | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) Workaround: Edit the Scan Profiles to remove the credentials, then add new credentials containing only a user name. Issue: It has been identified that Scan Profiles which use public key authentication do not work correctly after upgrading to QRadar 7.3.2. The upgrade results in an invalid password being added to the Scan Profiles, resulting in authentication failures during a scan. When this occurs, variances in scan results prior and post application of QRadar 7.3.2 can be observed. |
05 November 2019 |
DEPLOY CHANGES | IJ18582 | 'UNABLE TO DEPLOY CHANGES, COULD NOT RETRIEVE UNDEPLOYED CHANGE LIST -- THE REQUEST TIMED OUT.' | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that in some instances, QRadar Vulnerability Manager .rpm files contained within an AutoUpdate installation can take longer than expected to install and generate messages in the QRadar User Interface similar to: "Unable to deploy changes, Could not retrieve undeployed change list -- the request timed out." |
05 November 2019 |
OFFENSES / USER AUTHENTICATION (LDAP) | IJ17323 | SOURCE IP OR DESTINATION IP FILTER IS NOT AN AVAILABLE TEST OPTION FOR 'COMMON' RULES | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that QRadar users (LDAP) created with invalid characters cannot assign or close Offenses. Invalid characters are defined by this regular expression: [\t\n\f\r\p{Z}-[ ]] A message similar to the following is generated in the QRadar User Interface: Application error Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (1286) /console/do/sem/properties] java.lang.IllegalArgumentException: userName is not a valid user or authorized service: user@domain |
05 November 2019 |
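The regular expression quoted in the row above is Java syntax (a Unicode category class with set subtraction), which Python's re module does not accept. The following is an added example, not QRadar code and not taken from the APAR, that reimplements the same test with unicodedata so an administrator can run an exported list of LDAP user names through it before upgrading and find the accounts that would hit this APAR. The sample user names are constructed for the example.

```python
import unicodedata

# Mirrors the Java class [\t\n\f\r\p{Z}-[ ]]: the four control whitespace
# characters plus every Unicode separator (categories Zs, Zl, Zp) except
# the ordinary ASCII space, which QRadar allows in user names.
_CONTROL_WHITESPACE = {"\t", "\n", "\f", "\r"}


def is_invalid_char(ch):
    """True if QRadar would reject this character in a user name."""
    if ch in _CONTROL_WHITESPACE:
        return True
    return ch != " " and unicodedata.category(ch).startswith("Z")


def invalid_chars(username):
    """Return (index, 'U+XXXX') pairs for every offending character."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(username) if is_invalid_char(c)]


def find_affected_users(usernames):
    """Map each user name that contains invalid characters to its offending code points."""
    affected = {}
    for name in usernames:
        hits = invalid_chars(name)
        if hits:
            affected[name] = hits
    return affected


# Constructed sample: one clean name, one with an ordinary space (allowed),
# one with a non-breaking space, one with a tab, one with a line separator.
SAMPLE_USERS = ["jdoe", "j doe", "jdoe\u00a0", "jane\tdoe", "cn=x\u2028"]

if __name__ == "__main__":
    for name, hits in find_affected_users(SAMPLE_USERS).items():
        print(repr(name), hits)
```

Names that only contain an ordinary space are not flagged, which matches the subtraction `-[ ]` in the Java class; a non-breaking space (U+00A0) is a Zs separator and is flagged.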
REPORTS | IJ17229 | SHORT REPORTS CONFIGURED WITH LINE OR BAR CHARTS CAN FAIL TO GENERATE WITH AN SQL EXCEPTION WRITTEN TO QRADAR LOGGING | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that short reports (hourly or manual reports that are run on raw data) return errors when executing and fail to generate when configured to use line or bar graphs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][-/- -]Error generating SQL chart [report_runner] [main] java.lang.RuntimeException: Error generating SQL chart [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java) [report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java) [report_runner] [main] at com.q1labs.dal.charts.SQLChart. |
05 November 2019 |
REPORTS | IJ17199 | REPORT Y-AXIS VALUE PLOTTED CAN BE PULLED FROM DIFFERENT COLUMN THAN WHAT WAS CONFIGURED FOR THE REPORT | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that QRadar plots the 2nd column of a saved search result as the Y-axis interval in the bar chart of a report regardless of the parameter selected. To confirm or replicate this issue: Create a search
For the top chart container:
For the bottom chart container:
Results Expected: The Y-Axis uses the values 'Count' Actual: Y-Axis incorrectly uses the 'Event Name (Unique Count)' |
05 November 2019 |
LOG MESSAGES | IJ15784 | 'NO JSESSIONID PASSED WITH COOKIE' MESSAGES IN QRADAR LOGS | CLOSED | Resolved in: QRadar 7.3.3 (7.3.3.20191031163225) QRadar 7.3.2 Patch 5 (7.3.2.20191022133252) It has been identified that repeated messages similar to the following might be visible in /var/log/qradar.error and /var/log/qradar.log: [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.core.shared.jsonrpc.RPC: [WARN][127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie. [ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.core.shared.jsonrpc.RPC: [WARN] [127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie. |
05 November 2019 |
SYSLOG REDIRECT PROTOCOL | IJ03249 | AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS | OPEN: Reported in PROTOCOL-SyslogRedirect-7.2-20170426083458 | No workaround available. It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol can have incorrect Log Source Identifiers listed, due to an issue with a regex used within the Protocol. This issue is to be corrected in a future release of the SyslogRedirect Protocol. |
28 March 2018 |
IPv6 / UNIVERSAL DSM / OFFENSES | IJ11715 | OFFENSES CAN STOP GENERATING WITH ‘FAILED TO CREATE/READ OFFENSE DEVICE FOR ID : 0’ EXCEPTION MESSAGE IN LOGS | OPEN: Reported in QRadar 7.3.1 Patch 6 | When Offenses are not being generated and caused by this specific issue, performing a Soft Clean of the SIM model can correct the behavior. See the following for more information regarding performing a Soft Clean of the SIM model: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/t_tuning_guide_tuning_cleaning_sim_model.html It has been identified that offenses can stop being generated due to the QRadar GenericDSM parsing process not handling IPv6 addresses correctly when setting the host source address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.commands.offense.OffenseDeviceCreateCommand: [ERROR] [-/- -]Failed to create/read offense device for id: 0 [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [-/- -]Exception encounted when executing transaction 186609. [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] java.lang.NullPointerException [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyLightDAOBatchUpdate(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyOffenseKeys(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.persistDirtyModel(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.processCommands(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.TxStateManager.playCurrent(TxStateManager.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java) [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] at com.q1labs.sem.magi.contrib.ModelPersister$Persister.run(ModelPersister.java) |
03 December 2018 |
DASHBOARD | IJ12103 | STAT FILTER INTERVAL PEAK VALUES CAN BE INCORRECT CAUSING INACCURATE EPS TO BE REPORTED | CLOSED | Resolved in QRadar Baseline Maintenance extension v1.0.5 or later. Workaround No workaround available. Administrators can review the official documentation for a change list of updates related to the Baseline Maintenance Content Extension. Issue: It has been identified that Stat Filter data values can sometimes be inaccurate on the interval peak value. When this occurs, EPS values reported in QRadar can be incorrect or inconsistent with actual event counts. |
26 August 2019 |
DASHBOARD | IJ17440 | STATFILTER EVENT PER SECOND (EPS) REPORTING CAN VARY IN ACCURACY | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround No workaround available. For more information on how EPS is displayed within the QRadar User Interface, see IBM technote: https://www.ibm.com/support/pages/node/280679 Issue It has been identified that, due to the way StatFilter calculates Events Per Second (EPS), variances in the performance of the appliance it is running on can cause differences in the accuracy of the EPS metrics that are calculated and reported. |
12 July 2021 |
MANAGED HOST | IJ07896 | CONFIGSERVICES PASSWORD CONTAINING MULTI-BYTE CHARACTERS CAUSES ‘ADD HOST’ PROCESS TO FAIL | CLOSED | Resolved in QRadar 7.3.2 (7.3.2.20190201201121) It has been identified that the Add Host process (Admin > System and License Management > Deployment Actions > Add Host) fails when the configservices password (used within QRadar) has been changed to include multi-byte characters. Messages similar to the following might be visible in /var/log/qradar.error when attempting to add a Managed Host to the QRadar deployment when the configservices password includes multi-byte characters: [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Add host failed trying to add [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] java.lang.ArrayIndexOutOfBoundsException [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.guessLength(DatatypeConverterImpl.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl._parseBase64Binary(DatatypeConverterImpl.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.parseBase64Binary(DatatypeConverterImpl.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverter.parseBase64Binary(DatatypeConverter.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.Crypto.decrypt(Crypto.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [-/- -]Unable to add managed host. The ip of the host is:a.b.a.c.dd [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] Caused by: [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java) [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] ... 3 more [tomcat.tomcat] [Thread-2051] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: null |
19 July 2018 |
SECURITY BULLETIN | | LINUX KERNEL AS USED IN IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO DENIAL OF SERVICE | CLOSED | Resolved in: QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019) QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60) | 19 September 2019 |
SECURITY BULLETIN | | IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO INTEL MICROARCHITECTURAL DATA SAMPLING (MDS) VULNERABILITIES | CLOSED | Resolved in: QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019) QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60) | 19 September 2019 |
AMAZON AWS S3 REST API PROTOCOL | IJ18861 | LOGS STOP COLLECTING AND A ‘REQUESTTIMETOOSKEWED’ ERROR IN QRADAR LOGGING WHEN USING AMAZON AWS S3 REST API PROTOCOL | OPEN: Reported in QRadar 7.3.1 Patch 3 and later | Workaround: If possible, implement an AWS V4 REST API connection to avoid the issue. Issue: It has been identified that logs can stop being collected when using the Amazon AWS S3 REST API Protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRestV2InputStream: [ERROR][-/--] <?xml version="1.0" encoding="UTF-8"?> <Error><Code>RequestTimeTooSkewed</Code> <Message>The difference between the request time and the current time is too large.</Message> <RequestTime> Fri, 10 Aug 2019 24:09:49 +0000</RequestTime> <ServerTime> 2019-08-10T00:09:51Z</ServerTime> |
17 September 2019 |
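Added example, not part of the APAR text and not QRadar code: a small Python check that pulls the S3 error document out of a qradar.log line shaped like the one above, confirms it is a RequestTimeTooSkewed error, and computes the difference between the signed request time and the S3 server time. AWS rejects a request whose signed time is more than 15 minutes away from server time. Note that the RequestTime in the quoted log carries an hour field of 24, which is not a valid RFC 1123 time; the check reports that as a malformed timestamp rather than computing a skew from it. The log lines below are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# AWS rejects a request whose signed timestamp is more than 15 minutes
# from the server clock; that is the documented RequestTimeTooSkewed limit.
MAX_SKEW_SECONDS = 15 * 60

_ERROR_BODY = re.compile(r"<Error>.*?</Error>", re.S)


def _parse_request_time(text):
    """RequestTime in the S3 error body is an RFC 1123 date; None if it does not parse."""
    try:
        return datetime.strptime(text.strip(), "%a, %d %b %Y %H:%M:%S %z")
    except ValueError:
        return None


def _parse_server_time(text):
    """ServerTime is ISO 8601 with a trailing Z; None if it does not parse."""
    try:
        naive = datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def analyse_s3_error(log_line):
    """Classify one qradar.log line that embeds an S3 <Error> document."""
    match = _ERROR_BODY.search(log_line)
    if not match:
        return {"code": None, "verdict": "no_s3_error_body"}
    root = ET.fromstring(match.group(0))
    code = root.findtext("Code")
    if code != "RequestTimeTooSkewed":
        return {"code": code, "verdict": "other_error"}
    req = _parse_request_time(root.findtext("RequestTime") or "")
    srv = _parse_server_time(root.findtext("ServerTime") or "")
    if req is None or srv is None:
        # A RequestTime that cannot be parsed (hour 24, for example) points at
        # the client's signing/formatting, not at a clock offset.
        return {"code": code, "verdict": "malformed_timestamp"}
    skew = int(abs((req - srv).total_seconds()))
    verdict = "clock_skew" if skew > MAX_SKEW_SECONDS else "within_tolerance"
    return {"code": code, "verdict": verdict, "skew_seconds": skew}


def _constructed_line(request_time, server_time):
    """Build a log line in the shape of the APAR text (constructed sample data)."""
    return (
        "[ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread] "
        "com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRestV2InputStream: "
        '[ERROR][-/--] <?xml version="1.0" encoding="UTF-8"?><Error>'
        "<Code>RequestTimeTooSkewed</Code>"
        "<Message>The difference between the request time and the current time is too large.</Message>"
        f"<RequestTime>{request_time}</RequestTime><ServerTime>{server_time}</ServerTime></Error>"
    )


# Same timestamps as the APAR's quoted log: hour field 24 is not a valid RFC 1123 time.
SAMPLE_FROM_APAR = _constructed_line("Fri, 10 Aug 2019 24:09:49 +0000", "2019-08-10T00:09:51Z")
# A genuinely skewed client clock, 20 minutes ahead of S3.
SAMPLE_SKEWED = _constructed_line("Sat, 10 Aug 2019 00:29:51 +0000", "2019-08-10T00:09:51Z")
# A healthy request, two seconds of skew.
SAMPLE_HEALTHY = _constructed_line("Sat, 10 Aug 2019 00:09:49 +0000", "2019-08-10T00:09:51Z")

if __name__ == "__main__":
    for line in (SAMPLE_FROM_APAR, SAMPLE_SKEWED, SAMPLE_HEALTHY):
        print(analyse_s3_error(line))
```

Run against a real qradar.log with `grep RequestTimeTooSkewed /var/log/qradar.log`, the verdict separates collector clocks that are genuinely off (fix with NTP on the event collector) from request timestamps that S3 could never have accepted as written.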
LOG SOURCE MANAGEMENT APP (LSM) / OPSEC LEA PROTOCOL | IJ19050 | ‘INVALID CERTIFICATE FILENAME’ WHEN USING THE LOG SOURCE MANAGEMENT APP TO CONFIGURE A CHECK POINT LOG SOURCE | CLOSED | Resolved in QRadar Weekly Auto Update for 21 July 2020 as PROTOCOL-LEA-7.3-20200521125015 and PROTOCOL-LEA-7.4-20200521125017 or later. Administrators who manually install RPM files can confirm their installed RPM version or download and install the LEA protocol for their QRadar version. Workaround Use the legacy Log Source user interface to edit your Check Point log source, as this issue is only seen when using the Log Source Management App. Issue It has been identified that when using the Log Source Management App to configure a Check Point Log Source, a response similar to the following might be returned on POST: curl -s -X POST -u user -H 'Content-Type: application/json' -H 'Version: 9.1' -H 'Accept: application/json' --data-binary '{ description: "New Description for CheckPoint Firewall" }' 'https://server.domain.com/api/config/event_sources/log_source_management/log_sources/8311' Response: { "http_response": { "code": 422, "message": "The request was well-formed but was unable to be followed due to semantic errors" }, "code": 1021, "description": "The protocol parameter value does not match the allowed pattern.", "details": { "parameter_value": "opsec_cert_10.10.10.10.p12", "parameter_name": "certificateFilename", "parameter_id": 2080 }, "message": "Invalid certificate file name" } |
20 March 2020 |
WINCOLLECT | IJ18859 | WINCOLLECT AGENT CAN STOP SENDING EVENTS UNEXPECTEDLY | CLOSED | Resolved in WinCollect 7.2.9 Fix Pack 1 (Build 96) (7.2.9.96) Workaround Restarting the WinCollect Agent can resume event sending processes with the affected Agent in these instances. Note: This is a temporary workaround. If the same issue arises with Microsoft Windows "EvtSubscribe", the WinCollect Agent can stop sending events again. Issue It has been identified that in some instances a WinCollect Agent can stop sending events unexpectedly when Microsoft Windows "EvtSubscribe" fails to send notifications that new events have arrived. |
13 April 2021 |
UPGRADE | IJ00884 | WHEN PATCHING FROM 7.2.4 TO 7.2.8 OR GREATER THE PATCH MAY FAIL IF THE NON-ADMIN ROLE HAS API PERMISSIONS | CLOSED | This issue has been closed as a cancelled APAR. Workaround Either uncheck the API permissions in all user roles that use it, or delete the roles themselves. Issue When a QRadar version 7.2.4 is patched to 7.2.8 or above the patch or upgrade may fail as a result of a Non-Admin user having API permissions in their user role. To determine if you are seeing this after a failed patch or upgrade check /var/log/setup-7.x.x.x.x.x.x/qradar_setup.log for messages similar to this. Running pretest 'QVM Flatten Check' removing /tmp/qvmsqlskip if it exists QVM Database schema is OK - no flatten will happen during patching Done running pretest 'QVM Flatten Check' Running precheck scripts: (1/14) Precheck failed: "/media/updates/scripts/725_patch_80235.install --mode precheck" [ERROR](testmode) The patch has been aborted at the user's request. [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue. [INFO](testmode) Set qradarconsole status to 'Patch Test Failed' [ERROR] Failed to apply patch on localhost, not checking any managed hosts. |
10 April 2018 |
CUSTOM ACTION SCRIPTS | IJ15444 | EDITING THE CUSTOM FIXED PARAMETERS IN A CUSTOM ACTION SCRIPT CHANGES THE ORDER OF DATA OUTPUT WHEN THE SCRIPT IS RUN | CLOSED | Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) Workaround: Remove all the parameters and add them in the desired (original) order. You can also change the script variables order to match the required parameters. It has been identified that after editing the custom Fixed Property parameters in a custom action script, the incorrect data order is output when the custom action script is run. |
16 May 2019 |
INSTALLATION | IJ18833 | QRADAR INSTALLATION CAN FAIL DURING GET_MYVER | CLOSED | Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) It has been identified that a QRadar installation can fail with an error similar to the following being displayed on screen: Failed. Exit code:1. Message: ERROR: Failed to run '/opt/qradar/bin/qradar_setup' script: 1 Traceback (most recent call last) File "/opt/qradar/bin/qradar_netsetup.py", line 3913, in <module> main () File "/opt/qradar/bin/qradar_netsetup.py", line 3910, in main qradarNetsetup.finalBlock(exc=e) File "/opt/qradar/bin/qradar_netsetup.py", line 3753, in finalBlock myvermap = get_myver() File "/opt/qradar/bin/ibm_os_utils.py", line 272, in get_myver map = eval(buffer) File "<string>", line 1 Device "ens192 ^ SyntaxError: EOL while scanning string literal System setup failed. Please logout/login on the console terminal to reconfigure system. |
05 September 2019 |
SEARCH | IJ05777 | NEW ARIEL SEARCHES ARE UNABLE TO START DURING DELETE OF /TRANSIENT CURSOR FILES | CLOSED | Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) Workaround: No workaround available. Issue It has been identified that new QRadar searches are unable to start while cursor files in /transient are being deleted, because ariel connection failures occur at that time. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] [Token: Local Health Console@127.0.0.1 (60) /console/restapi/api/ariel/searches] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Failed to connect to ariel server. Please try again later During the same time stamps as the message above, messages similar to the following are being generated in /var/log/qradar.log: [ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 7 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:14 [ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 8 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:15 |
29 April 2021 |
PROTOCOL / AMAZON AWS REST API | IJ16603 | AMAZON CLOUD TRAIL LOG SOURCE UNABLE TO PULL LOGS FROM AN S3 BUCKET WHEN A TILDE ” ~ ” EXISTS IN A FILENAME OR DIRECTORIES | OPEN: Reported in PROTOCOL-AmazonAWSRESTAPI-7.3-20180627173947 | Workaround: Modify directories and filenames to avoid using tilde ‘~’ characters. It has been identified that Amazon CloudTrail Log Source type is unable to pull logs from the S3 bucket when a tilde ‘~’ is used in filenames or directories. The Log Source message when this occurs is similar to the following: ERROR - Error authenticating with Amazon S3 Bucket - update configuration and save or disable/enable the log source to retry ERROR - SignatureDoesNotMatch - The request signature we calculated does not match the signature you provided. Check your key and signing method. |
28 August 2019 |
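The APAR above does not state why a tilde breaks the request, so the following is an added example, not QRadar or AWS code, and its root-cause reading is an assumption: AWS Signature Version 4 requires each path segment to be percent-encoded with the RFC 3986 unreserved characters (A-Z a-z 0-9 - _ . ~) left as they are, so a client that also encodes "~" as "%7E" signs a canonical request that differs from the one S3 rebuilds from the wire URI, and S3 answers SignatureDoesNotMatch. The credentials, bucket, dates and keys below are constructed.

```python
# Added example (not QRadar's protocol code, not the AWS SDK). Demonstrates how a
# non-compliant encoding of "~" in an S3 key changes a SigV4 signature. All inputs
# are constructed; the secret key is a documentation placeholder, not a real credential.
import hashlib
import hmac
from urllib.parse import quote

SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # constructed, not real
REGION = "us-east-1"
SERVICE = "s3"
AMZ_DATE = "20190828T120000Z"
HOST = "example-cloudtrail-bucket.s3.amazonaws.com"      # constructed bucket host
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()            # GET has no body


def canonical_uri(key: str, encode_tilde: bool) -> str:
    """Percent-encode each path segment the way SigV4 expects.

    safe="~" keeps the tilde unencoded on every Python 3 version; everything else
    outside the unreserved set is encoded. encode_tilde=True emulates a client that
    wrongly encodes "~" as "%7E", which is the failure mode being illustrated.
    """
    segments = [quote(seg, safe="~") for seg in key.split("/")]
    uri = "/" + "/".join(segments)
    if encode_tilde:
        uri = uri.replace("~", "%7E")
    return uri


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_signature(key: str, encode_tilde: bool = False) -> str:
    """Hex signature for a GET of `key` with host and x-amz-date as the signed headers."""
    canonical_headers = f"host:{HOST}\nx-amz-date:{AMZ_DATE}\n"
    canonical_request = "\n".join([
        "GET",
        canonical_uri(key, encode_tilde),
        "",                       # empty canonical query string
        canonical_headers,
        "host;x-amz-date",
        EMPTY_SHA256,
    ])
    scope = f"{AMZ_DATE[:8]}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        AMZ_DATE,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    k_signing = signing_key(SECRET_KEY, AMZ_DATE[:8], REGION, SERVICE)
    return hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def signatures_agree(key: str) -> bool:
    """True when a tilde-encoding client and a compliant signer produce the same signature."""
    return sigv4_signature(key, encode_tilde=False) == sigv4_signature(key, encode_tilde=True)


if __name__ == "__main__":
    # Constructed CloudTrail-style keys: one clean, one containing a tilde.
    for k in ("AWSLogs/123456789012/CloudTrail/us-east-1/2019/08/28/log_1.json.gz",
              "AWSLogs/123456789012/CloudTrail/us-east-1/2019/08/28/log~1.json.gz"):
        print(k, "-> signatures agree" if signatures_agree(k) else "-> MISMATCH")
```

The useful check is the second key: any key path that contains a tilde produces two different signatures, while the clean key produces one, which is why renaming the objects (the workaround above) makes the error disappear even though the credentials were correct all along.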
LOG SOURCE MANAGEMENT APP / PROTOCOL | IJ15594 | ‘SOURCE NAME REGEX’ AND ‘SOURCE NAME FORMATTING STRING’ DISPLAYED WHEN SHOW ADVANCED OPTIONS IS SET TO ‘NO’. | OPEN: Reported in PROTOCOL-UDPMultilineSyslog-7.3-20170321173400 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that when using the Log Source Management App, the UDP Multiline Syslog protocol type has the Source Name Regex and Source Name Formatting String displayed in the user interface when Show Advanced Options is set to No. The advanced options should only be visible to users when Show Advanced Options is set to Yes. |
28 August 2019 |
REPORTS / ADVANCED SEARCH (AQL) | IJ17433 | ADVANCED SEARCH (AQL) THAT INCLUDES 'HAVING' CLAUSE GENERATES AN APPLICATION ERROR WHEN USED IN SCHEDULED REPORTS | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Reports generate as expected when the report is run manually instead of on a schedule, or when the AQL query is written without the "HAVING" clause. Issue It has been identified that an 'Application Error' dialog is generated in the Report Wizard when a scheduled report uses an AQL query that includes a "HAVING" clause. To recreate this issue:
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] com.q1labs.reports.ui.action.ReportWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error setting chart data for chart Events/Logs
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] java.lang.IllegalArgumentException: key should not be null
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] at com.q1labs.ariel.IndexTree. |
12 July 2021 |
EMAIL NOTIFICATIONS | IJ16965 | QRADAR CAN STOP SENDING EMAIL NOTIFICATIONS WHEN SMBTAIL HAS TOO MANY OPEN PORT CONNECTIONS | Closed as unreproducible in next release | Workaround Restarting the ecs-ec service from an SSH session on the QRadar Console can temporarily correct this condition. Issue It has been identified that, in some instances, SMBTail Log Sources that are in an Error state can exhaust the available local port connections, and QRadar then stops sending email notifications because the outbound connection to the local SMTP server cannot bind a port. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] com.q1labs.sem.util.EmailSender: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception attempting to send email: Sending the email to the following server failed : localhost:25
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] org.apache.commons.mail.EmailException: Sending the email to the following server failed : localhost:25
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1242)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at org.apache.commons.mail.Email.send(Email.java:1267)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.q1labs.sem.util.EmailSender.send(EmailSender.java:137)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.q1labs.semsources.destinations.EmailDestination.outputEvent(EmailDestination.java:42)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.eventgnosis.system.ThreadedEventTerminator.run(ThreadedEventTerminator.java:51)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at java.lang.Thread.run(Thread.java:785)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] Caused by:
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] javax.mail.MessagingException: Could not connect to SMTP host: localhost, port: 25; nested exception is: java.net.BindException: Address already in use (Bind failed)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:311)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at javax.mail.Service.connect(Service.java:233)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at javax.mail.Service.connect(Service.java:134)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at javax.mail.Service.connect(Service.java:86)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at com.sun.mail.smtp.SMTPTransport.connect(SMTPTransport.java:144)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at javax.mail.Transport.send0(Transport.java:150)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at javax.mail.Transport.send(Transport.java:80)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1232)
[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent={host}:ecs-ep/EP/EmailDestination]] ... 5 more |
28 August 2019 |
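The "Address already in use (Bind failed)" in the trace above is raised on an outbound connect to localhost:25, which points at the local ephemeral port range being used up rather than at the SMTP server. The following is an added example, not QRadar code, of how an administrator can confirm that from `ss -tan` output before restarting ecs-ec: it counts the distinct local ports in the ephemeral range by socket state and shows which peers hold them. The `ss` sample is constructed, its column layout is a simplification of the real output, and the 32768-60999 default range is the usual Linux `net.ipv4.ip_local_port_range`, which is an assumption for a given appliance.

```python
# Added example (not QRadar code): ephemeral-port exhaustion check over `ss -tan`
# style output. The sample below is constructed; on a console you would feed it the
# real output of `ss -tan` (or `ss -tanp` to see owning processes).
import re
from collections import Counter

SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:51234       10.0.0.20:445
ESTAB      0      0      10.0.0.5:51235       10.0.0.20:445
TIME-WAIT  0      0      10.0.0.5:51236       10.0.0.20:445
TIME-WAIT  0      0      10.0.0.5:51237       10.0.0.21:445
LISTEN     0      128    0.0.0.0:25           0.0.0.0:*
ESTAB      0      0      127.0.0.1:51238      127.0.0.1:25
"""

# state, recv-q, send-q, local addr:port, peer addr:port (port may be "*" for listeners)
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*$")

# Assumed default Linux net.ipv4.ip_local_port_range; read the sysctl on a real host.
DEFAULT_RANGE = (32768, 60999)


def parse_ss(output: str):
    """Yield (state, local_port, peer_ip, peer_port) for every non-listening TCP socket."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "LISTEN":
            continue                      # header line or a listener: not a client port
        peer_port = int(m.group(5)) if m.group(5) != "*" else 0
        yield m.group(1), int(m.group(3)), m.group(4), peer_port


def local_ports_in_use(output: str, port_range=DEFAULT_RANGE):
    """Return (Counter of socket states, number of distinct ephemeral local ports in use)."""
    lo, hi = port_range
    port_state = {}
    for state, lport, _, _ in parse_ss(output):
        if lo <= lport <= hi:
            port_state[lport] = state      # one entry per distinct local port
    return Counter(port_state.values()), len(port_state)


def peers_by_count(output: str) -> Counter:
    """How many sockets go to each peer; SMB tail targets show up as <host>:445."""
    return Counter(f"{ip}:{port}" for _, _, ip, port in parse_ss(output))


def exhaustion_ratio(output: str, port_range=DEFAULT_RANGE) -> float:
    """Fraction of the ephemeral range currently held (ESTAB and TIME-WAIT both count)."""
    _, used = local_ports_in_use(output, port_range)
    lo, hi = port_range
    return used / (hi - lo + 1)


def is_exhausted(output: str, threshold: float = 0.9, port_range=DEFAULT_RANGE) -> bool:
    """True when the range is close enough to full that new outbound connects will fail to bind."""
    return exhaustion_ratio(output, port_range) >= threshold


if __name__ == "__main__":
    states, used = local_ports_in_use(SAMPLE_SS)
    print(f"{used} ephemeral ports in use, by state: {dict(states)}")
    print("top peers:", peers_by_count(SAMPLE_SS).most_common(3))
    print(f"range used: {exhaustion_ratio(SAMPLE_SS):.2%}, exhausted: {is_exhausted(SAMPLE_SS)}")
```

On an affected host the TIME-WAIT count and a single SMB peer (port 445) dominating the peer list are what to look for; the restart in the workaround clears those sockets, which is why it only helps temporarily while the Log Source stays in Error.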
REPORTS | IJ18481 | 'DAILY "START TIME" MUST BE BEFORE "END TIME"' MESSAGE WHEN SELECTING PREVIOUS DAY START TIME BETWEEN 12AM AND 12:45AM | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that the Report container can fail to save and generates a pop up message similar to '"Daily "Start Time" must be before "End Time"' when using "Data of previous day" and any start time between 12:00AM and 12:45AM is selected in daily scheduling of a report. |
26 August 2019 |
DEVICE SUPPORT MODULE (DSM) | IJ16412 | MICROSOFT OFFICE 365 DSM IS POPULATING THE IPV4 LOG SOURCE ADDRESS AS SOURCE IP WHEN IT SHOULD BE USING IPV6 ADDRESS | OPEN: Reported in DSM-MicrosoftOffice365-7.3-20190226183934 | Workaround: From the Admin tab > DSM Editor user interface, create an override for the Source IP that substitutes 0.0.0.0 when an IPv6 address is present in the ClientIP of the event payload. This change prevents the packet (Log Source) IPv4 address from being entered in the Source IP field when an IPv6 address is available.
It has been identified that the QRadar Microsoft Office 365 DSM successfully parses the IPv6 address from an Office 365 event payload and adds it as an IPv6 property, but it places the Log Source (packet) IPv4 address in the Source IP field of the user interface. |
28 August 2019 |
SCHEDULED SCAN / QRADAR VULNERABILITY MANAGER (QVM) | IJ17942 | VULNERABILITY SCHEDULED SCANS CAN FAIL AND THE SCAN DATA APPEARS TO HANG | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that Vulnerability Manager scheduled scans can fail with the scan data hanging. When this occurs, affected scans have no results to be processed and scans sit at 'stopped' while the duration continues counting up. Cancelling an affected scan during its run time causes it to stay at 100% with the duration counting up and, again, no results. Hovering over the Progress bar, the "Estimated time to Process" appears but the time that is displayed continues to rise with the duration. Manually run scans complete as expected while this behavior is affecting scheduled scans. Messages similar to the following might be visible in /var/log/qradar-sql.log when this issue occurs:
postgres[23015]: [1161-1] ERROR: out of shared memory
postgres[23015]: [1161-2] HINT: You might need to increase max_locks_per_transaction.
postgres[23015]: [1161-3] CONTEXT: SQL statement "SELECT (NOT EXISTS(SELECT jo.JobOrderID
postgres[23015]: [1161-4] FROM JobOrders jo....
postgres[4285]: [3478-1] ERROR: relation "tt_table9" does not exist
postgres[4285]: [3478-2] CONTEXT: SQL statement "truncate table tt_TABLE9"
postgres[4285]: [3478-3] PL/pgSQL function cwf_orgunit_getallcompanynodesabove_maint(integer) line 18 at SQL statement
postgres[4285]: [3478-4] SQL statement "INSERT INTO tt_new_rows_mapped_q1_exclusion_rules |
26 November 2020 |
WINCOLLECT | IJ17949 | WINCOLLECT AGENT ONLY RUNS A DNS LOOKUP WHEN THE AGENT IS RESTARTED | CLOSED | Resolved in WinCollect 7.2.9 Patch 1 Workaround No workaround available. Issue It has been identified that there are instances where a WinCollect Agent should refresh its DNS lookup but does not. When Event Forwarding is used, the WinCollect Agent behaves as follows: the Agent performs a DNS lookup when it receives its first event from a Windows computer, resolves the IP address and caches it. That cached IP is used in the originating computer field of the payload. If the Windows computer switches between a wired and a wireless connection it effectively receives a new IP address, but the WinCollect Agent keeps using the cached address and does not perform a new DNS query. The Windows computer's asset does not get the new IP address registered until the WinCollect Agent is restarted. |
18 November 2019 |
GEOGRAPHIC DATA | IJ17989 | QRADAR CONTINUES TO USE THE GEO2LITE MAXMIND DATABASE FOR GEODATA INFORMATION WHEN MAXMIND SUBSCRIPTION CONFIGURED | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that QRadar continues to use the free MaxMind GeoLite2 database even when a paid MaxMind subscription is configured under Admin > System Settings in the QRadar user interface. |
06 September 2022 |
REPORTS | IJ18005 | LEFT TAB REPORT FILTER OPTIONS IN THE REPORTING TAB ARE NOT WORKING AS EXPECTED USING A GROUP THAT HAS BEEN SHARED | OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions | Workaround: Sort the reporting tab by "Schedule" to see relevant reports. It has been identified that the left tab filters in the Reporting tab (Manual, Hourly, Weekly, Monthly) are not filtering the report list as expected. For example:
|
07 August 2019 |
X-FORCE UPDATES / PROXY | IJ18011 | MANUAL SCASERVER PROXY CONFIG SETTINGS ARE OVERWRITTEN BY /OPT/QRADAR/SYSTEMD/BIN/SCASERVER_UPDATE_SETTINGS.SH | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that the scaserver fails to connect to *.xforce-security.com using an authenticated proxy when /opt/qradar/systemd/bin/scaserver_update_settings.sh runs and overwrites the required manual changes that were made in:
|
24 May 2021 |
PROTOCOL / TIVOLI ENDPOINT MANAGER SOAP | IJ18014 | BIGFIX LOG SOURCE RECEIVING LOGIN SUCCESS EVENTS AND NOT RECEIVING ACTION EVENTS | OPEN: Reported in PROTOCOL-IBMBigFixSOAP-7.3-20180914130641 | No workaround available. It has been identified that BigFix Log Sources are only receiving Login Success events and not receiving Action events. |
16 August 2019 |
HIGH AVAILABILITY (HA) | IJ18040 | ADDING HIGH AVAILABILITY TO AN APPLIANCE CAN FAIL DURING THE REMOTE VERSION CHECK | OPEN: Reported in QRadar 7.3.2 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that adding High Availability (HA) to an appliance can fail because the remote version check incorrectly reports the QRadar version of the appliance that is to become the Secondary HA appliance. Messages similar to the following might be visible in the qradar_hasetup.log file on the Primary appliance when this issue occurs:
[HA Setup (P-M----)] [ERROR] Remote system is version root@1.1.1 7.3.2 but we are 7.3.2. You must re-install the standby system with the latest version. |
08 August 2019 |
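In the log line above the remote version string arrives as "root@1.1.1 7.3.2", carrying an extra token in front of the release number, and a plain string comparison against "7.3.2" then reports a mismatch between two identical releases. That reading of the message is an assumption; the APAR does not give the cause. The following is an added example, not QRadar's hasetup code, of a tolerant pre-check an administrator can run against the output of the same version query before attempting to add HA: it picks out the token that is entirely a dotted version (so "root@1.1.1" is rejected), ignores a trailing build stamp, and compares the release components numerically.

```python
# Added example (not QRadar code): tolerant comparison of two QRadar version strings
# of the kind the HA setup compares. Inputs below are constructed from the APAR's log line.
import re

# A token is a version only if it is nothing but digits and dots, e.g. "7.3.2" or
# "7.3.2.20190705120852". "root@1.1.1" fails because of the "root@" prefix.
VERSION_TOKEN = re.compile(r"^\d+(?:\.\d+)+$")


def extract_version(text: str):
    """Return (major, minor, patch) from the last purely-numeric dotted token in `text`.

    The last match is used because version output of the form "<noise> 7.3.2" puts the
    release at the end. Missing components are padded with 0; a build stamp such as
    "7.3.2.20190705120852" is truncated to its first three components. None if no token.
    """
    found = None
    for token in text.split():
        if VERSION_TOKEN.match(token):
            parts = tuple(int(p) for p in token.split("."))
            found = (parts + (0, 0, 0))[:3]
    return found


def same_release(remote_output: str, local_version: str) -> bool:
    """True when both strings resolve to the same major.minor.patch release."""
    remote = extract_version(remote_output)
    local = extract_version(local_version)
    return remote is not None and local is not None and remote == local


def naive_check(remote_output: str, local_version: str) -> bool:
    """The fragile comparison: exact string equality after trimming whitespace."""
    return remote_output.strip() == local_version.strip()


def describe(remote_output: str, local_version: str) -> str:
    """One-line verdict in the style of the hasetup log, without aborting on noise."""
    remote = extract_version(remote_output)
    if remote is None:
        return f"could not find a version in remote output {remote_output!r}"
    if same_release(remote_output, local_version):
        return "remote and local releases match: " + ".".join(map(str, remote))
    return (f"remote is {'.'.join(map(str, remote))} but we are "
            f"{'.'.join(map(str, extract_version(local_version) or ()))}")


if __name__ == "__main__":
    remote, local = "root@1.1.1 7.3.2", "7.3.2"        # constructed from the APAR log line
    print("naive:", naive_check(remote, local))          # False: the prefix breaks it
    print("tolerant:", same_release(remote, local))      # True: same release
    print(describe(remote, local))
```

The point of the example is the difference between the two checks on the same input: the naive comparison fails on any decoration of the remote string, which is the symptom the APAR describes, while the tolerant one still refuses a genuinely different release such as 7.3.1 against 7.3.2.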
RESOURCE RESTRICTION / SEARCH | IJ18069 | CONFIGURED RESTRICTION DOES NOT CANCEL SEARCHES AS EXPECTED AND THE SEARCH RUNS UNTIL A TIMEOUT LIMIT IS REACHED | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Add further filtering to the search so that it does not reach the Record Limit configured under Admin -> Resource Restrictions. It has been identified that the Record Limit configured under Admin -> Resource Restrictions in the QRadar user interface is not working as expected. When a search reaches the configured Resource Restriction it is not cancelled immediately; it still shows as in progress at 100% until the default execution timeout is reached. Messages similar to the following might be visible in QRadar logging when this issue occurs:
ariel_client /127.0.0.1:41920 | [Action] [Search] [SearchExecuted] query starts, description="User:tkmau,Source:UI,Params:Id:xxxxx-xxxx-xxxx-xxxx-xxxxx,DB:
The actual cancelled message appears only after the read timeout is logged:
ariel_query_22:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action] [Search] [SearchCompleted] query finished, status=CANCELED, stat details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx, FileStats [dataFileCount=22, compressedDataFileCount=0, indexFileCount=11, dataTotalSize=130746346KB, compressedDataTotalSize=0KB, indexTotalSize=101139786KB, progress=100.0%, totalResult=27, totalResultDataSize=18KB, searchTime=45800ms]", concurrent queries="5"
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] com.q1labs.frameworks.nio.network.Communicator: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Read timeout (45000 ms) expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] java.net.SocketTimeoutException: Read timeout (45000 ms) expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.readBlockFromChannel(Protocol.java:1577)
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.read(Protocol.java:1597)
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.run(Protocol.java:1657)
[ariel_proxy.ariel_proxy_server] [AsynchronousReceiver:localhost/127.0.0.1:32023] at java.lang.Thread.run(Thread.java:812)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:ff3ee225-1044-4c88-9523-55e902cce450] com.q1labs.ariel.searches.service.ids.Slave: [INFO] [-/- -]Error closing remote server [localhost:32023]
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] java.util.concurrent.ExecutionException: java.net.SocketTimeoutException: Read timeout (45000 ms) expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.reportError(ProtocolProcessor.java:409)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.run(Protocol.java:1664)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at java.lang.Thread.run(Thread.java:812)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] Caused by:
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] java.net.SocketTimeoutException: Read timeout (45000 ms) expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.readBlockFromChannel(Protocol.java:1577)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.read(Protocol.java:1597)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] at com.q1labs.frameworks.nio.network.protocol.Protocol$AsynchronousReceiver.run(Protocol.java:1657)
[ariel_proxy.ariel_proxy_server] [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] ... 1 more |
09 August 2019 |
RULES / RULE WIZARD | IJ18085 | THE RULE EDITOR DOES NOT DISPLAY THE SPECIAL SYMBOL " + " WHEN DISPLAYING RULE CONDITIONS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. Issue It has been identified that the Rule editor does not display the regex special symbol " + " when displaying the rule conditions in the stack. To replicate this issue:
|
02 August 2019 |
REPORTS / QRADAR VULNERABILITY MANAGER (QVM) | IJ18087 | 'MISSING PATCHES' REPORT CAN FAIL TO GENERATE WHEN THERE IS A LARGE SET OF VULNERABILITY SCAN DATA | OPEN: Reported in QRadar 7.3.2 Patch 2 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that when there is a large set of vulnerability data from vulnerability scans and the default 'Missing Patches' report is run, the report shows as 'Generating' until it stops and never actually generates. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [xxxxx-xxxx-xxxx-xxxx-xxxxx/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host 127.0.0.1 report_runner, pid=65806, TX age=651 secs |
02 August 2019 |
REPORTS | IJ18097 | REPORTS CAN FAIL TO GENERATE WHEN REQUIRED SPILLOVER FOLDER WITH PERMISSIONS FAILS TO BE CREATED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround If you are unable to upgrade to a software version that resolves this issue, but experience this error, contact QRadar Support for a possible workaround that might address this issue in some instances. Issue It has been identified that reports can fail to generate because a required spillover folder with the proper permissions is not created as expected. The folder is required for proper report_runner functionality. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[report_runner] [main] com.q1labs.cve.accumulation.definition.GlobalViewConfiguration: [ERROR] [-/- -]Error reading custom properities.
[report_runner] [main] com.q1labs.frameworks.cache.SpilloverCacheException: java.lang.Exception: Unable to create cache directory in /store/transient/report_runner/CustomPropertyCache. Possibly insufficient permissions?
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBufferToDisk(ChainAppendCache.java)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache.addDiskEntry(ChainAppendCache.java:1129)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainAppendCache.java)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache$1.removeEldestEntry(ChainAppendCache.java:465)
[report_runner] [main] at java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java)
[report_runner] [main] at java.util.HashMap.putVal(HashMap.java)
[report_runner] [main] at java.util.HashMap.put(HashMap.java)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCache.java)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCache.java:)
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCache.java)
[report_runner] [main] at com.q1labs.core.shared.ariel.CustomPropertyServices.constructAndCacheProperty(CustomPropertyServices.java)
[report_runner] [main] at com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomProperty(CustomPropertyServices.java)
[report_runner] [main] at com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPropertyNoCache(CustomPropertyServices.java)
[report_runner] [main] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.testCustomEventProperties(GlobalViewConfiguration.java)
[report_runner] [main] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.read(GlobalViewConfiguration.java)
[report_runner] [main] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.load(GlobalViewConfiguration.java)
[report_runner] [main] at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.getInstance(GlobalViewConfiguration.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.setData(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.ReportTemplate.rebuildTemplate(ReportTemplate.java)
[report_runner] [main] at com.q1labs.reporting.ReportTemplate.read(ReportTemplate.java)
[report_runner] [main] at com.q1labs.reporting.ReportServices.reload(ReportServices.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.Exception: Unable to create cache directory in /store/transient/report_runner/CustomPropertyCache. Possibly insufficient permissions?
[report_runner] [main] at com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBufferToDisk(ChainAppendCache.java)
[report_runner] [main] ... 21 more |
16 November 2020 |
WINCOLLECT | IJ18099 | WINCOLLECT LOG SOURCES CAN BE MISSING A DAILY LOG FILE | OPEN: Reported in WinCollect 7.2.8.145 and later | No workaround available. It has been identified that WinCollect Log Sources can sometimes be missing one day of data when the WinCollect Agent is pulling daily log files. The WinCollect plugin can incorrectly identify that there are two active day log files and when this occurs it only processes the log file that is the latest, thereby skipping a day log file. |
12 August 2019 |
OFFENSES / NETWORK HIERARCHY | IJ18103 | THE QRADAR OFFENSE MODEL CAN EXPERIENCE REDUCED RESPONSIVENESS AFTER AN UPDATE IS MADE TO A LARGE NETWORK HIERARCHY | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834) Workaround No workaround available. Issue It has been identified that when changes or updates are made to a large Network Hierarchy, the QRadar Offense model can experience an unexpected reduction in responsiveness and, in some instances, a TxSentry warning is raised as well. Messages similar to the following might be visible in /var/log/qradar.log when a related TxSentry occurs:
com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host console: ecs-ep.ecs-ep, pid=106257 children= immediately=false, TX age=600 secs
com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host console: pid=106257 age=600 IP=127.0.0.1 port=54026 locks=113 query='SELECT id, network FROM clean_netid_network_details_proc()'
com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host console: rel=attacker_tplu_idx age=600 granted=t mode=RowExclusiveLock query='SELECT id, network FROM clean_netid_network_detail' |
23 February 2022 |
ADVANCED SEARCH (AQL) | IJ18156 | QRADAR ADVANCED SEARCH FAILS WHEN THERE IS MORE THAN ONE OPERATOR IN A CONDITION | CLOSED: Duplicate of IJ16392. | Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) Issue It has been identified that the QRadar Advanced Search (AQL) fails with a NullPointerException when there is more than one operator in a condition. Example of an Advanced Search resulting in a NullPointerException:
SELECT LOGSOURCETYPENAME(devicetype) AS "LogSourceType", LOGSOURCENAME(logsourceid) AS "LogSourceName", SUM(IF "File Hash" IS NULL AND "PANW-file-hash" IS NULL AND "PANW-traps-file-hash" IS NULL THEN 1 ELSE 0 END) AS "HashCount" FROM events GROUP BY logsourceid LAST 1 HOURS
Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.NullPointerException:null
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.IndexTree.useTree(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.FieldInfoCondition.getKeyCreator(FieldInfoCondition.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.FieldInfoBase.getObjectType(FieldInfoBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(ParserBase.java:428)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1409)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1636)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] at java.lang.Thread.run(Thread.java) |
14 August 2019 |
EARLY WARNINGS / QRADAR VULNERABILITY MANAGER (QVM) | IJ18159 | THE QRADAR VULNERABILITY MANAGER (QVM) EARLY WARNINGS PROCESS CAN CAUSE UNEXPECTED SLOWNESS IN LOADING VULNERABILITY USER INTERFACE PAGES | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Install the latest version or contact Support for a possible workaround that might address this issue if you are unable to upgrade. Issue It has been identified that the QRadar Vulnerability Manager (QVM) early warnings process can cause QVM performance issues that sometimes lead to User Interface pages not loading data. Some performance degradation examples:
|
07 August 2019 |
RULES | IJ18161 | CUSTOM RULE FAILS TO LOAD DUE TO ORPHANED LINK_UUID IN THE CUSTOM_RULE DATABASE TABLE | CLOSED: Duplicate of IJ15968. | Duplicate of IJ15968 and resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) Issue It has been identified that a QRadar custom rule fails to load when it is associated with an orphaned link_uuid in the custom_rule table of the database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] com.q1labs.core.dao.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while unmarshalling rule id 108018 from DB table custom_rule
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] java.lang.NullPointerException
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(CREServices.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomRuleReader.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dispatchEvent(ConfigurationChangeEvent.java)
[ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java) |
14 August 2019 |
RULES / BUILDING BLOCKS | IJ18167 | 'URL (CUSTOM) IS CATEGORIZED BY X-FORCE AS ONE OF THE FOLLOWING CATEGORIES' IS DEFAULTED IN BUILDING BLOCK WHEN CREATING A RULE | OPEN: Reported in QRadar 7.3.1 Patch 8 | No workaround available. It has been identified that the following rule test can sometimes be defaulted in the Building Block when creating a rule: "and when URL (custom) is categorized by X-Force as one of the following categories" After attempting to change the default Custom Event Property (URL) to another Custom Event Property, the URL (custom) remains in the database and is still used by the rule. |
30 August 2019 |
RULES / AQL | IJ18181 | UNABLE TO EDIT AQL FILTER IN A RULE WHEN '%\U' OR '%\X%' PARAMETERS ARE USED IN THE LIKE CLAUSE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that an AQL filter in a Rule cannot be edited when '%\u%' or '%\x%' parameters are used in the Like clause. For example:
|
16 August 2019 |
SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) | IJ18208 | SELECTING 'SCAN RESULTS' ON THE VULNERABILITIES TAB CAN GENERATE 'APPLICATION ERROR' OR 'HTTP ERROR 404' | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Select the Vulnerabilities tab to display the scan results. It has been identified that selecting Scan Results on the Vulnerabilities tab can result in either "Application Error" or "HTTP ERROR 404" being displayed. This occurs when the host name in the Web browser's URL starts with "console". For example: console-12345.qradar.test.com. |
07 August 2019 |
MANAGE VULNERABILITIES / DATA EXPORT | IJ18235 | TIMEZONE VALUES IN THE EXPORTED VULNERABILITIES FILE FROM QRADAR VULNERABILITY MANAGER (QVM) ARE GMT TIMEZONE INSTEAD OF THE SYSTEM TIMEZONE | CLOSED | Resolved in QRadar Vulnerability Manager 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that when vulnerabilities are exported from the Manage Vulnerabilities -> By Asset -> By Vulnerability Instance window in the QRadar User Interface (UI), the "first seen date" and "last seen date" time stamp values in the export file are in the GMT timezone instead of the system timezone. Note: The timezones are displayed correctly in the QRadar user interface, this issue only affects the timezone values that are included within the vulnerability export file. |
12 August 2019 |
REPORTS / DAILY | IJ18239 | THE LEGEND FOR DAILY STACKED BAR CHART REPORTS WITH X-AXIS AS 'TIME' DOES NOT SORT AS EXPECTED | OPEN: Reported in QRadar 7.3.1 Patch 8 | Workaround: Do not use the Time X-Axis for daily reports using stacked bar charts. It has been identified that the legend for daily stacked bar chart reports with an X-axis using Time does not sort as expected. The legend does not always correlate with the table results displayed. |
19 August 2019 |
UPGRADE / RULES | IJ18241 | AFTER UPGRADE TO 7.3.2 PATCH 2, QRADAR USER INTERFACE RULE PAGE CAN FAIL TO LOAD AFTER A MANAGED HOST HAS BEEN REPLACED | OPEN: Reported in QRadar 7.3.2 Patch 2 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that the Rule page can fail to load in the QRadar User Interface after upgrading to QRadar 7.3.2 Patch 2. This is due to the presence of an old hostid in the basehostid column of the custom rule table after a Managed Host has been replaced. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request: [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] java.lang.NullPointerException [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.getAnalysis(RuleWizardForm.java) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.copyInitialDataFromDAO(RuleWizardForm.java:2139) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.summaryCopyFromDAO(RuleWizardForm.java) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.action.MaintainRules.getAllRules(MaintainRules.java) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java) [tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at java.lang.reflect.Method.invoke(Method.java) |
19 August 2019 |
ROUTING RULES / EVENT COLLECTORS (15xx) | IJ18322 | ONLINE SELECTIVE FORWARDING GENERATES NULLPOINTEREXCEPTION WHEN EVENTS ARE COLLECTED AND 'STORE EVENT PAYLOAD' IS NOT SELECTED | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Open the Log Source(s) collecting the event(s) and ensure that 'Store Event Payload' is selected. Issue It has been identified that Online Selective Forwarding reports dropped events and generates a NullPointerException in the /var/log/qradar.error log when an event(s) is collected with the 'Store Event Payload' option unchecked for the Log Source. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [-/--]Exceeded maximum number of retries, dropping event. and also: [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] .sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [ERROR] [-/--]SelectiveForwardingSender disconnected because of: [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] java.lang.NullPointerException [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.getTextLength(Matcher.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.reset(Matcher.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.<init>(Matcher.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Pattern.matcher(Pattern.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.core.dao.selectiveforwarding.light.SelectiveForwardingDestination.isPayloadHeaderMissing(SelectiveForwardingDestination.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.forwarding.mapping.ForwardingPayloadMapping.put(ForwardingPayloadMapping.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(ForwardingUDPConnector.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.process(SelectiveForwardingCommunicatorThread.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.run(SelectiveForwardingCommunicatorThread.java) [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Exceeded maximum number of retries, dropping event. |
19 August 2019 |
DATA EXPORT / LOG ACTIVITY | IJ18323 | LOG ACTIVITY CSV DATA EXPORT DOES NOT CONTAIN THE COLUMN NAME FOR 'PAYLOAD' | OPEN: Reported in QRadar 7.3.1 Patch 6 | No workaround available. It has been identified that output from Log Activity -> Actions -> Export to CSV does not contain the header/column name for 'Payload'. |
19 August 2019 |
AUTHENTICATION (LDAP) / ACCESS | IJ18324 | QRADAR USER FAILS TO LOGIN SUCCESSFULLY WHEN USERNAME DOES NOT MATCH CASE WHEN USING EXTERNAL AUTHENTICATION IN 7.3.2 PATCH 3 | OPEN: Reported in QRadar 7.3.2 Patch 3 and later | Workaround: Login with a username that exactly matches the case of the QRadar user delegate. It has been identified that when external authentication is active/enabled in QRadar 7.3.2 Patch 3 (e.g. LDAP Authentication), QRadar users attempting to log in with usernames that do not exactly match the case of their QRadar user delegate cause a NullPointerException to be generated and the user login attempt fails. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] java.lang.NullPointerException [tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.UserNamePasswordAuthentication.authenticate(UserNamePasswordAuthentication.java) [tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.authenticate(LoginEndpoint.java) [tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.login(LoginEndpoint.java) [tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.doPost(LoginEndpoint.java) |
13 August 2019 |
AUTO UPDATE / DISK SPACE | IJ18327 | WHEN AUTOUPDATE EXPERIENCES AN OUT OF MEMORY INSTANCE THE RESULTING DUMP FILE IS CREATED IN THE ROOT " / " PARTITION | OPEN: Reported in QRadar 7.3.2 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that in instances of AutoUpdate experiencing an Out Of Memory occurrence, the resulting dump file (e.g. core.20190109.005124.183434.0001.dmp) is written to the Root " / " partition. Note: Required services on a QRadar appliance are stopped when less than 5% free space is detected in a monitored partition until the free space issue is corrected. |
14 August 2019 |
AUTO UPDATE / PROXY | IJ18339 | QRADAR AUTOUPDATE CAN FAIL TO RUN WHEN A PROXY SERVER IS CONFIGURED DUE TO MISSING LIBRARY | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Contact Support for a possible workaround that might address this issue in some instances or see the following technical note for more information: Auto Update Proxy Issues "500 SSL NEGOTIATION FAILED" (Updated). It has been identified that in some instances, AutoUpdate can fail to run when configured to connect using a proxy server. The specific instances in this APAR of AutoUpdate failing to run when configured to use a proxy server are due to the missing library LWP-Protocol-connect-6.09. Messages similar to the following might be visible in the Autoupdate logs when this issue occurs: [DEVEL] Attempting to retrieve https://qmmunity.q1labs.com/autoupdates/manifest_list?version=7.3.2.20190522204210&customer= |
14 August 2019 |
DATA EXPORT / QRADAR ON CLOUD | IJ18449 | UNABLE TO DOWNLOAD EXPORTS MESSAGE 'YOUR EXPORT JOB HAS COMPLETED. THE FILE SIZE EXCEEDS THE EMAIL ATTACHMENT LIMIT...' | OPEN: Reported in QRadar 7.3.2 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that exports can be too large for email making them unable to be downloaded within QRadar on Cloud environments. Messages similar to the following might be visible in the user interface when this issue occurs: 'Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the below link. Note that the link is valid for one download only.' https:// |
26 August 2019 |
ADVANCED SEARCH (AQL) | IJ18455 | RUNTIMEEXCEPTION GENERATED IN QRADAR LOGGING WHEN AN INVALID AQL IS RUN RATHER THAN PROPER AQL PARSER REJECTION | OPEN: Reported in QRadar 7.3.2 Patch 3 | No workaround available. It has been identified that a runtime exception is generated when executing an invalid Advanced Search (AQL) that has aggregate functions in the WHERE clause instead of being rejected by the AQL parser. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] com.q1labs.ariel.ConnectedClient: [WARN] [-/- -]Ariel Server cannot decode command, cmd=Execute statement - AQLRequest ["select qid from events where max(qid)!=0", PARSE] [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] java.lang.RuntimeException: Unable to write Serializable [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.putMappable(Protocol.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.write(Protocol.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.writeAndFlush(Protocol.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.CommunicatorBase.writeAndFlush(CommunicatorBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.Communicator.writeAndFlush(Communicator.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.lang.Thread.run(Thread.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] Caused by: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] java.io.NotSerializableException: com.q1labs.ariel.ql.parser.AggregateFunctionInfo [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java) [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] |
26 August 2019 |
QRADAR ADVISOR WITH WATSON | IJ18462 | QRADAR ADVISOR WITH WATSON APP TAB IS BLANK WITH 'FAILED TO LOAD INVESTIGATIONS' MESSAGE | OPEN: Reported in QRadar 7.3.1 Patch 6 Interim Fix 02 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that in instances where the QRadar Offense API is attempting to handle very large queries, the QRadar Advisor With Watson App tab can sometimes be blank with only the message 'Failed to load investigations' being displayed. |
26 August 2019 |
SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) | IJ18486 | RED TRIANGLE 'ASSET MODEL HAS NOT BEEN UPDATED' CAN BE INCORRECTLY DISPLAYED FOR SCAN RESULTS FROM QRADAR VULNERABILITY MANAGER (QVM) | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that in some instances where the asset model has been updated, the "Asset Model has not been updated" red warning triangle is incorrectly displayed on the QRadar Vulnerability Manager Scan Results. |
24 May 2021 |
RULE TEST / DISK SPACE | IJ18492 | /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST | OPEN: Reported in QRadar 7.3.2 Patch 2 | No workaround available. It has been identified that an exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill up the /var/log partition. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug. [ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug. [ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521) [ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464) |
26 August 2019 |
QRADAR APPS / HIGH AVAILABILITY (HA) | IJ18520 | QRADAR APPS CAN FAIL TO LOAD AFTER A FAILOVER IS PERFORMED TO A REBUILT PRIMARY HIGH AVAILABILITY APPLIANCE | OPEN: Reported in QRadar 7.3.2 Patch 2 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that when a High Availability Primary appliance is rebuilt, after the first failover back to that Primary appliance is performed, QRadar Apps can fail to load. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [pool-1-thread-2] com.ibm.si.api.workload.v1.ApiException: java.net.UnknownHostException: [xxxxxxxxx].localdeployment: |
26 August 2019 |
ADVANCED SEARCH (AQL) | IJ18551 | ADVANCED SEARCH (AQL) THAT USES A REFERENCE SET ASSIGNED TO A TENANT FAILS TO RETURN RESULTS AND GENERATES ERROR | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826) Workaround Advanced Search (AQL) which uses a filter based on a Reference Set assigned to Shared and Domain works as expected. Issue It has been identified that running a search based on AQL using a Reference Set that is assigned to a Tenant fails with an error similar to: "ReferenceSet function: Unknown reference data collection '{reference_set}'" Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] com.q1labs.ariel.ql.parser.Parser: [ERROR][-/- -]ReferenceSet function: Unknown reference data collection '{reference_set}' [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: ReferenceSet function: Unknown reference data collection {reference_set} [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.load(AbstractRefDataCollectionFunction.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.exceptionWrapper(AbstractRefDataCollectionFunction.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet.getArgumentTypes(ReferenceSet.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:40510] at java.lang.Thread.run(Thread.java) |
12 July 2021 |
REFERENCE SETS | IJ18553 | INSTANCES OF NO SEARCH RESULTS RETURNED CAN OCCUR FOR USER ROLES WITH 'READ ONLY' PERMISSIONS ON REFERENCE SETS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that users of a particular user role with read only access can experience issues when searching through reference sets. When opening the "View Reference Sets" window through the Log Activity -> Add Filter -> Reference Set -> View Reference Set window they are able to enter a name to search on the reference set names, but after pressing Enter, the window does not update to reflect the search that has been performed. When selecting a field to sort on (Name, Type, ...) the window updates to reflect the search. |
26 August 2019 |
APPLICATION FRAMEWORK / APP INSTALL | IJ18610 | APPS CONTAINING A NULL PAYLOAD IN ARIEL_PROPERTY_EXPRESSION DATABASE TABLE FAIL TO INSTALL AT QRADAR 7.3.2 PATCH 3 | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that after patching to QRadar 7.3.2 Patch 3, QRadar Apps that have a null payload in the database table ariel_property_expression (e.g. Cb Defense App for IBM QRadar) fail to install. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.Content: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import [device_ext] [tomcat.tomcat] [admin@127.0.0.1] java.lang.NullPointerException [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java) [tomcat.tomcat] [admin@127.0.0.1] com.q1labs.frameworks.session.SessionContext: [WARN] [-/- -]Attempt made to begin nested read-write transaction [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception [tomcat.tomcat] [admin@127.0.0.1] at com.q1labs.frameworks.session.SessionContext.beginTransaction(SessionContext.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java) |
30 August 2019 |
HIGH AVAILABILITY (HA) | IJ18607 | ADDING AN APPLIANCE INTO HIGH AVAILABILITY FAILS WHEN HOSTNAME ENDS WITH [.LOCALDOMAIN] | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Do not use appliance hostnames ending in .localdomain. See QRadar: Changing the network settings of managed hosts. Issue It has been identified that adding an appliance into High Availability (HA) fails when the appliance hostname ends in .localdomain. Messages similar to the following might be visible in the ha_setup.log file when this issue occurs: [HA Setup (S-M----)] [ERROR] Unexpected error. Failed to calculate maximum secondary size |
26 November 2020 |
AUTHENTICATION / HIGH AVAILABILITY (HA) | IJ18609 | ACTIVE DIRECTORY AUTHENTICATION LOGIN FAILS AFTER A FAILOVER TO HIGH AVAILABILITY SECONDARY CONSOLE | OPEN: Reported in QRadar 7.3.1 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that in some instances QRadar Active Directory authentication can fail after a failover to a high availability secondary console has occurred. In these specific instances of Active Directory failure to login, the /etc/krb5.conf file has been emptied out, and is a 0 byte file. |
30 August 2019 |
SCHEDULED SCANS | IJ18337 | QRADAR VULNERABILITY MANAGER (QVM) SCAN JOBS THAT USE ADVANCED RUN SCHEDULE OPTION FAIL TO RUN | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Edit the scan profile to use a daily, weekly, or monthly schedule. It has been identified that QRadar Vulnerability Manager scan jobs that use the advanced run schedule option fail to run. The NoSuchMethodError below shows q1labs_qvmworkflow.jar calling a UserManager method that the installed q1labs_core.jar does not provide. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] org.quartz.core.JobRunShell: [ERROR] Job qvmScheduling.113 threw an unhandled Exception: [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] java.lang.NoSuchMethodError: com/q1labs/core/shared/permissions/UserManager.getDeployedUserById(J)Lcom/q1labs/core/dao/permissions/light/User; (loaded from file:/opt/qradar/jars/q1labs_core.jar by sun.misc.Launcher$AppClassLoader@ccd55a90) called from class com.q1labs.qvm.workflow.processor.security.user.UserManagerUserLocator (loaded from file:/opt/qradar/jars/q1labs_qvmworkflow.jar by sun.misc.Launcher$AppClassLoader@ccd55a90). [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.processor.security.user.UserManagerUserLocator.getUserByUserId(UserManagerUserLocator.java:44) [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServiceImpl.setLastUserName(ScanProfileServiceImpl.java) [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.scheduler.ScheduleScan.executeInternal(ScheduleScan.java:50) [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:114) [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.quartz.core.JobRunShell.run(JobRunShell.java:206) [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java |
19 August 2019 |
BACKUP & RECOVERY | IJ14189 | DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) It has been identified that data backups can fail when a backend ps command hangs. QRadar notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd' [hostcontext.hostcontext] [Backup] java.lang.InterruptedException [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method) [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java:189) [hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(BackupUtils.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(BackupRecoveryEngine.java) [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.run(BackupRecoveryEngine.java) [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh /opt/qradar/bin/determine_partition.sh /store/backup/store/tmp/backup/determine_partition' if exists |
09 December 2019 |
DEPLOY CHANGES / LOG SOURCES | IJ17858 | AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED | OPEN: Reported in QRadar 7.3.2 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that QRadar deploys can fail or hang after the autoupdate-deploy-1607112703-00 script contained within AutoUpdate has been received and run. |
06 August 2019 |
AUTO UPDATE / PROXY | IJ17855 | AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Perform a manual "Deploy Changes" from the Admin tab after the weekly auto update has downloaded and installed. It has been identified that in QRadar environments where a proxy server is configured, AutoUpdates that have been downloaded and installed are not deployed to the Managed Hosts automatically. The user interface shows a message similar to "There are undeployed changes. Click 'Deploy Changes' to deploy them" until the deploy is run manually. |
26 July 2019 |
FLOWS / SERVICE | IJ17432 | HOSTCONTEXT CAN EXPERIENCE AN OUT OF MEMORY OCCURRENCE WHEN A VERY LARGE NUMBER OF FLOW SOURCES EXIST | OPEN: Reported in QRadar 7.3.1 Patch 8 Interim Fix 01 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that the hostcontext process can experience an out of memory occurrence in QRadar environments that have a very large number of flow sources (hundreds of thousands). NOTE: A Support ticket needs to be logged to confirm that the number of flow sources is the reason for the hostcontext out of memory occurrences. |
08 July 2019 |
BACKUP AND RECOVERY | IJ17414 | PERFORMING A CONFIGURATION RESTORE ON A CONSOLE THAT HAS A NEW IP ADDRESS CAN MODIFY SIMILAR IP ADDRESSES IN QRADAR CONFIG FILE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that when a config restore is performed on a QRadar Console that has had the IP address changed, similar IP addresses can sometimes be incorrectly modified in the configuration file "deployment.xml". Example scenario deployment:
Reported issues
|
24 May 2021 |
QRADAR VULNERABILITY INSIGHTS APP | IJ17410 | X-FORCE USER LIMITS EXCEEDED WHEN USING QRADAR VULNERABILITY INSIGHTS (QVI) APP | OPEN: Reported in QRadar 7.3.1 Patch 8 | No workaround available. It has been identified that when using the QRadar Vulnerability Insights application, the records limit of 5000 for the X-Force user can be exceeded. When this occurs, any new requests to X-Force fail. |
08 July 2019 |
HIGH AVAILABILITY (HA) | IJ17408 | ENABLING CROSSOVER ON HIGH AVAILABILITY PAIR CAN CAUSE NETWORK COMMUNICATION FAILURE ON THE PRIMARY NODE | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that in some instances enabling High Availability (HA) crossover caused network communication to fail on the primary HA node. This occurs if the HA crossover becomes set as the default route, disrupting expected network communications. |
24 May 2021 |
OFFENSES / PERFORMANCE | IJ17380 | ATTEMPTING TO OPEN AN OFFENSE CAN FAIL WHEN THERE ARE A LARGE NUMBER OF NETWORKS ASSOCIATED TO IT | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Where possible, modify the user needing access to the Offense to include administrator (Admin) permissions. Granting Admin to work around this bypasses the user's security profile restrictions entirely, so treat it as a temporary measure and remove it after upgrading to a fixed release. It has been identified that attempting to load an Offense can fail when the offense has a large number of networks associated with it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] Caused by: [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] java.lang.StackOverflowError [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at java.security.AccessController.doPrivileged(AccessController.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parseXMLClassAnnotations(AnnotationPersistenceXMLMetaDataParser.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parse(AnnotationPersistenceXMLMetaDataParser.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.PersistenceMetaDataFactory.loadXMLMetaData(PersistenceMetaDataFactory.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaDataInternal(MetaDataRepository.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaData(MetaDataRepository.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.exps.AbstractExpressionBuilder.traversePath(AbstractExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPath(JPQLExpressionBuilder.java:2000) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPathOrConstant(JPQLExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.eval(JPQLExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 |
08 July 2019 |
LICENSE / EVENT COLLECTOR | IJ17363 | QRADAR EVENT COLLECTOR APPLIANCE DOES NOT INHERIT THE LICENCE LIMITS FROM THE EVENT PROCESSOR AFTER THE IP ADDRESS HAS BEEN CHANGED | OPEN: Reported in QRadar 7.3.2 versions | Workaround
It has been identified that after an Event Processor (EP) has had the IP address changed, when an Event Collector (EC) is added to it, that EC does not inherit the license limits from the EP. |
08 July 2019 |
CUSTOM ACTION SCRIPTS | IJ17358 | CUSTOM ACTION SCRIPTS REFERENCING THE QRADAR CONSOLE HOSTNAME FAIL IN QRADAR 7.3.2 | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that Custom Action Scripts that reference the hostname of the QRadar Console, and that worked as expected in 7.3.1, fail in QRadar 7.3.2 versions. |
24 May 2021 |
OFFENSES | IJ17332 | OFFENSES FOR NON-ADMIN USER FAIL TO LOAD WHEN A SECURITY PROFILE HAS 'NO RESTRICTIONS' CONFIGURED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround In instances where possible, modify the user to be an admin user. Making a user Admin to work around this removes the security profile's data restrictions for that user, so limit it to the users who need it and revert it after upgrading. Issue It has been identified that Offenses fail to load for a non-admin user whose security profile has No Restrictions configured. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] Caused by: [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] java.lang.StackOverflowError [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at java.security.AccessController.doPrivileged(AccessController.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parseXMLClassAnnotations(AnnotationPersistenceXMLMetaDataParser.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parse(AnnotationPersistenceXMLMetaDataParser.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.PersistenceMetaDataFactory.loadXMLMetaData(PersistenceMetaDataFactory.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaDataInternal(MetaDataRepository.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaData(MetaDataRepository.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.exps.AbstractExpressionBuilder.traversePath(AbstractExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPath(JPQLExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPathOrConstant(JPQLExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.eval(JPQLExpressionBuilder.java) [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getValue(JPQLExpressionBuilder.java) |
08 July 2019 |
DISK UTILITIES | IJ17331 | DISKMAINTENANCE.PL SCRIPT DOES NOT HONOR FILES IN THE PATH_TO_KEEP DEFINED IN /OPT/QRADAR/CONF/DISKMAINTD.CONF | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that diskmaintd.pl deletes files that are older than 6 hours in paths identified in path_to_keep as defined in /opt/qradar/conf/diskmaintd.conf. |
08 July 2019 |
SERVER DISCOVERY | IJ17324 | DUPLICATE 'SERVER TYPE' CAN SOMETIMES BE DISPLAYED IN SERVER DISCOVERY DROP DOWN | OPEN: Reported in QRadar 7.3.2 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that duplicate entries in the 'Server Type' drop down in Asset -> Server Discovery can sometimes be observed. |
08 July 2019 |
RULES | IJ17309 | SOURCE IP OR DESTINATION IP FILTER IS NOT AN AVAILABLE TEST OPTION FOR 'COMMON' RULES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022) Workaround No workaround available. Issue It has been identified that Source IP and Destination IP filters are not available for Common Rules for "when the event matches this search filter" rule test, but is available as an option in Event Rule and Flow Rule. |
06 September 2022 |
PROTOCOL / DISCONNECTED LOG COLLECTOR (DLC) | IJ17308 | AUTOUPDATE DEPLOY SCRIPT PERFORMS A RESTART OF THE ECS-EC PROCESS WHEN IT IS SOMETIMES NOT REQUIRED | OPEN: Reported in QRadar 7.3.2 version using PROTOCOL-IBMQRadarDLC.7.3-2018121713325 | No workaround available. It has been identified that when the PROTOCOL-IBM-QRadarDLC is installed in a QRadar environment, a new autoupdate-deploy script is employed. That script, when run, has been found to perform ecs-ec process restarts in instances where the process restart is not required. |
04 July 2019 |
APP FRAMEWORK / APP INSTALL | IJ17231 | LARGER QRADAR APPS CAN FAIL TO INSTALL DUE TO A TIMEOUT VALUE BEING REACHED DURING THE INSTALLATION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Install the latest software version or contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade at this time. Issue It has been identified that in some instances, large QRadar Apps (for example, Pulse or UBA) can fail to install because a timeout value is reached during the installation process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Pulse App Error [tomcat.tomcat] [pool-1-thread-4] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask: [ERROR] [-/- -] An exception occurred while building app asynchronously. Triggering rollback. [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR] [-/- -]Install of app 1354 did not complete [tomcat.tomcat] [pool-1-thread-4] com.q1labs.uiframeworks.application.api.exception.AppDockerImageBuildException: An error occurred while building docker image. Task state is PROCESSING [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.uiframeworks.application.api.service.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java) [tomcat.tomcat] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812) [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR][-/- -]Failed to import content file [/store/tmp/cmt/out/Pulse_2/extension_zip.xml] [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [ERROR][-/- -]installing extension with id = 301 failed: An error occurred installing application. Please see error logs for details. [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: An error occurred installing application. Please see error logs for details. [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) UBA App Error [tomcat.tomcat] [pool-1-thread-9] com.q1labs.uiframeworks.application.api.exception.AppDockerImageBuildException: An error occurred while building docker image. Task state is PROCESSING [tomcat.tomcat] [pool-1-thread-9] at com.q1labs.uiframeworks.application.api.service.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java) [tomcat.tomcat] [pool-1-thread-9] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java) [tomcat.tomcat] [pool-1-thread-9] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java) [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.FutureTask.run(FutureTask.java) [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java) [tomcat.tomcat] [pool-1-thread-9] at java.lang.Thread.run(Thread.java) [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR][-/- -]Install of app 1602 did not complete [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR][-/- -]Failed to import content file [/store/tmp/cmt/out/User_Behavior_Analytics/ubaApp-3143-release-3.2.0-201903211320.xml] [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [ERROR][-/- -]installing extension with id = 551 failed: An error occurred installing application. Please see error logs for details. [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: An error occurred installing application. Please see error logs for details. [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java) [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java) |
26 June 2019 |
DISK SPACE / EVENT QUEUE | IJ17202 | /STORE/PERSISTENT_QUEUE CAN RUN OUT OF DISK SPACE DUE TO ECS AND EC-INGRESS SPILLOVER QUEUE CONFIGURATION | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Install the latest software version or contact Support for a possible workaround that might address this issue if you are unable to upgrade at this time. It has been identified that /store/persistent_queue/ can run out of free space due to the configuration of the tuning parameters for the event queues:
|
25 June 2019 |
PROTOCOL / UDP MULTILINE SYSLOG | IJ17839 | 'LISTEN PORT MUST BE AN INTEGER BETWEEN 1 AND 65535' MESSAGE WHEN CONFIGURING PORT 514 FOR UDP MULTILINE PROTOCOL LOG SOURCES | CLOSED | An updated version of the UDP Multiline Syslog protocol has been published to IBM Fix Central to resolve this issue: PROTOCOL-UDPMultilineSyslog-7.3-20190412134523 Administrators who have QRadar weekly auto updates enabled will receive this RPM file during the next weekly update. Users experiencing this issue can also download the RPM and install it manually on the QRadar Console appliance using: yum -y install {rpmname}. Issue: It has been identified that when editing a Log Source that uses the UDP Multiline Syslog protocol, QRadar can generate an error when the user attempts to assign a listen port value of 514. The error is similar to the following: Listen port must be an integer between 1 and 65535. Port 514 is the default Syslog listener port in QRadar, so the protocol cannot bind it, and the error shown when a user tries to assign port 514 should say so more clearly. The message is benign; users need to select a different port for the UDP Multiline Syslog protocol. The protocol update provides a clearer error message for a port that is already in use, such as: There is already a listener using that port. |
26 July 2019 |
API / PERFORMANCE | IJ17016 | QRADAR INCIDENT FORENSICS RECOVERY HANGS WITH 'RUNNING' STATUS | OPEN: Reported in QRadar Packet Capture 7.3.2 versions | No workaround available. It has been identified that in some instances, a timeout occurs with Incident Forensics in the backend while attempting to retrieve required PCAP data. When this issue occurs a Forensics Recovery can hang in 'Running' status. |
05 July 2019 |
RULES / FLOWS | IJ16995 | REFERENCE SET RULE TEST DOES NOT WORK AS EXPECTED WITH SUPERFLOWS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Issue It has been identified that Reference Set rule tests only use the first IP reflected in a Superflow. Example with having 2 rules:
|
26 November 2020 |
SCANNERS | IJ16994 | VA SCANNER STAYS AT 'PENDING' STATE WHEN ATTEMPTING TO START IT FROM A FLOW COLLECTOR APPLIANCE | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. Issue It has been identified that flow collectors are listed in the QRadar User Interface options for configuring a VA scanner, but attempting to start a scanner from a flow collector does not work as expected, and the scanner stays at 'Pending' state. When attempting to start the vis service on a flow collector, a command line error similar to the following is returned: "Job for vis.service failed because the control process exited with error code. See "systemctl status vis.service" and "journalctl -xe" for details." Flow collectors do not have VIS components enabled and should not have been available to select when configuring a scanner. |
2 February 2022 |
DNS SETTINGS | IJ16968 | DNS SETTINGS MODIFIED ON AN EVENT COLLECTOR APPLIANCE (15XX) DO NOT PERSIST AFTER THE APPLIANCE REBOOTS | CLOSED | Closed as an invalid issue. Direct edits to resolv.conf on Event Collector appliances are not supported and do not persist after a reboot. To change DNS settings, administrators must remove the Event Collector from the deployment (unmanage it) and use qchange_netsetup to update the settings. It has been identified that DNS settings modified directly on Event Collector appliances (15xx) do not persist after the appliance reboots. Invalid issues are not publicly visible, so the link to the APAR has been removed and the row is left in the table for reference purposes. |
05 July 2019 |
AQL / X-FORCE | IJ16967 | ADVANCED SEARCH (AQL) USING XFORCE_IP_CONFIDENCE FUNCTION DOES NOT WORK AS EXPECTED WHEN RUN USING LOCALES OTHER THAN ENGLISH (UNITED STATES) | OPEN: Reported in QRadar 7.3.2 versions | Workaround Click the user icon in the top right hand corner of the UI, then go to User preferences -> locale. Change this to English (United States). Refresh your browser and confirm the functions work as expected. Issue It has been identified that using the XFORCE_IP_CONFIDENCE function does not work as expected in an Advanced Search (AQL) when QRadar is configured to use a locale other than English (United States). |
05 July 2019 |
INSTALL / QRADAR PACKET CAPTURE | IJ16966 | QRADAR PACKET CAPTURE: /ROOT/RESET_INTERFACES.SH SCRIPT ON PCAP APPLIANCES DOES NOT WORK AS EXPECTED | OPEN: Reported in QRadar Network Packet Capture 7.3.2 Patch 1 | Contact Support for a possible workaround that might address this issue in some instances. The /root/Reset_Interfaces.sh script on PCAP appliances was introduced to correct issues that incorrect udev naming can sometimes cause. It has been observed that the script does not perform all expected tasks but does complete, then prompts for a reboot. |
05 July 2019 |
DASHBOARDS | IJ16962 | UNABLE TO ADD THE 'EVENTS BY SEVERITY' DASHBOARD INTO THE QRADAR USER INTERFACE | OPEN: Reported in QRadar 7.3.2 versions | No workaround available. It has been identified that attempting to add the 'Events by Severity' dashboard into the QRadar User Interface (UI) fails and does not provide any error or feedback in the UI. |
26 June 2019 |
SIMULATION / QRADAR RISK MANAGER (QRM) | IJ16947 | WHEN 'USE CONNECTION DATA' IS CONFIGURED THE SIMULATION DOES NOT COMPLETE AND GENERATES AN ILLEGALARGUMENTEXCEPTION | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Do not use the selection 'Use Connection Data' in the simulation. It has been identified that a Risk Manager simulation can fail to complete when 'Use Connection Data' is selected. The Configuration Monitor screen displays "No Results" in the Results column. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] com.q1labs.simulator.simulation.SimulationRunner: [ERROR] [-/- -]Error executing simulation 10001:Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator) [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] java.lang.IllegalArgumentException: Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator) [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] at com.q1labs.simulator.topology.MultiRange.__createFromPoints(MultiRange.java:723) [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] at com.q1labs.simulator.topology.MultiRange.createFromPoints(MultiRange.java:682) [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] at com.q1labs.simulator.iag.impl.InferredAccessGraph$ArcProcessor.getPortResults(InferredAccessGraph.java:1151) [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] at com.q1labs.simulator.iag.impl.InferredAccessGraph.findReachable(InferredAccessGraph.java:1231) |
17 June 2019 |
INSTALL / QRADAR NETWORK INSIGHTS | IJ18213 | QRADAR NETWORK INSIGHTS 1920 INSTALL MENU DOES NOT DISPLAY THE OPTION FOR A QNI 6200 APPLIANCE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround Review IBM QRadar Network Insights: Install Menu does not Display a Select Option for QNI 6200 Appliances (APAR IJ18213) for additional installation instructions. Issue It has been identified that the QRadar Network Insights (QNI) install menu on a fresh install of QRadar 7.3.2 patch 2 displays the options for a 6000 and 6100 appliance type, but not a QNI 6200 appliance. If you continue to experience issues, Contact Support for additional assistance. |
16 August 2019 |
SCANNER / TENABLE | IJ17829 | TENABLE SECURITY SCANNER IMPORT FAILS DUE TO CHANGES IN THE ALLOWED CIPHER SUITES ON THE TENABLE SERVER | CLOSED | The fix for this issue is released in the following RPM package update: VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm. This update will be delivered in the next QRadar weekly auto update, but is available on IBM Fix Central now. Administrators who require an immediate resolution to this issue should ensure they have installed the latest version of the VIS-TenableSecurityCenter rpm file on their Console from IBM Fix Central using the command: yum -y install 7.3.0-QRADAR-VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm Issue: It has been identified that Tenable Security scan imports can fail. This is caused by changes in the list of allowed Cipher Suites on the Tenable Server. |
22 August 2019 |
AUTHENTICATION / USER ROLES | IJ16851 | USER LOGIN FAILURE AFTER DELETING A QRADAR USER ROLE OR SECURITY PROFILE WHEN LDAP GROUP AUTH IS ACTIVE | OPEN: Reported in QRadar 7.3.2 versions | Workaround: From the Admin tab > Authentication window, open each affected LDAP Repository for editing, and immediately save. A Deploy Changes is required for the change to take effect. It has been identified that user login failures can occur after a QRadar user role or security profile is deleted while LDAP group authorization is active. |
14 June 2019 |
SYSTEM SETTINGS / DEPLOY CHANGES | IJ18436 | UNABLE TO SAVE CHANGES MADE TO QRADAR SYSTEM SETTINGS AND 'INTERNAL ERROR: SAVE FAILED" MESSAGE IS DISPLAYED | CLOSED | This auto update script issue was addressed in the following RPM release on IBM Fix Central: DSM-ArborNetworksPravail-7.3-20190822144538 Administrators who have QRadar weekly auto updates enabled will receive this RPM file during the next weekly update. Users experiencing this issue can also download the RPM and install it manually on the QRadar Console appliance using: yum -y install {rpmname}. Issue: It has been identified that an Auto Update action script can change the ownership of nva.conf in the staging directory to root during a Deploy function. When ownership of nva.conf is changed, administrators can experience a user interface issue when they attempt to save changes made to some parameters in System Settings. The QRadar User Interface can fail to save System Settings with the error message: 'Internal Error: save failed'. Administrators can confirm the cause with ls -l /store/configservices/staging/globalconfig/nva.conf; a root owner on that file is the symptom described here. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: Unable to write system settings: java.io.IOException: Failed to write nva.conf/store/configservices/staging/globalconfig/nva.conf (Permission denied) |
26 August 2019 |
FLOWS / DEPLOY CHANGES | IJ16823 | UNABLE TO CONFIGURE DTLS FOR QRADAR NETWORK INSIGHTS (QNI) FLOW CONFIGURATION WHEN FLOW SOURCE IS FROM THE CONSOLE | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249) Workaround From a command line interface (SSH), connect to the QRadar Console appliance as the root user and type the following command: chown -R nobody:nobody /opt/qradar/conf/dtls After you have set the ownership, you can successfully complete a Deploy Changes from the Admin tab. Issue It has been identified that attempting to enable DTLS on the QRadar Network Insights (QNI) flow configuration can cause the required Deploy Changes to fail when the flow source is from the Console appliance. Administrators can attempt to verify this issue by changing the Console's default netflow to use a Linking Protocol = DTLS. For example:
|
08 July 2019 |
UPGRADE | IJ16821 | QRADAR PATCH FAILS TO COMPLETE SUCCESSFULLY WHEN A HTTP_PROXY ENVIRONMENT VARIABLE IS CONFIGURED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Prior to attempting the QRadar patching process, unset the environment variable http_proxy before running the patch. Ensure that it is not being set in the root user's profile when logging in. If a QRadar patch has already failed, roll back the patch to the prior 7.3.x version, unset http_proxy, and re-run the patch. Issue It has been identified that QRadar patching can fail to complete successfully when there is an http_proxy configured in /etc/environment. Messages similar to the following might be visible when this issue occurs: [WARN](patchmode) time="2019-03-07T22:20:47+04:00" level=fatal msg="Error checking for blob sha256:fbbe1dc3535f2e4cfd3606016df4b075ae74e3bf39f8490cdbc073d93 at destination: pinging docker registry returned: Get https://xxxxxxxxxxx.localdeployment:5000/v2/:Forbidden" [DEBUG](patchmode) WARN: Failed to deliver images to the registry [DEBUG](patchmode) ERROR: Failed to push images to the registry. |
26 November 2020 |
RULES / RULE TEST | IJ16820 | RULE CONDITION 'WHEN THE EVENT MATCHES DESTINATION GEOGRAPHIC COUNTRY/REGION' IS NOT WORKING CORRECTLY FOR TURKEY | OPEN: Reported in QRadar 7.3.2 Patch 1 | No workaround available. It has been identified that the Rule Condition when the event matches Destination Geographic Country/Region is not working correctly for the country of Turkey. This can cause unexpected rule responses and/or Offense behavior. For example: When events have a Destination IP address within Turkey, the events match rules that include the rule condition: when the event matches Destination Geographic Country/Region is not Turkey. |
14 June 2019 |
LOG SOURCE MANAGEMENT APP | IJ17859 | USING THE 'DON'T SHOW ME AGAIN' BUTTON ON THE LOG SOURCE MANAGEMENT APP BANNER DOES NOT WORK AS EXPECTED | CLOSED | Closed as a suggestion for future release. It has been identified that the "Don't Show Me Again" button that can be displayed on a Log Source Management (LSM) app banner message does not work as expected. The banner message that was selected for 'Don't Show Me Again' is displayed when the web browser used for the QRadar user interface is restarted. |
16 August 2019 |
HIGH AVAILABILITY (HA) / EVENT COLLECTOR | IJ16785 | POSTGRESQL DATABASE ON QRADAR COLLECTOR APPLIANCE (15XX) CAN BE OUT OF SYNC ON STANDBY APPLIANCE CAUSING ISSUES AFTER FAILOVER | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that after a failover occurs from an active to a standby Event Collector appliance (15XX), the QRadar postgresql database can be out of sync in some instances and requests a FULL replication transaction. This can lead to various issues within QRadar occurring after an appliance failover, such as an incorrect EPS license setting for ecs-ec-ingress, incorrect Log Source configurations, or missing routing rules. |
14 June 2019 |
API | IJ16784 | RESTAPI WITH BASIC AUTHENTICATION CAN FAIL TO GET USER CAPABILITIES WHEN USING LDAP AUTH 'LOCAL AUTHORIZATION' | OPEN: Reported in QRadar 7.3.1 Patch 3 | No workaround available. It has been identified that using RESTAPI to get endpoint resources with basic authentication fails to get user capabilities when using LDAP authentication with local authorization. A message similar to the following is returned: {"http_response":{"code":403,"message":"Your account is not authorized to access the requested resource"},"code":26, "description":"","details":{},"message": "User has insufficient capabilities to access this endpoint resource"} Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false [tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false |
14 June 2019 |
OFFENSES | IJ16742 | OFFENSES CAN FAIL TO BE UPDATED AFTER A CONSOLE APPLIANCE REBOOT | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Perform a Soft Clean SIM. See the following documentation for steps and results of performing a Soft Clean SIM, Cleaning the SIM data model. Issue It has been identified that in some instances, Offenses can fail to update after a Console appliance reboot has occurred (controlled or uncontrolled) due to a required file becoming corrupted and deleted. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR] [-/- -] Error reading file /store/mpc/core/ CounterProcessor/dormant-handles-index.ser, deleting it... [ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream $PeekInputStream.readFully(ObjectInputStream.java) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream .readShort(ObjectInputStream.java) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:812) [ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR][-/- -]Error reading file /store/mpc/core/ CounterProcessor/active-handles-index.ser, deleting it... [ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$PeekInputStream.readFully (ObjectInputStream.java) [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream. readShort(ObjectInputStream.java) |
14 June 2019 |
RULES / FLOW DIRECTION | IJ16741 | RULES DEPENDENT UPON FLOW DIRECTION CAN FIRE UNEXPECTEDLY DUE TO QRADAR NETWORK INSIGHTS (QNI) LOGGING REVERSED FLOW DIRECTION | OPEN: Reported in QRadar 7.3.2 versions | No workaround available. It has been identified that in instances of Content Flow generated by QRadar Network Insights, reversed flow direction with 0 byte payload lengths is observed, i.e. the flow direction is from server to client, when the server should be the destination, but the flow shows the server as the source. When this occurs, rules dependent on flow direction can fire in instances where they should not have. |
08 July 2019 |
AUTHENTICATION / ACTIVE DIRECTORY (AD) | IJ16739 | ACTIVE DIRECTORY REPOSITORY SETUP PAGE FIELD NAME 'LOGIN DN' CAN CAUSE CONFUSION AS TO ITS PROPER USE | OPEN: Reported in QRadar 7.3.2 versions | Workaround: Use a Windows account name (also known as sAMAccountName) in the 'Login DN' field. It has been identified that on the Admin > Authentication > Active Directory setup page, the field 'Login DN' can be confused as to its proper usage (connection testing). When setting up an Active Directory repository, entering a full Distinguished Name (DN) in the 'Login DN' field causes the test connection to fail. Both the 'Login DN' field and the associated password field are directly tied to the 'Test connection' button and are not used at any other time. |
14 June 2019 |
QRADAR VULNERABILITY MANAGER | IJ16670 | 'CRITICAL' IS NOT AN OPTION IN RISK LIST OF VULNERABILITY MANAGER'S 'REMEDIATION TIMES' WINDOW | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue It has been identified that the use of 'Critical' is inconsistent within the QRadar Vulnerability Manager user interface windows and options. For example: 'Critical' is not listed on the 'Remediation Times' window in Vulnerability Manager. |
24 May 2021 |
POLICY MONITOR / QRADAR RISK MANAGER | IJ16610 | QRADAR RISK MANAGER (QRM) POLICY QUESTION DOES NOT RETURN ALL MATCHING RULES FOR CONDITION SPECIFIED | OPEN: Reported in QRadar 7.3.1 Patch 6 | No workaround available. It has been identified that a Risk Manager Policy Monitor question with a return type of Device/Rules and a condition "allow connections to the following IP addresses" does not find a rule that should match this condition if the rule uses an object group to reference the IP addresses. |
18 June 2019 |
RISK FACTOR / QRADAR VULNERABILITY MANAGER | IJ16594 | ASSET PROFILER EXCEPTION CAUSED BY NEW 'CRITICAL RISK FACTOR' CLASSIFICATION IN QRADAR VULNERABILITY MANAGER (QVM) | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that the new PCI Severity and Risk Factor classification 'Critical' causes the asset profiler to throw an Invalid RiskFactor Exception in QRadar logging when a vulnerability is assigned a Critical Risk Factor. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-6] com.q1labs.assetprofile. api.vulninstance.common.VulninstancesAPITask: [ERROR][-/- -]An unhandled exception was thrown during the execution of task: 258 [tomcat.tomcat] [pool-1-thread-6] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical [tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName (RiskFactorDTO.java) [tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapte r.doConvert(R1_2017VulnInstanceDTOAdapter.java) |
07 June 2019 |
FLOWS / FLOW SOURCE ALIAS | IJ18233 | A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED | OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that a manually added or edited Flow Source alias does not work as expected. When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue is occurring. |
19 August 2019 |
DOMAIN MANAGEMENT | IJ18345 | LOG SOURCES WITHIN A LOG SOURCE GROUP DO NOT INHERIT DOMAIN MEMBERSHIP WHEN THE LOG SOURCE GROUP IS ADDED TO A DOMAIN | CLOSED | Resolved in: QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) QRadar 7.3.2 (7.3.2.20190201201121) Workaround: From the Admin tab, open the Domain Management interface to select the Log Sources you would like to add, then manually add the log sources. It has been identified that adding Log Source Groups to a Domain does not cause the log sources contained inside the Log Source Group or its Sub Groups to inherit that Domain membership, even if the Log Source is not within another Domain. |
15 August 2019 |
SECURITY BULLETIN | | APACHE TOMCAT AS USED IN IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) |
15 August 2019 |
BACKUP / RECOVERY | IJ18357 | CHANGE TO FILE PERMISSION ON GEOLITE2-CITY.MMDB CAN OCCUR AFTER A CONFIG RESTORE AND DEPLOY IS SUCCESSFULLY PERFORMED | OPEN: Reported in QRadar 7.3.2 Patch 4 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that in some instances, the file permissions for /store/configservices/deployed/globalconfig/GeoLite2-City.mmdb can be changed from "nobody nobody" to "root root" after a successful Configuration Restore and a Deploy Changes has been performed. When this issue occurs, permission errors can be observed in the logs when users attempt to save changes from the Admin > System Settings window in QRadar. Messages similar to the following might be visible in /var/log/qradar.log: [tomcat.tomcat][LocationUtils_Timer] com.q1labs.core.shared.location.LocationUtils: [ERROR][-/- -]Error occurred while reloading the LocationUtils database [tomcat.tomcat] [LocationUtils_Timer] java.io.IOException: Destination '/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb' exists but is read-only [tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io. FileUtils.copyFile(FileUtils.java) [tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io. FileUtils.copyFile(FileUtils.java) [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared. location.LocationUtils.getCorrectCurrentGeoLiteFile(LocationUtils.java) [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location. LocationUtils.reload(LocationUtils.java) [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location. LocationUtils$LocationUtilsReloadTask.run(LocationUtils.java) [tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.mainLoop(Timer.java) [tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.run(Timer.java) |
15 August 2019 |
SCAN RESULTS | IJ16518 | QRADAR VULNERABILITY MANAGER (QVM) SCAN RESULT RECORDS LISTED IN THE USER INTERFACE ARE NEVER PURGED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that vulnerability scan result records that are listed in the User Interface continue to be displayed after the 'Purge Scan Results After Period' setting purges the backend data. |
31 May 2019 |
OFFENSES | IJ16941 | OFFENSES CAN FAIL TO GENERATE WHEN EXPECTED, WHEN SPILLOVER FROM MEMORY TO DISK DURING CACHING OCCURS | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that Offenses can be slow to generate or fail to generate when expected when QRadar experiences a cache spillover from memory to disk. Messages similar to the following might be visible in /var/log/qradar.log when this specific issue occurs: [ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]TargetIPtoID is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 7.0 [ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]LightTarget is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 6.0 |
19 June 2019 |
DEPLOY CHANGES | IJ00025 | DEPLOY FUNCTION CAN SOMETIMES FAIL DUE TO TUNNELS NOT STARTING CORRECTLY WHEN ENCRYPTION IS ENABLED | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Note: This issue was previously closed in 7.3.2 Fix Pack 4, but reopened and resolved in QRadar 7.4.3. Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that on encrypted managed hosts with QRadar 7.3.0.x versions that the generate_tunnel_environment.sh script can sometimes fail to start tunnels correctly. When this occurs, there is no connectivity between QRadar Managed Hosts and the Console causing deploys and all traffic between the Console and the encrypted Managed Hosts to fail. |
24 May 2021 |
CUSTOM PROPERTIES / PARSE IN ADVANCE | IJ16411 | QRADAR DEPENDENCY CHECKER CAN FAIL WHEN USERS WITH NO LOCALE CONFIGURED ATTEMPTS TO MODIFY A CUSTOM EVENT PROPERTY | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) Workaround: Have the user configure a user locale and retry the "un-select" for the Custom Event Property. It has been identified that the QRadar dependency checker can launch when "Parse in advance for rules, reports and searches' check box is cleared from the Property Definition section in the user interface and can generate an error message "1.Found Custom Rules: 0" or "2. Error occured while finding Ariel Indexing". This issue can occur in cases where the QRadar user who created the custom property has no locale configured. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [tomcat.tomcat] [pool-1-thread-10] com.q1labs.core.shared.datadeletion.task.FindDependentsTask: [ERROR][-/- -]Error trying to find Dependents for id: [347902bb-f6c0-4b07-9791-f3a8b0a94f17], and type: EVENT_REGEX_PROPERTY_DEPENDENCY [tomcat.tomcat] [pool-1-thread-10] java.lang.NullPointerException [tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.(Locale.java) [tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.(Locale.java) [tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.g etArielIndexingByPropertyId(CustomPropertyDependency.java) [tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.g etUsage(CustomPropertyDependency.java) |
28 May 2019 |
FLOWS / SIGNATURES | IJ17359 | MANUAL CHANGES MADE TO SIGNATURES.XML ARE OVERWRITTEN DURING AN AUTOUPDATE FUNCTION | CLOSED | Closed as a documentation issue. Users who include custom signature values for source and destination ports to identify flow traffic should ensure that they have a signature ID (sigid) defined in their signatures.xml file to prevent the auto update from discarding the change. Customers can use a sigid value of 3000 or above to denote custom changes to the signatures.xml file. Including the sigid value will prevent xmldiff from merging signatures.xml changes with the autoupdate version of the signatures.xml file when updates occur. For an example of including new source and destination ports for signature detection, see this technical note: QRadar: Detecting SMB1 & SMBv2 Traffic with QFlow (Updated) Issue: It has been identified that when manual changes are made to signatures.xml using the Technote-documented methods to preserve the changes, an AutoUpdate function overwrites the manual changes anyway. |
09 August 2019 |
REPORTS | IJ16290 | A REPORT RUN ON RAW DATA CAN FAIL WITH 'STRING INCOMPATIBLE WITH COM.Q1LABS.FRAMEWORKS.NIO.COMPOSITEKEY' IN LOGGING | OPEN: Reported in multiple QRadar versions | No workaround available. It has been identified that performing a 'Run Report on RAW data' can fail and output an error to /var/log/qradar.log similar to the following: [report_runner] [main] com.q1labs.cve.aggregation. props.AggregatedRecordKeyProperty: [ERROR][-/- -]About to cast key = IPADDRESS.hostname.lab:ecs-ec/EC/Processor2 to CompositeKey [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey [report_runner] [main] java.lang.ClassCastException: java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey [report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.cre ateKey(AggregatedRecordKeyProperty.java) [report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.cre ateKey(AggregatedRecordKeyProperty.java) [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getObject(CVEResultSet.java) [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java) [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java) [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChar t.java) [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java) [report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java) [report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java) [report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java) [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielCha rt.java) [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java) [report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java) [report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java) [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java) [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java) |
15 May 2019 |
RULES / NETWORK HIERARCHY | IJ16173 | IPV6 NETWORK HIERARCHY GENERATES A NULLPOINTEREXCEPTION WHEN A RULE IS BASED OFF A NETWORK DEFINED IN REMOTENET.CONF | OPEN: Reported in QRadar 7.3.2 | No workaround available. It has been identified that an IPv6 Network Hierarchy can sometimes throw NullPointerException errors in QRadar logging when a rule is based off a network defined in remotenet.conf. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [0]] com.q1labs.semsources.cre.CustomRule: [ERROR][-/- -]Exception in rule 1496 - Connection to a Remote Proxy or Anonymization Service (Outbound): null [ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NullPointerException [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkViewAny.match(NetworkViewAny.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView.testAny(NetworkView.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.gen.NetworkView_AnyAny.test(Netw orkView_AnyAny.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView_Test.test(NetworkVie w_Test.java:56) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.gen.TestExecutor_0_4.test(TestExecutor _0_4.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomR uleSetExecutor.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleS etExecutor.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInProper tyMode(LocalRuleExecutor.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRu leExecutor.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomR uleEngine.java) [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java) |
15 May 2019 |
UPGRADE | IJ16080 | PATCHING QRADAR PACKET CAPTURE TO 7.3.1B322 CAN FAIL TO MOUNT /DEV/SDB1 PARTITION AFTER REBOOT | OPEN: Reported in QRadar Packet Capture 7.3.1b322 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that after patching QRadar Packet Capture appliance to 7.3.1b322, the /dev/sdb1 partition does not mount after reboot. |
16 May 2019 |
DATABASE / DATA | IJ16063 | QRADAR PACKET CAPTURE APPLIANCE NOT STORING NETWORK DATA AS EXPECTED DUE TO MONGODB PROCESS FAILURE | OPEN: Reported in QRadar Packet Capture 7.3.1b322 | No workaround available. It has been identified that in some instances a PCAP appliance appears to be storing network data, but any attempt to do a PCAP search (natively or as a Forensics Recovery) shows 0 results. The required mongod process can coredump and sometimes fails to restart due to a pid/lock file issue. Messages similar to the following might be visible in /var/log/messages when this particular issue occurs: abrt[5377]: Saved core dump of pid 5277 (/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod) to /var/spool/abrt/ccpp-2019-02-28-16:28:41-5277 (215597056 bytes) abrtd: Directory 'ccpp-2019-02-28-16:28:41-5277' creation detected abrtd: Executable '/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod' doesn't belong to any package and ProcessUnpackaged is set to 'no' abrtd: 'post-create' on'/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277' exited with 1 abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277' |
16 May 2019 |
LICENSE | IJ16043 | PCAP LICENSE REPORTS AS "EVALUATION" ON INSTALLATIONS OF VERSION 730B307+ THAT ARE PATCHED UP TO 731B322 | OPEN: Reported in QRadar Packet Capture 7.3.1b322 | No workaround available. It has been identified that when a valid PCAP license is applied to PCAP version 730b307+ that has been patched up to 731b322, the license that was displaying as "permanent" at the earlier version changes to displaying as "evaluation". |
16 May 2019 |
PCAP EXPORT / PERMISSIONS | IJ16042 | QRADAR INCIDENT FORENSICS USER WITH SYSTEM ADMIN ROLE THAT IS NOT THE 'ADMIN' USER CANNOT PERFORM DOWNLOAD OF A PCAP FROM THE USER INTERFACE | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) Workaround: Create another user without "System Admin" role. Login with the newly created user to complete the recovery and download the pcap file. It has been identified that a QRadar user that has the "System Admin" role but is not the user "admin" cannot successfully perform a PCAP download. A message similar to the following is displayed when the download is attempted: Error "Failed to load resource; the server responded with a status of 400 (Bad Request)" or "...404 (Not Found)". |
24 May 2019 |
DOMAINS / MULTITENANCY | IJ16001 | INCONSISTENT BEHAVIOR IN DOMAIN ENVIRONMENTS WITH HOW DISPATCHED EVENTS AND OFFENSES ARE OCCURRING | CLOSED | Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) It has been identified that in a domain environment, there is an inconsistency in how dispatched events and offenses are tagged and handled. For example:
|
19 August 2019 |
TOPOLOGY / RISK MANAGER | IJ15529 | DISPLAY OF THE TOPOLOGY SCREEN IS ALWAYS BASED ON ADMIN USER SET | OPEN: Reported in QRadar Risk Manager (QRM) 7.3.1 versions | No workaround available. It has been identified that when the Topology screen is selected, the displayed topology is based on the topology properties that are set by the admin user. Another user can edit and save the properties, but the displayed topology continues to use the admin user properties. |
18 April 2019 |
VULNERABILITY SCAN IMPORT / SERVICE | IJ15513 | IMQ PROCESS CAN GO OUT OF MEMORY WHEN IMPORTING A LARGE AMOUNT OF SCAN RESULTS | OPEN: Reported in multiple QRadar versions | No workaround available. It has been identified that importing a large amount of scan results can sometimes cause the imq process on a QRadar Console to experience an Out of Memory occurrence. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: tomcat[31977]: 05-Feb-2019 10:58:40.758 WARNING [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtExcept ion [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677) [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.q1labs.rpcservices.VisServices: [ERROR][-/- -]Failed to post jms message [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677) [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.throwServerError Exception(ProtocolHandler.java:4093) [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessagePro ducer(ProtocolHandler.java:1353) [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessagePro ducer(ProtocolHandler.java:1247) [tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessagePro ducer(ProtocolHandler.java:1241) |
23 April 2019 |
REPORTS / AQL | IJ15497 | FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME' INSTEAD OF THE EXPECTED HOSTNAME | OPEN: Reported in QRadar 7.3.1 versions | No workaround available. It has been identified that the output in a report graph is ordered by event count instead of date as in the AQL that is used in the report. For example:
|
26 April 2019 |
DEVICE SUPPORT MODULE (DSM) | IJ15445 | CISCO ASA EVENTS CAN BE MISIDENTIFIED AS A POSSIBLE SECURITY INCIDENT DUE TO FLIPPED SOURCE AND DESTINATION IP | OPEN: Reported in DSM-CiscoFirewallDevices-7.3-20181220154136.noarch | No workaround available. It has been identified that Cisco ASA 'Teardown TCP Connection' events are being misinterpreted as a potential security incident because the source and destination IP addresses are being flipped by QRadar. This issue can cause Rules/Offenses to be incorrectly fired/generated. |
31 July 2019 |
DATA NODE | IJ15414 | OUT OF MEMORY OCCURRENCES ON DATANODE APPLIANCES CAN BE EXPERIENCED DUE TO DEFAULT JVM SETTINGS BEING USED | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that Data Node appliances can be using default JVM memory settings instead of the QRadar tuned settings. When this issue occurs, "Out of Memory" errors can sometimes be experienced on affected Data Node appliances. |
13 May 2019 |
QRADAR VULNERABILITY MANAGER / ASSETS | IJ15360 | ASSET VIEW DISPLAYS DIFFERENT VULNERABILITY COUNT VS THE ASSET SUMMARY VIEW WHEN QVM EXCEPTION VULNERABILITIES IS USED | OPEN: Reported in QRadar 7.3.1 Patch 7 and 7.3.2 Patch 1 | No workaround available. It has been identified that the Asset View screen displays a different Vulnerability count compared to the Asset Summary view Screen when QVM exception vulnerabilities is used. Details:
|
11 April 2019 |
REPORTS | IJ15337 | 'APPLICATION ERROR: AN ERROR HAS OCCURRED' WHEN OPENING AN EMAIL LINK TO DOWNLOAD AN EXPORTED REPORT | CLOSED | Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) Workaround: When you receive the email, navigate to /store/exports on the QRadar Console and copy the file directly from the directory. It has been identified that a message similar to "Application Error: an error has occurred." can be generated when clicking on an email link to an exported report. For example:
|
26 April 2019 |
API / OFFENSES | IJ15331 | QRADAR OFFENSE API INEFFICIENCIES CAN CAUSE HIGHER THAN EXPECTED APPLIANCE SYSTEM LOAD | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) Workaround No workaround available. Issue It has been identified that inefficiencies in how the QRadar Offense API endpoint (/api/siem/offenses) processes security permissions can cause higher than expected CPU usage and processing time. | 26 April 2019 |
HIGH AVAILABILITY (HA) | IJ15328 | HIGH AVAILABILITY APPLIANCE SHOWS AS FAILED STATE WHEN /TMP PARTITION AT 100% USAGE CAUSES CONF FILE TRUNCATION | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that a High Availability (HA) appliance can display in a failed state due to the /tmp partition filling to 100% usage. When this 100% /tmp usage situation occurs, the drbd.conf and ha.conf files, needed for proper HA functionality, can become truncated. | 26 November 2020 |
OFFENSES / ANOMALY RULE | IJ15298 | ANOMALY DETECTION ENGINE (ADE) RULES FIRE 2 OFFENSES INSTEAD OF 1 WHEN DEFAULT RULE RESPONSES ARE CONFIGURED | OPEN: Reported in QRadar 7.3.2 | No workaround available. It has been identified that enabled Anomaly Detection Engine (ADE) rules that are configured with the default Rule Response settings can generate two offenses instead of one when the rule fires. For example, when this issue occurs users might see the following: | 11 April 2019 |
WINCOLLECT | IJ15297 | MANAGED WINCOLLECT AGENTS DO NOT RECEIVE CONFIG UPDATES WHEN USING 'ENCRYPT HOST CONNECTIONS' IN CONSOLE SETTINGS | OPEN: Reported in WinCollect 7.2.8 Patch 2 (7.2.8-145) | No workaround available. It has been identified that Managed WinCollect agents do not receive Config Updates if "Encrypt Host Connections" is selected under the "Console" appliance settings (System and License Management). NOTE: "Encrypt Host Connections" has no benefit when this check box is selected on the QRadar Console appliance. This setting is specific to non-Console / managed host appliances and enables SSH tunnels for communication to managed hosts for data requested by the Console. | 10 May 2019 |
RULES / RULE WIZARD | IJ15295 | CUSTOM/AQL ARITHMETIC PROPERTY IS NOT AVAILABLE TO SELECT IN THE RULE STACK TEST PAGE WHEN CREATING AN ANOMALY RULE IN THE RULE WIZARD | OPEN: Reported in QRadar 7.3.1 Patch 7 | No workaround available. It has been identified that the sum of two fields is not populated for the "Accumulated property" on the Anomaly Rule Wizard > Rule Test Stack Editor page, and the message "There are parameters in the test stack which have not been specified" is displayed. To reproduce or verify this issue, see the procedure below. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (5048) /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.sem.ui.util.RuleConditionUtils: [WARN] [-/- -]No lookup results found for user selection(s) SUM(SubtractDouble(SourceBytes, SourcePackets)) for method com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields | 09 April 2019 |
WINCOLLECT | IJ15236 | CYRILLIC TEXT IS DECODED INCORRECTLY WHEN WINCOLLECT FILE FORWARDING FILE CONTENT USES WINDOWS-1251 FORMATTING | CLOSED | Closed as unreproducible in next release. Upon further investigation of this issue as reported in WinCollect 7.2.2-2, the functionality works in newer versions of WinCollect. WinCollect 7.2.9 was used to verify that the reported Cyrillic text issue could not be reproduced. When configuring the File Forwarder plugin on WinCollect, switch the File Reader Encoding setting to use UTF8 (no conversion). The result was that the Cyrillic characters were displayed in the payload on QRadar. | 26 July 2019 |
ASSETS | IJ15215 | ASSET SAVED SEARCH CRITERIA THAT IS CONFIGURED AS DEFAULT CHANGES ON SUBSEQUENT RESULT PAGES | CLOSED | Resolved in QRadar 7.5.0 Update Pack 4 (7.5.0.20221129155237) Workaround No workaround available. Issue It has been identified that asset saved search criteria that were set as default return to the original default values when viewing subsequent result pages (for example, page 2). | 13 December 2022 |
HIGH AVAILABILITY (HA) | IJ15214 | HIGH AVAILABILITY FAILOVER CAN DISPLAY A GENERIC MESSAGE 'ERROR: COULDN'T UPDATE ROUTING TABLE' | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Administrators must upgrade to resolve this software issue. Issue It has been identified that a required script fails at start_routing during a High Availability failover due to missing or incorrect network configuration file content. A generic message similar to the following is displayed: ERROR: Couldn't update routing table. | 26 November 2020 |
PROTOCOLS | IJ15213 | AUTOMATIC CERTIFICATE DOWNLOADER USES TLS 1.0 BY DEFAULT AND FAILS WHEN VENDOR HAS DISABLED TLS 1.0 | OPEN: Reported as a Protocol Common RPM issue | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that the automatic certificate downloader attempts to communicate using TLS 1.0 by default. This fails when TLS 1.0 is disabled at the receiving end from which the certificate is obtained. Using Netskope as an example, the failure is displayed in /var/log/qradar.log as follows: [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]Unable to download certificate chain from [example.goskope.com:443] [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]An error occured when trying to configure a source connection for provider class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254 [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] java.lang.Exception: Server [[example.goskope.com:443] presented no certificate chain! [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.getCertificate(CertificateDownloader.java) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.checkCerts(NetskopeActiveRESTAPIProvider.java) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.preExecuteConfigure(NetskopeActiveRESTAPIProvider.java:53) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179) [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPISource: [ERROR][-/--] There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254'. | 27 May 2019 |
AUTO UPDATE | IJ14781 | AUTOUPDATE PROXY SETTING PASSWORD CONTAINING A ' # ' (POUND) OR ' ? ' (QUESTION MARK) SYMBOL BREAKS THE PROXY CALL | OPEN: Reported in multiple QRadar versions | Workaround No workaround available. Issue It has been identified that when the AutoUpdate proxy password contains either a # (pound) or ? (question mark) symbol, it breaks the proxy call and can result in the password being displayed in autoupdate logs. | 02 April 2019 |
UPGRADE / PRETEST | IJ14475 | QRADAR PATCH HANGS WHEN ONE OR MORE HOSTS IN THE DEPLOYMENT ARE UNREACHABLE | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) Issue It has been identified that during a QRadar patch, the patch can hang for a longer than expected period of time when one or more Managed Hosts in the Deployment are not reachable via SSH (network issue, powered off, etc.). When this issue occurs, the following error message can be displayed: Patch Report for {ApplianceIP}, appliance type: 3199 Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh) {Hostname} : patch test failed. | 28 May 2019 |
SEARCH / SERVICES | IJ14442 | ARIEL PROXY OUT OF MEMORY OCCURRENCES CAN BE OBSERVED WHEN LARGE SEARCHES WITH AGGREGATIONS ARE PERFORMED | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. Issue It has been identified that the ariel proxy service can experience Out of Memory occurrences when large searches are performed that include data aggregations (many columns, custom properties, etc.). When 'Out of Memory' occurrences are experienced with the ariel proxy service, java heap dumps (/store/jheap) can be examined by QRadar Support to identify whether these types of searches are the cause. | 01 May 2019 |
LICENSE | IJ14252 | LARGE FLOW LICENSE CAN BE APPLIED TO QRADAR BUT ANY LICENSE AMOUNT OVER 1.2 MILLION FPM IS NOT HONORED BY QRADAR | CLOSED | Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) Workaround No workaround available. Issue It has been identified that applying flow licensing of larger than 1.2 million flows per minute (FPM) is not honored by QRadar. The system is capped at the 1.2 million FPM amount. | 29 August 2020 |
DISK SPACE | IJ14139 | LOGROTATE CAN FAIL TO RUN WHEN PARTITION IS FULL AND "ALERT EXITED ABNORMALLY WITH [1]" IN /VAR/LOG/MESSAGES | CLOSED | Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) Issue It has been identified that logrotate can create a zero-byte file when the partition has filled, after which subsequent logrotate runs fail. When this occurs, monitored partitions containing logs are more vulnerable to being filled. IMPORTANT: When disk usage of a monitored partition reaches 95%, QRadar data collection and search processes are shut down to protect the file system from reaching 100%. Messages similar to the following might be visible in /var/log/messages when this issue occurs: Feb 22 14:06:48 ip-191-172 logrotate: ALERT exited abnormally with [1] | 16 May 2019 |
VULNERABILITY SCAN / SCAN TOOLS | IJ14136 | VULNERABILITY MANAGER SCANS DO NOT RESPECT CONFIGURED OPERATIONAL WINDOWS | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that QRadar Vulnerability Manager (QVM) scan tools that are launched within an operational window can continue to run beyond the end of the operational window. | 27 February 2019 |
OKTA REST API PROTOCOL | IJ13746 | INCONSISTENT USER INTERFACE STATUS MESSAGES AND ISSUE WITH AUTO ACQUIRE CERTIFICATE USING THE OKTA RESTAPI PROTOCOL | OPEN: Reported in QRadar 7.3.1 versions | It has been identified that inconsistent and confusing status messages can sometimes be generated when using the Okta RESTAPI Protocol, along with functionality issues with the Auto Acquire Certificate option in the user interface. | 26 February 2019 |
| IJ13589 | SETTING A LARGE 'MAX EMAIL ATTACHMENT SIZE' CAN PREVENT POSTFIX FROM STARTING | OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions | Workaround: Lower the "Max Email Attachment Size" limit in the QRadar User Interface: Admin tab > System Settings. It has been identified that setting "Max Email Attachment Size" in QRadar System Settings to a large number can prevent postfix from being started. Postfix has mailbox_size_limit and message_size_limit configuration properties, and a large attachment size can raise message_size_limit above mailbox_size_limit. Messages similar to the following might be visible in maillog when this issue occurs: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit | 15 May 2019 |
AUTHENTICATION / LDAP | IJ13588 | LDAP GROUP BASED AUTHENTICATION: 'SORRY, AN ERROR OCCURRED' WHEN A SECURITY PROFILE OR USER ROLE HAS AN '&' IN THE NAME | OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions | Workaround: Change the name of the user role or security profile to use "and" instead of the '&' (ampersand) symbol. It has been identified that when user roles or security profiles have an '&' (ampersand) in their name (for example, R&D or Systems & Networking) and LDAP-based authentication is then configured, those security profiles or user roles are not visible, nor are any others that come after them. | 15 May 2019 |
HIGH AVAILABILITY (HA) | IJ13486 | REMOVE HA (HIGH AVAILABILITY) PROCESS CAN FAIL WHILE PERFORMING A PID CHECK ON THE HA_SETUP SCRIPT | OPEN: Reported in QRadar 7.3.1 Patch 6 | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that attempting to perform a Remove HA (High Availability) from within the QRadar User Interface can sometimes fail when performing a PID check on the ha_setup script. This has been observed when a Deploy function is in progress while the Remove HA is performed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [hostcontext.hostcontext] [Thread-1885552] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream ha_setup.sh: Jan 29 10:35:10: [HA Setup (S-M----)] [ERROR] Another instance of the HA setup script is already running. [hostcontext.hostcontext] [xxxxx-xxxx-xxxx-xxx-xxxxxxx/SequentialEventDispatcher] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to REMOVED_FAILED | 15 May 2019 |
SCAN / CENTRALIZED CREDENTIALS | IJ13412 | WARNING ICON DISPLAYED NEXT TO A SCAN RESULT WHEN SNMP COMMUNITY STRING IS DEFINED IN CENTRALIZED CREDENTIALS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround Use the Additional Credentials tab rather than Centralized Credentials. Issue It has been identified that when an SNMP community string is used for scans via Centralized Credentials, an error (yellow warning triangle icon) is displayed next to the scan results. The results can differ from those obtained with the SNMP community string set in the Additional Credentials tab when creating a Scan Profile. | 24 May 2021 |
HIGH AVAILABILITY (HA) | IJ13410 | HIGH AVAILABILITY SECONDARY APPLIANCE DEPLOY CAN FAIL WITH 'ANOTHER INSTANCE OF THE HA SETUP SCRIPT IS ALREADY RUNNING' | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Issue It has been identified that when multiple deploys occur to a QRadar High Availability (HA) Secondary appliance (can sometimes happen with Autoupdate), a message similar to "Another instance of the HA setup script is already running. Skipping HA deploy operation." and a /opt/qradar/ha/.local_ha_failed token can be generated. When this situation occurs, the HA Secondary appliance can become unresponsive. | 24 May 2021 |
LICENSE | IJ13319 | LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Issue It has been identified that the EPS rate for a host can display as "N/A" in the License Pool Management window when the host has an EPS or FPS rate of "0". | 24 May 2021 |
UPGRADE / HIGH AVAILABILITY (HA) | IJ13316 | OFFENSE INDEXING ON A CUSTOM EVENT PROPERTY (CEP) THAT HAS A UTF 0X00 (NULL) VALUE CAN CAUSE OFFENSES TO STOP GENERATING | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428) QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343) QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround NOTE: Performing a Soft Clean closes all offenses, but does not remove them from the system. Issue It has been identified that offense generation in QRadar can stop when offenses are being indexed on a Custom Event Property (CEP) that has a UTF 0x00 (null) value. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Saving TX 0000035761 0.02MB [ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Harvested 34 commands in 0:00:00.174 [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Processing TX 0000035761 (1/1) 0.02MB [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [-/- -]Exception encounted when executing transaction 35761. [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.PersistenceException: Failed to persist sem model [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] Caused by: [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00 | 20 March 2019 |
QUICK FILTER / QVM | IJ13234 | QUICK SEARCH MENU BAR IN QRADAR VULNERABILITY MANAGEMENT (QVM) WINDOW DOES NOT EXIST FOR QRADAR LDAP USERS | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Use a QRadar created user instead of an LDAP one. Optionally, administrators can install QRadar 7.4.2 as this upgrade resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that the Quick Search menu does not exist in the Vulnerability Management windows of the QRadar user interface for users created from LDAP authentication. | 26 November 2020 |
REPORTS | IJ12888 | REPORTS FAIL TO GENERATE AFTER A CONSOLE MIGRATION HAS BEEN PERFORMED | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that after a console migration, Reports can sometimes fail to generate with an error message similar to the following in /var/log/qradar.log: [reporting_executor.reporting_executor] [Report Queue] com.q1labs.reporting.ReportServices: [ERROR][-/- -]"Lock to templates folder is acquired by another process, skipping templates reload." | 28 January 2019 |
RULES | IJ12545 | "BB:CATEGORYDEFINITION: AUTHENTICATION FAILURES" IS SOMETIMES NOT DISPLAYED IN THE RULE WIZARD | CLOSED | Closed as suggestion for future release. No workaround available as this issue cannot be reproduced. It has been identified that in some instances, the building block "BB:CategoryDefinition: Authentication Failures" is displayed in the list of available building blocks on the Rules page, but is not displayed as an available option in the QRadar Rules wizard. | 26 February 2021 |
SYSTEM NOTIFICATIONS | IJ13237 | SAR SENTINEL THRESHOLD CROSSED SYSTEM NOTIFICATION FOR DROPPED PACKETS CAN BE CAUSED BY RHEL7 PACKET HANDLING/REPORTING | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Disable the "Dropped Receive Packets" notification from Admin -> Global System Notifications. This has most often been observed in environments using bonded interfaces. For more information, see: https://access.redhat.com/solutions/2073223. It has been identified that messages similar to the following can sometimes be generated in QRadar due to RHEL7 packet drop reporting/handling methods: [hostcontext.hostcontext] [Thread-255] com.q1labs.hostcontext.sar.SarSentinel: [WARN] [NOT:0150124100][127.0.0.1/- -] [-/- -]Dropped receive packets on interface eno1 has an average of 47.7 over the past 5 intervals, and has exceeded the configured threshold of 1.0. To resolve: If your system continues to exhibit this behavior, please contact Customer Support. | 13 May 2019 |
OFFENSES | IJ12521 | SELECTING 'SHOW INACTIVE CATEGORIES' WHEN VIEWING OFFENSE 'BY CATEGORY' DISPLAYS RESULTS AS "NONE" OR "0" | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that selecting 'Show Inactive Categories' in the Offense view 'By Category' displays either "None" or "0" for results. For example: | 28 January 2019 |
SERVICE / EVENT COLLECTORS | IJ18032 | EC CAN FAIL TO PROCESS/PARSE EVENTS AFTER PATCHING TO 7.3.2 P3 IF YOU HAVE PRE-EXISTING ROUTING RULES CONFIGURED | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) It has been identified that after patching to QRadar 7.3.2 Patch 3, events received by QRadar collector appliances can fail to be processed/parsed when an event forwarder or routing rule has been configured in QRadar. In these instances, the events are successfully received by the collector in the ecs-ec-ingress process, but are not sent to the ecs-ec process for parsing. IMPORTANT UPDATE TO IJ18032: The threadtop command can be run from the command line prompt on a QRadar Event Collector appliance: /opt/qradar/support/threadTop.sh -p 7777 -e "ECS Runtime" -s -n 20 The following output from the threadtop command identifies that the QRadar Event Collector appliance is affected: System Time: 31/07/2019 at 14:49:55.637 "ECS Runtime Thread" Id=67 in TIMED_WAITING (running in native) at java.lang.Thread.sleep(Native Method) at java.lang.Thread.sleep(Thread.java:942) at com.q1labs.core.shared.ariel.ArielSearchLite.waitForArielClient(ArielSearchLite.java) at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java) at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java) at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java) at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java) at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.setQueryFilter(SelectiveForwardingSetCache.java) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.loadSearchForm(SelectiveForwardingSetCache.java) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.initializeSetCache(SelectiveForwardingSetCache.java) - locked java.lang.Object@35323b09 at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.onInit(SelectiveForwardingSetCache.java) at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java) at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java) - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java) at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.getInstance(SelectiveForwardingSetCache.java) - locked java.lang.Object@d1bed3f at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicator.onInit(SelectiveForwardingCommunicator.java) at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java) at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java) - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java) | 31 July 2019 |
RULES | IJ17939 | RULE TEST 'WHEN ANY OF THESE EVENT PROPERTIES ARE CONTAINED IN ANY OF THESE REFERENCE SET(S)' CAN PRODUCE FALSE POSITIVE/NEGATIVE | CLOSED | Closed as suggestion for future release. It has been identified that QRadar does not enforce proper validation for the 'when any of these event properties are contained in any of these reference set(s)' Custom Rule Engine (CRE) test. This issue can cause false positive or false negative rule results. Validation fields: - Custom Properties can include alphanumeric, numeric, IP, port, or DateTime values - Reference sets can include alphanumeric, case insensitive alphanumeric, numeric, IP, or port values. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.semsources.cre.CustomRule: [ERROR][127.0.0.1/- -] Exception in test: Failed to test [ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.jstl.base.exceptions.TestFailedException: Failed to test [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.gen.TestExecutor_1_6.test(TestExecutor_1_6.java) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java) [ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: CUSTOM_PROPERTY_VALUE [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.parseIPAddress(Host.java:207) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.fromString(Host.java:56) [ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.types.HostKeySerializer.keyFromString(HostKeySerializer.java:52) [ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: java.lang.NumberFormatException: For input string: "CUSTOM_PROPERTY_VALUE" [ecs-ep.ecs-ep] [CRE Processor [5]] at java.lang.NumberFormatException.forInputString(NumberFormatException.java) | 30 July 2019 |
CHECK POINT SMS HTTPS ADAPTER | IJ16155 | CHECK POINT HTTPS ADAPTER DOES NOT CLOSE THE API SESSION AFTER A BACKUP COMPLETES | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that the Check Point HTTPS adapter does not close the API session after a backup. When this occurs, sessions persist in the Check Point Smart Console user interface Sessions screen. | 15 May 2019 |
CHECK POINT SMS HTTPS ADAPTER | IJ13247 | CHECK POINT HTTPS DEVICE CAN FAIL TO BACKUP WHEN INTERFACES HAVE NO IP ADDRESS | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that a Check Point HTTPS device backup fails if the device has interfaces without an IP address. The Device Backup log contains the error message: Error backing up device [Failed to parse interfaces for device [null] FAILED : Failed to backup device The Backup Error Detail contains the error message: Status:PARSE_WARNING | 11 February 2019 |
F5 BIG-IP ADAPTER | IJ10820 | RISK MANAGER BACKUP FAILS FOR F5 ADAPTER WHEN THERE IS A LARGE LIST OF HOTFIXES | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that the backup function for an F5 adapter can fail when there is a large list of hotfixes and a subsequent timeout occurs: 2018-10-24 15:07:19 [ZipTie::SSH] ERROR: UNEXPECTED_RESPONSE encountered on the device '127.0.0.1' 2018-10-24 15:07:19 [ZipTie::SSH] [RESPONSE FROM THE DEVICE] 2018-10-24 15:07:19 [ZipTie::SSH] Timed-out after 300 seconds (Started waiting at: Wed Oct 24 15:02:16 2018 -- Ended waiting at: Wed Oct 24 15:07:17 2018 -- Command took 301 seconds) while waiting to match the regular expression ' | 31 October 2018 |
JUNIPER JUNOS ADAPTER | IJ12258 | JUNIPER JUNOS BACKUP FAILS WHEN USING BORDER GATEWAY PROTOCOL (BGP) | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that a Juniper JUNOS device backup can time out if the device uses Border Gateway Protocol (BGP) and a large number of BGP routes are present. | 21 December 2018 |
CISCO IOS ADAPTER | IJ10888 | BACKUP OF AN IOS DEVICE CAN FAIL WITH 'JAVA.LANG.EXCEPTION: NOT A HASH REFERENCE...' ERROR | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that the backup of an IOS device can fail with a "java.lang.Exception: Not a HASH reference at Parsers.pm line ..." error similar to the following: java.lang.Exception: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453. at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) at org.ziptie.server.dispatcher.Operation.execute(Operation.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java) Caused by: javax.xml.ws.soap.SOAPFaultException: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453. at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java) at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java) | 31 October 2018 |
CISCO IOS ADAPTER | IJ15701 | BACKUP OF CISCO IOS DEVICE CAN FAIL WITH ERROR: "CAN'T USE STRING ("0") AS AN ARRAY REF WHILE 'STRICT REFS' IN USE" | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that backup of Cisco IOS devices can fail with the error message: Can't use string ("0") as an ARRAY ref while "strict refs" in use. This occurs when a NAT source list references an Access Control List that does not exist. For example: java.lang.Exception: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236. at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) at org.ziptie.server.dispatcher.Operation.execute(Operation.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java) Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236 | 25 April 2019 |
CISCO IOS ADAPTER | IJ15703 | CISCO IOS DEVICE BACKUP CAN TIMEOUT WHEN THE DEVICE USES BGP AND A LARGE NUMBER OF BGP ROUTES ARE PRESENT | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that a Cisco IOS device backup can time out if the device uses BGP and a large number of BGP routes are present. | 25 April 2019 |
CHECK POINT SMS HTTPS ADAPTER | IJ15495 | BACKUP OF CHECK POINT HTTPS DEVICE CAN FAIL WITH MESSAGE 'CAN'T USE AN UNDEFINED VALUE AS AN ARRAY REFERENCE' | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that a Check Point HTTPS device backup can fail with an error similar to: java.lang.Exception: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138. at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) at org.ziptie.server.dispatcher.Operation.execute(Operation.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java) at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java) Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138. at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java) at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java) at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java) at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java) at com.sun.proxy.$Proxy83.backup(Unknown Source) at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java) at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java) | 16 April 2019 |
CHECK POINT SMS HTTPS ADAPTER | IJ13701 | CHECK POINT CLUSTERXL DEVICE IS UNABLE TO BACKUP SUCCESSFULLY WHEN IT HAS NO CLUSTER IP CONFIGURED | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified in QRadar Risk Manager that a Check Point ClusterXL device discovered from Check Point SMS with the Check Point HTTPS adapter fails to back up when running against a cluster IP that is not assigned to a valid interface. | 21 February 2019 |
JUNIPER JUNOS ADAPTER | IJ10745 | JUNOS DEVICES WITH DHCP CONFIGURED DO NOT SUCCESSFULLY MERGE INTO THE RISK MANAGER TOPOLOGY | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. It has been identified that Juniper JUNOS devices with DHCP configured interfaces do not merge into the Risk Manager topology successfully. When this occurs the logs contain "PARSE_WARNING / No interfaces with assigned IP addresses were found". | 24 October 2018 |
CHECK POINT SMS HTTPS ADAPTER | IJ13703 | CHECK POINT HTTPS ADAPTER UNABLE TO BACKUP A DEVICE WITHOUT SUPER USER PERMISSIONS | CLOSED | Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central. To read adapter installation documentation, see: Installing Adapters. Workaround: Assign the user to the Super User permissions profile to complete a device configuration backup. It has been identified that the Check Point HTTPS adapter in QRadar Risk Manager will fail to back up a device if the SMS is running R80.10 or greater and the user's permissions profile is not Super User. | 27 February 2019 |
SEARCH | IJ07013 | COMPLETED SCANS OF ASSETS WITHIN QRADAR CAN AFFECT QRADAR'S SEARCH RESULTS OF THOSE ASSETS | OPEN: Reported in multiple QRadar versions | No workaround available. It has been identified that after assets have been scanned, subsequent searches of those assets can return incorrect/unexpected results. Pre-conditions: A discovery, full, patch and web scan have been run against the same target (asset) and the Assets tab has been populated. Example of steps that replicate this issue Results | 12 June 2018 |
ADVANCED SEARCH (AQL) | IJ16182 | AN ADVANCED SEARCH (AQL) CONTAINING 'LOGSOURCETYPENAME' CALLED ON AN INVALID LOGSOURCEID CREATES REPEATED LOGGING ERRORS | CLOSED | Workaround: The function accepts devicetype as a parameter, so use LOGSOURCETYPENAME(devicetype) in your AQL query. NOTE: This APAR has been flagged as closed/cancelled as there is a workaround to resolve this issue. It has been identified that if an Advanced Search (AQL) uses the function LOGSOURCETYPENAME() and is called with an invalid parameter (logsourceid), it should return "{unknown:no sensor device type xxxx}" instead of throwing an error for each event. For example: "SELECT UTF8(payload) as RawLog FROM events WHERE LOGSOURCETYPENAME(logsourceid) IMATCHES 'Cisco adaptive security appliance.*?' LAST 3 DAYS" Repeated errors for "Error fetching name of sensor device type for id XXX" are logged in /var/log/qradar.error and qradar.log. This behavior can potentially cause /var/log to fill quickly. | 16 May 2019 |
QRADAR DEPLOYMENT INTELLIGENCE (QDI) | IJ15357 | QDI APP CAN REPORT INCORRECT STATE OF QVM SCANNERS | CLOSED | This APAR has been closed as it will deprecate with the QVM internal scanning end of support. The end of support for the QVM scanner is scheduled for the second quarter of 2023 and will result in all related issues being closed due to deprecation. Please feel welcome to reach out to your support representative if you have any further questions. It has been identified that in some instances, the QRadar Deployment Intelligence (QDI) App can report the incorrect state of QRadar Vulnerability Manager (QVM) Scanners. | 15 April 2019 |
DEPLOYMENT VIEW | IJ15210 | QRADAR NETWORK INSIGHTS COMPONENTS CAN BE MISSING CONNECTION ARROWS TO ITS FLOW PROCESSOR COMPONENT | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround No workaround available. Issue It has been identified that when viewing a QRadar Network Insights (QNI) appliance in the Deployment View, the connection arrow is missing from the QNI appliance to the corresponding Flow Processor. | 2 February 2022 |
OPERATIONS APP | IJ14479 | OPERATIONS APP ERROR "FAILED TO LOAD THE FOLLOWING DATA" FOR EVENT AND FLOW GRAPH | CLOSED | No workaround available. Closed as Permanent restriction. It has been identified that in some instances the Event and Flow graph can display an error similar to: "Failed to load the following data EPS". Subsequent attempts to reload the data on the graph area can sometimes correct this issue. See the full APAR text for workaround information. | 15 May 2019 |
SMB FLOW INSPECTOR | IJ13359 | QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY SMB INSPECTOR | OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 | No workaround available. It has been identified that the SMB inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running. | 28 May 2019 |
HTTP FLOW INSPECTOR | IJ13358 | QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY HTTP INSPECTOR | OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 | No workaround available. It has been identified that the HTTP inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running. | 28 May 2019 |
SEARCH / USER INTERFACE | IJ13245 | UNABLE TO SAVE A SEARCH AFTER A SAVE WAS ATTEMPTED WITH A BLANK NAME FIELD ON THE LOG ACTIVITY PAGE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Close the dialog box and click on "Save Criteria" again. Issue It has been identified that saving a search with a name is not immediately possible if the "Save" button has been clicked with a blank name field first. For example: | 26 November 2020 |
AUDIT EVENTS | IJ13147 | NOT ALL APPLIANCE LOGIN ATTEMPTS ARE LOGGED/AUDITED THE SAME WAY WITHIN QRADAR | OPEN: Reported as an issue in QRadar 7.3.1 Patch 5 | Not all login attempts (success or failure) into a QRadar appliance are logged the same way into the QRadar User Interface when logging in using SSH or by using the IMM. For example: | 13 May 2019 |
ACCESS / AD AUTHENTICATION | IJ17937 | LOGIN ACCESS TO QRADAR CAN BE RESTRICTED FROM LDAP/AD ENVIRONMENTS DUE TO DIFFERENCES IN DOMAIN REALMS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) Workaround To work around this authentication issue, administrators can open the Admin tab, click the Authentication icon and edit the Domain input field in the Active Directory Authentication Module to use upper case letters. Issue It has been identified that LDAP user authentication for logging in to QRadar can fail after performing an update to QRadar 7.3.2 Patch 3 due to changes in how QRadar handles AD authentication when the domain name of QRadar does not match the domain name of the Active Directory (AD) server. This login issue can occur when a realm uses a domain that differs from the domain of the QRadar host. The Key Distribution Center (KDC) in QRadar complains that the client name does not match. This can occur when more than one entry exists in the [realms] section of the /opt/qradar/conf/kb5.conf file. | 30 July 2019 |
LOG MESSAGES | IJ12221 | ARIELUTILS.JAVA REPEATEDLY WRITING UNNECESSARILY TO LOG FILES IN /VAR/LOG/ | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround This logging can be disabled using mod_log4j.pl via SSH to the Console: Issue It has been identified that ArielUtils.java can repeatedly write unnecessarily to /var/log/qradar.error and qradar.log with messages similar to the following: [ecs-ep.ecs-ep][xxxxxxx-xxxx/SequentialEventDispatcher] com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException: No property 'Account Locked Out Security ID' exists in set: ACF2 rule key APIContextPath APIMethod... | 09 January 2019 |
DEPLOY CHANGES | IJ15655 | DEPLOY FUNCTION CAN TIMEOUT WHEN OLDER .JAR FILES ARE BEING CLEANED UP IN SOME DIRECTORIES | CLOSED | This issue was addressed in the following JDBC RPM Releases: It has been identified that in some instances, older .jar files can be referenced when left behind in some QRadar appliance directories. When cleanup of these old jars occurs, the Deploy function can sometimes time out. To resolve this issue, QRadar administrators can run an auto update from Admin > Auto Update > Get updates now or review the latest available versions from IBM Fix Central to install on your QRadar Console using yum -y install {rpmname}. | 09 January 2019 |
USER INTERFACE / RULES | IJ12219 | "PARSE ERROR ...SYNTAXERROR: UNTERMINATED STRING LITERAL" WHEN LOADING RULE GROUPS IN THE LOG ACTIVITY TAB | OPEN: Reported in QRadar 7.3.0 Patch 6 and later | No workaround available. It has been identified that when using the Log Activity tab, adding the filter "Custom Rule equals <a rule group>" can cause a parse error in the user interface, and a message similar to the following can sometimes be generated: Parse Error The following error occurred while parsing the server response: {0} SyntaxError: unterminated string literal | 09 January 2019 |
DEVICE SUPPORT MODULE (DSM) | IJ12129 | EVENTID=4776 DOES NOT UPDATE THE CORRECT ASSET WITH THE IDENTITY INFORMATION CONTAINED IN THE EVENT | OPEN: Reported in QRadar 7.3.1 versions | It has been identified that the Windows DSM with Windows EventID=4776 does not update the correct Asset with the identity information contained within the event. OriginatingComputer is being used instead of the Source Workstation. Using the OriginatingComputer data to populate the Asset is incorrect, as the usernames associated with the Source Workstation's Asset are the ones that need to be updated. Workaround | 13 May 2019 |
DISK SPACE / HA SECONDARY | IJ11396 | THE / PARTITION ON A HIGH AVAILABILITY (HA) SECONDARY APPLIANCE CAN HAVE RESIDUAL DOCKER FILES CAUSING DISK SPACE ISSUES | OPEN: Reported in QRadar 7.3.0 and QRadar 7.3.1 versions | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that after performing an upgrade to 7.3.x, the / partition on a High Availability (HA) Secondary appliance can retain old docker files in the store directory, using multiple GB of space on the / partition. This can sometimes cause the disk usage threshold to be exceeded on the appliance. An outage on failover to the Secondary can occur if disk usage exceeds the threshold of 95%. | 31 December 2018 |
ASSETS | IJ09055 | INCORRECT RESULTS DISPLAYED WHEN ADDING THE ASSET FILTER "OPEN SERVICE 'DOES NOT EQUAL' " | CLOSED | Closed as Permanent restriction. No workaround available. It has been identified that incorrect results are displayed when applying the 'Assets with open service': 'Does not equal' filter value from the Assets tab. Expected behavior: The 'Does not Equal to' comparison for Assets with open services does not return values that are outside the filter parameter. | 16 October 2018 |
BACKUP / RECOVERY | IJ07678 | AUTHENTICATION TOKENS CAN STOP WORKING AS EXPECTED AFTER A USER'S CONFIG RESTORE HAS BEEN COMPLETED | OPEN: Reported in QRadar 7.2.8 and later | Contact Support for a possible workaround that might address this issue in some instances. It has been identified that after performing a QRadar 'users configuration' config restore, some managed hosts and/or Apps with authentication or services that use authentication tokens can stop working as expected. For example, Deploys fail to some Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log during a configuration restore when this issue occurs: [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Completed extraction of files [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable read user session file | 19 July 2018 |
DEVICE SUPPORT MODULE (DSM) | IJ07034 | CISCO FIRESIGHT MANAGEMENT CENTER LOG SOURCES CAN SHOW IN ERROR STATE WHILE WORKING AS EXPECTED | OPEN: Reported in QRadar 7.3.0 Patch 5 and later | No workaround available. It has been identified that Cisco FireSIGHT Management Center log sources can sometimes display in error state while they are working as expected. There is an issue with clearing the error state of log sources that are using the CiscoFirepowerEstreamer protocol. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.connection.EstreamerExtendedRequestConnection: [ERROR] null [ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.exception.EstreamerVersionSupportException [ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.RNADataBlockFactory.createDataBlock(RNADataBlockFactory.java:38) [ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.UserAddScanResultRecord.read(UserAddScanResultRecord.java:25) [ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.IRNADataBlock: [ERROR] [127.0.0.1/- -] Encountered an Access Control Policy Rule ID Metadata Block (data block type: 15) with an empty body | 22 June 2018 |
ADVANCED SEARCH (AQL) | IJ06594 | 'SOURCEASSETNAME' ATTEMPTS TO USE A DEPRECATED ARIEL FUNCTION | OPEN: Reported in QRadar 7.3.0 Patch 5 and later | It has been identified that the "Source Asset Name" property used within QRadar attempts to use a deprecated ariel function and fails upon its use. An Advanced Search (AQL) query trying to use sourceAssetName(ip) returns the error message No function matches the given name: 'sourceassetname' in catalog 'events' when trying to use this query: select sourceAssetName(sourceIP) from events Workaround: From the example above, the advanced query should be modified to use 'assetHostName(sourceIP)'. For example: select assetHostName(sourceIP) from events | 24 May 2018 |
SYSTEM NOTIFICATIONS / NETWORK ADDRESS TRANSLATION (NAT) | IV96407 | SYSTEM NOTIFICATION 'PROCESS MONITOR: APPLICATION HAS FAILED TO START UP MULTIPLE TIMES' AFTER REMOVING NAT FROM MANAGED HOST | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue After removing NAT from an encrypted Managed Host, QRadar System Notifications might be generated that a process could not start. The message is similar to "Process Monitor: Application has failed to start up multiple times.". The process being referenced is a tunnel pointing to the old NAT IP address. NOTE: The QRadar identifier (QID) for the 'Process Monitor Application has failed' system notification is 38750043. Users or administrators can search for this QID to quickly locate a history of these notifications in QRadar and view the RAW payloads to see what process is reported. | 02 July 2019 |
OFFENSES / ASSET USERNAME | IJ01985 | SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED | OPEN | No workaround available. It has been identified that in some instances, residual identity data associated with an Asset can be left in the QRadar database after the Asset is updated. When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses. An example of this issue: View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username, that username does not correlate to the detected offense; it is based on what is known about the asset. This displayed information does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, on the right choose Event/Flow count -> X events; the next pop-up displays the captured details. | 23 March 2018 |
DASHBOARD | IJ17814 | 'BLOCKING DOES NOT RESOLVE TO A SAVED SEARCH OR A KNOWN ARIEL QUERY HANDLE (AS EXPECTED)' MESSAGES IN QRADAR LOGGING | OPEN: Reported in QRadar 7.3.1 Patch 6 and later | No workaround available. It has been identified that when a User Interface dashboard loads with a graph item configured with the Time Range as "Last Interval (auto refresh)", there are messages generated in QRadar logging (/var/log/qradar.log and /var/log/qradar.error) similar to the following: [tomcat.tomcat] [admin@127.0.0.1 (5771) /console/JSON-RPC/QRadar.updateResultsetGraphWidget QRadar.updateResultsetGraphWidget] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId b4e2994e-8c2a-4c77-81e7-ecd143737c28-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected). [tomcat.tomcat] [127.0.0.1admin@127.0.0.1 (5775) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId 2963d217-dd34-4427-bf0a-ddc69ce9da6a-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected). | 24 July 2019 |
ROUTING RULES | IJ12885 | ARIEL_TAGGED_FIELDS, ALONG WITH AQL AND QRADAR NETWORK INSIGHTS (QNI) CUSTOM PROPERTIES CANNOT BE USED IN JSON FORWARDING PROFILES | CLOSED | Closed as suggestion. It has been identified that AQL custom properties (in domain management) along with ariel_tagged_fields and QNI custom properties cannot be used in JSON forwarding profiles. A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. | 18 January 2019 |
ROUTING RULES | IV94377 | EVENTS IN A TENANT DO NOT GET FORWARDED TO A FORWARDING DESTINATION | CLOSED | Closed as suggestion for future release. It has been observed that attempting to configure events in a tenant to forward to a forwarding destination does not work. Steps that reproduce this behavior: | 19 July 2019 |
APPS | IJ17793 | QRADAR APPS CAN STOP RUNNING ON AN APP HOST AFTER IT IS SETUP WITH HIGH AVAILABILITY (HA) | OPEN | Contact Support for a possible workaround that might address this issue in some instances. | 28 May 2019 |
DATA NODES | IJ04179 | DATA NODE REBALANCING CAN SOMETIMES CREATE AN UNBALANCED CLUSTER WHEN WITHIN 5% OF BEING IN BALANCE | CLOSED | Closed as a suggestion for a future release. It has been identified that Data Node rebalancing can sometimes create an unbalanced cluster under certain conditions. This has been observed primarily in instances where the data "source" is much larger in size than the "destination" and the nodes start to rebalance when within 5% of being in balance. It could also occur when rebalancing is interrupted (communication failures, deploys, restarting tunnels, etc.). | 30 November 2018 |
QUALYS SCANNER | IJ16409 | NIGHTLY VULNERABILITY SCAN USER INTERFACE STATUS MESSAGE DOES NOT GET UPDATED IF ONLY A SINGLE REPORT IS IMPORTED | CLOSED | An updated version of the Qualys Scanner rpm resolves APAR IJ16409. The RPM update for QualysQualysGuard-7.3-20190531123001.noarch.rpm (or later) is included in the July 25th QRadar weekly auto update. Most users will receive this update automatically. Administrators with Console appliances that do not have access to the Internet to get the automatic update can download the latest Auto Update bundle QRADAR-QRAUTO-1564067294 (or later) from IBM Fix Central. See this page for instructions on how to manually install an auto update bundle. Issue: It has been identified that a nightly vulnerability scan status message in the User Interface does not get updated when there is only one scan file to download and parse. The scanUpdate message only gets updated at the beginning of a "for" loop when processing reports. When this issue occurs, it incorrectly appears in the User Interface that the scan continuously runs (even though it completes) until another scan using the same scanner is kicked off. | 28 May 2019 |
PROTOCOL | IJ15400 | AKAMAI KONA REST API PROTOCOL FAILS WITH NULLPOINTEREXCEPTION IN QRADAR LOGGING | CLOSED | Resolves an issue in the Akamai Kona Rest API protocol to prevent a Null Pointer Exception that could cause event collection to stop. The release of this protocol update closes APAR IJ15400 and resolves the workaround where users needed to disable and enable their Akamai Kona log sources. Most users can wait for the QRadar weekly auto update to receive the protocol changes; however, administrators with Akamai Kona log sources can manually download and install the RPMs from IBM Fix Central. Issue resolved with the following RPM releases: Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] java.lang.NullPointerException [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPISource: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]There appears to have been a run-time issue with the provider connection 'class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider' | 18 July 2019 |
DEVICE SUPPORT MODULE (DSM) | IJ17406 | CHANGES IN VCENTER AND COMMON DSM CAN CAUSE TLS SYSLOG LOG SOURCE LEGACY CONFIGURATION UI PAGE TO NOT LOAD CORRECTLY | CLOSED | This release resolves a problem where the VMware vCenter DSM or DSM Common framework RPM could affect which protocol options were displayed to users creating new log sources. Several users reported that TLS Syslog was missing from the Protocol drop-down list when creating non-VMware log sources as described in APAR IJ17406. Users who do not have the VMware vCenter DSM installed or who do selective DSM installs can also get this fix by updating to the latest version of DSM Common to resolve APAR IJ17406. This issue was only observed by users of the default log source user interface, not by users of the Log Source Management app. Local fix: The next QRadar weekly auto update will resolve this issue. QRadar 7.3.x users can manually install the updated RPMs from IBM Fix Central. | 18 July 2019 |
SYSTEM NOTIFICATIONS | IJ16822 | INTERMITTENT FALSE POSITIVE NOTIFICATION MESSAGES 'A CRE PROCESSOR THREAD GOT SHUT DOWN UNEXPECTEDLY...' | OPEN: Reported in QRadar 7.3.2 versions. | No workaround available. These System Notifications can be ignored. | 14 June 2019 |
PERFORMANCE / SERVICES | IJ16824 | ARIEL_QUERY_SERVER PROCESS OUT OF MEMORY CAN OCCUR DUE TO LARGE NUMBER OF CONCURRENTPOOL OBJECTS IN JMX MBEAN | OPEN: Reported in QRadar 7.3.1 Patch 8 | It has been identified that the ariel_query_server process on a QRadar appliance can run out of memory due to a memory leak caused by a large number of remaining ConcurrentPool objects in the JMX MBean server. Contact Support for a possible workaround that might address this issue in some instances. CASE REQUIREMENTS In order to correctly identify that this issue is the cause of an ariel_query_server process out of memory occurrence, create a Support case with the affected appliance's get_logs output and the /store/jheap/ariel.ariel_query_server/ariel.ariel_query_server.system.dmp file that is created when the out of memory occurs. Only after these are examined by Support can the exact cause of the ariel_query_server process out of memory occurrence be correctly identified. | 10 June 2019 |
SEARCH | IJ16592 | ENABLING UNIQUE COUNTS FOR SAVED SEARCHES DOES NOT WORK AS EXPECTED | OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) | It has been identified that attempting to enable unique counts on a search in Log Activity does not work as expected. Enable unique counts on a search, navigate off of the search, and then back to the search. The unique counts setting reverts to disabled. For example: | 10 June 2019 |
RULES | IJ16618 | USING A CIDR IN 'COMMON' RULES FAILS AND GENERATES 'CIDRNETWORKEXCEPTION' IN QRADAR LOGGING | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround No workaround available. Issue It has been identified that attempting to use a CIDR in Common rules generates a CIDRNetworkException similar to the following in /var/log/qradar.log: [tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.sem.ui.util.RuleConditionUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get test parameter option text [tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] Caused by: /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: 1.2.3.0/24 | 26 November 2020 |
UPGRADE / APP FRAMEWORK | IJ16653 | DUAL STACK NETWORK CONFIGURATION CAN CAUSE THE APP FRAMEWORK TO FAIL TO START SUCCESSFULLY AFTER PATCHING | OPEN: Reported in QRadar 7.3.2 versions | It is possible that the Application Framework fails to start, because none of its services are able to communicate with each other, after patching QRadar in environments with both an IPv6 and an IPv4 network interface configured. The following error messages might be visible in /var/log/qradar.log when this issue occurs: [21598]: time="2019-06-20T10:55:45-05:00" level=error msg="Provider connection error Get https://127.0.0.1:2376/v1.21/version: x509: certificate is valid for | 10 June 2019 |
AMAZON AWS CLOUDTRAIL | IJ16038 | AMAZON AWS S3 REST API PROTOCOL CAN GET INTO A STATE OF AN INFINITE LOOP CAUSING THE LOG SOURCE TO FAIL TO RECEIVE LOGS | OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) and later | It has been identified that Log Sources using the Amazon AWS S3 Rest API Protocol can get into an infinite loop in the error handling and show as being in "Success" state, but not be receiving any logs. Administrators who experience this issue should report the problem to QRadar Support in a case. Workaround: The administrator can disable, then enable the affected Log Source to temporarily get the Log Source to function again as expected. | 05 June 2019 |
REPORTS | IJ16414 | SCHEDULED REPORTS GENERATE WITH INCORRECT CHART DATA AND COLUMN NAME WITH SOME ADVANCED SEARCHES (AQL) | OPEN: Reported in QRadar 7.3.2 versions | It has been identified that when an aggregate function along with a mathematical operation is used in an Advanced Search (AQL), a separate column for every aggregate function is displayed in the report based on the search. In the following example, two columns with the same column name (as specified in the Alias) are displayed and both columns contain different values which belong to the particular aggregate function. Workaround: Run the report immediately from the Report Wizard so the report runs against raw data. On the Report Wizard page, select the "Yes - Run this report when the wizard is complete" check box. | 29 May 2019 |
JDBC PROTOCOL | IJ16291 | JDBC MSDE LOG SOURCES IN WARN STATUS WITH MESSAGE 'THERE IS A PROBLEM WITH THE SELECTED DATABASE DRIVER' | CLOSED | Closed as fixed if next. Contact Support for a possible workaround that might address this issue in some instances. It has been identified that after patching to QRadar 7.3.2, JDBC MSDE Log Sources can stop receiving events and be in WARN status with a message similar to "There is a problem with the selected database driver". Reported in QRadar 7.3.2 versions with PROTOCOL-JDBC-7.3-20190411121241 | 09 December 2019 |
SNMPv3 PROTOCOL | IJ06659 | NO ERROR LOGGING WHEN SNMPV3 TRAPS ARE MISCONFIGURED WITH EITHER AUTHENTICATION OR DECRYPTION PASSWORD | CLOSED | Workaround: For your QRadar version, restart the ecs-ec service using one of the following commands: This issue has been flagged as a permanent restriction. A workaround is provided which resolves the issue. It has been identified that when SNMPv3 traps are configured to be sent into and processed by QRadar, and either the authentication or the decryption password is misconfigured, the traps are not ingested by QRadar and no errors/messages are written into the QRadar logging indicating the issue. | 09 December 2019 |
LOG ACTIVITY / NETWORK ACTIVITY | IJ22501 | LOG ACTIVITY GRAPHING CAN SOMETIMES DISPLAY INCORRECTLY AT THE END OF THE GRAPH | OPEN: Reported in QRadar 7.3.1 Patch 6 IF03 | No workaround available. Log Activity graphing can continue to show data values at the end of the graph when there are no events coming in. For example, when a search is run in a time frame that includes time after events were last seen, there is a triangle on the right that appears to be events. There are no events when hovering over it, and the 'Number of Results' is a fractional number. | 05 February 2020 |
RULES / QRADAR NETWORK INSIGHTS | IJ22500 | UNABLE TO EDIT FLOW RULE 'QNI: POTENTIAL SPAM/PHISHING SUBJECT DETECTED FROM MULTIPLE SENDING SERVERS' | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 2 (7.3.3.20200208135728) Workaround No workaround available. Issue Unable to edit flow rule "QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers". A message similar to the following can be generated in the QRadar User Interface when this issue is occurring: 'Please do not mix lack of device events tests with any other event test conditions.' | 04 February 2020 |
FLOWS / NETWORK ACTIVITY | IJ22499 | FLOW RECORDS CAN SOMETIMES DISPLAY LAST PACKET TIME OF 'N/A' AND BYTE AND PACKET COUNT OF '0' IN NETWORK ACTIVITY | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210) QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709) Workaround No workaround available. Issue Flow records can sometimes display a last packet time of 'N/A', and Byte and Packet count of '0', in Network Activity. | 04 February 2020 |
AQL / GEOLOCATION | IJ16434 | ADVANCED SEARCH (AQL QUERY) CONTAINING GEO::LOOKUP RETURNS AN EMPTY JSON STRING FOR 'CITY' VARIABLE | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround No workaround available. Issue It has been identified that performing an Advanced Search (AQL Query) using GEO::LOOKUP can return no data for 'city' even though the graph displays records. The 'city' variable returns only an empty JSON string in the table below the graph. QRadar 7.3.2 users can use the following advanced search to validate this reported issue: select GEO::LOOKUP(' | 29 May 2019 |
DEPLOYMENT | IJ16391 | ADDING A MANAGED HOST TO A DEPLOYMENT FAILS IF IT HAD BEEN REMOVED FROM THE DEPLOYMENT WHILE BEING INACCESSIBLE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround Install the latest software version or contact Support for a possible workaround that might address this issue if you are unable to upgrade at this time. Issue It has been identified that a Managed Host fails to be added to a Deployment if that Managed Host was in the Deployment previously, but was inaccessible (e.g. powered off) when it was removed. | 29 May 2019 |
SEARCH / INDEXES | IJ16415 | /OPT/QRADAR/BIN/ARIEL_OFFLINE_INDEXER.SH CAN SOMETIMES FAIL TO CREATE SUPER INDEX DUE TO MAXIMUM FILE ULIMIT VALUE | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Issue It has been identified that in some instances the current default limit on open files per process is too low a value (1024). When the open-file ulimit is hit, the ariel_offline_indexer.sh script can fail to create a super index. Contact Support for a possible workaround that might address this issue in some instances. Messages similar to the following might be visible in /var/log/qradar.log when the ulimit is reached: [main] java.io.FileNotFoundException: /store/ariel/events/records/2019/06/30/22/super/Q1Tmpxxxxxx-xxxx-xxxx-xxxx-8e9792bb1a49 (Too many open files) | 29 May 2019 |
LOG SOURCE / USER INTERFACE | IJ16422 | CUSTOM DSM REMAINS LISTED IN AVAILABLE "LOG SOURCE TYPES" AFTER BEING DELETED | OPEN: Reported in QRadar 7.3.1 Patch 5 (7.3.1.20180720020816) and later | No workaround available. It has been identified that after a search is performed in "Log Activity" and a "Log Source Type" filter is added, any deleted Custom DSMs remain in the list of available Log Source Types. | 29 May 2019 |
RIGHT-CLICK | IJ10925 | RIGHT-CLICK FUNCTIONALITY FOR 'ADD TO BLACKLIST' FAILS WITH 'REFERENCESETUTIL CAUGHT AN ERROR...' MESSAGE | CLOSED | Closed as a documentation error. Manually run the ReferenceSetUtil.sh script with arguments via an SSH session to the QRadar console. Example: /opt/qradar/bin/ReferenceSetUtil.sh add Blacklist | 11 June 2019 |
SERVICE | IJ15446 | ARIEL_QUERY_SERVER CAN BE MANUALLY STARTED ON A QRADAR CONSOLE | CLOSED: Duplicate of IJ14988 | APAR IJ14988 is closed with the release of QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) | 28 May 2019 |
RULES | IJ16392 | USERS WITHOUT 'MAINTAIN CUSTOM RULES' DO NOT SEE THE LOW-LEVEL CATEGORY OF THE DISPATCHED EVENT FROM RULE WIZARD | OPEN | No workaround available. It has been identified that QRadar users whose user role does not include "Maintain Custom Rules" do not see the Low-level category of the dispatched event from the Rule Wizard when viewing the rule summary. | 28 May 2019 |
RULES | IJ17437 | LOW-LEVEL CATEGORY VALUE IN RULE SUMMARY IS BLANK FOR USERS WITH NON-ADMIN USER ROLE | CLOSED: Duplicate of IJ16392. | Subscribe to APAR IJ16392 to be alerted to status changes for this APAR. | 28 May 2019 |
INSTALL | IJ17438 | INSTALLATION OF QRADAR CAN FAIL DUE TO INCORRECT DETECTION OF BIOS CONFIGURATION | CLOSED | Issues such as this are slated to be addressed in the next generation of QRadar SIEM that is due for General Availability in 2023. This APAR will be closed due to exclusion from current plans to remediate the issue within this generation of QRadar SIEM. If you have further questions, please feel welcome to reach out to your support representative. Thank you for your understanding. It has been identified that with some Lenovo System Xseries M4 and M5 appliances, the QRadar installation can fail to properly detect that the BIOS configuration "Legacy Mode" is set. Workaround: Toggle the BIOS boot mode. | 08 July 2019 |
CUSTOM EVENT PROPERTIES (CEP) | IJ16423 | JSON CUSTOM EVENT PROPERTY DISPLAYS "N/A" WHEN A BACKSLASH EXISTS IN THE EXTRACTED STRING FROM A PAYLOAD | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) Workaround If the "Enable this Property for use in Rules and Search Indexing" box is un-checked, the JSON Expression works as expected. Issue It has been identified that when a JSON Custom Event Property (CEP) is created and the string extracted from an event payload and assigned to the property contains a backslash (e.g. Windows file paths), the property is not populated and contains "N/A". | 12 July 2021 |
OFFENSES | IJ17329 | RIGHT-CLICK OPTION FOR NAVIGATE VIEW SOURCE SUMMARY AND VIEW DESTINATION SUMMARY IS SOMETIMES GREYED OUT | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002) Workaround No workaround available. Issue It has been identified that the Navigate right-click menu from the Offense view has the 'View Source Summary' and 'View Destination Summary' options greyed out when the IP and the Log Source both belong to a domain other than "Default Domain". | 28 June 2019 |
GEOLOCATION / LOCALIZATION | IJ16183 | SOME COUNTRIES AS DISPLAYED WITHIN AREAS OF THE QRADAR USER INTERFACE (NETWORK HIERARCHY) ARE NOT CORRECTLY LOCALIZED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) Workaround Administrators can install a software release that resolves this software issue. Issue It has been identified that some of the country information displayed within the QRadar User Interface (as pulled from Network Hierarchy data) is incorrectly localized and some is missing. Incorrectly localized countries: Hong Kong -> Hong Kong S.A.R of China; Macau -> Macao S.A.R of China; Korea -> South Korea; Korea -> North Korea; Macedonia -> North Macedonia; Cote D'Ivoire -> Côte d'Ivoire. Missing localizations: Bouvet Island, Western Sahara, Congo-Kinshasa, Congo-Brazzaville | 26 November 2020 |
ENCRYPTED HOSTS / TUNNELS | IJ16082 | ATTACHING AN EVENT COLLECTOR TO A DIFFERENT EVENT PROCESSOR (EP) LEAVES OLD TUNNEL CONNECTIONS TO THE ORIGINAL EP | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact Support for a possible workaround that might address this issue in some instances. Issue It has been identified that attaching an Event Collector to a different Event Processor (EP) does not remove all the tunnel connections to the original EP. | 16 May 2019 |
CUSTOM EVENT PROPERTY | IJ15399 | AN AQL BASED CUSTOM EVENT PROPERTY THAT HAS BEEN DISABLED CONTINUES TO BE DISPLAYED WITHIN SUBSEQUENT EVENTS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved. Issue It has been identified that an AQL Custom Event Property (CEP), while enabled, is displayed as expected within an associated event detail. When that AQL CEP is disabled, subsequently ingested events continue to list the disabled AQL CEP. For example (screenshot not included): | 24 May 2021 |
OFFENSES | IJ15593 | OFFENSE SOURCE SUMMARY INFORMATION THAT IS PULLING ASSET DATA IS NOT DOMAIN AWARE FOR OFFENSES INDEXED BY USERNAME, MAC ADDRESS, OR HOSTNAME | CLOSED | Resolved in: QRadar 7.4.0 (7.4.0.20200304205308) QRadar 7.3.3 Patch 1 (7.3.3.20191203144110) QRadar 7.3.2 Patch 6 (7.3.3.20191224145010) Issue It has been identified that in QRadar environments with domains configured, users from one domain can see data from assets in another domain in the offense summary for offenses indexed by username, MAC, or hostname. | 09 December 2019 |
NETWORK HIERARCHY / RULES | IJ15969 | FALSE POSITIVE RULE FIRING CAN OCCUR CAUSED BY NETWORK HIERARCHY IN DOMAIN ENVIRONMENTS | CLOSED | No workaround available. Sending events before any domains are defined will tag those events to the Default Domain. Events sent after the domains and network hierarchy are properly defined will get properly tagged. This function is working as designed. | 16 May 2019 |
CUSTOM ACTION SCRIPTS | IJ15568 | CUSTOMACTIONUSER FUNCTION WITHIN CUSTOM ACTION SCRIPTS CANNOT PERFORM DNS LOOKUPS | CLOSED | Resolved in QRadar 7.4.3 (7.4.3.20210517144015) Workaround If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue. Issue It has been identified that the customactionuser function within custom action scripts cannot perform DNS lookups. | 24 May 2021 |
OFFENSES | IJ15648 | UNEXPECTED DUPLICATE ATTACKER NETWORKS GENERATED FOR OFFENSES DUE TO THE ADDITION OF IPV6 FIELD | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that duplicate offense attackers can be generated for an Offense and, as a result, more source IPs are listed against an Offense than actually contributed to it. This behavior is caused by the addition of the IPv6 field to the unique index on attackers. | 16 May 2019 |
WINCOLLECT | IJ12255 | EVENT ID FILTERS ENABLED WITHIN THE LOG SOURCE MANAGEMENT APP ARE NOT WORKING AS EXPECTED | Transitioning to closed | Resolved in WinCollect 7.2.9 | 14 February 2019 |
WINCOLLECT | IJ07257 | WINCOLLECT AGENTS INSTALLED ON OR POLLING FROM WINDOWS 10 VERSION 1803 (APRIL 2018 UPDATE) STOP RECEIVING SECURITY EVENTS | CLOSED | Resolved in WinCollect 7.2.9. Users who cannot update can see the local workaround to use XPATH or MSEVEN6 in your log sources to resolve this issue until you can update your agents. | 03 December 2018 |
WINCOLLECT | IV99860 | 'ERROR 1720' WHEN INSTALLING WINCOLLECT STANDALONE PATCH FILE TO WINCOLLECT 7.2.5 | CLOSED | Unreproducible in the WinCollect 7.2.9 release. | 09 January 2019 |
SYSTEM NOTIFICATIONS | IJ14249 | NOTIFICATION OF DROPPED FLOWS IS NOT OCCURRING IN QRADAR SYSTEM NOTIFICATIONS | CLOSED | Resolved in QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427) Workaround No workaround available. Issue It has been identified that in instances where flows are being dropped by a QRadar appliance, notifications are written into QRadar logging, but no System Notification message is generated in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when flows are being dropped: [QRADAR] [16664] qflow: [WARNING] Unable to stream flows fast enough to {ip_address}:32010. Dropped 4393 flows. | 23 February 2022 |
RULES | IJ09018 | CRE PROCESSOR THREADS CAN DIE WHEN THE MAXMIND DATABASE IS UPDATED VIA AUTO UPDATE | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.3.2 (7.3.2.20190201201121) QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) Workaround When it is verified that a QRadar appliance is experiencing the CRE issue defined below, a restart of the ecs-ep service via the command line (SSH) on the affected appliance(s) can be used to correct the issue: # systemctl restart ecs-ep To prevent this from recurring until a QRadar Fix Pack is released to address the issue, you can disable updates of the maxmind/geographic data file using these steps: If you require assistance diagnosing or correcting this issue, contact support. Issue It has been identified that CRE threads die when the Maxmind database (used for geolocation updates) is updated via Auto Update. QRadar processing issues with the Custom Rule Engine (CRE), including Offense generation, can occur due to an uncaught thread exception. Messages similar to the following might be visible in /var/log/qradar.error on affected appliances when this issue occurs after the Auto Update is performed: com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][/- -] [-/- -]Exception was uncaught in thread: Preprocessor(events)_9 java.lang.InternalError: SIGBUS at com.maxmind.db.Reader.readNode(Reader.java:219) at com.maxmind.db.Reader.findAddressInTree(Reader.java:174) at com.maxmind.db.Reader.get(Reader.java:146) at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151) at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202) at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:531) at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:384) at com.q1labs.core.shared.location.LocationUtils.lookup(LocationUtils.java:336) at com.q1labs.core.types.event.NormalizedEventProperties$SourceGeographicLocation.createKey(NormalizedEventProperties.java:73) | 17 January 2020 |
ADVANCED SEARCH (AQL) | IJ08960 | ADVANCED SEARCH (LOG ACTIVITY) CAN FAIL WHEN CALCULATING EPS AND SORTING ON EPS | CLOSED | Closed as suggestion for future release. The thrown "ArithmeticException: divide by zero" is expected behaviour for this query. This behaviour is consistent with industry standard SQL engines. The workaround is to not divide by zero. For AQL like: ( max(endTime) - min(startTime) ) change the query to: ( max(endTime) - min(startTime) + 1 ) A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page. | 18 December 2018 |
REFERENCE DATA | IJ01874 | ASSOCIATED RULES COUNT IN THE REFERENCE SET MANAGEMENT USER INTERFACE CAN APPEAR DIFFERENT THAN REFERENCE SET EDITOR SCREEN | CLOSED | Closed as suggestion for future release. This issue could not be replicated in QRadar 7.2.8 or QRadar 7.3.2 releases. There are a number of default reference sets which are attached to default custom rules. When one of the default custom rules is modified, a duplicate rule is created in the QRadar database (known as an override rule) which obsoletes the default rule. The Admin -> Reference Set Management page tallies both of these rules in the "Associated Rules" count that is displayed. A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page. | 06 March 2019 |
UPGRADES | IJ08432 | BACKLEVEL JTDS JAR FILES IN QRADAR 7.3.1 CAN SOMETIMES CAUSE AN OUT OF MEMORY WITH ECS-EC-INGRESS PROCESS | CLOSED | This issue is resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336). It has been reported that the older jtds-1.2.6.jar file can remain in multiple QRadar directories instead of the newer jtds-1.3.3i.jar after patching/upgrading QRadar. In instances where the two different versions of the jtds .jar file are simultaneously present in working directories of QRadar and Log Sources using JDBC are in use, the ecs-ec-ingress process can run out of memory. If you have issues, contact Support for a possible workaround that might address this issue in some instances. | 29 November 2018 |
OFFENSES | IJ10545 | OFFENSE SOURCE SUMMARY DISPLAYS INCORRECTLY FOR OFFENSES INDEXED ON REGEX CUSTOM PROPERTIES WITH FIELD TYPE "IP" | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) QRadar 7.2.8 Patch 14 Workaround No workaround available. Issue It has been identified that when offenses are indexed on Regex custom properties with Field Type = 'IP', the Offense Source Summary -> "Custom property value" field on the Offense Summary page displays incorrectly. This problem affects both events and flows. For example (screenshot not included): | 29 November 2018 |
SEARCHES | IJ07123 | INCONSISTENT RESULTS FOR ASSET SEARCHES 'ASSETS WITH OPEN SERVICE = DNS' VS 'ASSETS WITH OPEN SERVICE = DOMAIN' | CLOSED | Closed as suggestion for future release. Asset searching works the way it was designed. We have verified that searching for assets with Open service equals any of "domain" or "DNS" will fix this issue for customers. Closing as works as designed. A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page. | 18 September 2018 |
REPORTS | IJ08219 | INCOMPLETE RESULTS IN REPORTS WHEN SELECTING 'DAY OF THE WEEK' TARGETED DATA SELECTION CONTAINER DETAILS | CLOSED | Closed as suggestion for future release. Workaround: Instead of selecting the day of the week under the Targeted Data Selection in the container details of the Report, include the day of the week parameter in the AQL query of the search; the completed report then contains all the expected results for the day of the week specified in the AQL Query. Details: It has been identified that there can be incomplete or inconsistent results in reports when Day of the Week is selected under the Targeted Data Selection in the container details of the report. For example (screenshot of results not included): | 24 August 2018 |
VULNERABILITY SCAN | IJ08038 | OUTPOST24 VULNERABILITY SCAN STARTS AND THEN FAILS WITH NULLPOINTEREXCEPTION IN QRADAR.LOG | CLOSED | This fix is available in the weekly auto update for 9 February 2021 (Build 1612831588) and in the following RPM on IBM Fix Central: VIS-Outpost24VulnerabilityScanner-7.3-20200702211501.noarch.rpm | 05 March 2021 |
ASSETS | IV89674 | ASSET RECONCILIATION BLACKLIST REFERENCE SETS CAN BECOME BLOATED DUE TO NO EXPIRY DATE BEING SET | CLOSED | Install Baseline Maintenance Content Extension v1.0.5 or later | 8 August 2018 |
REPORTS | IJ06051 | 'WEEKLY SUCCESSFUL LOGIN EVENTS' REPORT CONTAINS QRADAR APP LOGINS | CLOSED | Install Baseline Maintenance Content Extension v1.0.5 or later | 8 August 2018 |
REPORTS | IJ02578 | ASSET DEVIATION REPORT LINK CONTAINED WITHIN A SYSTEM NOTIFICATION DOES NOT WORK | CLOSED | Install Baseline Maintenance Content Extension v1.0.5 or later | 28 August 2018 |
FLOWS | IJ06593 | QRADAR PACKET CAPTURE CAN SOMETIMES NOT INGEST/PROCESS PCAP FILES UNTIL A DEPLOY FULL CONFIGURATION IS PERFORMED | CLOSED as unreproducible | Complete a 'Deploy Full Configuration'. If you continue to experience this issue, contact QRadar Support. | 30 July 2018 |
INSTALL/UPGRADE | IJ01523 | QRADAR UPGRADE TO 7.3.0.X ON SOFTWARE APPLIANCES CAN FAIL WITH ERROR 'STORAGE CONFIGURATION FAILED' | CLOSED as Permanent restriction. | No workaround available. | 30 July 2018 |
USER BEHAVIOR ANALYTICS (UBA) | IJ02457 | UNPARSED CRE EVENTS CONTAINING 'WHERE CATEGORY BETWEEN...' OBSERVED WHEN USER BEHAVIOR ANALYTICS (UBA) APP INSTALLED | OPEN | Reopened due to additional users logging cases for this issue. No workaround available. It has been identified that frequent unparsed Custom Rule Engine (CRE) events containing "WHERE category BETWEEN 24000 and 25000" might be observed in Log Activity when the User Behavior Analytics (UBA) app is installed in the QRadar environment. | 01 October 2019 |
EVENTS | IJ02819 | '...SENT A TOTAL OF XXXX EVENT(S) DIRECTLY STORAGE...QUEUE IS AT 0 PERCENT CAPACITY' DURING OVER LICENSE EPS SPIKES | CLOSED | Resolved in: QRadar 7.3.1 Patch 5 (7.3.1.20180720020816) QRadar 7.3.1 Patch 4 Interim Fix 1 (7.3.1.20180601192933) | 27 July 2018 |
WINCOLLECT | IJ05619 | NETAPP DATA ONTAP EVENTS THAT ARE COLLECTED USING WINCOLLECT CAN BE MISSING EVENT PAYLOAD DATA FOLLOWING MESSAGE= | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ03314 | WINCOLLECT AGENT STOPS SENDING EVENTS TO COLLECTOR 'COULD NOT RESTART AGENT PROCESS AFTER UNEXPECTED EXIT' IN LOGS | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ02840 | UNABLE TO UPGRADE/INSTALL WINCOLLECT 7.2.7 ON WINDOWS SERVER CORE 2016 USING THE PATCH/CONFIGURATION CONSOLE INSTALLER | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ02744 | WINCOLLECT CAN SOMETIMES STOP COLLECTING SECURITY EVENTS DUE TO AN ISSUE WITH SID TRANSLATION | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01529 | WINCOLLECT 7.2.7 LOG SOURCES CONFIGURED TO USE MSEVEN6 AND POLLING INTERVAL OF 1500 OR LOWER CAN STOP RECEIVING LOGS | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01089 | HIGH CPU LOAD OBSERVED AFTER UPGRADING WINCOLLECT TO VERSION 7.2.7 AND USING MSEVEN6 | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01531 | WINCOLLECT CAN SOMETIMES STOP GATHERING WINDOWS IIS LOGS UNTIL A RESTART OF THE AGENT OCCURS | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01528 | DUPLICATE WINCOLLECT HOSTNAMES CAN BE CREATED DURING A WINCOLLECT UPGRADE | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IV96284 | UPGRADING THE WINCOLLECT .SFS CAN REQUIRE AN ADDITIONAL 'DEPLOY FULL CONFIGURATION' TO COMPLETE SOME AGENT INSTALLATIONS | CLOSED | This issue is resolved in WinCollect 7.2.8 and later. See WinCollect 101 for the latest software release. | 10 July 2018 |
WINCOLLECT | IJ06382 | INSTALLING WINCOLLECT 7.2.7 ON QRADAR 7.3.1.X REQUIRES THE ECS-EC-INGRESS PROCESS TO BE RESTARTED | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01186 | WINCOLLECT AGENT STATUS DISPLAYED IN THE QRADAR USER INTERFACE CAN BE INACCURATE | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
WINCOLLECT | IJ01921 | WINCOLLECT VERSION 7.2.6 AND HIGHER LOG SOURCES CONFIGURED WITH MSEVEN6 PROTOCOL USE A DYNAMIC PORT RANGE 49152 TO 65535 | CLOSED | This issue is resolved in WinCollect 7.2.8 | 10 July 2018 |
LOG SOURCE GROUPS | IJ10154 | AN 'ERROR OCCURRED WHILE SEARCHING FOR DEPENDENTS' MESSAGE WHEN DELETING AN EMPTY LOG SOURCE GROUP | CLOSED | Resolved in QRadar 7.5.0 (7.5.0.20211220195207) QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944) Workaround If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround. Issue It has been identified that the error message "Error occurred while searching for dependents" can be generated when attempting to delete an empty Log Source Group. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [pool-1-thread-4] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 103523 [tomcat.tomcat] [pool-1-thread-4] java.lang.RuntimeException: java.lang.RuntimeException: Error processing criteria sourceIP [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:1135) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:780) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:737) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:731) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:722) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroup [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:53) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:244) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:196) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:153) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:106) [tomcat.tomcat] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [tomcat.tomcat] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:811) [tomcat.tomcat] [pool-1-thread-4] Caused by: [tomcat.tomcat] [pool-1-thread-4] java.lang.RuntimeException: Error processing criteria sourceIP [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1275) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuilder.java:350) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:1055) [tomcat.tomcat] [pool-1-thread-4] ... 16 more [tomcat.tomcat] [pool-1-thread-4] Caused by: [tomcat.tomcat] [pool-1-thread-4] java.lang.IllegalStateException: Unable to load reference set with id:45 [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(CriteriaBuilder.java:880) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuilder.java:1077) [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1182) [tomcat.tomcat] [pool-1-thread-4] ... 18 more | 12 July 2021 |
OFFENSES | IJ10956 | 'OFFENSES' COUNT NUMBER DISPLAYED ON THE OFFENSE SUMMARY SCREEN CAN BE INCORRECT IN MULTI-DOMAIN ENVIRONMENTS | OPEN: REPORTED IN QRADAR 7.2.8 | No workaround available. | 28 November 2018 |
APP FRAMEWORK | IJ10675 | QRADAR APPS FAIL TO INSTALL WHEN THE EXTENSION VALIDATION KEYSTORE PASSWORD CANNOT BE DECRYPTED | CLOSED | This APAR was closed as won't fix. Please contact our support to fix the issue. | 28 November 2018 |
SEARCH | IJ10924 | SEARCH DATA CONFIGURED TO BE ACCUMULATED (TIME SERIES) CAN FAIL TO DISPLAY DUE TO INVALID REGEX | CLOSED | No workaround available. We were unable to reproduce this issue. In case it happens again, deleting the corrupted GV resolves the issue. Closed as Permanent restriction. | 28 November 2018 |
MSRPC PROTOCOL | IJ11495 | DISABLED MSRPC CONNECTIONS DO NOT ALWAYS CLOSE THE CONNECTION BETWEEN THE QRADAR HOST AND THE WINDOWS SYSTEM | CLOSED | The MSRPC protocol has been updated. The published protocol fixes can be found in: 7.3.0-QRADAR-PROTOCOL-WindowsEventRPC-7.3-20190228190632.noarch.rpm and later versions; 7.2.0-QRADAR-PROTOCOL-WindowsEventRPC-7.2-20190228140723.noarch.rpm and later versions | 23 November 2018 |
API | IJ11393 | USING THE API TO UPDATE LOG SOURCES CAN RETURN: 'COULD NOT UPDATE LOGSOURCE {NUMBER}. THE TOTAL MAXIMUM...' | CLOSED | The fix for this issue is contained in the TLSSyslog update PROTOCOL-TLSSyslog-7.3-20190731171226.noarch.rpm and later versions. | 21 November 2018 |
DASHBOARD | IJ11170 | DASHBOARD SEARCHES CONTAINING SEARCHES WITH UNIQUE COUNTS ENABLED CAN DISPLAY INCONSISTENT RESULTS | CLOSED | Resolved in QRadar 7.4.0 (7.4.0.20200304205308) Workaround No workaround available. Issue It has been identified that Dashboards and Reports created from searches using unique counts can display results that differ from what is displayed for the same search run in Log Activity. When this issue occurs, Dashboard results over longer periods also show significantly lower values than a more recent time period. | 05 March 2019 |
OFFENSES | IJ10557 | OFFENSE PAGE CAN BE SLOW TO LOAD WHEN TOO MANY INACTIVE OFFENSES REMAIN AFTER RETENTION PERIOD ELAPSED | CLOSED | There are no plans to address the performance issues related to the existing Offense Screens in QRadar. Closing this APAR as won't fix. | 21 November 2018 |
ADVANCED SEARCH (AQL) | IJ11113 | AQL SEARCH CAN GENERATE A "FAILED TO INSTANTIATE FUNCTION 'INOFFENSE'" ERROR MESSAGE | CANCELLED | Unable to reproduce the problem on the reported release. It has been determined that this AQL query issue is not reproducible or falls outside the intended functionality of QRadar. | 16 November 2018 |
SEARCH | IJ10582 | SEARCH WITH FILTER 'USERNAME IS NOT N/A' IN REPORTS AND DASHBOARDS CAN CAUSE 'ACCUMULATOR FALLING BEHIND' SYSTEM NOTIFICATIONS | OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 IF 1 | Where possible, do not use the search filter "Username is not N/A" until the fix pack is released that addresses this issue. | 16 November 2018 |
SYSTEM TIME | IJ10892 | MANUALLY SETTING APPLIANCE SYSTEM DATE IN THE QRADAR USER INTERFACE CAN CHANGE THE DATE TO -1 DAY AFTER SERVICES ARE RESTARTED | CLOSED | Resolved in QRadar 7.4.2 (7.4.2.20201113144954) QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722) Workaround Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. Issue It has been identified that when the system date for a QRadar appliance is set in the User Interface (System and License Management screen), after the required backend services are restarted the appliance system date is changed to one day before the date that was entered. The defined timezone and time are not affected; only the date changes. This has been observed for some timezones that are either one day ahead of, or one day behind, UTC. | 26 November 2020 |
NETWORK HIERARCHY / SECURITY PROFILE | IJ10376 | NAME CHANGE MADE TO A NETWORK HIERARCHY OBJECT IS NOT REFLECTED IN THE QRADAR ADMIN - SECURITY PROFILES | CLOSED | Closed as Permanent restriction. No workaround available. | 1 November 2018 |
FLOWS | IJ10404 | FLOWS EXCEEDING 4GB IN SIZE DISPLAY INCORRECT PACKET AND BYTE NUMBERS | OPEN: REPORTED IN QRADAR 7.3.0 AND QRADAR 7.3.1 VERSIONS | Contact QRadar Support for a possible workaround that might address this issue in some instances. | 1 November 2018 |
REPORTS | IJ09185 | REPORTS CREATED FROM AN AQL QUERY ON ACCUMULATED OR RAW DATA THAT CONTAIN A SUB-SELECT QUERY FAIL TO GENERATE | CLOSED | Closed as Permanent restriction. No workaround available. | 31 October 2018 |
USER INTERFACE ACCESS | IJ09375 | TOMCAT OUT OF MEMORY CAN OCCUR WHEN API GET REQUEST PULLS A VERY LARGE /LOCAL_DESTINATION_ADDRESSES | CLOSED | Closed as Permanent restriction. No workaround available. | 1 November 2018 |
COMMAND LINE | IJ10111 | FALSE POSITIVE (BENIGN) QRADAR LOG MESSAGES THAT APPEAR TO INDICATE A PROBLEM WITH QRADAR MAGISTRATE (MPC) AFTER DEPLOY | CLOSED | Closed as Permanent restriction. Administrators who see the transaction exception error messages defined in the APAR can ignore these benign log messages. No workaround available. | 31 October 2018 |
MICROSOFT OFFICE 365 | IJ08977 | MICROSOFT OFFICE 365 LOG SOURCE CAN STOP COLLECTING WITH 'ERROR - AN ERROR OCCURRED INDICATING THAT THE REQUIRED CERTIFICATE..' | CLOSED | This issue has been resolved in the following protocol updates delivered via QRadar weekly auto updates: This update resolves multiple issues: 1. Resolves an issue where the protocol could retrieve duplicate events when polling for data. 2. Resolves an issue where the protocol could ask for a range of data larger than what the Office 365 API allows. This issue was caused by a change made by Microsoft to Office 365. 3. Resolves an issue where Office 365 could incorrectly change how other protocols validate certificates. 4. Resolves an issue where the Log source API could treat the client secret as a text field instead of a password field in QRadar 7.3.x versions. 5. If you are manually updating protocol RPMs, this update requires the admin to first install the latest version of the Protocol Common framework on the QRadar Console. | 09 January 2019 |
SEARCH | IJ10377 | FILTERING BY MULTIPLE REFERENCE SETS USING 'DOES NOT EXIST IN ANY OF' DOES NOT WORK AS EXPECTED | CLOSED | Closed as suggestion for future release. It has been identified that a reference set search filter using "Does not exist in any of" with multiple reference sets does not filter the results as expected. It has been noted in the APAR comments that users can use the search value "Does not exist in all of" instead to resolve the issue. A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page. | 11 June 2019 |
AUTO UPDATE | IJ10791 | 'MANIFEST REQUIRES VERSION 8.9 BUT THE SCRIPTS ONLY CONTAIN 8.8. CANNOT CONTINUE' AFTER AUTOUPDATE IS RUN | CLOSED | Download the file autoupdate-8.9-2.noarch.rpm from IBM Fix Central and copy it to the QRadar Console. After the file is copied onto the QRadar Console, install it via an SSH session to the QRadar Console using the following command: yum -y install autoupdate-8.9-2.noarch.rpm | 27 OCTOBER 2018 |
WINCOLLECT | IJ10748 | THE WINCOLLECT FILE FORWARDER CAN SOMETIMES STOP FORWARDING LESS ACTIVELY UPDATED FILES/DIRECTORIES | CLOSED | Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update as Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. | 7 DECEMBER 2018 |
WINCOLLECT | IJ12128 | WINCOLLECT BUILD NUMBER IS NOT DISPLAYED IN THE WINCOLLECT AGENT VERSION FIELD | CLOSED | Resolved in WinCollect 7.2.8 Patch 2 | 19 December 2018 |
WINCOLLECT | IJ10390 | WINCOLLECT AGENTS DO NOT COMPLETE INSTALLATION DUE TO UNSUCCESSFUL PULL OF THE REQUIRED .PEM FILE | CLOSED | Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update. IBM Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. | 25 OCTOBER 2018 |
HIGH AVAILABILITY (HA) | IJ10367 | HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR WHEN A PING TEST FAILS FROM THE ACTIVE NODE AND SUCCEEDS FROM THE STANDBY | OPEN: REPORTED IN MULTIPLE QRADAR 7.2.8 VERSIONS | Contact QRadar Support for a possible workaround that might address this issue in some instances. | 20 OCTOBER 2018 |
DATA NODE | IJ09057 | 'TUNNEL HAS FAILED TO START' MESSAGES AFTER REASSIGNING AN ENCRYPTED DATA NODE TO A DIFFERENT EVENT PROCESSOR | CLOSED | Resolved in QRadar 7.4.1 (7.4.1.20200716115107) Workaround Contact QRadar Support for a possible workaround that might address this issue in some instances. Issue It has been identified that residual tunnel configuration data exists on an Event Processor (EP) after reassigning an encrypted Data Node from that EP to a different EP. Messages similar to the following might be visible in /var/log/qradar.log when this occurs: [hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [127.0.0.1/- -] Process tunnel.tunnel7 has failed to start for 1884 intervals. Continuing to try to start... [hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [127.0.0.1/- -] Process tunnel.tunnel6 has failed to start for 1884 intervals. Continuing to try to start... | 16 OCTOBER 2018 |
RIGHT-CLICK | IJ08964 | RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY | OPEN | No workaround available. | 16 OCTOBER 2018 |
JDBC PROTOCOL | IJ10114 | 'TABLE NOT FOUND' MESSAGE WHEN USING UPPER CASE TABLE NAMES TO JOIN WITH POSTGRES (LOWER CASE) | OPEN: REPORTED IN QRADAR 7.2.8 AND QRADAR 7.3.1 VERSIONS | Administrators can verify with the database administrator if the tables are case sensitive before they connect using the JDBC protocol. | 12 OCTOBER 2018 |
OFFENSE MANAGER | IJ09316 | SOURCE IPS AND DESTINATION IPS DISPLAY 'UNAUTHORIZED' IN OFFENSES TAB FOR USERS WITH APPROPRIATE RIGHTS | CLOSED | Closed as Permanent restriction. Avoid duplicate names within the Network Hierarchy and in Network Group names. | 9 OCTOBER 2018 |