
QRADAR APARS 101


QRadar information related to known issues, important alerts and problem resolutions.


What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report carries a status for the end user, either OPEN (ongoing) or CLOSED. This page is intended to help users who have not yet subscribed to IBM My Notifications locate known issues, and to surface alerts on APARs that QRadar Support considers important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs easier to search for users and administrators. The search field in the table below filters entries by version or keyword. To narrow the list to a specific version, combine keywords, or use the version buttons and then refine the result with the Search bar.


Last update: 14 April 2020 – Closed 22 APARs related to the release of QRadar 7.4.0 Fix Pack 1 (FP1) and 7.3.3 Fix Pack 3 (FP3). Added 7 APARs for the release of QRadar 7.3.2 Fix Pack 7. To search for CVEs, use the search term "security bulletin" and click a QRadar version button.
Component | Number | Description | Status
(Each row's More information column, with the resolved-in builds or workaround and the issue text, and its Date follow on the lines beneath it.)
SECURITY BULLETIN | CVE-2020-4294 | IBM QRADAR SIEM IS VULNERABLE TO SERVER-SIDE REQUEST FORGERY (SSRF) | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
14 April 2020
SECURITY BULLETIN | CVE-2020-4274 | IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar SIEM could allow an authenticated user to access data and perform unauthorized actions due to inadequate permission checks.
14 April 2020
SECURITY BULLETIN | CVE-2020-4272 | IBM QRADAR SIEM IS VULNERABLE TO INSTANTIATION OF ARBITRARY OBJECTS | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar could allow a remote attacker to include arbitrary files. A remote attacker could send a specially crafted request that specifies a malicious file on a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server.
14 April 2020
SECURITY BULLETIN | CVE-2020-4271 | IBM QRADAR SIEM IS VULNERABLE TO PHP OBJECT INJECTION | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user.
14 April 2020
SECURITY BULLETIN | CVE-2020-4270 | IBM QRADAR SIEM IS VULNERABLE TO PRIVILEGE ESCALATION | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar could allow a local user to gain escalated privileges due to weak file permissions.
14 April 2020
SECURITY BULLETIN | CVE-2020-4269 | IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
14 April 2020
SECURITY BULLETIN | CVE-2020-4151 | IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar SIEM is vulnerable to improper input validation, allowing an authenticated attacker to perform unauthorized actions.
14 April 2020
SECURITY BULLETIN | CVE-2019-2989, CVE-2019-2975, CVE-2019-2981, CVE-2019-2973, CVE-2019-2964 | MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 1

Issue
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 and IBM® Runtime Environment Java™ Version 8 used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs.
14 April 2020
SECURITY BULLETIN | CVE-2019-4654 | IBM QRADAR SIEM IS VULNERABLE TO INVALID CERTIFICATE VALIDATION | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.
14 April 2020
SECURITY BULLETIN | CVE-2019-4593 | IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 2

Issue
IBM QRadar generates an error message that includes sensitive information that could be used in further attacks against the system.
14 April 2020
SECURITY BULLETIN | CVE-2019-4594 | IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 1

Issue
IBM QRadar could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
14 April 2020
SECURITY BULLETIN | CVE-2017-3164 | IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES | CLOSED
Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

Affected versions
IBM QRadar 7.3.0 to 7.3.3 Patch 1

Issue
Apache Solr is vulnerable to server-side request forgery, caused by not having corresponding whitelist mechanism in the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack.
14 April 2020
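Every CLOSED security bulletin above names its fix by build id, the value in parentheses such as 7.3.3.20200409085709. Checking a deployment against a bulletin means comparing each appliance's installed build with the fixed build of the same release line: 7.4.0 GA (March 2020) contains the CVE-2020-4294 fix, 7.3.3 Fix Pack 2 (February 2020) does not, and 7.3.3 Fix Pack 3 (April 2020) is newer than both, so a plain timestamp comparison across lines misclassifies builds. The script below is an added example written for this page, not IBM code. It pulls the build ids out of a "Resolved in" cell pasted from the table and classifies each host of a constructed deployment; the hostnames and the 7.3.1 timestamp are made up, and it assumes the installed build id of each appliance was collected beforehand (for example with /opt/qradar/bin/myver on each host).

```python
import re

# A QRadar build id is <major>.<minor>.<patch>.<14-digit build timestamp>,
# e.g. 7.3.3.20200409085709, the 7.3.3 Fix Pack 3 build named in the bulletins.
BUILD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d{14})")


def parse_build(build):
    """Return ((major, minor, patch), timestamp) for one build id."""
    m = BUILD_RE.fullmatch(build.strip())
    if not m:
        raise ValueError(f"not a QRadar build id: {build!r}")
    major, minor, patch, stamp = m.groups()
    return (int(major), int(minor), int(patch)), stamp


def builds_in(resolved_in_text):
    """Every build id in a 'Resolved in' cell pasted from the table."""
    return [m.group(0) for m in BUILD_RE.finditer(resolved_in_text)]


def fix_status(installed, fixed_builds):
    """Classify one installed build against a bulletin's fixed builds.

    fixed        same release line as a fixed build, timestamp at or after it
    vulnerable   same release line, earlier timestamp
    no-fix-line  no fixed build exists for this release line (e.g. 7.3.1), so
                 the host has to move to a line that has one
    Timestamps are compared only within one release line; builds from other
    lines are ignored even when their timestamp is newer.
    """
    line, stamp = parse_build(installed)
    for fixed in fixed_builds:
        fixed_line, fixed_stamp = parse_build(fixed)
        if fixed_line == line:
            return "fixed" if stamp >= fixed_stamp else "vulnerable"
    return "no-fix-line"


def deployment_report(hosts, fixed_builds):
    """hosts: {hostname: build id}. Hosts whose build id does not parse are
    reported as 'unknown' rather than silently skipped."""
    report = {}
    for host, build in hosts.items():
        try:
            report[host] = fix_status(build, fixed_builds)
        except ValueError:
            report[host] = "unknown"
    return report


# The 'Resolved in' cell of the CVE-2020-4294 row above, pasted as-is.
CVE_2020_4294_RESOLVED_IN = """
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)
"""

# Constructed deployment (hostnames and the 7.3.1 timestamp are made up). The
# build ids are assumed to have been collected from each appliance beforehand.
DEPLOYMENT = {
    "console":   "7.3.3.20200409085709",  # 7.3.3 Fix Pack 3
    "ep-1":      "7.3.3.20200208135728",  # 7.3.3 Fix Pack 2: earlier build, still affected
    "ec-1":      "7.3.2.20200406171249",  # 7.3.2 Fix Pack 7
    "qni-1":     "7.3.1.20180912181210",  # no fix published on the 7.3.1 line
    "lab":       "7.4.0.20200304205308",  # 7.4.0 GA: older timestamp than 7.3.3 FP3, but fixed
    "appliance": "n/a",                   # version could not be collected
}

if __name__ == "__main__":
    fixed = builds_in(CVE_2020_4294_RESOLVED_IN)
    for host, status in deployment_report(DEPLOYMENT, fixed).items():
        print(f"{host:10} {DEPLOYMENT[host]:22} {status}")
```

A host that reports "no-fix-line" is not safe just because no fixed build exists for its line; for the bulletins above, every 7.3.x line below 7.3.2 is inside the affected range and has to be upgraded to a line that carries the fix.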
RULES | IJ20330 | RULES THAT COMPARE FIELD ‘SOURCE OR DESTINATION IP’ AGAINST IP TYPE REFERENCE DATA FOR SUPERFLOWS FAIL | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Use a hard-coded IP in the rule test instead of using a reference set.

Issue
It has been identified that a rule that tests for the presence of source/destination IP against an IP type reference set for superflows fails with exception: Failed to parse IP address: Multiple (X)
13 December 2019
FLOWS / QRADAR NETWORK INSIGHTS (QNI) | IJ20540 | QRADAR NETWORK INSIGHTS (QNI) FLOWS INTO QRADAR ARE DECREASED AND/OR STOP SENDING ENTIRELY | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Temporarily change from Advanced (High) inspection to Enriched (Med) inspection.

Issue
It has been identified that in some instances QRadar Network Insights can decrease and/or stop sending flows into QRadar when associated decapper/tika threads are in a stuck state.
27 March 2020
BACKUP / RECOVERY | IJ21252 | BACKUP/RESTORE PAGE IN THE QRADAR USER INTERFACE CAN FAIL TO LOAD ‘PLEASE WAIT WHILE THE REQUESTED INFORMATION IS GATHERED’ | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Reduce the number of backups available to the QRadar system.

Issue
It has been identified that the QRadar User Interface “Backup and Recovery” page in environments with a very large number of backups (multiple thousand) hangs while loading for an extended period of time. The page partially loads with a message similar to the following “Please wait while the requested information is gathered…”.
09 December 2019
INSTALL / UPGRADE | IJ23224 | IPV6 MANAGED HOSTS DO NOT AUTOMATICALLY PATCH WHEN USING THE “PATCH ALL” OPTION | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
After verifying that the Console is successfully patched, copy the patch SFS to each affected Managed Host and perform the patch process steps manually on it.

Issue
Managed Hosts configured with IPv6 addresses fail to patch automatically when the “Patch All” option is selected for the patching process. Output similar to the following is recorded:
Status Summary of Hosts
+---------+-------------------+
|Hostname |Status             |
|---------+-------------------|
||No Action Performed|
||Patch Successful   |
+---------+-------------------+
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) ip=
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) starting
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Found 0 patch report files.
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) Patch Report for , appliance type: 3199
 :  patch test succeeded.
-secondary :  patch test succeeded.
 :  patch succeeded.
-secondary :  patch succeeded.
Tried 3 times to copy file but md5 sums never matched after copy operations.
Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) pr=
Patch Report for (ipv6_address), appliance type: 3199
 :  patch test succeeded.
-secondary :  patch test succeeded.
 :  patch succeeded.
-secondary :  patch succeeded.
Tried 3 times to copy file but md5 sums never matched after copy operations.
13 March 2020
INSTALL / UPGRADE | IJ23465 | PATCH PRETEST VALIDATE_HOSTNAME.SH CAN FAIL ON A SECONDARY MANAGED HOST APPLIANCE CAUSING PATCH PROCESS TO FAIL | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
During the QRadar patch pretest, the validate_hostname.sh script can fail when running on a Secondary Managed Host appliance in a High Availability pair causing the patch to fail. Messages similar to the following might be visible when this issue occurs:
[INFO](testmode) Running pretest 7/8: Validate deployment hostnames
ERROR: This patch requires SSH access to all Managed Hosts to validate hostnames.
ERROR: The following Managed Hosts are not accessible via SSH:
- {appliance}
[ERROR](testmode) Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
[INFO](testmode) Running pretest 8/8: Check for QIF appliances in deployment
[ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
[INFO](testmode) Set ip-135-56 status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
Status Summary of Hosts
+----------+-------------------+
|Hostname  |Status             |
|----------+-------------------|
|appliance |Patch Test Failed  |
|appliance |No Action Performed|
+----------+-------------------+
Patch Report for {ipaddress}, appliance type: 500
Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
{appliance}:  patch test failed.
23 March 2020
RULES | IJ23642 | PERFORMANCE IMPROVEMENTS WITH REFERENCE DATA AND CUSTOM RULE ENGINE PROCESSING | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
No workaround available.

Issue
QRadar requires an improvement with the performance of Custom Rule Engine processing of Reference Data.
17 March 2019
INSTALL / UPGRADE | IJ23684 | QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE.187085.HOSTNAMETYPE_UPDATE.SQL | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
QRadar patching process can fail on db_update.187085.hostnametype_update.sql
23 March 2020
INSTALL / UPGRADE | IJ23685 | QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE_740.ARIEL_GENERICLIST_PROPERTY_EXPRESSION.SQL | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
QRadar patching process can fail on db_update_740.ariel_genericlist_property_expression.sql
23 March 2020
LICENSE | IJ21568 | NO WARNING OF UPCOMING EPS/FPS LICENSE EXPIRING | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
No warning message is issued for an Event Processor license that is about to expire; when the EPS/FPM license expires, the license pool becomes over-allocated without prior notice.

For example:
There is no warning message that the license is going to expire soon. Only a message that the license is expired. Current behavior: License “{LicenseIdentity}” allocated to host {IP ADDRESS} has expired.
20 December 2019
AUTHENTICATION / LDAP | IJ20982 | QRADAR LDAP AUTHENTICATION CAN FAIL DUE TO SHA1 CERTIFICATES BEING BLOCKED | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that SHA-1-signed certificates presented by the LDAP server can be rejected by the Java runtime's certificate algorithm constraints. QRadar LDAP authentication fails when this occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
tomcat[25530]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
tomcat[25530]: at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
tomcat[25530]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
tomcat[25530]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
tomcat[25530]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
tomcat[25530]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
tomcat[25530]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
tomcat[25530]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
tomcat[25530]: at java.lang.Thread.run(Thread.java:812)
tomcat[25530]: Caused by:
tomcat[25530]: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
tomcat[25530]: at com.ibm.jsse2.k.a(k.java:42)
tomcat[25530]: at com.ibm.jsse2.av.a(av.java:688)
tomcat[25530]: at com.ibm.jsse2.D.a(D.java:495)
tomcat[25530]: at com.ibm.jsse2.D.a(D.java:534)
tomcat[25530]: at com.ibm.jsse2.E.a(E.java:151)
tomcat[25530]: at com.ibm.jsse2.E.a(E.java:401)
tomcat[25530]: at com.ibm.jsse2.D.r(D.java:444)
tomcat[25530]: at com.ibm.jsse2.D.a(D.java:399)
tomcat[25530]: at com.ibm.jsse2.av.a(av.java:1006)
tomcat[25530]: at com.ibm.jsse2.av.i(av.java:574)
tomcat[25530]: at com.ibm.jsse2.av.a(av.java:468)
tomcat[25530]: at com.ibm.jsse2.i.write(i.java:17)
tomcat[25530]: at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java)
tomcat[25530]: at java.io.BufferedOutputStream.flush(BufferedOutputStream.java)
tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:455)
tomcat[25530]: at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:428)
tomcat[25530]: at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:371)
tomcat[25530]: at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:226)
tomcat[25530]: ... 84 more
tomcat[25530]: Caused by:
tomcat[25530]: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:18)
tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:82)
tomcat[25530]: at com.ibm.jsse2.aB.checkServerTrusted(aB.java:45)
tomcat[25530]: at com.ibm.jsse2.E.a(E.java:757)
tomcat[25530]: ... 97 more
13 November 2019
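The exception in this trace ("Certificates does not conform to algorithm constraints") is the Java runtime refusing a certificate chain whose signature algorithm is disallowed by its certificate-path constraints (the jdk.certpath.disabledAlgorithms property in the JVM's java.security). Before pointing QRadar at an LDAP server over TLS it is worth checking what the server's certificate and any intermediate are signed with. The following is an added example, not code from this page or from IBM: a minimal DER walker that reads the signatureAlgorithm OID of an X.509 certificate and reports SHA-1 and MD5 signature algorithms. The certificate it builds for itself is a constructed skeleton with a placeholder tbsCertificate, enough to exercise the parser offline; in practice you would feed it the PEM or DER of the LDAP server's certificate (for example as saved from openssl s_client -showcerts).

```python
import base64

# Signature-algorithm OIDs the JVM's certificate-path constraints can disallow;
# sha1WithRSAEncryption is the one behind the trace above.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3":    "dsaWithSHA1",
    "1.2.840.10045.4.1":    "ecdsa-with-SHA1",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


def der_tlv(tag, body):
    """Encode one DER element: tag, definite length (short or long form), body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        pos += 2 + nb
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OID body -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """OID of the outer signatureAlgorithm of
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, after_tbs = read_tlv(cert, 0)          # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, after_tbs)      # AlgorithmIdentifier
    oid_tag, oid_body, _ = read_tlv(alg_id, 0)      # its first field is the OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid_body)


def weak_signature_name(cert_der):
    """Name of a weak signature algorithm, or None when the signature is not in the weak set."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm(cert_der))


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = []
    for raw in pem.splitlines():
        line = raw.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sample_cert(sig_oid):
    """Constructed certificate skeleton (not a real, verifiable certificate): a
    placeholder tbsCertificate, the given signature AlgorithmIdentifier and an
    empty signature, enough to exercise the parser offline."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02"))                      # SEQUENCE { INTEGER 2 }
    alg = der_tlv(0x30, encode_oid(sig_oid) + der_tlv(0x05, b""))    # { OID, NULL }
    sig = der_tlv(0x03, b"\x00" + bytes(8))                          # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (SHA1_RSA, SHA256_RSA):
        der = pem_to_der(der_to_pem(sample_cert(oid)))
        print(signature_algorithm(der), weak_signature_name(der))
```

Only signatures the JVM actually verifies matter: the self-signature on a trust anchor is not checked, but a SHA-1 signature on the leaf or on an intermediate is. The durable fix is to have the LDAP certificate reissued with SHA-256 rather than to loosen the JVM's constraints.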
ROUTING RULES / FORWARDED EVENTS | IJ22899 | OFFLINE FORWARDED NORMALIZED EVENTS DO NOT HAVE ASSOCIATED EVENT PROCESSOR ID IN LOG ACTIVITY OF DESTINATION HOST | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
No workaround available.

Issue
Offline forwarded normalized events display unknown Event Processor (EP) in the Log Activity of the destination host. As there is no associated Event Processor ID, this can cause event investigation issues during drill down in Offenses, rule triggering correlation, etc.
14 February 2020
QRADAR DEPLOYMENT INTELLIGENCE APP (QDI) | IJ22709 | QRADAR DEPLOYMENT INTELLIGENCE (QDI) APP ADVANCED HEALTH QUERY DISPLAYS BLANK GRAPHS FOR ENCRYPTED MANAGED HOSTS | OPEN: Reported as an issue in QRadar 7.3.2 Patch 6 and later.
Workaround
No workaround available.

Issue
The QRadar Deployment Intelligence (QDI) App displays blank graphs when attempting to perform an advanced health query on an encrypted Managed Host.

This is caused by the advanced health querying using the Managed Host primary IP instead of the VIP (tunnel IP).
14 February 2020
SYSTEM NOTIFICATIONS | IJ22344 | ‘NO SEARCH WAS FOUND WITH ID SYSTEM-LOGS. DROPPING BACK TO DEFAULT SEARCH’ IN SYSTEM NOTIFICATIONS AND LOGGING | OPEN: Reported as an issue in QRadar 7.3.2 Patch 5 and later.
Workaround
No workaround available.

Issue
Messages similar to the following might be visible in QRadar System Notifications and in /var/log/qradar.error after applying a QRadar patch:
[tomcat.tomcat] [admin@xx.xx.xx.xx(8380) /console/do/ariel/arielSearch] com.q1labs.ariel.ui.action.ArielSearch: [WARN] [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]No search was found with id SYSTEM-LOGS. Dropping back to default search.
14 February 2020
RULES / PERFORMANCE VISUALIZATION | IJ22339 | RULE PERFORMANCE INFORMATION FOR MODIFIED DEFAULT/SYSTEM RULES IS STORED IN THE ORIGINAL RULE NOT IN THE UPDATED RULE | OPEN: Reported as an issue in QRadar 7.3.2 and later.
Workaround
No workaround available.

Issue
Rule performance data for modified System/Default Rules is stored in the original rule, not the modified rule. This can lead to incorrect Rule Performance visualization data.
14 February 2020
AUDIT LOG | IJ22766 | EVENT MAPPING ADDS OR EDITS PERFORMED USING THE ‘MAP EVENT’ BUTTON IN LOG ACTIVITY ARE NOT AUDITED | OPEN: Reported as an issue in QRadar 7.2 and later versions.
Workaround
No workaround available.

Issue
Event mapping adds or edits performed using Log Activity -> View Event Information -> Click on Map Event are not audited in /var/log/audit/audit.log
14 February 2020
JDBC PROTOCOL / LOG SOURCE MANAGEMENT APP | IJ20450 | LOG SOURCE MANAGEMENT APP IS NOT ABLE TO CREATE JDBC LOG SOURCE WHEN ‘NONE’ IS CHOSEN FROM THE ‘QUERYLIST’ | CLOSED
Resolved in
PROTOCOL-JDBC-7.3-20200110201324.noarch.rpm or later. This protocol update is available through QRadar weekly auto updates.

Workaround
Use the legacy Log Source management user interface to create JDBC log sources where the Predefined Query field must be set to None.

Issue
It has been identified that creating a JDBC Log Source using the Log Source Management app fails when ‘none’ is chosen from the Predefined Query field. Using the legacy Log Source User Interface (UI) to create the same Log Source works as expected.
23 October 2019
ORACLE DATABASE LISTENER PROTOCOL | IJ22710 | REPEATED ‘CAUGHT SIGPIPE, RESET CONNECTION’ EVENTS BEING GENERATED WHEN USING PROTOCOL ORACLE DATABASE LISTENER | OPEN: Reported in QRadar 7.3.1 Patch 8 and later.
Workaround
No workaround available.

Issue
When using Log Sources configured with the Oracle Database Listener Protocol, the oracle_osauditlog_fwdr.pl script is causing repeated “caught sigpipe, reset connection” events to be generated.
19 February 2020
LOG ACTIVITY | IJ22898 | POPUP “ERROR! NO NODE SENT TO TREE METHOD’EXPANDNODE()” IN LOG ACTIVITY TAB WHEN USING DOUBLE BYTE CHARACTER SET LOCALE | OPEN: Reported in QRadar 7.3.2 Patch 6 and later.
Workaround
No workaround available.
Note: This does not occur when using the English locale in QRadar.

Issue
A Client Exception popup message can occur in the QRadar User Interface on the Log Activity tab when QRadar is configured to use a double byte character set locale and the following navigation path is attempted:
  1. Click the Log Activity tab.
  2. From the navigation menu, select Search > New Search.
  3. In the Search Parameters field, select Source Network.
  4. From the Operator drop-down, select Equals.
  5. In the Value drop-down, attempt to select a value entry.

Results
The following error popup is generated:
    Client Exception
    The following client exception occurred while handling the server response:
    {0} Error: ERROR! No node sent to Tree method "expandNode()"
28 February 2020
APACHE KAFKA / LOG SOURCE MANAGEMENT APP | IJ22711 | MULTILINE LOG SOURCE IDENTIFIER PATTERN FOR APACHE KAFKA PROTOCOL NOT WORKING WITH LOG SOURCE MANAGEMENT APP | OPEN: Reported in QRadar 7.3.2 Patch 4 and later.
Workaround
Use the legacy Log Sources User Interface instead of the Log Source Management App.

Issue
The Log Source Management App saves Multiline Log Source Identifier Pattern without valid line break regex for the Apache Kafka Protocol.
28 February 2020
APPLICATION FRAMEWORK / CERTIFICATES | IJ23059 | APPS CAN FAIL TO LOAD DUE TO CERTIFICATES NOT BEING RENEWED AS EXPECTED WHEN THE QRADARCA-MONITOR SERVICE HANGS | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
A restart of the qradarca-monitor service running on the QRadar Console can often correct the stuck service.
# systemctl restart qradarca-monitor


Issue
QRadar Apps can fail to load due to expired certificates not being renewed if the qradarca-monitor service is in a stuck state. Messages similar to the following might be visible in /var/log/messages when this issue occurs:
bash[119986]: net.runtime_pollWait(0x7f9c451ffe70, 0x72, 0x8)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/runtime/netpoll.go:164 +0x59
bash[119986]: net.(*pollDesc).wait(0xc4202a81b8, 0x72, 0x8cdfc0, 0x8ca560)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_runtime.go:75 +0x38
bash[119986]: net.(*pollDesc).waitRead(0xc4202a81b8, 0xc42028eab8, 0x1)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_runtime.go:80 +0x34
bash[119986]: net.(*netFD).Read(0xc4202a8150, 0xc42028eab8, 0x1, 0x1, 0x0, 0x8cdfc0, 0x8ca560)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_unix.go:250 +0x1b7
bash[119986]: net.(*conn).Read(0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x0, 0x0, 0x0)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/net.go:181 +0x70
bash[119986]: io.ReadAtLeast(0x7f9c45200170, 0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x1, 0x6f3a40, 0x1, 0xc42028eab8)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:307 +0xa9
bash[119986]: io.ReadFull(0x7f9c45200170, 0xc4202aa038, 0xc42028eab8, 0x1, 0x1, 0x40, 0x53c8e0, 0x7f9c45200170)
bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:325 +0x58
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.readVersion(0x7f9c45200170, 0xc4202aa038, 0xc4202aa038, 0x7f9c45200170, 0xc4202aa038, 0x0, 0x0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/transport.go:317 +0x101
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.exchangeVersions(0x8ced40, 0xc4202aa038, 0xc42028ead0, 0xa, 0x10, 0x10, 0x0, 0x8, 0x5, 0x8)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/transport.go:301 +0x111
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*connection).clientHandshake(0xc4202a4a80, 0xc42028ea80, 0x10, 0xc420322a90, 0x0, 0x0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:100 +0xf7
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.NewClientConn(0x8d2ee0, 0xc4202aa038, 0xc42028ea80, 0x10, 0xc42016c230, 0x8d2ee0, 0xc4202aa038, 0x0, 0x0, 0xc42028ea80, ...)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:83 +0x103
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.Dial(0x764983, 0x3, 0xc42028ea80, 0x10, 0xc42016c230, 0xc42028ea80, 0x10, 0xc42031e000)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:177 +0xb3
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.connectToHost(0x764c0e, 0x4, 0xc42019ca86, 0xd, 0x1, 0xc420292840, 0x31, 0xdd)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/util.go:281 +0x260
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.CheckRemoteFileExisted(0x764c0e, 0x4, 0xc42019ae80, 0x20, 0xc42019ca86, 0xd, 0xc42016c400, 0x0, 0x0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/remote.go:62 +0x136
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.checkCertificateOnRemote(0xc42019ca86, 0xd, 0xc4201937d0, 0x9, 0xc42019ae60, 0x12, 0xc4201937e0, 0x9, 0x764b6a, 0x4, ...)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/check.go:94 +0x2a6
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.regenerateCertFromCSR(0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, 0x0, ...)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:228 +0x421
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*checkmap).monitorAndRegenerateCert(0xc42016d978, 0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, ...)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:177 +0x307
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.monitorCert(0xc4201500a0, 0x0, 0x1, 0xc420164000)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:228 +0x421
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*checkmap).monitorAndRegenerateCert(0xc42016d978, 0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, ...)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:177 +0x307
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.monitorCert(0xc4201500a0, 0x0, 0x1, 0xc420164000)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:197 +0x49e
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*monitor).MonitorCertificates(0x9211a0, 0xc4201500a0, 0x0, 0xc4201500b0, 0x0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:46 +0x41
bash[119986]: main.cmdExecutor(0x4062fc, 0xc4200b2058)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/main.go:462 +0x3d79
bash[119986]: main.main(
bash[119986]: goroutine 9 [select, 46859 minutes]:
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc4200d09a0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:268 +0x823
bash[119986]: created by q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.newClientTransport
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:135 +0x1c8
bash[119986]: goroutine 25 [chan receive, 46859 minutes]:
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).handleChannelOpens(0xc4201c0580, 0xc4201e8300)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:147 +0x68
28 February 2020
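The dump above is a Go goroutine dump written to /var/log/messages: the goroutine headers ("goroutine 9 [select, 46859 minutes]:") show the qradarca-monitor SSH handshake goroutines parked for 46859 minutes, about 32 days, which is what "stuck state" looks like in the log. The following Python is an added example, not code from this page or from IBM; it parses such a dump, strips the syslog tag, and lists goroutines that have waited longer than a threshold together with their top frame, so the hang can be confirmed before the service is restarted. The sample dump is constructed from the headers and frames quoted above plus one made-up healthy goroutine.

```python
import re

# Header the Go runtime prints for each goroutine, e.g. from the dump above:
#   goroutine 9 [select, 46859 minutes]:
# "<n> minutes" is only present once a goroutine has waited a minute or more.
GOROUTINE_RE = re.compile(r"goroutine (\d+) \[([^\],]+)(?:, (\d+) minutes)?\]:")

# Syslog tag in front of every line when the dump lands in /var/log/messages,
# e.g. "bash[119986]: " (one line in the dump above lacks the colon).
SYSLOG_TAG_RE = re.compile(r"^.*?\b\w+\[\d+\]:?\s*")


def strip_syslog_tag(line):
    """Remove a leading syslog prefix such as 'Feb 28 09:00:00 host bash[119986]: '."""
    return SYSL0G_TAG_RE.sub("", line, count=1).strip() if False else SYSLOG_TAG_RE.sub("", line, count=1).strip()


def parse_goroutine_dump(text):
    """Return [(goroutine id, wait state, minutes waited, top frame)] for every
    goroutine header in the dump; minutes is 0 when the runtime printed none."""
    lines = [strip_syslog_tag(l) for l in text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = GOROUTINE_RE.match(line)
        if not m:
            continue
        gid, state, minutes = int(m.group(1)), m.group(2), int(m.group(3) or 0)
        top_frame = lines[i + 1] if i + 1 < len(lines) else ""
        found.append((gid, state, minutes, top_frame))
    return found


def stuck_goroutines(text, min_minutes=60):
    """Goroutines that have been parked for at least min_minutes."""
    return [g for g in parse_goroutine_dump(text) if g[2] >= min_minutes]


def days(minutes):
    return round(minutes / 1440, 1)


# Constructed sample: the two goroutine headers and frames quoted above, plus a
# made-up goroutine 41 that is runnable (not stuck).
DUMP = """\
bash[119986]: goroutine 9 [select, 46859 minutes]:
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc4200d09a0)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:268 +0x823
bash[119986]: created by q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.newClientTransport
bash[119986]: goroutine 25 [chan receive, 46859 minutes]:
bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).handleChannelOpens(0xc4201c0580, 0xc4201e8300)
bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:147 +0x68
bash[119986]: goroutine 41 [runnable]:
bash[119986]: main.healthy()
"""

if __name__ == "__main__":
    for gid, state, minutes, frame in stuck_goroutines(DUMP, min_minutes=60):
        print(f"goroutine {gid} [{state}] parked {minutes} min ({days(minutes)} days) in {frame}")
```

Both stuck goroutines sit inside the SSH client (kexLoop and handleChannelOpens), which matches the workaround: restarting qradarca-monitor tears down the hung connection to the managed host and lets the certificate check run again.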
EVENT PIPELINE / DISK SPACE | IJ23194 | EVENT COLLECTION ON APPLIANCES CAN STOP DUE TO AN INCORRECT PIPELINEDISKMONITOR FREE SPACE CALCULATION | CLOSED
Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Run the following from the command line on all QRadar appliances:
# sed -i.bak 's/du -sB/du -xsB/' /opt/qradar/bin/pipelineDiskMonitor.py


Issue
The event collection service ecs-ec-ingress on QRadar appliances can stop sending events as a result of an incorrect calculation performed by the pipelineDiskMonitor.py script not taking into account that there can be filesystems mounted under store.

Note: A "percents=" value greater than 100% in the message below is an indication that this calculation error can be the cause of event collection stopping, for example "percents=148%".

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor]
com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs
-ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN]
[NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has
detected that spillover queue threshold is crossed
(total=70252554 MB, used=103749251  MB, free=-33496697  MB,
percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts
dropping events until disk issue resolved.
13 March 2020
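As an added illustration of IJ23194 (example code written for this page, not part of QRadar or of pipelineDiskMonitor.py), the following Python script flags the PipelineDiskMonitor warning signature in qradar.log lines, using the figures quoted above, and shows the `du -x` style single-filesystem walk that the sed workaround enables. The sample log lines and the `walk_self_check` helper are constructed for the example.

```python
"""Checks for the IJ23194 PipelineDiskMonitor miscalculation.

Example code added to illustrate the APAR above; it is not part of QRadar
or of pipelineDiskMonitor.py.  The APAR says the script measured usage
with `du -sB`, which descends into filesystems mounted below /store, so
"used" can exceed "total", "free" goes negative and percents passes 100%,
at which point ecs-ec-ingress drops events.  The sed workaround switches
to `du -xsB`, which stays on one filesystem.
"""
import os
import re
import tempfile

# Constructed sample lines: the first reproduces the figures quoted in the
# APAR, the second is a healthy (consistent) reading, the third is noise.
SAMPLE_LOG = """\
[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251  MB, free=-33496697  MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=64000000  MB, free=6252554  MB, percents=91%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
[hostcontext.hostcontext] [ProcessMonitor] unrelated line for contrast
"""

DISK_RE = re.compile(
    r"PipelineDiskMonitor has detected .*?\(total=(?P<total>-?\d+)\s*MB,"
    r"\s*used=(?P<used>-?\d+)\s*MB,\s*free=(?P<free>-?\d+)\s*MB,"
    r"\s*percents=(?P<pct>-?\d+)%"
)


def classify_line(line):
    """Parse one PipelineDiskMonitor warning.

    Returns None for unrelated lines, otherwise a dict with the figures and
    a `miscalculated` flag.  For a single filesystem, used can never exceed
    total; used > total (equivalently free < 0 or percents > 100) is the
    signature that du walked into a nested mount.
    """
    m = DISK_RE.search(line)
    if not m:
        return None
    total, used, free, pct = (int(m.group(k)) for k in ("total", "used", "free", "pct"))
    return {
        "total_mb": total,
        "used_mb": used,
        "free_mb": free,
        "percent": pct,
        "miscalculated": used > total or free < 0 or pct > 100,
    }


def scan_log(text):
    """Return the parsed records for every PipelineDiskMonitor warning in text."""
    return [rec for rec in map(classify_line, text.splitlines()) if rec]


def du_one_filesystem(path):
    """Sum regular-file sizes under path without crossing mount points.

    This is the `du -x` behaviour the workaround enables: a subdirectory whose
    st_dev differs from the starting directory is a mount point and is pruned,
    so space consumed by a filesystem mounted below /store is not counted
    against /store's total.
    """
    root_dev = os.lstat(path).st_dev
    total = 0
    for dirpath, dirnames, filenames in os.walk(path):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if st.st_dev == root_dev:
                total += st.st_size
    return total


def walk_self_check():
    """Create a throwaway tree (3 + 5 bytes) and confirm the walker sums 8."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "a.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(tmp, "sub", "b.bin"), "wb") as f:
            f.write(b"defgh")
        return du_one_filesystem(tmp) == 8


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        state = "IJ23194 signature" if rec["miscalculated"] else "consistent"
        print(f"used={rec['used_mb']} MB of total={rec['total_mb']} MB "
              f"({rec['percent']}%): {state}")
    print("du -x style walk OK:", walk_self_check())
```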
OUTPOST24 VULNERABILITY SCANNER IJ23038 LAST SCAN DATE DISPLAYED FOR OUTPOST24 VULNERABILITY SCANNER WITHIN QRADAR CAN BE INCORRECT OPEN: Reported in QRadar 7.3.2 Patch 5 and later. Workaround
No workaround available.

Issue
Incorrect Last Scan date value is displayed in QRadar for an Outpost24 vulnerability scan.

To replicate this reported issue:
  1. Configure Outpost24 to run on date Jan 20, 2020 and get the scan results into QRadar.
  2. Run a new scan on Outpost24 on Feb 20, 2020 and get the scan results in QRadar.

    Results
    QRadar does not update the last scan date value to the appropriate date.
06 March 2020
OFFENSES / DASHBOARD IJ23415 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE OPEN OFFENSES USING DASHBOARD WIDGET OPEN: Reported in QRadar 7.3.2 Patch 6 and later. Workaround
Close the Offense via the Offense tab in the QRadar User Interface.

Issue
'Application Error' can occur when attempting to close open offenses using Dashboard widget.

To recreate this issue:
  1. Go to Dashboard
  2. Show dashboard -> Threat and Security Monitoring
  3. Pick offense via the offense widgets (Most recent/Most severe offenses)
  4. When in the offense, select Actions -> Close
  5. Results
    An application error is displayed in the user interface.
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]
com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
while processing the request:
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]
com.ibm.si.content_management.utils.ApplicationErrorStateExcepti
on
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.sem.ui.action.MaintainProperties.findNextForward(Main
tainProperties.java:230)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecu
re(MaintainProperties.java:80)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.sem.ui.action.MaintainProperties.updateProperties(Mai
ntainProperties.java:213)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
Impl.java:90)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
AccessorImpl.java:55)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
Action.java:280)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.actions.DispatchAction.execute(DispatchAction.
java:216)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
ction.java:64)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.action.RequestProcessor.processActionPerform(R
equestProcessor.java:484)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.action.RequestProcessor.processActionPer
form(RequestProcessor.java:101)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.action.RequestProcessor.process(RequestProcess
or.java:275)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.action.ActionServlet.process(ActionServlet.jav
a:1482)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.action.ActionServlet.process(ActionServl
et.java:122)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:231)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
UserHeaderFilter.java:86)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
NameFilter.java:53)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsPara
mFilter.java:41)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter
.doFilter(PostLoginRedirectFilter.java:70)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.do
Filter(AuthenticationVerificationFilter.java:304)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.auth.PersistentSessionFilter.doFilter(Pe
rsistentSessionFilter.java:89)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.auth.SecAuthenticationFilter.doFilter(Se
cAuthenticationFilter.java:132)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.ibm.si.console.cors.ProcessCorsFilter.doFilter(ProcessCorsFi
lter.java:159)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFi
lter(AddEncodingToRequestFilter.java:56)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(De
stroySessionFilter.java:26)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:193)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
tionFilterChain.java:166)
[tomcat.tomcat] [user@127.0.0.1 (8795)
/console/do/sem/properties]    at
com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(Add
HSTSHeaderFilter.java:22)
11 March 2020
OFFENSES / EMAIL ALERTS IV49730 IT IS NOT POSSIBLE TO CUSTOMIZE OFFENSE RULE EMAIL ALERTS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Install QRadar 7.4 where features added in this version resolve this reported APAR.

Issue
Currently you can modify email alerts for event and flow rules using /store/configservices/staging/globalconfig/templates/custom_alerts/alert-config.xml, but it is not possible to customize the email alerts for offense based rules.
21 April 2015
CONTENT MANAGEMENT TOOL (CMT) IV80631 CONTENT MANAGEMENT TOOL IMPORTS CAN SOMETIMES TAKE LONGER THAN EXPECTED AND/OR FAIL AFTER RUNNING FOR A LONG PERIOD OF TIME CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.
In the current implementation we are not looking to maintain the legacy CMT. Performance is a paramount concern in our rewrite of the CMT, so this type of issue should not recur once support for import is written in the new implementation.

Workaround
If possible, do not have Reference Set elements in the Content Management Tool (CMT) export prior to attempting the bundled CMT import.

Issue
Content Management Tool imports that include Reference Set elements can sometimes run for an unexpectedly long period of time. In some instances, this has been known to cause an Out Of Memory occurrence after attempting to complete the import over a period of multiple days.
03 January 2020
DEPLOY CHANGES IV87562 A QRADAR 'DEPLOY' FUNCTION CAN RESTART TUNNELS UNEXPECTEDLY CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been observed that a QRadar 'Deploy' function can sometimes restart tunnels unnecessarily when changes are made in the User Interface that should not require a tunnel restart.

For example, tunnels restart after a regular 'Deploy Changes' following these user actions:
  1. When adding a new user
  2. After updating the Network Hierarchy
04 August 2016
DASHBOARD IV94448 DASHBOARDS ELEMENTS/WIDGETS THAT HAVE BEEN SHARED CAN SOMETIMES FAIL TO LOAD IN THE QRADAR USER INTERFACE CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.2 (7.3.2.20190201201121).

Issue
After sharing Dashboards, it has been observed that some of the shared Dashboard elements/widgets can fail to load and exceptions in /var/log/qradar.error similar to the following might be visible upon user login:
[tomcat] [admin@127.0.0.1 (3814)
/console/JSON-RPC/QRadar.getDashboardSearch
QRadar.getDashboardSearch]
com.q1labs.qradar.ui.widget.graph.ArielSearchGraphWidget:
[WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Could not parse
'items to graph' from user data:
[tomcat] admin@127.0.0.1 (3814)
/console/JSON-RPC/QRadar.getDashboardSearch
QRadar.getDashboardSearch] java.lang.NumberFormatException: For
input string: ""
[tomcat] [admin@127.0.0.1 (3814)
/console/JSON-RPC/QRadar.getDashboardSearch
QRadar.getDashboardSearch]    at
java.lang.NumberFormatException.forInputString(NumberFormatException.java)
03 January 2020
DASHBOARD IV96788 SETTING UP DISPLAYED DASHBOARD RESTRICTIONS BY USER ROLE IS NOT HONORED CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.

When a user is created/deployed, they inherit a copy of the out-of-the-box dashboard templates. These are modifiable because they are a user-owned copy of the template. The User Role dashboard sharing feature only applies to user-created dashboards. When shared using the 'Share' option, the dashboards are read-only (if you are not the owner, you should not be able to delete it). In the future, dashboards will be moved to the Pulse app.

Issue
It has been observed after configuring Dashboards for QRadar users, and attempting to restrict the Available Dashboards by User Role, that the Dashboard viewing restrictions are not honored.
05 June 2018
QRADAR VULNERABILITY MANAGER / SCAN REPORT IV98492 QRADAR VULNERABILITY MANAGER SCAN CAN SOMETIMES NOT DETECT MS17-010 VULNERABILITY CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Create a scan policy and include only the netbios tool group.

Issue
It has been identified that QVM vulnerability scans do not detect the "CVE-2017-0143 - MS17-010 - Microsoft - Windows - EternalBlue Issue" vulnerability when a scan policy contains only the "smb - EternalBlue - MS17-010" tool.
31 July 2017
MANAGED HOST / HOSTCONTEXT SERVICES IJ02072 QRADAR LOGGING REPORTS HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

The file handle issue was partially addressed in APAR IV94782, but an outstanding issue causing the same behavior could still be present.

Issue
It has been observed in some customer environments that Hostcontext can run out of available file handles due to code relating to nva.conf.

Repetitive messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [ProcessMonitor] java.io.IOException:
error=24, Too many open files
13 December 2017
DEPLOY CHANGES IJ02476 REMOVING ENCRYPTION FROM A MANAGED HOST CAUSES DEPLOY FUNCTION TO FAIL TO THAT MANAGED HOST CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
From the System and License Management interface, encrypt the host connection on the Managed Host and Deploy changes.

Issue
It has been identified that the QRadar deploy function to a Managed Host fails (times out) after removing encryption from that Managed Host (Encrypt Host Connection option).

To replicate this issue:
  1. Click the Admin tab.
  2. Click the System and License Management icon.
  3. Click on the Managed Host and then Deployment Actions.
  4. Click Edit Host.
  5. Un-check Encrypt Host Connection and save the changes.
  6. Click Deploy Changes.

    Results
    The Deploy Changes function for that Managed Host times out.


  7. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    Caused by:
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Failed to download new configuration set
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
    dProcessGlobalSets(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.prepareNon
    ConsoleGlobalSets(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 10 more
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    Caused by:
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Timeout on deployment token synchronization
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
    com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
    dProcessGlobalSets(ConfigSetUpdater.java)
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 11 more
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.util.HostContextUtilities: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Removing file hostcontext.NODOWNLOAD
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.configuration.ConfigChangeObserver:
    [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message
    suppressed 1 times in 300000 milliseconds
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.configuration.ConfigChangeObserver:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to
    download and apply new configuration
    [hostcontext.hostcontext]
    [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
    com.q1labs.hostcontext.exception.HostContextConfigException:
    Unable to create flag file to denote a hostcontext restart to
    create tunneled frameworks connections
12 December 2017
OFFENSES IJ02571 OFFENSE RULE SNMP RESPONSES DO NOT REFLECT THE OFFENSE DATA CLOSED This issue has been closed as an expired issue and no fix is planned at this time.

Workaround
No workaround available.

Issue
It has been observed that after an offense rule is created and an SNMP response is configured for that rule, with the offenseCRE.snmp.xml file modified to configure the OIDs (properties) that are sent in the SNMP trap, the response code in QRadar uses the asset model to attempt to populate these values for the Offense.

When this occurs, the SNMP trap does not always contain the expected data that is visible in the Offense.
12 December 2017
LOG ACTIVITY / SEARCH IJ05192 LOG ACTIVITY SEARCH ERRORS '...PROBLEM CONNECTING TO THE QUERY SERVER' AND '...INVALID WHITE SPACE CHARACTER...' IN THE LOGS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

Workaround
No workaround available.

Issue
It has been observed that Log Activity searches can sometimes fail with a message similar to: "There was a problem connecting to the query server. please try again later"

This error message can coincide with error messages in /var/log/qradar.error:
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7]
com.thoughtworks.xstream.io.StreamException:
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] Caused by:
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7]
com.ctc.wstx.exc.WstxIOException: Invalid white space character
(0x11) in text to output
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at
com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java)
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at
com.thoughtworks.xstream.io.xml.StaxWriter.setValue(StaxWriter.java)
[ariel.ariel_proxy_server]
[ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] ... 77 more
10 February 2020
OFFENSES / PERFORMANCE IJ09192 OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO LOAD FOR OFFENSES WITH A LARGE NUMBER OF ATTACKERS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that loading the offense summary of a single offense can sometimes take longer than expected (multiple minutes) for Offenses with a large number of attackers.
04 December 2018
DEPLOYMENT / REMOVE HOST IJ12277 PROCESSOR MANAGED HOSTS INSTALLED AS TYPE "SOFTWARE" GENERATE ERROR WHEN ATTEMPTING TO BE REMOVED FROM DEPLOYMENT CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Install the latest software version or contact Support for a possible workaround that might address this issue if you cannot upgrade at this time.

Issue
It has been identified that attempting to remove a QRadar processor (Event or Flow) from a QRadar deployment can fail and generate an error similar to the following if the processor was built as type "Software" at version 7.2.x and then upgraded to 7.3.1.

When this issue occurs, the following error messages can be displayed in the user interface:

  • There are not enough unallocated EPS in the pool to maintain the event rate limits that are assigned to managed hosts
    or
  • There are not enough unallocated FPM in the pool to maintain the flow rate limits that are assigned to managed hosts
16 September 2019
VULNERABILITY SCAN / QRADAR VULNERABILITY MANAGER IJ19254 TXSENTRY ERRORS CAN OCCUR DURING VULNERABILITY IMPORTS OF A LARGE NUMBER OF ASSETS WITH VULNERABILITY EXCEPTIONS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Avoid importing thousands of assets that require the same vulnerability exception at once by staggering the vulnerability imports.

Issue
It has been identified that TxSentry errors can occur during vulnerability imports of a large number of assets (several thousand) with vulnerability exceptions. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -]  Lock acquired on host
127.0.0.1: rel=vulninstance age=623 granted=t mode=RowShareLock
query='SELECT exception_rule.config_update();
16 September 2019
RULES / RULES WIZARD IJ19268 LOADING RULES FROM EVENTS GENERATES '[UNKNOWN RULE NAME]' AND 'INVALID XML CONTENT' MESSAGES IN QRADAR LOGGING CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Upgrade to the latest software version or contact Support for a possible workaround that might address this issue in some instances if you are unable to upgrade at this time.

Issue
It has been identified that when loading Rules from within events, messages containing "UNKNOWN RULE NAME" might be displayed. These errors have been observed when control characters are present in data within the rule_data database table.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] Caused by:
[tomcat.tomcat]
[Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] com.q1labs.restapi_annotat
ions.content.exceptions.endpointExceptions.ServerProcessingExcep
tion: An error occured while trying to retrieve the
rule
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at com.q1labs.core.api.imp
l.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at com.q1labs.core.api.R2_
2016.customrule.CustomRuleAPI.getCustomRules(CustomRuleAPI.java)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at
sun.reflect.GeneratedMethodAccessor526.invoke(Unknown Source)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at sun.reflect.DelegatingM
ethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at
java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at com.q1labs.restapi.serv
let.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] at com.q1labs.restapi.serv
let.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java)
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] ... 46 more
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules] Caused by:
[tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
/console/restapi/api/analytics/rules]
[openjpa-2.2.2-r422266:1468616 fatal general error]
org.apache.openjpa.persistence.PersistenceException: ERROR:
invalid XML content
 Detail: line 1: xmlParseCharRef: invalid xmlChar value 6
lt;a href='javascript:editParameter("12", "3")'
class='dynamic'>metadata
 ^
line 1: xmlParseCharRef:
invalid xmlChar value 6
ns multiselect="false" source="user"
format="user"/][userSelection]metadata
 ^
line 1: chunk is
not well balanced {prepstmnt 1473478204 SELECT * FROM
custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]',
CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) !=
'{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC} 
26 September 2019
RULES / RULES WIZARD IJ20232 ' ? ' CHARACTERS DISPLAYED AT THE END OF EACH LINE OF "RULE NOTES" THAT CONTAIN LINE BREAKS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that when configuring a rule that includes a line break in the "Rule Notes" section, question mark '?' characters are displayed at the end of each line.
17 October 2019
ROUTING RULES IJ20466 EVENTS CONFIGURED TO BE DROPPED BY ROUTING RULES ARE NOT BEING DROPPED DURING A HOSTCONTEXT RESTART OPEN: Reported in QRadar 7.3.2 versions Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that Events which are configured to be dropped by routing rules are not being dropped during a hostcontext restart.
08 November 2019
RULES / RULES WIZARD IJ20767 'AN ERROR HAS OCCURRED SAVING YOUR RULE. PLEASE TRY AGAIN LATER' WHEN ATTEMPTING TO SAVE A RULE CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that when saving a Rule, the following message might be observed due to rule_data not being validated prior to persisting it to the database: "An error has occurred saving your rule. Please try again later."

To replicate this issue:
  1. Use "sss" as a rule's Annotate event under Rule Action.
  2. Click Next until the Summary page, and click Finish.

    Results
    The save rule error is displayed in the user interface and the following messages are visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to save rule. Reason: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to Save rule
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] java.lang.RuntimeException: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.validateRuleData(CREServices.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.saveWizard(RuleWizard.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.executeAction(RuleWizard.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
    [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
13 November 2019
API IJ20152 NETWORK ID FETCHED BY API '/ASSET_MODEL/ASSETS' AND 'CONFIG/NETWORK_HIERARCHY/NETWORKS' ARE DIFFERENT CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that the network ids fetched by the APIs /asset_model/assets and /config/network_hierarchy/networks are different. This can produce unexpected or incorrect data being returned for queries using the API.
17 October 2019
DISK SPACE IJ20632 A QRADAR APP BACKUP SCRIPT CAN SOMETIMES FAIL CAUSING /STORE PARTITION FREE SPACE ISSUES CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
No workaround available.

Issue
It has been identified that in some instances the app-volume-backup.py script does not clean up failed or incomplete backups. When this issue occurs, it is possible for the /store partition to fill.
12 November 2019
MANAGED HOST / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue: The QRadar Add Host process can fail because of a password decoding error that occurs during the Add Host process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] java.lang.IllegalArgumentException: Last unit does not have enough valid bits
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode0(Base64.java:745)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java:537)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java:560)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:98)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.Crypto.decrypt(Crypto.java:55)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java:46)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java:1122)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java:2143)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java:2103)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1530)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:74)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java:51)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:71)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed host. The ip of the host is: x.x.x.x
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving message
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java:76)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java:489)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java:107)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java:80)
17 January 2020
ACCESS / USER LOG IN IJ21731 QRADAR USERS CAN BE UNABLE TO LOGIN TO THE USER INTERFACE WHEN MULTIPLE HOST LOCKS OCCUR AT THE SAME TIME CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
When this issue occurs, restart the tomcat service on the QRadar Console from an SSH session to allow logins to succeed again:
systemctl restart tomcat
NOTE: The QRadar user interface becomes available again after all required processes are running as expected.

Issue
QRadar users can be prevented from logging in when the QRadar authentication cleanup job fails to run as expected because multiple host locks occur at the same time.
19 December 2019
CUSTOM EVENT PROPERTIES IJ19261 JSON EXPRESSIONS CAN MATCH IN CUSTOM EVENT PROPERTY UI PAYLOAD TESTS BUT DO NOT MATCH ON RECEIVED EVENTS CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround: Ensure the correct expression is used. Not all expressions that return a result with the Test button in the QRadar user interface produce the expected results when events are processed.

Issue: It has been identified that putting a "/" before the index does not invalidate the match when testing JSON expressions in the Custom Event Property (CEP) user interface. This can result in false positives in the CEP user interface (Admin > Data Sources > Custom Event Properties).

For example:
  • Correct:
    /"object"[0]/"desiredPropertyName"
  • Incorrect:
    /"object"/[0]/"desiredPropertyName"
In this example, the second expression includes an extra forward slash "/". The Custom Event Property interface generates a false positive match for it, but the property shows "N/A" when an event is processed through the event pipeline.
26 September 2019
HTTP INSPECTOR / QRADAR NETWORK INSIGHTS IJ20823 QRADAR NETWORK INSIGHTS (QNI) COREDUMP CAN OCCUR DUE TO HTTP INSPECTOR CLOSED Resolved in
QRadar Network Insights 7.4.0 (7.4.0.20200304205308)
QRadar Network Insights 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround: No workaround available.

Issue: It has been identified that the QRadar Network Insights (QNI) HTTP inspector component can cause QNI core dumps, which are written to /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
13 November 2019
UPGRADE / HIGH AVAILABILITY (HA) IJ21673 HIGH AVAILABILITY (HA) CROSSOVER NO LONGER ENABLED AFTER PATCHING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Re-enable the crossover after the patching process is completed using the following command from an SSH session:
/opt/qradar/ha/bin/qradar_nettune.pl crossover enable
How to verify crossover status on HA: https://ibm.biz/BdqBSg

Issue:
After patching to QRadar 7.3.3, High Availability (HA) pairs configured with a crossover cable connection can be left with the crossover disabled after the appliance reboots complete.
22 January 2020
FLOWS IJ21657 'LAST PROXY IPV4' AND 'LAST PROXY IPV6' FLOW DATA IS NOT PARSED CORRECTLY CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
In QRadar 7.3.2 and later, the "Last Proxy IPv4" and "Last Proxy IPv6" fields from flows are not parsed correctly. When this occurs, new and existing searches that use these fields no longer function as expected.
19 December 2019
DSM EDITOR IJ21643 DSM EDITOR PAGE 'EXPORT' BUTTON IS MISSING CLOSED Resolved in
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
The DSM Editor page 'Export' button is missing after upgrading to QRadar 7.3.3 from 7.3.2 Patch 4 or later.
20 December 2019
DSM EDITOR IJ21610 DSM EDITOR USER INTERFACE REGEX VALIDATION CAN DIFFER FROM THE QRADAR PIPELINE CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Contact Support for a possible workaround that might address this issue in some instances or upgrade to the latest software version.

Issue
The DSM Editor user interface and the event pipeline can sometimes disagree about what constitutes a valid regex. This has been observed when a character that has no special meaning in a regex is escaped unnecessarily. Example: username\=(\S+). The = sign here does not need to be escaped; most regex engines accept the escape, but QRadar might treat the expression as an invalid regex.
18 December 2019
INSTALL IJ21608 QRADAR SOFTWARE INSTALL CAN FAIL DUE TO PARTITION SIZE CHECK FAILURE OPEN: Reported in QRadar 7.3.2 versions Workaround: Install QRadar at an earlier version (for example, 7.3.1 Patch 5) and then patch up to the target version.

Issue:
QRadar software installation on a boot disk (sda) smaller than the required minimum fails with a message similar to:
Initializing...
Starting setup session in screen
EULA accepted on Thu Jan  4 19:30:16 UTC 2018
About to install QRadar version 7.3.0.20171205025101
Install started on Thu Jan  4 19:30:17 UTC 2018 but was not completed.
Attempting to continue...
done.
Checking that SELinux is disabled...
OK: SELinux is disabled.
Checking that system language is set to en_US.UTF-8...
OK: System language is set to en_US.UTF-8
Checking for minimum disk size...
ERROR: Boot disk sda is only 32768 MiB but must be at least 78125 MiB.
ERROR: This version does not support small drives. You must replace the drive before trying again.
Press enter to close screen
20 December 2019
QRADAR RISK MANAGER / ADAPTER BACKUP IJ21606 QRADAR RISK MANAGER (QRM) DEVICE ADAPTER BACKUPS CAN FAIL WHEN STRICT SSH KEY EXCHANGE ALGORITHMS ARE EMPLOYED TO RESTRICT COMM OPEN: Reported in QRadar 7.3.3 versions Workaround: No workaround available.

Issue:
QRadar Risk Manager (QRM) is unable to discover or back up devices when strict SSH key exchange algorithms are employed to restrict communication.

The message "Couldn't agree a key exchange algorithm" is shown in the Configuration Source Management Backup Error Detail dialog and, if the backup was initiated from the Configuration Monitor screen, in the Recent Activity Adapter Backup log viewer.
16 December 2019
QRADAR VULNERABILITY INSIGHTS APP IJ21604 QRADAR VULNERABILITY INSIGHTS APP REPORT IN FAILED "ERROR" STATUS OPEN: Reported in QRadar Vulnerability Insights App v1.1.0 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
The QRadar Vulnerability Insights scan compare report can fail to generate, with only the text 'error' shown against the report in the user interface, when the vulnerability's critical details contain "::" characters.
20 December 2019
USER INTERFACE IJ21588 "TYPEERROR: DOMAPI.GETELM IS NOT A FUNCTION" WHEN ON THE QRADAR ADMIN TAB AND USING FIREFOX WEB BROWSER OPEN: Reported in QRadar 7.3.3 Workaround: No workaround available.

Issue:
Clicking the Admin tab when you are already on the Admin tab can throw a client exception with a message similar to:
The following client exception occurred while handling the server response:
{0}
TypeError: domapi.getElm is not a function

This has been observed on Firefox version 68.0.1 as well as Firefox version 71.0 on Windows 10.
20 December 2019
AQL CUSTOM PROPERTY / USER INTERFACE IJ21571 APPLICATION ERROR IN THE UI CAN BE GENERATED WHEN OPENING AN EVENT RETURNED FROM A SEARCH WITH AQL CUSTOM PROPERTY OPEN: Reported in QRadar 7.3.1 and later Workaround: No workaround available.

Issue:
An Application Error can be generated in the QRadar user interface when opening an event returned from a search that includes an AQL custom property. This occurs when the AQL custom property raises a backend divide-by-zero exception. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] Caused by:
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong.calculate(ArithmeticFunctions.java:352)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:223)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:205)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculateValue(ArithmeticFunctions.java:32)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:39)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:19)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:71)
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails]    ... 65 more
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
[tomcat.tomcat] [admin@127.0.0.1(18133002) /console/do/ariel/arielDetails] java.lang.ArithmeticException: divide by zero
20 December 2019
APPLICATION FRAMEWORK IJ21569 QRADAR APP BACKUPS CAN BE LEFT IN AN UNUSABLE STATE OPEN: Reported in QRadar 7.3.1 and later Workaround: No workaround available.

Issue:
Running QRadar apps can delete files from their /store/docker/volumes directory while the marathon backup script is running, which creates unusable backups. The app backup does not succeed and leaves an untarred directory for that day in the /store/backup/marathon directory. Messages similar to the following might be visible in QRadar logging when this issue occurs:
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 365, in
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: args.function(args)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 213, in backup_volumes
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: tar_dir(archive_path, host_path)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/local/bin/marathon-volume-backup.py", line 315, in tar_dir
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: tar.add(source_dir)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 1998, in add
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: recursive, exclude, filter)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 1991, in add
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: self.addfile(tarinfo, f)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 2020, in addfile
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: copyfileobj(fileobj, self.fileobj, tarinfo.size)
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File "/usr/lib64/python2.7/tarfile.py", line 274, in copyfileobj
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: raise IOError("end of file reached")
Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: IOError: end of file reached
20 December 2019
LICENSE IJ21588 NO WARNING OF UPCOMING EPS/FPS LICENSE EXPIRING OPEN: Reported in QRadar 7.3.0 and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
No warning message is displayed when a QRadar EPS/FPM license allocated to an Event Processor is nearing expiration. This causes the license pool to become over-allocated without appropriate notice.

For example, administrators do not receive a warning that the license is about to expire, only a message that it has already expired.

Current behavior: License "{LicenseIdentity}" allocated to host {IP} has expired.
20 December 2019
APPLICATION FRAMEWORK IJ21567 RESET OF QRADAR CERTIFICATES CAN FAIL WHEN QRADARCA-MONITOR SERVICE IS RUNNING AT THE SAME TIME OPEN: Reported in QRadar 7.3.2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
The reset-qradar-ca.sh script can fail to reset all certificates properly if it runs at the same time as the qradarca-monitor service.

Messages similar to the following might be visible in /var/log/localca.log when this issue occurs:
time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
time="2019-10-03T12:36:57-04:00" level=debug msg="Checking certificate /etc/conman/tls/conman_ca.crt expiration status for local host"
time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate /etc/conman/tls/conman_ca.crt was not found. Preparing to generate new certificate"
time="2019-10-03T12:36:57-04:00" level=debug msg="Certificate /etc/conman/tls/conman_ca.crt is close to expire. Regenerate the certificate"
time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating dependent certificate id=4, type=intermediate, file=/etc/conman/tls/conman_ca.crt, cfg=/opt/qradar/ca/conf.d/conman-server.json"
time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading configurations from /opt/qradar/ca/conf.d/conman-server.json"
time="2019-10-03T12:36:57-04:00" level=info msg="Setup intermediate CA for service conman"
time="2019-10-03T12:37:00-04:00" level=debug msg="127.0.0.1-> {fqdn}" action=command
time="2019-10-03T12:37:00-04:00" level=debug msg="Appliance Type: 4000\tProduct Version: 7.3.2.20190522204210" action=command
time="2019-10-03T12:37:00-04:00" level=debug msg=" 12:36:56 up 83 days,  1:43,  0 users,  load average: 2.33, 2.35, 2.19" action=command
time="2019-10-03T12:37:00-04:00" level=debug msg=------------------------------------------------------------------------ action=command
time="2019-10-03T12:37:00-04:00" level=debug action=command
time="2019-10-03T12:37:00-04:00" level=info msg="Setup CSR /etc/vault-qrd/tls/vault-qrd.csr for service vault-qrd under host IP ADDRESS"
time="2019-10-03T12:37:01-04:00" level=debug msg="INFO: Retrieving /etc/vault-qrd/tls/vault-qrd.csr from each server, will be placed in separate from-x.x.x.x directories under /opt/qradar/ca/certs" action=pull
time="2019-10-03T12:37:01-04:00" level=debug action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg="IP ADDRESS" -> xxxxxxx.xxxxxx.com" action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg="Appliance Type: 1400\tProduct Version: 7.3.2.20190522204210" action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg=" 12:37:00 up 83 days, 14:38,  0 users,  load average: 2.45, 2.48, 2.57" action=pull
time="2019-10-03T12:37:01-04:00" level=warning msg="CSR path /opt/qradar/ca/certs/from-IPADDRESS/vault-qrd.csr does not exist"
time="2019-10-03T12:37:01-04:00" level=debug msg=------------------------------------------------------------------------ action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: change_dir \"/etc/vault-qrd/tls\" failed: No such file or directory (2)" action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg="rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [Receiver=3.1.2]" action=pull
time="2019-10-03T12:37:01-04:00" level=debug msg="rsync: [Receiver] write error: Broken pipe (32)" action=pull
time="2019-10-03T12:37:01-04:00" level=debug action=pull
time="2019-10-03T12:37:01-04:00" level=info msg="Run command /opt/ibm/si/vault-qrd/bin/tls-certs-updated.sh"
time="2019-10-03T12:37:04-04:00" level=error msg="Failed to generate intermediate CA for service conman" error="exit status 1"
time="2019-10-03T12:37:04-04:00" level=error msg="Failed to regenerate the intermediate certificate /etc/conman/tls/conman_ca.crt"
And in /var/log/setup-xxx/configure-qradar-ca.log:
[configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json conman-int-pki/intermediate/generate/exported common_name="CONMAN-CA" ttl=26280h key_bits=4096 exclude_cn_from_sans=true > /tmp/tmp.xxxxxxx
[configure-qradar-ca.sh] Export intermediate CA key file to /var/tmp/qradar_int.key
[configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault write -format=json qradar-pki/root/sign-intermediate csr="@/var/tmp/qradar_int.csr" common_name="CONMAN-CA" ttl=26280h > /tmp/tmp.33wItN4riu
Error writing data to qradar-pki/root/sign-intermediate: Error making API request.
20 December 2019
INSTALL / PRE-CHECK IJ21518 QRADAR NETWORK INSIGHTS (QNI) INSTALLATIONS CAN FAIL AT STORAGE PRE-CHECK OPEN: Reported in QRadar 7.3.0 and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
It has been identified that QRadar Network Insights (QNI) installations can fail at the storage pre-check for one or more of the following reasons:
  1. Large databases being replicated to the QNI managed host
  2. Coredumps
  3. QNI appliances having only 200 GB or 240 GB of storage
  4. 7.3.2 fresh install environments allocating 32 GB to the /recovery partition, which decreases the size of /store
10 December 2019
USERS / RULES IJ21487 RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
It has been identified that rules are not loaded properly when their originating user no longer exists in the QRadar deployment. This has been observed after Content Management Tool (CMT) imports, because CMT allows data to be imported even if the referenced user does not exist.

False positive or false negative rule firing can be experienced when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:41338]    at java.lang.Thread.run(Thread.java)
16 December 2019
API / QRADAR VULNERABILITY MANAGER IJ21464 QRADAR VULNERABILITY MANAGER (QVM) API THROWS ILLEGAL ARGUMENT EXCEPTION WHEN REQUESTING VULNERABILITIES THAT HAVE A RISK OF 'CRITICAL' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Exception all Critical vulnerabilities in QVM or remove the critical vulnerabilities from the asset view.

Issue:
It has been identified that the QVM Vulninstance API throws an illegal argument exception when the requested vulnerability information includes vulnerabilities with a risk of Critical. The vulnerability content could have come from a third-party scanner or from using the vulnerability triage feature in QVM to change the risk of some vulnerabilities to Critical. This affects apps such as QRadar Vulnerability Insights (QVI) that query vulnerabilities through the API, and any other integration that uses the QVM Vulninstance API. The QVI app reports errors during data sync and shows zero counts on its dashboard.

Messages similar to the following might be visible in /var/log/qradar.error when an API call is made:
[tomcat.tomcat] [pool-1-thread-1] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical
[tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(RiskFactorDTO.java)
[tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapter.doConvert(R1_2017VulnInstanceDTOAdapter.java)
[tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.vulninstance.common.AbstractVulnInstanceDTOAdapter.dtoConvert(AbstractVulnInstanceDTOAdapter.java)
[tomcat.tomcat] [pool-1-thread-1]    at com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPITask.runTask(VulninstancesAPITask.java)
[tomcat.tomcat] [pool-1-thread-1]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
[tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.FutureTask.run(FutureTask.java)
[tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-1]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-1]    at java.lang.Thread.run(Thread.java)
06 December 2019
OFFENSES IJ21461 DUPLICATE OFFENSE RULE RESPONSE CAN OCCUR 30 MINUTES AFTER INITIAL OFFENSE TRIGGERING OPEN: Reported in QRadar 7.3.1 Patch 5 and later Workaround: No workaround available.

Issue:
It has been identified that a duplicate Offense Rule response can sometimes unexpectedly occur 30 minutes after the initial Offense Rule response occurs.

For example, a duplicate (second) e-mail response for a one-time offense update is received 30 minutes after the first, even though nothing in the offense changed (no second event caused offense generation). In this example, the second e-mail response is a false positive.
11 December 2019
ROUTING RULES / EVENT FORWARDING IJ21459 ONLINE AND OFFLINE TCP SELECTIVE FORWARDING CAN LOSE AN EVENT DURING A CONNECTION RESET OPEN: Reported in QRadar 7.3.1 and later Workaround: No workaround available.

Issue:
It has been identified that online and offline TCP selective forwarding can lose an event if the connection is reset at the remote end, because QRadar treats the event as received.
16 December 2019
CONTENT MANAGEMENT TOOL (CMT) IJ21456 CONTENT MANAGEMENT TOOL IMPORT CONTAINING A DELETED/DISABLED BULK ADD LOG SOURCE CAN FAIL CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround: No workaround available.

Issue: It has been identified that a Content Management Tool (CMT) import with a deleted/disabled Bulk Add log source can fail with a null pointer exception. The following two conditions must be met:
  1. A deleted log source is the first among the log sources with the same bulk_added_id.
  2. The target system has at least one bulk group in the sensordevicebulkadd postgres table whose bulk_group_name is the same as the bulk group name of the imported log source.
Messages such as the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [] com.ibm.si.content_management.ContentCustom: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to apply custom logic.
[tomcat.tomcat] java.lang.NullPointerException
[tomcat.tomcat]   at com.ibm.si.content_management.ContentCustom.importSensorDevice(ContentCustom.java)
[tomcat.tomcat]   at com.ibm.si.content_management.ContentCustom.importCustom(ContentCustom.java)
[tomcat.tomcat]   at com.ibm.si.content_management.Content.importCustomContent(Content.java)
[tomcat.tomcat]   at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
[tomcat.tomcat]   at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
09 December 2019
APPLICATION FRAMEWORK IJ21454 ERROR "SSL.CERTIFICATEERROR: HOSTNAME '{IPADDRESS}' DOESN'T MATCH '{FQDN}'" WHEN APP-VOLUME-BACKUP.PY SCRIPT RUNS OPEN: Reported in QRadar 7.3.2 Patch 2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
It has been identified that the app-volume-backup.py backup script can fail with an error similar to:
ssl.CertificateError: hostname '{IP Address}' doesn't match '{FQDN}'.

When this issue occurs, QRadar App data backups do not complete successfully.

This occurs because the script connects to the console by IP address, and TLS hostname verification checks that address against the Subject Alternative Name (SAN) entries of the console certificate. A customer certificate issued only for the FQDN has no IP Address SAN entry, so verification fails. The failure is the TLS client correctly refusing a certificate that does not cover the address it connected to; it is not a reason to disable certificate verification.
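To show exactly why an IP-address connection fails against an FQDN-only certificate, the following added example (not QRadar code and not the backup script itself) applies the SAN matching rule that TLS clients such as Python's ssl module use: an IP literal is compared only against IP Address SAN entries, a hostname only against DNS entries (with a single leftmost-label wildcard), and the certificate CN is ignored once a SAN extension is present. The two certificate dictionaries are constructed in the shape returned by ssl.SSLSocket.getpeercert() and are assumptions, not real console certificates.

```python
import ipaddress

# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert()
# (assumption: not real QRadar console certificates). The first is issued for the
# console FQDN only; the second also lists the console IP as a SAN entry.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "qradar.example.com"),),),
    "subjectAltName": (("DNS", "qradar.example.com"),),
}
CERT_FQDN_AND_IP = {
    "subject": ((("commonName", "qradar.example.com"),),),
    "subjectAltName": (
        ("DNS", "qradar.example.com"),
        ("DNS", "*.apps.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive, one wildcard allowed only as
    the whole leftmost label, and the wildcard matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def matches_cert(cert, target):
    """True if `target` (a hostname or an IP literal) is covered by the
    certificate's subjectAltName. The CN is deliberately ignored once a SAN
    extension is present, which is what current TLS clients do."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against IP Address entries, never against
        # DNS entries or the CN: connecting by IP to a certificate issued for the
        # FQDN therefore fails verification even though the CN "looks right".
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


def describe_mismatch(cert, target):
    """Return a message in the style of ssl.CertificateError, or None on match."""
    if matches_cert(cert, target):
        return None
    names = [value for _, value in cert.get("subjectAltName", ())]
    if len(names) == 1:
        return "hostname %r doesn't match %r" % (target, names[0])
    return "hostname %r doesn't match either of %s" % (
        target, ", ".join(repr(n) for n in names))


if __name__ == "__main__":
    for cert, label in ((CERT_FQDN_ONLY, "FQDN-only cert"),
                        (CERT_FQDN_AND_IP, "cert with IP SAN")):
        for target in ("qradar.example.com", "10.0.0.5"):
            print(label, target, "->", describe_mismatch(cert, target) or "OK")
```

Run against the FQDN-only certificate, the IP target reproduces the message in the APAR title; against the certificate that carries an IP Address SAN it verifies. The corrective action is on the certificate side (issue it with every identity the client connects to, IP included), not on the verification side.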
16 December 2019
REFERENCE SETS IJ21446 REFERENCE SETS INCORRECTLY DISPLAY " 0 " IN 'NUMBER OF ELEMENTS' AND 'ASSOCIATED RULES' OPEN: Reported in QRadar 7.3.2 versions Workaround: Add a value to the affected Reference Set(s), then remove it again if desired. This repairs the reference set tables involved and displays the correct number of Elements or associated Rules.

Issue:
It has been identified that the "Associated Rules" column and the "Number of Elements" column in the Reference Set Management user interface can sometimes display " 0 " when there are rules and/or elements associated with the Reference Set.
13 December 2019
REPORTS IJ21445 'APPLICATION ERROR' WHEN MODIFYING REPORTS CREATED BY A DIFFERENT USER OR ASSIGNING REPORT TO A NEW GROUP CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround: Either have the original user who created the report modify it without adding new groups, or, while modifying the report, unassign it from all existing groups.

Issue
It has been identified that an "Application Error" can be generated when clicking the "Finish" button during modification of a Report in the following scenarios:
  1. The report was created by a different user and the current user is modifying it for the first time,
    OR
  2. The report is being assigned to a new Group,
    AND
  3. The report has a VirtualViewReferenceID associated with it.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained SQL Exception [1/1]: You can't operate on a closed Statement!!!
[tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][-/- -]An exception occurred while processing the request:
[tomcat.tomcat] [ /console/do/reportwizard] java.sql.SQLException: You can't operate on a closed Statement!!!
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at java.lang.Thread.run(Thread.java)
[tomcat.tomcat] [ /console/do/reportwizard] Caused by:
[tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
[tomcat.tomcat] [ /console/do/reportwizard]    ... 74 more
[tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
[tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
[tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
06 December 2019
RULES IJ21420 QRADAR DEPENDENCY CHECKER SOMETIMES DOES NOT FIND DEPENDENT RULES OR BUILDING BLOCKS OPEN: Reported in multiple QRadar versions Workaround: Create a new rule test that includes the building block not being picked up by the QRadar dependency checker.

Issue:
It has been identified that the QRadar dependency checker does not find rules or building blocks referenced in a system rule when a newly added building block is added to an existing rule test (instead of to a new rule test). For example:
  1. Create a building block.
  2. Take a system rule whose rule test references other rules (e.g. Multiple Failed Logins to a Compliance Asset).
  3. In that rule, click the rule test that references other building blocks, add the building block created in step 1, and save the rule.
  4. Go to the building block and try to delete it. View the rule dependents.

    Results
  • Actual: The dependency checker does not include the Multiple Failed Logins to a Compliance Asset rule.
  • Expected: The dependency checker also includes the Multiple Failed Logins to a Compliance Asset rule.
16 December 2019
RULES IJ21352 RULE NAMES IN 'LIST OF RULES CONTRIBUTING TO OFFENSE' CAN BE INCORRECT OPEN: Reported in multiple QRadar versions Workaround: Close the original offense after modifying the rule name. The next time the rule is triggered it creates a new offense that has the updated rule name in the list.

Note: The offense name might be different based on what option for offense naming is chosen in the Rule Wizard.

Issue:
It has been identified that in some instances Rule Names in "List of Rules Contributing to Offense" are incorrect. For example:
  1. Have a rule that creates an offense.
  2. Trigger the rule for the first time to create an offense.
  3. Edit the rule name.
  4. When the rule is triggered again, the rule name in the "List of Rules Contributing to Offense" page displays the old rule name.
13 December 2019
ROUTING RULES IJ21347 ROUTING RULES CAN FAIL TO WORK AS EXPECTED WHEN A HUNG THREAD DOES NOT RESTART AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 8 Workaround: From an SSH command line session, restart the ecs-ec service manually using the following command. Restarting ecs-ec briefly interrupts event collection on that host, so schedule it accordingly:
systemctl restart ecs-ec


Issue:
It has been identified that in some instances a thread in the event collection service (ecs-ec) can hang on an RPC call and is not restarted as expected. In the thread dump below, the SelectiveForwardingStatisticsReportingTimer thread holds the HashMap lock while it sits in a blocking socket read during the TLS handshake of a JSON-RPC call, so the SequentialEventDispatcher thread that needs the same lock stays BLOCKED. While this is occurring, routing rules can fail to work as expected until the ecs-ec service is restarted successfully. Messages similar to the following might be visible in QRadar logging when this issue occurs:
"87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e
     owned by SelectiveForwardingStatisticsReportingTimer Id=89
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268)
    at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.notifyDestinationChangeListener(SelectiveForwardingSetCache.java:591)
    at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.messageReceived(SelectiveForwardingSetCache.java)
    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
"SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE (running in native)
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java)
    at java.net.SocketInputStream.read(SocketInputStream.java)
    at java.net.SocketInputStream.read(SocketInputStream.java)
    at com.ibm.jsse2.b.a(b.java:262)
    at com.ibm.jsse2.b.a(b.java:33)
    at com.ibm.jsse2.av.a(av.java:579)
      - locked java.lang.Object@47749733
    at com.ibm.jsse2.av.i(av.java:574)
      - locked java.lang.Object@91bc8eee
    at com.ibm.jsse2.av.a(av.java:280)
    at com.ibm.jsse2.av.startHandshake(av.java:431)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java)
      - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java)
      - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java)
      - locked com.ibm.net.ssl.www2.protocol.https.b@2111733
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java)
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java)
      - locked java.util.HashMap@8607f58e
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator$1.run(SelectiveForwardingCommunicator.java)
    at java.util.TimerThread.mainLoop(Timer.java)
    at java.util.TimerThread.run(Timer.java)
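The blocking chain in a dump like the one above can be read out mechanically rather than by eye. The following is an added example (not QRadar code and not from IBM) that parses this thread-dump format, resolves every BLOCKED thread to the owner of the lock it is waiting on, checks that the owner really holds that lock, and flags owners whose top frames are a native socket read, which is the signature to look for before deciding a restart is the only option. The dump embedded in it is a constructed, shortened copy of the one above.

```python
import re

# Constructed, shortened thread dump in the format quoted above (not the original log):
# a dispatcher thread BLOCKED on a HashMap whose owner is a timer thread sitting in a
# native socket read inside a TLS handshake, plus an unrelated WAITING thread.
SAMPLE_DUMP = '''\
"87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e
     owned by SelectiveForwardingStatisticsReportingTimer Id=89
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268)
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
"SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE (running in native)
    at java.net.SocketInputStream.socketRead0(Native Method)
    at com.ibm.jsse2.av.startHandshake(av.java:431)
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java)
      - locked java.util.HashMap@8607f58e
    at java.util.TimerThread.run(Timer.java)
"Idle worker" Id=12 in WAITING on lock=java.lang.Object@1a2b3c
    at java.lang.Object.wait(Native Method)
'''

HEADER_RE = re.compile(r'^"(?P<name>[^"]+)" Id=(?P<id>\d+) in (?P<state>[A-Z_]+)(?: on lock=(?P<lock>\S+))?')
OWNER_RE = re.compile(r'^\s+owned by (?P<owner>\S+) Id=(?P<owner_id>\d+)')
FRAME_RE = re.compile(r'^\s+at (?P<frame>\S+)')
LOCKED_RE = re.compile(r'^\s+- locked (?P<lock>\S+)')

# Frames that mean the thread is parked in the kernel waiting for network data.
NATIVE_IO_MARKERS = ("socketRead0", "socketWrite0", "SocketInputStream", "SocketOutputStream")


def parse_thread_dump(text):
    """Parse the dump into {thread id: {name, state, waiting_on, owner_id, frames, holds}}."""
    threads = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m["name"], "id": int(m["id"]), "state": m["state"],
                       "waiting_on": m["lock"], "owner_id": None, "frames": [], "holds": []}
            threads[current["id"]] = current
            continue
        if current is None:
            continue
        m = OWNER_RE.match(line)
        if m:
            current["owner_id"] = int(m["owner_id"])
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append(m["frame"])
            continue
        m = LOCKED_RE.match(line)
        if m:
            current["holds"].append(m["lock"])
    return threads


def find_blocked_chains(threads):
    """For each BLOCKED thread, resolve the owner of the lock it waits on and report
    whether that owner is itself stuck in native socket I/O (the pattern above)."""
    chains = []
    for t in threads.values():
        if t["state"] != "BLOCKED":
            continue
        owner = threads.get(t["owner_id"])
        chain = {"blocked": t["name"], "lock": t["waiting_on"], "owner": None,
                 "owner_state": None, "owner_top_frame": None,
                 "owner_holds_lock": False, "owner_in_socket_io": False}
        if owner is not None:
            top = owner["frames"][0] if owner["frames"] else None
            chain.update(owner=owner["name"], owner_state=owner["state"], owner_top_frame=top,
                         owner_holds_lock=t["waiting_on"] in owner["holds"],
                         owner_in_socket_io=any(mk in f for f in owner["frames"][:3]
                                                for mk in NATIVE_IO_MARKERS))
        chains.append(chain)
    return chains


def summarize(text):
    """One human-readable line per blocking chain, suitable for a ticket or alert."""
    lines = []
    for c in find_blocked_chains(parse_thread_dump(text)):
        verdict = "owner is in native socket I/O" if c["owner_in_socket_io"] else "owner not in socket I/O"
        lines.append("%s BLOCKED on %s held by %s (%s; %s)" % (
            c["blocked"], c["lock"], c["owner"], c["owner_state"], verdict))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_DUMP):
        print(line)
```

The design point the dump illustrates is general: a lock held across a blocking network call (here a TLS handshake read) turns a remote outage into a local hang for every thread that needs that lock. When the owner's top frames are socket reads, the remedy is on the owner's side (a read timeout, or releasing the lock before the I/O), and the blocked thread is only the symptom.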
13 December 2019
LOG SOURCE GROUPS IJ21333 UNABLE TO DELETE LOG SOURCE GROUP DUE TO FAILED DEPENDENCY CHECK OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
It has been identified that in some instances Log Source groups cannot be deleted because the dependency check fails on a customviewparams entry (SELECTIVE_FORWARDING-events-xxx) that uses the ArielSearchLite class. This entry does not carry a valid ariel database name, which is why the dependency check below fails with "Could not locate the configuration for ariel database null".

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [pool-1-thread-5] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 104460
[tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: java.lang.RuntimeException: Could not locate the configuration for ariel database null
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:682)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:369)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:363)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:358)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:353)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122)
[tomcat.tomcat] [pool-1-thread-5]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [pool-1-thread-5]    at java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [pool-1-thread-5] Caused by:
[tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: Could not locate the configuration for ariel database null
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielUtils.getProperties(ArielUtils.java:713)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.loadProperties(ArielSearchLite.java:897)
[tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:385)
[tomcat.tomcat] [pool-1-thread-5]    ... 16 more
10 December 2019
AQL IJ21332 AQL SEARCHES RETURNING INCORRECT RESULTS DUE TO CONVERT TO AQL NOT ADDING PERCENT ( % ) SYMBOL IN ILIKE STATEMENTS OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: No workaround available.

Issue:
It has been identified that Convert to AQL does not add the percent ( % ) wildcard to ILIKE statements, so the generated Advanced Search (AQL) returns incorrect or no results: without the wildcard, ILIKE matches the whole value (case-insensitively) instead of the substring the original filter represented. The same searches performed in the QRadar User Interface work as expected.
09 December 2019
DEPLOY CHANGES IJ21674 'DEPLOY' FUNCTION CAN FAIL AFTER A CONFIGURATION RESTORE IS PERFORMED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
The QRadar "deploy" function can fail after a configuration restore has been performed.

These instances of "deploy" failure occur due to missing bandwidth_egress_filter database table entries during the restore process.

Messages similar to the following might be visible in QRadar logging when this issue occurs:
com.q1labs.frameworks.exceptions.FrameworksException: Failed to get next filter ID for hostID=677 and wildcard device
  at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:155)
  at com.q1labs.configservices.config.globalset.ibm.BandwidthManagerTransformer.updateDeploymentAQSConfig(BandwidthManagerTransformer.java:110)
  ... 80 more
Caused by: com.q1labs.frameworks.exceptions.FrameworksException: Failed to execute query for next valid class ID
  at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.getNextValidFilterID(BandwidthConfigurationUtilities.java:942)
  at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:151)
  ... 81 more
Caused by: org.apache.openjpa.persistence.ArgumentException: Cannot load object with id "com.q1labs.core.dao.bm.BandwidthEgressFilter-com.q1labs.core.dao.bm.BandwidthEgressFilterCompKey@b055f". Instance "com.q1labs.core.dao.bm.BandwidthEgressFilter@31a91e2c" with the same id already exists in the L1 cache. This can occur when you assign an existing id to a new instance, and before flushing attempt to load the existing instance for that id.
22 January 2020
AQL IJ21676 QRADAR ERROR WHEN ATTEMPTING TO EXECUTE A LONG AQL QUERY OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: The problem can be avoided by reducing the length of the search criteria (e.g. reduce the number of "or" clauses).

Issue:
An error can occur when executing a long AQL query: an 'Application Error' is generated in the QRadar User Interface, and the same query submitted through the API returns an API error. The message below comes from httpd's mod_proxy_ajp, which forwards requests to Tomcat: the request is too long to fit into an AJP message, so the proxy rejects it before Tomcat sees the query.

Messages similar to the following might be visible in /var/log/httpd/error.log when this issue occurs:
[proxy_ajp:error] [pid 4251] ajp_msg_append_cvt_string(): BufferOverflowException 4 631
22 January 2020
RULES / APP CONTENT EXTENSIONS IJ21677 MODIFIED RULES FROM INSTALLED CONTENT PACK AND THEN UNINSTALLING CONTENT PACK CAUSES NULLPOINTEREXCEPTION OPEN: Reported in QRadar 7.3.2 Patch 3 and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
Rules that are modified after installing the content pack that contains them, and whose content pack is then uninstalled, can result in NullPointerExceptions. The exception is raised in the event processor (ecs-ep) while it reads rules from the custom_rule table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [Thread-127] com.q1labs.core.dao.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while unmarshalling rule id 500 from DB table custom_rule
[ecs-ep.ecs-ep] [Thread-127] java.lang.NullPointerException
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java:299)
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1955)
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1974)
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(CREServices.java:1801)
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
[ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:225)
02 January 2020
SEARCH IJ21678 ARIEL SEARCHES IN QRADAR CAN TAKE LONGER THAN EXPECTED TO COMPLETE WHEN USING A LOG SOURCE TYPE FILTER OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for assistance in identifying if this issue is the cause of slow searches when using Log Source type filters.

Issue:
Searches can take longer than expected to complete when using a Log Source type filter in an Ariel search. This has been identified as being caused by ariel becoming single threaded in some instances.
02 January 2020
UPGRADE / APP FRAMEWORK IJ21697 DOCKER CAN FAIL TO START DURING QRADAR PATCHING PROCESSES OPEN: Reported in QRadar 7.3.2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue:
In some instances, Docker can fail to start during the QRadar patching processes. When this occurs, QRadar Apps cannot be used or installed until the issue with Docker is corrected.
02 January 2020
DECAPPER / SYSTEM IJ21698 QRADAR NETWORK INSIGHTS (QNI) DECAPPER CAN CRASH AND GENERATE A COREDUMP CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
No workaround available.

Issue
The QRadar Network Insights (QNI) decapper can crash and generate a coredump. These particular decapper coredump instances are related to a DTLS error. Support can analyze the generated coredump to further determine whether this is the issue affecting the QNI decapper. The return code -6 in qradar.log is the negated signal number, i.e. the rtf process was killed by signal 6 (SIGABRT), which matches the "killed by SIGABRT" lines in the messages log. Messages similar to the following might be visible in /var/log/messages and /var/log/qradar.log when this issue occurs:

Example from messages log file where multiple core dump messages appear:
[578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
[691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
[351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core
[466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
[830]: Process 4891 (decapper) of user 99 killed by SIGABRT - dumping core
[649]: Process 4823 (decapper) of user 99 killed by SIGABRT - dumping core
[868]: Process 6960 (decapper) of user 99 killed by SIGABRT - dumping core
[450]: Process 7803 (decapper) of user 99 killed by SIGABRT - dumping core
[995]: Process 9482 (decapper) of user 99 killed by SIGABRT - dumping core

Example from qradar.log:
decapper - INFO - rtf for rtf0 died - return code: -6
decapper - INFO - Started rtf process for case rtf0
decapper: [main] decapper.keybag: [INFO] Reading keybag configuration......
decapper: [main] decapper.APPID: [INFO] Reading signature file....
decapper: [main] decapper.yara: [INFO] YaraRules: Reading rule file......
decapper: [main] decapper.yara: [WARN] YaraRules: Config file is empty.
decapper: [main] decapper: [INFO] rtf0: Processing napatech
[hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to ACTIVE
decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(1938480, 32297/sec), Octets(909349284, 15150791/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec))
decapper: [] decapper.capture: [INFO] rtf1: [1] Content Scan Stats 60 sec: Requests(8873, 147/sec) Throttled(0, 0/sec) Filtered(2, 0/sec)
decapper: [] decapper.capture: [INFO] rtf1: [1] Flow Report Stats 60 sec: Std(33000, 549/sec, 10406 unique) Content(32041, 533/sec) Dropped(0, 0/sec)
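Because the decapper is restarted automatically after each crash, a single "dumping core" line is easy to miss while a run of them is the signal that matters. The following added example (not QRadar code and not from IBM) is detection logic over lines in the two formats quoted above: it extracts the core dump records from messages-style lines, maps the "return code: -6" in qradar.log back to the signal name, and flags a crash loop when the same process dumps core more than a threshold number of times inside a time window. The sample lines are constructed; the syslog prefix "Mon DD HH:MM:SS host program[pid]:" in front of the quoted text is an assumption, as the excerpt above omits it.

```python
import re
import signal
from datetime import datetime, timedelta

# Constructed sample lines (not the original excerpt). The messages lines follow the
# "Process N (decapper) of user 99 killed by SIGABRT - dumping core" format quoted
# above with an assumed syslog prefix; the qradar.log lines follow the quoted
# "rtf for rtfN died - return code: -6" format. One unrelated sshd line is mixed in.
MESSAGES_SAMPLE = """\
Jan  2 10:01:07 qni01 systemd-coredump[578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
Jan  2 10:03:41 qni01 systemd-coredump[691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
Jan  2 10:05:12 qni01 sshd[1200]: Accepted publickey for admin from 10.0.0.9 port 51022 ssh2
Jan  2 10:05:12 qni01 systemd-coredump[351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core
Jan  2 14:30:00 qni01 systemd-coredump[466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
"""
QRADAR_SAMPLE = """\
decapper - INFO - rtf for rtf0 died - return code: -6
decapper - INFO - Started rtf process for case rtf0
"""

COREDUMP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: "
    r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user (?P<uid>\d+) "
    r"killed by (?P<sig>SIG[A-Z0-9]+) - dumping core$"
)
RTF_DIED_RE = re.compile(r"rtf for (?P<rtf>rtf\d+) died - return code: (?P<rc>-?\d+)")


def parse_coredumps(text, year=2020):
    """Extract (timestamp, pid, process name, signal) from messages-style lines.
    syslog timestamps carry no year, so the caller supplies it."""
    dumps = []
    for line in text.splitlines():
        m = COREDUMP_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day field
            ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
            dumps.append((ts, int(m["pid"]), m["comm"], m["sig"]))
    return dumps


def rtf_death_signals(text):
    """Translate 'rtf for rtfN died - return code: -6' into the signal that killed
    the capture process: a negative return code is the negated signal number."""
    out = []
    for line in text.splitlines():
        m = RTF_DIED_RE.search(line)
        if m:
            rc = int(m["rc"])
            name = signal.Signals(-rc).name if rc < 0 else None
            out.append((m["rtf"], rc, name))
    return out


def crash_loop(dumps, comm="decapper", threshold=3, window=timedelta(minutes=10)):
    """True if `comm` dumped core at least `threshold` times inside any span of
    length `window`; isolated crashes hours apart do not trip it."""
    times = sorted(ts for ts, _, name, _ in dumps if name == comm)
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


if __name__ == "__main__":
    dumps = parse_coredumps(MESSAGES_SAMPLE)
    print(len(dumps), "decapper core dumps;",
          "crash loop" if crash_loop(dumps) else "isolated crashes")
    print(rtf_death_signals(QRADAR_SAMPLE))
```

The window and threshold are tuning knobs; the point is that three SIGABRT dumps in a few minutes is a different condition from one dump a day, and the alert should say which.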
02 January 2020
SEARCH IJ22582 CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL 'UPDATE' BUTTON SELECTED OPEN Workaround: Click the Update button to see the correct search results after grouping by a specific category.

Issue: After executing a Search using filters and a "Results Limit", if the "Display" field is changed to a "group by" ("Low Level Category" for example), some search results are not returned until the Update button is selected/clicked.
06 February 2020
UPGRADE IJ22566 QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE OPEN: Reported in multiple QRadar versions. Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue: The QRadar patching process can fail and roll back when there are unexpected blank tables within a QVM fusion database. In the example below, the foreign key violation shows that toolsuite_l7protocolcodes contains no row for key 18, consistent with that referenced table being empty. Messages similar to the following might be visible during the patch process and in the most recent /var/log/setup-7.3.3.xxxxxxxxx/patches.log:

Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] ip=
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch report files.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
Patch Report for 172.16.77.26, appliance type: 1202
 : patch test succeeded.
1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
WARNING: SET TRANSACTION can only be used in transaction blocks
ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
 : patch rolled back.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr=
Patch Report for , appliance type: 1202
 : patch test succeeded.
1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
WARNING: SET TRANSACTION can only be used in transaction blocks
ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
{hostname} : patch rolled back.
05 February 2020
API IJ22370 TRAFFICANALYSIS API IN QRADAR CAN GENERATE ERROR 'CODE: 500 MESSAGE: UNEXPECTED INTERNAL SERVER ERROR' CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround: No workaround available.

Issue: The QRadar TrafficAnalysis API can fail with an error similar to {"http_response": {"code": 500, "message": "Unexpected internal server error"}, "code": 1020, "description": "An error occurred during the attempt to update the Autodetection Config Record.", "details": {}, "message": "An error occured while trying to update the Autodetection Config Record with id: 513"}

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43] Caused by:
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]
java.lang.IllegalArgumentException: Parameter position 1 is not
declared in query "select MIN(a.taOrder) from
TrafficAnalysisConfigRecord a where a.taOrder > 10000 and 0 =
(select COUNT(b) from TrafficAnalysisConfigRecord b where
b.taOrder = a.taOrder + 1)". Declared parameter keys are "[]".
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
org.apache.openjpa.persistence.AbstractQuery.getParameter(Abstra
ctQuery.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
org.apache.openjpa.persistence.AbstractQuery.setParameter(Abstra
ctQuery.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
org.apache.openjpa.persistence.AbstractQuery.setParameter(Abstra
ctQuery.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.q1labs.frameworks.session.JPASessionDelegate.namedQueryForSi
ngleResult(JPASessionDelegate.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.q1labs.core.dao.qidmap.TrafficAnalysisConfigRecord.getTAConf
igRecordForTAConfigRecordPrecedence(TrafficAnalysisConfigRecord.
java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.ibm.si.data_ingestion.api.impl.trafficanalysis.validation.Tr
afficAnalysisConfigRecordValidator.validatePrecedence(TrafficAna
lysisConfigRecordValidator.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.Traffic
AnalysisAPIImpl.updatePrecedence(TrafficAnalysisAPIImpl.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.Traffic
AnalysisAPIImpl.updateTAConfigRecordWithoutNotificationMask(Traf
ficAnalysisAPIImpl.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    at
com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.Traffic
AnalysisAPIImpl.updateTAConfigRecord(TrafficAnalysisAPIImpl.java)
[tomcat.tomcat] [127.0.0.1(4690)
/console/restapi/api/config/event_sources/log_source_management/
autodetection/config_records/43]    ... 68 more
05 February 2020
RULES / PERFORMANCE IJ22342 QRADAR USER INTERFACE RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

Issue: The QRadar User Interface "Rules" page can take over 20 seconds to populate due to multiple inefficiencies in how the data needed for the Rules page is gathered/loaded.
28 January 2020
SEARCH IJ22156 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT' DURING ARIEL SEARCHES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available. Instances of these specific NullPointerException errors generated during Ariel searches have been investigated and found to be benign.

Issue: A 'Runtime exception processing request Get query status - QueryStatusWait' error can be generated during the running of Ariel searches.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] com.q1labs.ariel.ConnectedClient: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception
processing request Get query status - QueryStatusWait
[Id=e253ffee-2feb-4b96-89f5-825e4fa86ca3, waitMillis=0]: u=admin
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(Meta
dataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(M
etadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(
MetadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.searches.AccessManager.updateResult(AccessManag
er.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessMa
nager.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
java:278)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:49444] at java.lang.Thread.run(Thread.java)
17 January 2020
OPERATING SYSTEM IJ22145 NEWLY CREATED QRADAR OUT OF MEMORY JAVA HEAP DUMPS DO NOT OVERWRITE PREVIOUSLY EXISTING ONES IN /STORE/JHEAP OPEN: Reported in QRadar 7.3.1 Patch 3 and later Workaround: No workaround available.

Issue: Newly created QRadar "out of memory" java heap dumps do not overwrite older/existing heap dumps found in /store/jheap. This issue can cause an accumulation of unneeded files and file space consumed in /store/jheap on QRadar appliances.
31 January 2020
MANAGED HOSTS / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR OPEN: Reported in QRadar 7.3.3 initial release (GA) and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue: The QRadar Add Host process can fail due to a password decoding issue that occurs during the Add Host process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
java.lang.IllegalArgumentException: Last unit does not have
enough valid bits
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at java.util.Base64$Decoder.decode0(Base64.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at java.util.Base64$Decoder.decode(Base64.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at java.util.Base64$Decoder.decode(Base64.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at com.ibm.si.mks.Crypto.decrypt(Crypto.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.jav
a)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksC
ontext.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.capabilities.AddHost.getPresenceComman
d(AddHost.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.capabilities.AddHost.executePresence(A
ddHost.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.capabilities.AddHost.add(AddHost.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.capabilities.AddHost.addManagedHost(Ad
dHost.java:324)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
ost(AddHostExecutor.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddH
ostExecutor.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.hostcontext.core.requests.BaseHostRequ
est.invoke(BaseHostRequest.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.hostcontext.core.HostContextServices.m
essageReceived(HostContextServices.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
MSMessageEvent.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
hread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
com.q1labs.configservices.capabilities.AddHost: [ERROR]
[NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed
host. The ip of the host is: xxx.xxx.xxx.xxx
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
com.q1labs.configservices.hostcontext.core.HostContextServices:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving
message
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
com.q1labs.configservices.hostcontext.exception.HostContextExcep
tion: Could not get executor object
com.q1labs.hostcontext.core.executor.AddHostExecutor
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.hostcontext.core.requests.BaseHostRequ
est.invoke(BaseHostRequest.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.hostcontext.core.HostContextServices.m
essageReceived(HostContextServices.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
MSMessageEvent.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
hread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
Caused by:
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
com.q1labs.configservices.hostcontext.exception.HostContextExcep
tion: Command exited with non-zero value (4): add_host
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
ost(AddHostExecutor.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddH
ostExecutor.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   at
com.q1labs.configservices.hostcontext.core.requests.BaseHostRequ
est.invoke(BaseHostRequest.java)
[hostcontext.hostcontext]
[6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
   ... 3 more
17 January 2020
PROTOCOL INSPECTOR / QRADAR NETWORK INSIGHTS (QNI) IJ22087 SOME SMTP AND FTP FLOWS RECEIVED BY QRADAR NETWORK INSIGHTS (QNI) MISCLASSIFIED AS IRC TRAFFIC CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue: Some SMTP and FTP flows received by QRadar Network Insights (QNI) are being misclassified as IRC traffic. The application "determination algorithm" for these flows displays as "QNI Inspectors".
17 January 2020
DEPLOY CHANGES IJ22083 'DEPLOY' BUTTON DOES NOT FUNCTION FROM THE 'ADMIN TAB > DATA SOURCES > EVENTS' WINDOW OPEN: Reported in QRadar 7.3.3 initial release (GA) Workaround: Navigate to another User Interface window that prompts for the Deploy Changes to be performed.

Issue: When in the Admin > Data Sources > Events view, the Deploy changes button does not function.
17 January 2020
AQL IJ22082 'APPLICATION ERROR' WHEN RUNNING SOME LONG AQL QUERIES USING CHROME, FIREFOX, AND SAFARI WEB BROWSERS OPEN: Reported in QRadar 7.3.1 Patch 7 and later Workaround: Shorten the AQL to see if it completes when using Chrome, Firefox, Safari or attempt the query using Internet Explorer or Edge web browser.

Issue: Some longer AQL queries that work using the web browsers Internet Explorer and Edge can fail when using the Chrome, Firefox, and Safari Web Browsers with an 'Application Error' in the QRadar User Interface.
31 January 2020
SEARCH IJ22001 SEARCHES CAN CAUSE A RUNTIME EXCEPTION WITH A NULLPOINTEREXCEPTION GENERATED IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: No workaround available.

Issue: In some instances, searches performed within QRadar can generate a NullPointerException in QRadar logging similar to:
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464] com.q1labs.ariel.ConnectedClient: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception
processing request Get query status - QueryStatusWait
[Id=7b08480a-770f-4a0d-942f-f214e5f88660, waitMillis=0]: u=admin
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(Meta
dataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(
MetadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(M
etadataFactory.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.jav
a)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.jav
a)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.searches.AccessManager.updateResult(AccessManag
er.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessMa
nager.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:35464]    at java.lang.Thread.run(Thread.java)
31 January 2020
FLOWS IJ21982 FLOWS CAN CONTAIN INCORRECT VALUES FOR PACKET TIMES, IP ADDRESSES, PROTOCOLS, SIZE, SOURCE OR DESTINATION PORT CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
Restarting the qflow process on the affected QRadar Console, Flow Processor or Flow Collector rectifies this behavior temporarily, but it can recur:
systemctl restart qflow
Note: Restarting qflow service results in an interruption in flow collection.

Issue: Flows can show an incorrect first packet time or unusual IP addresses, values and byte counts. The source bytes or destination bytes display as either 4G in size or 0, and the source and destination ports display as 0.

This behavior has predominantly been observed in flows received from QRadar Network Insights appliances.
14 January 2020
GEOGRAPHIC DATA IJ21884 GEODATA UPDATES NO LONGER OCCURRING WITH '401 UNAUTHORIZED AT /OPT/QRADAR/BIN/GEOIPUPDATE-PUREPERL.PL' IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: Sign up for a MaxMind account and configure the QRadar system settings with it. For more information, see: Configuring a MaxMind account for geographic data updates (APAR IJ21884)

Issue: QRadar geographic data updates (GeoLite2-City.mmdb) can fail to download and install from maxmind.com because the login with the default user ID and license key built into QRadar fails.

To verify if this issue occurs, on the QRadar Console command line, run the geodata update command:
/opt/qradar/bin/geodata_update.sh

Messages similar to the following are displayed:
401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line
222, <$fh> line 37
06 January 2020
SEARCH IJ21739 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: Enable storing the payload on the affected Log Sources.

Issue: Using the 'Payload Contains' AQL filter generated from a basic search produces an illegal argument exception and returns results that differ from those of the basic search. For example:
  1. Create a basic search
  2. Add the filter "Payload Contains" Admin
  3. Add the payload column
  4. Save the search and run it
  5. Notice the expected output of the payload column
  6. Convert the search to AQL from Log Activity > Edit Search > Show AQL
  7. Use the SHOW AQL and leverage the output in a new search:
    select "payload" as 'Payload',QIDNAME(qid) as 'Event
    Name',logsourcename(logSourceId) as 'Log Source',"eventCount"
    as 'Event Count',"startTime" as 'Start
    Time',categoryname(category) as 'Low Level Category',"sourceIP"
    as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as
    'Destination IP',"destinationPort" as 'Destination
    Port',"userName" as 'Username',"magnitude" as 'Magnitude' from
    events where icu4jsearch('Admin', payload) != -1 order by
    "startTime" desc LIMIT 1000 last 5 minutes
  8. Run the AQL search.

    Results
    An illegal argument exception is generated and the payload is incorrect.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException:
Error calling function
com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507):
java.lang.IllegalArgumentException
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
at
com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
at
com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
31 December 2019
OFFENSES IJ21725 QRADAR USER INTERFACE INTERRUPTION CAN OCCUR WHEN PERFORMING SEARCHES ON THE OFFENSE TAB BY 'DESTINATION IP' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Issue: The QRadar User Interface can experience an interruption caused by a tomcat TxSentry occurrence after performing searches by 'Destination IP' on the Offense tab.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext]
[78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  TX on host
xx,xx,xx,xx: pid=25311 age=928 IP=127.0.0.1 port=48623 locks=31
query='SELECT op.id FROM offense_properties op JOIN
offense_target_link otl ON otl.offense_id=op.id JOIN
target_view t ON t.id=otl.target_id JOIN offense o ON
op.id=o.id WHERE (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('x..x.xx.xx/27')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xxxx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
INET('xx.xx.xx.xx/27')) OR (INET(ip2address'
[hostcontext.hostcontext]
[78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  Lock acquired on
host xx.xx.xx.xx: rel=domains_pkey age=928 granted=t
mode=AccessShareLock query='SELECT op.id FROM
offense_properties op JOIN offen'
[hostcontext.hostcontext]
[78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
com.q1labs.hostcontext.tx.TxSentry: [WARN]
02 January 2020
RULES IJ21724 'WHEN THE SOURCE IP IS PART OF ANY OF THE FOLLOWING REMOTE NETWORKS / SERVICES' CAN WORK INCORRECTLY WITH DOMAINS OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

Issue: This issue manifests when an event originates from any domain other than the default domain.
Rule condition (used in a Building Block):
'When the source IP is part of any of the following remote networks / remote services' matches events that should be excluded.
When this Building Block is used in a rule with other conditions:

The IP in question is added to the remote network as a /32 CIDR, and the condition correctly matches the event that should be excluded based on its source IP; but when the destination IP is that same address (source IP and destination IP identical), the events are matched regardless.
19 December 2019
AQL CUSTOM PROPERTIES IJ21723 AQL PROPERTY WITH FUNCTION CONTAINING MULTIPLE ARGUMENTS CANNOT BE USED AS AN AGGREGATED PROPERTY IN THRESHOLD RULE CREATION OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: No workaround available.

Issue: An AQL property that has a function with multiple arguments cannot be selected as an aggregated property in a Threshold Rule in the Rule Wizard page.

For example, the following example AQL is stored as a saved search and threshold monitoring rule is created on it.
SELECT sourceip, SUM(LONG("eventcount") + LONG("sourceport"))
AS total FROM events GROUP BY sourceip LAST 5 MINUTES

When the aggregation combines two components into one value (as above), the Rule Wizard cannot select it and fails to save the rule configuration. The rule saves and works successfully when there is only a single aggregated parameter, such as SUM(LONG("eventcount")).
02 January 2020
LOG SOURCES IJ21722 AUTO DISCOVERED LOG SOURCES ARE NOT AUTO DISCOVERED AGAIN IF DELETED USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
  1. Use the legacy Log Source User Interface (UI) to delete the log source(s).
    OR
  2. If the auto discovered log source has already been deleted using the Log Source Management App, restart tomcat to clear the cached data:
    Admin tab > select Advanced > Restart Web Server

Note: The QRadar UI only becomes available again after all required processes are running as expected once the "Restart Web Server" has completed.

Issue: Deleting a log source with the Log Source Management App prevents it from being auto discovered again.
19 December 2019
SYSTEM NOTIFICATIONS IJ21721 REPEATED SYSTEM NOTIFICATION MESSAGES FROM MANAGED HOST(S) INDICATING SYNCHRONIZATION TO CONSOLE 'TLSDATE TIMED OUT' OPEN: Reported in multiple QRadar versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

Repeated System Notifications can be generated from Managed Hosts regarding time synchronization to the QRadar console. time_sync.sh reports 'tlsdate timed out' when httpd does not respond within 5 seconds.

This issue can generate a large number of events if communication to the QRadar console is unavailable for a period of time.

Notification is similar to:
[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time
Synchronization to Console has failed - tlsdate timed out
19 December 2019
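The log excerpts quoted above for IJ22370, IJ22156/IJ22001, IJ22140, IJ21739, IJ21725, IJ21721 and IJ21884 are distinctive enough to match by pattern. The following Python script is an added example, not IBM's code and not part of this page's support content: it tags lines from /var/log/qradar.log (or from the geodata_update.sh output) with the APAR ID whose published signature they match, and pulls pid, age and locks out of the TxSentry warning so a long-running offense search can be spotted without reading the full query. The sample lines at the bottom are constructed for the example from the excerpts above; the host addresses in them are made up, and the "benign" note is IBM's statement for IJ22156, not a judgment about every NullPointerException.

```python
"""Added example, not IBM's code: tag QRadar log lines with the APAR IDs on this
page whose published log signatures they match.

Patterns come from the excerpts quoted in IJ22370, IJ22156/IJ22001, IJ22140,
IJ21739, IJ21725, IJ21721 and IJ21884. SAMPLE_LOG is constructed for the
example (addresses are made up, IDs are copied from the excerpts) and each
line is shortened to its distinctive part.
"""
import re
from collections import Counter

# (APAR, compiled pattern, note taken from the APAR text)
SIGNATURES = [
    ("IJ22156/IJ22001",
     re.compile(r"Runtime exception processing request Get query status - QueryStatusWait"),
     "NullPointerException during Ariel searches; IBM reports these as benign (IJ22156)"),
    ("IJ22370",
     re.compile(r'Parameter position 1 is not declared in query "select MIN\(a\.taOrder\)'),
     "TrafficAnalysis API answers HTTP 500 when updating an autodetection config record"),
    ("IJ22140",
     re.compile(r"IllegalArgumentException: Last unit does not have enough valid bits"),
     "Add Host fails while decoding a stored password"),
    ("IJ21739",
     re.compile(r"Error calling function com\.q1labs\.ariel\.ql\.parser\.ICU4jSearch"),
     "'Payload Contains' AQL filter; enable storing the payload on the log source"),
    ("IJ21725",
     re.compile(r"TxSentry: \[WARN\].*TX on host .*query='SELECT op\.id FROM offense_properties"),
     "Offense tab search by Destination IP holding a long transaction"),
    ("IJ21721",
     re.compile(r"\[NOT:0150003100\] Time Synchronization to Console has failed - tlsdate timed out"),
     "Managed host got no answer from console httpd within 5 seconds"),
    ("IJ21884",
     re.compile(r"401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl\.pl"),
     "GeoLite2 download rejected; configure a MaxMind account"),
]

# Fields TxSentry prints for a transaction it is watching (age unit as reported).
TXSENTRY_FIELDS = re.compile(r"pid=(?P<pid>\d+) age=(?P<age>\d+) .*?locks=(?P<locks>\d+)")


def classify(line):
    """Return (apar, note) for the first signature that matches, else None."""
    for apar, pattern, note in SIGNATURES:
        if pattern.search(line):
            return apar, note
    return None


def parse_txsentry(line):
    """Return {'pid', 'age', 'locks'} from a TxSentry 'TX on host' line, else None."""
    m = TXSENTRY_FIELDS.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def triage(lines, min_age=600):
    """Count signature hits per APAR and collect TxSentry transactions whose
    reported age is at least min_age. Returns (Counter, list of dicts)."""
    hits = Counter()
    old_transactions = []
    for line in lines:
        found = classify(line)
        if found:
            hits[found[0]] += 1
        tx = parse_txsentry(line)
        if tx and tx["age"] >= min_age:
            old_transactions.append(tx)
    return hits, old_transactions


SAMPLE_LOG = [  # constructed for this example; see module docstring
    "[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] "
    "com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]"
    "Runtime exception processing request Get query status - QueryStatusWait "
    "[Id=e253ffee-2feb-4b96-89f5-825e4fa86ca3, waitMillis=0]: u=admin",
    "[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] java.lang.NullPointerException",
    "[hostcontext.hostcontext] [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher] "
    "com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -]  "
    "TX on host 10.0.0.5: pid=25311 age=928 IP=127.0.0.1 port=48623 locks=31 "
    "query='SELECT op.id FROM offense_properties op JOIN offense_target_link otl ON otl.offense_id=op.id'",
    "[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate timed out",
    "[hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] "
    "java.lang.IllegalArgumentException: Last unit does not have enough valid bits",
    "[tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/help/resources] request served",
]

if __name__ == "__main__":
    hits, old = triage(SAMPLE_LOG)
    for apar, count in sorted(hits.items()):
        print(f"{apar}: {count} line(s)")
    for tx in old:
        print(f"long transaction pid={tx['pid']} age={tx['age']} locks={tx['locks']}")
```

Feeding the real file is a matter of triage(open('/var/log/qradar.log')). The age threshold is in whatever unit TxSentry reports, which the APAR text does not state, so tune min_age against your own warnings rather than treating 600 as a recommendation; the point of the parser is to rank transactions by age and lock count before deciding whether IJ21725 applies.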
APP HOST IJ21720 QRADAR APP HOST CANNOT BE REMOVED FROM THE DEPLOYMENT IF ALL APPS HAVE BEEN UNINSTALLED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround:
  1. Install a QRadar App.
  2. Migrate the App to the Console.
  3. Perform App Host removal.
  4. Remove the QRadar App now installed on Console, if not needed.

Issue:
A QRadar App Host cannot be removed from the Deployment if all Apps have been uninstalled. The option Admin > System and License Management > highlight app host > Deployment Actions > 'Remove Host' is grayed out.
19 December 2019
RULES / QRADAR ON CLOUD IJ21717 QRADAR ON CLOUD USERS ARE UNABLE TO DELETE ANOMALY DETECTION ENGINE RULES OPEN: Reported in QRadar 7.3.1 and later Workaround: Contact Support and request them to delete the appropriate ADE rule.

QRadar on Cloud users with the appropriate rights assigned are not able to delete Anomaly Detection Engine (ADE) rules. Users are able to delete other rule types, but no pop-up window is displayed when attempting to delete an ADE rule.
02 January 2020
TOPOLOGY / QRADAR RISK MANAGER (QRM) IJ21704 SUBNETS CAN INTERMITTENTLY APPEAR AND DISAPPEAR ON THE QRADAR RISK MANAGER TOPOLOGY SCREEN CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
Contact Support for a possible workaround that might address this issue if you are unable to upgrade to resolve this issue through a fix pack update.

Issue
Subnets can appear and disappear intermittently on the QRadar Risk Manager Topology screen.
19 December 2019
HIGH AVAILABILITY (HA) IJ21703 ADDED OR EDITED NTP SERVER SETTINGS ARE NOT IMPLEMENTED ON HIGH AVAILABILITY (HA) STANDBY APPLIANCE OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Restart the chrony service manually from an SSH command line on the affected HA standby appliance:
systemctl restart chronyd

After adding or updating an NTP server in QRadar for a High Availability (HA) appliance (using the steps in System and License Management on the Active HA appliance), the chrony service on the HA Standby appliance must be restarted before the chrony configuration change takes effect.
02 January 2020
DATA OBFUSCATION IJ21702 UNABLE TO ADD NEW DATA OBFUSCATION EXPRESSION TO AN EXISTING DATA OBFUSCATION PROFILE OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround:
  1. Open the Obfuscation Management administration page.
  2. Unlock the profile.
  3. Click Add.
  4. Press F12 and open the Inspector (Firefox) or the Elements panel (Chrome).
  5. With the element picker, find the required field that was left blank and type the proper value into the HTML (for example, -1 for {Any}).
  6. Click send.

  7. Results
    The new obfuscation expression should be added.

Issue:
Users might be unable to add a new Data Obfuscation expression to an existing obfuscation profile in QRadar environments with a very large number of Log Sources. The error message generated in the QRadar User Interface is similar to: java.lang.NumberFormatException: empty String

Example of steps that lead to this issue:
  1. Admin > Data Obfuscation
  2. Unlock the Data Obfuscation profile
  3. Click Add to add a new expression
  4. Select regex.
    Note that the Log Source type does not fully load and Log Source field is empty.
  5. Fill out all required settings, click Save.
  6. Error message is generated: java.lang.NumberFormatException: empty String
02 January 2020
LOG ACTIVITY / NETWORK ACTIVITY IJ21700 REGEX ' + ' (PLUS) SYMBOL TO MATCH ONE OR MORE OF ANYTHING IS HIDDEN AFTER FILTER IS APPLIED OPEN: Reported in QRadar 7.3.2 Workaround: No workaround available.

Issue: The regex expression \w+ is being displayed in 'add filter' as \w and not \w+. For example:
  1. Click the Log Activity tab.
  2. Click Add filter.
  3. Add a filter on "Process File URL (custom)" with the operator "Matches any of expressions" and the value \w+\.exe

    Result
    Displayed in the filter area of the user interface is \w \.exe rather than the expected \w+\.exe.

    NOTE: This only occurs on the QRadar Log/Network Activity User Interface windows. The filter is applied correctly otherwise. On the DSM Editor screen, the plus sign is displayed correctly.
19 December 2019
SECURITY BULLETIN CVE-2018-0734 OpenSSL as used in IBM QRadar SIEM is vulnerable to a timing side channel attack CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.2.20191224145010)

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
09 January 2020
SECURITY BULLETIN CVE-2019-1559 OpenSSL as used by IBM QRadar SIEM is Missing a Required Cryptographic Step CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
09 January 2020
SECURITY BULLETIN CVE-2019-4508 IBM QRadar SIEM uses weak credential storage in some instances CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

09 January 2020
SECURITY BULLETIN CVE-2019-2816
CVE-2019-2762
CVE-2019-2769
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM QRadar SIEM CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

09 January 2020
SECURITY BULLETIN CVE-2019-4559 IBM QRadar SIEM is vulnerable to information disclosure CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

09 January 2020
SECURITY BULLETIN CVE-2018-15473 OpenSSH as used by IBM QRadar SIEM is vulnerable to information exposure CLOSED Resolved in:
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

09 January 2020
USERS IJ20771 UNABLE TO REASSIGN CUSTOM EVENT PROPERTY TO ANOTHER USER WHEN DELETING A USER OPEN: Reported in multiple QRadar versions. Workaround: No workaround available. If the user needs to be deleted, you have to delete the Custom Event Property, not reassign it.

It has been identified that when trying to delete a non admin/admin user who has a Custom Event Property, you cannot reassign that Custom Event Property to another user. The page hangs at the dependency reassign and does not reassign the Custom Event Property successfully.
08 November 2019
SYSLOG REDIRECT IJ03249 AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS Closed as program error. It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol can have incorrect Log Source Identifiers listed due to a regex issue within the Protocol. The issue is resolved with the following version of the Syslog Redirect RPM: 13 November 2019
UPGRADE IJ00366 APPLYING A QRADAR .SFS PATCH CAN FAIL WHEN WGET HAS A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Via an SSH session to the QRadar console, temporarily disable the wget proxy settings in /etc/wgetrc.

It has been identified that the check_undeployed script used within the QRadar patch framework can fail when there is a proxy server configured for wget to use. The check_undeployed script attempts to use that proxy to reach localhost and fails.

Messages similar to the following might be visible in the /var/log/setup-7.x.x.../patches.log when this issue occurs:
Verifying if there are any un-deployed changes...
ERROR: Could not determine undeployed changes, response was invalid.
--2018-03-28 12:11:34--
https://127.0.0.1/console/services/configservices?method=hasUndeployedChanges
Connecting to {proxyIP:port}... connected.
Proxy tunneling failed: Service Unavailable
Unable to establish SSL connection.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.
29 March 2018
UPGRADE / SCANNER IJ10746 QRADAR UPGRADE CAN HANG IF IT'S UNABLE TO REACH A CONFIGURED SCANNER OVER THE INTERNET CLOSED Closed as Permanent restriction. Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a QRadar upgrade can hang at message: 'System upgrade is in progress - DO NOT REBOOT or shutdown now!' if the QRadar upgrade process is unable to reach an internet configured scanner. QRadar attempts to retrieve a certificate during the upgrade and if internet connectivity is not allowed, the upgrade cannot reach the external scanner to complete the process.
09 December 2019
API / OFFENSES IJ05914 OFFENSE API DOES NOT RETURN EXPECTED OFFENSES WHEN USING "ID" AND "INACTIVE" FIELD IF OFFENSE ACTIVE_CODE IS 'DORMANT' CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Workaround
  1. Do not use the inactive attribute
  2. Use the status attribute to filter closed or non-closed offenses.
Issue
It has been identified that the Offense API does not return all expected offenses when filtering on the "id" and "inactive" fields when the offense active_code is set to "dormant" in the database for the Offense. To further explain this reported issue, users can compare API results to the QRadar database:
qradar=# select count(*) from offense;
count
-------
  1515
(1 row)

qradar=# select count(*) from offense where active_code=1;
count
-------
     0
(1 row)

qradar=# select count(*) from offense where active_code=2;
count
-------
   148
(1 row)

qradar=# select count(*) from offense where active_code=3;
count
-------
  1367
(1 row)


API results display:
  • status = open returns 149
  • status = closed returns 1366
  • status="OPEN" and inactive=true returns 1
  • status="OPEN" and inactive=false returns 0

Using inactive = false gives incorrect results. The active code value in the User Interface can be:
  • 1 (active / status open)
  • 2 (dormant, status open but inactive)
  • 3 (inactive / status closed).
In the API, the available filters are status = OPEN, CLOSED, HIDDEN, etc. and inactive = true / false.
09 December 2019
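The following is an added example (editor's code, not part of the APAR or any IBM tool) that turns the comparison above into a repeatable consistency check: it derives the counts each Offense API filter should return from an active_code breakdown of the offense table, using the mapping the entry describes (1 = active, 2 = dormant, 3 = inactive), and reports which filters disagree. The database and API counts embedded below are the ones quoted in the entry; the filter strings follow the API's status/inactive syntax shown above, and the base URL is a placeholder.

```python
"""Cross-check QRadar offense counts per active_code against the counts the
Offense API returns for each status/inactive filter (APAR IJ05914).
Editor-added example, not IBM code. The active_code mapping and the sample
numbers come from the APAR entry above."""
from urllib.parse import urlencode

# active_code values as described in the APAR entry
ACTIVE, DORMANT, INACTIVE = 1, 2, 3


def expected_api_counts(db_counts):
    """Derive the count each API filter should return from a
    {active_code: count} breakdown of the offense table.

    status="OPEN" covers active and dormant offenses; inactive=true selects
    the dormant ones, inactive=false the active ones; CLOSED is active_code 3."""
    active = db_counts.get(ACTIVE, 0)
    dormant = db_counts.get(DORMANT, 0)
    inactive = db_counts.get(INACTIVE, 0)
    return {
        'status="OPEN"': active + dormant,
        'status="CLOSED"': inactive,
        'status="OPEN" and inactive=true': dormant,
        'status="OPEN" and inactive=false': active,
    }


def find_mismatches(db_counts, api_counts):
    """Return {filter: (expected, observed)} for every filter whose API
    result disagrees with the database breakdown. A difference of one on
    the status-only filters can simply be an offense created between the
    two queries; a dormant count collapsing to 1 is the APAR symptom."""
    expected = expected_api_counts(db_counts)
    return {
        flt: (expected[flt], api_counts.get(flt))
        for flt in expected
        if api_counts.get(flt) != expected[flt]
    }


def workaround_url(base_url, closed=False):
    """Build the offenses query the workaround recommends: filter on the
    status attribute only and never on inactive. base_url is a placeholder."""
    flt = 'status="CLOSED"' if closed else 'status="OPEN"'
    return base_url + "/api/siem/offenses?" + urlencode({"filter": flt})


# Constructed from the psql output and API results quoted in the APAR entry
DB_COUNTS = {ACTIVE: 0, DORMANT: 148, INACTIVE: 1367}
API_COUNTS = {
    'status="OPEN"': 149,
    'status="CLOSED"': 1366,
    'status="OPEN" and inactive=true': 1,
    'status="OPEN" and inactive=false': 0,
}

if __name__ == "__main__":
    for flt, (exp, obs) in find_mismatches(DB_COUNTS, API_COUNTS).items():
        print(f"{flt}: expected {exp}, API returned {obs}")
    print(workaround_url("https://qradar.example.invalid"))
```

Run against your own numbers by replacing DB_COUNTS with the output of the three `select count(*)` queries shown above and API_COUNTS with what the API returns; the inactive=true filter returning far fewer offenses than the dormant count is the signature of this APAR.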
SYSTEM NOTIFICATIONS IJ20362 'SAR SENTINEL: THRESHOLD CROSSED FOR DRBD0' SYSTEM NOTIFICATIONS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that QRadar can report "SAR Sentinel: Threshold crossed for drbd0" system notifications for managed hosts in a High Availability (HA) pair.

Investigation has determined that these messages can be excessively and erroneously generated due to a change made within the fix for APAR IJ06526.
09 December 2019
SEARCH / SERVICES IJ21718 ARIEL SEARCHES FAIL AND EVENTS ARE NOT PROCESSED/WRITTEN TO DISK WHEN A CONCURRENT MODIFICATION EXCEPTION OCCURS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
QRadar 7.3.3 Patch 1 Interim Fix 01 (7.3.3.20191220154048)
QRadar 7.3.2 Patch 5 Interim Fix 01 (7.3.2.20191220232616)

Workaround
A flash notice has been issued for APAR IJ21718. For more information, see: QRadar: Custom property concurrency can cause search and ariel data loss (APAR IJ21718). Administrators can complete a Deploy Full Configuration to ensure a service restart until an interim fix is available on IBM Fix Central.

Issue
An uncaught ConcurrentModificationException can occur within the QRadar Ariel Writer thread. When this occurs, events received into QRadar fail to be processed and written to disk, and failure exceptions occur during ariel/event searches within QRadar.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [Ariel Writer#events]
com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
in thread: Ariel Writer#events
[ecs-ep.ecs-ep] [Ariel Writer#events]
java.util.ConcurrentModificationException
[ecs-ep.ecs-ep] [Ariel Writer#events] at
gnu.trove.TPrimitiveIterator.nextIndex(TPrimitiveIterator.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
gnu.trove.TIterator.hasNext(TIterator.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUt
ils.writeCustomProperties(NetworkEventMappingUtils.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
CustomProperties(NormalizedEventMappingV2.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
Event(NormalizedEventMappingV2.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.event.mapping.NormalizedEventMappings$Exlu
deCachedResults.putData(NormalizedEventMappings.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
(NormalizedEventMappingV2.jav)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put
(NormalizedEventMappingV2.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseW
riter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWrite
rAsync.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringD
atabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(Scatt
eringDatabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(Sca
tteringDatabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1100(Scatt
eringDatabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecor
d(ScatteringDatabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(Scatteri
ngDatabaseWriter.java)
[ecs-ep.ecs-ep] [Ariel Writer#events] at
com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.java)
[ecs-ep.ecs-ep] [Ariel Writer#events]
java.lang.Thread.run(Thread.java)
19 December 2019
APPLICATION SIGNATURES / QRADAR NETWORK INSIGHTS IJ20455 FALSE POSITIVE MATCHES FOR SIGNATURES CAN OCCUR AS QRADAR NETWORK INSIGHTS (QNI) CAN SKIP SRC/DST PORT SPECIFIERS IN SIGNATURE.XML CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that the QRadar Network Insights processing of signatures.xml skips srcPort / dstPort specifiers. This can cause false positive matches for some signatures.
09 December 2019
ASSETS / UPGRADE IJ20458 QRADAR PATCH AND OR REPLICATION PROCESS CAN FAIL WHEN MULTIPLE DUPLICATED ASSET.ASSETVIEW DATA EXISTS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that a QRadar patch and/or replication process can fail when more than one duplicated asset.assetview database entry with the same (domain_id, network_addr and ipv6) values exists on the console.
09 December 2019
VULNERABILITY SCANS IJ21607 VULNERABILITY MANAGER (QVM) SCANS CAN STAY AT 100% AND NEVER COMPLETE CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Vulnerability Manager scans can stay in the running state at 100% and never go to a Stopped state. Due to a timing issue, two threads try to determine if they are the last tool to run within a job and the jobtracking endtime never gets set, and the scan never finishes.
When this occurs, the vulnerability data does not get sent to the asset DB, vulnerability counts remain at zero on screen, and the scan duration keeps increasing even though the scan has finished.
19 December 2019
WINCOLLECT IV99859 WINCOLLECT AGENTS ARE DOWNGRADED TO VERSION 7.2.3 AFTER A CONFIGURATION RESTORE ON THE QRADAR CONSOLE CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Fix Pack 1 (7.3.3.20191203144110)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Issue
It has been identified that WinCollect agents that have been upgraded above version 7.2.3 are downgraded to version 7.2.3 after performing a Configuration Restore of QRadar 7.2.8.

This is caused by the older WinCollect 7.2.3 agent core files being installed when the Config Restore is performed.
09 December 2019
SYSTEM NOTIFICATIONS / LICENSE IJ07448 'THE APPLIANCE EXCEEDED THE EPS OR FPM ALLOCATION WITHIN THE LAST HOUR' MESSAGES CAN BE CAUSED BY HEALTH METRICS EVENTS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

Issue
It has been identified that System Notifications similar to 'The appliance exceeded the EPS or FPM allocation within the last hour' can sometimes be caused by Health Metrics events generated/processed by QRadar. System Notifications generated by the increased number of Health Metric events in QRadar 7.3.1 are false positives. QRadar is not properly calculating the license giveback for Health Metric events in relation to EPS/FPM license warning System Notifications.
09 December 2019
BACKUP / RESTORE IJ14189 DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS CLOSED Resolved in QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that data backups can fail when a backend ps command hangs.

QRadar system notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

[hostcontext.hostcontext] [Backup]
com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o
pid -o ppid -o cmd'
[hostcontext.hostcontext] [Backup]
java.lang.InterruptedException
[hostcontext.hostcontext] [Backup] at
java.lang.Object.wait(Native Method)
[hostcontext.hostcontext] [Backup] at
java.lang.Object.wait(Object.java)
[hostcontext.hostcontext] [Backup] at
java.lang.UNIXProcess.waitFor(UNIXProcess.java)
[hostcontext.hostcontext] [Backup] at
com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(Ba
ckupUtils.java)
[hostcontext.hostcontext] [Backup] at
com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(Backu
pRecoveryEngine.java)
[hostcontext.hostcontext] [Backup] at
com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.
run(BackupRecoveryEngine.java)
[hostcontext.hostcontext] [Backup]
com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process
'/bin/bash /opt/qradar/bin/run_command.sh
/opt/qradar/bin/determine_partition.sh
/store/backup/store/tmp/backup/determine_partition' if exists
09 December 2019
BURST DATA / EVENT COLLECTORS IJ12229 EVENT COLLECTORS CAN EXPERIENCE PIPELINE PERFORMANCE ISSUES DUE TO NOT HAVING AN APPLIANCE CAPABILITY CONFIGURED CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Issue
It has been identified that Event Collectors (EC) do not have an appliance level capability set. Because of this, QRadar pipeline processes are not protected from bursts in the incoming event rate (EPS).

Event Collectors inherit their licensing limits from the connected Event Processor (EP), and frequently EPs have a much higher capability and license than an EC can handle. The lack of appliance capability limitations configured for ECs can expose them to pipeline performance issues.
09 December 2019
FORWARDED EVENTS / NETWORK IJ18585 SOME FORWARDED EVENTS CAN FAIL TO FORWARD SUCCESSFULLY WHEN A CONNECTION DROP OCCURS TO THE EVENT FORWARDING RECEIVER CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that a network device can sometimes break the long connection between QRadar and a configured event forward target. Some events are not forwarded prior to the connection being recovered.

Warning messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-]2019-07-15 15:50:20.0368 [:127.0.0.1:514] Exceeded
maximum number of retries, dropping event[1].
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-]Following message suppressed 1 times in 300000 milliseconds
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
connection.
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Established connection
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-]2019-07-15 20:56:24.0403 [:127.0.0.1:514] Exceeded
maximum number of retries, dropping event[1].
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-]Following message suppressed 1 times in 300000 milliseconds
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
connection.
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Established connection
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-]2019-07-16 00:21:29.0281 [:127.0.0.1:514] Exceeded
maximum number of retries, dropping event[1].
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-]Following message suppressed 1 times in 300000 milliseconds
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Exceeded Timeouts number[5], resetting
connection.
[ecs-ep.ecs-ep]
com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
orThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
-][:127.0.0.1:514] Established connection
09 December 2019
DSM EDITOR IJ19112 DIFFERENCES IN HOW DSM EDITOR PARSES VERSUS HOW THE PIPELINE PARSES CAN PREVENT PROPER DSM EDITOR REGEX WRITING/TESTING CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that the DSM editor parses differently versus the pipeline due to a trailing LF (line feed) or a space contained in payloads.

These differences in parsing behavior can inhibit the proper writing and testing of regex when using the DSM Editor.
09 December 2019
AUTHENTICATION (LDAP) / ACCESS IJ13595 LDAP LOGINS CAN FAIL IF PAGINATION IS DISABLED FOR BIND USERS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Workaround
Enable paging for the bind user, or change the bind user to one that has paging allowed.

Issue
It has been identified that QRadar LDAP logins can fail if pagination is disabled for the bind user. In the LDAP authentication setup, the test connection to the backend server succeeds. If group authentication is used, the group load fails.
09 December 2019
LOG SOURCES / LOG SOURCE MANAGEMENT APP IJ15429 TOMCAT OUT OF MEMORY CAN OCCUR WHEN PERFORMING AN ENABLE OR DISABLE OF A LOG SOURCE CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that performing an enable or disable of a Log Source using either the API (Log Source Management App) or the legacy Log Source management page can sometimes cause a tomcat out of memory in QRadar environments with a very large number of Log Sources.
09 December 2019
OFFENSES IJ16002 THE OFFENSE PAGE IN THE QRADAR USER INTERFACE CAN BE SLOW TO OPEN AFTER PATCHING TO QRADAR 7.3.2 CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Issue
It has been identified that after patching to QRadar 7.3.2, opening the Offense page in the QRadar User Interface can take longer than expected.
09 December 2019
EVENT LOGS / TRAFFIC ANALYSIS IJ21155 EXCESSIVE LOGGING OF MESSAGE 'TRAFFIC ANALYSIS WILL CREATE NEW DEVICES WITH EVENT COALESCING TURNED ON' CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Workaround: You can turn off logging for the TrafficAnalysisFilter class from the command line of the QRadar Console to prevent it from filling the logs.
  1. To edit traffic analysis, type: /opt/qradar/support/mod_log4j.pl
  2. Type your name for audit purposes
  3. Select option 3 - Advanced Menu.
  4. Select option 2 - Add a new Logger.
  5. Type the classpath com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter
  6. Select option 4 - Off
  7. Select * - All of the above

Issue: It has been identified that excessive logs similar to the following might be visible in /var/log/qradar.log:
[ecs-ec.ecs-ec]
[[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3r
tc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]]
com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis
will create new devices with event payload storage turned on
[ecs-ec.ecs-ec]
[[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3r
tc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]]
com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis
will create new devices with event coalescing turned on
28 November 2019
CUSTOM PROPERTIES / SYSTEM NOTIFICATIONS IJ15775 REGEXMONITOR FEATURE CAN SOMETIMES DISABLE CUSTOM PROPERTIES WITHOUT ANY SYSTEM NOTIFICATION CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that the RegexMonitor feature, which is designed to automatically disable expensive custom properties to prevent performance issues, can sometimes disable inexpensive custom properties without generating a System Notification.
09 December 2019
DASHBOARD / USER INTERFACE IJ18066 QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO TOMCAT TXSENTRY WHEN USING 'TOP CATEGORY TYPES' DASHBOARD ITEM CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that in some instances the "Top Category Types" Dashboard item can lead to a TXSentry killing the tomcat process. When this occurs, the QRadar User Interface can become inaccessible.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
TX on host 1console_ip: pid=5919 age=616 IP=127.0.0.1
port=40362 locks=42 query='SELECT id, parent_id, category_name,
chain_name, offense_count, attacker_count, target_count,
event_count, start_time, end_time FROM
category_type_summary_proc(323, true, '1,2') WHERE parent_id
NOT IN(10000,11000,14000) AND id NOT IN(10000,11000,14000) AND
MOD(id, 1000)<>0 ORDER BY offense_count desc LIMIT 5 '
09 December 2019
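Several of the entries above (IJ21718, IJ14189, IJ18585 and IJ18066) are identified by a distinctive line in /var/log/qradar.log. The following is an added example (editor's code, not an IBM support tool) that scans a qradar.log excerpt for those signatures and reports which APARs appear to be present; the regular expressions are derived from the log excerpts quoted in those entries, and the sample log lines embedded below are constructed from those excerpts, re-joined onto single lines as they would appear in the actual log.

```python
"""Scan a QRadar qradar.log excerpt for log signatures that the APAR entries
above associate with specific APARs. Editor-added example, not IBM code.
Patterns come from the log excerpts quoted in the entries; the sample lines
are constructed for this example."""
import re
import sys
from collections import Counter

# APAR id -> regex over a single qradar.log line, taken from the excerpts above
APAR_SIGNATURES = {
    # IJ21718: uncaught exception in the Ariel Writer thread
    "IJ21718": re.compile(
        r"\[Ariel Writer#events\].*java\.util\.ConcurrentModificationException"),
    # IJ14189: backup cannot run the backend ps command
    "IJ14189": re.compile(
        r"\[Backup\].*Cannot execute 'ps -e -o pid -o ppid -o cmd'"),
    # IJ18585: forwarding thread gives up on an event after retries
    "IJ18585": re.compile(
        r"SelectiveForwardingCommunicatorThread: \[WARN\].*"
        r"Exceeded maximum number of retries, dropping event"),
    # IJ18066: TXSentry reporting the Top Category Types dashboard query
    "IJ18066": re.compile(r"TX on host .*category_type_summary_proc\("),
}


def scan(lines):
    """Return a Counter mapping APAR id -> number of log lines that match
    its signature. Each line is tested against every signature."""
    hits = Counter()
    for line in lines:
        for apar, pattern in APAR_SIGNATURES.items():
            if pattern.search(line):
                hits[apar] += 1
    return hits


def affected_apars(lines):
    """Sorted list of APAR ids with at least one matching line."""
    return sorted(scan(lines))


# Constructed sample lines, re-joined from the wrapped excerpts in the entries
SAMPLE_LOG = [
    "[ecs-ep.ecs-ep] [Ariel Writer#events] "
    "java.util.ConcurrentModificationException",
    "[ecs-ep.ecs-ep] [Ariel Writer#events] at "
    "gnu.trove.TPrimitiveIterator.nextIndex(TPrimitiveIterator.java)",
    "[hostcontext.hostcontext] [Backup] "
    "com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] "
    "[NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid "
    "-o ppid -o cmd'",
    "[ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding."
    "SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000]"
    "[127.0.0.1/- -] [-/- -]2019-07-15 15:50:20.0368 [:127.0.0.1:514] "
    "Exceeded maximum number of retries, dropping event[1].",
    "[ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding."
    "SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000]"
    "[127.0.0.1/- -] [-/- -][:127.0.0.1:514] Established connection",
    "[ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding."
    "SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000]"
    "[127.0.0.1/- -] [-/- -]2019-07-15 20:56:24.0403 [:127.0.0.1:514] "
    "Exceeded maximum number of retries, dropping event[1].",
    "TX on host console_ip: pid=5919 age=616 IP=127.0.0.1 port=40362 "
    "locks=42 query='SELECT id, parent_id, category_name FROM "
    "category_type_summary_proc(323, true, '1,2') LIMIT 5 '",
]

if __name__ == "__main__":
    # Usage: python scan_qradar_log.py /var/log/qradar.log (no argument: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            counts = scan(fh)
    else:
        counts = scan(SAMPLE_LOG)
    for apar, n in sorted(counts.items()):
        print(f"{apar}: {n} matching line(s)")
```

The scan treats each qradar.log line independently, so a stack-trace line such as the `at gnu.trove...` frame does not count on its own; only the line carrying the exception or warning text is counted, which keeps the per-APAR counts meaningful when the same trace recurs.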
RULES / USER INTERFACE IJ17357 HTTP 504 ERROR IN QRADAR USER INTERFACE WHEN SELECTING CUSTOM RULES OR WHEN OPENING RULES IN THE RULE WIZARD CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that in some instances selecting or opening a custom rule from the Rule Wizard can fail with a 504 error being generated in the QRadar User Interface window. This can occur if you have a large number of reference data elements.
09 December 2019
APPLICATION FRAMEWORK IJ21495 QRADAR APPS CAN GO OUT OF MEMORY DUE TO A RHEL KERNEL BUG WITH DENTRY SLAB CACHE CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that in some instances QRadar Apps can experience out of memory occurrences due to a Red Hat Enterprise Linux (RHEL) kernel bug with the dentry slab cache, where kernel memory does not get freed as expected.

For more information, see: https://access.redhat.com/solutions/55818
09 December 2019
ROUTING RULES / OFFLINE FORWARDER IJ18101 CUSTOM AQL EVENT/FLOW PROPERTIES WHILE USING OFFLINE FORWARDER WITH JSON FORWARDED DESTINATIONS CAN CAUSE PERFORMANCE ISSUES CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

It has been identified that QRadar environments with custom AQL Event/Flow properties can experience system performance issues with the offline forwarder when using JSON forwarded destinations after upgrading to 7.3.2 Patch 2.
09 December 2019
UPGRADE / SNMP IJ17204 ECS-EP PROCESS FAILS TO START AFTER PATCHING TO QRADAR 7.3.2 (OR LATER) WHEN CUSTOM SNMP TRAP EVENTS WERE CONFIGURED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that the ecs-ep service can fail to start after patching to QRadar 7.3.2 when custom snmp trap events were configured.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by:
java.io.FileNotFoundException:
/opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.sn
mp.xml (No such file or directory)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
java.io.FileInputStream.open(FileInputStream.java:212)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
java.io.FileInputStream.(FileInputStream.java:152)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
java.io.FileInputStream.(FileInputStream.java:104)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
sun.net.www.protocol.file.FileURLConnection.connect(FileURLConne
ction.java:103)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
sun.net.www.protocol.file.FileURLConnection.getInputStream(FileU
RLConnection.java:201)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unkno
wn Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Un
known Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.parsers.XML11Configuration.parse(Unknown
Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.parsers.XML11Configuration.parse(Unknown
Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown
Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at
com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmars
hal0(UnmarshallerImpl.java:211)
[ecs-ep.ecs-ep] [ECS Runtime Thread] ... 17 more
09 December 2019
OFFENSES IJ16819 OFFENSES CAN FAIL TO GENERATE AND OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that Offenses can fail to generate and or Offense data can fail to update when a username or hostname in an asset exceeds 255 characters.
When this issue occurs, the magistrate (MPC) continuously attempts to recover and repeatedly experiences a TX Sentry reported in /var/log/qradar.log with entries similar to:
'Multiple (101) TX's found, attempting recovery'


Messages similar to the following might be visible in qradar-sql.log when this issue occurs:
postgres[49684]: [3-1] ERROR: value too long for type
character varying(255)
postgres[49684]: [3-2] CONTEXT:  SQL statement "INSERT into
offense_target_link (offense_id, target_id, add_time,
macaddress, hostname, username)
postgres[49684]: [3-3] values (p_offense, v_target, extract
(epoch from now())::int8, substring (v_identity.macaddress
from 1 for 17), v_identity.hostname, v_identity.username)"
postgres[49684]: [3-4] PL/pgSQL function
link_offense_targets(bigint,character varying,integer) line 34
at SQL statement
postgres[49684]: [3-5] STATEMENT:  select * from
link_offense_targets($1,$2, $3, $4)  as result
09 December 2019
DEPLOY CHANGES / QFLOW IJ15630 DEPLOY FUNCTION TIMEOUT CAUSED BY INCORRECT DEPLOYMENT.XML COMPONENT DATA AFTER A QFLOW SOURCE IS REMOVED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that QRadar 'Deploy' function can fail (timeout) after removing a QFlow source that has connections to QRadar Network Insights (QNI) in Deployment.xml. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1 (9488)
/console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] at
java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [user@127.0.0.1  (9488)
/console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] Caused by:
[tomcat.tomcat] [user@127.0.0.1  (9488)
/console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] java.lang.NullPointerException
[tomcat.tomcat] [user@127.0.0.1 9488)
/console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] at
com.q1labs.configservices.util.forensics.QniDtlsHelper.getQflowD
tlsConnectionsList(QniDtlsHelper.java)
[tomcat.tomcat] [user@127.0.0.1  (9488)
/console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] at
com.q1labs.configservices.config.globalset.forensics.QniDtlsConf
igurationTransformer.configureDtlsConnections(QniDtlsConfigurati
onTransformer.java)
09 December 2019
LOG SOURCES / USER INTERFACE IJ16162 QRADAR USER INTERFACE BECOMES UNRESPONSIVE DURING BULK CHANGES MADE TO A LARGE NUMBER OF LOG SOURCES USING THE API CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

It has been identified that the QRadar User Interface can sometimes become unresponsive due to a session leak caused during a large amount of bulk changes made to Log Sources using the QRadar Log Source Management App (API) in QRadar environments with hundreds of thousands of Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.rpcservices.LogSourceServices: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]Unable to get session context to update device last seen times
[tomcat.tomcat] [LogSourceServices_PersisterTimer] java.util.ConcurrentModificationException
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.nextIndex(THashIterator.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.hasNext(THashIterator.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.lang.Iterable.forEach(Iterable.java:85)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.closePreparedStatements(LogSourceUpdate.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java:566)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]28012 leak(s) detected in session context: 640axxxx-xxxx-xxxx-xxxx-e33fc1xxxx
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]java.sql.PreparedStatement leak detected. Object created in following code path
[tomcat.tomcat] [LogSourceServices_PersisterTimer] java.lang.Exception
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.BaseWrapper.<init>(BaseWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.PreparedStatementWrapper.<init>(PreparedStatementWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.getPreparedStatement(LogSourceUpdate.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java:516)
09 December 2019
FLOWS / USER INTERFACE IJ21572 NO FLOW SOURCE ALIAS ARE DISPLAYED IN THE QRADAR USER INTERFACE CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

A fresh install of, or patch to, QRadar version 7.3.2 can experience an issue where no Flow Source Aliases are displayed on the QRadar User Interface -> Admin -> Flow Source Alias page.
19 December 2019
ROUTING RULES IJ21049 ROUTING RULES FOR ASSET HOSTNAME FILTERING ON SPECIFIC EVENT COLLECTOR APPLIANCES DOES NOT WORK AS EXPECTED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that routing rules for asset hostname filtering do not work because the asset.hostname table is not replicated to all hosts (Event Collectors). When a routing rule is created on an Event Collector with the condition "destination asset hostname" or "source asset hostname" equals a hostname and the action set to drop, the drop does not happen because the asset.hostname table is empty on the Event Collector.
06 December 2019
CUSTOM PROPERTIES IJ21052 REPLICATION FOR ARIEL_PROPERTY_LEEF_EXPRESSION AND ARIEL_PROPERTY_CEP_EXPRESSION NOT WORKING AS EXPECTED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that replication for ariel_property_leef_expression and ariel_property_cep_expression does not work as expected on Event Collector appliances, because the tables are not replicated to all hosts (Event Collectors). This can cause routing rule drops to not work as expected, as events do not parse those fields properly.
06 December 2019
REFERENCE DATA IJ20134 REFERENCE SET DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that some database table fields containing Reference Set data are omitted from the data replicated to QRadar collector managed hosts. When this issue occurs, Reference Set data is missing on Event Collector appliances, which can cause QRadar rule functionality to not work as expected.
06 December 2019
EVENT COLLECTOR / ROUTING RULES IJ21053 EVENT COLLECTOR IS NOT AWARE OF NETWORK NAME/RANGE AS THE TABLE IS NOT REPLICATED TO THE EVENT COLLECTOR(S) CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that Event Collector(s) are not aware of network name/range as the network database table is not replicated on the Event Collector(s). This can cause routing rules to not work as expected as Event Collector(s) do not have the appropriate database table information.
06 December 2019
QRADAR DEPLOYMENT INTELLIGENCE IJ20138 HEALTH METRIC DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that some database table fields containing Health Metric data are omitted from the data replicated to QRadar collector managed hosts. When this issue occurs, Health Metric data is missing on Event Collector appliances, causing QRadar Deployment Intelligence (QDI) to not report any information from Event Collectors.
06 December 2019
DOMAINS / TENANTS IJ18325 QRADAR LOG MANAGER DOMAIN MANAGEMENT 'ADD' BUTTON DOES NOT WORK AS EXPECTED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that within a QRadar Log Manager, the Admin -> Domain Management -> Add button does not work as expected. When the 'Add' button is selected, the next pop up window does not appear.
06 December 2019
TOPOLOGY / QRADAR RISK MANAGER IJ17290 'VIEW TOPOLOGY' WHEN SELECTED FROM ASSET DETAILS DIALOG NEVER COMPLETES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

Workaround: Perform a host search for the asset on the Topology screen.

It has been identified that when "View Topology" is selected in the Asset Details dialog, no results are returned. The Network Topology dialog that is launched displays either "Wait for data to be retrieved" or "[key not defined: srm.modelDefinition.pleaseWaitForModel]" and never completes.
06 December 2019
FLOWS IJ15964 QFLOW CAN SOMETIMES PARSE NETFLOW/JFLOW INCORRECTLY CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that in some instances invalid IP data or other incorrect data can be observed for flows that are received/parsed in the Network Activity tab. When this issue occurs, the following might be displayed in the user interface when viewing NETFLOW or JFLOW records:

  • IP addresses for flows might be displayed as 0.x.x.x addresses
  • Source bytes for the flow are only 10 bytes, but there are over 4 million packets.
06 December 2019
DOMAINS / TENANTS IJ17186 EVENTS CAN SOMETIMES BE DROPPED WHEN AN EVENT COLLECTOR IS USED FOR MULTIPLE TENANTS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that events can be dropped when an Event Collector is configured for use by Log Sources for multiple tenants. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[ecs-ec.ecs-ec] com.q1labs.semsources.filters.TenantQueuedEventThrottleFilter: [WARN] [Tenant:1:] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
06 December 2019
USER INTERFACE / PERFORMANCE IJ17018 QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO AN OUT OF MEMORY OCCURING WHEN USING THE ASSET API CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that in some instances the Asset API can cause Tomcat to experience an Out of Memory issue. When this occurs, the QRadar User Interface is inaccessible until the required services are working as expected. For example, this issue has been reported in cases where asset integration was completed through the Watson Advisor for QRadar application.
06 December 2019
MANAGE VULNERABILITIES / QRADAR VULNERABILITY MANAGER IJ16602 EXCEPTIONED VULNERABILITIES REAPPEAR IN MANAGE VULNERABILITIES TAB AFTER RESCANNING CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that vulnerabilities that have been exceptioned reappear in the Manage Vulnerabilities tab after rescanning.
06 December 2019
DATA NODE IJ16438 DATA NODES ADDED TO AN EVENT PROCESSOR IN PROCESSING ONLY MODE SHOW AS REBALANCING COMPLETED WITHOUT REBALANCE OCCURRING SUGGESTION Note: This issue is currently tagged closed as a suggestion for a future release.

Issue: It has been identified that after adding a Data Node to an Event Processor that is in Processing Only mode, rebalancing appears to complete quickly, but rebalancing of data to the new Data Node did not actually happen.

Comment: The goal of rebalancing is not to make free space % exactly equal across the cluster. The behavior mentioned works as designed.
06 December 2019
DEPLOY CHANGES IJ16640 QRADAR DEPLOY FUNCTIONS CAN TIMEOUT WHEN THE CERTIFICATE VALIDATOR FAILS DUE TO EMPTY CERTIFICATES BEING PRESENT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

Workaround: Remove the empty certificates from /opt/qradar/trusted_certificates and retry the deploy function. Contact Support if assistance is required with this task.

It has been identified that test_tomcat_connection.sh can take longer than expected to complete when empty certificates are present in /opt/qradar/trusted_certificates/. The Certificate Validator does not work and can lead to QRadar deploy functions timing out. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [localhost-startStop-1] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
[tomcat.tomcat] [localhost-startStop-1] at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)
[tomcat.tomcat] [localhost-startStop-1] at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)
06 December 2019
ADVANCED SEARCH (AQL) IJ16172 ADVANCED SEARCH (AQL) FAILS WHEN USING THE LABELS OF A CUSTOM EVENT PROPERTY FIELDS IN A GROUP BY CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that an Advanced Search (AQL) fails when using the labels (alias) of Custom Event Properties in a 'group by'.
06 December 2019
LOG SOURCE MANAGEMENT APP / USER INTERFACE IJ16160 TOMCAT OUT OF MEMORY CAN OCCUR WHEN ASSIGNING LOG SOURCES TO GROUPS IN SYSTEMS WITH VERY LARGE NUMBER OF LOG SOURCES CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that a Tomcat process out of memory can sometimes occur in QRadar environments with hundreds of thousands of Log Sources when assigning Log Sources to Log Source Groups using the Log Source Management App. When a Tomcat out of memory occurs, the QRadar User Interface becomes unavailable until all related services are running as expected.
06 December 2019
LICENSE IJ15970 QRADAR VULNERABILITY MANAGER (QVM) LICENSE WARNING BANNER CAN DISPLAY WHEN IT SHOULD NOT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that a QRadar Vulnerability Manager (QVM) license warning banner can be displayed when interfaces have been added to assets that have not been scanned by QVM. The asset count incorrectly includes the assets. The message appears similar to the following: WARNING: You have scanned {number} assets but are only licensed to scan {number} assets. License Update Required!
06 December 2019
API IJ16954 THE REST API FOR 'USERS' INCORRECTLY CHECKS USER NAMES FOR VALIDATION WHEN UPDATING FIELDS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that the REST API for 'users' in QRadar incorrectly checks user names for validation when updating fields. API response messages similar to the following can be observed when usernames with invalid characters (created using LDAP) exist:
{"http_response":{"code":500,"message":"Unexpected internal server error"},"code":12,"description":"","details":{},"message":"Endpoint invocation returned an unexpected error"}

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [-/- -]Request Exception
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Endpoint invocation returned an unexpected error
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java)
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java)
06 December 2019
USER INTERFACE / LOGIN IJ16944 QRADAR USER INTERFACE LOGIN MESSAGE LINE FORMATTING IS NOT WORKING AS EXPECTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when a line break is entered into a QRadar User Interface 'Login Message' it is converted into the line feed symbol (\n). When the request is made to generate the Console login page, the line feed remains in the html as is and no new lines are created. For example:
  1. Navigate to the Admin tab.
  2. Go to System Settings.
  3. Scroll to Login Message, and click Edit.
  4. Enter a new Login Message which contains line breaks.
  5. Save and deploy the changes.
  6. Log out of QRadar.

    Result
    The line breaks are not being detected.
06 December 2019
RULES / PERMISSIONS IJ16943 QRADAR USER CAN ACCESS CUSTOM RULE INFORMATION WHEN NOT GIVEN ACCESS TO 'VIEW CUSTOM RULES' AND 'MAINTAIN CUSTOM RULES' CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that QRadar users can access custom rules even when their access has not been granted to View Custom Rules and Maintain Custom Rules.

To replicate or validate this reported issue:
  1. Log in to the QRadar Console.
  2. Click the User Roles icon.
  3. Create a user with following user role permissions disabled:
    • View Custom Rules
    • Maintain Custom Rules
  4. Save the changes.
  5. Click Deploy Changes from the Admin tab.
  6. Login with that user.
  7. Navigate to the Offense tab.
  8. Click Offense search.

  9. Results
    The user cannot open the rule definitions or view the rule summary page, but can view all the rule Groups and list all available rules on the system. Rule names can be quite informative and specific to a particular domain and tenancy, and should not be exposed to a user with these role settings.
06 December 2019
BACKUP / RESTORE IJ17940 PERFORMING A RESTORE AND SELECTING 'CUSTOM RULE CONFIGURATION' ONLY DOES NOT INCLUDE REFERENCE DATA DEPENDENCIES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that performing a restore from a configuration backup with only Custom Rule Configuration selected does not include the reference data structures or the reference_data_rules table, and the restore fails. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR][127.0.0.1/- -] [-/- -]Unable to execute restore request
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore backup archive
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4423)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doRestore(BackupRecoveryEngine.java:5872)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.core.executor.RestoreExecutor$1.run(RestoreExecutor.java:70)
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test database restore failed... aborting restore process
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4307)
[hostcontext.hostcontext] [BackupServices_restore] ... 2 more
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test backup failed
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2881)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doTestRestore(BackupRecoveryEngine.java:2647)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4303)
[hostcontext.hostcontext] [BackupServices_restore] ... 2 more
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3007)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2868)
[hostcontext.hostcontext] [BackupServices_restore] ... 4 more
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2996)
[hostcontext.hostcontext] [BackupServices_restore] ... 5 more
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] java.lang.Exception: unable to execute sql statement: ALTER TABLE public.reference_data_rules ADD CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY (rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE;
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java:668)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.applyConstraints(PostgresAction.java:287)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2974)
[hostcontext.hostcontext] [BackupServices_restore] ... 5 more
[hostcontext.hostcontext] [BackupServices_restore] Caused by:
[hostcontext.hostcontext] [BackupServices_restore] org.postgresql.util.PSQLException: ERROR: insert or update on table "reference_data_rules" violates foreign key constraint "reference_data_rules_rule_id_fkey"
  Detail: Key (rule_id)=(126720) is not present in table "custom_rule".
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java)
[hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java)
[hostcontext.hostcontext] [BackupServices_restore] ... 7 more
06 December 2019
USER MANAGEMENT IJ16672 UNABLE TO CREATE USERNAMES CONTAINING WHITESPACE CHARACTERS AND AN INCORRECT WARNING MESSAGE IS DISPLAYED WHEN ATTEMPTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that attempting to create usernames containing whitespace no longer works as expected, and the error message displayed does not clearly identify that this is the reason the creation fails. The message generated is similar to:
"Username must not contain any of the following non-whitespace characters:
/ ' \ "
06 December 2019
LOGS / DISK SPACE IJ14984 LOGROTATE CONFIGURATION NEEDS TO BE UPDATED TO BETTER HANDLE /VAR/LOG/CRON.LOG CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that QRadar's logrotate configuration needs to be updated to better handle rotation of the /var/log/cron.log file to prevent it from growing too large.
06 December 2019
REPORTS IJ15667 REPORTS WITH ONLY ONE OUTPUT COLUMN FAIL TO GENERATE IN XLS FORMAT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

Workaround: Do not use the defaults. Attempt to run the report with lower configured limits (use less than 1000).

It has been identified that reports created with only one column fail to generate in XLS format. CSV and PDF reports with one column are created without issue. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: An error was encountered rendering the XLS version of the report [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Report Exception: admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
[report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "admin#$#79d06981-1cca-4954-a46b-18694b6afc1c" Error
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
[report_runner] [main] ... 1 more
[report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
[report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
[report_runner] [main] ... 1 more
06 December 2019
SYSTEM NOTIFICATIONS / MANAGED HOSTS IV94033 MANAGED HOSTS CONFIGURED USING IPV6 CANNOT PROPERLY TIME SYNC TO THE QRADAR CONSOLE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been observed that Managed Hosts that are added to a QRadar deployment and configured using IPV6 networking cannot properly time sync with their QRadar Console.

System Notification messages similar to the following might be visible when this issue occurs:
Low Level Category: Alert
Payload: Aug 29 14:40:04 127.0.0.1  [ERROR] [NOT:0150003100]
Time Synchronization to Console has failed - rdate: timeout
08 December 2019
UPGRADE / OFFENSES IJ14779 REQUIRED APPLIANCE REBOOT DURING QRADAR PATCHING CAN SOMETIMES CAUSE DATA LOSS, A SOFT CLEAN SIM, OR FILE CORRUPTION CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when a required appliance reboot occurs during QRadar patches (kernel update) there is the possibility of data loss, a corrupted offense model (forcing a Soft Clean SIM), or other file corruption. This issue can occur when QRadar processes are not allowed to shut down successfully prior to the appliance reboot.
06 December 2019
UPGRADE / LOG MANAGER IJ15560 UNABLE TO CONFIGURE BONDED MANAGEMENT INTERFACE USING QCHANGE AFTER MOVING FROM A 8028 TO 3128 APPLIANCE TYPE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that a bonded management interface cannot be configured using qchange_netsetup after moving from a QRadar Log Manager 8028 appliance type to a QRadar 3128 appliance type.

When following the wizard and selecting the All-in-one option, the "assign by functionality" window presents the error "Cannot switch an appliance id from 8028 to 3128". When Log Manager Console 8028 is selected instead, the error message displayed is:
Template change from Enterprise to Logger is not supported
06 December 2019
ADVANCED SEARCH (AQL) IJ15467 AQL OUTPUT IS INCORRECT WHEN USING SOURCEASSETNAME FILTER BASED ON PAYLOAD CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that performing an AQL search that contains the 'sourceassetname' filter based on payload generates incorrect AQL output when the Show AQL button output is pasted into Advanced Search.
06 December 2019
RULES / USER INTERFACE IJ15514 QRADAR RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that the QRadar Rules page in the User Interface can take longer than expected to load in instances where thousands of rules exist. Timeouts can sometimes occur while the Rules are being gathered by QRadar backend processes.

NOTE: A duplicate APAR IJ15515 was also created and sent via IBM My Notifications. Users who received this notice should refer to IJ15514 for the resolution to this issue.
06 December 2019
API / LOG SOURCE IJ15494 BULK EDITING/ADDING/DELETING A LARGE NUMBER OF LOG SOURCES CAN GENERATE A JVM EXCEPTION IN QRADAR LOGGING CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that when performing a bulk edit (including an add or delete) on a large number of Log Sources using the API or the Log Source Management app, a message similar to the following can sometimes be generated in /var/log/qradar.log:
tomcat[20763]: 05-Feb-2019 19:58:57.275 WARNING [ServerHostServices_PersisterTimer] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination objectChangeNotifications2 [Topic], limit of 100 producers would be exceeded user=qradar, broker=127.0.0.1:7676(7677)
08 December 2019
SEARCH / REFERENCE DATA IJ14001 IDENTITY EXCLUSION RULES ARE NOT LOADED WHEN THE FILTER CONTAINS A REFERENCE DATA RELATED SEARCH CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that the identity exclusion rules are not loaded when the filter contains a reference data related search. For example:
  1. Run a real time search with a filter containing a reference map.
  2. Add that search to the identity exclusion from Admin > Asset Profile Configuration > Manage Identity Exclusion.
  3. Modify the search and add the hasIdentity=true filter then save it to another search.
  4. Add the saved search from step 3 to manage identity exclusion.

    Results
    Events matching the hasIdentity=true filter are not displayed as expected.
06 December 2019
GEOGRAPHIC DATA / RULES IJ13413 GEOGRAPHIC RULE TESTS USING 'AND NOT WHEN THE SOURCE IS LOCATED IN OTHER' ARE NOT WORKING AS EXPECTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

Workaround: Users can leverage the geographic rule test "and when the source IP is a part of any of the following geographic network locations" as this function works as expected.

Issue: It has been identified that Rule tests for "and NOT when the source is located in other" matches all events, regardless of whether the Network Hierarchy has the GEO defined for the IP range or not.
06 December 2019
VULNERABILITY DETAILS / QRADAR VULNERABILITY MANAGER IJ16571 VULNERABILITY HISTORY LIST DATE ORDERING IS INCORRECT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when viewing vulnerability history lists, the ordering by date is incorrect.
In QRadar 7.3.1 versions, an error similar to the following is written to QRadar logging when this occurs:
[tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 17:05:13"
[tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 13:09:37"


Note: In QRadar 7.3.2 versions, the ordering by date is also incorrect, but the error is not present in the QRadar logs.
06 December 2019
QRADAR VULNERABILITY MANAGER / VULNERABILITY EXPORT IJ13700 VULNERABILITY SCAN RESULT CSV FILE CAN INCORRECTLY DISPLAY IP ADDRESSES ACROSS MULTIPLE COLUMNS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when a scan result is exported from the Vulnerability tab in CSV format, the generated .csv file can sometimes contain IP addresses spread across multiple columns, and the results are incorrect.

When this occurs, the scan result is not readable.
06 December 2019
REPORTS IJ11779 QRADAR VULNERABILITY MANAGER: REPORTRUNNER OUT OF MEMORY CAN OCCUR WHEN RUNNING THE DEFAULT SCAN SUMMARY REPORT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that a ReportRunner Out of Memory can sometimes occur when the default Scan Summary Report is run with the default limits configured.
06 December 2019
REPORTS IJ12226 FAILED XLS TABLE REPORT WITH "MERGED REGION A1 MUST CONTAIN 2 OR MORE CELLS" MESSAGES IN QRADAR LOGGING CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when attempting to generate an XLS table report which has no data accumulated for the period it is being generated for (i.e. weekly or monthly), the report fails and generates exception messages in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: An error was encountered rendering the XLS version of the report [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send report "09095b15-f5a3-486f-a7d7-15b57513fb3e" to test@email.com
[report_runner] [main] com.q1labs.frameworks.exceptions.FrameworksException: Unable to send mail message to: [test@email.com]
[report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
[report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
[report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.sendMessage(SMTPMail.java)
[report_runner] [main] at com.q1labs.reporting.Report.sendMail(Report.java)
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] javax.mail.MessagingException: IOException while sending message;
  nested exception is:
    java.io.FileNotFoundException: /store/tmp/reporting/WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517/XLS/09095b15-f5a3-486f-a7d7-15b57513fb3e.xls (No such file or directory)
[report_runner] [main] at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java)
[report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
[report_runner] [main] ... 5 more
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Report Exception: abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml
[report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e" Error
[report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] ... 1 more
[report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
[report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
06 December 2019
LOG ACTIVITY IJ15905 USING THE 'UPDATE' BUTTON ON A LOG ACTIVITY SEARCH PAGE THE DAY OF A DST (TIME) CHANGE MOVES THE START/END TIME ONE HOUR CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)
QRadar 7.3.1 Patch 8 IF03 (7.3.1.20190612151858)


Workaround: Edit the search Start/End times to adjust for the one hour change made by clicking the update button.

Issue: It has been observed that when the 'Update' button is clicked on a Log Activity search on the day that a DST change has occurred, the 'Start Time' and 'End Time' can shift by one hour.
06 December 2019
PERFORMANCE / CUSTOM PROPERTIES IJ11734 SOME SPECIFIC ARIEL CUSTOM EVENT PROPERTIES INDEXING CAN CAUSE ARIEL INDEXING AND RULE EVALUATION DEGRADATION CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that some Custom Event Properties (CEPs) indexing functions within QRadar can cause extra CPU overhead during Ariel Indexing and rule evaluation. When this occurs, QRadar performance degradation can sometimes be observed causing events to be routed directly to storage.
06 December 2019
SYSTEM NOTIFICATIONS / QRADAR VULNERABILITY MANAGER IJ10950 SYSTEM NOTIFICATION 'UNABLE TO DETERMINE ASSOCIATED LOG SOURCE' CREATED FOR SOME INFORMATIONAL VULNERABILITY EVENTS CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that some Vulnerability Manager information events are not parsed correctly by QRadar. The information events are similar to the following:
Message: Oct 10 10:09:28 127.0.0.1 [[type=com.eventgnosis.system.ThreadedEventProcessor][parent={hostname} : e cs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.q1labs.semsources.filters.trafficanalysis.TrafficAnalysisFilter: [WARN][127.0.0.1/- -] [-/- -]Unable to determine associated log source for IP address {IP_ADDR}. Unable to automatically detect the associated log source for IP address.
Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/frameworks.properties]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmprocessor.properties]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/console/conf/qvmkeystore.properties]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/db/conf/qvmdb.properties]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.conf]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.hostcontext.conf]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmhostedscanner.properties]
[qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmscanner.properties]
08 December 2019
API IJ10417 QRADAR VULNERABILITY MANAGER: API DOES NOT FACTOR RISK SCORE FOR RETURNED RESULTS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that when executing saved_searches against the QVM vuln_instances API that contain the risk score search parameter, the results ignore what is set for this parameter. For example:

If the risk score is set for greater than or equal to 7, results with risk scores less than 7 are returned when using the QVM API.
06 December 2019
CONNECTIONS IJ09314 QRADAR RISK MANAGER: '[REPORTING THREAD - SIMEVENT/SIMARC BUNDLE1]...PROFILER DROPPED XXXX EVENTS' MESSAGES IN QRADAR LOGGING CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that in some instances the QRadar Risk Manager arc builder thread/queue that processes events does not remove events from the queue quickly enough to prevent the queue from filling up. Messages similar to the following are generated in /var/log/qradar.log when this issue occurs:
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=1418, numFlowsProcessed=0, numNormalizedEventsProcessed=3249953, numNormalizedEventsSeen=3252830, numFlowsSeen=0, numEventsDropped=23376
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [WARN] [NOT:0080004102][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
[Ariel Writer#simevent] com.q1labs.ariel.searches.service.io.buffers.SharedBuffers: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]LZ4 segment is set to 16 pages
[Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=300000, numFlowsProcessed=0, numNormalizedEventsProcessed=981487, numNormalizedEventsSeen=9401352, numFlowsSeen=0, numEventsDropped=23376, numAllowArcsCreated=0, numDenyArcsCreated=300000
May 23 19:53:57 ::ffff:Oth.erE.C&EP.29 [arc_builder.arc_builder] [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [WARN][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
06 December 2019
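The Profiler stats records quoted for IJ09314 carry enough fields to quantify the backlog before the WARN line appears: numEventsDropped against numNormalizedEventsSeen gives a drop ratio per bundle. The Python below is an added example written for this page, not QRadar code; the sample log lines are constructed from the excerpt above, and the bundle/field names are taken from it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the arc_builder lines quoted above
# (values copied from that excerpt, host redacted as in the original).
SAMPLE_LOG = """\
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=1418, numFlowsProcessed=0, numNormalizedEventsProcessed=3249953, numNormalizedEventsSeen=3252830, numFlowsSeen=0, numEventsDropped=23376
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [WARN] [NOT:0080004102][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
[Ariel Writer#simevent] com.q1labs.ariel.searches.service.io.buffers.SharedBuffers: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]LZ4 segment is set to 16 pages
[Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=300000, numFlowsProcessed=0, numNormalizedEventsProcessed=981487, numNormalizedEventsSeen=9401352, numFlowsSeen=0, numEventsDropped=23376, numAllowArcsCreated=0, numDenyArcsCreated=300000
May 23 19:53:57 ::ffff:Oth.erE.C&EP.29 [arc_builder.arc_builder] [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [WARN][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
"""

# The reporting thread names the bundle; a syslog prefix may precede it.
THREAD_RE = re.compile(r"\[Reporting Thread - (?P<bundle>[^\]]+)\]")
# Everything after "Profiler stats:" is a comma-separated key=value list.
STATS_RE = re.compile(r"Profiler stats: (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\d+)")


@dataclass
class ProfilerStats:
    bundle: str
    values: Dict[str, int]

    @property
    def dropped(self) -> int:
        return self.values.get("numEventsDropped", 0)

    @property
    def seen(self) -> int:
        return self.values.get("numNormalizedEventsSeen", 0)

    @property
    def drop_ratio(self) -> float:
        """Fraction of events seen in the interval that the profiler dropped."""
        return self.dropped / self.seen if self.seen else 0.0


def parse_profiler_stats(line: str) -> Optional[ProfilerStats]:
    """Return the parsed record for a 'Profiler stats' line, else None."""
    m_thread = THREAD_RE.search(line)
    m_stats = STATS_RE.search(line)
    if not (m_thread and m_stats):
        return None
    values = {k: int(v) for k, v in KV_RE.findall(m_stats.group("kv"))}
    return ProfilerStats(m_thread.group("bundle"), values)


def find_dropping_bundles(log_text: str, max_ratio: float = 0.0) -> List[ProfilerStats]:
    """Profiler records whose drop ratio exceeds max_ratio (default: any drop)."""
    hits = []
    for line in log_text.splitlines():
        stats = parse_profiler_stats(line)
        if stats and stats.drop_ratio > max_ratio:
            hits.append(stats)
    return hits


if __name__ == "__main__":
    for s in find_dropping_bundles(SAMPLE_LOG):
        print(f"{s.bundle}: dropped {s.dropped} of {s.seen} ({s.drop_ratio:.2%})")
```

Feed it the arc_builder lines from /var/log/qradar.log to see which bundle is dropping and how heavily, interval by interval.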
QRADAR OPERATIONS APP IJ17924 INACTIVE REPORT CAN CAUSE A 'NULLPOINTEREXCEPTION' IN QRADAR LOGGING AND QRADAR OPERATIONS APP FAILS TO DISPLAY EPS RATE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

Workaround: Enable the inactive report identified in the error logs. For example:
Error calling function com.q1labs.cve.aql.GlobalViewFunction({REPORT_NAME}): java.lang.NullPointerException


Issue: In some instances an inactive report can cause a NullPointerException to be generated in the QRadar logs. When this issue occurs, the IBM QRadar Operations app can fail to display Event Per Second (EPS) data. Messages similar to the following might be visible in /var/log/qradar.log:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.cve.aql.GlobalViewFunction(): java.lang.NullPointerException
......
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] at com.q1labs.cve.aql.GlobalViewFunction.calculate(GlobalViewFunction.java)
or
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] at com.q1labs.cve.aql.GlobalViewFunction.calculate(GlobalViewFunction.java)
06 December 2019
ADVANCED SEARCH (AQL) IJ08965 AQL QUERIES CONTAINING ASSET FUNCTIONS CAN FAIL WHEN RUN AGAINST LARGE ASSET MODELS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that AQL queries containing ASSET functions can fail against large asset models.

When this occurs, applications such as UBA might display 404 error messages instead of usage data. Queries made on the Log Activity page might show "An error occurred during the search." instead of the intended search results. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: GenericAssetFunction function: Error during initialization com.q1labs.core.aql.AssetUserFunction
[ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5]    at com.q1labs.core.aql.GenericAssetFunction.initialize(GenericAssetFunction.java)
06 December 2019
DEPLOY CHANGES IJ15811 DEPLOY FULL CONFIGURATION DOES NOT COMPLETE (TIME OUT) WHEN THE FILE HOSTCONTEXT.NODOWNLOAD IS PRESENT CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
QRadar 7.3.3 (7.3.3.20191031163225).

Workaround: Remove the file /opt/qradar/conf/hostcontext.NODOWNLOAD on any affected Managed Host (or Console) and attempt the Deploy Full Configuration again. For full details, review the support technical note.
06 December 2019
PERFORMANCE / NETWORK INTERFACE IJ14133 INCORRECT RX AND TX RING BUFFER SETTINGS CAN CAUSE PERFORMANCE ISSUES ON BOND0 OR BOND1 MANAGEMENT INTERFACES CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that using bond0 for a QRadar management interface or bond1 for a crossover interface can have ethtool incorrectly set hardware parameters for the NIC driver tx and rx ring buffers for the bond interface instead of the underlying slave interfaces.
Because the hardware parameters apply to the actual slave interfaces, and because it is possible to bond different NICs (Broadcom, Intel 1 GB, Intel 10Gb, etc.), in some cases the hardware interfaces default to their boot-up driver values. Intel NICs can sometimes default to a setting of 256 out of 4096 for both tx and rx ring buffer settings.
When this situation occurs, SAR sentinel - threshold crossed messages referencing dropped packets or other performance related issues can sometimes be observed with QRadar.

To read more, see this forum discussion.
08 December 2019
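A direct way to check for the IJ14133 condition is to enumerate the bond's slave interfaces from sysfs and compare the current RX/TX ring sizes that `ethtool -g` reports for each slave with the pre-set maximums. The Python below is an added example, not part of the APAR or of QRadar; the `ethtool -g` output it parses is constructed to match the 256-of-4096 Intel default described above, and /sys/class/net/<bond>/bonding/slaves is the standard Linux bonding driver path.

```python
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed `ethtool -g` output for one slave (not captured from a real
# host), showing the 256-of-4096 default the APAR text describes.
SAMPLE_ETHTOOL_G = """\
Ring parameters for eth0:
Pre-set maximums:
RX:\t\t4096
RX Mini:\t0
RX Jumbo:\t0
TX:\t\t4096
Current hardware settings:
RX:\t\t256
RX Mini:\t0
RX Jumbo:\t0
TX:\t\t256
"""


@dataclass
class RingParams:
    maximums: Dict[str, int]
    current: Dict[str, int]

    def undersized(self) -> List[str]:
        """Ring names (RX/TX) whose current size is below the hardware maximum."""
        return [k for k in ("RX", "TX")
                if k in self.current and self.current[k] < self.maximums.get(k, 0)]


def parse_ethtool_g(output: str) -> RingParams:
    """Split `ethtool -g` text into its 'Pre-set maximums' and 'Current' sections."""
    section = None
    maximums: Dict[str, int] = {}
    current: Dict[str, int] = {}
    for line in output.splitlines():
        if line.startswith("Pre-set maximums"):
            section = maximums
        elif line.startswith("Current hardware settings"):
            section = current
        elif section is not None and ":" in line:
            name, _, value = line.partition(":")
            value = value.strip()
            if value.isdigit():  # skip "n/a" and blank values some drivers print
                section[name.strip()] = int(value)
    return RingParams(maximums, current)


def bond_slaves(bond: str) -> List[str]:
    """Slave interfaces of `bond` from sysfs; empty if the bond does not exist."""
    path = Path(f"/sys/class/net/{bond}/bonding/slaves")
    return path.read_text().split() if path.exists() else []


def check_bond(bond: str = "bond0") -> Dict[str, List[str]]:
    """Map each slave of `bond` to the rings currently set below their maximum."""
    report: Dict[str, List[str]] = {}
    for slave in bond_slaves(bond):
        # Query the slave, not the bond: the bond device reports nothing useful here.
        out = subprocess.run(["ethtool", "-g", slave], capture_output=True,
                             text=True, check=False).stdout
        report[slave] = parse_ethtool_g(out).undersized()
    return report


if __name__ == "__main__":
    for bond in ("bond0", "bond1"):
        for slave, rings in check_bond(bond).items():
            status = "OK" if not rings else "below max: " + ", ".join(rings)
            print(f"{bond}/{slave}: {status}")
```

Run it as root on the appliance; a slave listed as "below max" is a candidate for the condition, and the fix pack listed above is the supported remedy.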
FLOWS / NETWORK ACTIVITY IJ15473 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME' INSTEAD OF THE EXPECTED HOSTNAME CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that Flow Source column and Flow Interface column in the Network Activity tab can display "HOST_NAME" instead of the expected hostname.
08 December 2019
UPGRADE IJ03411 POST_INSTALL.SH SCRIPT THAT RUNS DURING THE PATCH PROCESS CAN CAUSE MULTIPLE LOGROTATE FILES TO BE CREATED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

The post_install.sh script that runs during the QRadar patch updates can sometimes not complete cleanly. When this occurs, two logrotate files can be created (logrotate.orig and logrotate.rej) in the same directory.

Having multiple logrotate files under /etc/cron.hourly can cause multiple conflicts and race conditions within QRadar.

Messages similar to the following might be visible in the patches.log file when this issue occurs:

Sat Dec  9 10:54:38 ADT 2017: [create_nobody_dirs] mkdir -p /store/sentry/db
Sat Dec  9 10:54:38 ADT 2017: [create_nobody_dirs] chown nobody.nobody /store/sentry/db
patching file /etc/cron.hourly/logrotate
Hunk #1 succeeded at 3 with fuzz 1.
Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /tmp
Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/audit
Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/dca/old
08 December 2019
SCAN RESULTS / QRADAR VULNERABILITY MANAGER IJ02466 'AN ERROR OCCURRED EXECUTING THE QVM SCAN. PLEASE TRY AGAIN LATER' WHEN RUNNING ON DEMAND SCAN CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that when the QVM processor is not running on the Console server and the Run Vulnerability Scan option is chosen from an asset's right-click menu, the scan runs as expected, but an error message similar to the following might be generated in the user interface window: "An Error occurred executing the QVM Scan. Please try again. If this error persists please contact Customer Support."

Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs:
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.assetprofile.bean.action.QVMScanAction: [ERROR][127.0.0.1/- -] [-/- -]An error occured executing QVM On-Demand Scan.
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.console.qvm.QVMClientException: An error occurred executing operation.
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.console.qvm.QVMClientImpl.executeOperation(QVMClientImpl.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.sem.ui.semservices.QVMServicesImpl.runOnDemandScan(QVMServicesImpl.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.assetprofile.bean.action.QVMScanAction.runOnDemandScan(QVMScanAction.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at java.lang.reflect.Method.invoke(Method.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java)
[tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java)
08 December 2019
BACKUP / RESTORE IJ12106 RESTORING A CONFIGURATION BACKUP DOES NOT RESTORE CUSTOM_FUNCTION TABLES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been identified that the custom_functions tables are not restored correctly when using a configuration backup on the QRadar Console.
08 December 2019
SCAN RESULTS / QRADAR VULNERABILITY MANAGER IV96156 PATCH SCANNING RETURNS SUGGESTION FOR AN AIX PATCH THAT DOES NOT EXIST CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

It has been observed in some instances that QRadar Vulnerability Manager patch scanning can suggest patches for AIX that are not currently available.
08 December 2019
SCAN EXCLUSIONS IV93272 QRADAR VULNERABILITY MANAGER: SCAN EXCLUSION PAGE CAN SOMETIMES HANG FOR AN EXTENDED PERIOD OF TIME WHEN ADDING MULTIPLE, LARGE IP RANGES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

Workaround: Adding one IP range per scan exclusion can help to alleviate the User Interface page unresponsiveness.

Issue: It has been observed when adding multiple, large IP ranges (example: x.x.x.1-255) to a Scan Exclusion belonging to a Domain containing other scanners, that the Scan Exclusion page can hang (be unresponsive) for an extended period of time.
08 December 2019
FORWARDED EVENTS / MANAGED HOST IV84190 EVENT/FLOW FORWARDING USING ENCRYPTED OFFSITE SOURCE AND TARGET CAN NOT BE ACCOMPLISHED SUCCESSFULLY CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

Workaround: Where possible: Do not use the encryption option for offsite source and target event/flow forwarding until this issue is resolved.

Issue: Forwarding normalized Events and Flows using encrypted offsite source and targets cannot be configured successfully to an event collector on a managed host.

The initial configuration process succeeds in the User Interface, but the authorized_keys file in /root/.ssh is overwritten without the offsite source's keys during the Deploy Changes step required after configuration.
08 December 2019
SECURITY BULLETIN CVE-2019-4509 IBM QRadar SIEM is vulnerable to incorrect authorization in some components CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
SECURITY BULLETIN CVE-2019-9500
CVE-2019-11810
CVE-2019-11599
CVE-2019-7222
CVE-2019-5489
CVE-2019-3900
CVE-2019-3882
CVE-2019-3460
CVE-2019-3459
CVE-2018-18281
CVE-2018-16885
CVE-2018-16658
CVE-2018-15594
CVE-2018-14734
CVE-2018-14625
CVE-2018-13095
CVE-2018-13094
CVE-2018-13093
CVE-2018-13053
CVE-2018-10853
CVE-2018-9517
CVE-2018-9516
CVE-2018-9363
CVE-2018-8087
CVE-2018-7755
CVE-2019-11811
CVE-2019-11085
CVE-2018-16884
CVE-2018-16871
CVE-2019-1125
IBM QRadar SIEM is vulnerable to multiple Kernel vulnerabilities CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
SECURITY BULLETIN CVE-2017-7656
CVE-2017-7657
CVE-2017-7658
CVE-2018-12536
IBM QRadar SIEM is vulnerable to Jetty Vulnerabilities CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)
QRadar 7.2.8 Patch 17 (7.2.8.20190910154321)
06 November 2019
SECURITY BULLETIN CVE-2019-4454 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
SECURITY BULLETIN CVE-2019-4470 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
SECURITY BULLETIN CVE-2019-4581 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 05 November 2019
SECURITY BULLETIN CVE-2019-10088
CVE-2019-10093
CVE-2019-10094
Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
SECURITY BULLETIN CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
IBM QRadar SIEM is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)
QRadar 7.2.8 Patch 17 (7.2.8.20190910154321)
06 November 2019
SECURITY BULLETIN CVE-2019-10173 XStream as used by IBM QRadar SIEM is vulnerable to OS command injection CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 20 November 2019
REPORTS IJ18488 REPORT DOES NOT CHART THE TOP 5 DESTINATION PORTS FOR TIME VS COUNT CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that Reports do not chart the top 5 destination ports for Time vs Count as expected. The chart is generated, but it charts 5 destination ports at random instead of the expected top 5 destination ports by Time vs Count.

Note: Running the Saved Search on which the report is based returns the proper results, ordered by top 5 destination ports (by count).
05 November 2019
MANAGED HOSTS IJ10406 ATTEMPTING TO RE-ADD A MANAGED HOST (MH) THAT ORIGINALLY FAILED TO ADD DUE TO TIMEOUT CAN LEAVE THE MH IN A STUCK STATE CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that when a Managed Host fails to add due to timeout, re-attempting to add it again can fail and cause the Managed Host to be in a stuck state, unable to successfully add to the deployment. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [IPADDRESS] com.q1labs.configservices.capabilities.CapabilitiesHandler:
[ERROR][IPADDRESS/- -] [-/- -]Failed to inject deployment model for appliance type 1599
[tomcat.tomcat] [127.0.0.1] com.q1labs.configservices.common.ConfigServicesException: Failed to inject deployment [default]. Managed host IPADDRESS already exists in deployment model[default].
[tomcat.tomcat] [127.0.0.1] at com.q1labs.configservices.schemaext.DeploymentExtension.injectDeploymentModel(DeploymentExtension.java:1320)
05 November 2019
APPLICATION FRAMEWORK IJ20143 DOCKER IPTABLES CAN GROW UNEXPECTEDLY IN SIZE WHEN APPS ARE INSTALLED/MIGRATED/REMOVED CAUSING DEPLOYS TO FAIL CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that /etc/docker/docker_iptables.sh can grow in size unexpectedly when QRadar Apps are installed/migrated/removed. Performing QRadar Deploy functions can sometimes fail when this issue is occurring.
05 November 2019
UPGRADE / PRETEST IJ16960 THE QRADAR PATCH PRETEST FAILS WHEN A BACKUP IS IN 'MISSING' STATE IN THE DATABASE CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that /etc/docker/docker_iptables.sh can grow in size unexpectedly when QRadar Apps are installed/migrated/removed. Performing QRadar Deploy functions can sometimes fail when this issue is occurring.
05 November 2019
UPGRADE / INSTALL IJ16041 QRADAR INSTALLATION HANGS WHEN USING COMPRESSED IPV6 ADDRESS CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that when using compressed IPv6 on a QRadar installation, the installation hangs during the local CA generation.
05 November 2019
GEOGRAPHIC DATA IJ11947 GEOGRAPHIC LOCATION IS USING IPV4 ADDRESS WHEN CONFIGURED IN RULES INSTEAD OF THE IPV6 ADDRESS CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that only IPv4 addresses are queried for source/destination geographic location under NormalizedEventProperties.java. This can cause QRadar to use the geographic location of an IPv4 address in rules instead of the expected IPv6 source address location.

For example:
1. Have events whose logs contain both a source IP and a source IPv6 address, where the source IP resolves to a different country than the source IPv6 address.
2. Create a search, adding the source geographic location column.
3. The source geographic location should take the source IPv6 address's country by default, but it takes the source IP's country instead.
05 November 2019
HIGH AVAILABILITY (HA) / PORT SCAN IJ14440 'EXCEPTION NOT HANDLED. UNDEFINED BEHAVIOR' MESSAGE IN LOGGING ON QRADAR HIGH AVAILABILITY APPLIANCES CLOSED Resolved in:
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
QRadar 7.3.3 (7.3.3.20191031163225).

It has been identified that messages similar to the following might be visible in /var/log/qradar.log on High Availability (HA) appliances when a Qualys scanner is configured to target a wide range of ports, including port 10101:
[ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][/- -] [-/- -]read socket Socket[addr=/QUALYS_SCANNER,port=57459,localport=10101] returns -1
[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.HAManager: [FATAL] [/- -] [-/- -]Exception not handled. Undefined behavior
[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.protocol.ProtocolException: Unknown protocol version -128.49
05 November 2019
RULES / LOG SOURCE IJ15665 DEVICE (+TYPE +GROUP) STOPPED SENDING EVENTS RULE TEST IS NO LONGER FIRING THE PROPER 'DEVICE STOPPED SENDING EVENTS' EVENT CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that QRadar is sometimes not generating the proper 'device stopped sending events' event when the rule test fires (QID 38750074). A new event is generated if the "new event" response is selected, but it does not contain any identifiable information about the log source that stopped sending.
05 November 2019
OFFENSES / DOMAIN MANAGEMENT IJ16738 USERS ASSIGNED TO A DOMAIN DO NOT HAVE ACCESS TO OFFENSES WHERE THE TARGET IS FROM THE NETWORK "OTHER" CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that when a user is assigned to a Domain, that user cannot view an Offense where the target is from the Network "Other".
05 November 2019
SCAN PROFILE / QRADAR VULNERABILITY MANAGER IJ17416 SCAN PROFILES WHICH USE PUBLIC KEY AUTHENTICATION DO NOT WORK CORRECTLY AFTER UPGRADING TO QRADAR VULNERABILITY MANAGER (QVM) 7.3.2 CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

Workaround: Edit the Scan Profiles to remove the credentials, then add new credentials containing only a user name.

Issue: It has been identified that Scan Profiles which use public key authentication do not work correctly after upgrading to QRadar 7.3.2. The upgrade results in an invalid password being added to the Scan Profiles, resulting in authentication failures during a scan.

When this occurs, differences in scan results before and after applying QRadar 7.3.2 can be observed.
05 November 2019
DEPLOY CHANGES IJ18582 'UNABLE TO DEPLOY CHANGES, COULD NOT RETRIEVE UNDEPLOYED CHANGE LIST -- THE REQUEST TIMED OUT.' CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that in some instances, QRadar Vulnerability Manager .rpm files contained within an AutoUpdate installation can take longer than expected to install and generate messages in the QRadar User Interface similar to:

"Unable to deploy changes, Could not retrieve undeployed change list -- the request timed out."
05 November 2019
OFFENSES / USER AUTHENTICATION (LDAP) IJ17323 SOURCE IP OR DESTINATION IP FILTER IS NOT AN AVAILABLE TEST OPTION FOR 'COMMON' RULES CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that QRadar LDAP users whose user names contain invalid characters cannot assign or close Offenses. Invalid characters are defined by this regular expression:
[\t\n\f\r\p{Z}-[ ]]

A message similar to the following is generated in the QRadar User Interface:
Application error
An error has occurred. Return and attempt the action again. If the problem persists, please contact customer support for assistance.


Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (1286) /console/do/sem/properties] java.lang.IllegalArgumentException: userName is not a valid user or authorized service: user@domain
05 November 2019
REPORTS IJ17229 SHORT REPORTS CONFIGURED WITH LINE OR BAR CHARTS CAN FAIL TO GENERATE WITH AN SQL EXCEPTION WRITTEN TO QRADAR LOGGING CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that short reports (hourly or manual reports that are run on raw data) return errors when executing and fail to generate when configured to use line or bar graphs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][-/- -]Error generating SQL chart
[report_runner] [main] java.lang.RuntimeException: Error generating SQL chart
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.(SQLChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java)
[report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java)
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.sql.SQLException: Unable get Long value for [com.q1labs.core.dao.util.Host]
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java:293)
[report_runner] [main] ... 9 more
05 November 2019
REPORTS IJ17199 REPORT Y-AXIS VALUE PLOTTED CAN BE PULLED FROM DIFFERENT COLUMN THAN WHAT WAS CONFIGURED FOR THE REPORT CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that QRadar plots the second column of a saved search result as the Y-axis interval in the bar chart of a report, regardless of the parameter selected. To confirm or replicate this issue:

Create a search
  1. Create a search Group By: Username.
  2. Run the search for the last hour and confirm that the bar chart Y-axis uses the Count value.
  3. Save the search as Test2.
  4. Create an hourly report with top and bottom sections.
  5. Create a report with two containers for graph data.

For the top chart container:
  1. Chart Type: Event/Logs
  2. Use saved search Test2
  3. Graph Type: Bar
  4. Horizontal (X) Axis: Username
  5. Vertical (Y) Axis: Count

For the bottom chart container:
  1. Use saved search Test2
  2. Graph Type: Table

Results
Expected: The Y-Axis uses the values 'Count'
Actual: Y-Axis incorrectly uses the 'Event Name (Unique Count)'
05 November 2019
LOG MESSAGES IJ15784 'NO JSESSIONID PASSED WITH COOKIE' MESSAGES IN QRADAR LOGS CLOSED Resolved in:
QRadar 7.3.3 (7.3.3.20191031163225)
QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

It has been identified that repeated messages similar to the following might be visible in /var/log/qradar.error and qradar.log:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.core.shared.jsonrpc.RPC:
[WARN][127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie.
[ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.core.shared.jsonrpc.RPC:
[WARN] [127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie.
05 November 2019
SYSLOG REDIRECT PROTOCOL IJ03249 AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS OPEN: Reported in PROTOCOL-SyslogRedirect-7.2-20170426083458 No workaround available.

It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol can have incorrect Log Source Identifiers listed, due to an issue with a regular expression used within the Protocol.

This issue is to be corrected in a future release of the SyslogRedirect Protocol.
28 March 2018
IPv6 / UNIVERSAL DSM / OFFENSES IJ11715 OFFENSES CAN STOP GENERATING WITH ‘FAILED TO CREATE/READ OFFENSE DEVICE FOR ID : 0’ EXCEPTION MESSAGE IN LOGS OPEN: Reported in QRadar 7.3.1 Patch 6 When Offenses are not being generated because of this specific issue, performing a Soft Clean of the SIM model can correct the behavior. See the following for more information on performing a Soft Clean of the SIM model: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/t_tuning_guide_tuning_cleaning_sim_model.html

It has been identified that offenses can stop being generated because the QRadar GenericDSM parsing process does not handle IPv6 addresses correctly when setting the host source address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.commands.offense.OffenseDeviceCreateCommand: [ERROR] [-/- -]Failed to create/read offense device for id: 0
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [-/- -]Exception encounted when executing transaction 186609.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] java.lang.NullPointerException
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyLightDAOBatchUpdate(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyOffenseKeys(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.persistDirtyModel(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.TxStateManager.playCurrent(TxStateManager.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister$Persister.run(ModelPersister.java)
03 December 2018
DASHBOARD IJ12103 STAT FILTER INTERVAL PEAK VALUES CAN BE INCORRECT CAUSING INACCURATE EPS TO BE REPORTED CLOSED Resolved in QRadar Baseline Maintenance extension v1.0.5 or later.

Administrators can review the official documentation for a change list of updates related to the Baseline Maintenance Content Extension.

Issue: It has been identified that Stat Filter data values can sometimes be inaccurate for the interval peak value. When this occurs, EPS values reported in QRadar can be incorrect or inconsistent with actual event counts.
26 August 2019
DASHBOARD IJ17440 STATFILTER EVENT PER SECOND (EPS) REPORTING CAN VARY IN ACCURACY OPEN: Reported in QRadar 7.2.8 No workaround available.

Issue: It has been identified that, because of the way StatFilter calculates Events Per Second (EPS), variations in the performance of the appliance it runs on can cause differences in the accuracy of the EPS metrics that are calculated and reported.
05 July 2019
MANAGED HOST IJ07896 CONFIGSERVICES PASSWORD CONTAINING MULTI-BYTE CHARACTERS CAUSES ‘ADD HOST’ PROCESS TO FAIL CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121)

It has been identified that the Add Host process (Admin > System and License Management > Deployment Actions > Add Host) fails when the configservices password (used within QRadar) has been changed to include multi-byte characters. Messages similar to the following might be visible in /var/log/qradar.error when attempting to add a Managed Host to the QRadar deployment while the configservices password includes multi-byte characters:
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Add host failed trying to add
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] java.lang.ArrayIndexOutOfBoundsException
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.guessLength(DatatypeConverterImpl.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl._parseBase64Binary(DatatypeConverterImpl.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.parseBase64Binary(DatatypeConverterImpl.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverter.parseBase64Binary(DatatypeConverter.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.Crypto.decrypt(Crypto.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [-/- -]Unable to add managed host. The ip of the host is:a.b.a.c.dd
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
[hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher]    ... 3 more
[tomcat.tomcat] [Thread-2051] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: null
19 July 2018
SECURITY BULLETIN CVE-2019-11477
CVE-2019-11478
CVE-2019-11479
LINUX KERNEL AS USED IN IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in:
QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019)
QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60)
19 September 2019
SECURITY BULLETIN CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2019-11091
IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO INTEL MICROARCHITECTURAL DATA SAMPLING (MDS) VULNERABILITES CLOSED Resolved in:
QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019)
QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60)
19 September 2019
AMAZON AWS S3 REST API PROTOCOL IJ18861 LOGS STOP COLLECTING AND A ‘REQUESTTIMETOOSKEWED’ ERROR IN QRADAR LOGGING WHEN USING AMAZON AWS S3 REST API PROTOCOL OPEN: Reported in QRadar 7.3.1 Patch 3 and later Workaround: If possible, implement an AWS V4 REST API connection to avoid the issue.

Issue: It has been identified that logs can stop being collected when using the Amazon AWS S3 REST API Protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

[ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRestV2InputStream: [ERROR][-/--] <?xml version="1.0"encoding="UTF-8"?>
<Error><Code>RequestTimeTooSkewed</Code>
<Message>The difference between the request time and the current time is too large.</Message>
<RequestTime> Fri, 10 Aug 2019 24:09:49 +0000</RequestTime>
<ServerTime> 2019-08-10T00:09:51Z</ServerTime>
17 September 2019
LOG SOURCE MANAGEMENT APP (LSM) / OPSEC LEA PROTOCOL IJ19050 ‘INVALID CERTIFICATE FILENAME’ WHEN USING THE LOG SOURCE MANAGEMENT APP TO CONFIGURE A CHECK POINT LOG SOURCE OPEN: Reported in QRadar 7.3.1 Patch 3 and later Workaround: Use the legacy Log Source User Interface to edit your Check Point log source as this issue is only seen when using the Log Source Management App.

Issue: It has been identified that when using the Log Source Management App to configure a Check Point Log Source, messages similar to the following might be returned on POST:

curl -s -X POST -u user -H 'Content-Type: application/json' -H 'Version: 9.1' -H 'Accept: application/json' --data-binary '{ "description": "New Description for CheckPoint Firewall" }' 'https://server.domain.com/api/config/event_sources/log_source_management/log_sources/8311'
Response:
{
  "http_response": {
    "code": 422,
    "message": "The request was well-formed but was unable to be followed due to semantic errors"
  },
  "code": 1021,
  "description": "The protocol parameter value does not match the allowed pattern.",
  "details": {
    "parameter_value": "opsec_cert_10.10.10.10.p12",
    "parameter_name": "certificateFilename",
    "parameter_id": 2080
  },
  "message": "Invalid certificate file name"
}
09 September 2019
WINCOLLECT IJ18859 WINCOLLECT AGENT CAN STOP SENDING EVENTS UNEXPECTEDLY OPEN: Reported in WinCollect 7.2.9 Workaround: Restarting the WinCollect Agent can resume event sending processes with the affected Agent in these instances. Note: This is a temporary workaround. If the same issue arises with Microsoft Windows “EvtSubscribe”, the WinCollect Agent can stop sending events again.

Issue: It has been identified that in some instances a WinCollect Agent can stop sending events unexpectedly when Microsoft Windows “EvtSubscribe” fails to send notifications that new events have arrived.
09 September 2019
UPGRADE IJ00884 WHEN PATCHING FROM 7.2.4 TO 7.2.8 OR GREATER THE PATCH MAY FAIL IF THE NON-ADMIN ROLE HAS API PERMISSIONS CLOSED This issue has been closed as a cancelled APAR.

Workaround: Either uncheck the API permissions in all user roles that use it, or delete the roles themselves.

When QRadar version 7.2.4 is patched to 7.2.8 or later, the patch or upgrade may fail because a non-admin user has API permissions in their user role. To determine whether a failed patch or upgrade was caused by this issue, check /var/log/setup-7.x.x.x.x.x.x/qradar_setup.log for messages similar to the following:
Running pretest 'QVM Flatten Check'
removing /tmp/qvmsqlskip if it exists
QVM Database schema is OK - no flatten will happen during patching
Done running pretest 'QVM Flatten Check'
Running precheck scripts: (1/14)
Precheck failed:
"/media/updates/scripts/725_patch_80235.install --mode precheck"
[ERROR](testmode) The patch has been aborted at the user's request.
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
[INFO](testmode) Set qradarconsole status to 'Patch Test Failed'
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
10 April 2018
CUSTOM ACTION SCRIPTS IJ15444 EDITING THE CUSTOM FIXED PARAMETERS IN A CUSTOM ACTION SCRIPT CHANGES THE ORDER OF DATA OUTPUT WHEN THE SCRIPT IS RUN CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

Workaround: Remove all the parameters and add them in the desired (original) order. You can also change the script variables order to match the required parameters.

It has been identified that after editing the custom Fixed Property parameters in a custom action script, the incorrect data order is output when the custom action script is run.
16 May 2019
INSTALLATION IJ18833 QRADAR INSTALLATION CAN FAIL DURING GET_MYVER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a QRadar installation can fail with an error similar to the following being displayed on screen:
Failed. Exit code:1. Message:
ERROR: Failed to run '/opt/qradar/bin/qradar_setup' script: 1
Traceback (most recent call last)
  File "/opt/qradar/bin/qradar_netsetup.py", line 3913, in <module>
    main ()
  File "/opt/qradar/bin/qradar_netsetup.py", line 3910, in main
    qradarNetsetup.finalBlock(exc=e)
  File "/opt/qradar/bin/qradar_netsetup.py", line 3753, in finalBlock
    myvermap = get_myver()
  File "/opt/qradar/bin/ibm_os_utils.py", line 272, in get_myver
    map = eval(buffer)
  File "<string>", line 1
    Device "ens192
                           ^
SyntaxError: EOL while scanning string literal
System setup failed. Please logout/login on the console terminal to reconfigure system.
05 September 2019
SEARCH IJ05777 NEW ARIEL SEARCHES ARE UNABLE TO START DURING DELETE OF /TRANSIENT CURSOR FILES OPEN: Reported in QRadar 7.3.0, 7.3.1, and 7.3.2 versions No workaround available.

It has been identified that new QRadar searches are unable to start while cursor files in /transient are being deleted, because Ariel connection issues occur during the deletion. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [Token: Local Health Console@127.0.0.1 (60) /console/restapi/api/ariel/searches] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Failed to connect to ariel server. Please try again later

During the same time stamps as the message above, messages similar to the following are being generated in /var/log/qradar.log:
[ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 7 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:14
[ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 8 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:15
17 April 2018
PROTOCOL / AMAZON AWS REST API IJ16603 AMAZON CLOUD TRAIL LOG SOURCE UNABLE TO PULL LOGS FROM AN S3 BUCKET WHEN A TILDE '~' EXISTS IN A FILENAME OR DIRECTORY OPEN: Reported in PROTOCOL-AmazonAWSRESTAPI-7.3-20180627173947 Workaround: Modify directories and filenames to avoid using tilde '~' characters.

It has been identified that the Amazon CloudTrail Log Source type is unable to pull logs from the S3 bucket when a tilde '~' is used in filenames or directories. The Log Source message when this occurs is similar to the following:
ERROR - Error authenticating with Amazon S3 Bucket - update configuration and save or disable/enable the log source to retry
ERROR - SignatureDoesNotMatch - The request signature we calculated does not match the signature you provided. Check your key and signing method.
28 August 2019
LOG SOURCE MANAGEMENT APP / PROTOCOL IJ15594 ‘SOURCE NAME REGEX’ AND ‘SOURCE NAME FORMATTING STRING’ DISPLAYED WHEN SHOW ADVANCED OPTIONS IS SET TO ‘NO’. OPEN: Reported in PROTOCOL-UDPMultilineSyslog-7.3-20170321173400 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when using the Log Source Management App, the UDP Multiline Syslog protocol type has the Source Name Regex and Source Name Formatting String displayed in the user interface when Show Advanced Options is set to No. The advanced options should only be visible to users when Show Advanced Options is set to Yes.
28 August 2019
REPORTS / ADVANCED SEARCH (AQL) IJ17433 ADVANCED SEARCH (AQL) THAT INCLUDES ‘HAVING’ CLAUSE GENERATES AN APPLICATION ERROR WHEN USED IN SCHEDULED REPORTS OPEN: Reported in QRadar 7.3.2 Patch 1 Workaround: Reports generate as expected when using the manual report option instead of scheduled, or using AQL without the “HAVING” clause.

It has been identified that an 'Application Error' dialog is generated in the Report Wizard when a scheduled report uses an AQL query that includes a HAVING clause.

To recreate this issue:
  1. From the Log Activity tab, create a search using a HAVING clause in AQL. For example:
    select count(*) as '# event count', QIDNAME(qid) As 'event
    name',CATEGORYNAME(category) as
    'LLC',sourceip,destinationip,LOGSOURCENAME(logsourceid) as 'log source'
    from events where LOGSOURCENAME(logsourceid) ILIKE 'SIM Audit%'
    GROUP BY QIDNAME(qid)
    HAVING "LLC" = 'SIM User Action' and "# event count" < '10.0'
  2. From the Reports tab, click Actions -> Create -> Next, and select Weekly.
  3. Use the standard time parameters and click Next.
  4. Select a container type for the report.
  5. From the Chart Type list box, select Events/Logs, then click Define.
  6. Select the saved search that contains the AQL from Step 1, provide a name and save the container.
  7. At the end of the Report Wizard, click Finish.

Results
An 'Application Error' dialog appears and the report is not generated.


Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] com.q1labs.reports.ui.action.ReportWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error setting chart data for chart Events/Logs
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] java.lang.IllegalArgumentException: key should not be null
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.(IndexTree.java:166)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.(IndexTree.java:143)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.create(IndexTree.java:115)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.create(IndexTree.java:124)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor$CriceriaProcessor.process(CVEAggregator.java:74)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor$CriceriaProcessor.process(CVEAggregator.java:69)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.useTree(IndexTree.java:254)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.ariel.IndexTree.useTree(IndexTree.java:256)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor.processCriceria(CVEAggregator.java:131)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.accumulation.definition.VirtualViewDefinition.createAggregator(VirtualViewDefinition.java:782)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.attach2Config(GlobalViewConfiguration.java:384)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.createVirtualView(GlobalViewConfiguration.java:361)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.accumulation.definition.GlobalViewsManager.createView(GlobalViewsManager.java:312)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.cve.accumulation.definition.GlobalViewsManager.createViewWithReference(GlobalViewsManager.java:392)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.reporting.charts.ArielChart.createVirtualView(ArielChart.java)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.reporting.charts.ArielChart.setData(ArielChart.java)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java:261)
[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
08 July 2019
EMAIL NOTIFICATIONS IJ16965 QRADAR CAN STOP SENDING EMAIL NOTIFICATIONS WHEN SMBTAIL HAS TOO MANY OPEN PORT CONNECTIONS OPEN: Reported in QRadar 7.2.8 versions Workaround: Performing a restart of the ecs-ec service from an SSH connection to the QRadar Console can temporarily correct this condition.

It has been identified that in some instances, Log Sources configured with the SMBTail protocol that are in an Error state can consume too many port connections, causing QRadar to stop sending email notifications. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]
com.q1labs.sem.util.EmailSender: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Exception attempting to
send email: Sending the email to the following server failed :
localhost:25
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]
org.apache.commons.mail.EmailException: Sending the email to
the following server failed : localhost:25
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
org.apache.commons.mail.Email.sendMimeMessage(Email.java:1242)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
org.apache.commons.mail.Email.send(Email.java:1267)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.q1labs.sem.util.EmailSender.send(EmailSender.java:137)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.q1labs.semsources.destinations.EmailDestination.outputEvent(
EmailDestination.java:42)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.eventgnosis.system.ThreadedEventTerminator.run(ThreadedEvent
Terminator.java:51)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
java.lang.Thread.run(Thread.java:785)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]] Caused by:
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]
javax.mail.MessagingException: Could not connect to SMTP host:
localhost, port: 25;
nested exception is:
   java.net.BindException: Address already in use (Bind failed)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.ja
va:311)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
javax.mail.Service.connect(Service.java:233)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
javax.mail.Service.connect(Service.java:134)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
javax.mail.Service.connect(Service.java:86)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
com.sun.mail.smtp.SMTPTransport.connect(SMTPTransport.java:144)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
javax.mail.Transport.send0(Transport.java:150)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
javax.mail.Transport.send(Transport.java:80)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]]   at
org.apache.commons.mail.Email.sendMimeMessage(Email.java:1232)
[ecs-ep]
[[type=com.eventgnosis.system.ThreadedEventTerminator]
[parent={host}:ecs-ep/EP/EmailDestination]] ... 5 more
28 August 2019
REPORTS IJ18481 'DAILY "START TIME" MUST BE BEFORE "END TIME"' MESSAGE WHEN SELECTING PREVIOUS DAY START TIME BETWEEN 12AM AND 12:45AM OPEN: Reported in QRadar 7.3.1 Patch 5 No workaround available.

It has been identified that the Report container can fail to save and displays a pop-up message similar to "Daily 'Start Time' must be before 'End Time'" when "Data of previous day" is used and a start time between 12:00 AM and 12:45 AM is selected in the daily scheduling of a report.
26 August 2019
DEVICE SUPPORT MODULE (DSM) IJ16412 MICROSOFT OFFICE 365 DSM IS POPULATING THE IPV4 LOG SOURCE ADDRESS AS SOURCE IP WHEN IT SHOULD BE USING IPV6 ADDRESS OPEN: Reported in DSM-MicrosoftOffice365-7.3-20190226183934 Workaround: From the Admin tab > DSM Editor user interface, create an override for the Source IP in QRadar that substitutes 0.0.0.0 when an IPv6 address is present in the ClientIP of the event payload. This change prevents the packet IP address from being entered into the Source IP address field in IPv4 format when an IPv6 address is available.

  • Regex: ClientIP":"((?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})
  • Format string: 0.0.0.0
For a screen capture of the override from this APAR, see this DSM Editor example.

It has been identified that the QRadar Microsoft Office 365 DSM successfully parses the IPv6 address from Office 365 event payloads and adds it as IPv6 on the properties, but it places the Log Source (Packet) IPv4 address in the Source IP field of the user interface.
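To check the override regex from the workaround above before deploying it, the following Python evaluates it against constructed payloads. This is an added example, not code from the APAR or from IBM; the sample payloads are made up (shaped like Office 365 audit records but not real events), the function names are hypothetical, and the example assumes the DSM Editor override behaves as the APAR describes: when the regex matches, the Source IP property is set to the format string, otherwise the DSM's own parsing result stands.

```python
import re

# Regex and format string copied from the IJ16412 workaround (DSM Editor override).
IPV6_CLIENTIP_RE = re.compile(
    r'ClientIP":"((?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})'
)
OVERRIDE_FORMAT = "0.0.0.0"

# Constructed sample payloads (not real Office 365 events). The third one is a
# constructed "address:port" form to show that the regex needs at least two
# colons directly after ClientIP":" and so does not fire on an IPv4 value.
SAMPLE_PAYLOADS = {
    "ipv6": '{"Operation":"UserLoggedIn","ClientIP":"2001:db8:85a3::8a2e:370:7334",'
            '"UserId":"user@example.com"}',
    "ipv4": '{"Operation":"UserLoggedIn","ClientIP":"198.51.100.7",'
            '"UserId":"user@example.com"}',
    "ipv4_port": '{"Operation":"FileAccessed","ClientIP":"198.51.100.7:443",'
                 '"UserId":"user@example.com"}',
}


def ipv6_client_ip(payload: str):
    """Return the IPv6 ClientIP captured by the override regex, or None."""
    m = IPV6_CLIENTIP_RE.search(payload)
    return m.group(1) if m else None


def source_ip_override(payload: str):
    """Mimic the DSM Editor override (assumed behaviour): when the regex matches,
    the Source IP is replaced by the format string; None means the override does
    not fire and the DSM's default Source IP parsing result is kept."""
    return OVERRIDE_FORMAT if IPV6_CLIENTIP_RE.search(payload) else None


def check_override(payloads=SAMPLE_PAYLOADS):
    """Evaluate the override against every sample; returns {name: (captured, override)}."""
    return {name: (ipv6_client_ip(p), source_ip_override(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (captured, override) in check_override().items():
        print(f"{name:10s} captured={captured!r:35s} source_ip_override={override!r}")
```

Only the IPv6 payload triggers the override; the two IPv4 forms leave the DSM's own Source IP in place, which is the behaviour the workaround relies on.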
28 August 2019
SCHEDULED SCAN / QRADAR VULNERABILITY MANAGER (QVM) IJ17942 VULNERABILITY SCHEDULED SCANS CAN FAIL AND THE SCAN DATA APPEARS TO HANG OPEN: Reported in QRadar 7.3.1 Patch 8 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that Vulnerability Manager scheduled scans can fail with the scan data hanging. When this occurs, affected scans have no results to process, sit at 'stopped', and their duration continues counting up. Cancelling an affected scan during its run time leaves it at 100% with the duration still counting up and again no results. Hovering over the Progress bar shows the "Estimated time to Process", but the time displayed continues to rise with the duration. Manually run scans complete as expected while this behavior is affecting scheduled scans.

Messages similar to the following might be visible in /var/log/qradar-sql.log when this issue occurs:
postgres[23015]: [1161-1] ERROR:  out of shared memory
postgres[23015]: [1161-2] HINT:  You might need to increase
max_locks_per_transaction.
postgres[23015]: [1161-3] CONTEXT:  SQL statement "SELECT (NOT
EXISTS(SELECT jo.JobOrderID
postgres[23015]: [1161-4] FROM JobOrders jo....
postgres[4285]: [3478-1] ERROR: relation "tt_table9" does not
exist
postgres[4285]: [3478-2] CONTEXT:  SQL statement "truncate
table tt_TABLE9"
postgres[4285]: [3478-3]  PL/pgSQL function
cwf_orgunit_getallcompanynodesabove_maint(integer) line 18 at
SQL statement
postgres[4285]: [3478-4]  SQL statement "INSERT INTO
tt_new_rows_mapped_q1_exclusion_rules
30 July 2019
WINCOLLECT IJ17949 WINCOLLECT AGENT ONLY RUNS A DNS LOOKUP WHEN THE AGENT IS RESTARTED OPEN: Reported in multiple WinCollect versions No workaround available.

It has been identified that there are instances where a WinCollect Agent should run a refreshed DNS lookup but does not. When using Event Forwarding, the current WinCollect Agents behave as follows:

The WinCollect Agent runs a DNS lookup when it receives its first event from the Windows Computer, in an attempt to resolve the proper IP, and then caches this IP. This IP is used in the originating computer field in the payload. If the Windows Computer is switched between a wired and a wireless connection, it effectively receives a new IP address. The WinCollect Agent keeps using the cached IP and does not perform a DNS query for the new IP. The Windows Computer asset does not get a new IP address registered for it until the WinCollect Agent is restarted.
12 August 2019
GEOGRAPHIC DATA IJ17989 QRADAR CONTINUES TO USE THE GEO2LITE MAXMIND DATABASE FOR GEODATA INFORMATION WHEN MAXMIND SUBSCRIPTION CONFIGURED OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that QRadar continues to use the Geo2Lite MaxMind database even when a paid subscription to MaxMind is configured in the QRadar User Interface -> System Settings.
07 August 2019
TELNET FLOW INSPECTOR IJ18004 QRADAR NETWORK INSIGHTS (QNI) TELNET INSPECTOR CAN INCORRECTLY CLASSIFY SOME LDAP FLOW TRAFFIC AS TELNET TRAFFIC OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances, the QRadar Network Insights (QNI) Telnet Inspector can incorrectly classify LDAP flow traffic as Telnet traffic. When this occurs, rules that test for Telnet traffic can produce false positives.
13 August 2019
REPORTS IJ18005 LEFT TAB REPORT FILTER OPTIONS IN THE REPORTING TAB ARE NOT WORKING AS EXPECTED USING A GROUP THAT HAS BEEN SHARED OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Sort the reporting tab by "Schedule" to see relevant reports.

It has been identified that the left tab filters in the Reporting tab (Manual, Hourly, Weekly, Monthly) are not filtering the report list as expected.

For example:
  1. When selecting "Manual", reports that are Daily and Weekly are displayed.
  2. When selecting "Monthly", reports that are Weekly, Daily, and Hourly are displayed.
These incorrect reports are displayed when using a Group that has been shared across users. (Reports > Manage Groups > select a group > Share > Share with "Users matching the following criteria")
07 August 2019
X-FORCE UPDATES / PROXY IJ18011 MANUAL SCASERVER PROXY CONFIG SETTINGS ARE OVERWRITTEN BY /OPT/QRADAR/SYSTEMD/BIN/SCASERVER_UPDATE_SETTINGS.SH OPEN: Reported in multiple QRadar versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the scaserver fails to connect to *.xforce-security.com using an authenticated proxy when /opt/qradar/systemd/bin/scaserver_update_settings.sh runs and overwrites the required manual changes that were made in:
  • /opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt
    and
  • /opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt
This issue can prevent the proxy settings configured in /opt/qradar/dca/server.ini from being used to connect to *.xforce-security.com. For the support article that describes how to configure an authenticated proxy for X-Force Updates, see: QRadar: X-Force Frequently Asked Questions (FAQ)
07 August 2019
PROTOCOL / TIVOLI ENDPOINT MANAGER SOAP IJ18014 BIGFIX LOG SOURCE RECEIVING LOGIN SUCCESS EVENTS AND NOT RECEIVING ACTION EVENTS OPEN: Reported in PROTOCOL-IBMBigFixSOAP-7.3-20180914130641 No workaround available.

It has been identified that BigFix Log Sources are only receiving Login Success events and not receiving Action events.
16 August 2019
HIGH AVAILABILITY (HA) IJ18040 ADDING HIGH AVAILABILITY TO AN APPLIANCE CAN FAIL DURING THE REMOTE VERSION CHECK OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that adding High Availability (HA) to an appliance can fail because the remote version check incorrectly reports the QRadar version of the appliance that is to become the Secondary HA appliance.

Messages similar to the following might be visible in the qradar_hasetup.log file on the Primary appliance when this issue occurs:
[HA Setup (P-M----)] ESC[31m[ERROR] Remote system is version
root@1.1.1
7.3.2 but we are 7.3.2.
You must re-install the standby system with the latest version.
08 August 2019
RESOURCE RESTRICTION / SEARCH IJ18069 CONFIGURED RESTRICTION DOES NOT CANCEL SEARCHES AS EXPECTED AND THE SEARCH RUNS UNTIL A TIMEOUT LIMIT IS REACHED OPEN: Reported in QRadar 7.3.2 versions Workaround: Modify the search using further filtering so as not to hit the Admin -> Resource Restriction "Record Limit" that is configured.

It has been identified that the Record Limit configured under Admin -> Resource Restrictions in the QRadar User Interface is not enforced as expected. When a search hits the configured Resource Restriction, it is not cancelled immediately. The search still shows as in progress at 100% until it hits the default execution timeout limit. Messages similar to the following might be visible in QRadar logging when this issue occurs:
ariel_client /127.0.0.1:41920 | [Action] [Search]
[SearchExecuted] query starts,
description="User:tkmau,Source:UI,Params:Id:xxxxx-xxxx-xxxx-
xxxx-xxxxx,DB:, Time:<9:19 AM to 9:19 AM>,
Columns:Associated With Offense, Event Name, Log Source, Event
Count, Time, Category, Source IP, Source Port, Destination IP,
Destination Port, Username, Magnitude"
aqw_remote_27:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
[Search] [SearchCanceled] query canceled,
details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx,
Reason:Maximum processed records number for query w
as exceeded"
ariel_query_22:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
[Search] [SearchCanceled] query canceled,
details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx, Reason:Query
execution time limit was exceeded"

The actual cancellation message appears only after the read timeout is logged:
ariel_query_22:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
[Search] [SearchCompleted] query finished, status=CANCELED,
stat details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx,
FileStats [dataFileCount=22, compressedDataFileCount=0,
indexFileCount=11, dataTotalSize=130746346KB,
compressedDataTotalSize=0KB, indexTotalSize=101139786KB,
progress=100.0%, totalResult=27, totalResultDataSize=18KB,
searchTime=45800ms]", concurrent queries="5"
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]
com.q1labs.frameworks.nio.network.Communicator: [ERROR]
[NOT:0000003000][x.x.x.x/- -] [-/- -]Read timeout (45000 ms)
expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]
java.net.SocketTimeoutException: Read timeout (45000 ms)
expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.readBlockFromChannel(Protocol.java:1577)
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.read(Protocol.java:1597)
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.run(Protocol.java:1657)
[ariel_proxy.ariel_proxy_server]
[AsynchronousReceiver:localhost/127.0.0.1:32023]    at
java.lang.Thread.run(Thread.java:812)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:ff3ee225-1044-4c88-9523-55e902cce450]
com.q1labs.ariel.searches.service.ids.Slave:
[INFO] [-/- -]Error closing remote server [localhost:32023]
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
java.util.concurrent.ExecutionException:
java.net.SocketTimeoutException: Read timeout (45000 ms)
expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.rep
ortError(ProtocolProcessor.java:409)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.run(Protocol.java:1664)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
java.lang.Thread.run(Thread.java:812)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] Caused by:
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
java.net.SocketTimeoutException: Read timeout (45000 ms)
expired, Port: 52760, localhost/127.0.0.1:32023
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.readBlockFromChannel(Protocol.java:1577)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.read(Protocol.java:1597)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
Receiver.run(Protocol.java:1657)
[ariel_proxy.ariel_proxy_server]
[aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
... 1 more
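One way to spot searches affected by this APAR in QRadar logging is to correlate the ariel [Search] actions by search Id: a search that logs a SearchCanceled with the "Maximum processed records" reason and then another SearchCanceled with the "Query execution time limit" reason is one that hit the Record Limit but kept running until the timeout. The following Python is an added example, not code from the APAR or from IBM; the log lines are constructed to match the single-line shape of the messages quoted above (the search Ids, user, ports and timings are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed log lines in the shape of the ariel messages quoted in IJ18069.
# Search 0001 hits the record limit and is then stopped by the execution time
# limit (the APAR symptom); search 0002 hits the record limit and stops normally.
SAMPLE_LOG = """\
ariel_client /127.0.0.1:41920 | [Action] [Search] [SearchExecuted] query starts, description="User:analyst,Source:UI,Params:Id:0a1b2c3d-0001-4000-8000-000000000001,DB:, Time:<9:19 AM to 9:19 AM>, Columns:Event Name, Log Source, Source IP"
aqw_remote_27:0a1b2c3d-0001-4000-8000-000000000001 | [Action] [Search] [SearchCanceled] query canceled, details="Id:0a1b2c3d-0001-4000-8000-000000000001, Reason:Maximum processed records number for query was exceeded"
ariel_query_22:0a1b2c3d-0001-4000-8000-000000000001 | [Action] [Search] [SearchCanceled] query canceled, details="Id:0a1b2c3d-0001-4000-8000-000000000001, Reason:Query execution time limit was exceeded"
ariel_query_22:0a1b2c3d-0001-4000-8000-000000000001 | [Action] [Search] [SearchCompleted] query finished, status=CANCELED, stat details="Id:0a1b2c3d-0001-4000-8000-000000000001, FileStats [dataFileCount=22, progress=100.0%, totalResult=27, searchTime=45800ms]", concurrent queries="5"
ariel_client /127.0.0.1:41921 | [Action] [Search] [SearchExecuted] query starts, description="User:analyst,Source:UI,Params:Id:0a1b2c3d-0002-4000-8000-000000000002,DB:, Time:<9:20 AM to 9:25 AM>, Columns:Event Name"
aqw_remote_28:0a1b2c3d-0002-4000-8000-000000000002 | [Action] [Search] [SearchCanceled] query canceled, details="Id:0a1b2c3d-0002-4000-8000-000000000002, Reason:Maximum processed records number for query was exceeded"
ariel_query_23:0a1b2c3d-0002-4000-8000-000000000002 | [Action] [Search] [SearchCompleted] query finished, status=CANCELED, stat details="Id:0a1b2c3d-0002-4000-8000-000000000002, FileStats [dataFileCount=3, progress=100.0%, totalResult=10, searchTime=1200ms]", concurrent queries="2"
"""

ACTION_RE = re.compile(r'\[Search\] \[(SearchExecuted|SearchCanceled|SearchCompleted)\]')
ID_RE = re.compile(r'Id:([0-9a-fA-F-]{36})')        # search Ids are UUID-shaped
REASON_RE = re.compile(r'Reason:([^"]+)')            # reason text ends at the closing quote
SEARCHTIME_RE = re.compile(r'searchTime=(\d+)ms')

RECORD_LIMIT = "Maximum processed records number for query was exceeded"
TIME_LIMIT = "Query execution time limit was exceeded"


def parse_search_events(log_text):
    """Group the [Search] actions, cancel reasons and searchTime by search Id."""
    searches = defaultdict(lambda: {"actions": [], "reasons": [], "search_time_ms": None})
    for line in log_text.splitlines():
        action = ACTION_RE.search(line)
        sid = ID_RE.search(line)
        if not action or not sid:
            continue  # not an ariel search action line
        rec = searches[sid.group(1)]
        rec["actions"].append(action.group(1))
        reason = REASON_RE.search(line)
        if reason:
            rec["reasons"].append(reason.group(1).strip())
        st = SEARCHTIME_RE.search(line)
        if st:
            rec["search_time_ms"] = int(st.group(1))
    return dict(searches)


def find_uncancelled_restricted_searches(log_text):
    """Ids of searches that hit the Record Limit but were only stopped by the
    execution time limit, i.e. the behaviour described in IJ18069."""
    return sorted(
        sid for sid, rec in parse_search_events(log_text).items()
        if RECORD_LIMIT in rec["reasons"] and TIME_LIMIT in rec["reasons"]
    )


if __name__ == "__main__":
    events = parse_search_events(SAMPLE_LOG)
    for sid in find_uncancelled_restricted_searches(SAMPLE_LOG):
        print(f"{sid}: record limit not enforced, ran {events[sid]['search_time_ms']} ms")
```

Run against real /var/log/qradar.log excerpts, the same correlation gives a quick count of how often the Record Limit is being overrun while the fix is pending.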
09 August 2019
RULES / RULE WIZARD IJ18085 THE RULE EDITOR DOES NOT DISPLAY THE SPECIAL SYMBOL " + " WHEN DISPLAYING RULE CONDITIONS OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that the Rule editor does not display the regex special symbol " + " when displaying the rule conditions in the stack.

To replicate this issue:
  1. Log in to QRadar.
  2. Select Offenses -> Actions -> New event Rule.
  3. In the test filter, type "event matches this search filter" and add the test "when the event matches this search filter".
  4. Click "this search filter", select "Payload Matches Regular Expression", and enter "Test\s+Test2\s+"Test3\s+Test4"\s+Test5\s+(Test6|123)".
  5. Click "Add +".

    Result
    All of the " + " symbols in the regular expression are removed in the "Current filters" list.

    Note: The issue described above is visual only; the regex provided in the rule works as expected.
02 August 2019
REPORTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18087 'MISSING PATCHES' REPORT CAN FAIL TO GENERATE WHEN THERE IS A LARGE SET OF VULNERABILITY SCAN DATA OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when there is a large set of vulnerability data from vulnerability scans and the default 'Missing Patches' report is run, the report shows as 'Generating' until it stops and never actually generates. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext]
[xxxxx-xxxx-xxxx-xxxx-xxxxx/SequentialEventDispatcher]
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
127.0.0.1 report_runner, pid=65806, TX age=651 secs
02 August 2019
REPORTS IJ18097 REPORTS CAN FAIL TO GENERATE WHEN REQUIRED SPILLOVER FOLDER WITH PERMISSIONS FAILS TO BE CREATED OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that reports can fail to generate because a required spillover folder is not created with the proper permissions. The folder is required for report_runner to function. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[report_runner] [main]
com.q1labs.cve.accumulation.definition.GlobalViewConfiguration:
[ERROR] [-/- -]Error reading custom properities.
[report_runner] [main]
com.q1labs.frameworks.cache.SpilloverCacheException:
java.lang.Exception: Unable to create cache directory in
/store/transient/report_runner/CustomPropertyCache.
Possibly insufficient permissions?
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBuffer
ToDisk(ChainAppendCache.java)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache.addDiskEntry(ChainA
ppendCache.java:1129)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainApp
endCache.java)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache$1.removeEldestEntry
(ChainAppendCache.java:465)
[report_runner] [main]    at
java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java)
[report_runner] [main]    at
java.util.HashMap.putVal(HashMap.java)
[report_runner] [main]    at
java.util.HashMap.put(HashMap.java)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCa
che.java)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCa
che.java:)
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCach
e.java)
[report_runner] [main]    at
com.q1labs.core.shared.ariel.CustomPropertyServices.constructAnd
CacheProperty(CustomPropertyServices.java)
[report_runner] [main]    at
com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomPr
operty(CustomPropertyServices.java)
[report_runner] [main]    at
com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPro
pertyNoCache(CustomPropertyServices.java)
[report_runner] [main]    at
com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.t
estCustomEventProperties(GlobalViewConfiguration.java)
[report_runner] [main]    at
com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.r
ead(GlobalViewConfiguration.java)
[report_runner] [main]    at
com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.l
oad(GlobalViewConfiguration.java)
[report_runner] [main]    at
com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.g
etInstance(GlobalViewConfiguration.java)
[report_runner] [main]    at
com.q1labs.reporting.charts.ArielChart.setData(ArielChart.java)
[report_runner] [main]    at
com.q1labs.reporting.ReportTemplate.rebuildTemplate(ReportTempla
te.java)
[report_runner] [main]    at
com.q1labs.reporting.ReportTemplate.read(ReportTemplate.java)
[report_runner] [main]    at
com.q1labs.reporting.ReportServices.reload(ReportServices.java)
[report_runner] [main]    at
com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.Exception: Unable to create
cache directory in
/store/transient/report_runner/CustomPropertyCache.
Possibly insufficient permissions?
[report_runner] [main]    at
com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBuffer
ToDisk(ChainAppendCache.java)
[report_runner] [main]    ... 21 more
09 August 2019
WINCOLLECT IJ18099 WINCOLLECT LOG SOURCES CAN BE MISSING A DAILY LOG FILE OPEN: Reported in WinCollect 7.2.8.145 and later No workaround available.

It has been identified that WinCollect Log Sources can sometimes be missing one day of data when the WinCollect Agent is pulling daily log files. The WinCollect plugin can incorrectly identify two active daily log files; when this occurs, it only processes the latest log file and thereby skips a daily log file.
12 August 2019
OFFENSES / NETWORK HIERARCHY IJ18103 THE QRADAR OFFENSE MODEL CAN EXPERIENCE REDUCED RESPONSIVENESS AFTER AN UPDATE IS MADE TO A LARGE NETWORK HIERARCHY OPEN: Reported in QRadar 7.3.1 Patch 6 IF01 No workaround available.

It has been identified that when changes or updates are made to a large Network Hierarchy, the QRadar Offense model can experience an unexpected reduction in responsiveness and, in some instances, a TxSentry warning can also occur.

Messages similar to the following might be visible in /var/log/qradar.log when a related TxSentry occurs:
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
console: ecs-ep.ecs-ep, pid=106257 children= immediately=false,
TX age=600 secs
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host console:
pid=106257 age=600 IP=127.0.0.1 port=54026 locks=113
query='SELECT id, network FROM
clean_netid_network_details_proc()'
com.q1labs.hostcontext.tx.TxSentry: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
console: rel=attacker_tplu_idx age=600 granted=t
mode=RowExclusiveLock query='SELECT id, network FROM
clean_netid_network_detail'
14 August 2019
ADVANCED SEARCH (AQL) IJ18156 QRADAR ADVANCED SEARCH FAILS WHEN THERE IS MORE THAN ONE OPERATOR IN A CONDITION CLOSED: Duplicate of IJ16392. Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Issue
It has been identified that the QRadar Advanced Search (AQL) fails with a NullPointerException when there is more than one operator in a condition. Example of an Advanced Search that results in a NullPointerException:
SELECT LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
LOGSOURCENAME(logsourceid) AS "LogSourceName",
SUM(IF "File Hash" IS NULL AND "PANW-file-hash" IS NULL AND
"PANW-traps-file-hash" IS NULL THEN 1 ELSE 0 END) AS "HashCount"
FROM events
GROUP BY logsourceid LAST 1 HOURS

Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] com.q1labs.ariel.ql.parser.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/-
-]java.lang.NullPointerException:null
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.IndexTree.useTree(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.FieldInfoCondition.getKeyCreator(Fiel
dInfoCondition.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.FieldInfoBase.getObjectType(FieldInfo
Base.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInf
o(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(Pars
erBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBa
se.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBa
se.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(Parse
rBase.java:428)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(Parser
Base.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBa
se.java:1409)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java
:1636)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClien
t.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client
/127.0.0.1:51760] at java.lang.Thread.run(Thread.java)
14 August 2019
EARLY WARNINGS / QRADAR VULNERABILITY MANAGER (QVM) IJ18159 THE QRADAR VULNERABILITY MANAGER (QVM) EARLY WARNINGS PROCESS CAN CAUSE UNEXPECTED SLOWNESS IN LOADING VULNERABILITY USER INTERFACE PAGES CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Install the latest version or contact Support for a possible workaround that might address this issue if you are unable to upgrade.

Issue
It has been identified that the QRadar Vulnerability Manager (QVM) early warnings process can cause QVM performance issues that sometimes lead to User Interface pages not loading data. Examples of the performance degradation:

  • Unexpected slowness while loading the Scan Results screen
  • Unexpected slowness on screens under the Administrative menu on the Vulnerabilities tab
  • Nightly QVM backup taking longer than expected
  • Scans not starting as expected.
07 August 2019
RULES IJ18161 CUSTOM RULE FAILS TO LOAD DUE TO ORPHANED LINK_UUID IN THE CUSTOM_RULE DATABASE TABLE CLOSED: Duplicate of IJ15968 and resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Issue
It has been identified that a QRadar custom rule fails to load when it is associated with an orphaned link_uuid within the custom_rule table of the database.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher]
com.q1labs.core.dao.cre.CustomRule: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Error while
unmarshalling rule id 108018 from DB table custom_rule
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
java.lang.NullPointerException
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
   at
com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.
java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices
.java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(C
REServices.java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleR
eader.java:)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at
com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomR
uleReader.java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at
com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dis
patchEvent(ConfigurationChangeEvent.java)
[ecs-ep.ecs-ep]
[xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
at
com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
hread.run(SequentialEventDispatcher.java)
14 August 2019
RULES / BUILDING BLOCKS IJ18167 'URL (CUSTOM) IS CATEGORIZED BY X-FORCE AS ONE OF THE FOLLOWING CATEGORIES' IS DEFAULTED IN BUILDING BLOCK WHEN CREATING A RULE OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that the following rule test can sometimes be defaulted in the Building Block when creating a rule: "and when URL (custom) is categorized by X-Force as one of the following categories"

After attempting to change the default Custom Event Property (URL) to another Custom Event Property, the URL (custom) remains in the database and is still used by the rule.
30 August 2019
HIGH AVAILABILITY (HA) IJ18179 LOG COLLECTION ON A HIGH AVAILABILITY SECONDARY CAN FAIL TO OCCUR AFTER INITIAL FAILOVER DUE TO MISSING JAR FILES OPEN: Reported in QRadar 7.3.1 versions Workaround:
  1. From the Admin tab, open the Advanced drop-down menu.
  2. Select Deploy Full Configuration.
  3. Wait for the full deploy to complete.
  4. Select Advanced -> Restart Event Collection Services.

It has been identified that some required jar files are not copied to /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs on a High Availability (HA) secondary appliance until a Deploy Full Configuration is performed after the HA secondary becomes active.
14 August 2019
RULES / AQL IJ18181 UNABLE TO EDIT AQL FILTER IN A RULE WHEN '%\U' OR '%\X%' PARAMETERS ARE USED IN THE LIKE CLAUSE OPEN: Reported in QRadar 7.3.1 Patch 7 IF01 No workaround available.

It has been identified that an AQL filter in a Rule cannot be edited when '%\u%' or '%\x%' parameters are used in the Like clause.

For example:
  1. Create a Custom Event Property called New Process Name.
  2. Create a rule that has the following AQL filter test:
  3. "New Process Name" ILIKE '%\u%', then submit it.
  4. Attempt to edit the AQL filter by clicking on the filter Query.

    Results
    A blank screen is displayed. Note: The same behavior is observed when the AQL filter "New Process Name" ILIKE '%\x%' is used.
16 August 2019
SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18208 SELECTING 'SCAN RESULTS' ON THE VULNERABILITIES TAB CAN GENERATE 'APPLICATION ERROR' OR 'HTTP ERROR 404' CLOSED Resolved in QRadar Vulnerability Manager 7.4.0 (7.4.0.20200304205308)

Workaround
Select the Vulnerabilities tab to display the scan results.

It has been identified that selecting Scan Results on the Vulnerabilities tab can result in either "Application Error" or "HTTP ERROR 404" being displayed. This occurs when the host name in the Web browser's URL starts with "console". For example: console-12345.qradar.test.com.
07 August 2019
MANAGE VULNERABILITIES / DATA EXPORT IJ18235 TIMEZONE VALUES IN THE EXPORTED VULNERABILITIES FILE FROM QRADAR VULNERABILITY MANAGER (QVM) ARE GMT TIMEZONE INSTEAD OF THE SYSTEM TIMEZONE CLOSED Resolved in QRadar Vulnerability Manager 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that when vulnerabilities are exported from the Manage Vulnerabilities -> By Asset -> By Vulnerability Instance window in the QRadar User Interface (UI), the "first seen date" and "last seen date" time stamp values in the export file are in the GMT timezone instead of the system timezone.

Note: The timezones are displayed correctly in the QRadar user interface, this issue only affects the timezone values that are included within the vulnerability export file.
12 August 2019
REPORTS / DAILY IJ18239 THE LEGEND FOR DAILY STACKED BAR CHART REPORTS WITH X-AXIS AS 'TIME' DOES NOT SORT AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 8 Workaround: Do not use the Time X-Axis for daily reports using stacked bar charts.

It has been identified that the legend for daily stacked bar chart reports with an X-axis of Time does not sort as expected. The legend does not always correlate with the table results displayed.
19 August 2019
UPGRADE / RULES IJ18241 AFTER UPGRADE TO 7.3.2 PATCH 2, QRADAR USER INTERFACE RULE PAGE CAN FAIL TO LOAD AFTER A MANAGED HOST HAS BEEN REPLACED OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the Rule page can fail to load in the QRadar User Interface after upgrading to QRadar 7.3.2 Patch 2. This is due to the presence of an old hostid in the basehostid column of the custom rule table after a Managed Host has been replaced.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request:
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] java.lang.NullPointerException
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.getAnalysis(RuleWizardForm.java)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.copyInitialDataFromDAO(RuleWizardForm.java:2139)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.summaryCopyFromDAO(RuleWizardForm.java)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.action.MaintainRules.getAllRules(MaintainRules.java)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
[tomcat.tomcat] [admin@127.0.0.1 (1593749) /console/do/rulewizard/maintainRules] at java.lang.reflect.Method.invoke(Method.java)
19 August 2019
ROUTING RULES / EVENT COLLECTORS (15xx) IJ18322 ONLINE SELECTIVE FORWARDING GENERATES NULLPOINTEREXCEPTION WHEN EVENTS ARE COLLECTED AND 'STORE EVENT PAYLOAD' IS NOT SELECTED CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Open the Log Source(s) collecting the event(s) and ensure that 'Store Event Payload' is selected.

Issue
It has been identified that Online Selective Forwarding reports dropped events and generates a NullPointerException in the /var/log/qradar.error log when an event is collected from a Log Source that has the 'Store Event Payload' option unchecked.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [-/--]Exceeded maximum number of retries, dropping event.
and also:
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] .sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [ERROR] [-/--]SelectiveForwardingSender disconnected because of:
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] java.lang.NullPointerException
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.getTextLength(Matcher.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.reset(Matcher.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Matcher.<init>(Matcher.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at java.util.regex.Pattern.matcher(Pattern.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.core.dao.selectiveforwarding.light.SelectiveForwardingDestination.isPayloadHeaderMissing(SelectiveForwardingDestination.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.forwarding.mapping.ForwardingPayloadMapping.put(ForwardingPayloadMapping.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(ForwardingUDPConnector.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.process(SelectiveForwardingCommunicatorThread.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread.run(SelectiveForwardingCommunicatorThread.java)
[ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Exceeded maximum number of retries, dropping event.
19 August 2019
DATA EXPORT / LOG ACTIVITY IJ18323 LOG ACTIVITY CSV DATA EXPORT DOES NOT CONTAIN THE COLUMN NAME FOR 'PAYLOAD' OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that output from Log Activity -> Actions -> Export to CSV does not contain the header/column name for 'Payload'.
19 August 2019
AUTHENTICATION (LDAP) / ACCESS IJ18324 QRADAR USER FAILS TO LOGIN SUCCESSFULLY WHEN USERNAME DOES NOT MATCH CASE WHEN USING EXTERNAL AUTHENTICATION IN 7.3.2 PATCH 3 OPEN: Reported in QRadar 7.3.2 Patch 3 and later Workaround: Login with a username that exactly matches the case of the QRadar user delegate.

It has been identified that when external authentication (e.g. LDAP Authentication) is enabled in QRadar 7.3.2 Patch 3, QRadar users attempting to log in with a username that does not exactly match the case of their QRadar user delegate cause a NullPointerException to be generated, and the login attempt fails.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] java.lang.NullPointerException
[tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.UserNamePasswordAuthentication.authenticate(UserNamePasswordAuthentication.java)
[tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.authenticate(LoginEndpoint.java)
[tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.login(LoginEndpoint.java)
[tomcat.tomcat] [TestTest@127.0.0.1 (2271) /console/login] at com.q1labs.uiframeworks.auth.LoginEndpoint.doPost(LoginEndpoint.java)
13 August 2019
AUTO UPDATE / DISK SPACE IJ18327 WHEN AUTOUPDATE EXPERIENCES AN OUT OF MEMORY INSTANCE THE RESULTING DUMP FILE IS CREATED IN THE ROOT " / " PARTITION OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in instances of AutoUpdate experiencing an Out Of Memory occurrence, the resulting dump file (e.g. core.20190109.005124.183434.0001.dmp) is written to the Root " / " partition.

Note: Required services on a QRadar appliance are stopped when less than 5% free space is detected in a monitored partition, and remain stopped until the free space issue is corrected.
14 August 2019
AUTO UPDATE / PROXY IJ18339 QRADAR AUTOUPDATE CAN FAIL TO RUN WHEN A PROXY SERVER IS CONFIGURED DUE TO MISSING LIBRARY OPEN: Reported in QRadar 7.3.2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances or see the following technical note for more information: Auto Update Proxy Issues "500 SSL NEGOTIATION FAILED" (Updated).

It has been identified that in some instances, AutoUpdate can fail to run when configured to connect using a proxy server. The specific failures covered by this APAR are due to the missing library:
LWP-Protocol-connect-6.09
Messages similar to the following might be visible in the Autoupdate logs when this issue occurs:
[DEVEL] Attempting to retrieve https://qmmunity.q1labs.com/autoupdates/manifest_list?version=7.3.2.20190522204210&customer=&lastau=1561730898&lastpatch=1561730898&vendor=Q1%20Labs
[WARN] Could not retrieve "manifest_list": 500 Can't connect to {proxy_server}:3128 (Crypt-SSLeay can't verify hostnames)
14 August 2019
DATA EXPORT / QRADAR ON CLOUD IJ18449 UNABLE TO DOWNLOAD EXPORTS MESSAGE 'YOUR EXPORT JOB HAS COMPLETED. THE FILE SIZE EXCEEDS THE EMAIL ATTACHMENT LIMIT...' OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in QRadar on Cloud environments, exports that are too large to be sent as an email attachment cannot be downloaded. Messages similar to the following might be visible in the user interface when this issue occurs:
'Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the below link.

Note that the link is valid for one download only.'
https:///console/exportData?jobId=xxxxxx-xxxx-xxxx
26 August 2019
ADVANCED SEARCH (AQL) IJ18455 RUNTIMEEXCEPTION GENERATED IN QRADAR LOGGING WHEN AN INVALID AQL IS RUN RATHER THAN PROPER AQL PARSER REJECTION OPEN: Reported in QRadar 7.3.2 Patch 3 No workaround available.

It has been identified that executing an invalid Advanced Search (AQL) that uses aggregate functions in the WHERE clause generates a runtime exception instead of being rejected by the AQL parser. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] com.q1labs.ariel.ConnectedClient: [WARN] [-/- -]Ariel Server cannot decode command, cmd=Execute statement - AQLRequest ["select qid from events where max(qid)!=0", PARSE]
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] java.lang.RuntimeException: Unable to write Serializable
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.putMappable(Protocol.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.write(Protocol.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Protocol.writeAndFlush(Protocol.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.CommunicatorBase.writeAndFlush(CommunicatorBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.Communicator.writeAndFlush(Communicator.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.lang.Thread.run(Thread.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] Caused by:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] java.io.NotSerializableException: com.q1labs.ariel.ql.parser.AggregateFunctionInfo
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:59740] at com.q1labs.frameworks.nio.network.protocol.Mappings$SerializableMapping.put(Mappings.java)
26 August 2019
QRADAR ADVISOR WITH WATSON IJ18462 QRADAR ADVISOR WITH WATSON APP TAB IS BLANK WITH 'FAILED TO LOAD INVESTIGATIONS' MESSAGE OPEN: Reported in QRadar 7.3.1 Patch 6 Interim Fix 02 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in instances where the QRadar Offense API is attempting to handle very large queries, the QRadar Advisor With Watson App tab can sometimes be blank with only the message 'Failed to load investigations' being displayed.
26 August 2019
SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18486 RED TRIANGLE 'ASSET MODEL HAS NOT BEEN UPDATED' CAN BE INCORRECTLY DISPLAYED FOR SCAN RESULTS FROM QRADAR VULNERABILITY MANAGER (QVM) OPEN: Reported in QRadar 7.3.1 and later Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances where the asset model has been updated, the "Asset Model has not been updated" red warning triangle is incorrectly displayed on the QRadar Vulnerability Manager Scan Results.
30 August 2019
ADAPTER / QRADAR RISK MANAGER (QRM) IJ18490 BACKUP OF CISCO NEXT-GENERATION INTRUSION PREVENTION SYSTEM DEVICE CAN FAIL DUE TO A COMMAND TIMEOUT IN QRADAR RISK MANAGER (QRM) OPEN: Reported in Adapter Bundle #13 No workaround available.

A Cisco Next-Generation Intrusion Prevention System device backup can fail with the following error appearing on the Configuration Source Management User Interface window:
IPC::Run: timeout on timer #1 at /usr/share/perl5/vendor_perl/IPC/Run.pm line 2956.
at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2019.06_04-17062537/scripts/ZipTie/SSH.pm line 473.
at org.ziptie.server.job.PerlErrorParserElf.parse(PerlErrorParserElf.java)
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)

This error occurs when the adapter receives a response that ends with the "--More--" prompt and it fails to recognize the format of the control characters that are embedded within the "--More--" prompt. This results in a command timing out, and the backup failing.
26 August 2019
RULE TEST / DISK SPACE IJ18492 /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST OPEN: Reported in QRadar 7.3.2 Patch 2 No workaround available.

It has been identified that an exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill up the /var/log partition. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [4]] com.q1labs.semsources.cre.CustomRule: [ERROR] [-/- -]Exception in rule 100106 - Chained Exploit Followed by Suspicious Events: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] java.lang.IllegalStateException: Entry.next=null, data[removeIndex]={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a previous={ipaddress}=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57ddb4a key={ipaddress} value=package com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af135446 size=25000 maxSize=25000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-dev@jakarta.apache.org as a bug.
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521)
[ecs-ep.ecs-ep] [CRE Processor [4]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464)
26 August 2019
QRADAR APPS / HIGH AVAILABILITY (HA) IJ18520 QRADAR APPS CAN FAIL TO LOAD AFTER A FAILOVER IS PERFORMED TO A REBUILT PRIMARY HIGH AVAILABILITY APPLIANCE OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when a High Availability Primary appliance is rebuilt, after the first failover back to that Primary appliance is performed, QRadar Apps can fail to load. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [pool-1-thread-2] com.ibm.si.api.workload.v1.ApiException: java.net.UnknownHostException: [xxxxxxxxx].localdeployment: .localdeployment: unknown error
26 August 2019
ADVANCED SEARCH (AQL) IJ18551 ADVANCED SEARCH (AQL) THAT USES A REFERENCE SET ASSIGNED TO A TENANT FAILS TO RETURN RESULTS AND GENERATES ERROR OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: An Advanced Search (AQL) that filters on a Reference Set assigned to Shared or to a Domain works as expected.

It has been identified that running a search based on AQL using a Reference Set that is assigned to a Tenant fails with an error similar to:
"ReferenceSet function: Unknown reference data collection '{reference_set}'"
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] com.q1labs.ariel.ql.parser.Parser: [ERROR][-/- -]ReferenceSet function: Unknown reference data collection '{reference_set}'
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: ReferenceSet function: Unknown reference data collection {reference_set}
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.load(AbstractRefDataCollectionFunction.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.exceptionWrapper(AbstractRefDataCollectionFunction.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet.getArgumentTypes(ReferenceSet.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.lang.Thread.run(Thread.java)
26 August 2019
REFERENCE SETS IJ18553 INSTANCES OF NO SEARCH RESULTS RETURNED CAN OCCUR FOR USER ROLES WITH 'READ ONLY' PERMISSIONS ON REFERENCE SETS OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that users whose user role has read-only access can experience issues when searching through reference sets. When opening the "View Reference Sets" window through Log Activity -> Add Filter -> Reference Set -> View Reference Set, they are able to enter a name to search on the reference set names, but after pressing Enter the window does not update to reflect the search that was performed. When a field to sort on (Name, Type, ...) is selected, the window updates to reflect the search.
26 August 2019
APPLICATION FRAMEWORK / APP INSTALL IJ18610 APPS CONTAINING A NULL PAYLOAD IN ARIEL_PROPERTY_EXPRESSION DATABASE TABLE FAIL TO INSTALL AT QRADAR 7.3.2 PATCH 3 CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that after patching to QRadar 7.3.2 Patch 3, QRadar Apps that have a null payload in the database table ariel_property_expression (e.g. Cb Defense App for IBM QRadar) fail to install. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.Content: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import [device_ext]
[tomcat.tomcat] [admin@127.0.0.1] java.lang.NullPointerException
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java)
[tomcat.tomcat] [admin@127.0.0.1] com.q1labs.frameworks.session.SessionContext: [WARN] [-/- -]Attempt made to begin nested read-write transaction
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception
[tomcat.tomcat] [admin@127.0.0.1] at com.q1labs.frameworks.session.SessionContext.beginTransaction(SessionContext.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
[tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java)
30 August 2019
HIGH AVAILABILITY (HA) IJ18607 ADDING AN APPLIANCE INTO HIGH AVAILABILITY FAILS WHEN HOSTNAME ENDS WITH [.LOCALDOMAIN] OPEN: Reported in QRadar 7.3.1 Patch 5 Workaround: Do not use appliance hostnames ending in .localdomain. The following technical note explains how to use qchange_netsetup:
QRadar: Changing the network settings of managed hosts.

It has been identified that adding an appliance into High Availability (HA) fails when the appliance hostname ends in .[localdomain]. Messages similar to the following might be visible in the ha_setup.log file when this issue occurs:
[HA Setup (S-M----)] [ERROR] Unexpected error.
Failed to calculate maximum secondary size
30 August 2019
AUTHENTICATION / HIGH AVAILABILITY (HA) IJ18609 ACTIVE DIRECTORY AUTHENTICATION LOGIN FAILS AFTER A FAILOVER TO HIGH AVAILABILITY SECONDARY CONSOLE OPEN: Reported in QRadar 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances QRadar Active Directory authentication can fail after a failover to a high availability secondary console has occurred. In these specific instances of Active Directory failure to login, the /etc/krb5.conf file has been emptied out, and is a 0 byte file.
30 August 2019
SCHEDULED SCANS IJ18337 QRADAR VULNERABILITY MANAGER (QVM) SCAN JOBS THAT USE ADVANCED RUN SCHEDULE OPTION FAIL TO RUN OPEN: Reported in QRadar 7.3.2 versions Workaround: Edit the scan profile to use a daily, weekly, or monthly schedule.

It has been identified that QRadar Vulnerability Manager scan jobs that use the advanced run schedule option fail to run. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1]
org.quartz.core.JobRunShell:
[ERROR] Job qvmScheduling.113 threw an unhandled Exception:
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1]
java.lang.NoSuchMethodError:
com/q1labs/core/shared/permissions/UserManager.getDeployedUserBy
Id(J)Lcom/q1labs/core/dao/permissions/light/User; (loaded from
file:/opt/qradar/jars/q1labs_core.jar by
sun.misc.Launcher$AppClassLoader@ccd55a90) called from class
com.q1labs.qvm.workflow.processor.security.user.UserManagerUserL
ocator (loaded from
file:/opt/qradar/jars/q1labs_qvmworkflow.jar by
sun.misc.Launcher$AppClassLoader@ccd55a90).
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
com.q1labs.qvm.workflow.processor.security.user.UserManagerUserL
ocator.getUserByUserId(UserManagerUserLocator.java:44)
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServ
iceImpl.setLastUserName(ScanProfileServiceImpl.java)
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
com.q1labs.qvm.workflow.scheduler.ScheduleScan.
executeInternal(ScheduleScan.java:50)
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
org.springframework.scheduling.quartz.QuartzJobBean.
execute(QuartzJobBean.java:114)
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
org.quartz.core.JobRunShell.run(JobRunShell.java:206)
[qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run
(SimpleThreadPool.java
19 August 2019
BACKUP & RECOVERY IJ14189 DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

It has been identified that data backups can fail when a backend ps command hangs. QRadar notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Backup]
com.q1labs.hostcontext.backup.core.BackupUtils:
[ERROR] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'
[hostcontext.hostcontext] [Backup]
java.lang.InterruptedException
[hostcontext.hostcontext] [Backup]    at
java.lang.Object.wait(Native Method)
[hostcontext.hostcontext] [Backup]    at
java.lang.Object.wait(Object.java:189)
[hostcontext.hostcontext] [Backup]    at
java.lang.UNIXProcess.waitFor(UNIXProcess.java)
[hostcontext.hostcontext] [Backup]    at
com.q1labs.hostcontext.backup.core.BackupUtils.
getPsProcesses(BackupUtils.java)
[hostcontext.hostcontext] [Backup]    at
com.q1labs.hostcontext.backup.BackupRecoveryEngine
.cleanup(BackupRecoveryEngine.java)
[hostcontext.hostcontext] [Backup]    at
com.q1labs.hostcontext.backup.BackupRecoveryEngine
$BackupThread.run(BackupRecoveryEngine.java)
[hostcontext.hostcontext] [Backup]
com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh
/opt/qradar/bin/determine_partition.sh
/store/backup/store/tmp/backup/determine_partition' if exists
09 December 2019
DEPLOY CHANGES / LOG SOURCES IJ17858 AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that QRadar deploys can fail/hang after receiving/running the autoupdate-deploy-1607112703-00 script contained within AutoUpdate.
06 August 2019
AUTO UPDATE / PROXY IJ17855 AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 versions Workaround: Perform a manual "Deploy Changes" from the Admin tab after the weekly auto update has downloaded and installed.

It has been identified that in QRadar environments where a proxy server is configured, AutoUpdates that have been downloaded and installed are not deployed out to the Managed Hosts automatically. A User Interface message similar to "There are undeployed changes. Click 'Deploy Changes' to deploy them" is displayed.
26 July 2019
FLOWS / SERVICE IJ17432 HOSTCONTEXT CAN EXPERIENCE AN OUT OF MEMORY OCCURRENCE WHEN A VERY LARGE NUMBER OF FLOW SOURCES EXIST OPEN: Reported in QRadar 7.3.1 Patch 8 Interim Fix 01 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the hostcontext process can experience an out of memory occurrence in QRadar environments that have a very large number of flow sources (hundreds of thousands).

NOTE: A Support ticket needs to be logged to confirm that the number of flow sources is the reason for hostcontext out of memory occurrences.
08 July 2019
BACKUP & RECOVERY / MIGRATION IJ17414 PERFORMING A CONFIGURATION RESTORE ON A CONSOLE THAT HAS A NEW IP ADDRESS CAN MODIFY SIMILAR IP ADDRESSES IN QRADAR CONFIG FILE OPEN: Reported in QRadar 7.3.1 Patch 8 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when a config restore is performed on a QRadar Console that has had the IP address changed, similar IP addresses can sometimes be incorrectly modified in the configuration file "deployment.xml".

Example scenario deployment:
  • Console: 127.0.0.1
  • New Console IP: 127.0.0.24
  • 1899 Appliance 1: 127.0.0.40
  • 1899 Appliance 2: 127.0.0.129

Reported issues
  1. During the config restore using the backup file from the original console (127.0.0.1) on the new console (127.0.0.24), Deploy Changes fail to complete.
  2. The IP address for appliance 2 is incorrectly updated in the deployment.xml configuration file: the configuration restore can change the IP address from 127.0.0.129 to 127.0.0.2429.
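The corruption in the scenario above (127.0.0.129 becoming 127.0.0.2429) is what a plain substring replacement of the old console address does when the old address is a prefix of another host's address. The following added example is not QRadar code and does not use QRadar's real deployment.xml schema; it works on a constructed fragment to show the unsafe replacement beside a whole-token replacement, and a post-restore check that flags malformed addresses in the result:

```python
import ipaddress
import re

# Constructed sample in the spirit of the scenario above; the element and
# attribute names are assumptions, not QRadar's real deployment.xml schema.
SAMPLE_DEPLOYMENT_XML = """<deployment>
  <host name="console" ip="127.0.0.1"/>
  <host name="appliance1" ip="127.0.0.40"/>
  <host name="appliance2" ip="127.0.0.129"/>
</deployment>"""


def naive_replace_ip(text: str, old_ip: str, new_ip: str) -> str:
    """Plain substring replacement, the failure mode described in IJ17414.

    "127.0.0.1" is a prefix of "127.0.0.129", so the longer address is
    rewritten as well and becomes the impossible "127.0.0.2429".
    """
    return text.replace(old_ip, new_ip)


def safe_replace_ip(text: str, old_ip: str, new_ip: str) -> str:
    """Replace only whole IPv4 address tokens.

    The old address must not be immediately preceded or followed by a
    digit or a dot, so "127.0.0.1" never matches inside "127.0.0.129"
    or "1127.0.0.1".
    """
    pattern = r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])"
    return re.sub(pattern, new_ip, text)


def invalid_addresses(text: str) -> list:
    """Return every dotted numeric token in text that is not a valid IPv4 address.

    Useful as a sanity check after a restore that rewrote addresses: a
    corrupted token such as "127.0.0.2429" has an octet above 255 and
    is rejected by ipaddress.IPv4Address.
    """
    bad = []
    for token in re.findall(r"[\d.]+", text):
        if "." not in token:
            continue  # bare numbers (e.g. the digit in "appliance1") are not addresses
        try:
            ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            bad.append(token)
    return bad


if __name__ == "__main__":
    naive = naive_replace_ip(SAMPLE_DEPLOYMENT_XML, "127.0.0.1", "127.0.0.24")
    print("naive replacement flagged:", invalid_addresses(naive))
    safe = safe_replace_ip(SAMPLE_DEPLOYMENT_XML, "127.0.0.1", "127.0.0.24")
    print("whole-token replacement flagged:", invalid_addresses(safe))
    print(safe)
```

Running the block shows the naive rewrite producing the 127.0.0.2429 value from the scenario while the whole-token rewrite changes only the console entry; the `invalid_addresses` check is the kind of verification worth running against a restored configuration before deploying changes.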
08 July 2019
QRADAR VULNERABILITY INSIGHTS APP IJ17410 X-FORCE USER LIMITS EXCEEDED WHEN USING QRADAR VULNERABILITY INSIGHTS (QVI) APP OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that when using the QRadar Vulnerability Insights application, the records limit of 5000 for the X-Force user can be exceeded. When this occurs, any new requests to X-Force fail.
08 July 2019
HIGH AVAILABILITY (HA) IJ17408 ENABLING CROSSOVER ON HIGH AVAILABILITY PAIR CAN CAUSE NETWORK COMMUNICATION FAILURE ON THE PRIMARY NODE OPEN: Reported in QRadar 7.3.1 Patch 8 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances enabling High Availability (HA) crossover caused network communication to fail on the primary HA node. This occurs if the HA crossover becomes set as the default route, disrupting expected network communications.
08 July 2019
OFFENSES / PERFORMANCE IJ17380 ATTEMPTING TO OPEN AN OFFENSE CAN FAIL WHEN THERE ARE A LARGE NUMBER OF NETWORKS ASSOCIATED TO IT OPEN: Reported in QRadar 7.3.2 versions Workaround: Where possible, modify the user needing access to the Offense to be an Admin.

It has been identified that attempting to load an Offense can fail when an offense has a large number of networks associated with it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] Caused by:
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] java.lang.StackOverflowError
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.lib.util.J2DoPrivHelper$
59.run(J2DoPrivHelper.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.lib.util.J2DoPrivHelper$
59.run(J2DoPrivHelper.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
java.security.AccessController.doPrivileged
(AccessController.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.AnnotationPersistenceXML
MetaDataParser.parseXMLClassAnnotations
(AnnotationPersistenceXMLMetaDataParser.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.AnnotationPersistenceXML
MetaDataParser.parse(AnnotationPersistenceXMLMeta
DataParser.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.PersistenceMetaData
Factory.loadXMLMetaData(PersistenceMeta
DataFactory.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.meta.MetaDataRepository.get
XMLMetaDataInternal(MetaDataRepository.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.meta.MetaDataRepository.getXMLMeta
Data(MetaDataRepository.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.exps.AbstractExpression
Builder.traversePath(AbstractExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPath(JPQ
LExpressionBuilder.java:2000)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPathOrCo
nstant(JPQLExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.eval(JPQLEx
pressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1
08 July 2019
LICENSE / EVENT COLLECTOR IJ17363 QRADAR EVENT COLLECTOR APPLIANCE DOES NOT INHERIT THE LICENCE LIMITS FROM THE EVENT PROCESSOR AFTER THE IP ADDRESS HAS BEEN CHANGED OPEN: Reported in QRadar 7.3.2 versions Workaround
  1. Connect the EC to the console. Deploy the changes.
  2. Reconnect the EC to the EP and Deploy the changes.

It has been identified that after an Event Processor (EP) has had the IP address changed, when an Event Collector (EC) is added to it, that EC does not inherit the license limits from the EP.
08 July 2019
CUSTOM ACTION SCRIPTS IJ17358 CUSTOM ACTION SCRIPTS REFERENCING THE QRADAR CONSOLE HOSTNAME FAIL IN QRADAR 7.3.2 OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that Custom Action Scripts referencing the hostname of the QRadar console that worked as expected in 7.3.1 fail to work in QRadar 7.3.2 versions.
08 July 2019
OFFENSES / SECURITY PROFILE IJ17332 OFFENSES FOR NON-ADMIN USER FAIL TO LOAD WHEN A SECURITY PROFILE HAS 'NO RESTRICTIONS' CONFIGURED OPEN: Reported in QRadar 7.3.2 versions Workaround: In instances where possible, modify the user to be an admin user.

It has been identified that Offenses for non-admin users fail to load when their security profile has No Restrictions configured. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] Caused by:
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] java.lang.StackOverflowError
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.lib.util.J2DoPrivHelper$59.
run(J2DoPrivHelper)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.lib.util.J2DoPrivHelper$59.run
(J2DoPrivHelper.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
java.security.AccessController.doPrivileged
(AccessController.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.AnnotationPersistence
XMLMetaDataParser.parseXMLClassAnnotations
(AnnotationPersistenceXMLMetaDataParser.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.AnnotationPersistence
XMLMetaDataParser.parse(AnnotationPersistenceXML
MetaDataParser.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.persistence.PersistenceMetaDataFactory.
loadXMLMetaData(PersistenceMetaDataFactory.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.meta.MetaDataRepository.getXMLMeta
DataInternal(MetaDataRepository.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.meta.MetaDataRepository.getXMLMeta
Data(MetaDataRepository.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.exps.AbstractExpression
Builder.traversePath(AbstractExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpression
Builder.getPath(JPQLExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpression
Builder.getPathOrConstant(JPQLExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.
eval(JPQLExpressionBuilder.java)
[tomcat.tomcat] [user@127.0.0.1 (2281)
/console/do/sem/offensesummary] at
org.apache.openjpa.kernel.jpql.JPQLExpression
Builder.getValue(JPQLExpressionBuilder.java)
08 July 2019
DISK UTILITIES IJ17331 DISKMAINTENANCE.PL SCRIPT DOES NOT HONOR FILES IN THE PATH_TO_KEEP DEFINED IN /OPT/QRADAR/CONF/DISKMAINTD.CONF OPEN: Reported in multiple QRadar versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that diskmaintd.pl deletes files that are older than 6 hours in paths identified in path_to_keep as defined in /opt/qradar/conf/diskmaintd.conf.
08 July 2019
SERVER DISCOVERY IJ17324 DUPLICATE 'SERVER TYPE' CAN SOMETIMES BE DISPLAYED IN SERVER DISCOVERY DROP DOWN OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that duplicate entries in the 'Server Type' drop down in Asset -> Server Discovery can sometimes be observed.
08 July 2019
RULES / COMMON IJ17309 SOURCE IP OR DESTINATION IP FILTER IS NOT AN AVAILABLE TEST OPTION FOR 'COMMON' RULES OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that Source IP and Destination IP filters are not available for Common Rules in the "when the event matches this search filter" rule test, but are available as an option in Event Rules and Flow Rules.
05 July 2019
PROTOCOL / DISCONNECTED LOG COLLECTOR (DLC) IJ17308 AUTOUPDATE DEPLOY SCRIPT PERFORMS A RESTART OF THE ECS-EC PROCESS WHEN IT IS SOMETIMES NOT REQUIRED OPEN: Reported in QRadar 7.3.2 version using PROTOCOL-IBMQRadarDLC.7.3-2018121713325 No workaround available.

It has been identified that when the PROTOCOL-IBM-QRadarDLC is installed in a QRadar environment, a new autoupdate-deploy script is employed. That script, when run, has been found to perform ecs-ec process restarts in instances where the process restart is not required.
04 July 2019
APP FRAMEWORK / APP INSTALL IJ17231 LARGER QRADAR APPS CAN FAIL TO INSTALL DUE TO A TIMEOUT VALUE BEING REACHED DURING THE INSTALLATION CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Install the latest software version or contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade at this time.

Issue
It has been identified that in some instances, large QRadar Apps (e.g. Pulse, UBA) can fail to install due to a timeout value being reached during the installation process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

Pulse App Error
[tomcat.tomcat] [pool-1-thread-4]
com.q1labs.uiframeworks.application.api.service.builders.shared.
AsyncBuildStageTask: [ERROR] [-/- -]
An exception occurred while building app asynchronously.
Triggering rollback.
[tomcat.tomcat] [admin@127.0.0.1
com.ibm.si.content_management.utils.AppFrameworkAPIClient:
[ERROR] [-/- -]Install of app 1354 did not complete
[tomcat.tomcat] [pool-1-thread-4]
com.q1labs.uiframeworks.application.api.exception.AppDockerImage
BuildException: An error occurred while building docker image.
Task state is PROCESSING
[tomcat.tomcat] [pool-1-thread-4] at
com.q1labs.uiframeworks.application.api.service.builders.shared.
DockerBuildProcessor.process(DockerBuildProcessor.java)
[tomcat.tomcat] [pool-1-thread-4] at
com.q1labs.uiframeworks.application.api.service.builders.shared.
AsyncBuildStageTask.runTask(AsyncBuildStageTask.java)
[tomcat.tomcat] [pool-1-thread-4] at
com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [pool-1-thread-4] at
java.util.concurrent.Executors$RunnableAdapter.
call(Executors.java)
[tomcat.tomcat] [pool-1-thread-4] at
java.util.concurrent.FutureTask.run(FutureTask.java)
[tomcat.tomcat] [pool-1-thread-4] at
java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-4] at
java.util.concurrent.ThreadPoolExecutor$Worker.run
(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-4] at
java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.ContentManager:
[ERROR][-/- -]Failed to import
content file [/store/tmp/cmt/out/Pulse_2/extension_zip.xml]
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:
[ERROR][-/- -]installing extension with id = 301 failed: An error
occurred installing application.
Please see error logs for details.
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: An error
occurred installing application.
Please see error logs for details.
[tomcat.tomcat] [admin@127.0.0.1] at
com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTas
k.runTask(InstallExtensionTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at
com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.FutureTask.run(FutureTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java)


UBA App Error
[tomcat.tomcat] [pool-1-thread-9]
com.q1labs.uiframeworks.application.api.exception.AppDockerImage
BuildException: An error occurred while building docker image.
Task state is PROCESSING
[tomcat.tomcat] [pool-1-thread-9] at
com.q1labs.uiframeworks.application.api.service.builders.shared.
DockerBuildProcessor.process(DockerBuildProcessor.java)
[tomcat.tomcat] [pool-1-thread-9] at
com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
[tomcat.tomcat] [pool-1-thread-9] at
com.q1labs.uiframeworks.application.api.service.builders.shared.
AsyncBuildStageTask.runTask(AsyncBuildStageTask.java)
[tomcat.tomcat] [pool-1-thread-9] at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
[tomcat.tomcat] [pool-1-thread-9] at
java.util.concurrent.FutureTask.run(FutureTask.java)
[tomcat.tomcat] [pool-1-thread-9] at
java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-9] at
java.util.concurrent.ThreadPoolExecutor$Worker.run
(ThreadPoolExecutor.java)
[tomcat.tomcat] [pool-1-thread-9] at
java.lang.Thread.run(Thread.java)
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.utils.AppFrameworkAPIClient:
[ERROR][-/- -]Install of app 1602 did not complete
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.ContentManager:
[ERROR][-/- -]Failed to import content file
[/store/tmp/cmt/out/User_Behavior_Analytics/ubaApp-3143-release-
3.2.0-201903211320.xml]
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:
[ERROR][-/--]installing extension with id = 551 failed:
An error occurred installing application.
Please see error logs for details.
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception:
An error occurred installing application.
Please see error logs for details.
[tomcat.tomcat] [admin@127.0.0.1] at
com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtension
Task.runTask(InstallExtensionTask.java)
[tomcat.tomcat] [admin@127.0.0.1] at
com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.Executors$RunnableAdapter.
call(Executors.java)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [admin@127.0.0.1] at
java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java)
26 June 2019
DISK SPACE / EVENT QUEUE IJ17202 /STORE/PERSISTENT_QUEUE CAN RUN OUT OF DISK SPACE DUE TO ECS AND EC-INGRESS SPILLOVER QUEUE CONFIGURATION CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Install the latest software version or contact Support for a possible workaround that might address this issue if you are unable to upgrade at this time.

It has been identified that /store/persistent_queue/ can run out of free space due to the configuration of the following tuning parameters for the event queues:
  • applyECSpilloverQueueChanges
  • applyECIngressSpilloverQueueChanges
25 June 2019
ADVANCED SEARCH (AQL) IJ17196 ADVANCED SEARCH (AQL) RETURNS ERROR 'REQUEST-URL TOO LARGE' OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that an Advanced Search (AQL) in the Log Activity or Network Activity tab can return an error message that is similar to: "Request-URI Too Large".

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
org.antlr.v4.runtime.Parser:
[ERROR] [-/- -]Parse error:  and
(INCIDR('127.0.0.1/23', KL_source_...
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized
context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23',
My_source_..."
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ql.parser.ParserBase.parseStatement
(ParserBase.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClien
t.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at java.util.concurrent.ThreadPoolExecutor$Worker.
run(ThreadPoolExecutor.java)
[ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
at java.lang.Thread.run(Thread.java)
26 June 2019
PROTOCOL / UDP MULTILINE SYSLOG IJ17839 'LISTEN PORT MUST BE AN INTEGER BETWEEN 1 AND 65535' MESSAGE WHEN CONFIGURING PORT 514 FOR UDP MULTILINE PROTOCOL LOG SOURCES CLOSED An updated version of UDP Multiline Syslog protocol has been published to IBM Fix Central to resolve this issue:
PROTOCOL-UDPMultilineSyslog-7.3-20190412134523

Administrators who have QRadar weekly auto updates enabled will receive this RPM file during the next weekly update. However, users experiencing this issue can download and manually install the RPM on the QRadar Console appliance using: yum -y install {rpmname}.

Issue: It has been identified that when editing a Log Source that uses the UDP Multiline Syslog protocol, QRadar can generate an error when the user attempts to assign a listen port value of 514. QRadar generates an error similar to the following:
Listen port must be an integer between 1 and 65535.

Port 514 is the default Syslog listener port in QRadar, and the error presented when trying to assign port 514 should be more clearly defined. This is a benign error message, and users need to select a different port for the UDP Multiline Syslog protocol. The protocol requires an update to provide a better error message for a port in use, such as: There is already a listener using that port.
26 July 2019
API / PERFORMANCE IJ17016 QRADAR INCIDENT FORENSICS RECOVERY HANGS WITH 'RUNNING' STATUS OPEN: Reported in QRadar Packet Capture 7.3.2 versions No workaround available.

It has been identified that in some instances, a timeout occurs with Incident Forensics in the backend while attempting to retrieve required PCAP data. When this issue occurs a Forensics Recovery can hang in 'Running' status.
05 July 2019
RULES / FLOWS IJ16995 REFERENCE SET RULE TEST DOES NOT WORK AS EXPECTED WITH SUPERFLOWS OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that Reference Set rule tests only use the first IP reflected in a Superflow.

Example with having 2 rules:
  1. The first rule evaluates the source IP of flow against a reference set to determine that the data is contained in the reference set. For example, and when any source IP is contained in {myreferenceset}.
  2. The second rule test evaluates if source IP is a specific value from the flow. The specific value is contained in the reference set. For example, and when the source IP is one of the following {x.x.x.x in the myreferenceset}.

Results
When the source IP is that specific value, the expected result is that both rule 1 and rule 2 would match and return results, but the actual result is that the less restrictive "any Source IP" test from rule 1 does not match the superflow.
25 June 2019
SCANNER / VIS IJ16994 VA SCANNER STAYS AT 'PENDING' STATE WHEN ATTEMPTING TO START IT FROM A FLOW COLLECTOR APPLIANCE OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that flow collectors are listed in the QRadar User Interface options for configuring a VA scanner, but attempting to start a scanner from a flow collector does not work as expected, and stays at 'Pending' state.

When attempting to start the vis service on a flow collector, a command line error similar to the following is returned:
"Job for vis.service failed because the control process exited
with error code. See "systemctl status vis.service" and
"journalctl -xe" for details.|"
Flow collectors do not have VIS components enabled, and should not have been available to select when configuring a scanner.
03 July 2019
DNS SETTINGS IJ16968 DNS SETTINGS MODIFIED ON AN EVENT COLLECTOR APPLIANCE (15XX) DO NOT PERSIST AFTER THE APPLIANCE REBOOTS CLOSED Closed as an invalid issue. Administrators must unmanage the host and use qchange_netsetup to update their DNS settings.

It has been identified that DNS settings modified on Event Collector appliances (15xx) do not persist after an appliance reboot. Changes to resolv.conf are not supported and do not persist on Event Collector appliances after a reboot. Invalid issues are not publicly visible, so the link to the APAR has been removed and the entry is left in the table for reference purposes.
05 July 2019
AQL / X-FORCE IJ16967 ADVANCED SEARCH (AQL) USING XFORCE_IP_CONFIDENCE FUNCTION DOES NOT WORK AS EXPECTED WHEN RUN USING LOCALES OTHER THAN ENGLISH (UNITED STATES) OPEN: Reported in QRadar 7.3.2 versions Workaround
Click the user icon in the top right hand corner of the UI, then go to User preferences -> locale. Change this to English (United States). Refresh your browser and confirm the functions work as expected.

Issue
It has been identified that using the XFORCE_IP_CONFIDENCE function does not work as expected in an Advanced Search (AQL) when QRadar is configured to use a locale other than English (United States).
05 July 2019
INSTALL / QRADAR PACKET CAPTURE IJ16966 QRADAR PACKET CAPTURE: /ROOT/RESET_INTERFACES.SH SCRIPT ON PCAP APPLIANCES DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar Network Packet Capture 7.3.2 Patch 1 Contact Support for a possible workaround that might address this issue in some instances.

The /root/Reset_Interfaces.sh script on PCAP appliances was introduced to correct issues that incorrect udev naming can sometimes cause. It has been observed that the script does not perform all expected tasks but does complete, then prompts for a reboot.
05 July 2019
DASHBOARDS IJ16962 UNABLE TO ADD THE 'EVENTS BY SEVERITY' DASHBOARD INTO THE QRADAR USER INTERFACE OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that attempting to add the 'Events by Severity' dashboard into the QRadar User Interface (UI) fails and does not provide any error or feedback in the UI.
26 June 2019
SIMULATION / QRADAR RISK MANAGER (QRM) IJ16947 WHEN 'USE CONNECTION DATA' IS CONFIGURED THE SIMULATION DOES NOT COMPLETE AND GENERATES AN ILLEGALARGUMENTEXCEPTION OPEN: Reported in QRadar 7.3.2 versions Workaround: Do not use the selection 'Use Connection Data' in the simulation.

It has been identified that a Risk Manager simulation can fail to complete when 'Use Connection Data' is selected. The Configuration Monitor screen displays "No Results" in the Results column. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] com.q1labs.simulator.simulation.SimulationRunner: [ERROR] [-/- -]Error executing simulation 10001:Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] java.lang.IllegalArgumentException: Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.topology.MultiRange.__createFromPoints(MultiRange.java:723)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.topology.MultiRange.createFromPoints(MultiRange.java:682)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.iag.impl.InferredAccessGraph$ArcProcessor.getPortResults(InferredAccessGraph.java:1151)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.iag.impl.InferredAccessGraph.findReachable(InferredAccessGraph.java:1231)
17 June 2019
INSTALL / QRADAR NETWORK INSIGHTS IJ18213 QRADAR NETWORK INSIGHTS 1920 INSTALL MENU DOES NOT DISPLAY THE OPTION FOR A QNI 6200 APPLIANCE CLOSED Resolved in QRadar Network Insights 7.4.0 (7.4.0.20200304205308)

Workaround
Review IBM QRadar Network Insights: Install Menu does not Display a Select Option for QNI 6200 Appliances (APAR IJ18213) for additional installation instructions.

Issue
It has been identified that the QRadar Network Insights (QNI) install menu on a fresh install of QRadar 7.3.2 Patch 2 displays the options for the 6000 and 6100 appliance types, but not for a QNI 6200 appliance. If you continue to experience issues, contact Support for additional assistance.
16 August 2019
SCANNER / TENABLE IJ17829 TENABLE SECURITY SCANNER IMPORT FAILS DUE TO CHANGES IN THE ALLOWED CIPHER SUITES ON THE TENABLE SERVER CLOSED The fix for this issue is released in the following RPM package update: VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm.

This update will be delivered in the next QRadar weekly auto update, but is available on IBM Fix Central now. Administrators who require an immediate resolution should download the latest VIS-TenableSecurityCenter RPM from IBM Fix Central and install it on the Console with the command:
yum -y install 7.3.0-QRADAR-VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm


Issue: It has been identified that Tenable SecurityCenter scan imports can fail. This is caused by changes in the list of allowed cipher suites on the Tenable server.
22 August 2019
AUTHENTICATION / USER ROLES IJ16851 USER LOGIN FAILURE AFTER DELETING A QRADAR USER ROLE OR SECURITY PROFILE WHEN LDAP GROUP AUTH IS ACTIVE OPEN: Reported in QRadar 7.3.2 versions Workaround: From the Admin tab > Authentication window, open each affected LDAP repository for editing and immediately save it. A Deploy Changes is required for the change to take effect.

It has been identified that user login failure can occur after deleting a QRadar user role or security profile when LDAP group authorization is active.
14 June 2019
SYSTEM SETTINGS / DEPLOY CHANGES IJ18436 UNABLE TO SAVE CHANGES MADE TO QRADAR SYSTEM SETTINGS AND 'INTERNAL ERROR: SAVE FAILED' MESSAGE IS DISPLAYED CLOSED This auto update script issue was addressed in the following RPM release on IBM Fix Central:
DSM-ArborNetworksPravail-7.3-20190822144538

Administrators who have QRadar weekly auto updates enabled will receive this RPM during the next weekly update. Users experiencing this issue now can download the RPM and install it manually on the QRadar Console appliance using: yum -y install {rpmname}.

Issue: It has been identified that an Auto Update action script can change the ownership of nva.conf in the staging directory to root during a Deploy function. When the ownership of nva.conf is changed, administrators can experience a user interface issue when they attempt to save changes to some parameters in System Settings. The QRadar User Interface fails to save System Settings with the error message 'Internal Error: save failed'.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
Unable to write system settings:
java.io.IOException: Failed to write
nva.conf/store/configservices/staging/globalconfig/nva.conf
(Permission denied)
26 August 2019
FLOWS / DEPLOY CHANGES IJ16823 UNABLE TO CONFIGURE DTLS FOR QRADAR NETWORK INSIGHTS (QNI) FLOW CONFIGURATION WHEN FLOW SOURCE IS FROM THE CONSOLE CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
From a command line interface (SSH), connect to the QRadar Console appliance as the root user and type the following command:
chown -R nobody:nobody /opt/qradar/conf/dtls
After you have set the ownership, you can successfully complete a Deploy Changes from the Admin tab.

Issue
It has been identified that attempting to enable DTLS in the QRadar Network Insights (QNI) flow configuration can cause the required Deploy Changes to fail when the flow source is the Console appliance. Administrators can reproduce this issue by changing the Console's default NetFlow flow source to use Linking Protocol = DTLS. For example:
  1. Click the Admin tab.
  2. Click the Flow Sources icon.
  3. Update the QNI connection to use the Console and default NetFlow as the flow source.
  4. Save the changes.
  5. From the Admin tab, click Deploy Changes.

    Results
    The deploy function fails and the QNI appliance is unable to send flows to the Console. See the workaround above to assist with this issue.
08 July 2019
UPGRADE IJ16821 QRADAR PATCH FAILS TO COMPLETE SUCCESSFULLY WHEN A HTTP_PROXY ENVIRONMENT VARIABLE IS CONFIGURED OPEN: Reported in QRadar 7.3.2 versions Workaround: Before attempting the QRadar patching process, unset the http_proxy environment variable. Ensure that it is not set in the root user's login profile. If a QRadar patch has already failed, roll back to the prior 7.3.x version, unset http_proxy, and re-run the patch.

It has been identified that QRadar patching can fail to complete successfully when an http_proxy is configured in /etc/environment. Messages similar to the following might be visible when this issue occurs:
[WARN](patchmode) time="2019-03-07T22:20:47+04:00" level=fatal msg="Error checking for blob sha256:fbbe1dc3535f2e4cfd3606016df4b075ae74e3bf39f8490cdbc073d93 at destination: pinging docker registry returned: Get https://xxxxxxxxxxx.localdeployment:5000/v2/:Forbidden"
[DEBUG](patchmode) WARN: Failed to deliver images to the registry
[DEBUG](patchmode) ERROR: Failed to push images to the registry.
14 June 2019
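For IJ16821 the workaround is to make sure http_proxy is not set anywhere the patch can pick it up before patching starts. The following script is an added example, not IBM's patch tooling: it checks the running shell environment and scans /etc/environment (the file the APAR names) plus root's login profiles (the profile list is an assumption) for an http_proxy assignment, so the same check can be run before and after unsetting the variable.

```shell
#!/bin/bash
# Pre-patch check for an http_proxy setting that can break the QRadar patch
# (IJ16821). Added example, not IBM's code. /etc/environment is the file the
# APAR names; the root profile files are an assumption about where a login
# shell would re-set the variable.
PROXY_FILES_DEFAULT="/etc/environment /root/.bash_profile /root/.bashrc /etc/profile"

# find_proxy_settings [file ...]
# Prints every http_proxy assignment found (with its line number and file).
# Returns 0 if none of the readable files set it, 1 otherwise.
find_proxy_settings() {
    local found=0 f
    for f in "$@"; do
        [ -r "$f" ] || continue                      # missing files are fine
        # matches "http_proxy=..." and "export http_proxy=...", any case
        if grep -inE '^[[:space:]]*(export[[:space:]]+)?http_proxy=' "$f"; then
            echo "  ^ set in $f"
            found=1
        fi
    done
    return $found
}

# proxy_in_env
# Returns 0 if http_proxy (either case) is set in the current environment.
proxy_in_env() {
    [ -n "${http_proxy:-}${HTTP_PROXY:-}" ]
}

# precheck_patch_proxy
# Returns 0 when it is safe to run the patch, 1 when something must be fixed.
precheck_patch_proxy() {
    local rc=0
    if proxy_in_env; then
        echo "http_proxy is set in the current environment: run 'unset http_proxy HTTP_PROXY' first"
        rc=1
    fi
    # shellcheck disable=SC2086  (word splitting of the file list is intended)
    find_proxy_settings $PROXY_FILES_DEFAULT || rc=1
    [ $rc -eq 0 ] && echo "no http_proxy setting found; patch can proceed"
    return $rc
}

# Usage on the Console:  . ./proxy_precheck.sh && precheck_patch_proxy
```

Unsetting the variable in the current shell is not enough on its own if a profile re-exports it, which is why the file scan reports the file and line for each hit; the patch should be re-run only after precheck_patch_proxy exits 0.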
RULES / RULE TEST IJ16820 RULE CONDITION 'WHEN THE EVENT MATCHES DESTINATION GEOGRAPHIC COUNTRY/REGION' IS NOT WORKING CORRECTLY FOR TURKEY OPEN: Reported in QRadar 7.3.2 Patch 1 No workaround available.

It has been identified that the rule condition 'when the event matches Destination Geographic Country/Region' is not working correctly for the country of Turkey. This can cause unexpected rule responses and/or Offense behavior.

For example: events whose Destination IP address is within Turkey match rules that include the rule condition 'when the event matches Destination Geographic Country/Region is not Turkey'.
14 June 2019
LOG SOURCE MANAGEMENT APP IJ17859 USING THE 'DON'T SHOW ME AGAIN' BUTTON ON THE LOG SOURCE MANAGEMENT APP BANNER DOES NOT WORK AS EXPECTED CLOSED Closed as a suggestion for future release.

It has been identified that the "Don't Show Me Again" button that can be displayed on a Log Source Management (LSM) app banner message does not work as expected. The banner message that was selected for 'Don't Show Me Again' is displayed when the web browser used for the QRadar User Interface is restarted.
16 August 2019
HIGH AVAILABILITY (HA) / EVENT COLLECTOR IJ16785 POSTGRESQL DATABASE ON QRADAR COLLECTOR APPLIANCE (15XX) CAN BE OUT OF SYNC ON STANDBY APPLIANCE CAUSING ISSUES AFTER FAILOVER OPEN: Reported in multiple QRadar versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after a failover occurs from an active to a standby Event Collector appliance (15XX), the QRadar PostgreSQL database can be out of sync in some instances and requests a FULL replication transaction. This can lead to various issues within QRadar occurring after an appliance failover, such as an incorrect EPS license setting for ecs-ec-ingress, incorrect Log Source configurations, or missing routing rules.
14 June 2019
API IJ16784 RESTAPI WITH BASIC AUTHENTICATION CAN FAIL TO GET USER CAPABILITIES WHEN USING LDAP AUTH 'LOCAL AUTHORIZATION' OPEN: Reported in QRadar 7.3.1 Patch 3 No workaround available.

It has been identified that using the REST API to get endpoint resources with basic authentication fails to get user capabilities when using LDAP authentication with local authorization. A message similar to the following is returned:
{
  "http_response": {
    "code": 403,
    "message": "Your account is not authorized to access the requested resource"
  },
  "code": 26,
  "description": "",
  "details": {},
  "message": "User has insufficient capabilities to access this endpoint resource"
}


Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false
[tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false
14 June 2019
OFFENSES IJ16742 OFFENSES CAN FAIL TO BE UPDATED AFTER A CONSOLE APPLIANCE REBOOT CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Perform a Soft Clean SIM. See the documentation topic Cleaning the SIM data model for the steps and results of performing a Soft Clean SIM.

It has been identified that in some instances, Offenses can fail to update after a Console appliance reboot (controlled or uncontrolled) because a required file becomes corrupted and is deleted. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR] [-/- -] Error reading file /store/mpc/core/CounterProcessor/dormant-handles-index.ser, deleting it...
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:812)
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR][-/- -]Error reading file /store/mpc/core/CounterProcessor/active-handles-index.ser, deleting it...
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java)
14 June 2019
RULES / FLOW DIRECTION IJ16741 RULES DEPENDENT UPON FLOW DIRECTION CAN FIRE UNEXPECTEDLY DUE TO QRADAR NETWORK INSIGHTS (QNI) LOGGING REVERSED FLOW DIRECTION OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that, for Content Flows generated by QRadar Network Insights, a reversed flow direction with a 0-byte payload length is observed: the flow is recorded as server to client, so the server appears as the source when it should be the destination. When this occurs, rules that depend on flow direction can fire in instances where they should not.
08 July 2019
AUTHENTICATION / ACTIVE DIRECTORY (AD) IJ16739 ACTIVE DIRECTORY REPOSITORY SETUP PAGE FIELD NAME 'LOGIN DN' CAN CAUSE CONFUSION AS TO ITS PROPER USE OPEN: Reported in QRadar 7.3.2 versions Workaround: Use a Windows account name (also known as sAMAccountName) in the 'Login DN' field.

It has been identified that on the Admin > Authentication > Active Directory setup page, the purpose of the 'Login DN' field can be misunderstood: it is used only for connection testing. When setting up an Active Directory repository, entering a full Distinguished Name (DN) in the 'Login DN' field causes the test connection to fail. Both the 'Login DN' field and the associated password field are tied directly to the 'Test connection' button and are not used at any other time.
14 June 2019
USER INTERFACE / QRADAR VULNERABILITY MANAGER IJ16670 'CRITICAL' IS NOT AN OPTION IN RISK LIST OF VULNERABILITY MANAGER'S 'REMEDIATION TIMES' WINDOW OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that the use of 'Critical' is inconsistent across the QRadar Vulnerability Manager user interface windows and options. For example, 'Critical' is not listed on the 'Remediation Times' window in Vulnerability Manager.
17 June 2019
POLICY MONITOR / QRADAR RISK MANAGER IJ16610 QRADAR RISK MANAGER (QRM) POLICY QUESTION DOES NOT RETURN ALL MATCHING RULES FOR CONDITION SPECIFIED OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that a Risk Manager Policy Monitor question with a return type of Device/Rules and a condition "allow connections to the following IP addresses" does not find a rule that should match this condition if the rule uses an object group to reference the IP addresses.
18 June 2019
RISK FACTOR / QRADAR VULNERABILITY MANAGER IJ16594 ASSET PROFILER EXCEPTION CAUSED BY NEW 'CRITICAL RISK FACTOR' CLASSIFICATION IN QRADAR VULNERABILITY MANAGER (QVM) OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the new PCI Severity and Risk Factor classification 'Critical' causes the asset profiler to throw an Invalid RiskFactor Exception in QRadar logging when a vulnerability is assigned a Critical Risk Factor. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [pool-1-thread-6] com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPITask: [ERROR][-/- -]An unhandled exception was thrown during the execution of task: 258
[tomcat.tomcat] [pool-1-thread-6] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical
[tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(RiskFactorDTO.java)
[tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapter.doConvert(R1_2017VulnInstanceDTOAdapter.java)
07 June 2019
FLOWS / FLOW SOURCE ALIAS IJ18233 A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a manually added or edited Flow Source alias does not work as expected. When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue is occurring.
19 August 2019
DOMAIN MANAGEMENT IJ18345 LOG SOURCES WITHIN A LOG SOURCE GROUP DO NOT INHERIT DOMAIN MEMBERSHIP WHEN THE LOG SOURCE GROUP IS ADDED TO A DOMAIN CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.2 (7.3.2.20190201201121)

Workaround: From the Admin tab, open the Domain Management interface, select the Log Sources you would like to add, and add the log sources manually.

It has been identified that adding a Log Source Group to a Domain does not cause the log sources contained in that Log Source Group or its subgroups to inherit the Domain membership, even if the Log Source is not within another Domain.
15 August 2019
SECURITY BULLETIN CVE-2019-10072 APACHE TOMCAT AS USED IN IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 15 August 2019
BACKUP / RECOVERY IJ18357 CHANGE TO FILE PERMISSION ON GEOLITE2-CITY.MMDB CAN OCCUR AFTER A CONFIG RESTORE AND DEPLOY IS SUCCESSFULLY PERFORMED OPEN: Reported in QRadar 7.3.2 Patch 4 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances, the file permissions for /store/configservices/deployed/globalconfig/GeoLite2-City.mmdb can be changed from "nobody nobody" to "root root" after a successful Configuration Restore and a Deploy Changes has been performed. When this issue occurs, permission errors can be observed in the logs when users attempt to save changes from the Admin > System Settings window in QRadar. Messages similar to the following might be visible in /var/log/qradar.log:
[tomcat.tomcat][LocationUtils_Timer] com.q1labs.core.shared.location.LocationUtils: [ERROR][-/- -]Error occurred while reloading the LocationUtils database
[tomcat.tomcat] [LocationUtils_Timer] java.io.IOException: Destination '/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb' exists but is read-only
[tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.FileUtils.copyFile(FileUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.FileUtils.copyFile(FileUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils.getCorrectCurrentGeoLiteFile(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils.reload(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils$LocationUtilsReloadTask.run(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.mainLoop(Timer.java)
[tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.run(Timer.java)
15 August 2019
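Three entries on this page (IJ18436, where nva.conf in the staging directory becomes root-owned; IJ16823, whose workaround is chown -R nobody:nobody /opt/qradar/conf/dtls; and IJ18357 above, where GeoLite2-City.mmdb flips from nobody:nobody to root:root) share one symptom: a file the tomcat or deploy process must write is no longer owned by nobody, and the failure only surfaces later as 'Internal Error: save failed' or a broken Deploy Changes. The following script is an added example, not IBM's code or a QRadar utility: it checks those paths before Deploy Changes and prints the chown to run for any that differ. The expected owner for nva.conf is an assumption drawn from the other two entries, and GNU stat (as on the QRadar appliance OS) is assumed.

```shell
#!/bin/bash
# Pre-deploy ownership check for the files named in IJ18436 (nva.conf),
# IJ16823 (/opt/qradar/conf/dtls) and IJ18357 (GeoLite2-City.mmdb).
# Added example, not IBM tooling. nobody:nobody is the owner the DTLS
# workaround sets and the GeoLite2 entry expects; applying the same
# expectation to the staging nva.conf is an assumption.
EXPECTED_OWNER="nobody:nobody"
CHECK_PATHS="/store/configservices/staging/globalconfig/nva.conf
/opt/qradar/conf/dtls
/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb"

# owner_of PATH  -> prints user:group (GNU stat, as on the appliance OS)
owner_of() {
    stat -c '%U:%G' "$1"
}

# check_owner PATH EXPECTED
# Returns 0 if PATH exists and every entry under it is owned EXPECTED,
# 1 if it is missing or any entry differs (each mismatch is printed).
check_owner() {
    local path=$1 expected=$2 rc=0 entry actual
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # here-document rather than a pipe so rc survives the loop
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        actual=$(owner_of "$entry")
        if [ "$actual" != "$expected" ]; then
            echo "BAD      $entry is $actual, expected $expected"
            rc=1
        fi
    done <<EOF
$(find "$path" -print)
EOF
    [ "$rc" -eq 0 ] && echo "OK       $path"
    return "$rc"
}

# predeploy_owner_check
# Returns 0 when every listed path is owned correctly; otherwise prints the
# chown to run (the same fix the DTLS workaround uses) and returns 1.
predeploy_owner_check() {
    local rc=0 p
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        check_owner "$p" "$EXPECTED_OWNER" || {
            echo "  fix: chown -R $EXPECTED_OWNER $p"
            rc=1
        }
    done <<EOF
$CHECK_PATHS
EOF
    return $rc
}

# Usage on the Console as root, before Deploy Changes:
#   . ./predeploy_owner_check.sh && predeploy_owner_check
```

Run it as root on the Console before Deploy Changes; a BAD line names the exact entry to fix, and a MISSING line for the DTLS directory simply means DTLS has not been configured on that Console.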
SCAN RESULTS IJ16518 QRADAR VULNERABILITY MANAGER (QVM) SCAN RESULT RECORDS LISTED IN THE USER INTERFACE ARE NEVER PURGED OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that vulnerability scan result records that are listed in the User Interface continue to be displayed after the 'Purge Scan Results After Period' setting has purged the underlying data.
31 May 2019
OFFENSES IJ16941 OFFENSES CAN FAIL TO GENERATE WHEN EXPECTED, WHEN SPILLOVER FROM MEMORY TO DISK DURING CACHING OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that Offenses can be slow to generate, or fail to generate when expected, when QRadar experiences a cache spillover from memory to disk. Messages similar to the following might be visible in /var/log/qradar.log when this specific issue occurs:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]TargetIPtoID is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 7.0
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]LightTarget is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 6.0
19 June 2019
TUNNELS / DEPLOY CHANGES IJ00025 DEPLOY FUNCTION CAN SOMETIMES FAIL DUE TO TUNNELS NOT STARTING CORRECTLY WHEN ENCRYPTION IS ENABLED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that on encrypted managed hosts running QRadar 7.3.0.x versions, the generate_tunnel_environment.sh script can sometimes fail to start tunnels correctly. When this occurs, there is no connectivity between the QRadar Managed Hosts and the Console, causing deploys and all traffic between the Console and the encrypted Managed Hosts to fail.
02 April 2018
CUSTOM PROPERTIES / PARSE IN ADVANCE IJ16411 QRADAR DEPENDENCY CHECKER CAN FAIL WHEN A USER WITH NO LOCALE CONFIGURED ATTEMPTS TO MODIFY A CUSTOM EVENT PROPERTY CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

Workaround: Have the user configure a user locale and retry the "un-select" for the Custom Event Property.

It has been identified that the QRadar dependency checker can launch when the 'Parse in advance for rules, reports and searches' check box is cleared in the Property Definition section of the user interface, and can generate the error message "1.Found Custom Rules: 0" or "2. Error occurred while finding Ariel Indexing". This issue can occur when the QRadar user who created the custom property has no locale configured. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [pool-1-thread-10] com.q1labs.core.shared.datadeletion.task.FindDependentsTask: [ERROR][-/- -]Error trying to find Dependents for id: [347902bb-f6c0-4b07-9791-f3a8b0a94f17], and type: EVENT_REGEX_PROPERTY_DEPENDENCY
[tomcat.tomcat] [pool-1-thread-10] java.lang.NullPointerException
[tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.<init>(Locale.java)
[tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.<init>(Locale.java)
[tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getArielIndexingByPropertyId(CustomPropertyDependency.java)
[tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getUsage(CustomPropertyDependency.java)
28 May 2019
FLOWS / SIGNATURES IJ17359 MANUAL CHANGES MADE TO SIGNATURES.XML ARE OVERWRITTEN DURING AN AUTOUPDATE FUNCTION CLOSED Closed as a documentation issue.

Users who include custom signature values for source and destination ports to identify flow traffic should ensure that a signature ID (sigid) is defined for each custom signature in their signatures.xml file, to prevent the auto update from discarding the change. Customers can use a sigid value of 3000 or above to denote custom changes to signatures.xml. Including the sigid value prevents xmldiff from merging the custom signatures.xml changes with the auto update version of the file when updates occur. For an example of adding new source and destination ports for signature detection, see this technical note: QRadar: Detecting SMB1 & SMBv2 Traffic with QFlow (Updated)

Issue: It has been identified that when manual changes are made to signatures.xml using the methods documented in the technote to preserve the changes, an AutoUpdate function overwrites the manual changes anyway.
09 August 2019
REPORTS IJ16290 A REPORT RUN ON RAW DATA CAN FAIL WITH 'STRING INCOMPATIBLE WITH COM.Q1LABS.FRAMEWORKS.NIO.COMPOSITEKEY' IN LOGGING OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that performing a 'Run Report on RAW data' can fail and output an error to /var/log/qradar.log similar to the following:
[report_runner] [main] com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty: [ERROR][-/- -]About to cast key = IPADDRESS.hostname.lab:ecs-ec/EC/Processor2 to CompositeKey
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
[report_runner] [main] java.lang.ClassCastException: java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
[report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
[report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getObject(CVEResultSet.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.<init>(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.<init>(SQLChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java)
[report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java)
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
15 May 2019
RULES / NETWORK HIERARCHY IJ16173 IPV6 NETWORK HIERARCHY GENERATES A NULLPOINTEREXCEPTION WHEN A RULE IS BASED OFF A NETWORK DEFINED IN REMOTENET.CONF OPEN: Reported in QRadar 7.3.2 No workaround available.

It has been identified that an IPv6 Network Hierarchy can sometimes throw NullPointerException errors in QRadar logging when a rule is based off a network defined in remotenet.conf. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [0]] com.q1labs.semsources.cre.CustomRule: [ERROR][-/- -]Exception in rule 1496 - Connection to a Remote Proxy or Anonymization Service (Outbound): null
[ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NullPointerException
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkViewAny.match(NetworkViewAny.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView.testAny(NetworkView.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.gen.NetworkView_AnyAny.test(NetworkView_AnyAny.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView_Test.test(NetworkView_Test.java:56)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.gen.TestExecutor_0_4.test(TestExecutor_0_4.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java)
15 May 2019
UPGRADE IJ16080 PATCHING QRADAR PACKET CAPTURE TO 7.3.1B322 CAN FAIL TO MOUNT /DEV/SDB1 PARTITION AFTER REBOOT OPEN: Reported in QRadar Packet Capture 7.3.1b322 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after patching QRadar Packet Capture appliance to 7.3.1b322, the /dev/sdb1 partition does not mount after reboot.
16 May 2019
DATABASE / DATA IJ16063 QRADAR PACKET CAPTURE APPLIANCE NOT STORING NETWORK DATA AS EXPECTED DUE TO MONGODB PROCESS FAILURE OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

It has been identified that in some instances a PCAP appliance appears to be storing network data, but any attempt to do a PCAP search (natively or as a Forensics Recovery) shows 0 results.

The required mongod process can coredump and sometimes fails to restart due to a pid/lock file issue. Messages similar to the following might be visible in /var/log/messages when this particular issue occurs:
abrt[5377]: Saved core dump of pid 5277
(/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod) to
/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277 (215597056 bytes)
abrtd: Directory 'ccpp-2019-02-28-16:28:41-5277' creation detected
abrtd: Executable '/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod'
doesn't belong to any package and ProcessUnpackaged is set to 'no'
abrtd: 'post-create' on '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277' exited with 1
abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277'
16 May 2019
LICENSE IJ16043 PCAP LICENSE REPORTS AS "EVALUATION" ON INSTALLATIONS OF VERSION 730B307+ THAT ARE PATCHED UP TO 731B322 OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

It has been identified that when a valid PCAP license is applied to PCAP version 730b307+ that has been patched up to 731b322, the license that displayed as "permanent" at the earlier version changes to displaying as "evaluation".
16 May 2019
PCAP EXPORT / PERMISSIONS IJ16042 QRADAR INCIDENT FORENSICS USER WITH SYSTEM ADMIN ROLE THAT IS NOT THE 'ADMIN' USER CANNOT PERFORM DOWNLOAD OF A PCAP FROM THE USER INTERFACE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

Workaround: Create another user without the "System Admin" role. Log in as the newly created user to complete the recovery and download the pcap file.

It has been identified that a QRadar user that has the "System Admin" role but is not the user "admin" cannot successfully perform a PCAP download. A message similar to the following is displayed when the download is attempted:
Error "Failed to load resource; the server responded with a
status of 400 (Bad Request)" or "...404 (Not Found)".
24 May 2019
DOMAINS / MULTITENANCY IJ16001 INCONSISTENT BEHAVIOR IN DOMAIN ENVIRONMENTS WITH HOW DISPATCHED EVENTS AND OFFENSES ARE OCCURRING CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in a domain environment, there is an inconsistency in how dispatched events and offenses are tagged and handled. For example, either of the following can occur:
  • The dispatched events, networks, and offenses are generated in the Default Domain.
  • The dispatched events, networks, and offenses are in the same domain as the original domain events.
19 August 2019
TOPOLOGY / RISK MANAGER IJ15529 DISPLAY OF THE TOPOLOGY SCREEN IS ALWAYS BASED ON ADMIN USER SET OPEN: Reported in QRadar Risk Manager (QRM) 7.3.1 versions No workaround available.

It has been identified that when the Topology screen is selected, the displayed topology is based on the topology properties that are set by the admin user. Another user can edit and save the properties, but the displayed topology continues to use the admin user's properties.
18 April 2019
VULNERABILITY SCAN IMPORT / SERVICE IJ15513 IMQ PROCESS CAN GO OUT OF MEMORY WHEN IMPORTING A LARGE AMOUNT OF SCAN RESULTS OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that importing a large amount of scan results can sometimes cause the imq process on a QRadar Console to experience an Out of Memory occurrence. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
tomcat[31977]: 05-Feb-2019 10:58:40.758 WARNING [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.q1labs.rpcservices.VisServices: [ERROR][-/- -]Failed to post jms message
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.throwServerErrorException(ProtocolHandler.java:4093)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1353)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1247)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1241)
23 April 2019
REPORTS / AQL IJ15497 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME' INSTEAD OF THE EXPECTED HOSTNAME OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that the output in a report graph is ordered by event count instead of date as in the AQL that is used in the report. For example:
  1. Create a saved search using the following AQL query and provide a name to the search:
    SELECT DATEFORMAT(starttime, 'MM/dd/yyyy (E)') AS "Date",
    SUM(eventcount) AS "Event Count" FROM events WHERE qid =
    1003000005 GROUP BY "Date" ORDER BY "Date" ASC LAST 7 DAYS
  2. Create a report with the following settings:
    • Chart type: Events/Log
    • Saved search: Type the query name created in step 1
    • Graph type: Bar
    • Limit event/log to top: 50
    • Horizontal axis: Date
    • Vertical axis: Event Count
  3. Run the report.

    Results
    The report output is ordered by event count instead of by the ORDER BY "Date" defined in the advanced query (AQL).
26 April 2019
OFFENSES / COUNTS IJ15472 EVENT COUNT NUMBERS DO NOT MATCH IN THE OFFENSE DETAILS SCREEN WHEN CLICKING THE EVENT/FLOW COUNT OPEN: Reported in QRadar 7.3.1 Patch 4 No workaround available.

It has been identified that the Event count in the Offense details screen does not match the event count displayed when clicking the event/flow count. For rules that use the "when at least this many events are seen with the same event properties in this many minutes" condition, the Event/Flow count in an Offense does not match the Ariel search list of Events/Flows.
23 April 2019
DEVICE SUPPORT MODULE (DSM) IJ15445 CISCO ASA EVENTS CAN BE MISIDENTIFIED AS A POSSIBLE SECURITY INCIDENT DUE TO FLIPPED SOURCE AND DESTINATION IP OPEN: Reported in DSM-CiscoFirewallDevices-7.3-20181220154136.noarch No workaround available.

It has been identified that Cisco ASA 'Teardown TCP Connection' events are being misinterpreted as a potential security incident because the source and destination IP address are being flipped by QRadar. This issue can cause Rules/Offenses to be incorrectly fired/generated.
31 July 2019
DATA NODE IJ15414 OUT OF MEMORY OCCURRENCES ON DATANODE APPLIANCES CAN BE EXPERIENCED DUE TO DEFAULT JVM SETTINGS BEING USED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that Data Node appliances can use the default JVM memory settings instead of the QRadar tuned settings. When this issue occurs, "Out of Memory" errors can sometimes be experienced on affected Data Node appliances.
13 May 2019
QRADAR VULNERABILITY MANAGER / ASSETS IJ15360 ASSET VIEW DISPLAYS DIFFERENT VULNERABILITY COUNT VS THE ASSET SUMMARY VIEW WHEN QVM EXCEPTION VULNERABILITIES ARE USED OPEN: Reported in QRadar 7.3.1 Patch 7 and 7.3.2 Patch 1 No workaround available.

It has been identified that the Asset View screen displays a different Vulnerability count compared to the Asset Summary view screen when QVM exception vulnerabilities are used. Details:
  1. The vulnerabilities count on the asset list page and the asset summary page do not match.
  2. The Vulnerabilities Count on the asset view page includes excluded/exceptioned vulnerabilities, but exceptioned vulnerabilities are not included in the asset summary page.
  3. Users expect to see x vulnerabilities, as displayed in the asset list page, but the number in the asset summary screen is lower (x minus the vulnerability exclusions).
11 April 2019
REPORTS IJ15337 'APPLICATION ERROR: AN ERROR HAS OCCURRED' WHEN OPENING AN EMAIL LINK TO DOWNLOAD AN EXPORTED REPORT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: When you receive the email, navigate to /store/exports on the QRadar Console and copy the file directly from the directory.

It has been identified that a message similar to "Application Error: an error has occurred." can be generated when clicking on an email link to an exported report. For example:
  1. Export a QRadar search and select Notify me when complete.
  2. Users receive the following notification email:
    Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the link below.
    *Note that the link is valid for one download only. https://{ipaddress}/console/exportData?jobId=xxxx-xxxx-xxxx-xxx-xxxx
  3. When the user attempts to download the export with the provided link, an error message is generated: Application Error: an error has occurred.
26 April 2019
API / OFFENSES IJ15331 QRADAR OFFENSE API INEFFICIENCIES CAN CAUSE HIGHER THAN EXPECTED APPLIANCE SYSTEM LOAD CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)

It has been identified that inefficiencies in the QRadar Offense API (/api/siem/offenses) endpoint around processing security permissions can cause a higher than expected CPU usage and processing time.
26 April 2019
HIGH AVAILABILITY (HA) / DISK SPACE IJ15328 HIGH AVAILABILITY APPLIANCE SHOWS AS FAILED STATE WHEN /TMP PARTITION AT 100% USAGE CAUSES CONF FILE TRUNCATION OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a High Availability (HA) appliance can display in a failed state due to the /tmp partition filling to 100% usage. When this 100% /tmp usage situation occurs, the drbd.conf and ha.conf files, which are needed for proper HA functionality, can become truncated.
09 April 2019
OFFENSES / ANOMALY RULE IJ15298 ANOMALY DETECTION ENGINE (ADE) RULES FIRE 2 OFFENSES INSTEAD OF 1 WHEN DEFAULT RULE RESPONSES ARE CONFIGURED OPEN: Reported in QRadar 7.3.2 No workaround available.

It has been identified that enabled Anomaly Detection Engine (ADE) rules that are configured with the default Rule Response settings can generate two offenses instead of one when the rule fires. For example, when this issue occurs users might see the following:
  1. The offense that is expected to be seen.
  2. A second offense that is based on the Offense Source: Anomaly - Event CRE.
11 April 2019
WINCOLLECT IJ15297 MANAGED WINCOLLECT AGENTS DO NOT RECEIVE CONFIG UPDATES WHEN USING 'ENCRYPT HOST CONNECTIONS' IN CONSOLE SETTINGS OPEN: Reported in WinCollect 7.2.8 Patch 2 (7.2.8-145) No workaround available.

It has been identified that Managed WinCollect agents do not receive Config Updates if "Encrypt Host Connections" is selected under the "Console" appliance settings (System and License Management).

NOTE: "Encrypt Host Connections" has no benefit when this check box is selected on the QRadar Console appliance. This setting is specific to non-Console / managed host appliances and enables SSH tunnels for communication to managed hosts for data requested by the Console.
10 May 2019
RULES / RULE WIZARD IJ15295 CUSTOM/AQL ARITHMETIC PROPERTY IS NOT AVAILABLE TO SELECT IN THE RULE STACK TEST PAGE WHEN CREATING AN ANOMALY RULE IN THE RULE WIZARD OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that the sum of two fields is not populated for the "Accumulated property" on the Anomaly Rule Wizard > Rule Test Stack Editor page, and the message "There are parameters in the test stack which have not been specified" is displayed. To reproduce or verify this issue, see the procedure below.
  1. In the Network Activity tab, run the following advanced search:
    SELECT sourceip, SUM(sourcebytes+destinationbytes) AS TotalBytes FROM flows WHERE sourceip='IP_Address_Console' GROUP BY sourceip ORDER BY TotalBytes
  2. Save the criteria.
  3. Click Rule > Add Anomaly Rule.
  4. At the Rule Test Stack Editor, add the rule:
    Apply The_rule_Name when time series data is being aggregated by sourceip, TotalBytes and when the average value (per interval) of this accumulated property over the last 1 min
    Is at least 40% different from the average value (per interval) of the same property over the last 24 hours.
  5. Click on this accumulated property.
  6. Select the Accumulated Property for the anomaly:
    Test:SUM(AddDouble(DestinationBytes, SourceBytes))
  7. Click Submit, then Next.

    Results
    The error message: There are parameters in the test stack which have not been specified is generated in the User Interface.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (5048)
/console/do/rulewizard/saveCustomizeConditionParameter]
com.q1labs.sem.ui.util.RuleConditionUtils: [WARN]
[-/- -]No lookup results found for user selection(s)
SUM(SubtractDouble(SourceBytes, SourcePackets)) for method
com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields
09 April 2019
WINCOLLECT IJ15236 CYRILLIC TEXT IS DECODED INCORRECTLY WHEN WINCOLLECT FILE FORWARDING FILE CONTENT USES WINDOWS-1251 FORMATTING CLOSED Closed as unreproducible in the next release. Upon further investigation of this issue as reported in WinCollect 7.2.2-2, it does not occur in newer versions of WinCollect. WinCollect 7.2.9 was used to verify that the reported Cyrillic text issue could not be reproduced.

When configuring the File Forwarder plugin on WinCollect, switch the File Reader Encoding setting to UTF8 (no conversion). With this setting, the Cyrillic characters were displayed correctly in the payload in QRadar.
26 July 2019
ASSETS IJ15215 ASSET SAVED SEARCH CRITERIA THAT IS CONFIGURED AS DEFAULT CHANGES ON SUBSEQUENT RESULT PAGES OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that asset saved search criteria that are set as the default revert to the original default values when viewing subsequent result pages (e.g. page 2).
11 April 2019
HIGH AVAILABILITY (HA) IJ15214 HIGH AVAILABILITY FAILOVER CAN DISPLAY A GENERIC MESSAGE 'ERROR: COULDN'T UPDATE ROUTING TABLE' OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that a required script fails at start_routing during a High Availability failover due to missing or incorrect network configuration file content. A default message similar to the following is displayed:
ERROR: Couldn't update routing table.
15 May 2019
PROTOCOLS IJ15213 AUTOMATIC CERTIFICATE DOWNLOADER USES TLS 1.0 BY DEFAULT AND FAILS WHEN VENDOR HAS DISABLED TLS 1.0 OPEN: Reported as a Protocol Common RPM issue Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the automatic certificate downloader uses TLS 1.0 by default when attempting to communicate. This fails when TLS 1.0 is disabled at the receiving end from which the certificate is obtained. Using Netskope as an example, the failure is displayed in /var/log/qradar.log as follows:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider: [ERROR][-/--]Unable to download certificate chain from
[example.goskope.com:443]
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider: [ERROR][-/--]An error occured when trying to
configure a source connection for provider class
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider254
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
java.lang.Exception: Server [[example.goskope.com:443]
presented no certificate chain!
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]  at
com.q1labs.semsources.sources.utils.certificate.CertificateDownl
oader.getCertificate(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at
com.q1labs.semsources.sources.utils.certificate.CertificateDownl
oader.downloadCertificates(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at
com.q1labs.semsources.sources.utils.certificate.CertificateDownl
oader.downloadCertificates(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider.checkCerts(NetskopeActiveRESTAPIProvider.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider.preExecuteConfigure(NetskopeActiveRESTAPIProvi
der.java:53)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]    at
com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
ider.java:179)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPISource: [ERROR][-/--] There appears to be a configuration
issue with the provider connection 'class
com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActi
veRESTAPIProvider254'.
27 May 2019
AUTO UPDATE / PROXY IJ14781 AUTOUPDATE PROXY SETTING PASSWORD CONTAINING A ' # ' (POUND) OR ' ? ' (QUESTION MARK) SYMBOL BREAKS THE PROXY CALL OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that when the AutoUpdate proxy password contains either a # (pound) or ? (question mark) symbol, it breaks the proxy call and can result in the password being displayed in autoupdate logs.
24 May 2019
UPGRADE / PRETEST IJ14475 QRADAR PATCH HANGS WHEN ONE OR MORE HOSTS IN THE DEPLOYMENT ARE UNREACHABLE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that during a QRadar patch, the patch can hang for a longer than expected period of time when one or more Managed Hosts in the Deployment are not reachable via SSH (network issue, powered off, etc.). When this issue occurs, the following error message can be displayed:
Patch Report for {ApplianceIP}, appliance type: 3199
Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
{Hostname} :  patch test failed.

Press enter to continue...
28 May 2019
SEARCH / SERVICES IJ14442 ARIEL PROXY OUT OF MEMORY OCCURRENCES CAN BE OBSERVED WHEN LARGE SEARCHES WITH AGGREGATIONS ARE PERFORMED OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that the ariel proxy service can experience Out of Memory occurrences when large searches are performed that include data aggregations (many columns, custom properties, etc.).

When 'Out of Memory' occurrences are experienced with the ariel proxy service, Java heap dumps (/store/jheap) can be examined by QRadar Support to identify whether these types of searches are the cause.
01 May 2019
LICENSE IJ14252 LARGE FLOW LICENSE CAN BE APPLIED TO QRADAR BUT ANY LICENSE AMOUNT OVER 1.2 MILLION FPM IS NOT HONORED BY QRADAR OPEN: Reported in QRadar 7.3.2 Patch 1 No workaround available.

It has been identified that applying flow licensing of larger than 1.2 million flows per minute (FPM) is not honored by QRadar. The system is capped at the 1.2 million FPM amount.
15 May 2019
DISK SPACE IJ14139 LOGROTATE CAN FAIL TO RUN WHEN PARTITION IS FULL AND "ALERT EXITED ABNORMALLY WITH [1]" IN /VAR/LOG/MESSAGES CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that when a partition has filled, logrotate can create a zero-byte file, after which subsequent logrotate runs fail. When this occurs, monitored partitions that contain logs are more vulnerable to being filled.

IMPORTANT: When disk usage of a monitored partition reaches 95%, QRadar data collection and search processes are shut down to protect the file system from reaching 100%. Messages similar to the following might be visible in /var/log/messages when this issue occurs:
Feb 22 14:06:48 ip-191-172 logrotate: ALERT exited abnormally with [1]
16 May 2019
VULNERABILITY SCAN / SCAN TOOLS IJ14136 VULNERABILITY MANAGER SCANS DO NOT RESPECT CONFIGURED OPERATIONAL WINDOWS OPEN: Reported in multiple QRadar Vulnerability Manager versions

It has been identified that QRadar Vulnerability Manager (QVM) scan tools that are launched within an operational window can continue to run beyond the end of the operational window.
27 February 2019
DEVICE SUPPORT MODULE (DSM) IJ13746 INCONSISTENT USER INTERFACE STATUS MESSAGES AND ISSUE WITH AUTO ACQUIRE CERTIFICATE USING THE OKTA RESTAPI PROTOCOL OPEN: Reported in QRadar 7.3.1 versions

It has been identified that inconsistent and confusing status messages can sometimes be generated when using the Okta RESTAPI Protocol, along with functionality issues with the Auto Acquire Certificate option in the user interface. Details:
  1. In some instances, a Log Source that should report an error stays in the Success state. The error message for an Okta Log Source is recorded in qradar.error but nothing appears in the User Interface (UI). When an error does appear for a Log Source in the UI, it can change from Error to Success within a few seconds (even when nothing is changed or refreshed for the Log Source).
  2. User interface status messages can be vague. For example: "Error communicating with remote Okta API resource". This general message can appear when a connection is dropped or rejected, when the proxy IP is wrong, or when the proxy host is wrong.
  3. When an error appears for any Log Source in the qradar.error log, the debug log for that Log Source displays the message "status changed from HEARTBEAT to HEARTBEAT" repeatedly. The message "Polling time has arrived. Will now try to execute quer(y|ies)" can also be observed, even though the Log Source should not be in HEARTBEAT once it has thrown the error.
  4. When an incorrect Okta IP or Hostname is set while configuring an Okta Log Source, an error message is generated in the qradar.error log (the error displayed depends on whether a proxy is used):
    - When using a proxy: nullpointerexception
    - When not using a proxy, the expected error message appears in the logs: "The Okta Remote IP or Hostname provided could not be reached."
  5. Proxy. Creating a Log Source with correct proxy information and then updating it with an incorrect proxy password: no error is thrown and events are received without issue.
  6. API. The user interface validates proxyServer, proxyUsername, and proxyPassword and restricts them to 255 characters, but the API has no such restriction for these parameters. Based on the sensorprotocolparameter definition, proxyPort is required but the proxy username is not, and proxyPassword is required but the proxy username is not. If the proxy port is required, the proxy IP should also be required; likewise, if the proxy password is required, the proxy username should also be required.
26 February 2019
EMAIL IJ13589 SETTING A LARGE 'MAX EMAIL ATTACHMENT SIZE' CAN PREVENT POSTFIX FROM STARTING OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Lower the "Max Email Attachment Size" limit in the QRadar User Interface: Admin tab > System Settings.

It has been identified that setting "Max Email Attachment Size" in the QRadar System Settings to a large number can prevent postfix from starting. Postfix has mailbox_size_limit and message_size_limit configuration properties, and this setting can push message_size_limit above mailbox_size_limit, which postfix treats as a fatal configuration error. Messages similar to the following might be visible in the maillog when this issue occurs:
fatal: main.cf configuration error:
mailbox_size_limit is smaller than message_size_limit
15 May 2019
AUTHENTICATION / LDAP IJ13588 LDAP GROUP BASED AUTHENTICATION: 'SORRY, AN ERROR OCCURRED' WHEN A SECURITY PROFILE OR USER ROLE HAS AN '&' IN THE NAME OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Change the name of the user role or security profile to use "and" instead of the '&' (ampersand) symbol.

It has been identified that when user roles or security profiles have an '&' (ampersand) in their name (e.g. R&D or Systems & Networking) and an attempt is made to configure LDAP-based authentication, those security profiles or user roles are not visible, nor are any that come after them in the list.
15 May 2019
HIGH AVAILABILITY (HA) IJ13486 REMOVE HA (HIGH AVAILABILITY) PROCESS CAN FAIL WHILE PERFORMING A PID CHECK ON THE HA_SETUP SCRIPT OPEN: Reported in QRadar 7.3.1 Patch 6 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that attempting to perform a Remove HA (High Availability) from within the QRadar User Interface can sometimes fail when performing a PID check on the ha_setup script. This has been observed when a Deploy function is in progress when the Remove HA is performed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1885552] ComponentOutput:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
ha_setup.sh: Jan 29 10:35:10: [HA Setup (S-M----)] [ERROR]
Another instance of the HA setup script is already running.
[hostcontext.hostcontext]
[xxxxx-xxxx-xxxx-xxx-xxxxxxx/SequentialEventDispatcher]
com.q1labs.configservices.controller.ServerHostStatusUpdater:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update
status of host 127.0.0.1 to REMOVED_FAILED
15 May 2019
SCAN / CENTRALIZED CREDENTIALS IJ13412 WARNING ICON DISPLAYED NEXT TO A SCAN RESULT WHEN SNMP COMMUNITY STRING IS DEFINED IN CENTRALIZED CREDENTIALS OPEN: Reported in QRadar 7.3.1 Patch 7 Workaround: Use the Additional Credentials tab rather than Centralized Credentials.

It has been identified that when an SNMP community string is used for scans via Centralized Credentials, an error (yellow warning triangle icon) is displayed next to the scan results. The results can differ from those obtained with the SNMP community string set in the Additional Credentials tab when creating a Scan Profile.
12 February 2019
HIGH AVAILABILITY (HA) IJ13410 HIGH AVAILABILITY SECONDARY APPLIANCE DEPLOY CAN FAIL WITH 'ANOTHER INSTANCE OF THE HA SETUP SCRIPT IS ALREADY RUNNING' OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions No workaround available.

It has been identified that when multiple deploys occur to a QRadar High Availability (HA) Secondary appliance (can sometimes happen with Autoupdate), a message similar to "Another instance of the HA setup script is already running. Skipping HA deploy operation." and a /opt/qradar/ha/.local_ha_failed token can be generated. When this situation occurs, the HA Secondary appliance can become unresponsive.
13 May 2019
SEARCH / GEOGRAPHIC DATA IJ13408 INCONSISTENT RESULTS FROM A SAVED SEARCH RUN AGAINST GEO DATA VS A REPORT RUN OFF THAT SAME SAVED SEARCH OPEN: Reported in QRadar 7.3.1 Patch 5 Interim Fix 01 No workaround available.

It has been identified that a Saved Search run against geo data returns less data than a Report run off that same Saved Search. Some of the data correlates between the Search results and the Report results, but some data entries are missing from the Search results.
12 February 2019
CUSTOM PROPERTIES IJ13320 CUSTOM PROPERTY DEFINITION WINDOW 'LOG SOURCE FILTER' CANNOT ACCESS/DISPLAY ANY LOG SOURCES OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when in the Custom Property Definition window and attempting to use the Select Log Source option from within Property Expression Definition, no Log Sources are displayed. For example:
  1. Open the Admin tab.
  2. Open the "Custom Event Properties" window, and select any CEP from within the window.
  3. Click on either the Edit or Add button.
  4. In "Custom Property Definition window" -> Property Expression Definition -> Select Log Source Type (eg. "Microsoft Windows Security Event Log" or "Universal DSM").
  5. No log sources are displayed.
  6. Put a Log Source name in "Log Source Filter". Same result, nothing is displayed.
28 May 2019
LICENSE IJ13319 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS OPEN: Reported in QRadar 7.2.8 and later versions No workaround available.

It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs. Note that the Global View (GV) number can vary in the log messages:
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO]
[NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message
suppressed 1 times in 300000 milliseconds
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR]
[NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve
data for GV_10023_HOURLY
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
java.lang.NullPointerException
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
at com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.jav
a)
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
at com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Stati
stics.java)
{hostname}[hostcontext.hostcontext]
[xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
at com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics
.java)
06 February 2019
UPGRADE / HIGH AVAILABILITY (HA) IJ13316 OFFENSE INDEXING ON A CUSTOM EVENT PROPERTY (CEP) THAT HAS A UTF 0X00 (NULL) VALUE CAN CAUSE OFFENSES TO STOP GENERATING OPEN: Reported in QRadar 7.3.1 Patch 1

It has been identified that Offense generation in QRadar can stop occurring when Offenses are indexed on a Custom Event Property (CEP) that has a UTF-8 0x00 (null) value. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]]
com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
[-/- -]Saving TX 0000035761 0.02MB
[ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]]
com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
[-/- -]Harvested 34 commands in 0:00:00.174
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
[-/- -]Processing TX 0000035761 (1/1) 0.02MB
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
com.q1labs.sem.magi.contrib.ModelPersister: [WARN]
[-/- -]Exception encounted when executing transaction 35761.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
com.q1labs.sem.magi.contrib.PersistenceException: Failed to
persist sem model
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] Caused by:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
org.postgresql.util.PSQLException: ERROR: invalid byte sequence
for encoding "UTF8": 0x00

Workaround:
  • Identify the rule that was triggered at the time the error log above (Problem Description) was generated.
  • Modify it to Index on a standard property instead of a CEP or modify the CEP so that it is not capturing null values.
A soft clean sim can be performed after the above modifications have been made for Offense generation to be corrected: Admin -> Advanced -> Clean SIM model -> Soft Clean
*NOTE: Performing a Soft Clean: Closes all offenses, but does not remove them from the system.
20 March 2019
QUICK FILTER / QVM IJ13234 QUICK SEARCH MENU BAR IN QRADAR VULNERABILITY MANAGEMENT (QVM) WINDOW DOES NOT EXIST FOR QRADAR LDAP USERS OPEN: Reported in QRadar 7.3.1 Patch 6

Workaround:
  • Use a QRadar created user instead of an LDAP one.
    or
  • Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the Quick Search menu does not exist in the Vulnerability Management windows of the QRadar User Interface for users created from LDAP authentication.
11 February 2019
UPGRADE / HIGH AVAILABILITY (HA) IJ12889 UPGRADE OF SECONDARY EVENT COLLECTOR CAN FAIL DUE TO PATCH_TEST_QRADAR AND PATCH_TEST_FUSIONVM OPEN: Reported in QRadar 7.3.1 Patch 1 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a QRadar upgrade can sometimes fail on a Secondary Event Collector when the patch_test_qradar and/or patch_test_fusionvm database fails to start, and subsequent attempts fail because the database already exists. Messages similar to the following might be visible in the patches.log file when this issue occurs:
2018:[DEBUG](s-ni-patchmode) isStoreMounted - yes, returning 1
2018:[DEBUG](s-ni-patchmode) Executing 'CREATE DATABASE
patch_test_qradar WITH TEMPLATE qradar OWNER qradar;' in root
single user mode for QRadar database.
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) read only line from
/store/postgres/data/postgresql.conf:
default_transaction_read_only = true
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) Running: "/bin/cp -f
/store/postgres/data/postgresql.conf
/store/postgres/data/postgresql.conf.bak"
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) Running: "sed -i
's/\s*\#*\s*default_transaction_read_only\s*=.*/default_transact
ion_read_only = false/g' /store/postgres/data/postgresql.conf"
Dec  6 14:03:24 2018: [DEBUG](s-ni-patchmode) Running SQL:
echo 'CREATE DATABASEpatch_test_qradar WITH TEMPLATE qradar
OWNER qradar;' | exec su postgres -c "/usr/pgsql-9.6/bin//postgres
 --single -O -D /store/postgres/data "
Dec  6 14:03:24 2018:
[WARN](s-ni-patchmode) ERROR: database "patch_test_qradar"
already exists
Dec  6 14:03:24 2018: [WARN](s-ni-patchmode) STATEMENT:
CREATE DATABASE patch_test_qradar WITH TEMPLATE qradar OWNER qradar;
20 March 2019
REPORTS IJ12888 REPORTS FAIL TO GENERATE AFTER A CONSOLE MIGRATION HAS BEEN PERFORMED CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that after a console migration, Reports can sometimes fail to generate with an error message similar to the following in /var/log/qradar.log:
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [ERROR][-/- -]"Lock to templates
folder is acquired by another process, skipping templates reload."
28 January 2019
RULE RESPONSE LIMITER IJ12546 ANOMALY DETECTION THRESHOLD RULES SOMETIMES ARE NOT RESPECTING THE SETTINGS CONFIGURED FOR THE RULE RESPONSE LIMITER OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that when an Anomaly Detection (ADE) rule is configured to dispatch an event AND have the dispatched event generate an offense, the responseLimiterHostType uses the offensetype instead of attacker or target, causing offensemappertype to be null. This behavior results in any Response Limiter settings to not be respected. When an ADE rule is configured to dispatch an event only (without generating an offense), the Response Limiter works as expected.
28 January 2019
RULES IJ12545 "BB:CATEGORYDEFINITION: AUTHENTICATION FAILURES" IS SOMETIMES NOT DISPLAYED IN THE RULE WIZARD OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that in some instances, the building Block "BB:CategoryDefinition: Authentication Failures" is displayed in the list of available building blocks on the Rules page, but is not displayed as an available option in the QRadar Rules wizard.
28 January 2019
SYSTEM NOTIFICATIONS IJ13237 SAR SENTINEL THRESHOLD CROSSED SYSTEM NOTIFICATION FOR DROPPED PACKETS CAN BE CAUSED BY RHEL7 PACKET HANDLING/REPORTING OPEN: Reported in QRadar 7.3.1 versions Workaround: Disable "Dropped Receive Packets" notification from Admin -> Global System Notifications

It has been identified that messages similar to the following can sometimes be generated in QRadar due to RHEL7 packet drop reporting/handling methods:
[hostcontext.hostcontext] [Thread-255] com.q1labs.hostcontext.sar.SarSentinel: [WARN] [NOT:0150124100][127.0.0.1/- -] [-/- -]Dropped receive packets on interface eno1 has an average of 47.7 over the past 5 intervals, and has exceeded the configured threshold of 1.0. To resolve: If your system continues to exhibit this behavior, please contact Customer Support.
This has most often been observed in environments using bonded interfaces. For more information, see: https://access.redhat.com/solutions/2073223.
13 May 2019
OFFENSES IJ12521 SELECTING 'SHOW INACTIVE CATEGORIES' WHEN VIEWING OFFENSE 'BY CATEGORY' DISPLAYS RESULTS AS "NONE" OR "0" OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available. It has been identified that selecting 'Show Inactive Categories' in the Offense view 'By Category' displays either "None" or "0" for results. For example:
  1. Click the Offenses tab.
  2. Select By Category.
  3. Select Show Inactive Categories.

    Results
    What is displayed is either a value of "0" or "None".
28 January 2019
SERVICE / EVENT COLLECTORS IJ18032 EC CAN FAIL TO PROCESS/PARSE EVENTS AFTER PATCHING TO 7.3.2 P3 IF YOU HAVE PRE-EXISTING ROUTING RULES CONFIGURED CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that after patching to QRadar 7.3.2 Patch 3, events received by QRadar collector appliances can fail to be processed/parsed when an event forwarder or routing rule has been configured in QRadar. In these instances, the events are successfully received by the collector in the ecs-ec-ingress process, but are not sent to the ecs-ec process for parsing.

IMPORTANT UPDATE TO IJ18032
  1. It is advised that administrators who leverage Event Collector appliances (15xx) and routing rules wait for QRadar 7.3.2 Patch 4 (now released) as described in the QRadar Support Flash Notice.
  2. Administrators who have Event Collectors in their deployment with routing rules and who have upgraded to QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) can contact Support for a hot fix to this issue.

The threadtop command can be run from the command line prompt on a QRadar Event Collector appliance:
/opt/qradar/support/threadTop.sh -p 7777 -e "ECS Runtime" -s -n 20
The following output from the threadtop command identifies that the QRadar Event Collector appliance is affected:
System Time: 31/07/2019 at 14:49:55.637
“ECS Runtime Thread” Id=67 in TIMED_WAITING (running in native)
at java.lang.Thread.sleep(Native Method)
at java.lang.Thread.sleep(Thread.java:942)
at com.q1labs.core.shared.ariel.ArielSearchLite.waitForArielClient(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.setQueryFilter(SelectiveForwardingSetCache.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.loadSearchForm(SelectiveForwardingSetCache.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.initializeSetCache(SelectiveForwardingSetCache.java)
   - locked java.lang.Object@35323b09
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.onInit(SelectiveForwardingSetCache.java)
at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java)
at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java)
   - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c
at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.getInstance(SelectiveForwardingSetCache.java)
   - locked java.lang.Object@d1bed3f
at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicator.onInit(SelectiveForwardingCommunicator.java)
at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java)
at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java)
   - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c
at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java)
31 July 2019
RULES IJ17939 RULE TEST 'WHEN ANY OF THESE EVENT PROPERTIES ARE CONTAINED IN ANY OF THESE REFERENCE SET(S)' CAN PRODUCE FALSE POSITIVE/NEGATIVE CLOSED Closed as suggestion for future release.

It has been identified that QRadar does not enforce proper validation for the 'when any of these event properties are contained in any of these reference set(s)' Custom Rule Engine (CRE) test. This issue can cause false positive or negative rule results.

Validation fields:
- Custom Properties can include: alphanumeric, numeric, IP, ports, or DateTime values
- Reference sets can include alphanumeric, case insensitive alpha numeric, numeric, IP, or ports

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.semsources.cre.CustomRule: [ERROR][127.0.0.1/- -] Exception in test: Failed to test
[ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.jstl.base.exceptions.TestFailedException: Failed to test
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.gen.TestExecutor_1_6.test(TestExecutor_1_6.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: CUSTOM_PROPERTY_VALUE
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.parseIPAddress(Host.java:207)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.fromString(Host.java:56)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.types.HostKeySerializer.keyFromString(HostKeySerializer.java:52)
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: java.lang.NumberFormatException: For input string: "CUSTOM_PROPERTY_VALUE"
[ecs-ep.ecs-ep] [CRE Processor [5]] at java.lang.NumberFormatException.forInputString(NumberFormatException.java)
30 July 2019
CHECK POINT SMS HTTPS ADAPTER IJ16155 CHECK POINT HTTPS ADAPTER DOES NOT CLOSE THE API SESSION AFTER A BACKUP COMPLETES CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the Check Point HTTPS adapter does not close the API session after a backup. When this occurs, sessions persist in the Check Point Smart Console user interface Sessions screen.
15 May 2019
CHECK POINT SMS HTTPS ADAPTER IJ13247 CHECK POINT HTTPS DEVICE CAN FAIL TO BACKUP WHEN INTERFACES HAVE NO IP ADDRESS CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Check Point HTTPS device backup fails if the device has interfaces without an IP address. The Device Backup log will contain the error message:
Error backing up device [Failed to parse interfaces for device [null]
FAILED : Failed to backup device

The Backup Error Detail will contain the error message:
Status:PARSE_WARNING
11 February 2019
F5 BIG-IP ADAPTER IJ10820 RISK MANAGER BACKUP FAILS FOR F5 ADAPTER WHEN THERE IS A LARGE LIST OF HOTFIXES CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the backup function for an F5 adapter can fail when there is a large list of hotfixes and a subsequent timeout occurs:
2018-10-24 15:07:19 [ZipTie::SSH] ERROR: UNEXPECTED_RESPONSE encountered on the device '127.0.0.1'
2018-10-24 15:07:19 [ZipTie::SSH] [RESPONSE FROM THE DEVICE]
2018-10-24 15:07:19 [ZipTie::SSH] Timed-out after 300 seconds (Started waiting at: Wed Oct 24 15:02:16 2018 -- Ended waiting at: Wed Oct 24 15:07:17 2018 -- Command took 301 seconds) while waiting to match the regular expression '\@\(xxxxxxxxxxx\)\(cfg\-sync\ Standalone\)\(Active\)\(\/Common\)\(tmos\)\#'.
31 October 2018
JUNIPER JUNOS ADAPTER IJ12258 JUNIPER JUNOS BACKUP FAILS WHEN USING BORDER GATEWAY PROTOCOL (BGP) CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Juniper JUNOS device backup can time out if the device uses Border Gateway Protocol (BGP) and a large number of BGP routes are present.
21 December 2018
CISCO IOS ADAPTER IJ10888 BACKUP OF AN IOS DEVICE CAN FAIL WITH 'JAVA.LANG.EXCEPTION: NOT A HASH REFERENCE...' ERROR CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the backup of an IOS device can fail with a "java.lang.Exception: Not a HASH reference at Parsers.pm line " error. Messages similar to the following might be visible in QRadar logs:
java.lang.Exception: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
31 October 2018
CISCO IOS ADAPTER IJ15701 BACKUP OF CISCO IOS DEVICE CAN FAIL WITH ERROR: "CAN'T USE STRING ("0") AS AN ARRAY REF WHILE 'STRICT REFS' IN USE" CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that backup of Cisco IOS devices can fail with an error message: Can't use string ("0") as an ARRAY ref while "strict refs". This occurs when a NAT source list references an Access Control List that does not exist. For example:
java.lang.Exception: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236
25 April 2019
CISCO IOS ADAPTER IJ15703 CISCO IOS DEVICE BACKUP CAN TIMEOUT WHEN THE DEVICE USES BGP AND A LARGE NUMBER OF BGP ROUTES ARE PRESENT CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Cisco IOS device backup can time out if the device uses BGP and a large number of BGP routes are present.
25 April 2019
CHECK POINT SMS HTTPS ADAPTER IJ15495 BACKUP OF CHECK POINT HTTPS DEVICE CAN FAIL WITH MESSAGE 'CAN'T USE AN UNDEFINED VALUE AS AN ARRAY REFERENCE' CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Check Point HTTPS device backup can fail with an error similar to:
java.lang.Exception: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java)
at com.sun.proxy.$Proxy83.backup(Unknown Source)
at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java)
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
16 April 2019
CHECK POINT SMS HTTPS ADAPTER IJ13701 CHECK POINT CLUSTERXL DEVICE IS UNABLE TO BACKUP SUCCESSFULLY WHEN IT HAS NO CLUSTER IP CONFIGURED CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified in QRadar Risk Manager that a Check Point ClusterXL device discovered from Check Point SMS with the Check Point HTTPS adapter fails to back up when running against a cluster IP that is not assigned to a valid interface.
21 February 2019
JUNIPER JUNOS ADAPTER IJ10745 JUNOS DEVICES WITH DHCP CONFIGURED DO NOT SUCCESSFULLY MERGE INTO THE RISK MANAGER TOPOLOGY CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that Juniper JUNOS devices with DHCP configured interfaces do not merge into the Risk Manager topology successfully. When this occurs the logs contain "PARSE_WARNING / No interfaces with assigned IP addresses were found".
24 October 2018
CHECK POINT SMS HTTPS ADAPTER IJ13703 CHECK POINT HTTPS ADAPTER UNABLE TO BACKUP A DEVICE WITHOUT SUPER USER PERMISSIONS CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

Workaround: Assign the user to the Super User permissions profile to complete a device configuration backup.

It has been identified that the Check Point HTTPS adapter in QRadar Risk Manager will fail to backup a device if the SMS is running R80.10 or greater and the user's permissions profile is not Super User.
27 February 2019
SEARCH IJ07013 COMPLETED SCANS OF ASSETS WITHIN QRADAR CAN AFFECT QRADAR'S SEARCH RESULTS OF THOSE ASSETS OPEN: Reported in multiple QRadar versions No workaround available. It has been identified that after assets have been scanned, subsequent searches of those assets can return incorrect/unexpected results.

Pre-conditions
A discovery, full, patch and web scan have been run against the same target (asset) and the Assets tab has been populated.

Example of steps that replicate this issue
  1. Navigate to the Assets tab.
  2. Click Search > New Search.
  3. Select 'Assets With Operating Systems', 'Does not equal' and input the OS of the target (e.g. Windows 7).
  4. Click Add Filter.
  5. Click Search.

Results
  • Expected: No Windows 7 Assets should be returned.
  • Actual: Windows 7 results are returned in the search.
12 June 2018
ADVANCED SEARCH (AQL) IJ16182 AN ADVANCED SEARCH (AQL) CONTAINING 'LOGSOURCETYPENAME' CALLED ON AN INVALID LOGSOURCEID CREATES REPEATED LOGGING ERRORS CLOSED Workaround: Function accepts the devicetype as a parameter, so use LOGSOURCETYPENAME(devicetype) in your AQL query.

NOTE: This APAR has been flagged as closed/cancelled as there is a workaround to resolve this issue.

It has been identified that if an Advanced Search (AQL) uses the function LOGSOURCETYPENAME() and calls on an invalid parameter (logsourceid) it should return "{unknown:no sensor device type xxxx}" instead of throwing an error for each event. For example:
"SELECT UTF8(payload) as RawLog FROM events WHERE LOGSOURCETYPENAME(logsourceid) IMATCHES 'Cisco adaptive security appliance.*?' LAST 3 DAYS"

Repeated errors for "Error fetching name of sensor device type for id XXX" are logged in /var/log/qradar.error and qradar.log. This behavior can potentially cause /var/log to be filled quickly.
16 May 2019
USER INTERFACE / AUTO UPDATE IJ15646 QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE DUE TO A SERVICE PASSWORD AUTHENTICATION FAILURE OPEN: Reported as an issue in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the QRadar User Interface can sometimes become unresponsive after an auto update has completed. Messages similar to the following might be visible in the Tomcat catalina logs when this issue occurs:
SEVERE [localhost-startStop-1] org.apache.tomcat.util.digester.Digester.startElement
Begin event threw exception java.lang.reflect.InvocationTargetException
Caused by: java.lang.ExceptionInInitializerError
at com.ibm.si.mks.MasterKeyStore$MasterKeyStoreHolder.(MasterKeyStore.java:34)
Caused by: com.ibm.si.mks.KeyStoreException: Failed to initialize keystore
13 May 2019
QRADAR DEPLOYMENT INTELLIGENCE (QDI) IJ15357 QDI APP CAN REPORT INCORRECT STATE OF QVM SCANNERS OPEN: Reported as an issue in QRadar 7.3.1 versions No workaround available.

It has been identified that in some instances, the QRadar Deployment Intelligence (QDI) App can report the incorrect state of QRadar Vulnerability Manager (QVM) Scanners.
15 April 2019
DEVICE BACKUP / RISK MANAGER IJ15260 RISK MANAGER CAN STALL/HANG ON THE BACKUP OF A DEVICE WITH A FIREWALL_DEVICE_CONFIG THAT HAS A HIGH ROW COUNT CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that performing a QRadar Risk Manager (QRM) backup on devices with a very high row count in firewall_device_config can cause QRM to stall/hang.
05 April 2019
ASSETS IJ15248 'TECHNICAL OWNER' AND 'TECHNICAL USER' FIELDS ARE NOT POPULATED IN THE ASSET SUMMARY IN SOME INSTANCES OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the 'Technical Owner' and 'Technical User' fields are not populated in the Asset Summary when the Saved Search option is used in the Vulnerability Assignment tab. For example:
  1. Assets tab, with assets populated.
  2. Search -> New Search -> select "Search Parameters" Asset ID Equals one asset (e.g. 1003) -> Search.
  3. Save Criteria -> Enter the name of this search "Search1", check "include in my Quick Searches", DO NOT check "share with everyone" -> OK.
  4. Search -> New Search -> select "Search Parameters" Asset ID Equals one asset (e.g. 1004) -> Search.
  5. Save Criteria -> Enter the name of this search "Search2", check BOTH "include in my Quick Searches" and "share with everyone" -> OK.
  6. Vulnerabilities tab -> Vulnerability Assignment.
  7. Add -> Enter Name (e.g. Vuln1) and Email (valid email address), check "Asset Search" and select "Search1" in the Asset Search drop down menu -> Save.
  8. Add -> Enter Name (e.g. Vuln2) and Email (valid email address), check "Asset Search" and select "Search2" in the Asset Search drop down menu -> Save.
  9. Schedule -> update owner information every 1 hour -> Update Now -> Save.

Results
  1. Click Asset 1003 -> 'Technical Owner' and 'Technical User' are NOT populated in the asset summary.
  2. Click Asset 1004 -> 'Technical Owner' and 'Technical User' are populated in the asset summary.
05 April 2019
DEPLOYMENT VIEW IJ15210 QRADAR NETWORK INSIGHTS COMPONENTS CAN BE MISSING CONNECTION ARROWS TO ITS FLOW PROCESSOR COMPONENT OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that when viewing QRadar Network Insights (QNI) appliance in the Deployment View, the connection arrow is missing from the QNI appliance to the corresponding Flow Processor.
15 May 2019
OPERATIONS APP IJ14479 OPERATIONS APP ERROR "FAILED TO LOAD THE FOLLOWING DATA" FOR EVENT AND FLOW GRAPH OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that in some instances the Event and Flow graph can display an error similar to: "Failed to load the following data EPS". Subsequent attempts to reload the data on the graph area can sometimes correct this issue.
15 May 2019
SMB FLOW INSPECTOR IJ13359 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY SMB INSPECTOR OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the SMB inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
28 May 2019
HTTP FLOW INSPECTOR IJ13358 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY HTTP INSPECTOR OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the HTTP inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
28 May 2019
LICENSE IJ13317 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs. Note that the GV number can vary between log instances:
{hostname}[hostcontext.hostcontext][xxx-xxx-xxx-xxx/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO][-/- -]Following message suppressed 1 times in 300000 milliseconds
{hostname}[hostcontext.hostcontext][xxx-xxx-xxx-xxx/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR][-/- -]Cannot retrieve data for GV_10023_HOURLY {hostname}
02 May 2019
SEARCH / USER INTERFACE IJ13245 UNABLE TO SAVE A SEARCH AFTER TRIED WITH BLANK IN NAME FIELD ON THE LOG ACTIVITY PAGE OPEN: Reported as an issue in QRadar 7.3.2 Workaround: Close the dialog box and click on "Save Criteria" again.

It has been identified that the ability to save a search with a name is not immediately possible if the "Save" button has been clicked with a blank name field first. For example:
  1. Go to the Log Activity tab.
  2. Select last 5 minutes search and click save criteria, do not input any name.
  3. A message "Please enter a name for the saved search" appears. However, it is not possible to save because the Save button has been disabled and replaced with a Saving button in the user interface.
02 May 2019
AUDIT EVENTS IJ13147 NOT ALL APPLIANCE LOGIN ATTEMPTS ARE LOGGED/AUDITED THE SAME WAY WITHIN QRADAR OPEN: Reported as an issue in QRadar 7.3.1 Patch 5 Not all login attempts (success or failure) to a QRadar appliance are logged the same way in the QRadar User Interface when logging in using SSH or the IMM. For example:

  1. Attempt a successful login using SSH. You see the login in the secure log and you get a "User Login" event in the UI.
  2. Attempt a failed login using SSH. You see a "Failed Login Attempt" event in the UI.
  3. Attempt a successful login using the IMM. You see the login attempt and you get a "User Login" event in the UI.
  4. Attempt a failed login using the IMM. You see the failed attempt in the secure log, but you do not get an event in the UI.
13 May 2019
UPGRADE / X-FORCE DATA IJ13125 XFORCE PROXY SETTINGS ARE NOT RETAINED DURING QRADAR PATCHING OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 If X-Force feeds cannot update successfully after applying a QRadar patch when proxy settings are required, verify the RemoteProxy settings are still present in your ssl.conf file: QRadar X-Force FAQ: How to Configure X-Force Feeds with Proxy Servers.

It has been identified that X-Force proxy settings configured in QRadar are sometimes not preserved after applying a QRadar patch.
31 January 2019
ACCESS / AD AUTHENTICATION IJ17937 LOGIN ACCESS TO QRADAR CAN BE RESTRICTED FROM LDAP/AD ENVIRONMENTS DUE TO DIFFERENCES IN DOMAIN REALMS CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

To work around this authentication issue, administrators can open the Admin tab, click the Authentication icon and edit the Domain input field in the Active Directory Authentication Module to use upper case letters.

It has been identified that LDAP user authentication for logging in to QRadar can fail after updating to QRadar 7.3.2 Patch 3 due to changes in how QRadar handles AD authentication when the domain name of QRadar does not match the domain name of the Active Directory (AD) server. This login issue can occur when realms other than the domain of the QRadar host are configured. The Key Distribution Center (KDC) in QRadar complains that the client name does not match. This can occur when more than one entry exists in the [realms] section of the /opt/qradar/conf/kb5.conf file.
30 July 2019
LOG MESSAGES IJ12221 ARIELUTILS.JAVA REPEATEDLY WRITING UNNECESSARILY TO LOG FILES IN /VAR/LOG/ CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
This logging can be disabled by running mod_log4j.pl over SSH on the Console:
  1. Run /opt/qradar/support/mod_log4j.pl
  2. Enter 3 for Advanced Menu
  3. Enter 2 for 'Add a new logger'
  4. Paste the class path: com.q1labs.core.shared.ariel.ArielUtils
  5. Enter 4 for 'OFF'
  6. Enter * for 'All of the above'
  7. Press Enter
  8. Type CQ for 'Commit changes and quit this program'

Issue
It has been identified that ArielUtils.java can repeatedly write unnecessary messages to /var/log/qradar.error and qradar.log, similar to the following:
[ecs-ep.ecs-ep][xxxxxxx-xxxx/SequentialEventDispatcher] com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException:
No property 'Account Locked Out Security ID' exists in set:
ACF2 rule key
APIContextPath
APIMethod...
09 January 2019
DEPLOY CHANGES IJ15655 DEPLOY FUNCTION CAN TIMEOUT WHEN OLDER .JAR FILES ARE BEING CLEANED UP IN SOME DIRECTORIES CLOSED This issue was addressed in the following JDBC RPM Releases:
  • PROTOCOL-JDBC-7.2-20190411081232.noarch.rpm
  • PROTOCOL-JDBC-7.3-20190411121241.noarch.rpm

It has been identified that in some instances, older .jar files left behind in some QRadar appliance directories can still be referenced. When cleanup of these old jars occurs, the Deploy function can sometimes time out. To resolve this issue, QRadar administrators can run an auto update from Admin > Auto Update > Get updates now, or review the latest available versions on IBM Fix Central and install them on the QRadar Console using yum -y install {rpmname}.
09 January 2019
USER INTERFACE / RULES IJ12219 "PARSE ERROR ...SYNTAXERROR: UNDETERMINED STRING LITERAL" WHEN LOADING RULE GROUPS IN THE LOG ACTIVITY TAB OPEN: Reported in QRadar 7.3.0 Patch 6 and later No workaround available.

It has been identified that on the Log Activity tab, adding the filter 'Custom Rule equals a rule group' can cause a parse error in the user interface, and a message similar to the following can sometimes be generated:
Parse Error
The following error occurred while parsing the server response: {0}
SyntaxError: unterminated string literal
09 January 2019
DEVICE SUPPORT MODULE (DSM) IJ12129 EVENTID=4776 DOES NOT UPDATE THE CORRECT ASSET WITH THE IDENTITY INFORMATION CONTAINED IN THE EVENT OPEN: Reported in QRadar 7.3.1 versions It has been identified that the Windows DSM with Windows EventID=4776 does not update the correct Asset with the identity information contained within the event. OriginatingComputer is being used instead of the Source Workstation. Using the OriginatingComputer data to populate the Asset is incorrect as the Source Workstation's usernames associated with that Asset need to be updated.

Workaround
  1. Run an update from Admin tab > Auto Update > Get updates now or manually update DSM-MicrosoftWindows RPM to the latest version from IBM Fix Central.
  2. On each QRadar managed host, add disableOriginatingComputerIdentity=true to /opt/qradar/conf/WindowsAuthServer.properties and then restart ecs-ec to load the properties file. Administrators must complete this procedure on each host in the deployment that collects Windows events.
13 May 2019
DISK SPACE / HA SECONDARY IJ11396 THE / PARTITION ON A HIGH AVAILABILITY (HA) SECONDARY APPLIANCE CAN HAVE RESIDUAL DOCKER FILES CAUSING DISK SPACE ISSUES OPEN: Reported in QRadar 7.3.0 and QRadar 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after performing an upgrade to 7.3.x, the / partition on a High Availability (HA) Secondary appliance can retain old docker files in the store directory, using multiple GB of space on the / partition. This can sometimes cause the disk usage threshold to be exceeded on the appliance. An outage on failover to the Secondary can occur if disk usage exceeds the threshold of 95%.
31 December 2018
QRADAR RISK MANAGER (QRM) IV93144 QRADAR RISK MANAGER DEVICE BACKUPS CAN FAIL WHEN THERE IS AN EMPTY VALUE IN A PROTOCOL CONFIGURATION ADDRESS SET OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

Workaround: Remove the empty value from the address set.
30 November 2018
ASSETS IJ09055 INCORRECT RESULTS DISPLAYED WHEN ADDING THE ASSET FILTER "OPEN SERVICE 'DOES NOT EQUAL' " OPEN: Reported in QRadar 7.2.8 and later No workaround available.

It has been identified that incorrect results are displayed when applying the 'Assets with open service': 'Does not equal' filter value from the Assets tab.

Expected behavior
  1. The 'Does not Equal' to comparison for Assets with open service should return correct values.
  2. The 'Does not Equal to any of' comparison for Assets with open service should return correct values.
Actual behavior
The 'Does not Equal to' comparison for Assets with open services does not return the values that are outside the filter parameter.
16 October 2018
BACKUP / RECOVERY IJ07678 AUTHENTICATION TOKENS CAN STOP WORKING AS EXPECTED AFTER A USERS CONFIG RESTORE HAS BEEN COMPLETED OPEN: Reported in QRadar 7.2.8 and later Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after performing a QRadar 'users configuration' config restore, some managed hosts and/or Apps with authentication or services that use authentication tokens can stop working as expected. For example, Deploys fail to some Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log during a configuration restore when this issue occurs:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Completed extraction of files
[hostcontext.hostcontext] [BackupServices_restore]
com.q1labs.hostcontext.backup.BackupRecoveryEngine:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable read user session file
19 July 2018
QRADAR RISK MANAGER / BACKUPS IJ07676 NIGHTLY BACKUP OF RISK MANAGER DATABASE CAN CAUSE /TMP PARTITION TO RUN OUT OF FREE SPACE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that the nightly backup of the QRadar Risk Manager (QRM) database can sometimes cause the /tmp partition to run low on available free space. When this occurs, disk utilization System Notifications are generated within QRadar and the backup of the Risk Manager database can fail.
18 July 2018
DEVICE SUPPORT MODULE (DSM) IJ07034 CISCO FIRESIGHT MANAGEMENT CENTER LOG SOURCES CAN SHOW IN ERROR STATE WHILE WORKING AS EXPECTED OPEN: Reported in QRadar 7.3.0 Patch 5 and later No workaround available.

It has been identified that Cisco FireSIGHT Management Center log sources can sometimes display in error state while they are working as expected. There is an issue with clearing the error state of log sources that are using the CiscoFirepowerEstreamer protocol. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.connection.EstreamerExtendedRequestConnection: [ERROR] null
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.exception.EstreamerVersionSupportException
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.RNADataBlockFactory.createDataBlock(RNADataBlockFactory.java:38)
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.UserAddScanResultRecord.read(UserAddScanResultRecord.java:25)
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.IRNADataBlock: [ERROR] [127.0.0.1/- -] Encountered an Access Control Policy Rule ID Metadata Block (data block type: 15) with an empty body
22 June 2018
ADVANCED SEARCH (AQL) IJ06594 'SOURCEASSETNAME' ATTEMPTS TO USE A DEPRECATED ARIEL FUNCTION OPEN: Reported in QRadar 7.3.0 Patch 5 and later It has been identified that the "Source Asset Name" property used within QRadar attempts to use a deprecated ariel function and fails upon its use. An Advanced Search (AQL) query that uses sourceAssetName(ip) returns the error message No function matches the given name: 'sourceassetname' in catalog 'events' when trying to run this query:
select sourceAssetName(sourceIP) from events

Workaround: From the example above, the advanced query should be modified to be: 'assetHostName(sourceIP)'.

For example:
select assetHostName(sourceIP) from events
24 May 2018
SYSTEM NOTIFICATIONS / NETWORK ADDRESS TRANSLATION (NAT) IV96407 SYSTEM NOTIFICATION 'PROCESS MONITOR: APPLICATION HAS FAILED TO START UP MULTIPLE TIMES' AFTER REMOVING NAT FROM MANAGED HOST OPEN Contact Support for a possible workaround that might address this issue in some instances.

After removing NAT from an encrypted Managed Host, QRadar System Notifications might be generated that a process could not start. The message is similar to "Process Monitor: Application has failed to start up multiple times." The process being referenced is a tunnel pointing to the old NAT IP address.

NOTE: The QRadar identifier (QID) for the 'Process Monitor Application has failed' system notification is 38750043. Users or administrators can search for this QID to quickly locate a history of these notifications in QRadar and view the RAW payloads to see what process is reported.
02 July 2019
OFFENSES / ASSET USERNAME IJ01985 SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED OPEN No workaround available.

It has been identified that in some instances, residual identity data associated to an Asset can be left in the QRadar database after the Asset is updated. When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses.

An example of this issue:
View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username, that username does not necessarily correlate to the offense detected; it is based on what is known about the asset.

This displayed information does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, on the right choose Event/Flow count -> X events; the pop-up that opens displays the captured details.
23 March 2018
DASHBOARD IJ17814 'BLOCKING DOES NOT RESOLVE TO A SAVED SEARCH OR A KNOWN ARIEL QUERY HANDLE (AS EXPECTED)' MESSAGES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.1 Patch 6 and later No workaround available.

It has been identified that when a User Interface dashboard loads with a graph item configured with the Time Range as "Last Interval (auto refresh)", messages similar to the following are generated in QRadar logging (/var/log/qradar.log and /var/log/qradar.error):
[tomcat.tomcat] [admin@127.0.0.1 (5771) /console/JSON-RPC/QRadar.updateResultsetGraphWidget QRadar.updateResultsetGraphWidget] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId b4e2994e-8c2a-4c77-81e7-ecd143737c28-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected).
[tomcat.tomcat] [127.0.0.1admin@127.0.0.1 (5775) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId 2963d217-dd34-4427-bf0a-ddc69ce9da6a-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected).
24 July 2019
HIGH AVAILABILITY (HA) IJ00711 HA DOES ITS OWN LOG ROTATION OUTSIDE OF THE OPERATING SYSTEM LOG ROTATION PROCESS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

In an HA environment, if a deploy is happening and the log file /var/log/qradar-ha.log is larger than 10 MB then the deploy process will cause a log rotation outside of the Operating system internal log rotation process. This results in the creation of /var/log/qradar-ha.log.2, which may be truncated during successive deploys. The normal log rotation process would rotate the file qradar-ha.log into the /var/log/qradar.old directory.
21 November 2017
TCP SYSLOG IJ02453 INCREASING 'MAX NUMBER OF TCP SYSLOG CONNECTIONS' CAN CAUSE APPLIANCE ECS SERVICE TO FAIL WITH 'TOO MANY OPEN FILES' CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that increasing the 'Max Number of TCP Syslog Connections' (located in QRadar Admin tab -> System Settings) from the default of 2500 can lead to the ecs service reporting 'Too many open files', after which the ecs (collection) service fails. Messages similar to the following might be visible when this issue occurs:

[ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.semsources.filters.stat.StatFilter:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]LastEventSeenProcessor encountered an error when attempting to update 8141 entries. Last event seen info will be stale until this issue is resolved.
Reason: /opt/qradar/conf/host.token (Too many open files)
13 December 2017
HIGH AVAILABILITY (HA) IV92230 QRADAR PATCHING PROCESS CAN STALL/HANG AT MESSAGE 'WAITING FOR HA SETUP SCRIPT TO FINISH' CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some customer environments that the QRadar patching process can stall/hang indefinitely while waiting for the HA setup script to complete. This can sometimes result in having to kill the patch process manually. QRadar Support can assist in determining if this step is required for end users.

The message displayed on screen where the patching process can hang indefinitely is similar to:
Tue Dec  20 19:38:17 GMT 2016 [HA] Host is primary and is in the active state
Tue Dec  20 19:38:17 GMT 2016 [HA] Waiting for HA Setup script to finish...
12 January 2017
API IJ11169 QRADAR API SESSIONS ARE NOT AUTOMATICALLY BEING PURGED/DELETED FROM THE DATABASE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that QRadar API sessions are not automatically being deleted/purged from the database. This behavior has been observed to cause Tomcat process Out of Memory occurrences in some instances.
13 December 2018
OFFENSES IJ01150 SORTING IN 'MY OFFENSES' DOES NOT WORK AFTER A DEFAULT SEARCH IS SAVED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the default search in 'All Offenses'.

When you save a search in the 'All Offenses' view and set it to be the default, the sorting functionality in 'My Offenses' does not work.
04 December 2017
LOGIN / ACCESS IJ01871 UNABLE TO LOGIN TO THE QRADAR USER INTERFACE DUE TO PREVIOUS LOGIN SESSIONS NOT YET EXPIRED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some QRadar environments that a QRadar user is unable to log in to the User Interface. These particular instances have been identified as being caused by old login sessions that do not expire properly when "Unique User Account Login" is enabled in the QRadar User Interface -> Admin tab -> System Settings. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat] [@127.0.0.1(Session)] com.q1labs.core.shared.sessionmanager.SessionManager: [WARN][-/- -]User  attempted to authenticate from host 127.0.0.1 User  is already logged in from host 127.0.0.1 rejecting login.
10 January 2018
USER INTERFACE IV84706 QRADAR USER INTERFACE SESSIONS ARE BECOMING DISCONNECTED (SESSION TIMEOUT) UNEXPECTEDLY CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.0 Patch 6 (7.3.0.20171107151332)

It has been observed that QRadar User Interface sessions are becoming disconnected unexpectedly (session timeout).
14 August 2017
APPS IV96428 QRADAR APPS CAN INTERMITTENTLY FAIL TO RETURN DATA CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Reload the App's tab in the QRadar User Interface.

Due to an intermittent API session call failure, QRadar Apps can sometimes fail to load expected data into the App's tab.
14 August 2017
USER INTERFACE IV93169 QRADAR TOMCAT SERVICE OUT OF MEMORY AND/OR API SLOWNESS CAN SOMETIMES BE CAUSED BY SESSIONMANAGER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some instances that the QRadar API can experience slow responsiveness and/or the Tomcat service can go Out Of Memory. The QRadar User Interface is unavailable during a Tomcat Out Of Memory occurrence until the affected services recover. These particular instances have been identified as being associated with issues occurring in the QRadar SessionManager and are to be corrected in a future QRadar release.
31 March 2017
CUSTOM PROPERTIES / APPS IJ00775 INSTALLING A CONTENT PACK CONTAINING A CUSTOM PROPERTY WITH AN ALREADY EXISTING CEP CAUSES A FOREIGN KEY VIOLATION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Adding a QRadar Content Pack sometimes does not install Custom Properties if there is a name collision with a custom property already on the system. When this issue occurs the following exception can be displayed in the logs:
[tomcat.tomcat] [admin@localhost] com.q1labs.core.cmt.Content:
[ERROR] Chained SQL Exception [1/2]:
ERROR: insert or update on table "ariel_property_expression" violates
foreign key constraint "arielregexproperty_fkey"  Detail: Key (ap_id)=(Authorized_token)
is not present in table "ariel_regex_property".
{prepstmnt -868634278 insert into ariel_property_expression (ap_id,creationdate,
deviceid,qid,enabled,devicetypeid,capturegroup,regex,payload,
propertybase,rank,id,category,editdate,username) values( ?, ?, ?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}
10 April 2018
SYSTEM NOTIFICATIONS IJ06526 SAR SENTINEL NOTIFICATIONS MESSAGES 'AVERAGE TIME IN MS FOR I/O REQUESTS...' AFTER UPGRADING TO QRADAR 7.3.X CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: SAR Sentinel messages generated as detailed in the example below have been determined to be caused by code changes included within versions 7.3.X+ of QRadar and/or the underlying Operating System. SAR Sentinel messages of this form containing 'Average time in ms for I/O requests for device...' are deemed to be benign and can be safely ignored.

It has been identified that after upgrading to QRadar 7.3.X, an increased occurrence of QRadar 'SAR Sentinel' System Notifications referring to 'Average time in ms for I/O requests for device...' can sometimes be observed. Messages similar to the following can be visible in /var/log/qradar.log when this issue is occurring:
[hostcontext.hostcontext] [Thread-112] com.q1labs.hostcontext.sar.SarSentinel: [WARN] [-/- -] Average time in ms for I/O requests for device storerhel-store has an average of 2284.9 over the past 5 intervals, and has exceeded the configured threshold of 500.0. To resolve: If your system continues to exhibit this behavior, please contact Customer Support.
18 May 2018
HISTORICAL CORRELATION IV98246 HISTORICAL CORRELATION CAN SOMETIMES PRODUCE VARIED OFFENSE COUNT RESULTS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed that Historical Correlation can sometimes fail to correctly complete searches and return all offenses when a small amount of data is returned. The identical Historical Correlation profile can be run over the same time period against the same rule and produce different numbers of offenses.
10 August 2017
ROUTING RULES IJ12885 ARIEL_TAGGED_FIELDS, ALONG WITH AQL AND QRADAR NETWORK INSIGHTS (QNI) CUSTOM PROPERTIES CANNOT BE USED IN JSON FORWARDING PROFILES CLOSED Closed as suggestion. It has been identified that AQL custom properties (in domain management) along with ariel_tagged_fields and QNI custom properties cannot be used in JSON forwarding profiles.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases.
18 January 2019
HIGH AVAILABILITY IJ07737 HOURLY ERROR MESSAGE WRITTEN TO QRADAR.ERROR ON HIGH AVAILABILITY (HA) PRIMARY APPLIANCE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that an error message can sometimes be written hourly to the /var/log/qradar.error log file of a High Availability (HA) primary appliance. The error message lines that are written to the /var/log/qradar.log are similar to:
stderr: cat: /etc/siemctl/ecs-ec-ingress.needs_update: No such file and directory
java.lang.Exception: Failed to run /bin/bash
/opt/qradar/bin/run_command.sh /usr/bin/ssh -F
/opt/qradar/ha/ha_ssh_config -q -o ConnectTimeout=5  ssh  'cat /etc/siemctl/ecs-ec-ingress.needs_update'
11 July 2018
ROUTING RULES IV94377 EVENTS IN A TENANT DO NOT GET FORWARDED TO A FORWARDING DESTINATION CLOSED Closed as suggestion for future release.

It has been observed that attempting to configure events in a tenant to forward to a forwarding destination does not work. Steps that reproduce this behavior:

  1. Create a forwarding destination.
  2. Create Routing Rule and select Offline mode.
  3. Create a Tenant.
  4. Create a domain.
  5. Assign Tenant to the Domain.
  6. When configured, the affected events become stored in:
    '/store/ariel/events/records/aux/2017/...' directory instead of '/store/ariel/events/records/2017/...' and do not get forwarded.
19 July 2019
GEOGRAPHIC DATA IJ08973 THE AQL GEO::LOOKUP DOES NOT WORK AS EXPECTED WHEN MULTIPLE DOMAINS ARE CONFIGURED IN QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that the AQL GEO::LOOKUP function is unable to query the network hierarchy in a multi-tenant QRadar environment. This issue also causes QRadar Apps using this function to not work properly in regards to geolocation mapping to the Network Hierarchy when expected.
19 July 2019
FLOWS IJ12533 INCORRECT LABELS FOR FLOWS ON THE LICENSE POOL MANAGEMENT PAGE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that there are instances where the flow acronyms are incorrectly labelled on the QRadar License Pool Management user interface.
  • Allocated FPM: {value} is displayed correctly
  • Average FPM: {value} should be identified as Average FPS (flows per second)
  • Peak FPM: should be identified as FPS (flows per second)
09 January 2019
API IJ10837 QRADAR VULNERABILITY MANAGER: SAVED SEARCHES RUN WITH THE 'RISK' SEARCH PARAMETER USING THE QVM API CAN GENERATE AN 'EXCEPTION' MESSAGE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the 'Risk equals' search parameter from saved search.

It has been identified that when using the QVM APIs to run saved searches with the 'Risk equals' search parameter, results can fail to be returned and an 'EXCEPTION' is displayed under the status. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [pool-2-thread-5] com.q1labs.core.sql.queryframework.QueryFramework:
[ERROR] Chained SQL Exception [2/2]: ERROR: missing FROM-clause entry for table "vuln_business_data_mv" Position: 10725
[tomcat.tomcat] [pool-2-thread-5] com.q1labs.core.sql.queryframework.QueryFramework: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/--]QueryFramework.executeQuery(): Could not execute the above SQL statement.
[tomcat.tomcat] [pool-2-thread-5] org.apache.jpa.lib.jdbc.ReportingSQLException: ERROR: missing FROM-clause entry for table "vuln_business_data_mv"
31 October 2018
AQL / SHOW AQL BUTTON IJ14493 CONVERTING A SEARCH CRITERIA TO AQL USING "SHOW AQL" FUNCTIONALITY CAN GENERATE THE WRONG AQL IF A "PAYLOAD CONTAINS" FILTER EXISTS IN THE SEARCH CRITERIA CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the additional "AND" output from the SHOW AQL results and attempt to run the query again.

It has been identified that performing an AQL search that contains a filter based on payload generates incorrect output because an additional "AND" operator is unexpectedly added to the SHOW AQL output.

For example:
Performing an AQL search that works as expected, then adding a filter for "payload Contains" and using SHOW AQL from the user interface, adds an additional "AND" to the AQL search, causing incorrect results to be output.
15 March 2019
PERFORMANCE IJ12791 AN UNREACHABLE, MOUNTED NFS SHARE CAN CAUSE QRADAR TO BECOME UNRESPONSIVE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that if there is an NFS share mounted in QRadar and that NFS share becomes unreachable, the system load (observed by using the "top" command) continually grows higher. As the system load continues to grow, QRadar can eventually become unresponsive. During investigation of these scenarios, running "ps -ef" displays many instances of the command "df -TP".

Workaround
  1. Stop the df command using:
    killall df
  2. Either comment out the NFS share in /etc/fstab or restore connectivity to the remote file server.
  3. Contact Support if you require further assistance.
01 April 2019
VULNERABILITY SCAN IJ01153 QRADAR VULNERABILITY MANAGER: PERFORMANCE ISSUES RESULT IN SCANS BEING HELD 1 PERCENT COMPLETED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

As a result of a large scan a table within QVM can get backed up. This causes the QVM scan to get held up at a set percentage.
02 November 2017
BACKUPS IV90362 QRADAR DATA BACKUPS ON MANAGED HOSTS CAN FAIL IF COMMUNICATION TO THE CONSOLE IS UNAVAILABLE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

Data backups that are configured to run on QRadar Managed Hosts can fail when the backup process is unable to communicate to the QRadar Console for a required database write. Messages similar to the following might be visible in /var/log/qradar.log on the Managed Host when this issue is occurring:
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [127.0.0.1/- -] [-/- -] Cannot syncronize Console and managed host transaction (timeout):backup_,{UUID}
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR][127.0.0.1/- -] [-/- -]Unable to process backup
02 November 2017
EXTERNAL SCAN IV97671 QRADAR VULNERABILITY MANAGER: EXTERNAL SCAN DOES NOT CONTINUE PAST 1% COMPLETED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Scan jobs that use the IBM external scanner can fail to run or stop at 1% completed after the following has occurred in the QRadar deployment:
  1. A QVM scanner is added to, and then removed from, a managed host.
  2. The QVM processor is moved to the same managed host and the IBM external scanner is added.
  3. The IBM external scanner is selected within a scan profile.
03 July 2017
GEOGRAPHIC DATA IJ13502 SOURCE OR DESTINATION IP ADDRESS BEGINNING WITH 195.212.X.X CAN SOMETIMES DISPLAY AS 'NULL' IN THE QRADAR USER INTERFACE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that any event with a source IP beginning with 195.212.X.X does not show a country or region in the Log Activity "Source Geographic Country/Region" column.

For example:
  1. Navigate to the Log Activity tab.
  2. Go to Search -> New search -> add the Source Geographic Country/Region, Destination Geographic Country/Region and Geographic Continent columns -> search.
  3. Have known events that have IP 195.212.x.x as a source or destination IP.
  4. Observe that the Source Geographic Country/Region, Destination Geographic Country/Region and Geographic Continent columns display null.
16 May 2019
ERROR LOGS IJ14484 REPEATED 'CONTAINER@XXXXXXX.SERVICE FAILED' MESSAGES CAN BE OBSERVED IN /VAR/LOG/MESSAGES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that repeated messages similar to the following can sometimes be observed in /var/log/messages:
systemd[1]: Failed to load environment files: No such file or directory
systemd[1]: container@12143549859522470615.service failed to run
'start-pre' task: No such file or directory
systemd[1]: Failed to start Container created and managed by the conman service.
systemd[1]: Unit container@12143549859522470615.service entered failed state.
systemd[1]: container@12143549859522470615.service failed.
systemd[1]: Starting Container created and managed by the conman service...
systemd[1]: Failed to load environment files: No such file or directory
08 May 2019
AQL IJ15627 AQL CASE AND IF STATEMENTS WITH 'AND' / 'OR' KEYWORDS FAIL WITH 'GENERAL FAILURE. PLEASE TRY AGAIN' NULLPOINTEREXCEPTION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that Advanced Search (AQL) - CASE and IF statements with 'and' / 'or' keywords fail in QRadar 7.3.2. An error "General failure. Please try again. A java.lang.NullPointerException:null" is generated and messages similar to the following might be visible in /var/log/qradar.error:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50568] com.q1labs.ariel.ql.parser.Parser:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/--]java.lang.NullPointerException:null
16 May 2019
OFFENSES IJ12887 "APPLICATION ERROR" WHEN NAVIGATING TO AN OFFENSES "EVENT DETAILS" WHEN AQL FUNCTIONS USED IN ANOMALY RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Correct the AQL query to remove functions from the search before using it in an Anomaly rule.

It has been identified that when using an Anomaly Threshold Rule with an AQL search containing AQL functions, an "Application Error" can sometimes occur when navigating to an associated Offense's "Event Details" window in the QRadar User Interface if the AQL query fails to parse correctly. A message similar to the following is visible in the QRadar UI:
"An error has occured. Return and attempt the action again. If the problem persists, please contact customer support for assistance"
28 January 2019
NETWORK ACTIVITY / FLOWS IJ14443 NO FLOWS ARE DISPLAYED IN THE NETWORK ACTIVITY TAB IF AN EVENT PROCESSOR'S ID MATCHES A FLOW PROCESSOR IN THE DEPLOYMENT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that filtering on Event Processor in the Network Activity tab can fail to display any flows if there is an Event Processor whose ID in the Deployment matches that of a Flow Processor managed host.
28 May 2019
OFFENSES IJ13367 LONG RUNNING TRANSACTION CAN CAUSE THE MAGISTRATE TO NOT SHUTDOWN PROPERLY AND OFFENSES CAN STOP GENERATING CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a long running transaction can cause the Magistrate to not shutdown cleanly (during a Deploy function for example). When this occurs, Offenses can stop being generated if the Magistrate is unable to start up as expected after the unclean shutdown.
28 May 2019
APPS IJ17793 QRADAR APPS CAN STOP RUNNING ON AN APP HOST AFTER IT IS SETUP WITH HIGH AVAILABILITY (HA) OPEN Contact Support for a possible workaround that might address this issue in some instances. 28 May 2019
SECURITY BULLETIN CVE-2019-4212 IBM QRADAR SIEM IS VULNERABLE TO CSRF ATTACK CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
22 July 2019
SCHEDULED SCAN IV98896 VULNERABILITY SCANS CAN APPEAR TO NEVER COMPLETE AND/OR SOMETIMES TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

These particular instances of long duration scans have been attributed to a "build reports" agent process that can cause qvmprocessor out of memory occurrences. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
Line 173170: Jun  5 00:42:29 {hostname} OutOfMemoryMonitor[10929]: Discovered out-of-memory error for qvmprocessor process.
10 August 2017
DATA NODES IJ04179 DATA NODE REBALANCING CAN SOMETIMES CREATE AN UNBALANCED CLUSTER WHEN WITHIN 5% OF BEING IN BALANCE CLOSED Closed as a suggestion for a future release.

It has been identified that Data Node rebalancing can sometimes create an unbalanced cluster under certain conditions.

This has been observed primarily in instances where the data "source" is much larger in size than the "destination" and the nodes start to rebalance when within 5% of being in balance. It could also occur when rebalancing is interrupted (communication failures, deploys, restarting tunnels, etc).
30 November 2018
LOG SOURCES IJ17197 TRAFFIC ANALYSIS IN QRADAR 7.3.2 INCORRECTLY IDENTIFIES EVENTS LEADING TO INCORRECTLY GENERATED LOG SOURCES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in QRadar 7.3.2, Traffic Analysis can incorrectly identify incoming events more often than expected. When this event misidentification occurs, new Log Sources can be incorrectly created.
26 June 2019
DEPLOY CHANGES IJ16921 PERFORMING REPEATED 'DEPLOY' CHANGES PRIOR TO BACKEND DEPLOY TASKS COMPLETING CAN CAUSE A SIM RESET TO OCCUR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a SIM reset can occur when Deploy Changes has been performed repeatedly before all backend Deploy Changes functions have completed successfully. It is possible that the Magistrate can fail to shut down cleanly in these instances, leading to the SIM reset.

Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.sem.magi.OffenseManagerDelegate: [WARN]
[NOT:0180003000][127.0.0.1/- -] [-/- -]Magistrate was not shutdown cleanly, repairing database tables and files to be logged.
[hostcontext.hostcontext] [reset_sim] com.q1labs.hostcontext.core.executor.BaseHostExecutor: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Invoking ResetSim request

NOTE: A Support case is required to fully investigate and identify if this issue is the exact cause of a particular SIM reset occurrence.
18 June 2019
REPORTS IJ12530 "NEXT" BUTTON DOES NOT WORK IN THE REPORT WIZARD 'REPORT FORMAT PAGE' WHEN ONLY CSV IS SELECTED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that the "Next" button on the "Report format page" in the Report Wizard does not respond (it's greyed out) when only CSV is selected. This occurs during report template editing and also during a new report template creation.
07 January 2019
ASSETS IJ14994 PERFORMING A 'DELETE LISTED' ON ASSETS SCREEN, IT DELETES ALL ASSETS IN ASSET MODEL WHEN USING SPECIFIED FILTERED ASSET CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when assets are displayed in the Asset Model using search filters, and then the option for Delete Listed is used, all assets in the Asset Model are deleted instead of only the assets that were displayed.
26 March 2019
FORWARDING IJ16946 FORWARDING USING TCP OVER SSL CAN FAIL AND NOT ATTEMPT RECONNECT CAUSING FORWARDING TO STOP UNEXPECTEDLY CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when QRadar event/offense forwarding is configured to use TCP over SSL, forwarding can stop occurring when an exception is experienced, and it does not automatically recover as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:

[ecs-ep.ecs-ep] [SelectiveForwardingCommunictorThread_104] com.q1labs.sem.forwarding.network.ForwardingTCPoverSSLConnector:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occured while writing to the socket.
19 June 2019
DEVICE SUPPORT MODULE (DSM) IJ08963 ASSET UPDATES CAN STOP OCCURRING WHEN INVALID IPV6 VALUES ARE SENT TO THE ASSETPROFILER FROM A LOG SOURCE EXTENSION (LSX) CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when a Log Source Extension (LSX) is created and returns invalid IPv6 addresses, they are sent forward from the DSM extension to the assetprofiler. When this occurs, asset updates can stop.
16 October 2018
UPGRADE IJ14482 PATCHING ERROR MESSAGE ' "ASSET_REPORTING.VULNINSTANCE_XXXXX" DOES NOT EXIST' AND A PATCH ROLLBACK THEN OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a message similar to the following can occur during the QRadar patching/update process:
'ERROR: relation "asset_reporting.vulninstance_weekly" does not exist {hostname} : patch rolled back.'
[ERROR] Failed to apply patch on console ({hostname}). Exiting patch installer. An error was encountered attempting to process patches. Please contact customer support for further assistance.
This issue can be observed with any of these three tables:
  • asset_reporting.vulninstance_daily
  • asset_reporting.vulninstance_weekly
  • asset_reporting.vulninstance_monthly
11 March 2019
RULES IJ11173 QRADAR RULES CAN LOAD WHEN ONE OR MORE OF ITS TESTS FAIL LEADING TO FALSE POSITIVE RULE FIRING AND OFFENSES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that QRadar rules can still load when one or more of its rule tests fail. When this situation occurs within the QRadar rule engine, false positive rule firing can sometimes be observed and lead to invalid Offense creation.
24 May 2019
QUALYS SCANNER IJ16409 NIGHTLY VULNERABILITY SCAN USER INTERFACE STATUS MESSAGE DOES NOT GET UPDATED IF ONLY A SINGLE REPORT IS IMPORTED CLOSED An updated version of the Qualys Scanner rpm resolves APAR IJ16409. The RPM update for QualysQualysGuard-7.3-20190531123001.noarch.rpm (or later) is included in the July 25th QRadar weekly auto update. Most users will receive this update automatically. Administrators with Console appliances that do not have access to the Internet to get the automatic update can download the latest Auto Update bundle QRADAR-QRAUTO-1564067294 (or later) from IBM Fix Central. See this page for instructions on how to manually install an auto update bundle.

Issue: It has been identified that a nightly vulnerability scan status message in the User Interface does not get updated when there is only one scan file to download and parse. The scanUpdate message only gets updated at the beginning of a "for" loop when processing reports. When this issue occurs, it incorrectly appears in the User Interface that the scan continuously runs (even though it completes) until another scan using the same scanner is kicked off.
28 May 2019
PROTOCOL IJ15400 AKAMAI KONA REST API PROTOCOL FAILS WITH NULLPOINTEREXCEPTION IN QRADAR LOGGING CLOSED Resolves an issue in the Akamai Kona Rest API protocol to prevent a Null Pointer Exception that could cause event collection to stop. The release of this protocol update closes APAR IJ15400 and resolves the workaround where users needed to disable and enable their Akamai Kona log sources. Most users can wait for the QRadar weekly auto update to receive the protocol changes; however, administrators with Akamai Kona log sources can manually download and install the RPMs from IBM Fix Central. Issue resolved with the following RPM releases:

  • PROTOCOL-AkamaiKonaRESTAPI-7.2-20190226111026.noarch.rpm or later
  • PROTOCOL-AkamaiKonaRESTAPI-7.3-20190226161019 or later

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPISource: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]There appears to have been a run-time issue with the provider connection 'class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider'
18 JULY 2019
DEVICE SUPPORT MODULE (DSM) IJ17406 CHANGES IN VCENTER AND COMMON DSM CAN CAUSE TLS SYSLOG LOG SOURCE LEGACY CONFIGURATION UI PAGE TO NOT LOAD CORRECTLY CLOSED This release resolves a problem where the VMware vCenter DSM or DSM Common framework RPM could affect which protocol options were displayed to users creating new log sources. Several users reported that TLS Syslog was missing from the Protocol drop-down list when creating non-VMware log sources, as described in APAR IJ17406. Users who do not have the VMware vCenter DSM installed, or who do selective DSM installs, can also get this fix by updating to the latest version of DSM Common. This issue was only observed by users of the default log source user interface, not by users of the Log Source Management app.

Local fix: The next QRadar weekly auto update will resolve this issue. QRadar 7.3.x users can manually install the updated RPMs from IBM Fix Central.
18 JULY 2019
SYSTEM NOTIFICATIONS IJ16822 INTERMITTENT FALSE POSITIVE NOTIFICATION MESSAGES 'A CRE PROCESSOR THREAD GOT SHUT DOWN UNEXPECTEDLY...' OPEN: Reported in QRadar 7.3.2 versions. No workaround available. These System Notifications can be ignored. 14 JUNE 2019
PERFORMANCE / SERVICES IJ16824 ARIEL_QUERY_SERVER PROCESS OUT OF MEMORY CAN OCCUR DUE TO LARGE NUMBER OF CONCURRENTPOOL OBJECTS IN JMX MBEAN OPEN: Reported in QRadar 7.3.1 Patch 8 It has been identified that the ariel_query_server process on a QRadar appliance can run out of memory due to a memory leak caused by a large number of remaining ConcurrentPool objects in JMX mbean server.

Contact Support for a possible workaround that might address this issue in some instances.


CASE REQUIREMENTS
To correctly identify that this issue is the cause of an ariel_query_server process out-of-memory occurrence, create a Support case with the affected appliance's get_logs output and the /store/jheap/ariel.ariel_query_server/ariel.ariel_query_server.system.dmp file that is created when the out of memory occurs. Only after Support has examined these files can the exact cause of the ariel_query_server process out-of-memory occurrence be correctly identified.
10 June 2019
RULES IJ16698 NEW CUSTOM RULE ENGINE (CRE) THREAD THAT LOADS AFTER A THREAD FAILURE DOES NOT LOAD RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when impacted by APAR IJ04898 it is possible that the CRE threads load without rule configuration. When this occurs, expected rule correlation of events and offense firing can fail to work as expected.

Messages similar to the following might be visible in the QRadar System Notifications (QID 38750163): 'A CRE Processor thread got shut down abruptly, but a replacement one was created' and the following errors are displayed in /var/log/qradar.log indicating this scenario exists in your QRadar environment:
[WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]CRE Thread CRE Processor [x] shut down unexpectedly. CRE Processor [9]] com.q1labs.semsources.cre.CREEventProcessor:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Starting CRE Processor [27] on EP [212] with rule set [PROPERTY]

Workaround: A manual restart of the ecs-ep process from a command line interface connection corrects this condition on affected appliances. For example:
systemctl stop ecs-ep && systemctl start ecs-ep
27 June 2019
SEARCH IJ16592 ENABLING UNIQUE COUNTS FOR SAVED SEARCHES DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) It has been identified that attempting to enable unique counts on a search in Log Activity does not work as expected. Enable unique counts on a search, navigate away from the search, and then back to it; the unique counts setting reverts to disabled. For example:
  1. Create a new saved search.
  2. Create a basic report associated with saved search to enable the data accumulation for the saved search.
  3. Allow time to accumulate data for the search.
  4. Edit the saved search, enable unique counters.
  5. Run the search (search returns expected results).
  6. Edit the saved search.
Results: Observe that unique counts are disabled on the search.
10 June 2019
RULES IJ16618 USING A CIDR IN 'COMMON' RULES FAILS AND GENERATES 'CIDRNETWORKEXCEPTION' IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 versions It has been identified that attempting to use a CIDR in Common rules generates a CIDRNetworkException similar to the following in /var/log/qradar.log:

[tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.sem.ui.util.RuleConditionUtils: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get test parameter option text
[tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] Caused by: /console/do/rulewizard/saveCustomizeConditionParameter]
com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: 1.2.3.0/24
10 June 2019
UPGRADE / APP FRAMEWORK IJ16653 DUAL STACK NETWORK CONFIGURATION CAN CAUSE THE APP FRAMEWORK TO FAIL TO START SUCCESSFULLY AFTER PATCHING OPEN: Reported in QRadar 7.3.2 versions It is possible that the Application Framework fails to start due to none of the services being able to communicate with each other after patching QRadar in environments with an IPv6 and an IPv4 network interface configured.

The following error messages might be visible in /var/log/qradar.log when this issue occurs:
[21598]: time="2019-06-20T10:55:45-05:00" level=error msg="Provider connection error Get https://127.0.0.1:2376/v1.21/version: x509: certificate is valid for , not 127.0.0.1
[21598]: error during connect
10 June 2019
AMAZON AWS CLOUDTRAIL IJ16038 AMAZON AWS S3 REST API PROTOCOL CAN GET INTO A STATE OF AN INFINITE LOOP CAUSING THE LOG SOURCE TO FAIL TO RECEIVE LOGS OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) and later It has been identified that Log Sources using the Amazon AWS S3 Rest API Protocol can get into a state of an infinite loop in the error handling and show as being in "Success" state, but not be receiving any logs. Administrators who experience this issue should report the problem to QRadar Support in a case.

Workaround: The administrator can disable, then enable the affected Log Source to temporarily get the Log Source to function again as expected.
05 June 2019
REPORTS IJ16414 SCHEDULED REPORTS GENERATE WITH INCORRECT CHART DATA AND COLUMN NAME WITH SOME ADVANCED SEARCHES (AQL) OPEN: Reported in QRadar 7.3.2 versions It has been identified that when an aggregate function along with a mathematical operation is used in an Advanced Search (AQL), a separate column for every aggregate function is displayed in the report based on the search. In the following example, two columns with the same column name (as specified in the Alias) are displayed and both the columns contain different values which belong to the particular aggregate function.

Workaround: Run the report immediately from within the Report Wizard so that it runs against raw data. On the Report Wizard page, select the "Yes - Run this report when the wizard is complete" check box.
29 May 2019
JDBC PROTOCOL IJ16291 JDBC MSDE LOG SOURCES IN WARN STATUS WITH MESSAGE 'THERE IS A PROBLEM WITH THE SELECTED DATABASE DRIVER' CLOSED Closed as fixed if next. Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after patching to QRadar 7.3.2, JDBC MSDE Log Sources can stop receiving events and be in WARN status with a message similar to "There is a problem with the selected database driver". Reported in QRadar 7.3.2 versions with PROTOCOL-JDBC-7.3-20190411121241
09 December 2019
SNMPv3 PROTOCOL IJ06659 NO ERROR LOGGING WHEN SNMPV3 TRAPS ARE MISCONFIGURED WITH EITHER AUTHENTICATION OR DECRYPTION PASSWORD CLOSED Workaround: For your QRadar version, restart the ecs-ec service using one of the following commands:
  • QRadar 7.2.8, type: service ecs-ec restart
  • QRadar 7.3.0, type: systemctl restart ecs-ec
  • QRadar 7.3.1 and later, type: systemctl restart ecs-ec-ingress

This issue has been flagged as a permanent restriction. A workaround is provided which resolves the issue. It has been identified that when SNMPv3 traps are configured to be sent into and processed by QRadar, and there is either an authentication or decryption password that is misconfigured, the traps are not ingested by QRadar and no errors/messages are written into the QRadar logging indicating the issue.
09 December 2019
LOG ACTIVITY / NETWORK ACTIVITY IJ22501 LOG ACTIVITY GRAPHING CAN SOMETIMES DISPLAY INCORRECTLY AT THE END OF THE GRAPH OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 IF03 No workaround available.

Log Activity graphing can continue to show data values at the end of the graph when there are no events coming in.

For example, when a search is run in a time frame that includes time after events were last seen, there is a triangle on the right that appears to be events. There are no events when performing a hover over and the 'Number of Results' is a fractional number.
05 February 2020
RULES / QRADAR NETWORK INSIGHTS IJ22500 UNABLE TO EDIT FLOW RULE 'QNI: POTENTIAL SPAM/PHISHING SUBJECT DETECTED FROM MULTIPLE SENDING SERVERS' CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

Workaround
No workaround available.

Issue
Unable to edit flow rule "QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers". A message similar to the following can be generated in the QRadar User Interface when this issue is occurring: 'Please do not mix lack of device events tests with any other event test conditions.'
04 February 2020
FLOWS / NETWORK ACTIVITY IJ22499 FLOW RECORDS CAN SOMETIMES DISPLAY LAST PACKET TIME OF 'N/A' AND BYTE AND PACKET COUNT OF '0' IN NETWORK ACTIVITY CLOSED Resolved in
QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

Workaround
No workaround available.

Issue
Flow records can sometimes display a last packet time of 'N/A', and a Byte and Packet count of '0', in Network Activity.
04 February 2020
LOG SOURCE MANAGEMENT APP IJ22447 LOG SOURCE TYPE ENTRIES CAN BE DISPLAYED MULTIPLE TIMES WITHIN THE LOG SOURCE MANAGEMENT APP OPEN: Reported in LSM app v5.0 No workaround available.

Individual Log Source types can be displayed/listed multiple times in the QRadar Log Source Management App.
04 February 2020
AQL / GEOLOCATION IJ16434 ADVANCED SEARCH (AQL QUERY) CONTAINING GEO::LOOKUP RETURNS AN EMPTY JSON STRING FOR 'CITY' VARIABLE OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that performing an Advanced Search (AQL Query) using the GEO::LOOKUP can return no data for 'city' where the graph can display records. The 'city' variable returns only an empty JSON string in the table below the graph. QRadar 7.3.2 users can use the following advanced search to validate this reported issue:
select GEO::LOOKUP('','city') as City,
GEO::LOOKUP('','city_name') as CityName from events
limit 1
29 May 2019
UPGRADE IJ15652 APPS NOT DISPLAYING AFTER UPGRADING TO VERSION 7.3.2 OF QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that after upgrading to QRadar 7.3.2, previously installed or newly installed applications can sometimes fail to display in the QRadar User Interface due to a certificate issue where the Local CA could not determine the domain name properly.
29 May 2019
DEPLOYMENT IJ16391 ADDING A MANAGED HOST TO A DEPLOYMENT FAILS IF IT HAD BEEN REMOVED FROM THE DEPLOYMENT WHILE BEING INACCESSIBLE CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
Install the latest software version or contact Support for a possible workaround that might address this issue if you are unable to upgrade at this time.

Issue
It has been identified that a Managed Host fails to be added to a Deployment if that Managed Host was previously in the Deployment but was inaccessible (e.g. powered off) when it was removed.
29 May 2019
SEARCH / INDEXES IJ16415 /OPT/QRADAR/BIN/ARIEL_OFFLINE_INDEXER.SH CAN SOMETIMES FAIL TO CREATE SUPER INDEX DUE TO MAXIMUM FILE ULIMIT VALUE CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Issue
It has been identified that in some instances the default per-process open file limit (ulimit) of 1024 is too low. When the file ulimit is reached, the ariel_offline_indexer.sh script can fail to successfully create a super index. Contact Support for a possible workaround that might address this issue in some instances.

Messages similar to the following might be visible in /var/log/qradar.log when the ulimit is reached:
[main] java.io.FileNotFoundException: /store/ariel/events/records/2019/06/30/22/super/Q1Tmpxxxxxx-xxxx-xxxx-xxxx-8e9792bb1a49 (Too many open files)
29 May 2019
LOG SOURCE / USER INTERFACE IJ16422 CUSTOM DSM REMAINS LISTED IN AVAILABLE "LOG SOURCE TYPES" AFTER BEING DELETED OPEN: Reported in QRadar 7.3.1 Patch 5 (7.3.1.20180720020816) and later No workaround available.

It has been identified that after a search is performed in "Log Activity" and a "Log Source Type" filter is added, any deleted Custom DSMs remain in the list of available Log Source Types.
29 May 2019
EVENTS IJ15965 QRADAR LOG SOURCES CAN BE IN A SUCCESS STATE BUT NOT RECEIVING LOGS DUE TO A PROTOCOL FAILURE CAUSED BY A MISSING JAR FILE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in some instances, the file opencsv-1.8.jar is missing from appropriate locations on a QRadar Console or Managed Host appliance. When this occurs, multiple QRadar Protocols that require the jar file can fail. Log Sources can be in "Success" state, but not receiving any event data for the Log Source.
29 May 2019
RULES IJ15968 MODIFIED SYSTEM RULES CANNOT BE DELETED DUE TO INFORMATION STORED BY THE DEPENDENCY CHECKER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that System Rules (Building Blocks) that have been modified cannot be deleted due to information stored and used by the rule deletion dependency checker in QRadar.
29 May 2019
RIGHT-CLICK IJ10925 RIGHT-CLICK FUNCTIONALITY FOR 'ADD TO BLACKLIST' FAILS WITH 'REFERENCESETUTIL CAUGHT AN ERROR...' MESSAGE CLOSED Closed as a documentation error.

Manually run the ReferenceSetUtil.sh script via an SSH session to the QRadar console with arguments. Example:
/opt/qradar/bin/ReferenceSetUtil.sh add Blacklist 
11 June 2019
UPGRADE IJ15626 QRADAR PATCH FAILS 'ERROR: FAILED TO VERIFY THAT VAULT-QRD SERVICE IS CORECTLY CONFIGURED AND RUNNING' CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
SERVICE IJ14988 ARIEL_QUERY_SERVER PROCESS IS ALLOWED TO BE STARTED ON THE QRADAR CONSOLE WHEN IT SHOULD NOT CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
SERVICE IJ15446 ARIEL_QUERY_SERVER CAN BE MANUALLY STARTED ON A QRADAR CONSOLE CLOSED: Duplicate of IJ14988 APAR IJ14988 is closed with the release of QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
UPGRADE / CONTENT IJ15334 EXTENSION MANAGEMENT UNINSTALLS CAN SOMETIMES CORRUPT RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in some instances when Extension Management uninstalls are performed, rule corruption can occur due to a Content Management Tool issue. Extension Management uninstalls are performed when Apps are uninstalled. When rule corruption has occurred, false positives and/or false negatives can be experienced. An 'Application Error' can also sometimes occur when attempting to modify affected rules.
26 April 2019
RULES IJ16392 USERS WITHOUT 'MAINTAIN CUSTOM RULES' DO NOT SEE THE LOW-LEVEL CATEGORY OF THE DISPATCHED EVENT FROM RULE WIZARD OPEN No workaround available.
It has been identified that QRadar users without "Maintain Custom Rules" in user role do not see the Low-level category of the dispatched event from the Rule Wizard when viewing the rule summary.
28 May 2019
RULES IJ17437 LOW-LEVEL CATEGORY VALUE IN RULE SUMMARY IS BLANK FOR USERS WITH NON-ADMIN USER ROLE CLOSED: Duplicate of IJ16392. Subscribe to APAR IJ16392 to be alerted to status changes for this APAR. 28 May 2019
INSTALL IJ17438 INSTALLATION OF QRADAR CAN FAIL DUE TO INCORRECT DETECTION OF BIOS CONFIGURATION OPEN It has been identified that with some Lenovo System Xseries M4 and M5 appliances, the QRadar installation can fail to properly detect that the BIOS configuration "Legacy Mode" is set.

Workaround: Toggle the BIOS boot mode.
  1. During a reboot of the appliance, press F12 to display the BIOS boot mode.
  2. Select the Boot Manager and scroll down the screen.
  3. Toggle the Boot Mode setting to any option, then select Legacy.
  4. Save the BIOS changes and proceed with the QRadar installation.
08 July 2019
SECURITY BULLETIN CVE-2018-3180 A VULNERABILITY IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECTS IBM QRADAR SIEM CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-2022 IBM QRADAR SIEM IS VULNERABLE TO AN INFORMATION EXPOSURE CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-2021 IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN APACHE TIKA CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-17197 IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN APACHE TIKA CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2019-4054 IBM QRADAR SIEM IS VULNERABLE TO AN INFORMATION EXPOSURE CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-15756 IBM QRADAR SIEM IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN SPRING FRAMEWORK CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-11212
CVE-2018-12547
CVE-2019-2426
MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2019-4211 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-11761
CVE-2018-11762
CVE-2018-8017
CVE-2018-11796
IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO PUBLICLY DISCLOSED VULNERABILITIES FROM APACHE TIKA CLOSED Resolved in:
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
USER INTERFACE IJ16435 SENSORPROTOCOLSTATUS AND SENSORPROTOCOLSTATUSSENTRY DATABASE TABLES BLOAT AND SOMETIMES CAUSE USER INTERFACE OUTAGES Transitioning to closed Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)
QRadar 7.3.1 Patch 8 Interim Fix 03 (7.3.1.20190612151858)

It has been identified that the QRadar User Interface can sometimes become unresponsive in instances where the sensorprotocolstatus and sensorprotocolstatusentry database tables bloat.
28 May 2019
WINCOLLECT IJ17394 WINCOLLECT UNABLE TO REGISTER NEW AGENTS "...INVALID TOKEN ROLE" IN QRADAR LOGGING AFTER APPLYING QRADAR 7.3.2 PATCH 2 CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 02 (7.3.2.20190710135412)
03 JULY 2019
SERVICE / DEPLOY IJ15699 NAPATECH SERVICE ON THE QRADAR NETWORK INSIGHTS (QNI) APPLIANCE CAN SOMETIMES FAIL TO START AFTER A PERFORMING A DEPLOY FULL CONFIGURATION CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)
30 APRIL 2019
CUSTOM EVENT PROPERTIES (CEP) IJ16423 JSON CUSTOM EVENT PROPERTY DISPLAYS "N/A" WHEN A BACKSLASH EXISTS IN THE EXTRACTED STRING FROM A PAYLOAD OPEN: Reported in QRadar 7.3.2 versions Workaround: If the "Enable this Property for use in Rules and Search Indexing" box is un-checked then the JSON Expression works as expected. 29 MAY 2019
INSTALL IJ16494 NEW ISO INSTALLATION/BUILD OF 7.3.2 PATCH 2 HAS BACKLEVEL VERSION OF SOME FORENSICS/QNI APPLIANCE RPMS CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)

It has been identified that when performing a fresh appliance install of QRadar 7.3.2 Patch 2 from the ISO file, QRadar Incident Forensics (QIF) and QRadar Network Insights (QNI) appliance installs are incorrectly identified as QRadar type appliances. When this occurs, newer RPMs that are included within the ISO for QIF and QNI are not installed as expected. The QRadar 7.3.2 Patch 2 IF01 update resolves this issue.
29 MAY 2019
OFFENSES IJ17329 RIGHT-CLICK OPTION FOR NAVIGATE VIEW SOURCE SUMMARY AND VIEW DESTINATION SUMMARY IS SOMETIMES GREYED OUT CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that the Navigate right-click menu from the Offense view has the 'View Source Summary' and 'View Destination Summary' options greyed out when IP and Log Source both belong to a domain other than "default Domain".
28 JUNE 2019
RULES / UI IJ17330 ‘ARE YOU SURE YOU WISH TO ENABLE +1?’ MESSAGE WHEN ENABLING RULE PERFORMANCE CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 28 JUNE 2019
DEPLOY CHANGES IJ00919 QRADAR DEPLOY FUNCTION CAN TIMEOUT WITH 'FAILED TO REPORT HOST CAPABILITIES AFTER X ATTEMPTS' EXCEPTION IN THE LOGS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Example error message from /var/log/qradar.error:
[hostcontext.hostcontext] [Thread-27]com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [ERROR][-/- -] Report capabilities thread: failed to report host capabilities after X attempts
06 NOVEMBER 2017
OPERATING SYSTEM / KERNEL IJ16696 UNEXPECTED REBOOT CAN OCCUR WITH 3.10.0-957.10.1.EL7.X86_64 RHEL KERNEL WHEN RUNNING CONCURRENT SEARCHES CANCELLED APAR IJ16696 has been cancelled. It has been determined that the RHEL Kernel issue does NOT apply to QRadar 7.3.2 Patch 2 and the APAR has been removed from the 'Known issues' list in the release notes. No impact to QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 07 JUNE 2019
FLOW SOURCES IJ07715 PCI NETWORK INTERFACES ARE NOT DISPLAYED IN FLOW SOURCE DROPDOWN FOR DELL APPLIANCES AFTER QRADAR 7.3.1 UPGRADE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
LOG ACTIVITY / NETWORK ACTIVITY IJ09157 [LOG NETWORK ACTIVITY PAGE] QRADAR EVENT DETAILS SCREEN IS BLANK, 'APPLICATION ERROR' MESSAGE DISPLAYED CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).

It had been identified in QRadar 7.2.8 that attempts to view the Event details page can sometimes fail to display any content and generate an 'Application Error' due to an exception in the following situations:
  1. A custom property owner was deleted from QRadar or never existed (importing content bundles created by users that don't exist on the target system)
  2. A calculated custom property uses other custom properties that are disabled or deleted
Messages in /var/log/qradar.error with "No property 'BytesSent' exists in set" might be visible when this issue is occurring.
03 JUNE 2019
REFERENCE SETS IJ10643 SOME QRADAR USERS ARE UNABLE TO VIEW VALUES COLUMN IN REFERENCE SETS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).

It has been identified that some QRadar users might be unable to view the Values column in the reference set editor User Interface from any browser on any computer system. Admin tab -> Reference Sets -> select any reference set -> edit. When the user interface is rendered, the Values column is not visible.

NOTE: This issue was initially reported in QRadar 7.3.1 Patch 5 and later. Administrators should consider an update to QRadar 7.3.2 to resolve the issue described in the APAR. For notes on upgrading, see https://ibm.biz/qradarchecklist.
03 JUNE 2019
ASSETS IJ10889 OUT OF MEMORY IN ASSETPROFILER WHEN IMPORTING SCAN DATA CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
QRADAR NETWORK INSIGHTS / SUPERFLOWS IJ12275 FLOWS RECEIVED FROM QRADAR NETWORK INSIGHTS (QNI) DO NOT GENERATE SUPERFLOWS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 31 MAY 2019
CUSTOM RULES ENGINE / FLOW DETAILS IJ13215 RULE WIZARD DOES NOT DISPLAY WHILE IN AN ASSOCIATED FLOW FROM WITHIN AN OFFENSE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Return to the main QRadar interface to open the Rule Wizard. For example, Log Activity > Actions > Rules.
06 FEBRUARY 2019
SYSTEM NOTIFICATIONS / QFLOW IJ13246 "QFLOWXXX HAS FAILED TO START FOR X INTERVALS" NOTIFICATIONS WHEN RECEIVING IPFIX PACKETS WITH A LARGE AMOUNT OF FIELDS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
ADVANCED SEARCH / AQL IJ13446 INVALID AQL SAVED SEARCHES CAN CAUSE SEVERAL USER INTERFACE SCREENS TO FAIL TO LOAD CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

Log error message:
qRuleWizardUtils: [ERROR] Could not retrieve aggregated search result fields with UI Ariel Services.
31 MAY 2019
QRADAR INCIDENT FORENSICS / PCAP UPLOAD IJ13905 UNABLE TO UPLOAD PCAP FILES USING THE ADMIN/FORENSICS/CASE MANAGEMENT TOOL: 'ERROR: EMPTY FILE UPLOAD RESULT' CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 15 FEBRUARY 2019
TIME SERIES GRAPH / SEARCH IJ14209 TIME SERIES DATA ERROR GENERATED WHEN FILTERING ON AN AGGREGATED CUSTOM PROPERTY USING MAXIMUM OR MINIMUM IN LOG ACTIVITY OR NETWORK ACTIVITY CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).

It has been identified that viewing Time Series Data displays an error when filtering on an aggregated custom property using Maximum or Minimum. The error generated in the QRadar User Interface is similar to:
There was an issue with generating time series.
UIFrameworksException: unable to create TopN cursor

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (1719) /console/JSON-RPC/QRadar.createTopNSearch QRadar.createTopNSearch] createTopNSearch: [ERROR] [NOT:0000003000][1.1.1.1/- -] [-/- -]Unable to create TopN cursor.
05 MAY 2019
LOG ACTIVITY IJ14472 LOG ACTIVITY PAGE SEARCH RESULTS ARE ONLY DISPLAYED WHEN THE SEARCH COMPLETES INSTEAD OF STREAMING DURING SEARCHES CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 13 March 2019
OPERATING SYSTEM / KERNEL IJ14841 HOSTS CAN REBOOT SPONTANEOUSLY AND FILL /VAR/CRASH/ PARTITION DUE TO RED HAT ENTERPRISE LINUX KERNEL PANICS ISSUE CLOSED Resolved in:
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)

NOTE: Administrators who cannot update can disable the userspace hardening by adding the following parameter to the kernel command line:
hardened_usercopy=off
01 April 2019
QFLOW IJ14855 IPFIX FIELDS FOR QFLOW HAVE A LENGTH OF 0 WHEN USING "PAYLOAD" OPTION IN SYSTEM SETTINGS -> QFLOW SETTINGS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

NOTE: Administrators who cannot update can use the "TLV" setting, which works as expected; "TLV" is the default mode for QRadar 7.3.0 and later versions.
26 April 2019
RULES / RULE PERFORMANCE IJ14856 RULE AND BUILDING BLOCK DEPENDENCY CHECK NOT WORKING AS EXPECTED WHEN 'RULE PERFORMANCE ANALYSIS' IS DISABLED CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 26 March 2019
ADVANCED SEARCH (AQL) IJ15591 THE 'IS NOT' OPERATOR DOES NOT WORK CORRECTLY WHEN USED IN THE 'SELECT' PART OF AN ADVANCED SEARCH (AQL) CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 01 May 2019
DEPLOY CHANGES IJ15735 HAVING AN ENCRYPTED MANAGED HOST WITHIN A DIFFERENT NAT GROUP THAN THE CONSOLE CAUSES DEPLOYS TO FAIL IN QRADAR 7.3.2 PATCH 1 AND LATER VERSIONS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 01 May 2019
OPERATING SYSTEM IJ15781 REDHAT ENTERPRISE LINUX KERNEL ISSUE CAN CAUSE DATA GATEWAY ADD PROCESS TO HANG FOR AZURE ON HYPER-V INSTALLATIONS CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943). 22 May 2019
LOG SOURCES IJ16039 LOG SOURCES REQUIRING A PASSWORD CAN STOP WORKING AFTER MODIFYING OTHER LOG SOURCE FIELDS CLOSED Resolved in:
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)
03 June 2019
DATA NODE IJ16159 OFFLINE FORWARDING FROM A MANAGED HOST WITH ATTACHED DATA NODE(S) FAILS TO FORWARD EVENTS FROM THE DATA NODE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 15 May 2019
LOG SOURCE MANAGEMENT IJ16388 LOG SOURCE PARSING ORDER PAGE CAN FAIL TO LOAD CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 23 May 2019
QFLOW / SERVICE IJ16389 NAPATECH3 AND QFLOW PROCESS CAN FAIL TO START CLOSED Resolved in:
QRadar 7.3.1 Patch 8 IF02 (7.3.1.20190524193053)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).
23 May 2019
USER INTERFACE IJ16167 QRADAR USER INTERFACE CAN BECOME UNAVAILABLE DUE TO TXSENTRY CAUSED BY A DEADLOCK IN USERMANAGER Transitioning to closed Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 IF02 (7.3.1.20190524193053)

Workaround
No workaround available.

Issue
It has been identified that in some instances the QRadar User Interface (UI) can become unavailable due to TxSentry killing the Tomcat process when a deadlock occurs with the threads inside UserManager. The QRadar UI becomes available again once all required processes are running as expected. Contact Support so that they can confirm that this is the reason for an unexpected Tomcat (UI) outage.
29 May 2019
GEOLOCATION / LOCALIZATION IJ16183 SOME COUNTRIES AS DISPLAYED WITHIN AREAS OF THE QRADAR USER INTERFACE (NETWORK HIERARCHY) ARE NOT CORRECTLY LOCALIZED OPEN: Reported in QRadar 7.3.1 versions No workaround available. Incorrectly localized countries:
Hong Kong -> Hong Kong S.A.R of China
Macau -> Macao S.A.R of China
Korea -> South Korea
Korea -> North Korea
Macedonia -> North Macedonia
Cote D'Ivoire -> Côte d'Ivoire.


Missing localizations:
BouvetIsland, Western Sahara, Congo-Kinshasa, Congo-Brazzaville
16 May 2019
ENCRYPTED HOSTS / TUNNELS IJ16082 ATTACHING AN EVENT COLLECTOR TO A DIFFERENT EVENT PROCESSOR (EP) LEAVES OLD TUNNEL CONNECTIONS TO THE ORIGINAL EP OPEN: Reported in QRadar 7.3.1 Patch 6 IF01 Contact Support for a possible workaround that might address this issue in some instances. 16 May 2019
QRADAR NETWORK INSIGHTS / DISK SPACE IJ15644 /TMP PARTITION FILLING WITH APACHE-TIKA-XXXXX.TMP FILES ON QRADAR NETWORK INSIGHTS APPLIANCES CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 16 May 2019
CUSTOM EVENT PROPERTY IJ15399 AN AQL BASED CUSTOM EVENT PROPERTY THAT HAS BEEN DISABLED CONTINUES TO BE DISPLAYED WITHIN SUBSEQUENT EVENTS OPEN: Reported in QRadar 7.3.1 Patch 7 and QRadar 7.3.2 No workaround available. 16 May 2019
OFFENSES IJ15593 OFFENSE SOURCE SUMMARY INFORMATION THAT IS PULLING ASSET DATA IS NOT DOMAIN AWARE FOR OFFENSES INDEXED BY USERNAME, MAC ADDRESS, OR HOSTNAME CLOSED Resolved in:
QRadar 7.4.0 (7.4.0.20200304205308)
QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

Issue
It has been identified that QRadar environments with domains configured can have users from one domain see data from assets from another domain in the offense summary for offenses indexed by username, MAC, or hostname.
09 December 2019
NETWORK HIERARCHY / RULES IJ15969 FALSE POSITIVE RULE FIRING CAN OCCUR CAUSED BY NETWORK HIERARCHY IN DOMAIN ENVIRONMENTS OPEN: Reproducible in QRadar 7.3.1 Patch 6 and 7.3.1 Patch 7 versions No workaround available. 16 May 2019
CUSTOM ACTION SCRIPTS IJ15568 CUSTOMACTIONUSER FUNCTION WITHIN CUSTOM ACTION SCRIPTS CANNOT PERFORM DNS LOOKUPS OPEN: Reported in QRadar 7.3.2 Contact Support for a possible workaround that might address this issue in some instances. 16 May 2019
OFFENSES IJ15648 UNEXPECTED DUPLICATE ATTACKER NETWORKS GENERATED FOR OFFENSES DUE TO THE ADDITION OF IPV6 FIELD CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that duplicate offense attackers can be generated for an Offense and, as a result, more source IPs are listed against an Offense than actually caused it. This behavior is caused by the addition of the IPv6 field to the unique index on attackers.
16 May 2019
DEPLOY CHANGES IJ15527 DEPLOY FUNCTION CAN TIMEOUT WHEN A REQUIRED PROCESS IS UNABLE TO CONNECT TO QRADAR APPS OPEN Resolved in:
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
NOTE: Resolved in 7.3.2 Fix Pack 7. This APAR is listed as OPEN as there are 7.3.x and 7.4.x releases pending.

Workaround
No workaround available.

Issue
It has been identified that when QRadar Apps do not respond to a required process during a Deploy function, the Deploy can timeout. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
com.q1labs.hostcontext.configuration.ConfigSetUpdater: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to execute db app
sync post deploy action
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
com.q1labs.configservices.process.ProcessException: Unable to
execute platform app sync.
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeA
ction(DBAppSyncPostDeployAction.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.configuration.ConfigSetUpdater.postDownlo
adAndApply(ConfigSetUpdater.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
dApplyConfiguration(ConfigSetUpdater.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.configuration.ConfigSetUpdater.startDownl
oadAndApplyConfiguration(ConfigSetUpdater.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.configuration.ConfigChangeObserver.update
Configuration(ConfigChangeObserver.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.configuration.ConfigChangeObserver.update
(ConfigChangeObserver.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.observer.Subject.updateNotify(Subject.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.observer.JMSMessageSubject.messageReceive
d(JMSMessageSubject.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
MSMessageEvent.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
hread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
Caused by:
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
com.ibm.si.application.conman.sync.ApplicationSyncException: An
error occurred while attempting to sync apps on host
[e7979a607d5e320f8c98.localdeployment]
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.ibm.si.application.conman.sync.DBConmanSyncService.syncAppsO
nHost(DBConmanSyncService.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.ibm.si.application.conman.sync.DBConmanSyncService.performMa
nagedHostAppSync(DBConmanSyncService.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.ibm.si.application.conman.sync.DBConmanSyncService.performSy
nc(DBConmanSyncService.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at
com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeA
ction(DBAppSyncPostDeployAction.java)
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
   ... 9 more
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
Caused by:
[hostcontext.hostcontext]
[b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]
com.ibm.si.application.platform.exception.ApplicationPlatformSer
viceException: 20 attempts across 10 minutes failed to connect
to these apps: 1004:[Reference Data Import - LDAP]
16 May 2019
DEPLOY CHANGES IV95108 DEPLOY CHANGES FUNCTION CAN TIMEOUT TO SOME MANAGED HOSTS AFTER PATCHING QRADAR DUE TO AN OPENJPA ERROR CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 14 May 2019
SERVICE / POSTGRES IV94508 POSTGRES DEADLOCKS CAN SOMETIMES LEAD TO SEARCH DATA RESULT INCONSISTENCY CLOSED Resolved in:
QRadar 7.3.1 Patch 8
QRadar 7.3.2 (7.3.2.20190201201121)
14 May 2019
SEARCH / QUICK FILTER IV91639 RULE RESPONSE LIMITER DOES NOT ALWAYS LIMIT RESPONSES AS CONFIGURED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
SEARCH / QUICK FILTER IJ07900 QUICK FILTER SEARCHES RUN AGAINST RECENT EVENTS CAN SOMETIMES APPEAR HUNG/STALLED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
SEARCH / NETWORK GROUP IJ06618 SEARCH WITH GROUP BY CONFIGURED AS 'SOURCE NETWORK GROUP' OR 'DESTINATION NETWORK GROUP' DISPLAYS 'N/A' IN COLUMN RESULTS CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
REPORTS IJ06087 REPORTS AUTHORED BY NON-ADMIN USER AND SHARED TO OTHER NON-ADMIN USER ARE NOT VISIBLE AFTER AUTHOR DELETED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
APPS / HIGH-AVAILABILITY (HA) IJ04177 QRADAR APPS CAN FAIL TO LOAD AFTER A HIGH AVAILABILITY (HA) FAILOVER HAS OCCURRED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
CUSTOM EVENT PROPERTIES / JSON IJ15251 'APPLICATION ERROR' IN THE CUSTOM EVENT PROPERTIES WINDOW WHEN USING JSON KEYPATH EXTRACTION Transitioning to closed Resolved in QRadar 7.3.1 Patch 8 IF01. 06 February 2019
QRADAR VULNERABILITY MANAGER / EMAIL IJ13364 VULNERABILITY SCAN 'EMAIL ASSET OWNER' EMAILS FOR START AND STOP OF SCANS NOT BEING SENT Transitioning to closed Resolved in QRadar 7.3.1 Patch 8 IF01. 11 February 2019
WINCOLLECT IJ12255 EVENT ID FILTERS ENABLED WITHIN THE LOG SOURCE MANAGEMENT APP ARE NOT WORKING AS EXPECTED Transitioning to closed Resolved in WinCollect 7.2.9 14 February 2019
WINCOLLECT IJ07257 WINCOLLECT AGENTS INSTALLED ON OR POLLING FROM WINDOWS 10 VERSION 1803 (APRIL 2018 UPDATE) STOP RECEIVING SECURITY EVENTS CLOSED Resolved in WinCollect 7.2.9. Users who cannot update can use the local workaround of configuring XPATH or MSEVEN6 in their log sources to resolve this issue until they can update their agents. 03 December 2018
WINCOLLECT IV99860 'ERROR 1720' WHEN INSTALLING WINCOLLECT STANDALONE PATCH FILE TO WINCOLLECT 7.2.5 CLOSED Unreproducible in the WinCollect 7.2.9 release. 09 January 2019
SYSTEM NOTIFICATIONS IJ14249 NOTIFICATION OF DROPPED FLOWS IS NOT OCCURRING IN QRADAR SYSTEM NOTIFICATIONS OPEN No workaround available.

It has been identified that in instances where flows are being dropped by a QRadar appliance, there are notifications written into QRadar logging, but no System Notification message is generated in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when flows are being dropped:
[QRADAR] [16664] qflow: [WARNING] Unable to stream
flows fast enough to {ip_address}:32010. Dropped 4393 flows.
28 May 2019
API IJ13407 INTERNAL SERVER ERROR 500 OCCURS WHEN ATTEMPTING TO CREATE OR EDIT A LOG SOURCE WITH CUSTOM VALIDATION FROM USING API CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 28 March 2019
LOGS IJ16032 QRADAR LOGS FILLING WITH REPEATED MESSAGES SIMILAR TO "{HOSTNAME} {PROCESS}[PID]: RECEIVED " CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that repeated log messages can fill QRadar logs. Repeated messages similar to the following might be visible in /var/log/qradar.error and /var/log/qradar.log when this issue is occurring:
{hostname} tomcat[14144]: Received 210593
{hostname} tomcat[14144]: Received 210594
{hostname} tomcat[14144]: Received 210599
{hostname} ecs-ep[21513]: Received 480
{hostname} ecs-ep[21513]: Received 478
{hostname} ecs-ep[21513]: Received 481

Note: By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across monitored partitions (including /var/log). If the partition fills to 95%, it will stop the QRadar critical services.
31 December 2018
OFFENSE SEARCH - ASSIGNED TO USER IJ11954 ASSIGNING USERNAME THAT CONTAINS @ CHARACTER TO THE PARAMETER "ASSIGNED TO USER" IN OFFENSE SEARCH RESETS TO DEFAULT (ALL) CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 31 December 2018
QVM - SCAN EXPORTS IJ10677 IN QRADAR VULNERABILITY MANAGER, SCAN RESULT EXPORTS CAN BE MISSING SOME VULNERABILITY DATA CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 23 October 2018
QVM - SCAN PROFILE IJ10592 IN QRADAR VULNERABILITY MANAGER SCAN PROFILES, VULNERABILITY SCAN DAYS ARE DISPLAYED DIFFERENTLY THAN CONFIGURED CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 22 October 2018
QUICK SEARCH IV91635 QUICK SEARCHES CANNOT BE REMOVED FROM THE QUICK SEARCH LIST CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 3 (7.3.1.20180327211425)
QRadar 7.2.8 Patch 4 (7.2.8.20170224202650)
4 April 2018
INSTALL IJ01116 QRADAR 7.3.0 DURING INSTALLATION, MAY NOT ALLOW ROOT PASSWORD TO USE SPECIAL CHARACTERS CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 26 April 2018
UPGRADE IJ14473 "'DETECT CONFLICTING HOSTNAMES ON SYSTEM' FAILED." DURING QRADAR PATCHING CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 09 January 2019
AQL - ASSETHOSTNAME IJ12225 AQL QUERIES FOR ASSETHOSTNAME RETURN PREVIOUS HOSTNAME INSTEAD OF CURRENT HOSTNAME TRANSITIONING TO CLOSED, OPEN FOR 7.3.1 VERSIONS Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 09 January 2019
ASSET TAB - DELETE ASSET IJ13341 'APPLICATION ERROR' CAN OCCUR WHEN DELETING AN ASSET IN PENDING STATE CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 13 February 2019
API / APP PERFORMANCE IJ14947 QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE DUE TO TOMCAT RUNNING OUT OF USABLE FILE HANDLES CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.2 Interim Fix 01 (7.3.2.20190322185336)
22 March 2019
OFFENSES / RULE RESPONSE IV92376 OFFENSES CAN SOMETIMES NOT GENERATE WHEN A RULE RESPONSE TO CREATE A NEW OFFENSE INDEXED BY HOSTNAME (CUSTOM) IS CONFIGURED CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 12 (7.2.8.20180416164940)
07 March 2019
SERVICES IJ13340 EVENTS CAN SOMETIMES BE DROPPED DUE TO A CONNECTION ISSUE BETWEEN ECS-EC-INGRESS AND TCP_TO_EC QUEUE CLOSED Resolved in QRadar 7.3.1 Patch 8 21 February 2019
VULNERABILITY SEARCH IJ13324 'APPLICATION ERROR' IS GENERATED WHEN SOME SPECIAL CHARACTERS ARE ENTERED INTO A "MY ASSIGNED VULNERABILITIES" SEARCH CLOSED Resolved in QRadar 7.3.1 Patch 8 11 February 2019
OFFENSE STATUS IJ12883 SIM RESET CAUSING OFFENSES TO BECOME INACTIVE CAN SOMETIMES OCCUR WHEN MULTIPLE DEPLOY FUNCTIONS ARE PERFORMED CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
28 January 2019
FIREWALL RULE COUNTS IJ12122 QRADAR RISK MANAGER - COUNTING FAILS FOR NON-CISCO FIREWALLS WHERE EVENTS HAVE NO ASSOCIATED RULE ID CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 17 December 2018
NETWORK INTERFACE IJ12108 NAPATECH SERVICE CAN FAIL WITH 'ADAPTER 0: ERROR DETECTED ON BONDING INTERFACE. NIF LBW ERROR = 0X4' IN MESSAGES CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
SERVICES / GEOGRAPHIC DATA IJ12107 EXCEPTION THROWN AFTER MAXMIND DATABASE IS UPDATED CAN CAUSE MULTIPLE QRADAR PROCESSING ISSUES CLOSED Closed as a duplicate of APAR IJ04898. 09 August 2019
FORWARDED EVENTS IJ12098 FORWARDING EVENTS WITH LARGE PAYLOADS CAN CAUSE A MESSAGESIZEEXCEPTION ON THE TARGET APPLIANCE RECEIVING THE DATA CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.1 Patch 7 Interim Fix 01 (7.3.1.20181217203039)
31 December 2018
VULNERABILITY SCAN IJ11978 QRADAR VULNERABILITY MANAGER - VULNERABILITY SCAN RESULTS ONLY GENERATE FOR ONE INSTANCE OF A SERVICE RUNNING ON MORE THAN ONE PORT CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
10 December 2018
ASSET SEARCH IJ11922 ADDITIONAL FILTERS CANNOT BE ADDED TO A LOADED ASSET SAVED SEARCH CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 31 December 2018
SERVICES IJ11494 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY 'MYSPACE' INSPECTOR CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
30 November 2018
LOG SOURCE INTERFACE IJ11493 LOG SOURCE WINDOW CAN TAKE MINUTES TO LOAD DUE TO THREAD LOCK CLOSED Resolved in:
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

NOTE: Users who cannot update log sources in the standard user interface can use the Log Source Management app to update them.
27 November 2018
REFERENCE DATA IJ11490 REFERENCE SET IS NOT PURGED AFTER TIME TO LIVE EXPIRES WHEN 'DO NOT LOG ELEMENTS' IS SELECTED AT CREATION CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 30 November 2018
LOG SOURCE - ORACLE IJ11423 ORACLE LOG SOURCES CAN DISPLAY AS STATUS 'SUCCESS' BUT ARE NOT REPORTING (ORAI18N-10.2.0.JAR REMOVAL) CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
DASHBOARD - VULNERABILITY SEARCH IJ11242 DASHBOARDS USING A SAVED VULNERABILITY SEARCH CONTAINING A REFERENCE SET CAN SOMETIMES BE BLANK CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 19 November 2018
EXPORT - CSV IJ11204 QRADAR VULNERABILITY MANAGER - COUNTS AND RESULTS CAN BE INCONSISTENT AND DO NOT MATCH CSV EXPORTS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 13 November 2018
TUNNELS - ENCRYPTION IJ11168 QRADAR INCIDENT FORENSICS - ENCRYPTED INCIDENT FORENSICS APPLIANCES ARE MISSING THE REQUIRED HTTPS TUNNEL CONFIGURATION CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
30 November 2018
HIGH-AVAILABILITY (HA) - APP FRAMEWORK IJ11030 QRADAR APPS CAN FAIL TO LOAD AFTER FAILOVER TO SECONDARY CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 27 November 2018
QFLOW IJ10867 FLOWS CAN APPEAR WITH EQUAL SOURCE AND DESTINATION BYTES AND PACKETS FOR IANA INFORMATION ELEMENTS 23 AND 240 CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
11 February 2019
USER ROLES - RIGHT-CLICK IJ10829 ENHANCED RIGHT-CLICK MENU IS ENABLED FOR USERS WITHOUT 'IP RIGHT CLICK MENU EXTENSIONS' PERMISSION CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
FLOWS IJ10747 NETFLOW V9 AND IPFIX TCP FLAGS ARE MISSING OR INCORRECT WHEN A SINGLE BYTE ENCODING IS USED CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 1 November 2018
OFFENSE - PERFORMANCE IJ10694 OFFENSE PAGES IN THE QRADAR USER INTERFACE CAN BE SLOW TO LOAD WHEN LARGE NETWORK HIERARCHIES EXIST CLOSED Resolved in:
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
15 November 2018
REPORTS IJ10645 REPORTS GENERATED BASED ON A SAVED SEARCH DISPLAY 'OTHER' IN THE 'DESTINATION NETWORK' FIELD CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
01 November 2018
OFFENSE - PERFORMANCE IJ10622 OFFENSES TAB CAN BE SLOW TO LOAD THE USER INTERFACE WHEN HISTORICAL CORRELATION PROFILES EXIST CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
01 November 2018
REPORTS IJ10609 "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS OPEN (REOP) No workaround available. Reopened due to additional users logging cases for this issue.

It has been identified that timeseries reports with the Time variable configured for the X-Axis display "No data for Chart". For example, to replicate this issue:
  1. Click the Reports tab and create a weekly report.
  2. In the Chart Type, select Events/Logs.
  3. In the Container Details, select a pre-configured aggregated search (timeseries).
  4. Under Additional Details, select:
    • Graph Type: Bar
    • Limit Events/Logs to Top: 5
    • Horizontal (X) Axis: Time
    • Vertical (Y) Axis: Count
    • Timeline Interval: 1 day
  5. Save the report.
  6. Verify the data is being accumulated for the search.

Results
When the report runs as scheduled, it is generated with the "No Data for Chart" message in the container. The report is successfully generated when the user specifies any other variable in the Horizontal (X) axis instead of the "Time" variable.
28 August 2019
API - /SIEM/OFFENSES IJ10603 API CALLS TO THE OFFENSE MODEL FOR SOURCE_ADDRESSES/ID AND LOCAL_DESTINATION_ADDRESSES/ID CAN TAKE TOO LONG CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 01 November 2018
OFFENSE SEARCH IJ10580 CONVERTING FROM LOG MANAGER TO SIEM RESETS DATA RETENTION SETTINGS TO DEFAULT - DATA LOSS CAN OCCUR CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 15 November 2018
ADMIN - ASSET PROFILES IJ10402 'AN ERROR HAS OCCURRED. REFRESH YOUR BROWSER (PRESS F5)' WHEN ACCESSING THE 'ASSET PROFILER CONFIGURATION' INTERFACE FROM THE ADMIN TAB CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 October 2018
RULES - SUPERFLOWS IJ10372 [CUSTOM CRE] SUPERFLOWS DO NOT COUNT TOWARDS DOUBLE MATCH COUNT RULES CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
12 October 2018
SEARCH - NETWORK ACTIVITY IJ10110 'THE SERVER ENCOUNTERED AN ERROR READING ONE OR MORE FILES' WHEN PERFORMING A NETWORK ACTIVITY SEARCH AFTER UPGRADE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
07 October 2018
NETWORK HIERARCHY IJ09228 'AN ERROR OCCURRED STRING INDEX OUT OF RANGE' WHEN EXPANDING OR COLLAPSING NETWORK HIERARCHY CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
16 October 2018
SERVICES - FLOW PROCESSORS IJ09226 [EC] FLOW PROCESSORS (17XX) WITH MANY CONNECTED FLOW COLLECTOR (12XX/13XX) APPLIANCES CAN RUN OUT OF USABLE FILE HANDLES FOR THE ECS-EC PROCESS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 03 October 2018
OFFENSES TAB - DISPLAY IJ09219 UNABLE TO VIEW OFFENSE 'CATEGORY NAME' COLUMN DATA AND 'NETWORK' COLUMN DATA IN ASSOCIATED OFFENSES TAB VIEWS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 15 October 2018
ASSET TAB - DISPLAY IJ09053 SOME FIELD DETAILS THAT ARE DISPLAYED IN THE ASSET SUMMARY WINDOW ARE NOT DISPLAYED IN THE ASSET TABLE WINDOW CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
16 October 2018
SERVICES / GEOGRAPHIC DATA IJ09018 CRE PROCESSOR THREADS CAN DIE WHEN THE MAXMIND DATABASE IS UPDATED VIA AUTO UPDATE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
13 December 2018
ADVANCED SEARCH (AQL) IJ08960 ADVANCED SEARCH (LOG ACTIVITY) CAN FAIL WHEN CALCULATING EPS AND SORTING ON EPS CLOSED Closed as suggestion for future release. The thrown "ArithmeticException: divide by zero" is expected behaviour for this query and is consistent with industry-standard SQL engines. The workaround is to avoid dividing by zero.
For AQL like:
( max(endTime) - min(startTime) )

change the query to:
( max(endTime) - min(startTime)  + 1)

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
18 December 2018
OFFENSES - DISPLAY IJ08399 THE OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO DISPLAY A SINGLE OFFENSE (60 SECONDS) CLOSED Resolved in QRadar 7.3.1 Patch 8. 26 September 2018
APP NODE IJ03980 FAILED/UNRECOVERABLE APP NODE CANNOT BE REMOVED FROM QRADAR USER INTERFACE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 25 May 2018
RULES - PERFORMANCE IJ06484 RULES CONTAINING TESTS AGAINST GEOGRAPHIC LOCATION CAN SOMETIMES CAUSE NEGATIVE CRE PIPELINE PERFORMANCE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 18 May 2018
RULES - RESPONSE LIMITER IJ02748 'PLEASE ENTER A VALID OPTION PER INDEX' MESSAGE DISPLAYED WHEN ATTEMPTING TO SET A RULE RESPONSE LIMITER ON AN OFFENSE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 21 December 2017
HIGH-AVAILABILITY (HA) IJ02465 ISSUES CAN BE ENCOUNTERED AFTER PATCHING A HIGH AVAILABILITY PRIMARY HOST THAT WAS REBUILT USING HA RECOVERY PROCEDURE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 13 December 2017
CSV EXPORT IJ02468 EXPORT TO CSV CONTAINING NUMBERS WITH A SPACE SEPARATOR CAN DISPLAY INCORRECTLY IN MICROSOFT EXCEL CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 13 December 2017
REFERENCE DATA IJ01874 ASSOCIATED RULES COUNT IN THE REFERENCE SET MANAGEMENT USER INTERFACE CAN APPEAR DIFFERENT THAN REFERENCE SET EDITOR SCREEN CLOSED Closed as suggestion for future release.

This issue could not be replicated in QRadar 7.2.8 or QRadar 7.3.2 releases. There are a number of default reference sets which are attached to default custom rules. When one of the default custom rules is modified, a duplicate rule is created in the QRadar database (known as an override rule) which obsoletes the default rule. The Admin -> Reference Set Management page tallies both of these rules in the "Associated Rules" count that is displayed.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
06 March 2019
RULES IV93954 RULE TEST 'WHEN AT LEAST [N] EVENTS ARE SEEN WITH THE SAME [PROPERTIES] IN [X] [MIN|HR|DAYS]' NOT FIRING WHEN EXPECTED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 26 February 2019
PORT ORDER IJ13900 QRADAR NETWORK INSIGHTS: INCORRECT NETWORK PORT ORDER DISPLAYED IN 'CONFIGURE QNI PORTS' WINDOW COMPARED TO THE BACK OF THE QNI APPLIANCE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

NOTE: Documentation updated to indicate the correct or expected port order for 1901, 1920 and 1920-C.
25 February 2019
DOMAIN MANAGEMENT IJ13244 EXCEPTION GENERATED IN QRADAR LOGGING WHEN CUSTOM EVENT PROPERTIES (CEP) ARE ADDED TO A DOMAIN OPEN: Reported in QRadar 7.3.2 No workaround available. Log keywords:
QRadar.saveDomain
com.q1labs.frameworks.session.SessionContext
[ERROR] leak(s) detected in session context
26 February 2019
CUSTOM ACTIONS IJ03208 CUSTOM ACTION PARAMETER SCRIPT ORDERING IS NOT HONORED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 26 January 2018
DISK SPACE IJ12276 LUCENE INDEXES ARE NOT REMOVED BY ROUTINE QRADAR DISK MAINTENANCE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
NETWORK INTERFACE - FIRMWARE IJ12105 QRADAR NETWORK INSIGHTS - NAPATECH3 SERVICE CAN FAIL ON NETWORK INSIGHTS APPLIANCES DUE TO FIRMWARE UPGRADE TEST SCRIPT TRANSITIONING TO CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
NETWORK INTERFACE IJ11384 QRADAR NETWORK INSIGHTS - NAPATECH3 SERVICE CAN DIE WHEN MULTIPLE NETWORK INSIGHTS APPLIANCES ARE IN A STACKED CONFIGURATION TRANSITIONING TO CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
USER INTERFACE / LOGIN IJ10166 USERS CANNOT LOG INTO QRADAR DUE TO THREAD DEADLOCK CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 2
29 November 2018
SEARCHES IJ10862 EXPORTED ASSET SEARCHES CONTAINING A NETWORK FILTER CAN GENERATE BLANK XML OR CSV FILES CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been reported in QRadar 7.3.1 Patch 5 that when exporting data from the Asset tab after applying a network filter, the generated XML or CSV reports can sometimes be empty. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [ExportJob-admin-308db28c-xxx-xxx-xxx-xxxxxxxxxx] com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
Chained SQL Exception [1/2]: ERROR: missing FROM-clause entry for table "netid"
29 November 2018
REPORTS IJ05334 TABLE REPORT VALUE FORMATTING CAN DISPLAY INCORRECTLY FOR AQL AGGREGATED DATA CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
FLOWS IJ08471 QRADAR NETWORK INSIGHTS CONTENT FLOWS ARE COUNTED AGAINST FLOW LICENSE WHEN THEY SHOULDN'T BE CLOSED Resolved in:
QRadar 7.3.2 (7.3.1.20190201201121)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 IF02 (7.3.1.20181019113425)
QRadar 7.3.1 Patch 6 IF01 (7.3.1.20181002221547)
29 November 2018
UPGRADES IJ08432 BACKLEVEL JTDS JAR FILES IN QRADAR 7.3.1 CAN SOMETIMES CAUSE AN OUT OF MEMORY WITH ECS-EC-INGRESS PROCESS CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been reported that the older jtds-1.2.6.jar file can remain in multiple QRadar directories instead of the newer jtds-1.3.3i.jar after patching/upgrading QRadar. In instances where the two different versions of the jtds .jar file are simultaneously present in working directories of QRadar and Log Sources using JDBC are in use, the ecs-ec-ingress process can run out of memory. If you have issues, contact Support for a possible workaround that might address this issue in some instances.
29 November 2018
OFFENSES IJ09017 OFFENSES NOT GENERATED WHEN USING A CUSTOM EVENT PROPERTY AS OFFENSE INDEX IN HISTORICAL CORRELATION CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
30 November 2018
REPORTS IJ09036 AQL QUERY WITH AN AGGREGATE THAT IS RUN AGAINST A CURSOR THAT CONTAINS AN AGGREGATE FAILS WITH 'GENERAL FAILURE' OPEN (Transitioning to closed) This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
DASHBOARD IJ08228 CREATING AN AQL QUERY WITH A SUB-SELECT CAN CAUSE DASHBOARD TIMESERIES TO FAIL DUE TO THE GLOBAL VIEW CREATED CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
FLOWS IJ11163 NETFLOW V9 / IPFIX INITIATOR/RESPONDER OCTET/PACKET FIELD DATA IS NOT PROCESSED BY QRADAR OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
29 November 2018
FLOWS IJ10158 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY MULTIPLE INSPECTOR COMPONENTS CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 1 (7.3.1.20181002221547)
29 November 2018
APPLIANCES IJ00712 A STANDBY HA MANAGED HOST REBUILT FROM THE RECOVERY IMAGE MAY NOT MERGE /STORE/TRANSIENT CORRECTLY CAUSING HA ISSUES OPEN (Transitioning to closed) This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
EVENTS / GEOGRAPHIC DATA IJ04898 GEOGRAPHIC COUNTRY/REGION INDEXING CAN CAUSE UNEXPECTED EVENT COLLECTION INTERRUPTION WHEN GEODATA UPDATES OCCUR CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
09 August 2019
DISK SPACE IJ03438 /OPT/QRADAR/SUPPORT CAN RUN OUT OF FREE SPACE AFTER UPGRADE DUE TO A LARGE NUMBER OF FAILED REPLICATION FILES CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been identified that the monitored partition /opt/qradar/support can run out of free space after an upgrade when a large number of failed replication files exist in that location (their default storage location). The /opt/qradar/ partition has a reduced size in 7.3.0.x and can fill faster than expected when system issues cause multiple failed replication files in quick succession.

NOTE: Services on a QRadar appliance are stopped when less than 5% free space is detected in a monitored partition until the free space issue is corrected. For more information on QRadar disk space and resolving issues, see QRadar Disk Space 101.
29 November 2018
OFFENSES IJ10545 OFFENSE SOURCE SUMMARY DISPLAYS INCORRECTLY FOR OFFENSES INDEXED ON REGEX CUSTOM PROPERTIES WITH FIELD TYPE "IP" OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 14
29 November 2018
UPGRADES IJ10818 CHANGES MADE TO LOGROTATE IN QRADAR 7.3.1 PATCH 6 CAN CAUSE /VAR/LOG AND OR /OPT TO RUN OUT OF FREE SPACE OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
EVENTS IJ03211 HOSTCONTEXT SERVICES CAN FAIL TO START DURING A HIGH AVAILABILITY (HA) FAILOVER TO SECONDARY EP/FP APPLIANCE CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been identified that in some instances, hostcontext can fail to start during a High Availability (HA) failover to the Secondary due to a race condition. This situation occurs when hostcontext tries to start but its prerequisite, IMQ, is not yet in a running state.

Events and flows are inaccessible in the User Interface from affected Managed Hosts until this issue is corrected.

Workaround: Restart the hostcontext service once it is confirmed that IMQ is running. From an SSH session to the Secondary appliance, check the IMQ state with:
# systemctl status imq

If IMQ is in the active (running) state, type:
# systemctl restart hostcontext
29 November 2018
DATA IJ08827 HOSTCONTEXT STARTUP ON A MANAGED HOST CAN OCCUR PRIOR TO DATABASE VERIFICATION OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
SCANS IV99512 CONCURRENT SCHEDULED SCANS THAT INCLUDE IP EXCLUSIONS CAN FAIL TO START AT THE SCHEDULED TIME CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SCANS IV91226 QVM SCAN CAN FAIL TO START/PROGRESS WHEN THERE ARE A LARGE NUMBER OF IP ADDRESS SCAN EXCLUSIONS DUE TO A POSTGRES EXCEPTION Transitioning to closed Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
REPORTS IJ09183 VULNERABILITY TRENDING REPORTS CAN SOMETIMES BE BLANK CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SEARCHES IJ08226 CLICKING 'VIEW IN BY' IN A VULNERABILITY SEARCH DASHBOARD NAVIGATES TO INCORRECT QRADAR WINDOW CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
SCANS IJ07030 VULNERABILITY SCANS EXPERIENCE A DELAY PRIOR TO COMMENCING WHEN A HIGH NUMBER OF IP EXCLUSIONS ARE DEFINED CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SCHEDULED SCAN IJ03246 QRADAR VULNERABILITY MANAGER - ALL SCHEDULED SCANS THAT RUN ON DECEMBER 1ST START AT MIDNIGHT NO MATTER WHAT TIME THEY ARE CONFIGURED TO START CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 12 (7.2.8.20180416164940)

It has been identified that any QVM scan that is configured to run on December 1st starts at midnight ignoring the actual configured scan start time.
29 November 2018
DATA / RULES IJ10999 UPDATES TO REFERENCE DATA USING CUSTOM EVENT PROPERTIES (CEP) CAN CAUSE CEP AND RULES TO BE RELOADED/TMP CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
OFFENSES IJ10070 QRADAR CAN STOP GENERATING OFFENSES DUE TO AN INCORRECT NULL CHECK OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
RULES IJ08227 CUSTOM RULE ENGINE DOES NOT USE LOG SOURCES CONTAINED IN 'OTHER' LOG SOURCE GROUP FOR FUNCTIONAL TEST PARAMETERS CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
USER INTERFACE IJ10532 WINCOLLECT AGENT 'LAST HEARTBEAT' STATUS DISPLAYS AS "UNAVAILABLE" WHEN WORKING AS EXPECTED OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 2
QRadar 7.2.8 Patch 15
29 November 2018
DEPLOY CHANGES IJ10514 QRADAR VULNERABILITY MANAGER DEPLOY FUNCTION STAYS AT "INITIATING DEPLOYMENT" AFTER A MANUAL OR AUTOMATIC AUTOUPDATE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 Interim Fix 2 24 October 2018
UPGRADES IJ09572 PATCH/UPGRADE TO QRADAR 7.3.1 PATCH 6 CAN HANG FOR AN EXTENDED PERIOD OF TIME (HOURS) WITH VULN_MAP_ASSET_MV DOES NOT EXIST CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DOMAINS IJ07713 QRADAR DOES NOT ALLOW ALL TOP LEVEL DOMAINS IN EMAIL ADDRESS DATA VALIDATION, CAN RETURN 'EMAIL ADDRESS IS NOT VALID' CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ06980 DASHBOARDS AND/OR QUICK SEARCHES CAN DISAPPEAR AFTER MODIFICATIONS HAVE BEEN MADE TO USER SETTINGS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IV54692 EVENT SEARCHES THAT FILTER BY THE EVENT PROCESSOR MIGHT DISPLAY UNEXPECTED GRAPH RESULTS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
REPORTS IJ07276 RTF FORMATTED REPORTS CAN FAIL TO GENERATE WITH A NULLPOINTEREXCEPTION DISPLAYED IN THE LOGS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ07123 INCONSISTENT RESULTS FOR ASSET SEARCHES 'ASSETS WITH OPEN SERVICE = DNS' VS 'ASSETS WITH OPEN SERVICE = DOMAIN' CLOSED Closed as suggestion for future release. Asset searching works the way it was designed. We have verified that using asset with Open service equals any of domain or DNS will fix this issue for customers. Closing as works as designed.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
18 September 2018
REPORTS IJ06862 REPORT RUNNER OUT OF MEMORY CAN OCCUR WHILE ATTEMPTING TO GENERATE VERY LARGE TABLE CHART PDF REPORTS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06807 MODIFYING THE START TIME FOR A LOG ACTIVITY SEARCH CAUSES A BLANK UI WINDOW FOR SOME QRADAR USER LOCALES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
ASSETS IJ05767 WHEN AN ASSET'S 'GIVEN NAME' IS SET ON THE 'EDIT ASSET PROFILE' WINDOW, IT CAN NO LONGER BE EDITED SUCCESSFULLY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
ASSETS IJ05756 WHEN AN ASSET HAS A 'GIVEN NAME' ASSIGNED, ANY SUBSEQUENT ASSET NAME CHANGES DO NOT OCCUR IN 'EDIT ASSET PROFILE' WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ00800 "HTTP ERROR 400" ERROR WHEN DRILLING DOWN INTO SEARCH RESULTS USING INTERNET EXPLORER 11 AND EDGE WEB BROWSER CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ07456 EVENT DATA FROM SPILLOVER QUEUE CAN SOMETIMES FAIL TO PARSE WHEN PROCESSED BY THE REGULAR QRADAR PIPELINE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
HOSTS IJ07127 QRADAR HOSTS CAN TAKE A LONGER THAN EXPECTED TIME TO RECONNECT AFTER A VPN CONNECTION RESET OR INTERRUPTION HAS OCCURRED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
QUERIES IJ06633 SNMPD DAEMON CRASH OCCURS WHEN PERFORMING A WIDE QUERY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ02816 APPLICATION DATA CONTINUES TO BE SENT TO THE ASSET MODEL AFTER DISABLING 'CLIENT APPLICATION PROFILING' CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DASHBOARD IJ05151 DASHBOARD WIDGETS AND REPORTS CAN BE EMPTY AFTER A COMPLETED UPGRADE FROM 7.2.8P1+ TO 7.3.0+ OR 7.3.1+ CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ03225 DATA BACKUPS CAN TAKE LONGER THAN EXPECTED OR FAIL TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ02598 MISSING THE FILE /STORE/PERSISTENT_QUEUE/ECS-EC.ECS-EC CAUSES EVENT PROCESSING/STORAGE TO FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SERVICES IJ07138 QRADAR INCIDENT FORENSICS - PACKET CAPTURE FAILS DUE TO NAPATECH3 SERVICE FAILING TO START CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DISK SPACE / NETFLOW IJ08089 QFLOW PROCESS CAN FAIL ON A MANAGED HOST WHILE APPENDING MESSAGE TEXT SEQUENCE NUMBERS WHEN RECEIVING NETFLOW CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
RULES IJ04902 GEOGRAPHIC RULE TESTS CONTAINING COUNTRIES WITH SPACES IN THEIR NAMES (MULTIPLE WORDS) ARE NOT BEING MATCHED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ04174 APPS TABS CAN BE SLOW TO LOAD AND/OR OR FAIL TO LOAD IN THE USER INTERFACE DUE TO DOCKER FREE SPACE PROVISIONING CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LOG SOURCES IV87195 SOME QRADAR CONFIGURATIONS CONTAINING A LARGE NUMBER OF LOG SOURCES CAN SOMETIMES EXPERIENCE PERFORMANCE DEGRADATION CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ06757 IMPORTED REFERENCE DATA DOES NOT EXPIRE AT ITS TIME TO LIVE WHEN THE REFERENCE DATA STRUCTURE IS IMPORTED USING CMT CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATABASE IJ04182 CONTENT MANAGEMENT TOOL CAN FAIL DURING THE IMPORT OF CUSTOM_ACTION TABLES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IV99773 QRADAR DEPLOY FUNCTION REQUIRED AFTER UPGRADE CAN FAIL IF THERE IS NOT ENOUGH FREE SPACE IN /TMP CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IJ07254 BUILD OR REBUILD OF A DISCONNECTED HIGH AVAILABILITY (HA) SECONDARY APPLIANCE (500) FROM QRADAR 7.2.8P1 TO 7.3.1 CAN FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LOGS IJ06866 LOG ROTATE NEEDS TO RUN MORE FREQUENTLY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
APPLIANCES IJ06268 DBUS COMPONENT OF SYSTEMD CAN SOMETIMES ENTER A HUNG STATE CAUSING SOME RHEL COMMANDS TO FAIL TO RUN AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IJ06082 QRADAR UPGRADE TO 7.3.1.X CAN FAIL DURING THE INSTALLATION PROCESSES INCLUDED WITHIN "34-POSTGRESQL-UPGRADE.SH" CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06148 'THERE WAS AN ERROR DOWNLOADING THIS ITEM' MESSAGE WHEN USING AN AQL SEARCH WITH TABLE, BAR, OR PIE CHARTS FOR A DASHBOARD CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
APPLIANCES IJ02752 RUNNING THE QFLOW_DTLS_CERT_SETUP.PY AS PART OF A QNI APPLIANCE SETUP CAN FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
BACKUP IJ06480 RISK MANAGER BACKUP PROCESS FAILS WHEN IT IS INSTALLED ON A QRADAR SOFTWARE INSTALL VS APPLIANCE INSTALL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SIMULATIONS IJ06008 QRADAR RISK MANAGER SIMULATION CAN FAIL WITH 'NO RESULTS' IN THE SIMULATIONS SCREEN CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06914 LEFT AND RIGHT KEYBOARD ARROW KEYS DO NOT RESPOND APPROPRIATELY WHILE BEING USED WITHIN SOME QRADAR SEARCH FIELDS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DEVICES IJ03313 QRADAR VULNERABILITY MANAGER - 'APPLICATION ERROR' WHEN PERFORMING A NORMALIZED DEVICE COMPARISON FOR A PALO ALTO DEVICE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LICENSE / QRADAR VULNERABILITY MANAGER IJ01180 VULNERABILITY MANAGER 'TRY IT OUT' ICON IS STILL PRESENT AFTER APPLYING A PROPER VULNERABILITY MANAGER LICENSE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IV90797 DISPLAYING OFFENSE COUNT BY CATEGORY AND/OR NETWORK DOES NOT RESPECT USER ACCOUNT DOMAIN CONFIGURATION CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ07174 "(1026) INVALID DATA" WHEN ADDING COMMA SEPARATED IP ADDRESSES TO AN EVENT RULE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IJ06833 OFFENSES CAN HAVE AN INCORRECT START TIME THAT IS PRIOR TO THE OFFENSE CREATION TIME WHEN USING "MATCH COUNT" RULES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ05592 NETWORK NAME AND EVENT 'DIRECTION' CAN BE DISPLAYED INCORRECTLY WHEN EVENTS CONTAIN IPV6 ADDRESSES CLOSED Resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ04928 HOVERING OVER AN IP ADDRESS DOES NOT SHOW THE NETWORK NAME IF THE COUNTRY FIELD IS NOT POPULATED IN NETWORK HIERARCHY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IJ08032 QRADAR USERS WITHOUT THE 'MANAGE OFFENSE CLOSING' USER ROLE OPTION SELECTED CAN CLOSE OFFENSES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
AUTHENTICATION IJ07975 LDAP LOGIN CAN FAIL FOR USERS WITH INTERNAL OR OPERATIONAL ATTRIBUTES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SERVICES IJ08436 PROCESS RUNNING OUT OF MEMORY DOES NOT CREATE SYSTEM.DMP FILE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ08828 NON-ADMIN USERS ARE UNABLE TO USE SEARCH FILTER 'LOG SOURCE GROUP', THE LIST DOES NOT LOAD CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
RULES IJ08845 /VAR/LOG/ FILLING WITH 'COM.Q1LABS.CORE.AQL.XFORCEFUNCTIONS: [ERROR]' MESSAGES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
REPORTS IJ08219 INCOMPLETE RESULTS IN REPORTS WHEN SELECTING 'DAY OF THE WEEK' TARGETED DATA SELECTION CONTAINER DETAILS CLOSED Closed as suggestion for future release.

Workaround: Instead of selecting the day of the week under Targeted Data Selection in the container details of the report, include the day-of-the-week condition in the AQL query of the search. The completed report then contains all the expected results for the days specified in the AQL query.

Details: It has been identified that reports can return incomplete or inconsistent results when Day of the Week is selected under Targeted Data Selection in the container details of the report.

For example:
  1. From the Log Activity tab, create a new search A for which data is not being accumulated (i.e. without the Group by clause)
  2. From the Reports tab, create a new monthly report based on the search.
  3. In the Container details of the report, check the Targeted Data Selection checkbox. Then select day of the week (e.g. Saturday and Sunday)
  4. Select Tables in the Graph Type dropdown box. Select 65,000 in the Limit Events/Logs to Top dropdown box.
  5. Run the report. Verify the records in the report.

Results
  • Expected: The report should contain records for all the Saturdays and Sundays of the previous month.
  • Actual: The report contains only records for the last Sunday of the month.
24 August 2018
APP FRAMEWORK IJ08034 USING THE STIG SCRIPTS ON A QRADAR CONSOLE CAN CAUSE THE APP FRAMEWORK TO FAIL OPEN Contact Support for a possible workaround 20 August 2018
VULNERABILITY SCAN IJ08038 OUTPOST24 VULNERABILITY SCAN STARTS AND THEN FAILS WITH NULLPOINTEREXCEPTION IN QRADAR.LOG OPEN No workaround available. 14 August 2018
APP FRAMEWORK IJ08092 ZOOKEEPER CAN FAIL TO START WHEN ZERO-LENGTH FILES ARE PRESENT IN LOGS DIRECTORY CAUSING MICROSERVICES INSTALLATION TO FAIL CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.0 Patch 6 (7.3.0.20171107151332)

It had been identified in QRadar 7.3.0 versions that zookeeper can fail to start due to an exception that occurs while starting a new session when zero-length log files exist in the /var/lib/zookeeper/version-2 directory. When this exception occurs, the microservices installation fails. Messages similar to the following might be visible when checking the marathon logs in journalctl:
marathon[17960]: [2017-07-20 15:19:10,929] WARN Session 0x0 for server {hostname}/{ipaddress}:2181, unexpected error, closing socket connection and example.net:2181
marathon[17960]: java.net.ConnectException: Connection refused
marathon[17960]: at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
marathon[17960]: at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:731)
marathon[17960]: at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:356)
marathon[17960]: at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1192)

The following exception might also be visible in the zookeeper logs, which can be viewed with: journalctl -u zookeeper
zookeeper[27112]: 2017-07-20 15:21:58,580 [myid:] - ERROR [main:ZooKeeperServerMain@64] - Unexpected exception, exiting abnormally
zookeeper[27112]: java.io.EOFException
zookeeper[27112]: at java.io.DataInputStream.readFully(DataInputStream.java:208)
zookeeper[27112]: at java.io.DataInputStream.readInt(DataInputStream.java:398)
27 February 2019
ASSETS IV89674 ASSET RECONCILIATION BLACKLIST REFERENCE SETS CAN BECOME BLOATED DUE TO NO EXPIRY DATE BEING SET CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 8 August 2018
REPORTS IJ06051 'WEEKLY SUCCESSFUL LOGIN EVENTS' REPORT CONTAINS QRADAR APP LOGINS CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 8 August 2018
REPORTS IJ02578 ASSET DEVIATION REPORT LINK CONTAINED WITHIN A SYSTEM NOTIFICATION DOES NOT WORK CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 28 August 2018
PERFORMANCE IV87193 QRADAR SYSTEM DEGRADATION AND/OR DROPPED EVENTS CAN BE CAUSED BY SOME VULNERABILITY CRE TESTS CLOSED Resolved in 7.2.8 Patch 11 24 August 2018
SEARCH IJ00698 LOG ACTIVITY SEARCH SHOWS TWO OR MORE ROWS WITH SAME EVENT NAME CLOSED Resolved in 7.3.1 Patch 5 31 July 2018
FLOWS IJ06593 QRADAR PACKET CAPTURE CAN SOMETIMES NOT INGEST/PROCESS PCAP FILES UNTIL A DEPLOY FULL CONFIGURATION IS PERFORMED CLOSED as unreproducible Complete a 'Deploy Full Configuration'. If you continue to experience this issue, contact QRadar Support. 30 July 2018
INSTALL/UPGRADE IJ01523 QRADAR UPGRADE TO 7.3.0.X ON SOFTWARE APPLIANCES CAN FAIL WITH ERROR 'STORAGE CONFIGURATION FAILED' CLOSED as Permanent restriction. No workaround available. 30 July 2018
SEARCH IJ05806 SOME LOG ACTIVITY SEARCHES STOP RETURNING RESULTS FROM LOG SOURCE GROUPS AFTER PATCH/UPGRADE TO QRADAR 7.3.1 CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
RULE RESPONSE IJ04903 'THIS INFORMATION SHOULD SET OR REPLACE THE NAME OF THE ASSOCIATED OFFENSE' NOT ALWAYS WORKING AS EXPECTED CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
REPORTS IJ05109 USING A FILTER CONTAINING A COMMA OPERATOR IN THE REGEX DOES NOT WORK WITH 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' RULE CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
REPORTS IJ04906 USING THE RIGHT-CLICK FILTER 'SOURCE OR DESTINATION IP IS...' IN A LOG ACTIVITY SEARCH DOES NOT WORK AS EXPECTED CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
INSTALL/UPGRADE IJ05110 A FAILED AND ROLLED BACK PATCH ATTEMPT FROM 7.3.0.X TO 7.3.1.X CAN CAUSE ISSUES WHEN ATTEMPTING TO PATCH AGAIN CLOSED Resolved in 7.3.1 Patch 4 IF01 and ported to 7.3.1 Patch 5 29 July 2018
USER INTERFACE IJ05185 UNABLE TO EDIT QRADAR LDAP CONFIGURATION AFTER A PREVIOUSLY MAPPED USER ROLE OR SECURITY PROFILE IS DELETED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IV97787 THE QRADAR ASSET TAB CAN BE SLOW TO LOAD WHEN THERE ARE A LARGE NUMBER OF ASSET VULNERABILITY INSTANCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ06611 POP UP WINDOW WITH NO SEARCH RESULTS WHEN DRILLING DOWN INTO SEARCH RESULTS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05806 SOME LOG ACTIVITY SEARCHES STOP RETURNING RESULTS FROM LOG SOURCE GROUPS AFTER PATCH/UPGRADE TO QRADAR 7.3.1 CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REPORTS IJ06278 RUNNING A LOG SOURCE REPORT AGAINST AN EMPTY LOG SOURCE GROUP RETURNS ALL LOG SOURCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REPORTS IJ05341 'EXPORT TO XML' OR 'EXPORT TO CSV' FROM THE QRADAR ASSETS TAB CAN SOMETIMES UNEXPECTEDLY STOP/FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ04906 USING THE RIGHT-CLICK FILTER 'SOURCE OR DESTINATION IP IS...' IN A LOG ACTIVITY SEARCH DOES NOT WORK AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ03405 AQL SEARCHES THAT COMPLETE FROM THE LOG ACTIVITY PAGE CAN DISPLAY UNEXPECTED HTML CHARACTERS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ00489 COMMAS ARE SWITCHED TO 'OR' WHEN MULTIPLE CUSTOM EVENT PROPERTIES ARE CONTAINED IN A SEARCH CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IV99417 OFFENSE START TIMES CAN JUMP BACK IN TIME IF CUSTOMER HAS LONG RUNNING OFFENSES AND LONG DELAY BETWEEN START AND STORAGE TIME. CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IV85637 TOP SOURCES AND TOP DESTINATION DASHBOARD SEARCHES REPORT DATA FROM ALL DOMAINS NOT JUST THE CONFIGURED ONES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FLOWS IV84601 CATEGORIZATION OF OFF-SITE SOURCE AND TARGET FOR FLOWS DISPLAYS AS 'UNKNOWN' AND APPLICATION DISPLAYS AS 'OTHER' CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ06381 EVENTS FORWARDED VIA AN OFFENSE RULE DO NOT HAVE A VALID SYSLOG HEADER APPENDED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ05338 EVENT COLLECTION CAN STOP DUE TO A BUFFER UNDERFLOW EXCEPTION IN ECS-EC REQUIRING AN ECS-EC-INGRESS SERVICE RESTART CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOG SOURCES IJ04654 LOGFILE PROTOCOL LOG SOURCES CAN STOP WORKING, FAIL TO CONNECT WITH ERROR 'ALGORITHM NEGOTIATION FAIL' IN CONFIG WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IJ04225 USING THE QRADAR API "GET /SIEM/OFFENSE" TO RETRIEVE A LIST OF OFFENSES CAN TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IJ00971 AN APPLICATION ERROR MAY OCCUR IN THE OFFENSE TAB WHEN THE END TIME FOR AN OFFENSE IS IN THE FUTURE CLOSED This issue resolved in QRadar 7.3.1 Patch 5, QRadar 7.3.1 Patch 4, and QRadar 7.2.8 Patch 12 2 August 2018
CUSTOM EVENTS IJ00878 CUSTOM EVENT PROPERTY WITH SPACE IN ITS NAME IS NOT FORWARDED TO THE DESTINATION CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05096 QUICK SEARCHES CONTAINING AN 'AND' OPERATOR CAN SOMETIMES FAIL TO PROGRESS TO COMPLETION CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LICENSES IJ03439 CLICKING THE 'SUSPECT CONTENT' ICON DISPLAYS A BLANK PAGE WHEN NO APPROPRIATE LICENSE IS INSTALLED/CONFIGURED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
TRAFFIC IJ01001 QNI CLASSIFIES LDAP TRAFFIC AS FTP TRAFFIC CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FLOWS IJ02836 NO FLOWS BEING RECEIVED FROM A QFLOW APPLIANCE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DATABASE IJ04314 QRADAR DATABASE REPLICATION TO MANAGED HOSTS CAN FAIL WHEN THE CONSOLE /STORETMP HAS INSUFFICIENT FREE SPACE AVAILABLE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DATA IJ03316 DATA BACKUPS FAIL WHEN EVENT/FLOW LOG HASHING IS ENABLED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOG SOURCES IJ02749 'TARGET EXTERNAL DESTINATIONS' BECOMES UNSELECTED AFTER PERFORMING A 'BULK EDIT' OF LOG SOURCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02262 RULES IMPORTED FROM A SYSTEM WITH CONFIGURED DOMAINS TO A SYSTEM WITHOUT DOMAINS CAN SEE REFERENCE SET DATA ISSUES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADE IJ06277 UPGRADE TO 7.3.X FAILS AND PROMPTS FOR REDHAT ISO WHEN /VAR/LOG/INSTALL.LOG IS MISSING CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ05311 GARP REQUEST DURING HA_SETUP.SH CAN SOMETIMES BE BLOCKED BY A NETWORK SWITCH PREVENTING ARP TABLES FROM BEING UPDATED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ05110 A FAILED AND ROLLED BACK PATCH ATTEMPT FROM 7.3.0.X TO 7.3.1.X CAN CAUSE ISSUES WHEN ATTEMPTING TO PATCH AGAIN CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ04472 RECOVERY REINSTALL ON A HIGH AVAILABILITY PRIMARY CAN FAIL DISPLAYING AS 'UNKNOWN' STATE IN SYSTEM AND LICENSE WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ03981 QRADAR UPGRADE AND/OR PATCH FAILS WITH 'ERROR EXECUTING 34-POSTGRESQL-UPGRADE.SH' WHEN UNEXPECTED DATABASE EXIST CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ00104 QRADAR UPGRADE TO 7.3.0.X CAN FAIL "...GENERATE_ENVIRONMENT.SH: OPTION REQUIRES AN ARGUMENT -- N" CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
APPLIANCES IJ05193 SOME QRADAR SOFTWARE APPLIANCES ARE NOT ABLE TO ADD A QVM SCANNER IN THE QRADAR USER INTERFACE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SECURITY IJ01123 Q1X509TRUSTMANAGER LEAKS FILE HANDLES IF THERE IS A TRUST STORE IN /OPT/QRADAR/CONF/TRUSTED_CERTIFICATES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DEVICES IJ02635 'APPLICATION ERROR' WHEN PERFORMING A NORMALIZED DEVICE COMPARISON FOR A PALO ALTO DEVICE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
QVM SCANS IJ06302 SCAN EXPORT DOES NOT HONOR SPECIFIED VULNERABILITIES THAT ARE CONFIGURED IN THE SCAN POLICY CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
ASSETS IJ00941 EXCEPTIONED VULNERABILITIES ARE STILL APPEARING IN MANAGE VULNERABILITY VIEW FOR SOME ASSETS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS / USER BEHAVIOR ANALYTICS (UBA) IJ02457 UNPARSED CRE EVENTS CONTAINING 'WHERE CATEGORY BETWEEN...' OBSERVED WHEN USER BEHAVIOR ANALYTICS (UBA) APP INSTALLED OPEN Reopened due to additional users logging cases for this issue.

No workaround available.

It has been identified that frequent unparsed Custom Rule Engine (CRE) events containing "WHERE category BETWEEN 24000 and 25000" might be observed in Log Activity when the User Behavior Analytics (UBA) app is installed in the QRadar environment.
25 October 2018
REPORTS IJ04421 REPORTS CAN FAIL TO RUN WHEN EVENT AND/OR FLOW HASHING WITH HMAC IS ENABLED IN ARIEL DATABASE SETTINGS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOGS IV98932 /VAR/LOG/ PARTITION CAN BECOME FILLED DUE TO REPEATED TEST EXCEPTION MESSAGES BEING LOGGED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SCANS IV97516 'WHEN THE DESTINATION IS VULNERABLE TO CURRENT EXPLOIT ON ANY PORT' RULE TEST STOPS WORKING AFTER VULNERABILITY SCAN CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IJ06084 SETTING A DELEGATED ADMINISTRATION PERMISSION FOR 'MANAGE REFERENCE DATA' ONLY DOES NOT ALLOW ACCESS TO ADMIN TAB CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
API IJ06032 CHANGES MADE WITHIN THE INCLUDED QRADAR API CHANGED HOW SOME QRADAR APPS FETCH DATA (EG. USER BEHAVIOR ANALYTICS - UBA) CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05712 QRADAR REFERENCE SET DATA FILTER SEARCHES (MANUAL AND WITHIN SOME APPS) CAN TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05109 USING A FILTER CONTAINING A COMMA OPERATOR IN THE REGEX DOES NOT WORK WITH 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' RULE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ04903 'THIS INFORMATION SHOULD SET OR REPLACE THE NAME OF THE ASSOCIATED OFFENSE' NOT ALWAYS WORKING AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ03209 'ADD' BUTTON DOES NOT WORK WHEN AN 'EQUALS ANY OF' CONDITION IS PRESENT WITHIN THE RULE WIZARD WITH MORE THAN ONE PROPERTY CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02670 RULE TEST 'AND WHEN THE URL (CUSTOM) IS CATEGORIZED BY X-FORCE AS ONE OF THE FOLLOWING CATEGORIES' CAN SOMETIMES FAIL TO FIRE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REFERENCE SETS IJ02533 ERROR 'JAVA.LANG.NUMBERFORMATEXCEPTION:EMPTY STRING' IS GENERATED WHEN ATTEMPTING TO ADD REFERENCE SET VALUES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02437 BUILDING BLOCKS CAN FAIL TO WORK AS EXPECTED WHILE RULES ARE BEING RELOADED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ00772 REGULAR EXPRESSIONS IN THE RULE EDITOR DO NOT WORK WITH JAPANESE CHARACTERS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SERVICES IJ02782 REQUIRED SERVICES RESTART IS NOT PERFORMED AFTER SWITCH FROM DAYLIGHT SAVING TIME TO STANDARD TIME CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IJ07150 REPORT GROUPS ARE SOMETIMES NOT SHAREABLE FROM AN ADMIN TO A NON-ADMIN USER CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FORENSICS DECAPPER IJ07872 QRADAR NETWORK INSIGHTS STOPS PROCESSING FLOWS, PACKETS DROPPED BY THE DECAPPER CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ02819 '...SENT A TOTAL OF XXXX EVENT(S) DIRECTLY TO STORAGE...QUEUE IS AT 0 PERCENT CAPACITY' DURING OVER LICENSE EPS SPIKES CLOSED Resolved in:
QRadar 7.3.1 Patch 5 (7.3.1.20180720020816)
QRadar 7.3.1 Patch 4 Interim Fix 1 (7.3.1.20180601192933)
27 July 2018
WINCOLLECT IJ05619 NETAPP DATA ONTAP EVENTS THAT ARE COLLECTED USING WINCOLLECT CAN BE MISSING EVENT PAYLOAD DATA FOLLOWING MESSAGE= CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ03314 WINCOLLECT AGENT STOPS SENDING EVENTS TO COLLECTOR 'COULD NOT RESTART AGENT PROCESS AFTER UNEXPECTED EXIT' IN LOGS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ02840 UNABLE TO UPGRADE/INSTALL WINCOLLECT 7.2.7 ON WINDOWS SERVER CORE 2016 USING THE PATCH/CONFIGURATION CONSOLE INSTALLER CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ02744 WINCOLLECT CAN SOMETIMES STOP COLLECTING SECURITY EVENTS DUE TO AN ISSUE WITH SID TRANSLATION CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01529 WINCOLLECT 7.2.7 LOG SOURCES CONFIGURED TO USE MSEVEN6 AND POLLING INTERVAL OF 1500 OR LOWER CAN STOP RECEIVING LOGS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01089 HIGH CPU LOAD OBSERVED AFTER UPGRADING WINCOLLECT TO VERSION 7.2.7 AND USING MSEVEN6 CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01531 WINCOLLECT CAN SOMETIMES STOP GATHERING WINDOWS IIS LOGS UNTIL A RESTART OF THE AGENT OCCURS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01528 DUPLICATE WINCOLLECT HOSTNAMES CAN BE CREATED DURING A WINCOLLECT UPGRADE CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IV96284 UPGRADING THE WINCOLLECT .SFS CAN REQUIRE AN ADDITIONAL 'DEPLOY FULL CONFIGURATION' TO COMPLETE SOME AGENT INSTALLATIONS CLOSED This issue is resolved in WinCollect 7.2.8 and later. See WinCollect 101 for the latest software release. 10 July 2018
WINCOLLECT IJ06382 INSTALLING WINCOLLECT 7.2.7 ON QRADAR 7.3.1.X REQUIRES THE ECS-EC-INGRESS PROCESS TO BE RESTARTED CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01186 WINCOLLECT AGENT STATUS DISPLAYED IN THE QRADAR USER INTERFACE CAN BE INACCURATE CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01921 WINCOLLECT VERSION 7.2.6 AND HIGHER LOG SOURCES CONFIGURED WITH MSEVEN6 PROTOCOL USE A DYNAMIC PORT RANGE 49152 TO 65535 CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
CONFIGURATION SERVER PROTOCOL (WINCOLLECT) IV99280 CHANGES MADE TO THE WINCOLLECT SERVER CONFIGURATION ARE NOT PUSHED OUT TO WINCOLLECT AGENTS CLOSED This issue is resolved in QRadar 7.2.8 Patch 14 24 October 2018
WINCOLLECT IV96608 WINCOLLECT 7.2.6 STOPS COLLECTING EVENTS ON WINDOWS COMPUTERS AFTER THEY REBOOT/RESTART CLOSED Resolved in:
WinCollect 7.2.7
WinCollect 7.2.6

NOTE: Older versions of WinCollect are removed, so links on older APARs might not resolve. For the latest WinCollect version, see WinCollect 101.
8 September 2017
WINCOLLECT IV98218 WINCOLLECT PULLS INCOMPLETE PAYLOADS FROM 32 BIT VERSIONS OF MICROSOFT WINDOWS SERVER OS DNS EVENT LOGS CLOSED This issue is resolved in WinCollect 7.2.7 8 September 2017
WINCOLLECT IV91737 KOREAN LANGUAGE CHARACTERS DO NOT DISPLAY CORRECTLY IN EVENTS THAT ARE GATHERED USING WINCOLLECT FILE FORWARDING CLOSED Resolved in WinCollect 7.2.6 29 May 2017
WINCOLLECT IV92211 EVENT PAYLOAD IS TRUNCATED AFTER 'MESSAGE=' FOR WINDOWS EVENT ID 4688 WHEN USING AN XPATH QUERY IN A WINCOLLECT LOG SOURCE CLOSED This issue is resolved in WinCollect 7.2.6 29 May 2017
WINCOLLECT IV96364 THE WINCOLLECT 7.2.6 .SFS FOR QRADAR 7.3 NEEDS TO BE APPLIED AFTER UPGRADING QRADAR FROM 7.2.8.X TO 7.3.0.X CLOSED This issue is resolved in WinCollect 7.2.6 29 May 2017
SEARCH IJ10953 'ADD +' BUTTON CAN STOP RESPONDING WHEN USING THE 'SEARCH FILTER' RULE TEST WITH 'EQUALS ANY OF' OPTION OPEN: FOUND IN QRADAR 7.2.8 Use/create a Building Block to match multiple entries to apply as a single test condition to the rule. 28 November 2018
LOG SOURCE GROUPS IJ10154 AN 'ERROR OCCURRED WHILE SEARCHING FOR DEPENDENTS' MESSAGE WHEN DELETING AN EMPTY LOG SOURCE GROUP OPEN: REPORTED IN QRADAR 7.2.7 Contact QRadar Support for a possible workaround that might address this issue in some instances. 28 November 2018
DISK SPACE / HA SECONDARY IJ10640 /VAR/LOG/ PARTITION CAN FILL ON HIGH AVAILABILITY SECONDARIES DUE TO /VAR/LOG/SYSTEMSTABMON NOT BEING ROTATED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Users who see HA secondary appliances unexpectedly enter an Unknown state should consider upgrading to resolve this log rotation issue.
28 November 2018
GEOGRAPHIC DATA IJ11032 HOVER OVER OF AN IP ADDRESS'S GEOGRAPHIC FLAG CAN SOMETIMES SHOW INCORRECT INFORMATION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 28 November 2018
COMMAND LINE IJ11110 BENIGN ERROR IN QRADAR LOGGING 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT...' CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 14 May 2019
OFFENSES IJ10956 'OFFENSES' COUNT NUMBER DISPLAYED ON THE OFFENSE SUMMARY SCREEN CAN BE INCORRECT IN MULTI-DOMAIN ENVIRONMENTS OPEN: REPORTED IN QRADAR 7.2.8 No workaround available. 28 November 2018
APP FRAMEWORK IJ10675 QRADAR APPS FAIL TO INSTALL WHEN THE EXTENSION VALIDATION KEYSTORE PASSWORD CANNOT BE DECRYPTED OPEN: REPORTED IN QRADAR 7.3.1 No workaround available. 28 November 2018
APP FRAMEWORK IJ10949 QRADAR APPS CAN SOMETIMES FAIL TO LOAD DUE TO A RACE CONDITION AFTER THE TOMCAT SERVICE HAS BEEN RESTARTED OPEN: REPORTED IN QRADAR 7.3.1 PATCH 5 IF01 A manual restart of select services from the command line of the QRadar Console can sometimes correct the issue. To restart services, log in as root and run the following commands in order:
1. systemctl stop hostcontext
2. systemctl restart tomcat
3. systemctl start hostcontext
The QRadar user interface will be inaccessible until all required services are successfully restarted. If you are unsure of this procedure, contact QRadar Support. 28 November 2018
SEARCH IJ10924 SEARCH DATA CONFIGURED TO BE ACCUMULATED (TIME SERIES) CAN FAIL TO DISPLAY DUE TO INVALID REGEX OPEN: REPORTED IN QRADAR 7.3.0 AND 7.3.1 VERSIONS No workaround available. 28 November 2018
MSRPC PROTOCOL IJ11495 DISABLED MSRPC CONNECTIONS DO NOT ALWAYS CLOSE THE CONNECTION BETWEEN THE QRADAR HOST AND THE WINDOWS SYSTEM OPEN: REPORTED IN PROTOCOL-WINDOWSEVENTRPC-7.3-20170818183912 No workaround available. 23 November 2018
API IJ11393 USING THE API TO UPDATE LOG SOURCES CAN RETURN 'COULD NOT UPDATE LOGSOURCE {NUMBER}. THE TOTAL MAXIMUM...' OPEN: REPORTED IN QRADAR 7.3.1 PATCH 3 No workaround available. 21 November 2018
DASHBOARD IJ11170 DASHBOARD SEARCHES CONTAINING SEARCHES WITH UNIQUE COUNTS ENABLED CAN DISPLAY INCONSISTENT RESULTS CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

Workaround
No workaround available.

Issue
It has been identified that dashboards and reports created from searches that use unique counts can display results that differ from the same search run in the Log Activity tab. When this issue occurs, dashboard results over a longer time period can also show significantly lower values than a more recent time period.
05 March 2019
OFFENSES IJ10557 OFFENSE PAGE CAN BE SLOW TO LOAD WHEN TOO MANY INACTIVE OFFENSES REMAIN AFTER THE RETENTION PERIOD HAS ELAPSED OPEN: REPORTED IN QRADAR 7.2.8 For more details on offense retention, see the QRadar Knowledge Center. 21 November 2018
ADVANCED SEARCH (AQL) IJ11113 AQL SEARCH CAN GENERATE A "FAILED TO INSTANTIATE FUNCTION 'INOFFENSE'" ERROR MESSAGE CANCELLED Unable to reproduce the problem on the reported release. It has been determined that this AQL query issue is not reproducible or falls outside the intended functionality of QRadar. 16 November 2018
SEARCH IJ10582 SEARCH WITH FILTER 'USERNAME IS NOT N/A' IN REPORTS AND DASHBOARDS CAN CAUSE 'ACCUMULATOR FALLING BEHIND' SYSTEM NOTIFICATIONS OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 IF 1 Where possible, do not use the search filter "Username is not N/A" until the fix pack is released that addresses this issue. 16 November 2018
SYSTEM DATE / TIME IJ10892 MANUALLY SETTING APPLIANCE SYSTEM DATE IN THE QRADAR USER INTERFACE CAN CHANGE THE DATE TO -1 DAY AFTER SERVICES ARE RESTARTED OPEN: REPORTED IN QRADAR 7.3.1 PATCH 5 Contact QRadar Support for a possible workaround that might address this issue in some instances. 7 November 2018
USER INTERFACE IJ10395 HOVER-TEXT DISPLAYS 'NO EXTRA DATA FOR COULD BE LOCATED FOR THIS ITEM' INSTEAD OF LDAP USERNAME IN DOMAIN ENVIRONMENT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 1 November 2018
NETWORK HIERARCHY / SECURITY PROFILE IJ10376 NAME CHANGE MADE TO A NETWORK HIERARCHY OBJECT IS NOT REFLECTED IN THE QRADAR ADMIN - SECURITY PROFILES OPEN: REPORTED IN QRADAR 7.2.8 No workaround available. 1 November 2018
APP FRAMEWORK IJ10112 QRADAR APPS FAIL TO LOAD WITH 'UNAUTHORIZED: AUTHENTICATION REQUIRED' IN QRADAR LOGS OPEN: REPORTED IN QRADAR 7.3.0 AND QRADAR 7.3.1 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 1 November 2018
FLOWS IJ10404 FLOWS EXCEEDING 4GB IN SIZE DISPLAY INCORRECT PACKET AND BYTE NUMBERS OPEN: REPORTED IN QRADAR 7.3.0 AND QRADAR 7.3.1 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 1 November 2018
EVENT RETENTION IJ07162 CONFIGURED DATA RETENTION DELETE SETTINGS ARE NOT HONORED FOR MULTI-TENANCY CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 6 (7.3.1.20180912181210)
31 OCTOBER 2018
SEARCH IJ10743 SEARCH WITH 'CONTAINS ANY OF' CAN BE SLOWER TO COMPLETE WHEN USING SOME NON-ENGLISH LOCALES FOR QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

The search can be run either using ILIKE in AQL or 'matches any' for faster results when using a non-English locale for the QRadar User Interface.
31 OCTOBER 2018
OFFENSES IJ09472 OFFENSES CAN FAIL TO GENERATE AFTER CHANGES ARE MADE TO THE NETWORK HIERARCHY CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 5 (7.3.1.20180720020816)

Workaround: Restart the Console's ecs-ep process from an SSH session, or perform a Deploy Full Configuration from the user interface; either should correct this issue.

Command line: systemctl restart ecs-ep
QRadar User Interface: Admin -> Advanced drop down -> Deploy Full Configuration

NOTE: Proper QRadar functionality requires all necessary QRadar services to be in a running state. Restarting services or performing a Deploy Full Configuration can interrupt collection, processing and/or storage of events/flows until all required services are running again.
31 OCTOBER 2018
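Both service restart workarounds on this page (IJ10949: stop hostcontext, restart tomcat, start hostcontext; IJ09472: restart ecs-ep) run systemctl and assume the service comes back. The script below is an added example for this page, not IBM's code or a supported procedure: it runs either sequence in the documented order and polls systemctl is-active until each unit is running, so the interruption the NOTE above warns about is bounded and a unit that fails to start is reported instead of silently left down. The SYSTEMCTL, WAIT_SECONDS and POLL_INTERVAL variables are assumptions of this example (they allow dry runs and tuning), not QRadar settings.

```shell
#!/bin/sh
# Added example, not IBM code: restart QRadar services in the order the APAR
# workarounds describe and wait for each unit to come back before continuing.
# Assumptions: run as root on the QRadar Console; SYSTEMCTL, WAIT_SECONDS and
# POLL_INTERVAL are example-only knobs (point SYSTEMCTL at a wrapper for a dry run).

SYSTEMCTL="${SYSTEMCTL:-systemctl}"
WAIT_SECONDS="${WAIT_SECONDS:-120}"   # how long to wait for a unit to become active
POLL_INTERVAL="${POLL_INTERVAL:-5}"   # seconds between "systemctl is-active" checks

# Poll until the unit reports active, or give up after WAIT_SECONDS.
wait_for_active() {
    unit="$1"
    elapsed=0
    while [ "$elapsed" -lt "$WAIT_SECONDS" ]; do
        if "$SYSTEMCTL" is-active --quiet "$unit"; then
            return 0
        fi
        sleep "$POLL_INTERVAL"
        elapsed=$((elapsed + POLL_INTERVAL))
    done
    echo "ERROR: $unit did not become active within ${WAIT_SECONDS}s" >&2
    return 1
}

# Run one systemctl verb against a unit; for start/restart, wait until it is active.
service_step() {
    verb="$1"
    unit="$2"
    echo "systemctl $verb $unit"
    "$SYSTEMCTL" "$verb" "$unit" || {
        echo "ERROR: systemctl $verb $unit failed" >&2
        return 1
    }
    case "$verb" in
        start|restart) wait_for_active "$unit" ;;
    esac
}

# IJ09472 workaround: offenses not generated after a network hierarchy change.
restart_ecs_ep() {
    service_step restart ecs-ep
}

# IJ10949 workaround: apps fail to load after Tomcat restarts. Order matters:
# hostcontext is stopped before Tomcat restarts and started again afterwards.
restart_tomcat_with_hostcontext() {
    service_step stop hostcontext \
    && service_step restart tomcat \
    && service_step start hostcontext
}

case "${1:-}" in
    ecs-ep) restart_ecs_ep ;;
    tomcat) restart_tomcat_with_hostcontext ;;
    *)      echo "usage: $0 {ecs-ep|tomcat}" >&2 ;;
esac
```

Usage on the Console: sh restart-services.sh ecs-ep, or sh restart-services.sh tomcat for the three-step sequence. The script stops at the first failed step so that hostcontext is never started on top of a Tomcat that did not come back.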
REPORTS IJ09185 REPORTS CREATED FROM AN AQL QUERY ON ACCUMULATED OR RAW DATA THAT CONTAIN A SUB-SELECT QUERY FAIL TO GENERATE OPEN: REPORTED IN QRADAR 7.3.1 PATCH 1 No workaround available. 31 OCTOBER 2018
USER INTERFACE ACCESS IJ09375 TOMCAT OUT OF MEMORY CAN OCCUR WHEN API GET REQUEST PULLS A VERY LARGE /LOCAL_DESTINATION_ADDRESSES OPEN: REPORTED IN QRADAR 7.3.1 PATCH 1 No workaround available. 1 NOVEMBER 2018
COMMAND LINE IJ10111 FALSE POSITIVE (BENIGN) QRADAR LOG MESSAGES THAT APPEAR TO INDICATE A PROBLEM WITH QRADAR MAGISTRATE (MPC) AFTER DEPLOY OPEN: REPORTED IN QRADAR 7.3.1 PATCH 4 Administrators who see the transaction exception error messages defined in the APAR can ignore these benign log messages. No workaround available. 31 OCTOBER 2018
RULES IJ10827 DISABLED CUSTOM EVENT PROPERTIES (CEP) IN RULES OR CALCULATED CEPS CAN CAUSE RULES NOT TO FIRE AS EXPECTED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

From an SSH session to the QRadar Console appliance, administrators can locate the affected properties with the following command, then enable them in the user interface:
grep -r "UnknownPropertyException" /var/log/ | grep -o -E "No property '[a-zA-Z0-9 ]+' exists" | sort | uniq
1 NOVEMBER 2018
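The grep above only captures property names made of letters, digits and spaces, so a custom property whose name contains an underscore or hyphen would be missed. The following script is an added example for this page (not IBM's command) that generalizes the same check: it reads log text, keeps only UnknownPropertyException lines, and prints each property name that rules reference but cannot resolve, once, so the list can be worked through in the Admin tab. The sample log lines embedded in it are constructed for the example and are not real QRadar output.

```shell
#!/bin/sh
# Added example, not IBM code: list custom event property names that rules
# reference but QRadar cannot resolve (disabled or missing CEPs), from log text.
# Generalizes the page's grep to property names with any character except a quote.

# Reads log text on stdin and prints each unresolved property name once, sorted.
missing_properties() {
    grep 'UnknownPropertyException' \
    | grep -o -E "No property '[^']+' exists" \
    | sed -E "s/^No property '([^']+)' exists$/\1/" \
    | LC_ALL=C sort -u
}

# Constructed sample log lines (not real QRadar output): two distinct properties,
# one repeated, one with characters the original [a-zA-Z0-9 ] pattern would skip,
# and one unrelated line that must be ignored.
SAMPLE_LOG="$(cat <<'EOF'
[ecs-ep.ecs-ep] [Rule Processing] UnknownPropertyException: No property 'Process Name' exists
[ecs-ep.ecs-ep] [Rule Processing] UnknownPropertyException: No property 'Account Name' exists
[ecs-ep.ecs-ep] [Rule Processing] UnknownPropertyException: No property 'Process Name' exists
[ecs-ep.ecs-ep] [Rule Processing] UnknownPropertyException: No property 'src_host-fqdn' exists
[hostcontext.hostcontext] [ProcessMonitor] Process ecs-ep is running
EOF
)"

# Stand-alone run over the constructed sample. On a Console, feed it the real
# log instead:  missing_properties < /var/log/qradar.log
printf '%s\n' "$SAMPLE_LOG" | missing_properties
```

Each name printed corresponds to a property that should be located under Admin, checked for being disabled, and re-enabled (or the rule corrected) before trusting that the rule fires.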
MICROSOFT OFFICE 365 IJ08977 MICROSOFT OFFICE 365 LOG SOURCE CAN STOP COLLECTING WITH 'ERROR -AN ERROR OCCURRED INDICATING THAT THE REQUIRED CERTIFICATE..' CLOSED This issue has been resolved in the following protocol updates delivered via QRadar weekly auto updates:
  • PROTOCOL-Office365RESTAPI-7.3-20190527145902.noarch.rpm or later
  • PROTOCOL-Office365RESTAPI-7.2-20190527145902.noarch.rpm or later

This update resolves multiple issues:
1. Resolves an issue where the protocol could retrieve duplicate events when polling for data.
2. Resolves an issue where the protocol could request a range of data larger than the Office 365 API allows. This issue was caused by a change Microsoft made to the Office 365 API.
3. Resolves an issue where the Office 365 protocol could incorrectly change how other protocols validate certificates.
4. Resolves an issue where the Log Source API could treat the client secret as a text field instead of a password field in QRadar 7.3.x versions.
5. If you are manually updating protocol RPMs, this update requires the latest version of the Protocol Common framework to be installed on the QRadar Console first.

09 January 2019
SEARCH IJ10377 FILTERING BY MULTIPLE REFERENCE SETS USING 'DOES NOT EXIST IN ANY OF' DOES NOT WORK AS EXPECTED CLOSED Closed as a suggestion for a future release. It has been identified that a reference set search filter that uses "Does not exist in any of" with multiple reference sets does not filter the results as expected. As noted in the APAR comments, users can use the search value "Does not exist in all of" instead to get the intended results.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
11 June 2019
AUTO UPDATE IJ10791 'MANIFEST REQUIRES VERSION 8.9 BUT THE SCRIPTS ONLY CONTAIN 8.8. CANNOT CONTINUE' AFTER AUTOUPDATE IS RUN OPEN: REPORTED IN QRADAR 7.3.1 VERSIONS Download the file autoupdate-8.9-2.noarch.rpm from IBM Fix Central and copy it to the QRadar Console. After the file is copied, install it from an SSH session to the QRadar Console with the following command: yum -y install autoupdate-8.9-2.noarch.rpm 27 OCTOBER 2018
WINCOLLECT IJ10748 THE WINCOLLECT FILE FORWARDER CAN SOMETIMES STOP FORWARDING LESS ACTIVELY UPDATED FILES/DIRECTORIES CLOSED Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update as Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. 7 DECEMBER 2018
WINCOLLECT IJ12128 WINCOLLECT BUILD NUMBER IS NOT DISPLAYED IN THE WINCOLLECT AGENT VERSION FIELD CLOSED Resolved in WinCollect 7.2.8 Patch 2 19 December 2018
WINCOLLECT IJ10390 WINCOLLECT AGENTS DO NOT COMPLETE INSTALLATION DUE TO UNSUCCESSFUL PULL OF THE REQUIRED .PEM FILE CLOSED Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update. IBM Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. 25 OCTOBER 2018
REPORTS IJ06125 A REPORT RUNNER OUT OF MEMORY CAN SOMETIMES OCCUR WHILE CREATING A REPORT IN PDF FORMAT WITH VERY HIGH LIMITS (65K RECORDS) CLOSED Duplicate of IJ06862 and resolved in QRadar 7.3.1 Patch 6 25 OCTOBER 2018
HIGH AVAILABILITY (HA) IJ10367 HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR WHEN A PING TEST FAILS FROM THE ACTIVE NODE AND SUCCEEDS FROM THE STANDBY OPEN: REPORTED IN MULTIPLE QRADAR 7.2.8 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 20 OCTOBER 2018
DOMAINS & TENANTS IJ09193 NON-ADMIN TENANT USER CANNOT SEE FLOW OFFENSES IN THE DOMAIN THEY HAVE PERMISSIONS FOR OPEN No workaround available. 16 OCTOBER 2018
REPORTS IJ08958 REPORT FAILS WITH RESULTSET OBJECT DOES NOT CONTAIN COLUMN "SINGLEARGSCALARFUNCTIONADAPTER(SUM(EVENTCOUNT))" OPEN: REPORTED IN QRADAR 7.3.1 PATCH 4 No workaround available. 16 OCTOBER 2018
SEARCH - AQL CUSTOM PROPERTIES IJ08858 'APPLICATION ERROR' WHEN VIEWING EVENTS AFTER A QRADAR USER HAS BEEN REMOVED THAT CREATED AQL CUSTOM PROPERTIES CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 (7.3.2.20190201201121)
16 OCTOBER 2018
DATA NODE IJ09057 'TUNNEL HAS FAILED TO START' MESSAGES AFTER REASSIGNING AN ENCRYPTED DATA NODE TO A DIFFERENT EVENT PROCESSOR OPEN Contact QRadar Support for a possible workaround that might address this issue in some instances.

It has been identified that residual tunnel configuration data exists on an Event Processor (EP) after reassigning an encrypted Data Node from that EP to a different EP. Messages similar to the following might be visible in /var/log/qradar.log when this occurs:
[hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager:
[ERROR] [127.0.0.1/- -] Process tunnel.tunnel7 has failed to start for 1884 intervals. Continuing to try to start...
[hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager:
[ERROR] [127.0.0.1/- -] Process tunnel.tunnel6 has failed to start for 1884 intervals. Continuing to try to start...
16 OCTOBER 2018
RIGHT-CLICK IJ08964 RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY OPEN: REPORTED IN QRADAR 7.2.8 PATCH 12 No workaround available. 16 OCTOBER 2018
HIGH AVAILABILITY (HA) IJ08975 /STORE ON ISCSI MOUNT CAN EXPERIENCE CORRUPTION DURING A HIGH AVAILABILITY (HA) FAILOVER OPEN: REPORTED IN QRADAR 7.3.0 AND 7.3.1 VERSIONS No workaround available. 16 OCTOBER 2018
REPORTS IJ09156 SOME OUT OF THE BOX QRADAR REPORTS COMPLETE SUCCESSFULLY WHILE GENERATING A RUNTIMEEXCEPTION IN QRADAR LOGS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that some out of the box QRadar reports complete successfully, but generate a "RuntimeException" in the QRadar logs. List of affected reports:

Daily reports
  • Daily Top Applications (Internet)
  • Daily Geographic Traffic Distribution
  • Daily User Authentication Activity
  • Top_IDSIPS_Alerts_Daily
Weekly reports
  • Top Applications (Internet) Weekly
  • Top IDS/IPS Alerts (Weekly)
  • Top IDS/IPS Alerts by Geography (Weekly)
Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring for reports:
[report_runner] [main] com.q1labs.reporting.ReportServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Error occurred creating Accumulated Result Set. Trying to fall back to raw query if possible.
16 OCTOBER 2018
OFFENSES - HISTORICAL CORRELATION IJ08422 OFFENSE NAMES CREATED FROM HISTORICAL CORRELATION USE EVENT/FLOW LOW LEVEL CATEGORY INSTEAD OF EVENT NAME CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 16 OCTOBER 2018
USER BEHAVIOR ANALYTICS APPLICATION IJ08911 MACHINE LEARNING FAILS DURING USER BEHAVIOR ANALYTICS (UBA) INSTALLATION ON QRADAR 7.3.1 PATCH 5 OPEN: REPORTED IN QRADAR 7.3.1 PATCH 5 See the following technical note: User Behavior Analytics: Troubleshooting Machine Learning after message 'Installation has failed' in QRadar 7.3.1 Patch 5 16 OCTOBER 2018
BACKUP / RECOVERY IJ08864 CONFIG RESTORE WITH ONLY THE 'INSTALLED APPLICATIONS CONFIGURATION' CHECK BOX SELECTED CLOSES ALL OFFENSES OPEN: REPORTED IN QRADAR 7.3.1 PATCH 4 No workaround available.

It has been identified that when a config restore is performed with only the 'Installed Applications Configuration' check box selected, all Offenses are set to closed status. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [BackupServices_restore]
com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO][127.0.0.1/- -]Current task: reset sim
16 October 2018
WINCOLLECT IJ10392 WINCOLLECT 7.2.8 NOT RECEIVING WINDOWS IAS LOGS WHEN CONFIGURED USING "IAS LEGACY" FORMAT. OPEN: REPORTED IN WINCOLLECT 7.2.8 No workaround available. 15 OCTOBER 2018
JDBC PROTOCOL IJ10114 'TABLE NOT FOUND' MESSAGE WHEN USING UPPER CASE TABLE NAMES TO JOIN WITH POSTGRES (LOWER CASE) OPEN: REPORTED IN QRADAR 7.2.8 AND QRADAR 7.3.1 VERSIONS Administrators can verify with the database administrator if the tables are case sensitive before they connect using the JDBC protocol. 12 OCTOBER 2018
OFFENSE MANAGER IJ09316 SOURCE IPS AND DESTINATION IPS DISPLAY 'UNAUTHORIZED' IN OFFENSES TAB FOR USERS WITH APPROPRIATE RIGHTS OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 Avoid duplicate Network Group names within the Network Hierarchy. 9 OCTOBER 2018
LOG SOURCE GROUPS IJ08218 A NON-ADMIN USER WITH A NON-ADMIN USER ROLE THAT HAS ADMIN PERMISSIONS CAN SOMETIMES NOT CHANGE A LOG SOURCE GROUP CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121)

Where possible, use the Admin user role instead of a non-admin user role with admin permissions until the fix is applied.
9 OCTOBER 2018
LOG SOURCE GROUPS IJ07879 QRADAR APP GRAPHING STOPS, DISPLAYS A BLANK SCREEN CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)
19 OCTOBER 2018
GEOGRAPHIC DATA IJ08974 QRADAR GEOGRAPHIC FILTERS DO NOT WORK FOR COUNTRY NAMES THAT DO NOT MATCH THE MAXMIND DATABASE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
26 SEPTEMBER 2018
AUDIT EVENTS IJ09486 SIM AUDIT BACKEND SECURITY EVENTS DO NOT EASILY ALLOW FOR SYSTEM IDENTIFICATION CLOSED This issue has been resolved in the following Device Support Module (DSM) updates:

  • DSM-SIMAudit-7.2-20190307101941.noarch.rpm or later
  • DSM-SIMAudit-7.3-20190307131138.noarch.rpm or later

Details: It has been identified that SIM Audit Backend events do not make it easy to identify which QRadar appliance a command was run on: the event carries no identifying information (such as the appliance's IP address) for the system on which the command was executed. For example:
Aug 21 11:27:45 127.0.0.1 127.0.0.1 root@127.0.0.1 38666 22 | [Backend] [Command] [CommandExecuted] : ls -ltr /store/
Aug 21 11:28:21 127.0.0.1 127.0.0.1 root@127.0.0.1 59414 22 | [Backend] [Command] [CommandExecuted] : rm -fv /tmp/activationkey.*

Administrators will receive the update for this issue through QRadar weekly auto updates. QRadar Console appliances without Internet access can download the files from the AutoUpdate bundle posted to IBM Fix Central and install the weekly update manually on the Console.

26 SEPTEMBER 2018
SERVICES / DATA PIPELINE IJ05649 'DEPLOY CHANGES' CAN SOMETIMES CAUSE A DROP IN CONNECTION BETWEEN ECS-EC AND ECS-EP LEADING TO EVENTS BEING DROPPED CLOSED Resolved in QRadar 7.3.1 Patch 6. 27 SEPTEMBER 2018
SEARCH / HISTORICAL CORRELATION IJ08851 NULLPOINTER EXCEPTION IN LOGS WHEN LOADING A SAVED SEARCH THAT CONTAINS SEARCH CRITERIA THAT INCLUDES A PURGED OFFENSE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)

It had been reported by QRadar 7.3.0 users that a NullPointerException can occur when a Saved Search is loaded that contains search criteria referencing a previously purged offense. This can result in incorrect results from the affected search and can also cause historical correlation to fail to run.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs. View the APAR for full error logs:
[tomcat.tomcat] [ArielQueryManager] com.q1labs.ariel.ui.bean.EventSearchDelegate:
[ERROR][-/- -]Error processing offenseId parameter for offense EQ 4391
[tomcat.tomcat] [ArielQueryManager] java.lang.NullPointerException
[tomcat.tomcat] [ArielQueryManager]  at com.q1labs.ariel.ui.bean.IUIArielSearchDelegate
  $OffenseProcessor.addOffenseSearchCriteria(IUIArielSearchDelegate.java:106)
[tomcat.tomcat] [ArielQueryManager]  at com.q1labs.ariel.ui.bean.QueryHandleSerializer
  .deserialize(QueryHandleSerializer.java:34)
[tomcat.tomcat] [ArielQueryManager]  at com.google.gson.TreeTypeAdapter.read(TreeTypeAdapter.java:58)
07 March 2019
SERVICES - ARIEL PROXY IJ08848 ARIEL_PROXY_SERVER CAN GO OUT OF MEMORY DURING SEARCHES ON LARGE MULTI-CPU APPLIANCES DUE TO DEFAULT TUNING PARAMETER CLOSED This issue was resolved in QRadar 7.3.1 Patch 6. 18 SEPTEMBER 2018
LOG SOURCES - WINDOWS IJ07877 DELETING A BULK ADDED WINDOWS LOG SOURCE CAN CAUSE THE ASSOCIATED ACTIVE DIRECTORY ACCOUNT TO BECOME LOCKED OUT CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 6 (7.3.1.20180912181210)
QRadar 7.2.8 Patch 14 (7.2.8.20181017162208)

It had been identified that the Active Directory (AD) account used by bulk-added MSRPC log sources can become locked out after one of the associated log sources is deleted. When a bulk-added MSRPC log source is deleted, the user interface returns a hash value in the AD password field that exceeds the 100 character limit. If you click Save with that hash displayed in the password field of the log source edit screen, the stored AD password is overwritten with it. QRadar then attempts to log in to the remote Windows computers with that incorrect password, which causes the account to be locked out.

Workaround: Manually enter the correct AD password into the password field prior to clicking Save while deleting the MSRPC bulk added Log Source. The following article describes the issue and how to resolve it manually: https://www.ibm.com/support/docview.wss?uid=ibm10743761.
11 June 2019
SERVICES - APP FRAMEWORK IJ08847 QRADAR APP TABS CAN BE BLANK AFTER A 'RESTART WEB SERVER' IS PERFORMED FROM THE ADMIN TAB CLOSED Resolved in QRadar 7.3.1 Patch 6.

It had been identified in QRadar 7.3.0 Patch 5 that after a Tomcat / Restart Web Server is completed from the Admin tab, apps could display blank tabs when the user logs back in to QRadar. The following error message might be displayed in /var/log/qradar.error:
[tomcat.tomcat] [gui_app_startup_thread] com.q1labs.uiframeworks.util.ApplicationStartupThread:[ERROR][127.0.0.1/- -]
Error occurred processing [QRadar_App_Name] 1652
[tomcat.tomcat] [gui_app_startup_thread]com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.
InvalidParameterException: Application requested 4096(mb) of memory, but only 628(mb) is available.
[tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.application.api.validation.handlers.AppResourceHandler.validateMemory(AppResourceHandler.java:70)
18 SEPTEMBER 2018

IBM prides itself on delivering world-class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.