page-brochureware.php

QRADAR APARS 101

QRadar information related to known issues, important alerts and problem resolutions.

What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. These problem reports include the status of the issue for the end user, either as an ONGOING or CLOSED problem. This page is intended to help users locate known issues who have not yet subscribed to IBM My Notifications or to view alerts on APARs that QRadar Support feels are important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs more searchable for users and administrators. The search field in the table below allows you to search for specific versions or keywords. Administrators who want to filter by a specific version can use a combination of keywords or use the version buttons and sort by keyword using the Search bar.


Last update: 6 September 2022: Closed a number of issues resolved with the release of QRadar 7.5.0 Update Pack 3.
Component Number Description Status More information Date
AUTHENTICATION IJ41753 AFTER UPGRADING TO 7.5.0 UP2, GROUP-BASED LDAP AUTHENTICATION WITH ACTIVE DIRECTORY MIGHT STOP WORKING CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
No workaround available. APARs identified as ‘No workaround available’ require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue.

Issue
After upgrading to 7.5.0 UP2, login to QRadar by group-based LDAP using Active Directory may no longer work.
06 September 2022
LOG SOURCE IJ41064 UNABLE TO EDIT OR ENABLE/DISABLE LOG SOURCE EXTENSIONS ON 7.5.0 UP2 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
On QRadar 7.5.0 Update Pack 2, the UI displays a blank extension edit page when attempting to edit, enable, or disable log source extensions.

Steps to reproduce:
  • From the Admin tab, select Log Source Extensions.
  • Select an extension and attempt to edit it.

    Result
    A blank page is displayed, preventing users from editing the extension.
06 September 2022
QRADAR INCIDENT FORENSICS IJ41029 FORENSICS ANALYSIS ACTIONS NOT PERFORMING ON A STANDALONE QRADAR INCIDENT FORENSICS 7.4.3 FP6 AND 7.5.0 UP2 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
On a standalone QRadar Incident Forensics appliance (6100) running 7.4.3 Fix Pack 6 or 7.5.0 Update Pack 2, the forensics analysis feature stops functioning. The link and file analysis is stuck on the “Performing Link Analysis. 0 of x Documents Processed. Please Wait…” message. Image analysis works but displaying entropy images will fail.

For more information about the analysis function in QRadar Incident Forensics, see https://ibm.biz/forensicsanalysis.
06 September 2022
USER INTERFACE IJ41043 QRADAR TABS MIGHT BE SLOW DUE TO CACHE CHANGES IN QRADAR 7.3.3 FP12, 7.4.3 FP6, AND 7.5.0 UP2 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Users might notice a significant slow down in loading QRadar tabs every time they are loaded. This is due to a change introduced in QRadar versions: 7.3.3 FP12, 7.4.3 FP6, AND 7.5.0 UP2, which misconfigured the cache setting related to loading the tabs.
06 September 2022
OFFENSES IJ41136 OFFENSES SUMMARY PAGE LOADS SLOW IN 7.5.0 UP1 AND HIGHER CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Loading the offense summary pages can experience a slowdown if there are a large number of offenses that contribute to the naming of the associated offenses in QRadar 7.5.0 UP1 or higher.
06 September 2022
USERS IJ41096 UNABLE TO LOAD USER MANAGEMENT IN NON-ENGLISH LOCALES CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
User Management page cannot be loaded in non-English locales. The application works with English locales. When the issue occurs, the User Management screen appears blank.
  1. Login to QRadar UI.
  2. From the QRadar user interface select Preferences, User Preferences, Locale and select a language other than English (‘espanol’ for example).
  3. Click the Admin tab.
  4. Under User Management click Users.

    Result
    The User Management screen is blank.
06 September 2022
UPGRADE IJ42203 DSM AND PROTOCOL RPMS MIGHT NOT BE INSTALLED DUE TO INCOMPATIBLE VERSION ERROR WHEN UPDATING FROM 7.3.X TO 7.5.0 UP2 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Important: You cannot upgrade directly from QRadar V7.3.x to V7.5.0 Update Pack 2. First upgrade from 7.3.x to 7.4.3 (latest), complete a manual auto update, then install QRadar V7.5.0 Update Pack 2.

If you attempted to update from 7.3.x to 7.5.0 Update Pack 2 directly and experience issues with log sources, contact QRadar Support for a workaround for this issue.

Issue
Users who attempt to update from QRadar 7.3.2 or 7.3.3 to 7.5.0 Update Pack 2 can experience an issue where RPMs for DSM, protocols, and scanners are not updated as expected. When this issue occurs, the Console software update completes successful, but the DSM, protocol, and scanner RPMs are not updated and remain at 7.3.3 versions. This leads to issues where users cannot view, add, or modify log source configurations in QRadar after the software update to 7.5.0 Update Pack 2.

Affected upgrade paths:
  • QRadar 7.3.2 Fix Pack 3 to Fix Pack 7 where users update directly to 7.5.0 Update Pack 2.
  • QRadar 7.3.3 GA to Fix Pack 12 where users update directly to 7.5.0 Update Pack 2.
When this issue occurs, an incompatible protocol version error is reported in /var/log/setup-(7.x.x.xxxxx)/patches.log:
Error: Incompatible version, this PROTOCOL requires build
version 7.4.x.x, exiting
error: %pre(PROTOCOL-Common-7.4-20210914195614.noarch) scriptlet
failed, exit status 5
Error in PREIN scriptlet in rpm package
PROTOCOL-Common-7.4.20210914195614.noarch
error: PROTOCOL-Common-7.4-20210914195614.noarch: install failed
06 September 2022
UPGRADE IJ40655 POSTGRES V11 UPDATE IN QRADAR 7.5.0 UP2 CAN FAIL DUE TO A TYPE DIFFERENCE ON THE LOCAL HOST CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
During an upgrade to QRadar 7.5.0 Upgrade Pack 2, a database change is applied for Postgres v11. The Postgres migration fails if the lc_ctype value in the upgrade script does not match the value of the local Postgres database. The lc_ctype mismatch causes the Postgres update to fail and prevents the software upgrade from continuing with a ‘Failed to pass the migration check for qradar database’ error message.

The following errors are displayed in /var/log/patches.log:
[DEBUG](patchmode) lc_ctype values for database "postgres" do
not match:  old "", new "C" 
[DEBUG](patchmode) Failure, exiting 
[DEBUG](patchmode) ERROR: Failed to pass the migration check for qradar database. (1)
06 September 2022
X-FORCE THREAT INTELLIGENCE IJ40606 SCASERVER THREADS REDUCED TO 15 AFTER 7.5.0 UP2 UPGRADE CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Administrators who experience this issue can review the technical note to apply a workaround to correct the sca server thread count. For more information, see https://www.ibm.com/support/pages/node/6593537.

Issue
The scaserver threads can be incorrectly reduced to 15 after patching to or installing 7.5.0 UP2.

This can impact the performance of X-Force searches and rules.
06 September 2022
RULES IJ40522 ANOMALY ISSUE IN 7.5.0 UP2 PREVENT RULES WIZARD FROM LAUNCHING AND AFFECTS OFFENSE CREATION CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Anomaly rules without a link_uuid value can be set to null to prevent this issue. To apply a workaround for this issue, run the following command on the QRadar Console:
psql -U qradar -c "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule );"


Issue
After upgrading to 7.5.0 FP2, a mismatch of rules can cause the rule wizard page to be unavailable and offenses to not be created. This occurs when the link_uuid for a rule is not present.
06 September 2022
MANAGED HOSTS IJ40862 DATABASE REBUILD ON MANAGED HOST FAILS DUE TO MULTIPLE POSTGRESQL VERSIONS EXISTING CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
In deployments with managed hosts patched to 7.5.0 Update Pack 2, RPMs for postgresql 9.6 are not uninstalled or removed from /store/rpms, causing rebuild failures on a managed host whenever host services triggers a rebuild. This issue will occur only on managed hosts either after patching to 7.4.3 Fix Pack 6 or after patching to 7.5.0 Update Pack 2 from a version 7.5.0 GA or earlier. The error will not happen on systems already patched to 7.5.0 Fix Pack 1.
06 September 2022
RULES IJ40380 NEXT BUTTON IN RULE AND REPORT WIZARD DISABLED FOR CHROME 102.0.5005.61 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Users who experience this issue can use an alternate browser to complete rule changes. For more information, see https://ibm.biz/qradarbrowsers.

Issue
For Chrome version 102.0.5005.61, the next button on the Rule/Report Wizard is disabled and titles such as ‘Rule Wizard’ and ‘Report Wizard’ do not display.
06 September 2022
QRADAR VULNERABILITY MANAGER IJ40422 QVM EXCEPTION SCREEN DOES NOT LOAD FROM THE HISTORY PAGE CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Mark a vulnerability as an exception from any screen other than the history screen.

Issue
On a deployment with a QVM license, it is not possible to mark a vulnerability as an exception from the vulnerability instance history page.

The following errors are displayed in /var/log/qradar.error:
tomcat[21077]: [user@x.x.x.x (9823)
/console/do/assetprofile/MaintainExceptionRule] WARN
org.apache.struts2.dispatcher.Dispatcher - Could not find action or result: /console/do/assetprofile/MaintainExceptionRule?dispatch=newExceptionRule
tomcat[21077]: No result defined for action com.q1labs.assetprofile.bean.action.struts2.MaintainExceptionRuleand result input -B-INF/struts/struts.xml:1461:151
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:377)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279)
tomcat[21077]: at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
tomcat[21077]: at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)
06 September 2022
API IJ39788 REFERENCE_DATA_COLLECTIONS API DOES NOT CLOSE CONNECTION TO POSTGRES LEADING TO “TOO MANY CLIENTS” ERRORS CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
If a scenario occurs where a data record cannot be converted to UTF8, the API generates an exception but does not properly close the connection to postgres. Over time these connections will exceed the max connections allowed resulting in a “too many clients” error.

When this issue occurs, an error similar to the following can display in /var/log/qradar.log:
[tomcat.tomcat] [api@ (2889)
/console/restapi/api/reference_data_collections/set_entries]
com.q1labs.core.shared.util.SqlUtil: [ERROR] Chained SQL Exception [2/2]:
ERROR: invalid byte sequence for encoding "UTF8": 0x00
[tomcat.tomcat] [api@{IP} (2889)
/console/restapi/api/reference_data_collections/set_entries]
com.q1labs.core.shared.util.SqlUtil: [ERROR] [NOT:0000003000][{IP}/- -]
ERROR: invalid byte sequence for encoding "UTF8": 0x00
{prepstmnt 180895
432 WITH X AS (SELECT rde.id, rdk.rd_id as collection_id,
rd.collection_type, NULLIF(rdk.domain_info, 1234567890) as
domain_id, convert_from(rde.d
ata, 'UTF8') as value, rde.source, rde.notes,
round(EXTRACT(epoch FROM rde.first_seen)*1000) as first_seen,
round(EXTRACT(epoch FROM rde.last_seen)*1000) as last_seen,
rd.tenant_info FROM reference_data_element rde JOIN 
reference_data_key rdk ON rde.rdk_id=rdk.id JOIN
reference_data rd ON rd.id=rdk.rd_id) SELECT count(*) FROM X WHERE
(collection_type=?) AND ((domain_id in (0,1234567890) or
domain_id is null)) AND (((collection_id) = ?))} 

Note: The encoding error may vary depending on the data record being processed.
06 September 2022
ROUTING RULES IJ39393 ROUTING RULE DISPLAYS A BLANK PAGE WHEN THE INSTALL IS A SOFTWARE APPLIANCE ON 7.5.0 UP1 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Routing Rule window does not display as expected when the QRadar install is a ‘software appliance’ and the version is 7.5.0 Upgrade Pack 1. When this issue occurs, the web server (Tomcat) generates an error on RoutingRules.jsp and the page loads the appliance type information. This leads to the Routing Rules page displaying blank and administrators cannot configure or edit values in the user interface.

The following error displays when the Routing Rules interface attempts to load:
tomcat[25826]: Error including jsp /qradar/jsp/RoutingRules.jsp
tomcat[25826]: org.apache.jasper.JasperException: An exception occurred processing 
[/qradar/jsp/RoutingRules.jsp] at line [23]
tomcat[25826]: 20: String firstRecord = "";
tomcat[25826]: 21:
tomcat[25826]: 22: boolean isLogAggregation =
LicenseKeyManager.getInstance().isApplicationLicensed(
LicenseKeys.LOGAGGREGATION_LICENSED );
tomcat[25826]: 23: boolean isQRoC = LicenseKeyManager.getInstan
ce().getHardwareApplianceType().equals("3178");
tomcat[25826]: 24: String selectedId =
HTMLUtils.escapeHTMLAttr(request.getParameter("selectedId"));
tomcat[25826]: 25:
tomcat[25826]: 26: // get the suppressLogOnlyWarning flag.. have
to do this because when creating new routing rule, there is no
default form value from the server side.
tomcat[25826]: Stacktrace: 
tomcat[25826]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
tomcat[25826]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
tomcat[25826]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
tomcat[25826]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
tomcat[25826]: at java.lang.Thread.run(Thread.java:825)
tomcat[25826]: Caused by: java.lang.NullPointerException
tomcat[25826]: at org.apache.jsp.qradar.jsp.RoutingRules_jsp._jspService(RoutingRules_jsp.java:152)
tomcat[25826]: at org.apache.jasper.runtime.HttpJspBase.service
(HttpJspBase.java:70)
tomcat[25826]: at
javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
tomcat[25826]: at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465)
06 September 2022
NETWORK IJ39550 UNABLE TO CREATE BONDED INTERFACE ON QRADAR 7.5.0 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Users can encounter the following error in the UI that prevents them from creating bonded interfaces:
"Failed to save the network interface due to a server error. Try later."

The following stack is visible in /var/log/qradar.log:
Task CreateBondedNetworkInterfaceTask 338 is about to run
[Python tool]: [INFO] Failed to run ethtool ens224
[Python tool]: [INFO] 
[Python tool]: [INFO] Traceback (most recent call last):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 180, in _doesExist
[Python tool]: for line in output.split("\n"):
[Python tool]: TypeError: a bytes-like object is required, not 'str'
[Python tool]: [INFO] Failed to perform the task.
[Python tool]: [INFO] {class 'TypeError'}
[Python tool]: [INFO] Traceback (most recent call last):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 616, in main
[Python tool]: manager.validate(args)
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 364, in validate
[Python tool]: if not self._doesExist(s):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 188, in _doesExist
[Python tool]: raise err
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 180, in _doesExist
[Python tool]: for line in output.split("\n"):
[Python tool]: TypeError: a bytes-like object is required, not 'str'


Steps to reproduce:
  1. Deploy a 7.5.0 GA/FP1 AIO console.
  2. Add two new network adaptors to the AIO console in VCentre: Edit settings > Add New Device.
  3. Login to the UI and navigate to Admin > System and License Management > Double Click on Console > Network Interfaces
  4. Ensure both the extra interfaces have a role of "Monitor". If not edit them and set them to "Monitor"
  5. Highlight both interfaces and select "Bond". Ensure the role is "Monitor"

    Result
    The error occurs in the UI and qradar.log
06 September 2022
HIGH AVAILABILITY (HA) IJ40862 LARGE /STORE FILESYSTEMS CAN CAUSE HIGH AVAILABILITY 7.5.0 GA INSTALLS TO IMPROPERLY SET UP THE PARTITION LAYOUT CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Installing High Availability (HA) on 7.5.0 GA can cause the partition layout to be built incorrectly. The prepare_ha.sh does not run properly when /store is greater than 2TB. Installing or rebuilding can cause the prepare_ha.sh script to generate an error, which prevents the secondary HA appliance from being added to the deployment without manual intervention.

When this issue occurs, the following error displays in /var/log/setup_7.5.0.20211220195207/ha_setup.log:
"Operation refused.
Command 'drbdmeta 0 v08 /dev/mapper/storerhel-store internal
create-md' terminated with exit code 40"
06 September 2022
RULES IJ39258 SPECIAL CHARACTERS IN RULE NAMES CAN CAUSE 'CHECKING DISABILITY' WHEN ADDING AS TEST TO ANOTHER RULE CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Update rules to ensure they do not use special characters in the rule or building block names.

Issue
When a user has a rule name that contains a special character, the browser can display 'Checking disability' when you attempt to add a rule test. This issue can occur on either rules or building blocks when values contain special characters.

The browser must validate the input change and confirm the value can be added to the rule test. When a test references a rule with special characters, the browser changes the 'Add' button to 'Checking disability' and appears to hang indefinitely.

Steps to reproduce
  1. Create a simple rule with name containing special chars like 'Test@123' or '$UsernameChecks'
  2. Add this new rule to a second rule using the Rule Test:
    - when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds.
06 September 2022
INSTALL IJ39554 PRETEST FAILS WHEN RUNNING /MEDIA/UPDATES/INSTALLER -T BECAUSE MKS FILES NOT PUSHED CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
This error can be ignored as the MKS files are not pushed from the console until the patch is run.

Issue
When running the /media/updates/installer -t, to test the managed hosts before patching, pretest can fail because the MKS files are not pushed from the console. The managed hosts can display errors similar to the following:
[QRADAR-9104] [pretest:Error] [ERROR] MKS files are not staged
in /opt/qradar/conf/mks/mh/
Run the following command on the console before patching this host:
/opt/qradar/bin/mks_integration.sh -p
ERROR: [pretest] [QRADAR-9104] MKS files are not staged in
/opt/qradar/conf/mks/mh/
Run the following command on the console before patching this host:
/opt/qradar/bin/mks_integration.sh -p
[ERROR](-i-testmode) Pretest failed:
"/media/updates/scripts/QRADAR-6181.install --mode pretest"
[ERROR](-i-testmode) Failed pretests
[DEBUG](-i-testmode) returning code 4
06 September 2022
API IJ38961 DELETING ELEMENTS FROM REFERENCE MAPS WITH THE API OR REFERENCE DATA MGMT APP CAN FAIL WITH AN ERROR CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Administrators with root access to the Console can use the ReferenceDataUtil.sh utility to delete or update reference sets. For more information, see https://ibm.biz/referencedatautil.

Issue
The deletion of an entry from a reference map using the API or Reference Data Management app can fail to complete when the reference map is large. This issue occurred when a user attempted to delete a single entry from a reference map that contained more than 80,000 entries. The following message was displayed when the deletion failed: "Map {map name} does not contain key {key name}"

When this issue occurs, the following message can display in the logs:
[tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/refere
nce_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r
[DEBUG] ReferenceDataAPI_Maps.removeMapValue() entered. Name:
map_name key: map _key value: 71700
[tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/refere
nce_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r
[DEBUG] ReferenceDataAPI_Maps.removeMapValue()Map {map_name} does not contain key map_key
06 September 2022
APPLICATION FRAMEWORK IJ41206 APP INSTALL FAILS DURING DOCKER BUILD WITH "AN EXCEPTION OCCURRED WHILE WAITING FOR TASK TO COMPLETE" ERROR CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
On QRadar 7.4.3 Fix Pack 4, when trying to install an app, the install might fail with a timeout error at the build stage. The "docker build" command takes longer than 900 seconds and times out. An error similar to the following appears in /var/log/qradar.log:
[tomcat.tomcat] [pool-1-thread-1] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask: 
[ERROR] [IPADDRESS/- -][-/- -]An exception occurred while building app asynchronously.
Triggering rollback.
[tomcat.tomcat] [pool-1-thread-1] com.q1lab
s.restapi_annotations.content.exceptions.endpointExceptions.Serv
erProcessingException: An exception occurred while waiting for task to complete.
[tomcat.tomcat] [pool-1-thread-1] at com.q1lab
s.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:41)
[tomcat.tomcat] [pool-1-thread-1] at 
com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:22)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api.ser
vice.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java:94)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.
uiframeworks.application.api.service.builders.shared.Conditional
HostTypeDecorator.process(ConditionalHostTypeDecorator.java:60)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.app
lication.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:231)
[tomcat.tomcat] [pool-1-thread-1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [pool-1-thread-1] at java.util .concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [pool-1-thread-1] at java.lang.Thread.run(Thread.java:822)
[tomcat.tomcat] [pool-1-thread-1] Caused by:
[tomcat.tomcat] [pool-1-thread-1] java.util.concurrent.ExecutionException:
com.q1labs.configservices.task.TaskTimeoutException: Task has not completed and file at
[/var/log/qradar/app/docker_build/docker_build.log.0] was not updated within [900] attempts
06 September 2022
UPGRADE IJ38842 REPLICATION FAILS WITH SECURE BOOT STATUS ERROR AFTER AN UPGRADE TO QRADAR 7.5.0 UP1 CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a workaround to update the myver utility.

Issue
After patching to QRadar 7.5.0 update pack 1, replication can fail. Users can encounter the following error after patching:
"Secure boot status: 'This system doesn't support Secure Boot'"


[hostcontext.hostcontext]
[0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher]
com.q1labs.hostcontext.replication.MHReplication: [INFO]
[NOT:0000006000][IPADDRESS/- -] Timer expired.  Attempting to download updates
[hostcontext.hostcontext]
[0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher]
com.q1labs.hostcontext.replication.MHReplication: [INFO]
[NOT:0000006000][IPADDRESS/- -] Downloading updates request starting...
[hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR]
[NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream
replication: Bareword found where operator expected at (eval 74)
line 42, near "'This system doesn't"
hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR]
[NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream replication: (Missing operator before t?)
ip-XXX-XXX replication[9007]: Using XXX.XX.XXX.XXX as our local IP.
ip-XXX-XXX replication[9007]: Downloading and applying latest database dumps from the console.
ip-XXX-XXX replication[9007]: No new database updates to apply.
ip-XXX-XXX replication[9007]: Replication download timing: Downloading: 2628 ms Overall: 2628 ms


Note: This APAR applies to upgrades of existing appliances to QRadar 7.5.0 UP1. If you are installing a new virtual machine or installing software from an ISO, secure boot must be disabled and your issue is not related to this APAR. For more information, see Creating your virtual machine.
06 September 2022
RULES IJ38934 DELETED LOG SOURCE TYPE IS STILL VISIBLE IN RULE WIZARD CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
No workaround available. Users can ignore the deleted log source in the Rule Wizard and subscribe to this APAR to receive an alert when this issue is resolved.

Issue
Deleted log source types may still be visible in the Rule Wizard when creating rules using conditions such as:
when the event(s) were detected by one or more of these log source types
06 September 2022
OFFENSES IJ37124 OFFENSES ARE NOT RENAMED WITHIN THE WINDOW CONFIGURED IN THE RULE RESPONSE LIMITER CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
No workaround available. Users can ignore the deleted log source in the Rule Wizard and subscribe to this APAR to receive an alert when this issue is resolved.

Issue
When a rule response limiter is set, offense renaming can fail to work as expected within the limiter window. For example:
  1. Have a basic event rule that dispatches an offense for renaming with rule response limiter configured.
  2. Have a configured test (example: when at least 1 events are seen with the same Source IP in 10 minutes).
  3. Have a rule response configured: Ensure the detected event is part of an offense: index based on source ip; dispatch new event (configure an event name and description), ensure the dispatched event is part of an offense: Index based on Source IP, and tick This information should set or replace the name of the associated offense
  4. Set up the response limiter (example: Respond no more than 1 time per 4 hours per Source IP)
  5. Have events run in the QRadar environment that trigger the rule.
  6. The custom rule engine fires the new event name in Log Activity.
  7. In the Offenses tab, the offense is renamed correctly.
  8. Within the window configured above for the rule response limit, close any listed offences and wait for the events and offences to generate again.

    Result They won't generate as expected until the offense is closed after the rule response limit window that is configured.
06 September 2022
APPLICATION FRAMEWORK IJ37866 APPLICATIONS CAN STOP AND REPORT FREE DATA ISSUES DUE TO DEVICEMAPPER DRIVER CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Contact QRadar Support for a possible workaround that might address this issue in some instances. Uninstalling or reinstalling applications does not resolve this issue as space is not properly allocated by the devicemapper and requires QRadar Support assistance.

Issue
It has been identified that applications can be stopped in the appliance framework when the devicemapper driver does not believe there is enough thin provision space for the docker container. When this issue occurs the applications are installed, but no applications are running in the user interface. When the command, docker ps is run, the output shows that containers do not exist and are not running (Column H lists the failure). When the administrator runs docker info, the Data Space Available reported is smaller than the Thin Pool Minimum Free Space required by docker.

Messages similar to the following might be visible when this issue occurs:
ERRO[1691] Error waiting for container: container {containerID}:
driver "devicemapper" failed to remove root filesystem:
failed to remove device {deviceID}: devicemapper: Error running
DeleteDevice dm_task_run failed
06 September 2022
SERVICES IJ37217 EVENTS CAN STOP BEING WRITTEN TO DISK UNEXPECTEDLY FOLLOWING MAXMIND GEODATA UPDATES CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Disable updates of the maxmind/geographic data file using these steps:
  1. Click the Admin tab > System Settings > Geographic Settings.
  2. Set "Disable Automatic content Updates" to "True" (default is False).
Issue
It has been identified that events can unexpectedly stop being written to disk following geodata updates. This issue can occur due to a SIGBUS exception during the deploy process.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ep.ecs-ep] Ariel Writer#events java.lang.InternalError: SIGBUS
[ecs-ep.ecs-ep] Ariel Writer#events at
java.nio.DirectByteBuffer.get(DirectByteBuffer.java:252)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.readNode(Reader.java:219)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.findAddressInTree(Reader.java:174)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.get(Reader.java:146)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:524)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:377)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:329)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.ev
ent.NormalizedEventProperties$SourceGeographicLocation.createKe
y(NormalizedEventProperties.java:108)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.ev
ent.NormalizedEventProperties$SourceGeographicLocation.createKey
(NormalizedEventProperties.java:94)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Index.add(Index.java:267)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.Buck
etWriter.writeRecord(BucketWriter.java:67)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.Abst
ractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Databas
eWriterAsync.processRecord(DatabaseWriterAsync.java:131)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.writeRecord(ScatteringDatabaseWriter.java:87)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.processRecord(ScatteringDatabaseWriter.java:55)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.access$1100(ScatteringDatabaseWriter.java:32)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$DataNodes.processRecord(ScatteringDatabaseWriter.java:247)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter.processRecord(ScatteringDatabaseWriter.java:450)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Databas
eWriterAsync.run(DatabaseWriterAsync.java:115)
[ecs-ep.ecs-ep] Ariel Writer#events at
java.lang.Thread.run(Thread.java:822)
06 September 2022
LOG SOURCES IJ41200 THE CERTIFICATE PINNING VALIDATION DOES NOT TAKE INTO ACCOUNT PROPERTY FILE SETTINGS CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
No workaround available. Users can ignore the deleted log source in the Rule Wizard and subscribe to this APAR to receive an alert when this issue is resolved.

Issue
Administrators can experience configuration issues in the Log Source Management app or the Test button functionality with repeated check certificate pinning failed error messages. This issue is due to the values of the properties file, which are not appropriately applied.

The following error is repeatedly displayed in /var/log/qradar.log:
com.q1labs.frameworks.crypto.trustmanager.CertificateValidator:
[ERROR] [NOT:0000003000][IPADDRESS/- -] [-/--]checkCertificatePinning failed.
06 September 2022
ADVANCED SEARCH (AQL) IJ35136 "UNABLE TO CREATE FUNCTION: 'INOFFENSE' NULL" RESPONSE WHEN USING AQL FUNCTION CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a workaround that might address this issue in some instances.

Issue
A message similar to "Unable to create function:'inoffense' null" can be generated when attempting to use the "INOFFENSE" AQL function on some offenses.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
com.q1labs.ariel.ql.parser.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to instantiate function 'inoffense'
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
java.lang.reflect.InvocationTargetException
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at sun.reflect.GeneratedConstructorAccessor77.newInstance(UnknownSource)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
legatingConstructorAccessorImpl.java:57)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.constructFunction(ScalarFunctionInfo.java:474)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:557)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:218)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java:1176)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1436)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1650)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.lang.Thread.run(Thread.java:822)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
Caused by:
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
java.lang.IllegalArgumentException: Invalid interval
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Interval.{init}(Interval.java:165)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Expression.{init}(Expression.java:40)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Expression.add(Expression.java:128)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.util.TimeIntervals.addInterval(TimeIntervals.java:21)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.types.networkevent.NetworkEventMPCPredicate.addEPs(NetworkEventMPCPredicate.java:208)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.aql.Base.{init}(OffenseFunctions.java:64)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.aql.OffenseFunctions$OffenseEvents.{init}OffenseFunctions.java:122)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
... 17 more
06 September 2022
API IJ34638 API SEARCHES USING LOCAL_DESTINATION_ADDRESS CAN FAIL ON ASSETS WITH A LARGE NUMBER OF VULNERABILITIES CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
If you are unable to upgrade, contact QRadar Support for a workaround that might resolve this issue in some instances.

Issue
API searches using local_destination_address can fail in environments where there are assets with a large number of vulnerabilities generating a magnitude of 32,767 or more.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] com.q1la
bs.restapi_annotations.content.exceptions.APIMappedException:Pro
[tomcat.tomcat] [user@127.0.0.1 (2560)
/console/restapi/api/siem/local_destination_addresses] at com.q
1abs.restapi_annotations.content.exceptions.APIMappedException.
init(APIMappedException.java:132)
[tomcat.tomcat] [user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] at com.q
1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141)
[tomcat.tomcat][user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] 
Caused by: 
[tomcat.tomcat] [user@127.0.0.1 (2560)
/console/restapi/api/siem/local_destination_addresses]
org.postgresql.util.PSQLException: Bad value for type short : 32976.8000000000029
06 September 2022
LOG SOURCES IJ33638 FILTERING AND SEARCHING BY LOG SOURCE TYPE FILTER CAN FAIL AFTER CHANGES ARE MADE USING LSM APP CLOSED Resolved in
QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

Workaround
Option 1:
Perform a restart of the ECS-EP service from an SSH session to the QRadar Console:
systemctl restart ecs-ep


Option 2:
  • Perform a Deploy Full Configuration: Admin > Advanced > Deploy Full Configuration
  • Restart the tomcat service from an SSH session to the QRadar Console:
    systemctl restart tomcat
  • Note: Service impact of deploying a change

    Issue
    After changing a log source type using the Log Source Management (LSM) app, realtime or historical searches and filtering using the Log Source type filter can fail to work as expected (no events are displayed).
    06 September 2022
    APPLICATION FRAMEWORK IJ41515 APP CONTAINER FAILS BECAUSE APP HEALTH CHECK FAILURE THRESHOLD INCORRECTLY SET TO 1 CLOSED Resolved in
    QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

    Workaround
    No workaround available. APARs identified as 'No workaround available' require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue.

    Issue
    In QRadar 7.5.0 consoles with applications installed, the Health Check Failure Threshold may exit after a single attempt when it should execute ten times. The correct value of 10 should be taken from the livenessprobe, but if the liveness probe check fails, the value defaults to 1. This incorrect value results in the following comnan error in /var/log/qradar.log:
    conwrap[1048]: time="2022-03-20T06:45:21Z" level=error
    msg="Health status polling has ended as the count of 1 has been hit."
    06 September 2022
    REFERENCE DATA IJ33799 REFERENCEDATAUTIL.SH SCRIPT FAILS TO UPDATE SOME DATABASE TABLES AS EXPECTED CLOSED Resolved in
    QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

    Workaround
    No workaround available. APARs identified as 'No workaround available' require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue.

    Issue
    The script /opt/qradar/bin/ReferenceDataUtil.sh allows users to run the 'update' option to update the following parameters:
    • timeoutType
    • timeToLive
    • keyType
    • key1Label
    • valueLabel
    It has been identified that it does not update the following in postgres values correctly:
    • keyType
    • valueLabel
    For more information, see https://ibm.biz/referencedatautil.
    06 September 2022
    ROUTING RULES IJ33185 NORMALIZED FLOW FORWARDING USING ROUTING RULES DOES NOT FORWARD FLOW PAYLOADS CLOSED Resolved in
    QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

    Workaround
    Configure Flow Forwarding using the section "Forwarding Flows Using Flow Source Configuration" from: https://www.ibm.com/support/pages/node/543807.

    Issue
    Normalized Flows that are forwarded using routing rules do not contain the flow payloads at the destination site.

    At the source, payloads for the source or destination are visible on the Network Activity page.

    At the destination, the payload does not display but the payload bytes counts shows its values.
    06 September 2022
    BACKUP AND RESTORE IJ30069 RESTORING A CONFIGURATION BACKUP FAILS IF THE BACKUP ARCHIVE IS ALSO PRESENT IN THE /STORETMP/ DIRECTORY CLOSED Resolved in
    QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

    Workaround
    Move the backup archive files from /storetmp and do not put backup archive files there.

    Issue
    Restoring a configuration backup does not work if the backup archive being restored has also been placed into /storetmp/ directory.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    root: tar:
    /storetmp/backup.nightly.naming_53.13_01_2020.config.1608181708813.tgz: Cannot open: Not a directory
    06 September 2022
    QRADAR VULNERABILITY MANAGER IJ29536 ESTIMATED TIME TO PROCESS RESULTS OF SCAN INCREASES IF NO ASSETS ARE DETECTED IN THE SCAN CLOSED Resolved in
    QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve.

    Issue
    When a QRadar Vulnerability Manager scan is run that discovers no assets, the scan completes, but the estimated time to process results continues to increase.
    06 September 2022
    QRADAR VULNERABILITY MANAGER IJ42185 ERROR EXPORTING DATA WHEN FILTERING FROM THE MANAGE VULNERABILITES LIST OPEN Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve.

    Issue
    Users who click the Vulnerabilities tab, then use a filter from the Manage Vulnerabilities sidebar can experience a null pointer exception when you attempt to export data. Users who filter 'By Network, By Asset, By Vulnerability, or By Open Service', then select Actions > Export see the progress indicator display momentarily, then disappear from the user interface.

    When this issue occurs, vulnerabilities are not exported and the following error is displayed in /var/log/qradar.log:
    [ERROR] [NOT:0000003000][IPADD/- -] [-/- -]Error exporting data
    java.lang.NullPointerException
    at com.q1labs.core.ui.util.QueryUtils.getQVMQuery(QueryUtils.java:1481)
    at com.q1labs.core.ui.util.QueryUtils.prepareQueryString(QueryUtils.java:1194)
    at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:583)
    at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:562)
    at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearchQRadarQuery(ExportJobProcessor.java:387)
    at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:206)
    07 September 2022
    USER PREFERENCES IJ34850 COLLATION ERRORS IN QRADAR LOGGING OCCUR WHEN QRADAR IS SET TO SOME LOCALES REOPENED Workaround
    For more information on this issue, see https://www.ibm.com/support/pages/node/6596983.

    Issue
    Collation errors can be observed in QRadar logging when using a locale setting that is not found in the pg_collation database table.

    For example, having the locale set to "polski" can generate messages similar to the following in /var/log/qradar-sql.log:
    hostname postgres[26685]: [182-1] ERROR: collation "pl" for encoding "UTF8" does not exist at character 11
    hostname postgres[26685]: [182-2] STATEMENT: SELECT '' COLLATE "pl"
    07 September 2022
    SECURITY BULLETIN CVE-2021-22543
    CVE-2021-3653
    CVE-2021-3656
    CVE-2021-37576
    Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service CLOSED Resolved in
    QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
    QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)
    QRadar 7.3.3 Fix Pack 11 (7.3.3.20220318161607)

    Affected versions
    • IBM QRadar SIEM 7.5.0 GA
    • IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
    • IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10
    Issue
    • CVE-2021-22543: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of VM_IO|VM_PFNMAP vmas in KVM. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to start and control a VM to read/write random pages of memory. CVSS Base score: 7.1
    • CVE-2021-3653: Linux Kernel is vulnerable to a denial of service, caused by improper input validation of the "int_ctl" VMCB field. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information from the physical memory. CVSS Base score: 7.1
    • CVE-2021-3656: Linux Kernel is vulnerable to a denial of service, caused by improper input validation of the "virt_ext" VMCB field. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information from the physical memory. CVSS Base score: 7.1
    • CVE-2021-37576: Linux Kernel for PowerPC could allow a local authenticated attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the handling of the H_RTAS hypercall. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 7.8
    28 April 2022
    RULES IJ40380 NEXT BUTTON IN RULE AND REPORT WIZARD DISABLED FOR CHROME 102.0.5005.61 CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 Interim Fix 1 (7.4.3.20220609203147)

    Workaround
    Users who experience this issue can use an alternate browser to complete rule changes. For more information, see QRadar supported browsers.

    Issue
    For Chrome version 102.0.5005.61, the next button on the Rule/Report Wizard is disabled and titles such as 'Rule Wizard' and 'Report Wizard' do not display.

    This issue has also been reported for users on other Chromium-based browsers, such as Microsoft Edge version 102.0.1245.33.
    20 June 2022
    RULES IJ33244 RULES WITH NETWORK TESTS CAN SOMETIMES FAIL TO WORK AS EXPECTED CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported is resolved in an existing software upgrade pack.

    Issue
    Rules that are configured with network tests (eg. Apply test on flows which are detected by the Local system, and NOT when the flow context is Local to Local) can sometimes fail to fire when expected due to an issue where the Custom Rule Engine loads threads in an incorrect order.
    20 June 2022
    USER INTERFACE IJ34633 TCPV6 SOCKET LEAK FROM REAL-TIME STREAMING CAUSING TOMCAT OUTAGES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    During a maintenance window restart the tomcat web service.
    1. Click the Admin tab.
    2. Click Advanced > Restart Web Server.
    3. Add encryption to the Manged host experiencing this issue where possible.
    For more information on encrypting a Managed host, see: Managed host encryption

    Issue
    Administrators might notice occurrences of "Application Error" popups when attempting to access their UI.

    When this is happening administrators can look in /var/log/qradar.log on the Console or Managed hosts for similar messages:
    [tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
    com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
    0.0.0.0:7801: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/-
    -]2021-06-13 12:37:44.0601 Info: /x.x.x.x:59036 : Inactivity :
    Connection reset by peer [31]
    [tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
    com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
    0.0.0.0:7800: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/-
    -]Error: /x.x.x.x:50194 : IOException : Broken pipe
    This issue can occur between a unencrypted Managed host and the Console.

    Administrators can also run this script to confirm that the issue is being caused by tomcat holding on to TCPv6 File descriptors.
    while true; do echo $(date +"%T") | tee -a /root/lsof-mon.txt
    && lsof -p $(systemctl status tomcat | grep "Main PID" | awk
    '{print $3}') | grep 'protocol: TCPv6' | wc -l 2>&1 | tee -a
    /root/lsof-mon.txt; sleep 5; done;
    Note: If you are hitting this issue the file /root/lsof-mon.txt will continually grow. Press CTRL-C to stop the script and remove the file once troubleshooting is complete.
    20 June 2022
    SYSTEM NOTIFICATIONS IJ35015 SYSTEM NOTIFICATION FOR EXPENSIVE CUSTOM PROPERTIES FAILS TO WORK AS EXPECTED IN QRADAR 7.4.2 AND NEWER CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported is resolved in an existing software upgrade pack.

    Issue
    The find expensive custom property function in the QRadar DSM Filter does not work as expected after the change in QRadar 7.4.2 that switched mbean measurements to nano seconds. There is no System Notification generated for expensive custom properties when encountered by QRadar due to this change. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec.ecs-ec] [Timer-18]
    com.ibm.si.ec.filters.normalize.DSMFilter: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get MBean value
    for "Average". javax.management.AttributeNotFoundException: No
    such attribute: Average
    20 June 2022
    SERVICES IJ36277 QRADAR CAN FAIL TO PASS EVENTS FROM ECS-EC-INGRESS COLLECTION PROCCESS TO THE ECS-EC PROCESS CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Restart the ecs-ec-ingress service using the following command from an SSH session to the QRadar Console:
    systemctl restart ecs-ec-ingress

    Or from the QRadar User Interface:
    1. Click the Admin tab.
    2. Click Advanced > Restart Event Collection Services.

      For more information, see Restarting the event collection service.
    Issue
    In some instances a ConcurrentModificationException can cause the StreamListener thread to die. When this occurs, events stop flowing between the ecs-ec-ingress process to ecs-ec process causing event rates to drop to zero.

    This has been observed in environments where there is a very high event rate or a very large event backlog to process.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][X.X.X.X/- -] [-/- -]Exception was uncaught in thread: StreamListenerThread
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] java.util.ConcurrentModificationException
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$HashIterator.nextNode(HashMap.java:1456)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$KeyIterator.next(HashMap.java:1480)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.frameworks.nio.loadbalancing.AbstractLoadBalancer.addClient(AbstractLoadBalancer.java:88)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.sem.nio.network.StreamingServer.run(StreamingServer.java:108)
    [ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.lang.Thread.run(Thread.java:822)
    20 June 2022
    USER INTERFACE IJ38930 SYSTEM RULES MIGHT NOT DISPLAY CHANGES AS EXPECTED FROM THE UI OR API CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Users who make a rule edit can confirm the changes were successfully made or that a rule is enabled by editing the rule in the Rule Wizard.

    Issue
    When a user updates a system rule from the API or the user interface Action menu, the state change might not be properly captured. This issue was observed by development for V7.4.3 Fix Pack 5 when a user enables, then disables a rule. The system rule is expected to update the Status column to True, but the user interface is not refreshed properly with the state change and still displays False to the user.

    Steps to replicate this issue:
    1. Log in to the QRadar Console.
    2. From the Offenses > Log Activity tab, click Rules.
    3. Select the rule 'All Exploits Become Offenses' as the default state for this rule is False.
    4. Click Actions > Enable/Disable.
    5. The rule's state is still False, but should display True.
    6. Double click the rule to open the Rule Wizard.
    7. In the Enable Rule section, click the Enable this rule if you want it to begin watching events or flows right away check box.
    8. Click Finish.

      Results
      The user interface is refreshed and rule state displays True.
    20 June 2022
    RULES IJ38314 REFERENCE RULE RESPONSE STOPS WORKING AFTER ALL DOMAINS REMOVED CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Users can manually edit the rule to save the reference data as shared.

    Issue
    When all domains are removed and tomcat is restarted, rule response writing domain specific data does not write to reference set. When this issue occurs, the following error is displayed in /var/log/qradar.log:
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataManager:
    [ERROR] [NOT:0000003000][/- -] [-/--]ReferenceDataManager.addToReferenceDataCollection()
    rdata=name=UBA : Users Last Country size=24 {domain 0:[{data}...
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread:
    [ERROR] [NOT:0000003-]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : Users Last Country size=24
    {domain 0:[{data}...
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.dao.referencedata.light.RefDataDomainRestrictionException:Can't use domain domains.
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:176)
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.addElement(RefDataDomainProtection.java:54)
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:188)
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataManager.addToReferenceDataCollection(ReferenceDataManager.java:825)
    [tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100)


    To replicate this issue:
    1. Create a domain and a reference set.
    2. Create a rule to add a property to a reference set and choose domain specific data.
    3. Verify elements can be added either from default domain or other domains.
    4. Remove all domains.
    5. Log in to the QRadar Console, click Admin tab > Advanced > Restart Web Server.
    6. Attempt to update a rule with domain specific data.

      Results
      Elements cannot be added. Users encounter the error, "RefDataDomainRestrictionException: Can't use domains for Reference Data. This system has no domains."
    20 June 2022
    DEPLOY CHANGES IJ39425 FIPS APPLIANCES WITH IMQ PASSWORDS CONTAINING '$' CAN EXPERIENCE ADD HOST OR DEPLOY ISSUES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Administrators with FIPS appliances who set an IMQ password to the same value as the JPA password with /opt/qradar/imq/bin/setup-imq.sh --password, can experience issues where part of the saved password in /opt/qradar/conf/frameworks.properties is truncated after the '$' character. The truncated value prevents administrators from adding managed hosts as the '$' character is treated as a variable in bash. The password issue causes the services to fail to connect to the DB after the initial deploy. This issue can occur on any QRadar version where FIPs is enabled.

    This APAR is associated to issue IJ37865.
    20 June 2022
    QRADAR ON CLOUD IJ40310 DATA GATEWAY APPLIANCES CANNOT SUCCESSFULLY ADD TO THE DEPLOYMENT DUE TO A SETUP ISSUE CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    QRadar on Cloud administrators must contact contact QRadar Support to resolve this issue as the workaround requires console command line access.

    Issue
    Administrators who attempt to add a Data Gateway appliance with the "/opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p" command are not prompted for the root password during setup as a decryption error occurs. This leads to issues where the Console cannot establish an SSH session to the Data Gateway to properly add the host to the QRadar on Cloud Console.

    When this issue occurs, the Data Gateway fails to successfully add to the QRadar on Cloud Console. The following error is reported on the Data Gateway appliance in /var/log/qradar.log:
    Failed to run command 'mh_setup': Failed to add host
    'xx.xxx.xxx.xxx' to deployment 'xxxxxxconsole.qradar.ibm.com':
    Failed to add host to deployment: Check console logs for
    details.

    The QRadar on Cloud Console can display a connection refused error for the Data Gateway appliance. The error is only visible to QRadar Support as the information is displayed in /var/log/qradar.log on the Console. Administrators who experience Data Gateway issues can confirm the following error through a case opened with QRadar Support:
    com.q1labs.configservices.common.ConfigServicesException:
    Failed to connect to xx.xxx.xxx.xxx password may be invalid or
    the connection was refused.
    20 June 2022
    UPGRADE IJ38185 RERUNNING A FAILED UPGRADE ON V7.5.0 UPGRADE PACK 1 CAN LEAD TO CONFIGURATION ERROR QRADAR-6666.INSTALL CLOSED Resolved in
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Do not attempt to run a QRadar 7.5.0 Upgrade Pack 1 installation a second time as running the installation again can cause the Postgres RPM issue described in this APAR. If you experience a failed QRadar 7.5.0 UP1 upgrade, contact QRadar Support for assistance and a workaround to this issue.

    Issue
    Administrators who attempt to rerun a previously failed upgrade on a managed host or Console from V7.4.x to QRadar 7.5.0 Upgrade Pack 1 (UP1) can experience a Postgres RPM installation issues that fail to roll back as expected. The upgrade attempts to rollback the database and restore the configuration. However, due to an issue in the QRADAR-6666.install utility, the rollback does not successfully complete. The failed rollback can leave the system without a Postgres configuration.

    This issue can occur on a reinstall attempt for a Console or a managed host.
    1. If this issue occurs on a managed host, a version mismatch between the Console (Postgres V11) and the host (Postgres V9.6) can occur that must be corrected by support as the host cannot receive the latest system settings and configuration from the Console.
    2. If this issue occurs on the Console, the system configuration can not be loaded successfully due to the Postgres errors that occurred during the reinstall attempt.
    Order of operations when this issue can occur:
    1. Administrator experiences an upgrade issue where the patch failed, but successfully rolled back.
    2. A second attempt to upgrade leads to a 'failure to install new postgresql rpms'.
    3. The Postgres configuration might be in a bad state and support assistance is required.
    A review of the /var/log/setup-{version}/patches.log reports the following error:
    Examining /media/updates/repo//postgresql11-contrib-11.14-1PGDG
    .rhel7.x86_64.rpm:postgresql11-contrib-11.14-1PGDG.rhel7.x86_64
    /media/updates/repo//postgresql11-contrib-11.14-1PGDG.rhel7.x86_64.rpm:
    does not update installed package. Error: Nothing to do
    [DEBUG](-i-patchmode) ERROR: Failed to install new postgresql
    rpms. (1) a[DEBUG](-i-patchmode) Error running 270:
    /media/updates/scripts/QRADAR-6666.install --mode presql; Got error code of 1.
    [ERROR](-i-patchmode) Error running 270:
    /media/updates/scripts/QRADAR-6666.install --mode presql
    20 June 2022
    UPGRADE IJ38233 UPGRADES TO 7.5.0 UP1 CAN EXPERIENCE HOSTCONTEXT ISSUES DUE TO UNRESTRICTED JCE JAR FILES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Administrators with unrestricted JCE policy files installed can confirm these files are installed with the following command:
    /opt/qradar/support/all_servers.sh -Ck "ls -1
    /opt/ibm/java-x86_64-80/jre/lib/security/*.jar"

    If the output on any host reports the following files, you are affected by this issue and must remove your JCE policy files before you upgrade to QRadar 7.5.0 UP1 avoid this issue:
    /opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar
    /opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar

    If the all_servers command returns the following output, you are NOT affected by this issue:
    ls: cannot access
    /opt/ibm/java-x86_64-80/jre/lib/security/*.jar: No such file or directory


    Issue
    Administrators who upgrade to QRadar 7.5.0 Upgrade Pack 1 (UP1) can experience an issue where the hostcontext service does not start properly after the upgrade completes due to signing issues in the JCE Policy files. This issue only applies to administrators who install the unrestricted JCE policy files on appliances that require advanced encryption ciphers.

    Order of operations:
    1. Administrator upgrades a QRadar appliance to 7.5.0 UP1 with unrestricted JCE policy files installed.
    2. The upgrade completes successfully.
    3. The administrator reboots the host to complete the upgrade.
    4. The hostcontext service fails to initialize after the appliance reboot.
    When this issue occurs, a 'Destroying Hostcontext' message is displayed in /var/log/qradar.log as the appliance starts:
    [hostcontext.hostcontext] [main]
    com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing resource loggers: 
    [com.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;e03cd69c
    [hostcontext.hostcontext] [main]
    com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks instance name: hostcontext.hostcontext
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks booting - logging, loader complete
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Loading frameworks.properties
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.util.NamedThreadFactory: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Thread factory created: Spillover Cache Vacuum
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing JMX for RMI
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Constructing mbean server at: service:jmx:rmi://IPADDRESS:7778/jndi/rmi://IPADDRESS:7778/jmxrmi
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.logging.LogManagementAgent: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Log management agent started.
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
    [NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing jpa helipad hostcontext[21113]: Destroying HostContext
    20 June 2022
    UPGRADE IJ39768 QRADAR PATCHING TO VERSION 7.5.0 OR NEWER CAN FAIL ON MANAGED HOSTS WITH "ERROR: COULD NOT CREATE UNIQUE INDEX..." CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Patching to QRadar 7.5.0 can fail on Managed Hosts due to an index that causes an SQL query to fail on duplicate data. Messages similar to the following might be visible during patching when this issue occurs:
    [ERROR](-i-patchmode) Error applying script [14/87] '/media/upd
    ates/opt/qradar/conf/templates/db_update_247342.ref_set_import1
    .sql'for Test_qradar database.; details: WARNING:  SET TRANSACTI
    can only be used in transaction blocks NOTICE:  index
    "reference_data_element_unique_rdata1" does not exist, skipping
    ERROR:  could not create unique index
    "reference_data_element_unique_rdata1" DETAIL:  Key
    (md5((rdk_id::text || '_'::text) || data))=(0139237e0f70a8400c8
    20 June 2022
    UPGRADE IJ39786 ISSUE REPORTED WHEN UPGRADING TO QRADAR 7.5.0 UP1 IF THE PATCH FAILS IN PATCHMODE CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Issues were reported when an upgrade to QRadar 7.5.0 UP1 fails during patchmode. This is an extension to what is seen in IJ38185.

    The following error message can be seen in /var/log/patches.log:
    [DEBUG](patchmode) Checking that tomcat is running and ready:
    (attempt 2/120) (24 seconds) Exception in thread "main"
    java.lang.NoClassDefFoundError:
    javax.persistence.EntityManagerFactory         
    at com.q1labs.hostcontext.backup.core.BackupUtils.main(BackupUtils.java:2771)
      Caused by: java.lang.ClassNotFoundException: javax.persistence.EntityManagerFactory         
    at java.net.URLClassLoader.findClass(URLClassLoader.java:610)  
    at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:942)    
    at java.lang.ClassLoader.loadClass(ClassLoader.java:887)         
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)         
    at java.lang.ClassLoader.loadClass(ClassLoader.java:870)
    20 June 2022
    UPGRADE IJ39259 UPGRADES ON MANAGED HOSTS CAN FAIL DUE TO SCRIPT CONNECTION TIMEOUT CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    If error has already occurred, contact support for a possible workaround that might address this issue in some instances. The work around involves a sfs repackage or time setting change, and manually applying the patch to each host individually.

    If the issue has not yet occurred, you can work around the issue prior to error encounter using parallel upgrade steps: QRadar: How to Update Appliances in Parallel.

    Issue
    During an upgrade, when the All option is selected, managed hosts can fail to update due to a timeout error. The Console upgrade completes successfully, but individual managed hosts in the deployment fail during their upgrade. When this issue occurs, the connection is closed by the remote managed host and a "Could not apply patch on HOSTNAME at IPADDRESS" error displays.

    For example:
    [Connection [OK Applying presql script: (127/139)
    [Connection to x.x.x.x closed by remote host.
    [ERROR](patchingHost:x.x.x.x) Could not apply patch on HOSTNAME at x.x.x.x
    [DEBUG](patchingHost:x.x.x.x) report='Could not apply patch on HOSTNAME at x.x.x.x
    20 June 2022
    QRADAR VULNERABILITY MANAGER IJ39606 QRADAR VULNERABILITY MANAGER: SCHEDULED SCANS DO NOT RUN AFTER UPGRADING TO 7.5.0 UP1 CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    Re-apply the scan profile cron settings by navigating through the following menus: Vulnerabilities tab > Administrative > Scan Profiles > When to scan > Advanced > Cron.
    For more information, see Scan scheduling

    Issue
    After upgrading to QRadar 7.5.0 Update Package 1, scan profiles that are scheduled by using a cron expression will not run. This is caused by the ugprade removing cron expressions from scan profiles.
    20 June 2022
    UPGRADE IJ39789 POSTGRES RE-INSTALL ON MANAGED HOST CAN FAIL AFTER PATCHING TO 750 UPDATE PACKAGE 1 CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
    QRadar 7.4.3 Fix Pack 6 (7.4.3.20220531120920)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    Hostservices can fail to start if issues occur that require a Managed Host to attempt a reinstall of the postgres RPMs. When this issue occurs, the following error can display:
    systemd[1]: Starting hostservices alias script...
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    init_script[10300]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 4 more times. 
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    init_script[10390]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 3 more times.
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
    process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
    hostservices.sh[6708]: Re-installing postgresql RPMs:  tr: when not truncating set1, string2 must be non-empty
    hostservices.sh[6708]: error: package postgresql-contrib is not installed
    hostservices.sh[6708]: error: package postgresql-server is not installed
    hostservices.sh[6708]: error: package postgresql-libs is not installed
    hostservices.sh[6708]: error: package postgresql is not installed
    hostservices.sh[6708]: FAILED
    hostservices.sh[6708]: Could not re-install postgresql rpms.
    20 June 2022
    QRADAR INCIDENT FORENSICS IJ38824 FORENSIC RECOVERY FAILS WHEN LIMITING RESULTS BY IP ADDRESS OPEN Workaround
    Run a forensics recovery search for raw data that includes both a port and an IP address. If you continue to experience issues, contact support for a workaround that might address this issue in certain scenarios.

    Issue
    Users who attempt to run a forensics recovery to search the raw packet capture for an IP address can encounter a "There was an error running Forensic Recovery" message in the user interface. This issue prevents users from targeting a specific IP when they click 'Run recovery' if they do not select a port.

    Steps to reproduce:
    1. On the QRadar Console, Forensics must be added as a managed host IJ38824(https://ibm.biz/qifaddhost)
    2. Deploy the changes.
      Ensure the Packet Capture is connected or added to the Forensics appliance (https://ibm.biz/addingpcap).
    3. Navigate to the Forensics tab.
    4. Attempt to perform a Forensic Recovery with an IP specified to limit results.

      Results The forensics recovery search fails to complete with a "There was an error running Forensic Recovery" when this issue occurs.
    26 March 2022
    QRADAR INCIDENT FORENSICS IJ39551 QRADAR INCIDENT FORENSICS UPGRADE PATCH TEST FAILS WITH UNABLE TO EXPORT SOLR DATA ERROR OPEN Workaround
    Contact support for a possible workaround that might address this issue in some instances.

    Issue
    Exporting of large SOLR documents during QRadar Incident Forensics upgrade can cause the patch test to fail. During a pretest when patching a QRadar Incident Forensics appliance, the /media/updates/scripts/.install --mode precheck runs and if there are many large SOLR documents to be exported, the script runs out of memory causing the patch pretest to fail with the following errors:
    [predown:Error] [ERROR] Unable to export SOLR data: code 1
    [WARN](-i-testmode) ERROR: [predown] QRADAR-4105 Unable to export SOLR data: code 1
    [DEBUG](-i-testmode) Error running 26:
    /media/updates/scripts/QRADAR-4105.install --mode predown; Got error code of 255.
    25 April 2022
    REFERENCE DATA IJ40269 LARGE REFERENCE DATA SETS MIGHT RETURN UNEXPECTED RESULTS BASED ON THE SPILLOVER CACHE SIZE OPEN Workaround
    Contact support for a possible workaround that might address this issue in some instances.

    Issue
    Users with queries that contains a reference data lookup might not return the expected result when the results exist outside of the in-memory cache. Large reference sets or small spillover caches on appliances can cause partial results to occur as the data resides outside of the ChainAppendCache lookup. This issue can occur during a search or when a rule test attempts to complete a lookup on a reference data set that exceeds the existing spillover cache of the software install or appliance. It is expected that the ChainAppendCache is able to retrieve data additional from disk to extend to potential results on disk when the query exceeds the existing spillover cache size.
    26 May 2022
    ROUTING RULES IJ30016 ROUTING RULE TEST 'IS N/A' DOES NOT WORK AS EXPECTED IF THE STRING IS NOT NULL OPEN Workaround
    Use this filter instead:
    - Username matches any of expression \A\z**

    Issue
    The routing rule test 'is N/A' does not work for empty strings.

    For example, configuring a routing rule to drop when the username is N/A. The rule does not work as expected if the payload of the events has an empty username. An empty username will be shown as N/A in the User Interface but the rule does not drop the event because it tests for 'username is null'.
    06 January 2021
    VULNERABILITY SCANNERS IJ39637 AFTER PATCHING TO 7.5.0 UP1, VULNERABILITY ASSESSMENT (VA) SCANNERS NO LONGER WORK CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    After patching to 7.5.0 UP1, the VA Scanners (e.g Qualys) are in a "New" or "Pending" state and no longer work.

    The following error can be observed when facing this issue:
    "[Pending] This scan job was detected to be in an inconsistent
    state".
    com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
    [vis] [Scanner Manager]    at
    com.q1labs.vis.ScannerManager.run(ScannerManager.java:152)
    [vis] [Scanner Manager]    at
    java.lang.Thread.run(Thread.java:825)
    [vis] [Scanner Manager] Caused by:
    [vis] [Scanner Manager] java.lang.ClassNotFoundException:
    com.ctc.wstx.stax.WstxInputFactory# Temporary workaround for  -
    enable crl check on select processes only
    30 May 2022
    RULES IJ11541 DOUBLE MATCH COUNT FLOW RULES CAN MISFIRE DUE TO IPV6 ADDRESSES BEING EVALUATED IN RULES BEFORE IPV4 ADDRESSES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported is resolved in an existing software upgrade pack.

    Issue
    It has been identified that double match count flow rules can sometimes misfire due to IPv6 addresses being prioritized in rules prior to IPv4 address evaluation.

    When this occurs, false positive offense generation can be observed.
    30 May 2022
    AUTHENTICATION IJ39020 LDAP GROUP AUTHENTICATION CAN FAIL WITH SPECIAL CHARACTERS IN USERNAMES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported is resolved in an existing software upgrade pack.

    Issue
    Users using group-based LDAP authentication "by member" or "by query" are unable to login if the group member field on the LDAP server contains certain special characters such as an asterisk "*".

    For example, a user that attempts to authenticate with wildcard characters (*) in the username cannot log in successfully.

    Username: test*contractor*user Password: password

    When this issue occurs, the following error is displayed in /var/log/qradar.java.debug:
    executeQuery(): Attempting to execute ldap query
    [(uid=test*contractor*user)] executeQuery(): Found [1] search results.
    executeQuery(): Attempting to execute ldap query [(memberUid=test*contractor*user)] executeQuery(): Found [0] search results.
    executeQuery(): Attempting to execute ldap query [(memberUid=uid=test*CONTRACTOR*user,dc=example,dc=org)] executeQuery(): Found [0] search results.

    Note: Debug is not enabled by default and might require QRadar Support to confirm the error message.
    30 May 2022
    UPGRADE IJ40241 PATCH INSTALLER FAILS WITH ERROR MESSAGE "DISCOVERED EXTRA DATABASES WHICH MUST BE REMOVED BEFORE CONTINUING" CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported is resolved in an existing software upgrade pack.

    Issue
    When an administrator tries to patch a console in 7.3.3 FP10 to 7.5.0, the patch will fail with the error message:"Discovered extra databases which must be removed before continuing". The following error messages are displayed in the /var/log/patches.log:
    ERROR: Discovered extra databases which must be removed before continuing.
    ERROR: If you would like to preserve the contents, backup the database before removing it.
    ERROR: Make sure the database instance service is running before removing the extra database.
    ERROR: The extra databases are:
    * 'patch_test_qradar' in PostgreSQL instance 'postgresql-qrd'.
    To remove, run: psql -U postgres -p 5432 -c 'drop database patch_test_qradar'.
    * 'patch_test_fusionvm' in PostgreSQL instance 'postgresql-qvm'.
    To remove, run: psql -U postgres -p 15433 -c 'drop database patch_test_fusionvm'.
    * 'patch_test_qradar' in PostgreSQL instance 'postgresql-rm'. To
    remove, run: psql -U postgres -p 15432 -c 'drop database patch_test_qradar'.
    [ERROR](testmode) Pretest failed: "/media/updates/scripts/QRADAR-6666.install --mode pretest"
    [ERROR](testmode) Failed pretests
    [ERROR](testmode) Pre Patch Testing shows a configuration issue.
    Patching this host cannot continue.
     [INFO](testmode) Waiting for hostcontext to fully start
     [INFO](testmode) Set ip-xx-xx status to 'Patch Test Failed'
    [ERROR](testmode) Patching can not continue
    [ERROR] Failed to apply patch on localhost, not checking any managed hosts.
    An error was encountered attempting to process patches.
    Please contact customer support for further assistance.
    30 May 2022
    DEPLOYMENT IJ37288 DELETED MANAGED HOSTS WITH AN INCORRECT STATUS IN THE QRADAR DATABASE CAN CAUSE PATCHES TO COMPLETE SUCCESSFULLY BUT WITH ERRORS CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that deleted managed hosts not set to status = 14 in the serverhost table can cause patches to complete successfully, but with errors. This occurs when the patching process attempts to update SSH keys for deleted hosts not in status 14.

    Messages similar to the following might be visible in/var/log/setup-#####/patches.log:
    [mks_integration] [get_ssh_ip DeletedWed] IPDeletedWed is reachable. 
    ssh: Could not resolve hostname deletedwed: Name or service not known
    30 May 2022
    QRADAR RISK MANAGER IJ36915 EVENTS AND OFFENSES BUTTONS ARE NOT HIGHLIGHTED ON THE DEVICE SUMMARY TOOLBAR PREVENTING SEARCHES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    Use a search on the Log Activity or Offenses tab.

    Issue
    In QRadar Risk Manager, the Events and Offenses buttons on the device summary toolbar are not highlighted when a device is mapped to a log source.

    When this occurs, it prevents searches from being launched from the window.
    30 May 2022
    QRADAR USE CASE MANAGER APP IJ36907 DELETING A RULE IN THE USE CASE MANAGER (UCM) APP DOES NOT CREATE AN APPROPRIATE AUDIT EVENT CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    Use the legacy QRadar rule interface to delete rules:
    1. Click the Offenses tab.
    2. On the navigation menu, click Rules.

    Issue
    When deleting a rule in the Use Case Manager (UCM) app, there is no associated audit log that states the specific rule was deleted.
    30 May 2022
    APPLICATION FRAMEWORK IJ36275 QRADAR APP INSTALL FAILS WITH 'NO TOKEN HEADER PRESENT IN REQUEST...' ERROR AFTER 30 MINUTES CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    Ensure the values in /opt/qradar/conf/nva.conf for these variables are as follows prior to QRadar app installation:
    • APPFW_HEALTH_CHECK_DELAY_SECONDS=10
    • APPFW_HEALTH_CHECK_RETRY_LIMIT=50

    Issue
    QRadar app installations can fail during installation after 30 minutes (timeout) with message similar to "No token header present in request. Please provide it. You may also use BASIC authentication parameters if this host supports it. e.g. 'Authorization: Basic base64Encoding'."

    This has been observed when one or both of the following /opt/qradar/conf/nva.conf variables have been increased from their defaults of 10 and 50 respectively:
    APPFW_HEALTH_CHECK_DELAY_SECONDS
    APPFW_HEALTH_CHECK_RETRY_LIMIT


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-7] com.q1labs.uiframeworks.appli
    cation.api.service.builders.shared.AsyncBuildStageTask:[ERROR] [
    thrown during the execution of task: 84434 ....
    [tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.uiframeworks.application.api.service.builders.SimpleBuildProcessor.trigger
    Rollback(SimpleBuildProcessor.java:240)
    [tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:236)
    [tomcat.tomcat] [pool-1-thread-7]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)[tomcat.tomcat]
    java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)[tomcat
    java.lang.Thread.run(Thread.java:822)
    [tomcat.tomcat] [pool-1-thread-7] Caused by:
    [tomcat.tomcat] [pool-1-thread-7]
    {openjpa-2.4.3-r422266:1833086 fatal store error}
    org.apache.openjpa.persistence.RollbackException: This connection has been closed.
    [tomcat.tomcat] [pool-1-thread-7]    at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
    [tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:10
    39)[tomcat.tomcat] [pool-1-thread-7]    ... 9 more
    [tomcat.tomcat] [pool-1-thread-7] Caused by:
    [tomcat.tomcat] [pool-1-thread-7] {openjpa-2.4.3-r422266:1833086 fatal general error}
    org.apache.openjpa.persistence.PersistenceException: This connection has been closed. .....
    [tomcat.tomcat] [pool-1-thread-7] Caused by:
    [tomcat.tomcat] [pool-1-thread-7] org.postgresql.util.PSQLException: This connection has been closed.
    30 May 2022
    OFFENSES IJ36054 OFFENSE 'SAVE CRITERIA' DIALOG BOX DOES NOT WORK DUE TO SPECIFIC INTERVAL VALUE BEING 'NULL' CLOSED Resolved in
    QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

    Workaround
    If the specific interval is null, click "Cancel" and repeat the Save Criteria.
    Issue
    If the Offense "Save Criteria" dialog box is large relative to the parent page, it causes the specific interval to be 'null'. For example:
    1. Open Offense tab.
    2. Select Search > New Search.
    3. Specific Interval > select the checkbox Start Date Between.
    4. Select dates.
    5. Search.
    6. After search is complete, click the Save Criteria button.
    7. Type a name for the search.
    8. Click OK.

      Results
      Nothing happens, the specific interval value displayed is 'null'.
      30 May 2022
      HIGH AVAILABILITY (HA) IJ35704 HIGH AVAILABILITY APPLIANCE JOIN CAN FAIL WHEN THE /STORE PARTITION ON THE SECONDARY APPLIANCE IS BUSY CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

      Issue
      When attempting to create a High Availability (HA) pair, the process can fail when the /store partition on the Secondary appliance is unexpectedly in a busy state and unable to be accessed.

      Messages similar to the following might be visible in the qradar_hasetup.log file when this issue is occurring:
      Tue Jul 27 16:15:29 CDT 2021 /dev/mapper/storerhel-store is corrupted. Fixing it by running xfs_repair
      Tue Jul 27 16:15:29 CDT 2021 Running 'xfs_repair /dev/mapper/storerhel-store' in '/root'
      xfs_repair: /dev/mapper/storerhel-store contains a mounted filesystem
      xfs_repair: /dev/mapper/storerhel-store contains a mounted and writable filesystem
      fatal error ? couldn't initialize XFS library
      Tue Jul 27 16:15:29 CDT 2021 ERROR: Failed to repair /dev/mapper/storerhel-store with return code: 1
      30 May 2022
      ASSETS IJ35017 ASSET LIST CAN FAIL TO LOAD WHEN A NULL POINTER EXCEPTION OCCURS CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

      Issue
      The list of Assets can fail to load or display when a Null Pointer Exception occurs during the loading of cached data when empty ipaddress values are present in the asset.asset.view database table.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [ecs-ep.ecs-ep] [CRE Processor [2]] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR]
      [NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs
      [ecs-ep.ecs-ep] [CRE Processor [2]] java.lang.NullPointerException
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.platform.Qip.of(Qip.java:108)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$102/0x00000000e000f680.call(UnknownSource)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.findByNetwork(Asset.java:405)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.test.Jstl.hostAsset(Jstl.java:950)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.test.Jstl.targetHostAsset(Jstl.java:980)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.gen.OptJstl.targetHostAsset(OptJstl.java:728)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.ExternalEventTests.targetHostAsset(ExternalEventTests.java:633)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.gen.targetAssetValue_lt.test(targetAssetValue_lt.java)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.IntCompare_Test.test(IntCompare_Test.java:44)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.gen.TestExecutor_0_2.test(TestExecutor_0_2.java)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:524)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:477)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
      [ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)


      Or messages similar to:
      [ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR]
      [NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs
      [ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.NullPointerException
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.Qip.of(Qip.java:108)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$88/0x0000000024ed6df0.call(UnknownSource)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.assetExists(Asset.java:377)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:816)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)
      30 May 2022
      BACKUP AND RESTORE IJ34657 AFTER PATCHING TO 743 THE CONFIGURED BACKUP REPOSITORY PATH MIGHT BE RESET TO /STORE/BACKUP CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

      Issue
      Administrators who are not using the default path of /store/backup for their backups might notice that after patching to 7.4.3 the path is defaulted back to /store/backup. This will cause backups to fail.

      When trying to reset the backup path, you may observe messages similar to:
      The backup repository path must contain a valid directory. The
      directory you specify must not be a system directory
      30 May 2022
      ASSETS IJ34594 ASSETS CAN FAIL TO BE UPDATED WITH FLOW DATA AS EXPECTED CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      Set the HOST_PROFILE_REPORT_INTERVAL to be greater than 60 in Admin > System Settings.

      Issue
      In some instances flow data can fail to update appropriate Asset data.

      This can occur when the host_profiler component fails to initialize as expected due to the HOST_PROFILE_REPORT_INTERVAL being set to 60 causing an issue starting the host_profiler thread as the profiler thread starts after 60s at a random time between 60s and the report_interval value.

      Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by:
      java.lang.IllegalArgumentException: bound must be positive
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.util.Random.nextInt(Random.java:399)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.initTimeStamps(HostProfiler.java:335)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.onInit(HostProfiler.java:292)
      [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
      30 May 2022
      DOMAINS & TENANTS IJ34846 THE OPTION TO REMOVE DOMAIN INFORMATION FROM NORMALIZED EVENT FORWARDING IS NOT HONORED CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

      Issue
      When forwarding normalized events, the option to remove domain information from events before forwarding is not honored causing Domain ID data to be forwarded as part of forwarded normalized events.
      30 May 2022
      USER INTERFACE IJ34392 CANNOT ACCESS REMOTE NETWORKS AND SERVICES CONFIGURATION FROM THE LEFT TREE MENU CLOSED Resolved in
      QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

      Workaround
      Do not use the left pane menu. Instead scroll down and directly click Remote Networks and Services.
      Issue
      QRoC Security Administrator or on-prem user of the "Remote Networks and Services Configuration" role cannot use left pane in Admin tab to access "Remote Networks and Services".

      This issue affects both QRoC and QRadar on-prem.

      Steps to reproduce the issue:
      1. Create a user role with Remote Networks and Services Configuration selected.
      2. Create a test user.
      3. Add the user role from step 1 to the user from step 2.
      4. Add a security profile: Admin.
      5. Log in with the new user.
      6. Click Admin tab > Remote Networks and Services Configuration in the left pane.

        Results
        The screen is blank and the user interface does not display values when you use the navigation sidebar.
        30 May 2022
        QRADAR VULNERABILITY MANAGER IJ33798 QRADAR VULNERABILITY MANAGER SCANS ARE NOT DISPLAYED ON THE SCHEDULED SCANS SCREEN CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

        Issue
        Scheduled scan profiles which use a cron expression do not appear on the Scheduled Scans screen after a QRadar domain, which includes a QVM scanner, is renamed.

        Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles]
        com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
        [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception
        occurred while executing the remote method 'getCronScanProfiles'
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles]
        org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfiles
        QVM.getCronScanProfiles] at org.springframework.dao.support.DataAccessUtils.nullableSingleResult(DataAccessUtils.java:100)
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:777)
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfiles
        QVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:799)
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfiles
        QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.dao.scanprofile.CronSchedulerDAO.getCronSchedules(CronSchedulerDAO.java:384)
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfiles
        QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServiceImpl.getCronSchedules(ScanProfileServiceImpl.java:2008)
        [tomcat.tomcat] [admin@127.0.0.1(6796)
        /console/JSON-RPC/QVM.getCronScanProfiles
        QVM.getCronScanProfiles] at com.q1labs.qvm.service.UIScheduledScansService.getCronScanProfiles(UIScheduledScansService.java:72)
        30 May 2022
        BACKUP AND RESTORE IJ32857 OFFENSES NO LONGER GENERATED AFTER RESTORING A DEPLOYMENT CONFIG BACKUP AND OFFENSE DATA FROM DIFFERENT DATES CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        Restore Deployment config and Data config from the same backup date.

        Issue
        In instances where a QRadar Deployment config restore and Offense data restore are done from backups with different dates, it is possible Offense generation can stop.

        Messages similar to the following might be visibile when this issue occurs:
        [ecs-ep.ecs-ep] [ECS Runtime Thread] com.eventgnosis.ecs:
        [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] Error attempting to load 
        console.ibm.com:ecs-ep/MPC/Magistrate1/MPC  
        Error: java.lang.RuntimeException: Failed to configure Offense Manager
        Since there isn't a configuration error handler defined, the
        original error is wrapped in a new RuntimeException
        [ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.RuntimeException: Failed to configure Offense Manager
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:94)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:854)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:895)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:818)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by:
        java.lang.IllegalArgumentException: Invalid domain ID: 1
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.util.domain.DomainCache.requireValidDomainID(DomainCache.java:749)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.QipSet.add(QipSet.java:168)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCreatedCache(Attacker.java:966)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCaches(Attacker.java:949)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:763)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90)
        [ecs-ep.ecs-ep] [ECS Runtime Thread] ... 11 more
        30 May 2022
        DATA GATEWAY APPLICANCE IJ32852 PYTHON EXCEPTIONS GENERATED WHILE ATTEMPTING TO ADD A DATA GATEWAY CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

        Issue
        Python exceptions similar to those displayed below can sometimes be generated during the addition of a Data Gateway. When this occurs, the Data Gateway can become in a state where the console IP can be populated in nva.conf and nva.hostcontext.conf causing repeated failures due to the Console and Data Gateway being in a mismatched state in the deployment model.

        The Data Gateway attempts to remove the host from the deployment but fails as it does not exist on the Console.
        Failed to run command 'mh_setup': Failed to add host
        'XX.XX.XX.XX' to deployment 'console-XXXXX.qradar.ibmcloud.com':
        Failed to add host to deployment: Check console logs for details
        File "/opt/qradar/lib/python/qradar/command_line.py", line 179,
        in executeCommand self.cmd.execute(self.opts, self.args, self.parser)
        File "/opt/qradar/bin/setup_qradar_host.py", line 399, in setup
        input_obj.proxy_port, input_obj.proxy_username, input_obj.proxy_password)
        File "/opt/qradar/bin/setup_qradar_host.py", line 443, in setupImpl
        if addToDeploymentImpl(existing_server, server_host, token,
        private_ip, public_ip, nat_id, encrypt, compress, host_password,
        skip_deploy=True) is True:
        File "/opt/qradar/bin/setup_qradar_host.py", line 534, in
        addToDeploymentImpl addHostToDeployment(deployment, private_ip, 
        public_ip, nat_id, encrypt, compress, host_password)
        File "/opt/qradar/bin/setup_qradar_host.py", line 1240, in addHostToDeployment
        raise SystemException(error_message, exit_code)
        30 May 2022
        REPORTS IJ32677 TIME SERIES REPORTS AND DASHBOARDS NOT DISPLAYING DATA AFTER THE ACCUMULATOR FAILS TO LOAD A GLOBALVIEW CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

        Issue
        The QRadar accumulator stops working as expected after hitting an error when accumulating data for a globalview whose saved search is valid but its aggregated keys and mappings have an incompatible format.

        When this issue occurs, time series reports and dashboards stop displaying data due to the accumulator experiencing an error in one of its pre-processor threads.

        Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
        [accumulator.accumulator] [Preprocessor(events)_2]
        com.q1labs.cve.accumulation.ObjectArrayAccessors: [ERROR]
        [NOT:0000003000][xxx.xx.xx/- -] [-/- -]Unexpected error while building record
        [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.aggregation.props.AggregatedRecordPropertyBase.createKey(AggregatedRecordPropertyBase.java:17)
        [accumulator.accumulator] [Preprocessor(events)_2]
        java.lang.ClassCastException:
        com.q1labs.core.types.event.NormalizedEvent incompatible with java.util.Map$Entry
        [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors$ObjectArrayAccessor.getKey(ObjectArrayAccessors.java:355)
        [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.getKey(ObjectArrayAccessors.java:265)
        [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:233)
        [accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26)
        [accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
        [accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        [accumulator.accumulator] [Preprocessor(events)_2] at
        java.lang.Thread.run(Thread.java:818)
        30 May 2022
        EVENT FORWARDING IJ34583 ONLINE FORWARDING CAN LEAVE BEHIND STALE TCP SOCKETS IF THE CONNECTION IS RESET BY THE PEER CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        Switch to offline forwarding and fix whatever is causing the connection resets to the remote end.

        Or

        Disable the forwarding profile causing the connection resets. Then during a maintenance window run:
        systemctl restart ecs-ec
        .

        Issue
        Customers might experience stale sockets left behind when using forwarding if the connection is reset by the peer. These can build up over time resulting in the maximum file handles for the process being hit and "Too many open files" messages in journalctl.

        To diagnose if you are being affected by this issues, use journalctl to look for "Too many open files" messages or look for WARN messages similar to this in /var/log/qradar.error:
        [ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.
        SelectiveForwardingCommunicatorThread:[WARN] [NOT:0000004000][xxx.xxx.xxx.xxx
        [Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003]
        Event Processing Error (SocketTimeoutException) [1].
        [ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread:[WARN] 
        [NOT:0000004000][xxx.xxx.xxx.xxx
        19:25:59.0715 [Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003]
        Unable to retry event[Queue Full], dropping event[104361].
        30 May 2022
        USER INTERFACE IJ30933 'APPLICATION ERROR' IS DISPLAYED WHEN ACCESSING THE ADMIN TAB WHEN THERE IS AN EMPTY FILE IN /OPT/QRADAR/CONF/LICENSEKEY CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        1. On the console, from the command line, issue the following:
          ls- lah /opt/qradar/conf/licensekey/
        2. You should see something similar to:
          -rwxrwxr-x 1 ecuunpack swsupt 0 Apr 13 2018 history
          -rwxrwxr-x 1 ecuunpack swsupt 811 Feb 1 17:34 licensekey.355
          -rwxrwxr-x 1 ecuunpack swsupt 996 Feb 1 17:34 licensekey.52
          -rwxrwxr-x 1 ecuunpack swsupt 0 Apr 13 2018 null

          Notice that the "history" and "null" file have a size of 0. These are the empty files we will remove
        3. Make a copy of them to another directory, such as /store/ibm_support.
          cd /opt/qradar/conf/licensekey/
          cp /history null /store/ibm_support
        4. Then remove each one.
          rm history
          rm null
        5. Then refresh the browser.

          Results
          Attempt to open the Admin tab. If you have any questions about the workaround, or are still facing an issue after completing the workaround, contact support.

          1. Issue
            If an empty file is present in /opt/qradar/conf/licensekey a message similar to the following is displayed on the left side of the browser when opening the Admin tab of the QRadar user interface:
            Application Error
            An error has occourred.
            Return and attempt the action again.
            If the Problem persists, please contact customer support for assistance.
        30 May 2022
        DSM EDITOR IJ30104 USING THE DSM EDITOR TO MODIFY A CONFIGURATION PROPERTY FOR A SPECIFIC EVENT COLLECTOR DOES NOT SAVE THE CHANGE CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

        Issue
        When using the DSM Editor to modify a configuration property of a DSM for a specific Event Collector, the new value is not saved or displayed when the DSM Editor is re-opened due to missing parameters in /opt/qradar/conf/templates/replication.sql No error is observed or written to QRadar logging when this occurs.
        30 May 2022
        CONTENT MANAGEMENT TOOL (CMT) IJ29327 LOG SOURCES IMPORTED USING THE CONTENT MANAGEMENT TOOL CAN FAIL DUE TO PASSWORD DECRYPTION ISSUES CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

        Issue
        When Log Sources are imported into QRadar using the Content Management Tool (CMT), the passwords are not re-encrypted with the keys of the destination. As a result, undecryptable passwords are placed in the database that cause QRadar to error in any product area that attempts to read these passwords (For example: The legacy Log Source UI, the Log Source Mangement API, running protocols, etc). Messages similar to the following might be visible when this issue occurs:
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] 
        javax.crypto.BadPaddingException: Given final block not properly padded
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.ibm.crypto.provider.AbstractBufferingCipher.a(UnknownSource)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.ibm.crypto.provider.AbstractBufferingCipher.engineDoFinal(Unknown Source)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at 
        javax.crypto.Cipher.doFinal(Unknown source)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] 
        java.lang.RuntimeException: com.q1labs.frameworks.crypto.DecryptException:
        com.ibm.si.mks.CryptoException: Failed to decrypt data
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.decrypt(SensorProtocolConfigParameters.java:212)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.getValue(SensorProtocolConfigParameters.java:135)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.q1labs.core.dao.qidmap.SensorDevice.getProtocolParameterValue(SensorDevice.java:1407)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.ibm.si.data_ingestion.api.impl.logsource.model.LogSource.{init}(LogSource.java:88)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.ibm.si.data_ingestion.api.impl.logsource.LogSourceUpdater.updateAndFetch(LogSourceUpdater.java:116)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        com.ibm.si.data_ingestion.api.v13_0.logsource.LogSourceAPI.update(LogSourceAPI.java:717)
        /console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        30 May 2022
        AUTHENTICATION IJ29105 LDAP AUTH CAN FAIL WHEN LDAP GROUP NAME HAS A SPECIAL CHARACTER AND MULTIPLE GROUPS ASSIGNED TO SAME SECURITY PROFILE AND USER ROLE CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        Create a separate security profile or user role for each LDAP group.

        Issue
        Multiple LDAP groups cannot be assigned to the same security profile or user role correctly if the group name contains special characters (example: a space).

        LDAP Authentication can fail for users in these instances. For example:
        1. Have group ldapuser 1.
        2. Add it to one of the security profiles in LDAP configuration, it changes to ldapuser%201.
        3. If adding another LDAP group ldapuser 2 to the same security profile, the first one is loaded to the ldapuser%25201.

          Result
          This breaks the LDAP authentication.
        30 May 2022
        RULES IJ28581 USING A LOCALE OTHER THAN ENGLISH, COUNTRIES ARE NOT DISPLAYED IN ALPHABETICAL ORDER WHEN MODIFYING GEOGRAPHIC RULE CONDITIONS CLOSED Resolved in
        QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

        Workaround
        If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

        Issue
        When users select a locale other than English, countries are not displayed in alphabetical order when editing a geographic condition. This makes editing geopraphic conditions difficult for administrators and users not using an English locale.
        1. Click User Preferences.
        2. Click Offenses.
        3. Click Rules.
        4. Click Actions > New Event Rule.
        5. Click Next.
        6. Select Events > Next.
        7. In the filter enter location:
        8. Choose one of the two rules.
          • when the source is located in this geographic location
          • when the source IP is a part of any of the following geographic network locations

          Results
          When you expand the locations, the list of countries are not displayed in alphabetical order.
          30 May 2022
          ERROR LOGS IJ28474 REPEATED SSH DEBUG MESSAGES CAN BE OBSERVED IN /VAR/LOG/MESSAGES CLOSED Resolved in
          QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
          Note: APAR IJ28474 was initially closed as a permanent restriction and resolved in 7.5.0 UP2.

          Workaround
          From an SSH session to the QRadar Console, paste the following command, press 'Enter' to take off '-v' option and restart tunnel_manager:

          sed -i 's/ssh -N -T -v/ssh -N -T/g' \/etc/systemd/system/managed-tunnel\@.service; systemctl \daemon-reload; systemctl restart tunnel_manager

          Issue
          Repeated SSH debug messages can be observed in /var/log/messages when a Managed Host connection is encrypted. For example:

          hostname ssh[5759]: debug1: channel 6: connected to localhost port 443
          hostname ssh[3083]: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 12 win 2097152 max 32768
          hostname ssh[3083]: debug1: client_request_forwarded_tcpip: listen localhost port 443, originator 127.0.0.1 port 39748
          hostname ssh[3083]: debug1: connect_next: host localhost ([127.0.0.1]:443) in progress, fd=14
          hostname ssh[3083]: debug1: channel 10: new [127.0.0.1]
          hostname ssh[3083]: debug1: confirm forwarded-tcpip
          hostname ssh[3083]: debug1: channel 10: connected to localhost port 443
          hostname ssh[3132]: debug1: client_input_global_request: rtype ***@openssh.com want_reply 1
          hostname ssh[3163]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1
          hostname ssh[3151]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1
          hostname ssh[2936]: debug1: channel 14: free: 127.0.0.1, nchannels 16
          30 May 2022
          SEARCH IJ21678 ARIEL SEARCHES IN QRADAR CAN TAKE LONGER THAN EXPECTED TO COMPLETE WHEN USING A LOG SOURCE TYPE FILTER CLOSED Resolved in
          QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue:
          Searches can take longer than expected to complete when using a Log Source type filter in an Ariel search. This has been identified as being caused by ariel becoming single threaded in some instances.
          30 May 2022
          UPGRADE IJ36926 QRADAR PATCHING CAN FAIL IF DUPLICATE IP ADDRESSES ARE PRESENT IN DATABASE TABLE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          The QRadar patching process from version 7.3.x to 7.4.3 FP3 or 7.4.3 FP4 can fail if duplicate ip addresses are present in the database due to new lines implemented in db_update_offense.inet.0.sql file.

          Messages similar to the following might be visible in the applicable /var/log/setup-xxxx/patches.log) when this issue occurs:
          Error applying script [31/136] '/media/updates/opt/qradar/conf/
          templates/db_update_offense.inet.0.sql'for Test_qradar database.
          WARNING:  SET TRANSACTION can only be used in transaction blocks
          NOTICE:  Finding duplicate IP addresses in ...
          NOTICE:  Duplicate IP addresses  found in ...
          23 February 2022
          UPGRADE IJ36269 QRADAR "PATCH SUCCESSFUL WITH ERRORS" FAILING ON "...9804.INSTALL" FILE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          The "patch was successful with errors" in these instances is benign and can be safely ignored.

          Issue
          The QRadar patching process can complete but fail on '...9804.install' ("Patch successful with errors") when a Managed Host is removed from the deployment prior to patching as there is a deleted record in the database that the 9804.install file is expecting during the patching process. The error is benign and can be safely ignored in these instances.
          23 February 2022
          DSM EDITOR IJ36376 EVENT PAYLOADS FAIL TO PARSE CORRECTLY WHEN THE PAYLOAD ENDS IN A QUOTATION MARK PRECEDED BY A SPACE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          Logs for Custom DSMs are parsed and mapped correctly in the DSM Editor but are marked and displayed as Stored in Log Activity when the payload ends in a " (quotation mark) character preceded by a blank space character.
          23 February 2022
          RULES IJ35847 AQL CUSTOM EVENT PROPERTIES IN EMAIL TEMPLATES DISPLAY AS 'N/A' AFTER PATCHING TO QRADAR 7.4.3 OR NEWER CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          AQL Custom event properties within the email template are displaying as 'N/A' after patching to QRadar version 7.4.3 or newer.

          This is caused by the deprecation of the ariel_aql_property database table.
          23 February 2022
          QRADAR NETWORK INSIGHTS (QNI) IJ35752 HIGHER THAN EXPECTED CPU USAGE ON QRADAR NETWORK INSIGHTS OR QRADAR INCIDENT FORENSICS HOSTS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          QRadar Network Insights hosts running on the Advanced inspection level or QRadar Incident Forensics hosts can experience high CPU consumption by the decapper process due to the regular expression for email address suspect content descriptions.
          23 February 2022
          APPLICATION FRAMEWORK IJ35002 UNINSTALLING A CONTENT PACK CAN CAUSE RULES TO NOT FUNCTION AS EXPECTED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          After uninstalling a QRadar content pack, rules can fail to function as expected. This can occur when the content pack uninstall process removes items (example: Custom Event Properties) that it should not remove.
          23 February 2022
          QRADAR RISK MANAGER IJ34908 QRADAR RISK MANAGER CAN DISPLAY A CONFIRMATION MESSAGE DURING DEVICE IMPORT WHEN THE DEVICES ARE NOT IMPORTED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          In QRadar Risk Manager, when devices are imported from a CSV file, the Device Import application can sometimes display the confirmation message similar to "Your devices have been imported successfully.", but the devices are not imported.
          23 February 2022
          UPGRADE IJ34734 QRADAR PATCHING PROCESS CAN FAIL ON DESTINATION SITE WHEN THE DATA SYNC APP IS INSTALLED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          • If the patch on the Destination site has failed, please contact support for assistance.
            or
          • Prior to starting the patching process, the issue can be avoided by performing the following:
            1. Patching the Main site (while active).
            2. Activate the Destination site.
            3. Patch the Destination site.
          Issue
          The QRadar patching process can fail to complete when using the Data Sync app. This is due to a problem that occurs when hostcontext and its managed processes are attempting to startup on a Destination site that is not in an active state.
          23 February 2022
          QRADAR INCIDENT FORENSICS IJ34838 QRADAR INCIDENT FORENSICS RECOVERY SEARCHES FAIL AFTER A QRADAR DEPLOY FUNCTION IS PERFORMED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          From an SSH session restart the solr service:
          systemctl restart solr
          Issue
          QRadar Incident Forensics recovery searches can fail after a QRadar deploy function as the solr service is not stopped during the deploy function processes.
          23 February 2022
          RULES IJ34847 DEPENDENT RULES ARE NOT DISPLAYED WHEN REFERENCE SETS ARE USED IN AN AQL OR ARIEL FILTER TEST IN A CUSTOM RULE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          From an SSH session restart the solr service:
          systemctl restart solr
          Issue
          When reference sets are used in an AQL (Advanced Search) or ariel filter test in a custom rule, the Reference Set Management interface does not indicate that rule as dependent on the reference set.

          For example:
          1. Have a reference set, TestRefSet.
          2. Create a custom rule. Add a test using "when the event matches this search filter"
          3. Select Reference set , and select Username from Data Entry, operator : Exists in any of . Set the filter value to "and when the event matches Username exists in any of TestRefSet"
          4. Select finish.
          5. Open Admin-> Reference Set Management
          6. Search for TestRefSet. Note that Associate Rules displays as 0.
          7. Double click on TestRefSet and then click on References. Note that "No items to display" is displayed.

            Expected result: Dependent Rules are listed
          23 February 2022
          QRADAR VULNERABILITY MANAGER IJ34318 QRADAR VULNERABILITY MANAGER REPORT IN XLS FORMAT CAN FAIL DUE TO 'NUMBERFORMATEXCEPTION' CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          Select another a report output format that is not .xls.

          Issue
          QRadar Vulnerability Manager reports that are configured to output in .xls format can fail.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          [report_runner] [main] com.q1labs.reporting.ReportServices:
          [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^
          #admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:A
          [MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#162573
          2490790].java.lang.NumberFormatException:For input string: "4.54
          [report_runner] [main] com.q1labs.reporting.ReportServices:
          [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^
          #admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:R
          admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml
          [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^
          #admin#$#9ec2259b-df99-4b5e-a8ea087c1a704b99#^#1625732490790]:Failed to generate report version.
          [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:623)
          [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:284)
          [report_runner] [main] com.q1labs.reporting.ReportRunner:
          [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- ]Run report
          "admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99" Error
          [report_runner] [main] java.lang.RuntimeException: REPORT [MAN
          UAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490
          790]:Failed to run using template
          admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml.
          23 February 2022
          INSTALL IJ34367 SHUTTING DOWN THE SYSTEM ON A NEW ISO INSTALL BEFORE THE LICENCE AGREEMENT CAUSES SETUP TO FAIL WHEN THE SYSTEM IS POWERED UP CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          During setup or when running qchange_netsetup you may receive the error "The script cannot determine if this IP has been reused." contact support for further help.

          This is caused by shutting down the system on a new ISO install at the login before the license agreement, causing setup to fail when the system is powered back on and the install continues.

          Look for similar error messages in /var/log/setup-<QRadar_build>/qradar_netsetup.log:
          qradar_netsetup.py[6638]: ibm_logging error [ERROR] The script
          cannot determine if this IP has been reused.
          Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
          finalBlock [ERROR] Exceptions:
          Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
          finalBlock [ERROR] Traceback (most recent call last):
          Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
          finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py",
          line 3969, in main
          Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
          finalBlock [ERROR] qradarNetsetup.doJob()
          Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
          finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py",
          line 961, in doJob
          23 February 2022
          ASSETS IJ33757 ASSET PROFILER CONFIGURATION 'USE ADVANCED' OPTION CHANGES NEW INPUT VALUES TO A VALUE OF ZERO (0) CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          In the Asset Profiler Configuration > Use advanced settings, new retention period values input are not saved and are instead reset to 0. For example
          1. Navigate to Admin > Asset Profiler Configuration.
          2. Change the Asset Profile Retention Period from Default 30 days to 'Use advanced'.
          3. Under the use advanced section, change one of the values from 30 to another value.
          4. Select Save and close the asset profiler configuration.
          5. Re-open the asset profiler configuration.

            Result
            Values are set to 0. No errors are generated in QRadar logging when this occurs and functionality works as expected when using the default 30 days value.

          Messages in /var/log/audit.log similar to the following might be visible when this issue occurs:
          admin@127.0.0.1 (5437)
          /console/JSON-RPC/QRadar.saveChangesAssetProfiler
          QRadar.saveChangesAssetProfiler | [Action]
          [QRadarSystemSettings] [SystemSettingsChange] admin changed
          'Enable Client Application Profiling' from '0' to '13' (
          initiating-user="admin" )
          admin@127.0.0.1 (5437)
          /console/JSON-RPC/QRadar.saveChangesAssetProfiler
          QRadar.saveChangesAssetProfiler | [Action]
          [QRadarSystemSettings] [SystemSettingsChange] admin changed
          'Enable Client Application Profiling' from '13' to '0' (
          initiating-user="admin" )
          23 February 2022
          RULES IJ34348 RULE OWNER CAN FAIL TO BE REASSIGNED AFTER A USER IS DELETED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          Recreate the deleted user, and reassign rule ownership prior to deletion. Issue
          When deleting a QRadar user, rules owned by that user are sometimes not re-assigned to the current active user as expected. For example,
          1. Have a user (eg. testuser3) that has rules created by them and assign them to a group.
          2. Navigate to Offense > Rules > Groups button, click on the group that were assigned to these rules (rule owner displays as testsuser3).
          3. Login as admin, delete the user testuser3, the dependents check dialog pops up, re-assign all ownership to admin, and then deploy the changes.
          4. Navigate back to Offense > Rules > Groups, click on the group that were assigned to these rules.

            Result
            The owner is still displayed as testuser3 when it should be admin in this example.
          23 February 2022
          CERTIFICATES IJ34632 HOSTCONTEXT OUT OF MEMORY CAN OCCUR WHEN A LARGE CERTIFICATE REVOCATION LIST EXISTS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          The QRadar Hostcontext service can experience an Out Of Memory occurrence when there is a large certificate revocation list file stored under cached_crls.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          3a30ea5c-e061-4a00-bb0f-2ea592d148f2/SequentialEventDispatcher
          at java.io.ByteArrayOutputStream.grow(I)V
          (ByteArrayOutputStream.java(Compiled Code))
           at java.io.ByteArrayOutputStream.write([BII)V
          (ByteArrayOutputStream.java:164(Compiled Code))
           at java.io.OutputStream.write([B)V
          (OutputStream.java:86(Compiled Code))
           at com.ibm.security.util.DerValue.toByteArray()[B
          (DerValue.java:1034(Compiled Code))
           at com.ibm.security.x509.X509CRLEntryImpl.parse(Lcom/ibm/secur
          ity/util/DerValue;)V(X509CRLEntryImpl.java:609(Compiled Code))
           at com.ibm.security.x509.X509CRLEntryImpl.(Lcom/ibm/secu
          rity/util/DerValue;)V(X509CRLEntryImpl.java:193(Compiled Code))
           at com.ibm.security.x509.X509CRLImpl.parse(Lcom/ibm/security/u
          til/DerValue;)V(X509CRLImpl.java:1634(Compiled Code))
           at
          com.ibm.security.x509.X509CRLImpl.<init>(Ljava/io/InputStream;)V
          (X509CRLImpl.java:228)
           at com.ibm.crypto.provider.X509Factory.engineGenerateCRL(Ljava
          /io/InputStream;)Ljava/security/cert/CRL;(null)
           at java.security.cert.CertificateFactory.generateCRL(Ljava/io/
          InputStream;)Ljava/security/cert/CRL;(CertificateFactory.java:50
           at com.q1labs.frameworks.crypto.trustmanager.Q1X509Certificate
          Factory.generateCrlURL(Ljava/lang/String;)Ljava/security/cert/X
          509CRL;(Q1X509CertificateFactory.java:569)
           at com.q1labs.frameworks.crypto.trustmanager.Q1X509CrlStore.ge
          nerateCrl(Ljava/lang/String;Ljava/lang/String;)Lcom/q1labs/fram
          eworks/crypto/trustmanager/Q1X509Crl;(Q1X509CrlStore.java:265)
           at com.q1labs.frameworks.crypto.trustmanager.Q1X509CrlStore.ge
          tCrl(Ljava/lang/String;)Lcom/q1labs/frameworks/crypto/trustmana
          ger/Q1X509Crl;(Q1X509CrlStore.java:243)
           at com.q1labs.frameworks.crypto.trustmanager.CertificateValida
          tor.checkCertPath([Ljava/security/cert/X509Certificate;Lcom/q1l
          abs/frameworks/crypto/trustmanager/Q1X509TrustStore;Lcom/q1labs
          /frameworks/crypto/trustmanager/Q1X509CrlStore;)V(CertificateVal
           at com.q1labs.frameworks.crypto.trustmanager.CertificateValida
          tor.validate([Ljava/security/cert/X509Certificate;Lcom/q1labs/f
          rameworks/crypto/trustmanager/CertValidatorParameters;)V(Certifi
           at com.q1labs.hostcontext.KeyStoreExpiryMonitor.monitorCertifi
          cateInfo(Lcom/q1labs/frameworks/crypto/KeyStoreManager;Lcom/q1l
          abs/frameworks/crypto/CertificateInfo;)V(KeyStoreExpiryMonitor.j
           at com.q1labs.hostcontext.KeyStoreExpiryMonitor.monitorEndCert
          ificates()V(KeyStoreExpiryMonitor.java:277)
           at com.q1labs.hostcontext.KeyStoreExpiryMonitor.timeExpired(Lc
          om/q1labs/frameworks/events/timer/TimerEvent;)V(KeyStoreExpiryMo
           at com.q1labs.frameworks.events.timer.TimerEventGenerator$Time
          rEventInfo.dispatchEvent()V(TimerEventGenerator.java:234)
           at com.q1labs.frameworks.events.SequentialEventDispatcher$Disp
          atchThread.run()V(SequentialEventDispatcher.java:129)
          23 February 2022
          EVENT COLLECTORS IJ33795 GLUSTERFS MIGRATION MANAGER CAN FAIL DURING RSYNC OF DATA BACK TO THE /STORE PARTITION CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Prior to running the migration tool steps, stop crond by using the following command from and SSH session to the appliance:
          systemctl stop crond
          After the migration tool is completed, restart crond using:
          systemctl start crond
          NOTE: IF the issue has already occurred, contact support for assistance. Issue
          The glusterfs_migration_manager can fail during the rsync of data back to store as crond is running.

          This can occur as crond runs a task every 1 minute in the time between the /store partition is mounted after it was reformated and the rsync restores the symlink for /store/tmp.
          23 February 2022
          CUSTOM EVENT PROPERTIES IJ34598 "OPTIMIZED" CUSTOM EVENT PROPERTY WITH DIFFERENT EXPRESSION TYPES DO NOT PROPERLY PARSE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Where possible, remove the "optimize" option for the Custom Event Property (disable the "Enable for use in Rules..." parameter).

          NOTE: This is a limited workaround as the optimize option can be required for proper QRadar performance and functionality. Issue
          When a log source type has two or more "optimized" CEPs with different expression types (eg; one has Generic List expression, the other has Name-Value Pair expression), they both get correct property values when using the DSM editor event parsing preview. When the events are viewed in the log activity tab, one of the properties will have an incorrect value or "N/A" (value is missing).
          23 February 2022
          EVENT COLLECTORS IJ34167 GLUSTERFS MIGRATION TOOL FAILS WHEN THE /STORE PARTITION ENCOUNTERED IS IN EXT4 FORMAT CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          The Glusterfs migration tool fails when it encounters a /store partition that is currently in ext4 format.
          23 February 2022
          DATA OBFUSCATION IJ34597 CEP PARSING BREAKS WHEN OBFUSCATION IS ACTIVATED AND THE CEP HAS FORCE PARSED ENABLED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          Uncheck the option under the Custom Event Property, Enable for use in Rules, Forwarding Profiles and Search Indexing. Issue
          Customers who use a regular expression based obfuscation profile and have checked the force parse option: "Enable for use in Rules, Forwarding Profiles and Search Indexing" might notice that event parsing using that Custom Event Property is broken.

          Steps to reproduce this issue:
          1. Create a Log Source that can receive events via syslog.
          2. Create and enable obfuscation on the 'Target Account Name'.
          3. For the Custom Event Property, check the "Enable for use in Rules, Forwarding Profiles and Search Indexing" checkbox.
          4. Replay events.

            Result
            The Custom Event Property parsing is broken.
          23 February 2022
          LICENSE IJ33284 QNI AND QIF ATTEMPT TO CONNECT TO LICENSE.XFORCE-SECURITY.COM AFTER A DECAPPER RAN OUT OF MEMORY CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          For environments where there is QRadar Incident Forensics or QRadar Network Insights, when a decapper Out Of Memory occurs and it is restarted, a connection attempt is made to license.xforce-security.com.

          When this occurs, it can be blocked by a customer installed firewall generating alert messages.
          23 February 2022
          OFFENSES IJ33893 THE OFFENSE API UPDATES THE OFFENSE IN THE DATABASE BUT THE OFFENSE MANAGER IS NOT AWARE OF IT CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124)
          QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          Updates to the offense API endpoint /api/siem/offenses/{id} updates the database, but the Offense Manager is not aware of the update.

          An attempt to close an offense from the API appears to succeed, for example,
          curl -S -X POST -u admin -H 'Version: 17.0' -H 'Accept:application/json' 'https://x.x.x.x/api/siem/offenses/111?status=CLOSED'
          The API sets offense closed in DB; however, the Event Processor and Magistrate Processor Core still think that the offense is opened and continue update it.
          23 February 2022
          RULES IJ33438 CORRUPT REFERENCE DATA TABLE CAN CAUSE THE RULE WIZARD TO FAIL TO WORK AS EXPECTED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          1. Identify the corrupt reference data instances, run the following from an SSH session to the QRadar Console:
            psql -U qradar -c "select rd.id,rd.name,rd.current_count,rd.key1_label,rd.value_label,rd.is_table from reference_data rd
            where rd.is_table = 't' and id NOT in (select rd_id from reference_data_key_type)"
          2. Use the Reference Data Management app to remove the corrupt reference data.
          Issue
          Corrupt reference data (database table) can stop the rule wizard from working as expected. Users are unable to see Rule enable and Rule limiter options in Rule Wizard, and unable to edit or add rules.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard]
          org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp:
          [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred
          in the _jspService method for org.apache.jsp.sem.jsp.ruleWizard.
          RuleWizard_002daction_jsp: null 
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] java.lang.NullPointerException
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
          org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp._js
          pService(RuleWizard_002daction_jsp.java:2104)[tomcat.tomcat] [us
          com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148)
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewiza javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
          org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/ruleworg.apache.jasper.servlet.JspServlet.service(JspServlet.java:33
          0)[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard]
          javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
          [tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
          23 February 2022
          QRADAR NETWORK INSIGHTS IJ37173 SOURCE AND DESTINATION PAYLOADS FOR ICMP TRAFFIC FAIL TO BE CAPTURED BY QRADAR NETWORK INSIGHTS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          QRadar Network Insights identifies ICMP traffic, but it does not capture source and destination payloads for ICMP traffic even when available.
          23 February 2022
          ASSETS IJ32925 ASSET PROFILER TREATS HOSTNAMES WITH DIFFERENT CASES (UPPER AND LOWER) AS SEPARATE ASSETS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          The QRadar asset profiler can create separate assets for the same asset due to differences in the case (upper and lower) of the hostname when events are processed by QRadar. For example,
          1. An asset exists in QRadar with DNS Hostname 'AB-123' and no MAC address.
          2. A DHCP event generated with hostname 'Ab-123' with MAC and IP is processed.

            Result
            A new asset is created for Ab-123
          23 February 2022
          RULES IJ32783 RULE RESPONSE EMAIL FAILS TO BE SENT DUE TO "&" (AMPERSAND) SYMBOL IN EMAIL ADDRESS BEING CHANGED TO "&" CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          When a Rule Response is configured for email and the email address contains an "&" (ampersand) symbol, the Rule Response email is not generated as the symbol is changed to "&" by QRadar.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
          lDestination]]com.q1labs.sem.util.EmailSender: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
          Exception attempting to send email: Illegal semicolon, not in group 
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]org.ap
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at 
          org.apache.commons.mail.Email.createIn
          va:605)[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEve
          inator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.addTo(Email.java)
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
          lDestination]]at org.apache.commons.mail.Email.addTo(Email.java:
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
          lDestination]]at org.apache.commons.mail.Email.addTo(Email.java)
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
          lDestination]]at com.q1labs.sem.util.EmailSender.send(EmailSende
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
          lDestination]]at com.ibm.si.ep.destinations.EmailDestination.outDestination.java:42)
          [ecs-ep.ecs-ep] [[type=com.eventgnosis.syst
          inator][parent=hostname:ecs-ep/EP/EmailDestination]]at com.eventgnosis.system.ThreadedEventTerminator.
          ventTerminator.java:51)[ecs-ep.ecs-ep] [[type=com.eventgnosis.sy
          inator][parent=hostname:ecs-ep/EP/EmailDestination]]at java.lang.Thread.run(Thread.java:822)
          23 February 2022
          RULES IJ32782 RULES CAN FAIL TO WORK AS EXPECTED DUE TO THE ACCUMULATOR PROCESS FAILING TO CONNECT TO ECS-EP PROCESS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Restarting the accumulator process can correct this issue. Run the following command from an SSH session to the QRadar Console:
          systemctl restart accumulator


          Issue
          In some instances, the connection from the accumulator to ecs-ep processes cannot be established once it has been disconnected by the channelActivitCheckTimer.

          When this occurs, rules (example: threshold rules) can fail to work as expected because of the failed connection between the processes.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          [accumulator.accumulator] [SentryAlertProcessor]
          com.q1labs.cve.sentryengine.AlertProcessor: [WARN]
          [NOT:0000004000][IP/- -] [-/- -][localhost:32005] 
          Unable to connect to: "localhost/127.0.0.1:32005".
          java.net.ProtocolException: Wrong protocol from
          java.nio.channels.SocketChannel[connected local=/127.0.0.1:59414
          remote=localhost/127.0.0.1:32005]
          23 February 2022
          REPORTS IJ32641 SCHEDULED REPORTS CAN RUN ON RAW DATA CAUSING THEM TO FAIL OR TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          QRadar deployments running version 7.4.1 or newer can experience an issue where scheduled reports are running on raw data.

          When this occurs, searches take longer than expected to complete causing the reports to take longer than expected to complete or cause them to fail.
          23 February 2022
          BACKUP AND RESTORE IJ32734 RESTORE FAILS WHEN DEPLOYMENT CONFIGURATION IS NOT AUTO SELECTED WHEN ASSET DATA IS BEING RESTORED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          When Asset Data is being restored from backup, the Deployment Configuration should automatically be selected but is not. The restore fails in situations where an Asset restore is attempted without Deployment Configuration.

          Messages similar to the following might be visible in /var/log/qradar.log when the backup is performed in this manner:
          [hostcontext.hostcontext] [BackupServices_restore]
          com.q1labs.configservices.hostcontext.exception.RestoreException: 
          No host id mapping supplied with asset restore
          [hostcontext.hostcontext] [BackupServices_restore] at 
          com.q1labs.hostcontext.backup.core.HostRemappingUtils.remapScannerHostIds(HostRemappingUtils.java:372)
          [hostcontext.hostcontext] [BackupServices_restore] at 
          com.q1labs.hostcontext.backup.core.HostRemappingUtils.remap(HostRemappingUtils.java:439)
          [hostcontext.hostcontext] [BackupServices_restore] at com.q1
          labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3068)
          [hostcontext.hostcontext] [BackupServices_restore]    
          ... 5 more
          23 February 2022
          GEOGRAPHIC DATA IJ20467 UNABLE TO RETRIEVE MAXMIND GEOLITE2-CITY.MMDB UPDATES USING A CONFIGURED PROXY IN QRADAR CLOSED Resolved in
          QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          It has been identified that the geodata database within QRadar is not getting updated when a proxy is correctly configured in the User Interface (Admin > Auto Updates > Change Settings > Advanced) due to an issue found within AutoUpdateProxyUtil.sh.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue is occuring:
          500 Can't connect to proxy_ip_address:proxy_port at
          /opt/qradar/bin/geoipupdate-pureperl.pl line 180, <STDIN> line 1.
          30 May 2022
          SEARCH IJ30759 ERROR MESSAGE GENERATED IN THE UI WHEN A SECURITY ADMIN ATTEMPS TO VIEW ANOTHER USER'S SAVED SEARCH RESULTS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          When trying to view another user's saved search results as a security administrator, the following error message is displayed:
          This query has timed out, and is no longer valid. Please use
          the search to perform a new query."
          23 February 2022
          FLOWS IJ30102 FLOWS CAN STOP BEING RECEIVED BY QRADAR WHEN THE 'FLOWGOVERNOR' EXPERIENCES A BLOCK WHILE TRYING TO CONNECT TO ECS-EC PROCESS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Performing a service restart from an SSH session to the QRadar Console can resolve this issue:
          systemctl restart ecs-ec-ingress
          Then type, the following command:
          # systemctl restart ecs-ec
          Note: Event collection is interrupted when the ecs-ec-ingress service is restarted

          Issue
          Flows can fail to be received by QRadar when the Flow Governor experiences a NullPopinterException. When this occurs, no flows are streamed to the QRadar User Interface and users are unable to see recent flows in searches.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          [ecs-ec.ecs-ec] [FlowGovernerProcessor]
          com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
          [NOT:0000003000][/- -] [-/- -]Exception was uncaught in thread:
          FlowGovernerProcessor
          [ecs-ec.ecs-ec] [FlowGovernerProcessor]
          java.lang.NullPointerException
          [ecs-ec.ecs-ec] [FlowGovernerProcessor]    at
          com.ibm.si.ec.filters.FlowGoverner$FlowProcessor.run(FlowGoverner.java:345)
          Note: This issue has been identifed as most likely to occur after a QRadar patch is applied.
          23 February 2022
          CERTIFICATES IJ29956 HTTPD SERVICE CAN FAIL TO START IF AN ISSUE OCCURS WHILE INSTALLING A NEW CERTIFICATE USING INSTALL-SSL-CERT.SH CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Manually start the httpd service from a command line SSH session on the QRadar Console:
          systemctl start httpd
          Issue
          The httpd service can sometimes fail to start after the install of a new ssl certificate via /opt/qradar/bin/install-ssl-cert.sh script. It is possible for the install-ssl-cert.sh script to restore a backup of the last configuration which attempts to reload the httpd service. The httpd service does not start successfully.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          Restoring previous SSL configuration ... (OK)
          Reloading httpd configuration:
          (SKIPPED): httpd not running
          Mon Nov 30 17:23:27 GTM 2020 [install-ssl-cert.sh] ERROR: Could
          not update SSL certificate - previous config restored
          23 February 2022
          HIGH AVAILABILITY (HA) IJ29684 BENIGN MESSAGE WRITTEN TO QRADAR LOGGING ON HA SECONDARY: "[WARN] HA IS ACTIVE BUT THIS IS NOT THE ACTIVE BOX. EXITING..." CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          A benign message similar to the following can sometimes be observed in the QRadar logging on a High Availability (HA) Secondary appliance:
          [WARN] HA is active but this is not the active box. Exiting..."


          NOTE: This is caused by the /opt/qvm/assetupdates/run-qvm-assetupdates.sh script (activated via cron) on the Secondary.

          This a benign message and can be safely ignored.
          23 February 2022
          ASSETS IJ29376 BLANK OPERATING SYSTEM (OS) FIELD DISPLAYED FOR IMPORTED ASSETS WHERE THE OS IS UNKNOWN TO QRADAR CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          When importing an asset that has an Operating System (OS) unknown to QRadar, the Asset tab displays the asset's OS as a blank field when it should dsplay it as 'unknown'.

          This behavior can also be observed in the Edit Asset Profile > Operating System field.
          23 February 2022
          FLOWS IJ29508 QFLOW PROCESS FAILS TO START WHEN THE RPM DATABASE CONTAINS CORRUPTION CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

          Issue
          When corruption occurs in the QRadar RPM database causing RPM commands to fail to respond, the qflow process fails to start. When this occurs, flows are not processed by QRadar.

          Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
          Job for qflow.service failed because a timeout was exceeded.
          See "systemctl status qflow.service" and "journalctl -xe" for details.
          23 February 2022
          HIGH AVAILABILITY (HA) IJ28804 HIGH AVAILABILITY SECONDARY IN 'OFFLINE' STATE WHEN IT IS REBOOTED A FEW MINUTES AFTER THE PRIMARY DURING PATCH PROCESS CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          On the affected Secondary appliance:
          1. Remove the .remote_ha_install file from /opt/qradar/ha/conf
          2. Restart ha_manager via an SSH session on the Secondary appliance:
            systemctl restart ha_manager


            Results
            The Secondary appliance should then return to "standby" state.

          Issue
          If during the patching process, a QRadar High Availability (HA) Secondary appliance reboot is performed a few minutes later than the Primary appliance, the HA Secondary can be in "offline" state after the reboot completes.
          23 February 2022
          LOG SOURCE MANAGEMENT APP IJ28767 AN API ERROR IS GENERATED WHILE USING THE LOG SOURCE MANAGEMENT APP WHEN CONFIGURED TO USE THE 'NORSK (NORGE)' LOCALE IN QRADAR CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Use the other available Norwegian locales:
          • norsk
          • norsk (Norge,nynorsk)
          • Norwegian Bokmal (Norge)

          • Issue
            Setting the QRadar locale to 'norsk (Norge)' can cause an API error when using the Log Source Managment (LSM) app. For example,
            1. Ensure the LSM app is installed.
            2. Change locale to norsk (Norge).
            3. Open the LSM app and proceed to click on "Log Sources".

              Result
              The following API error is generated:
              "Could not load log source data
              An unexpected API error has occured."


              Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
              [tomcat.tomcat] [admin@IP (2372)
              /console/restapi/api/config/event_sources/log_source_management/
              log_sources] Caused by:
              [tomcat.tomcat] [admin@IP (2372)
              /console/restapi/api/config/event_sources/log_source_management/
              log_sources] org.apache.openjpa.lib.jdbc.ReportingSQLException:
              ERROR: collation "no_NO" for encoding "UTF8" does not exist
              Position: 2097 {prepstmnt -2104345788 INSERT INTO
              logsourcereader_temp (id, spid, deviceinternal, status,
              end_time) SELECT id, spid, deviceinternal, status, end_time
              FROM (SELECT *   FROM (SELECT sd.id, sd.devicename,
              sd.devicedescription, sd.devicetypeid, sd.spconfig,
              coalesce(spc.spid, 0) as spid, sd.hostname, sd.deviceenabled,
              sd.gateway, sd.devicecredibility, sd.eccomponentid, sd.dlcid, 
              sd.encoding, sd.coalesce_events, sd.store_event_payload, 
              sd.extension_id, sd.languageid, sd.deployed, sd.autodiscovered, 
              sd.eps60s, sd.creationdate, sd.editdate, sd.timestamp_last_seen,
              sd.sending_ip, sd.parsing_order, sdba.bulk_group_name,
              sps.end_time, asdtdm.destination_id, CASE
              WHEN (sdt.mask = 1 OR sdt.devicecategoryid = 4) and
              sdt.id <> 246 THEN true ELSE false END AS
              deviceinternal, CASE WHEN 
              sd.deviceenabled = false THEN 4 WHEN
              ((spc.spid IS NULL OR spc.spid IN (0, 12, 22, 24, 50) 
              OR spc.spid IN (SELECT sensorprotocolid FROM sensorprotocolparameter 
              WHERE name = 'WinCollectInstanceName'))) THEN
              CASE WHEN sd.timestamp_last_seen = 0 THEN 0 
              WHEN sd.timestamp_last_seen < 1601515622685 THEN 3 ELSE 1
              END WHEN sps.last_known_status IS NOT NULL THEN sps.last_known_status
              ELSE 0 END AS status FROM sensordevice sd INNER JOIN sensordevicetype sdt ON
              (sdt.id = sd.devicetypeid) 
              LEFT JOIN sensorprotocolconfig spc ON (sd.spconfig = spc.id)
              LEFT JOIN sensordevicebulkadd sdba ON (sdba.id = sd.bulk_added_id 
              and sd.bulk_added = true)
              LEFT JOIN sensorprotocolstatus sps ON (sps.id = coalesce
              (sd.status_record, spc.status_record))
              LEFT JOIN ale_sensor_device_to_destination_mapping asdtdm ON 
              (asdtdm.sensor_device_id = sd.id AND asdtdm.internal = true))
              AS DUMMY  WHERE ((eccomponentid <> -1 OR eccomponentid IS
              NULL))  ORDER BY devicename COLLATE "no_NO" ASC  LIMIT 20
              OFFSET 0) AS DUMMY} 
          23 February 2022
          MANAGED HOSTS IJ28804 INTERMITTENT QRADAR SYSTEM NOTIFICATIONS 'TIME SYNCRONIZATION HAS FAILED - SOCAT FAILED TO INITIALIZE' WHEN ENCRYPTION ENABLED CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          Intermittent System Notifications similar to the following can sometimes be observed in QRadar environments where encryption to Managed Hosts (Encypt Host Connections) is enabled: "Time Synchronization to Console has failed - socat failed to initialize."
          23 February 2022
          RULES IJ05418 ANOMALY DETECTION ENGINE (ADE) RULES CAN CONTINUE TO FIRE AFTER BEING DISABLED AND/OR DELETED IN THE USER INTERFACE CLOSED Resolved in
          None. Closed as suggestion for future release.

          Workaround
          No workaround available.

          Issue
          It has been identified that some Anomaly Detection Engine (ADE) rules can continue to function after they have been disabled or deleted from the QRadar User Interface.

          For example, on some occasions users reported that the User Behavior Analytics (UBA) app is uninstalled. However, the anomaly rules can still be functioning in the QRadar backend (database) even if no longer displayed in the User Interface (UI) and/or if they are showing in the UI and are not able to be disabled or deleted.
          10 June 2019
          DATA OBFUSCATION IJ27704 REGEX BASED DATA OBSFUSCATION ONLY OBFUSCATES THE FIRST DATA MATCH, NOT ALL DATA MATCHES CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
          QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

          Workaround
          No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

          Issue
          In situations where regex based data obfuscation is used and there are multiple pieces of data that match the regex, only the first one will be obfuscated leaving any other matches in plain text.

          Expected behavior is that all data matches by the regex would be obfuscated, not just the first match.
          23 February 2022
          ROUTING RULES IJ25912 ROUTING RULE FILTERS DROP DOWN LIST DOES NOT RELOAD APPROPRIATE OPTIONS WHEN TOGGLING BETWEEN ONLINE AND OFFLINE CLOSED Resolved in
          QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

          Workaround
          Refresh the User Interface page prior to selecting the Routing Rule filters drop down.

          Issue
          Some offense properties do not appear in the Routing Rule Filters dropdown list after toggling between online and offline mode in the Routing Rule editor.

          For example:
          1. Select any routing rule.
          2. Switch Mode between online and offline.
          3. Check the Event Filters that are displayed in the drop down for each mode respectively.
            • Expected result: The dropdown list should reload properly so that the expected event filter options (either for online or for offline) are displayed.
            • Actual result: The dropdown list does not change.
            23 February 2022
            QRADAR VULNERABILITY MANAGER IJ24185 SYSTEM NOTIFICATION STATING QVM PROCESSOR FAILURE TO START CAN BE CAUSED BY CHECKQRMLICENSETRIGGER IN DB TABLE CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            QRadar System Notifications stating that the qvmprocessor has failed to start can be generated when checkQRMLIcenceTrigger data is unexpectedly existing in within a database table.
            [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR]
            [NOT:0150114103][ip_address/- -] [-/- -]Process
            qvmprocessor.qvm has failed to start for 6606 intervals.
            Continuing to try to start...


            Messages similar to the following might be visible using journalctl when this issue occurs for the qvmprocessor process:
            qvmprocessor[29794]: Error creating bean with name
            'cronSchedulerDAO' defined in class path resource
            [scheduler.spring.xml]: Cannot resolve reference to bean
            'quartzScheduler' while setting bean property 'scheduler';
            nested exception is
            org.springframework.beans.factory.BeanCreationException: Error
            creating bean with name 'quartzScheduler' defined in class path
            resource [sqlagents.spring.xml]: Invocation of init method
            failed; nested exception is org.quartz.JobPersistenceException:
            Couldn't retrieve trigger: No record found for selection of
            Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ? [See nested exception:
            java.lang.IllegalStateException: No record found for selection
            of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ?]
            org.springframework.beans.factory.BeanCreationException: Error
            creating bean with name 'cronSchedulerDAO' defined in class
            path resource [scheduler.spring.xml]: Cannot resolve reference
            to bean 'quartzScheduler' while setting bean property
            'scheduler'; nested exception is
            org.springframework.beans.factory.BeanCreationException: Error
            creating bean with name 'quartzScheduler' defined in class path
            resource [sqlagents.spring.xml]: Invocation of init method
            failed; nested exception is org.quartz.JobPersistenceException:
            Couldn't retrieve trigger: No record found for selection of
            Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ? [See nested exception:
            java.lang.IllegalStateException: No record found for selection
            of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ?]
            ...
            qvmprocessor[29794]: Caused by:
            org.springframework.beans.factory.BeanCreationException: Error
            creating bean with name 'quartzScheduler' defined in class path
            resource [sqlagents.spring.xml]: Invocation of init method
            failed; nested exception is org.quartz.JobPersistenceException:
            Couldn't retrieve trigger: No record found for selection of
            Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ? [See nested exception:
            java.lang.IllegalStateException: No record found for selection
            of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
            statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
            SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
            TRIGGER_GROUP = ?]
            ...
            qvmprocessor[29794]: Caused by:
            org.quartz.JobPersistenceException: Couldn't retrieve trigger:
            No record found for selection of Trigger with key:
            'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT *
            FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler'
            AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested
            exception: java.lang.IllegalStateException: No record found for
            selection of Trigger with key:
            'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT *
            FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler'
            AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?]


            How to use journalctl: https://www.ibm.com/support/pages/qradar-using-journalctl-command-view-logs-qradar-services
            23 February 2022
            RULES IJ28545 WHEN MODIFYING GEOGRAPHIC RULE CONDITIONS UNDER THE SPANISH LOCALE BELARUS IS SHOWN AS BRASIL INSTEAD OF BIELORRUSIA CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            To correct this issue,
            1. Use an SSH session to log in to the QRadar Console as root user.
            2. Run at the command line
              sed -i 's/geodata.Europe.Belarus=Brasil/geodata.Europe.Belarus=Bielo
              russia/g' /opt/qradar/conf/localization/geodata_es.properties

            Issue
            When using the Spanish locale and modifying a geographic rule condition it appears as though Brazil has been put in "Europe" by mistake. However, it can also be seen in South America. The issue is that under the Spanish locale Belarus has been given the name "Brasil" instead of "Bielorrusia". For example:
            1. Log in to the QRadar Console.
            2. Change locale to español.
            3. Click Offenses.
            4. Create a new event rule.
            5. Click Next.
            6. Click Events > Next
            7. Filter on "location" and choose either of these rules:
              - when the source is located in this geographic location
              - when the source IP is a part of any of the following geographic network locations
            8. Select the location parameter and go in to "Europa".

              Result
              Brasil will be visible in the list of countries.
            23 February 2022
            SEARCH IJ22497 OFFENSES WITHOUT NAMING CANNOT BE SEARCHED BY DESCRIPTION CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            The Offense can be searched by the Offense Id.

            Issue
            When the search option is used to find an Offense using the "Description" field under "Offenses" tab, no results are displayed when there is no naming. For example,
            1. Have a rule with Rule Response > Dispatch a new event > Ensure the dispatched event is part of an offense.
            2. Select "This information should not contribute to the naming of the associated offense(s)".
            3. Use the search option to find the offense using the "Description" field under the "Offenses" tab.

              Results
              No search results are returned
            23 February 2022
            BACKUP AND RESTORE IJ06104 THE HEALTH METRICS LOG SOURCE NAME FROM A CONFIGURATION BACKUP OVERWRITES THE NEW CONSOLE'S HOSTNAME IN THE LOG SOURCE CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            It has been identified that when a Configuration Backup is restored onto a QRadar Console that has a different hostname, the Health Metrics log source name continues to be displayed as the old hostname (ie. the Console's hostname contained within the config backup from the originating Console).
            23 February 2022
            SYSTEM NOTIFICATIONS IJ24564 A QRADAR SYSTEM NOTIFICATION IS GENERATED WHEN THE AUTOGENERATED QRADAR_SAML CERTIFICATE CANNOT BE RENEWED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            A System Notification similar to the following can be generated when the autogenerated QRadar_SAML cert cannot be renewed:
            com.q1labs.hostcontext.KeyStoreExpiryMonitor: [WARN]
            NOT:0030004104][127.0.0.1/- -] [-/- -]The certificate named
            QRadar_SAML will expire on Sun Dec 01 02:06:40 AST 2019. Please
            update the certificate  soon.


            The autogenerated QRadar_SAML cert cannot be renewed for users not using SAML 2.0 authentication. This autogenerated certificate isn't needed unless: - the console is configured for SAML 2.0 authentication - the QRadar_SAML certificate is the certificate used
            23 February 2022
            AUTHORIZED SERVICE TOKENS IJ37935 AUTHORIZED SERVICES WITH SPACES IN NAMES CAUSE 'FAILED TO DECRYPT' ERRORS DURING UPGRADE OPEN Workaround
            No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            It has been identified that authorized services with spaces in the name can can generate a 'Failed to decrypt' error message when administrators upgrade to QRadar 7.5.0 UP1 versions. When the authorized service token fails to decrypt successfully, this can lead to grouped data (FGroups) with incorrect names, which can affect users trying to view the data after the upgrade completes. An FGroup is a group of content such as a log source group, reporting group, or search group in QRadar.

            When this issur occurs, patches.log for the upgrade can display the following error messages:
            Jan 20 14:47:48 2022: Jan 20 14:47:48
            2022:[DEBUG](-ni-patchmode) Running script
            /media/updates/scripts/QRADAR-9108.install --mode mainpatch
            Jan 20 14:47:53 2022: Jan 20 14:47:53 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:47:55 2022: Jan 20 14:47:55 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:48:00 2022: Jan 20 14:48:00 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:48:01 2022: Jan 20 14:48:01 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:48:03 2022: Jan 20 14:48:03 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:48:07 2022: Jan 20 14:48:07 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            Jan 20 14:48:09 2022: Jan 20 14:48:09 2022:
            [WARN](-ni-patchmode) ERROR: Failed to decrypt
            04 March 2022
            USER INTERFACE IJ37604 FAILURE TO DECRYPT A CONFIG RESTORE IN 7.4.3 FIX PACK 4 CAN CAUSE USER INTERFACE ISSUES CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            A flash notice is available with an attached support utility to resolve this issue for administrators. To review the flash notice and download ConfigRestore_IJ37604.sh, see https://www.ibm.com/support/pages/node/6554538

            Issue
            Administrators who attempt to restore a configuration on QRadar 7.4.3 Fix Pack 4 (Build 20211109160104) or 7.4.3 Fix Pack 4 Interim Fix 2 (Build 20211217105419) can experience an error when the configuration restore file cannot be decrypted. When a configuration restore fails, a 'CryptoException: Failed to decrypt data' message displays in the logs and the configuration restore does not complete successfully. This issue can lead to the user interface being unavailable after the configuration restore fails as passwords cannot be properly decrypted from the configuration, requiring QRadar Support assistance.

            Scenarios that can lead to a key decryption issue in QRadar 7.4.3 Fix Pack 4:
            1. A Console is rebuilt or reinstalled and the admin attempts to restore the latest night configuration backup.
            2. Hardware migrations from an old Console to a new Console appliance.
            3. Administrators who use a lab Console appliance to validation changes, then attempt to restore a nightly configuration backup to the production Console.

            The following message is written to /var/log/qradar.log when a configuration restore fails to decrypt:
            com.q1labs.frameworks.crypto.DecryptException:
            com.ibm.si.mks.CryptoException: Failed to decrypt data
            [hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frame
            works.crypto.CryptoUtils.decrypt(CryptoUtils.java:56)
            [hostcontext.hostcontext] [pool-2-thread-1]
            com.ibm.si.mks.CryptoException: Failed to decrypt data
            [hostcontext.hostcontext] [pool-2-thread-1] at
            com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:385)
            [hostcontext.hostcontext] [pool-2-thread-1] at
            com.ibm.si.mks.Crypto.decrypt(Crypto.java:70)
            [hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frame
            works.crypto.CryptoUtils.decrypt(CryptoUtils.java:53)
            [hostcontext.hostcontext] [pool-2-thread-1] at
            javax.crypto.Cipher.a(Unknown Source)
            [hostcontext.hostcontext] [pool-2-thread-1] at
            javax.crypto.Cipher.init(Unknown Source)
            [hostcontext.hostcontext] [pool-2-thread-1] at
            javax.crypto.Cipher.init(Unknown Source)
            [hostcontext.hostcontext] [pool-2-thread-1] at
            com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:376)
            java.io.IOException: Integrity check failed:
            java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
            16 March 2022
            SECURITY BULLETIN CVE-2021-3712 OPENSSL AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137)
            QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207)

            Affected versions
            • IBM QRadar SIEM 7.5.0 GA
            • IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
            • IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10
            Issue
            OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack. CVSS Base score: 6.5
            18 February 2022
            SECURITY BULLETIN CVE-2021-4034 Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137)
            QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207)

            Affected versions
            • IBM QRadar SIEM 7.5.0 GA
            • IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
            • IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10
            Issue
            Polkit could allow a local authenticated attacker to gain elevated privileges on the system, caused by incorrect handling of the argument vectors in the pkexec utility. By crafting environment variables in a specific way, an attacker could exploit this vulnerability to execute commands with root privileges. CVSS Base score: 7.8
            18 February 2022
            SECURITY BULLETIN CVE-2021-44790
            CVE-2021-34798
            CVE-2021-39275
            Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.4.3 Fix Pack 4 Interim Fix 4 (7.4.3.20220211142137)
            QRadar 7.3.3 Fix Pack 10 Interim Fix 2 (7.3.3.20220203193207)

            Affected versions
            • IBM QRadar SIEM 7.5.0 GA
            • IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
            • IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10
            Issue
            • CVE-2015-5237: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking in the mod_lua multipart parser called from Lua scripts). By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8
            • CVE-2019-17195: Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.9
            • CVE-2012-6708: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the ap_escape_quotes() function. By sending specially crafted input, a remote attacker could write beyond the end of a buffer. CVSS Base score: 3.7
            18 February 2022
            APPLICATION FRAMEWORK IJ34380 QRADAR APPS CAN FAIL TO REINSTALL AFTER THEY ARE UNINSTALLED WHEN USING AN APPHOST CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124)

            Workaround
            Prior to attempting to reinstall the app:
            1. Restart the docker-distribution service by running the following command from an SSH session to the QRadar console:
              systemctl restart docker-distribution
            2. Attempt the App install again.

            Issue
            In some instances, a QRadar user is unable to reinstall a QRadar
            App after uninstalling it from an Apphost in the deployment when
            a "manifest unknown" error is generated.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1]
            com.ibm.si.cmt.utils.app.AppFrameworkAPIClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]null
            [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.cmt.utils.app.ApplicationErrorStateException
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.waitForInstallStatusChange(AppFrameworkAPIClient.java:503)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.getAppInstallResult(AppFrameworkAPIClient.java:239)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.performInstallOrUpgrade(AppFrameworkAPIClient.java:202)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.installAppWithOneInstance(AppFrameworkAPIClient.java:118)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.installApplication(AppFrameworkAPIClient.java:101)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentCustom.importApplicationViaZip(ContentCustom.java:4404)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentCustom.importCustom(ContentCustom.java:646)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java:3870)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java:1942)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java:4039)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java:201)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java:82)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java:81)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java:822)
            [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
            Failed to import content ile [/store/tmp/cmt/out/QDI-2/QDIocp-ContentExport-20200221185554.xml]
            [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000]
            [extension with id = 451 failed: appfw.app.health.check.failed
            [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: appfw.app.health.check.failed
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java:84)
            [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java:822)
            console-test-primary testregistry[28344]:
            time="2021-02-12T14:07:54-04:00" level=error msg="response
            completed with error" err.code="manifest unknown"
            err.detail="unknown manifest name=qapp/1158
            revision=sha256:df8d466107eda22d9c59818d6c834e92c4d656d2
            32b9a512ad5d166a391a0023" err.message="manifest unknown"
            go.version=go1.9.2
            http.request.host="console.localdeployment:5000"
            http.request.id=da0263ba-1fe4-4826-8c45-69ade7306f42
            http.request.method=GET
            http.request.remoteaddr="0.0.0.0:41414" http.request.uri="/
            v2/qapp/1158/manifests/2.2.5-20210212140020"
            http.request.useragent="docker/18.09.2 go/go1.10.6
            git-commit/6247962 kernel/3.10.0-1160.6.1.el7.x86_64 os/linux
            arch/amd64 UpstreamClient(Docker-Client/18.09.2 \\(linux
            ))" http.response.contenttype="application/json; charset=utf-8" 
            http.response.duration=1.991631ms http.response.status=404 
            http.response.written=185 instance.id=62e5af6b-0bd7-4094-bd71-c13da0a1c0bf
            vars.name="qapp/1158" vars.reference=2.2.5-20210212140020
            version="v2.6.2+unknown"
            2 February 2022
            QRADAR NETWORK INSIGHTS (QNI) IJ34582 THE NAPATECH FIRMWARE FOR THE 1910 (6300) APPLIANCES DELIVERED IN THE ISO IS INCORRECT CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available.

            Issue
            The firmware for the Napatech card in the 1901 (6300) QRadar Network Insights (QNI) appliances is packaged in the ISO. The original firmware delivered from Napatech was incorrect. This results in the Napatech card not starting.
            2 February 2022
            DEPLOYMENT IJ35113 EVENT OR FLOW PROCESSORS CAN RUN OUT OF AVAILABLE FILE HANDLES IN ENCRYPTED DEPLOYMENTS AND PORT TO CONSOLE DROPS CLOSED Resolved in
            QRadar 7.5.0 GA (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)

            Workaround
            Admninistrators have two options to resolve the file handle issue util a software update can be released to resolve this issue:

            Option 1
            1. Perform a restart of the ecs-ep service from an SSH session on affected appliances can temporarily correct this issue:
              systemctl restart ecs-ep
            2. Investigate and fix the reason the remote port isn't available then restart the service that has run out of file handles.
            Option 2
            Administrators can disable encrpyption on the managed host:
            1. Log in to the Console as the administrator.
            2. Click the Admin tab > System and License Management.
            3. Select the Event or Flow Processor
            4. Click Deployment Actions > Edit Managed host.
            5. Clear the check box Encrypt Host Connections.

            Issue
            QRadar deployments can experience Event Processors or Flow Processors that can run out of file handles if they have encrypted tunnels and are generating offenses if the Console port they are connecting to is down.
            2 February 2020
            API IJ34378 QRADAR API 16.0 CAN RETURN UNEXPECTED RESULTS IN SOME INSTANCES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Use an API version prior to 16.0 (eg. 15.x) by accessing the QRadar interactive API documentation.

            Issue
            The QRadar API 16.0 can return unexpected results when using Range Header parameter versus the expected output when using an earlier version of the QRadar API (eg. 15.x).
            2 February 2020
            DEPLOY CHANGES IJ30810 DEPLOY CHANGES FUNCTION CAUSES IN PROGRESS SEARCHES TO ERROR WHEN AN ENCRYPTED MANAGED HOST IS IN THE QRADAR DEPLOYMENT OPEN Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)


            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums. https://ibm.biz/qradarforums

            Issue
            When performing a Deploy Changes function (not a Deploy Full Configuration), any search that is in progress is interrupted and goes into error as the ariel proxy service restarts when the deployment has an encrypted Managed Host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [x.x.x.x] com.q1labs.configservices.config.globalset.platform.GlobalArielServerListTransformer: 
            [INFO] [NOT:0000006000][x.x.x.x/- -] [-/--]Ariel list transformer has changed the deployment file.
            2 February 2020
            QFLOW IJ33435 QFLOW CAN SOMETIMES STOP PROCESSING IPFIX PACKETS SENT FROM QRADAR NETWORK INSIGHTS CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.5.0 GA (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            Restarting the Qflow service can temporarily correct the issue, but it can occur again in the future until a software release is availabe to resolve the error.

            Type the following from an SSH session to the QRadar Console:
            systemctl restart qflow

            Issue
            Qflow can stop processing flows when there is increase in the amount of flows from QRadar Network Insights (QNI).

            This issue occurs when QNI is set to enriched and the communication between QNI and Qflow service is configured for UDP.
            2 February 2020
            QFLOW IJ32496 INTERNAL API CALLS FAIL WHEN A CONSOLE FQDN IS ALL CAPITALS EVEN WHEN IT IS IN A NO_PROXY LIST CLOSED Resolved in
            QRadar 7.5.0 GA (7.5.0.20211220195207)

            Workaround
            Add the console FQDN in lower case letters to the APP_PROXY_NO_PROXY_LIST in the nva.conf file:
            1. Use an SSH session to connect to the QRadar Console.
              IMPORTANT: Administrators must backup your existing nva.conf before you attempt to make any changes. It is typically recommended that administrators create a folder for save files before a change. For example, administrators can use the mkdir command to create /store/IBM or /store/ibmsupport for temporary files before you apply a configuration change.
            2. To backup your nva.conf file, type:
              cp /opt/qradar/conf/nva.conf /store/IBM/nva.conf
            3. Navigate to /store/configservices/staging/globalconfig/nva.conf.
            4. Edit /store/configservices/staging/globalconfig/nva.conf and add the FQDN of the console in lower case letters to the list: APP_PROXY_NO_PROXY_LIST=

              Note: If you have multiple addresses, you can use commas to separate values between multiple hosts. For example:
              APP_PROXY_NO_PROXY_LIST=example-host.net,example-host2.net
            5. Log in to the QRadar Console user interface.
            6. Click the Admin tab and select Deploy changes.

            7. For more information on Deploy Changes, see https://www.ibm.biz/qradardeploy

            Issue
            QRadar Apps and or other internal API calls continue to attempt to route through a proxy, even when the hostname is in a no_proxy list, and fails due to the console Fully Qualified Domain Name (FQDN) being in all capital letters. For example:
            1. Have a console with a FQDN in capital letters.
            2. Configure the Console to use a proxy for Auto updates.
            3. Install Pulse or Network Hierarchy app on the Console.
            4. Attempt to access Pulse's Threat Globe dashboard or try to do a backup in Network Hierarchy.

              Result
              The backup fails and on Pulse app displays the error 'Unable to Connect to QRadar - Cannot establish a connection to the console.'
            2 February 2020
            UPGRADE IJ35458 HTTPD.JSON FILE CAN BE OVERWRITTEN DURING THE QRADAR PATCHING PROCESS CAUSING CUSTOM CERTS TO BE REPLACED CLOSED Resolved in
            QRadar 7.5.0 GA (7.5.0.20211220195207)

            Workaround
            No workaround available.

            APARs identified with no workaround require a software delivery to resolve. This reported issue is under considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            In some instances, the qradarca RPM is updated during the QRadar patching process and overwrites the /opt/qradar/ca/conf.d/httpd.json file.

            This can cause values such as CertSkip and CertMonitorThreshold to be lost, in turn causing custom httpd certs to be replaced by certs generated by the local CA during the patch.
            2 February 2020
            RULE IJ31110 ADDING "EVENT PROCESSOR" AS A RESPONSE TO A REFERENCE DATA RULE DOES NOT WORK AS EXPECTED CLOSED Resolved in
            QRadar 7.5.0 GA (7.5.0.20211220195207)

            Workaround
            Create an AQL property of HOSTNAME(processorid) and use that to obtain the required data: http://ibm.biz/aqlfunctions

            Issue
            When Event Processor is added to the response for a Reference Data response, a ClassNotFoundException occurs and the rule response does not work.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ep.ecs-ep] [CRE Processor [3]]
            com.q1labs.semsources.cre.responses.ReferenceDataResponse:
            [ERROR] [NOT:0000003000][QRADARIP/- -] [-/- -]Failed to get
            values from event: property="eventProcessorId",
            key1Val="127.0.0.1", key2Val=null, doSend=true, unRollFlow=false
            [ecs-ep.ecs-ep] [CRE Processor [3]] java.lang.RuntimeException:
            java.lang.ClassNotFoundException:
            com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
            [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:933)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.getValuesFromEvent(AbstractReferenceDataResponse.java:253)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.extractValuesFromEventAndSend(AbstractReferenceDataResponse.java:223)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
            [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by:
            java.lang.ClassNotFoundException:
            com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
            [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
            [ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
            [ecs-ep.ecs-ep] [CRE Processor [3]] ... 12 more
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CREProcessor [3]] at
            com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
            com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException:
            com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] 
            at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
            Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE
            Processor [3]] ... 12 more
            2 February 2020
            QRADAR INCIDENT FORENSICS IJ30070 USER SAVE FUNCTION CAN FAIL WITH AN ERROR WRITTEN TO QRADAR-SQL.LOG CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available.

            APARs identified with no workaround require a software delivery to resolve. This reported issue is under considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            The user 'Save' function can fail with an error written to qradar-sql.log. For example,
            1. Open the forensics user permission window.
            2. Assign a user and assign some cases.
            3. Select save user.

              Messages similar to the following might be visible in the /var/log/qradar-sql.log when this issue occurs:
              postgres[9113]: [3-1] ERROR: syntax error at or near "select"
              at character 91
              postgres[9113]: [3-2] STATEMENT: BEGIN;
              postgres[9113]: [3-3] SET search_path TO
              forensics,"$user",public;
              postgres[9113]: [3-4] UPDATE forensics.users SET username =
              select '174' WHERE id = '57' AND NOT EXISTS (SELECT * from
              forensics.users where username='174');
              postgres[9113]: [3-5]
              postgres[9159]: [3-1] ERROR: syntax error at or near "select"
              at character 91
              postgres[9159]: [3-2] STATEMENT: BEGIN;
              postgres[9159]: [3-3] SET search_path TO
              forensics,"$user",public;
              postgres[9159]: [3-4] UPDATE forensics.users SET username =
              select '174' WHERE id = '57' AND NOT EXISTS (SELECT * from
              forensics.users where username='174');
              ...and if the database is busy, messages similar to the
              following might also be visible:
              postgres[13432]: [3-1] ERROR: duplicate key value violates
              unique constraint "users_username_key"
              postgres[13432]: [3-2] DETAIL: Key (username)=(430007059)
              already exists.
              postgres[13432]: [3-3] STATEMENT: BEGIN;
              postgres[13432]: [3-4] SET search_path TO
              forensics,"$user",public;
              postgres[13432]: [3-5] INSERT INTO forensics.users (username)
              select '430007059' WHERE NOT EXISTS (SELECT * from
              forensics.users where username='430007059') RETURNING lastval()
              as insert_id;
              postgres[13432]: [3-6]
              postgres[13432]: [4-1] ERROR: current transaction is aborted,
              commands ignored until end of transaction block
              postgres[13432]: [4-2] STATEMENT: SET search_path TO
              forensics,"$user",public;
              postgres[13432]: [5-1] ERROR: current transaction is aborted,
              commands ignored until end of transaction block
              postgres[13432]: [5-2] STATEMENT: SELECT id FROM users WHERE
              username = '430007059'
            2 February 2020
            QFLOW IJ30100 QRADAR CONFIG FILE IPFIXFIELDS.CONF CONTAINS TLV (TIME-LENGTH-VALUE) DATA THAT CAN AFFECT PAYLOADS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Contact support if you need help administering the following workaround. Always make a backup of a file if you plan to alter it.

            1. Copy /opt/qradar/conf/IPFIXFields.conf to /store/configservices/staging/globalconfig/ on the Console.
            2. Edit /store/configservices/staging/globalconfig/IPFIXFields.conf to add lines for the fields you wish to exclude. Example:
                  2,158,PROTOCOL_NAME,0
                  2,159,PROTOCOL_VERSION,0
            3. Save the file.
            4. From the Admin tab, click Deploy changes.
            5. For more information on TLV or Payload for QFlow, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qni_configure_qflow_settings.html

              Issue
              There are several newer TLVs (type-length-value) that are not excluded from payload mode in the IPFIXFields.conf. These internal properties can fill up the payload block. A flow can have it's payload filled with an incorrect property when this occurs instead of the true payload.
            2 February 2020
            QRADAR INCIDENT FORENSICS IJ30020 QRADAR INCIDENT FORENSICS UPLOAD CAN FAIL WHEN THERE ARE SPECIAL CHARACTERS CONTAINED IN THE DATABASE PASSWORD CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available.

            APARs identified with no workaround require a software delivery to resolve. This reported issue is under considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Error similar to "There was an error running the forensics recovery." is observed while attempting to run a Forensics recovery on the Console when there is a database password containing special characters.
            [tomcat.tomcat] [HttpServletRequest-87-Idle]
            com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
            SQLException: FATAL: password authentication failed for user
            "qradar"
            SQLState: 28P01
            VendorError: 0
            --
            Checking the postgresql-qrd service in the Console it still
            shows this connection failures.
            x.x.x.x.ent postgres[173526]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173909]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173909]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173914]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173914]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173929]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173929]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
            2 February 2020
            UPGRADE IJ30097 MIGRATION FROM GLUSTERFS TO DRBD DURING EVENT COLLECTOR UPGRADE TO 7.4.2.X FOR HIGH AVAILABILITY CAN WIPE /STORE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Contact support for additional assistance as an appliance rebuild(s) is required if /store on the 15xx appliance in HA has been wiped during the migration/upgrade.

            Issue
            Upgrading to 7.4.2.X, QRadar Event Collector (EC) appliances (type 15xx) configured for High Availability (HA)are required to move from glusterfs to DRBD.

            The upgrade process requires manually running a script to perform that migration on 15xx appliances in HA. The script can be incorrectly be configured to use /store as its backup directory.

            If /store is configured in the script for backup (of the /store partition), the prepare_ha script used to prepare the environments wipes /store, therefore deleting the backup. 7.4.2 upgrade information: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/t_qradar_up_ugrad_sys.html
            2 February 2020
            QRADAR INCIDENT FORENSICS IJ30018 CASE CANNOT BE UPLOADED IN QRADAR INCIDENT FORENSICS WHEN THE FTPMONITOR CANNOT CONNECT TO THE DATABASE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available.

            APARs identified with no workaround require a software delivery to resolve. This reported issue is under considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Cases cannot be uploaded into QRadar Incident Forensics when an ftp user has not been properly updated as the Forensics ftpmonitor fails the database connection.

            Messages similar to the following might be visible in QRadar logging when this issue occurs:
            127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: [ERROR] Failed to get users
            127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: Failed to retrieve console host.
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58)
            127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566)
            127.0.0.1 at java.util.TimerThread.run(Timer.java:516)
            127.0.0.1 Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username"
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514)
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141)
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
            127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
            127.0.0.1 at org.postgresql.jdbc.PgConnection.(PgConnection.java:195)
            127.0.0.1 at org.postgresql.Driver.makeConnection(Driver.java:454)
            127.0.0.1 at org.postgresql.Driver.connect(Driver.java:256)
            127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:675)
            127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:281)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.connect(Database.java:59)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:183)
            127.0.0.1 ... 5 more
            2 February 2020
            APPLICATION FRAMEWORK IJ28790 A QRADAR APP CAN FAIL TO AUTOMATICALLY RESTART IF THE APP HAS BEEN STOPPED AND IS IN AN ERROR STATE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Use the qappmanager utility to put the App back into RUNNING state: https://www.ibm.com/support/pages/qradar-about-qappmanager-support-utility

            Issue
            When a QRadar App is in ERROR state, the RestartAppAsyncTask attempts to restart the affected App. In some instances, an exception can occur that blocks the affected App from starting properly.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [pool-1-thread-7]
            com.q1labs.restapi_annotations.content.exceptions.endpointExcept
            ions.ServerProcessingException: An error occurred setting app
            status to [STOPPED]. Task state found to be [EXCEPTION].
            [tomcat.tomcat] [pool-1-thread-7]    at
            com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.stopAppInstance(RestartAppAsyncTask.java:149)
            [tomcat.tomcat] [pool-1-thread-7]    at
            com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.runTask(RestartAppAsyncTask.java:112)
            [tomcat.tomcat] [pool-1-thread-7]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
            [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) 
            [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
            [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) 
            [tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) 
            [tomcat.tomcat] [pool-1-thread-7]    at java.lang.Thread.run(Thread.java:818)
            2 February 2020
            CUSTOM EVENT PROPERTY IJ27841 CUSTOM EVENT PROPERTY NAME THAT CONTAINS A PLUS SYMBOL "+" CANNOT BE SELECTED IN A RULE WIZARD RULE STACK CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Where possible, do not use a plus symbol "+" in the name of a Custom Event Property.

            Issue
            When a Custom Event Property name contains a plus symbol "+", that CEP cannot be selected in the rule test stack.

            For example, AQL property name such as URI-Domain+Path+Query

            When saved, navigate to Rule Wizard (event rule) with the following condition and when any of these event properties are contained in any of these reference sets.

            Attempting to select URI-Domain+Path+Query generates an exception in /var/log/qradar.log similar to the following:
            [tomcat.tomcat] [x(3588)
            /console/do/rulewizard/saveCustomizeConditionParameter]
            com.q1labs.sem.ui.util.RuleConditionUtils: [WARN]
            [NOT:0000004000][/- -] [-/- -]No lookup results found for user
            selection(s) URI-Domain+Path+Query for method
            com.q1labs.sem.ui.semservices.UISemServices.getEventDatabaseFields
            2 February 2020
            QRADAR VULNERABILITY MANAGER IJ29848 'USE CENTRALIZED CREDENTIALS' IN QRADAR VULNERABILITY MANAGER BECOMES DESELECTED WHEN EDITING A SCAN PROFILE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forum. shttps://ibm.biz/qradarforums

            Issue
            When editing a Scan Profile the use centralized credentials checkbox becomes unchecked in the QRadar User Interface. For example:
            1. Log into QRadar.
            2. Click Vulnerbilities.
            3. Click adminstration, then scan profile.
            4. Click Add to create a acan profile.
            5. Give scan profile a name, click Use centralized credentials checkbox.
            6. Save the Scan.
            7. Click the newly created scan, click Edit.

              Expected results
              The use centralized credentials checkbox is selected.

              Actual result The use centralized credentials checkbox is unchecked.
              Note: Scans saved with the use centalized creditionals selected save correctly and still run correctly.
            2 February 2020
            LICENSE IJ24030 EXPIRED LICENSE ALLOCATED TO A DELETED MANAGED HOST CAN GENERATE A NOTIFICATION MESSAGE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            When a QRadar deployment has an expired license(s) allocated to a deleted Managed Host(s), an incorrect notification is raised stating the license will expire soon even though it is already expired.

            The notification message is similar to:
            'License {name}', allocated to host '{hostname}' will expire soon. 
            Its expiration date is '{date}'
            Note: The date displayed in the error can already be expired.
            2 February 2020
            LOG SOURCE MANAGEMENT APP IJ25045 THE LOG SOURCE MANAGEMENT APP CAN SOMETIMES DISPLAY INCORRECT TARGET EVENT COLLECTOR CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available.

            Issue
            The QRadar Log Source Management (LSM) app can sometimes display the incorrect Target Event Collector when filtering by Target Event Collector.
            2 February 2020
            GEOGRAPHIC DATA IJ28623 THE COUNTRY ESWATINI DISPLAYS AS SWAZILAND WITHIN QRADAR CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            The country "Swaziland" is displayed in QRadar country options even though the country was been renamed to eSwatini.

            For example:
            When configuring a rule condition with geographic data, in the country list options is "Swaziland" instead of "eSwatini".
            2 February 2020
            QRADAR NETWORK INSIGHTS IJ30094 QRADAR NETWORK INSIGHTS: FLOWS OVER PORT 80 ARE MISCLASSIFIED AS 'SSH' CAUSING FALSE POSITIVES IN RULES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available as a software update is required to resolve this issue.

            Issue
            Flows on port 80 are misclassified by the Forensic Inspector as 'SSH'. When this occurs, false positives can be experienced during rule processing.
            2 February 2020
            RULES IJ25504 QRADAR CUSTOM RULE ENGINE FIRES AN EMAIL NOTIFICATION BUT AN ASSOCIATED OFFENSE IS NOT GENERATED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available as a software update is required to resolve this issue.

            Issue
            In some instances, an email notification can be generated by the QRadar Custom Rule Engine, but the associated Offense that should be created is not.

            Messages similar to the following (event-errs: {digit}) might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ep.ecs-ep] [MPC/PersisterThread@0000778355]
            com.ibm.si.mpc.magi.contrib.ModelPersister: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Processed 39 commands in
            0:00:00.023 including offense: 2, attacker: 1, target: 1,
            network: 2, cat: 2, off-cre-agg: 2, off-cat-sum: 4, annot: 2,
            device: 1, user: 1, offenseEP: 2, mac: 0, qid: 0, appId: 0,
            host: 0, asset: 0, port: 0, rule: 0, ipv6: 0, asn: 0, regex: 0,
            calculated: 0, mpcQueryReq: 0. New Load: 0.00
            [ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor]
            [parent=hostname:ecs-ep/MPC/Magistrate1/MPC]]
            com.ibm.si.mpc.magi.schedule.EventScheduler: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Scheduling 1 of 1 offenses. 
            (events-rcvd: 10, event-errs: 6, events-rejected: 0,
            MT-recs: 4, MT-recs-rejected: 0 (eq: 0), capDropped: 0,
            off-create-err: 0, off-contrib-err: 0, schd: 4, wait: 0,
            bytes-sched: 0.00MB, bytes-wait: 0.00MB, total rcvd: 1144987).
            init-sched: 0, dorm-sched: 0, def-sched: 0, def: 0, active: 4,
            dormant: 53, Load: 0.00, Throughput: 100.00%
            2 February 2020
            AGGREGATE DATA MANAGEMENT IJ12235 'AN ERROR OCCURRED FOR INPUT STRING...' MESSAGE CAN BE GENERATED WHEN SORTING IN AGGREGATED DATA WINDOW CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available as a software update is required to resolve this issue.

            Issue
            It has been identified that a message similar to "An error occurred For input string: "21622231248" " (the input string value varies) is generated when viewing Aggregated Data Management in the QRadar User Interface, looking at "Display: Aggregated Data View" and then performing a sort by "Data Written". For example:
            1. Log in as an administrator and click the Admin tab.
            2. Click the Aggregated Data Management icon.
            3. Select an Aggregated Data view in the Display dropdown.
            4. Change view dropdown. (eg. Last 3 days or Last 7 days)
            5. Click the Data Written Column to sort the data.

              Result An error occurred
              For input string: "2198937739"

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
            com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
            while executing the remote method 'getListPortion'
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
            java.lang.NumberFormatException: For input string: "2198937739"
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.lang.Integer.parseInt(Integer.java:595)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.lang.Integer.parseInt(Integer.java:627)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:86)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:40)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.util.TimSort.binarySort(TimSort.java:307)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.util.TimSort.sort(TimSort.java:250)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.util.Arrays.sort(Arrays.java:1856)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.util.ArrayList.sort(ArrayList.java:1473)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.util.Collections.sort(Collections.java:186)
            ........
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at
            org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            [tomcat.tomcat] [admin@127.0.0.1 (268)
            /console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
              at java.lang.Thread.run(Thread.java:811)
            2 February 2020
            UPGRADE IJ36035 QRADAR DEPLOY FUNCTION CAN FAIL DURING AND AT THE END OF PATCH PROCESS WITH SOME INSTALL AND PATCH PATHS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            The QRadar deploy function can fail during and after a QRadar patch has been applied.

            This has been attributed to instances where auCrypto.pm is retained from pre-743 in some upgrade paths.

            Fpr example: QRadar 7.4.0 Fix Pack 4 (20200629201233) ISO > QRadar 7.4.1 Fix Pack 1 (20201112005343) SFS > QRadar 7.4.3 Fix Pack 1 (20210708143944) SFS

            Messages similar to the following might be visible in /var/log/setupxxxxx/patches.log when this issue occurs:
            AES: Datasize not exactly blocksize (16 bytes) at
            /opt/qradar/lib/Q1/auCrypto.pm line 79.
            Oct 28 18:20:49 2021: Oct 28 18:20:49 2021:[ERROR](patchmode)
            deploy failed.
            2 February 2020
            CUSTOM PROPERTIES IJ36006 SOME CUSTOM EVENT PROPERTIES CAN BE RENAMED DURING QRADAR PATCHING PROCESS TO VERSION 7.4.3 OR NEWER CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            The QRadar patching process (to version 7.4.3 or newer) can change Custom Event Property names. When this occurs, rules and/or Reference Sets can be displayed incorrectly including in QRadar Apps (example: Use Case Manager).

            For more information, see Alias properties created for custom properties
            2 February 2020
            UPGRADE IJ35457 SOME CONTENT PACK PROPERTIES CAN FAIL DURING AND AFTER PATCHING TO QRADAR 7.4.3 CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            During the patching process to QRadar version 7.4.3 and newer, changes are made to the name of some content pack properties. No pre-check is performed to verify if the properties with the new name already exist causing the patch to not update the conflicting properties.

            This can also cause future install failures with content packs after the patch completes.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [WARN](patchmode) (date) 16:37:09,517 - WARNING -
            CustomPropertiesScript - process_searches_preload -
            Custom property Target Process Name exists, but not with system
            id 7453f3f4-58b3-4e08-aa35-372e2a029deb. Skipping custom-data.
            [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api
            .impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12
            extension with id = 74 failed: Detected a conflict while
            importing a custom property.
            [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: 
            Detected a conflict while importing a custom property. 
            [tomcat.tomcat] [admin@127.0.0.1]
            com.ibm.si.content_management.ContentCustom: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Property with id
            [DEFAULTCUSTOMEVENT8] already exists but has a different name
            [tomcat.tomcat] [admin@127.0.0.1]
            com.ibm.si.content_management.ContentManager: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content
            file [/store/tmp/cmt/out/20210823183050/CustomProperties_Micros
            oftWindows.xml]
            [tomcat.tomcat] [admin@127.0.0.1]
            com.ibm.si.content_management.ContentManager: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content
            file [/store/tmp/cmt/out/MicrosoftWindows-CustomProperties-1/Cu
            stomProperties_MicrosoftWindows.xml]
            [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api
            .impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12
            extension with id = 75 failed: Detected a conflict while
            importing a custom property.
            [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: 
            Detected a conflict while importing a custom property.
            2 February 2020
            CONTENT MANAGEMENT TOOL (CMT) IJ35138 CONTENT MANAGEMENT TOOL (CMT) EXPORT CAN FAIL ON RULES WITH A LOG SOURCE TEST CONTAINING AN EMPTY VALUE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            A Content Management Tool export of data can fail with Null Pointer Exception during the export when a rule with a log source test where an empty value exists.

            A message similar to the following might be visible when this issue occurs:
            java.lang.NullPointerException
            at com.ibm.si.content_management.ContentParser.getCustomRuleLogSource(ContentParser.java:5150)
            at com.ibm.si.content_management.ContentParser.getParsed(ContentParser.java:149)
            at com.ibm.si.content_management.Content.exportContent(Content.java:2853)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
            at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
            at com.ibm.si.content_management.ContentManager.exportContent(ContentManager.java:1310)
            at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3495)
            at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3455)
            at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3539)
            at com.ibm.si.content_management.CommandLineManager.processExport(CommandLineManager.java:323)
            at com.ibm.si.content_management.CommandLineManager.main(CommandLineManager.java:149)
            2 February 2020
            UPGRADE IJ36198 PATCH PRETEST FAILS WHEN DUPLICATE NAMED CUSTOM PROPERTIES ARE PRESENT IN MULTIPLE DATATBASES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            Upgrade to a version where this issue is resolved or review instructions for correcting the duplicate named custom event properties prior to re-running the QRadar patch process: Duplicate custom property names.

            Issue
            The QRadar patch pretest can fail when custom event properties with the same name but in different databases (event/flow) are present.
            2 February 2020
            QRADAR NETWORK INSIGHTS IJ35676 QRADAR DEPLOY FUNCTION CAN FAIL TO QRADAR NETWORK INTERFACE (QNI) APPLIANCES AFTER PATCHING CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Performing a subsequent QRadar deploy function after the failed deploy can correct this issue when it occurs.

            Issue
            After patching to QRadar version 7.5.0 GA, the QRadar deploy function can fail for QRadar Network Interface (QNI) appliances.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            Caused by:
            com.q1labs.configservices.common.ConfigServicesException:
            Unable to get properties to build the forensics_config.xml file
              at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildThreatAnalyticsConfigFile(ForensicsRealtimeConfigTransformer.java:199)
              at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.configure(ForensicsRealtimeConfigTransformer.java:87)
              at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildConfig(ForensicsRealtimeConfigTransformer.java:71)
              at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:65)
              at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206)
              at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117)
              ... 9 more
            2 February 2020
            UPGRADE IJ33797 PATCH PRETEST TO QRADAR 7.4.3 GA CAN FAIL ON CHECK FOR DUPLICATE CUSTOM EVENT PROPERTIES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            A QRadar patch pretest that checks for duplicate properties in the ariel_regex_property table can cause the pretest to fail as a result of the presence of facade properties.
            2 February 2020
            CONTENT MANAGEMENT TOOL (CMT) IJ35707 CONTENT MANAGEMENT TOOL (CMT) CHANGES RULE RESPONSE DURING CMT IMPORT CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            Manually update the affected rule response after using CMT import.

            Issue
            The Content Management Tool (CMT) import function is incorrectly changing the behavior of the Sensitive File Directories rule in QRadar:

            Before CMT import
            Rule Response of Files in Sensitive File Directories rule
            - Add the Filename of the event or flow payload to the Reference Set: Files in Sensitive Directories - AlphaNumeric

            After CMT import
            Rule Response of Files in Sensitive File Directories rule
            - Add the Filename of the event or flow payload to the Reference Set: Asset Reconciliation DNS Blacklist - AlphaNumeric (Ignore Case).
            2 February 2020
            UPGRADE IJ35026 QRADAR PATCHING CAN FAIL ON APPLIANCES USING EFI FIRMWARE CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.



            Issue
            The QRadar patching process can fail when using EFI firmware. Messages similar to the following might be visible when this issue occurs:
            Grub Files Check
             Ensures grub files and settings are correct
                [FAILURE]
            
                    The symlink /etc/grub2-efi.cfg does not have the correct
            target. Found:
                    /boot/efi/EFI/grub/grub.cfg Expected:
            ../boot/efi/EFI/redhat/grub.cfg
                   [REMEDIATION]
            
                    Delete /etc/grub2-efi.cfg (if it exists) using 'rm
            /etc/grub2-efi.cfg',
                    then re-create the symlink by running 'ln -s
                    ../boot/efi/EFI/redhat/grub.cfg /etc/grub2-efi.cfg'
            2 February 2020
            SECURITY BULLETIN CVE-2021-20400 A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-20400: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9
            30 November 2021
            SECURITY BULLETIN CVE-2021-2161 A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-2161: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. CVSS Base score: 5.9
            30 November 2021
            SECURITY BULLETIN CVE-2021-29779 IBM QRadar SIEM Performs Key Exchange Without Entity Authentication on Inter-Host Communications CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-29779: IBM QRadar could allow an attacker to obtain sensitive information due to the server performing key exchange without entity authentication on inter-host communications using man in the middle techniques. CVSS Base score: 5.9
            30 November 2021
            SECURITY BULLETIN CVE-2020-12362
            CVE-2020-12363
            CVE-2020-12364
            CVE-2020-27170
            CVE-2020-8648
            CVE-2021-3347
            CVE-2020-24489
            CVE-2020-24511
            CVE-2020-24512
            CVE-2020-24513
            Linux Kernel as used by IBM QRadar SIEM contains multiple vulnerabilities CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            • CVE-2020-12362: Intel Graphics Drivers could allow a local authenticated attacker to gain elevated privileges on the system, caused by an integer overflow in the firmware. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 7.5
            • CVE-2020-12363: Intel Graphics Drivers are vulnerable to a denial of service, caused by improper input validation. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
            • CVE-2020-12364: Intel Graphics Drivers are vulnerable to a denial of service, caused by a NULL pointer reference error. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
            • CVE-2020-27170: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds loads flaw. By executing specially-crafted BPF programs, an attacker could exploit this vulnerability to obtain contents of kernel memory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
            • CVE-2020-8648: Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the n_tty_receive_buf_common function of drivers/tty/n_tty.c. An attacker could exploit this vulnerability to read memory that should not be available for access. CVSS Base score: 5.3
            • CVE-2021-3347: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a kernel stack use-after-free during fault handling in PI futexes. An attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the kernel. CVSS Base score: 7.8
            • CVE-2020-24489: Multiple Intel Virtualization Technology for Directed I/0 (VT-d) products could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incomplete cleanup. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 8.8
            • CVE-2020-24511: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by improper isolation of shared resources. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6
            • CVE-2020-24512: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by the observable timing discrepancy issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.8
            • CVE-2020-24513: Intel Atom could allow a local authenticated attacker to obtain sensitive information, caused by domain-bypass transient execution vulnerability. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6
            30 November 2021
            SECURITY BULLETIN CVE-2021-32028
            CVE-2021-32027
            PostgreSQL as used by IBM QRadar SIEM is vulnerable to information disclosure CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            • CVE-2021-32028: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table. By creating prerequisite objects, an attacker could exploit this vulnerability to read arbitrary bytes of server memory. CVSS Base score: 6.5
            • CVE-2021-32027: PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow while modifying certain SQL array values. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
            30 November 2021
            SECURITY BULLETIN CVE-2021-31811
            CVE-2021-31812
            Apache PDFBox as used by IBM QRadar SIEM is vulnerable to denial of service CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            • CVE-2021-31811: Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.5
            • CVE-2021-31812: Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop. CVSS Base score: 5.5
            30 November 2021
            SECURITY BULLETIN CVE-2021-30468 Apache CXF as used by IBM QRadar SIEM is vulnerable to denial of service (DOS) CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-30468: Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources. CVSS Base score: 7.5
            30 November 2021
            SECURITY BULLETIN CVE-2021-29849 IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-29849: IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
            30 November 2021
            SECURITY BULLETIN CVE-2021-29863 IBM QRadar SIEM is vulnerable to server side request forgery (SSRF) CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            CVE-2021-29863: IBM QRadar SIEM is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. CVSS Base score: 5.4
            30 November 2021
            SECURITY BULLETIN MULTIPLE (69 CVEs) IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            • CVE-2021-3541: GNOME libxml2 is vulnerable to a denial of service, caused by an exponential entity expansion attack which bypasses all existing protection mechanisms. A remote authenticated attacker could exploit this vulnerability to consume all available resources. CVSS Base score: 6.5
            • CVE-2021-3516: libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in xmlEncodeEntitiesInternal() in entities.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
            • CVE-2021-3520: lz4 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted file, an attacker could invoke memmove() on a negative size argument leading to memory corruption and trigger an out-of-bounds write or cause the library to crash. CVSS Base score: 8.6
            • CVE-2017-14502: libarchive is vulnerable to a buffer overflow, caused by improper bounds checking by the read_header function in archive_read_support_format_rar.c. By persuading a victim to open a specially-crafted RAR file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
            • CVE-2021-20271: RPM could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the signature check function. By persuading a victim to open a specially-crafted package file, an attacker could exploit this vulnerability to cause RPM database corruption and execute arbitrary code on the system. CVSS Base score: 6.7
            • CVE-2021-33503: urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
            • CVE-2019-20387: libsolv is vulnerable to a denial of service, caused by a heap-based buffer over-read in the repodata_schema2id function in repodata.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
            • CVE-2020-29361: p11-glue p11-kit are vulnerable to a denial of service, caused by multiple integer overflows when allocating memory for arrays of attributes and object identifiers. By sending a specially-crafted request using realloc or calloc function, an attacker could exploit this vulnerability to cause a denial of service or possibly execute arbitrary code on the system. CVSS Base score: 7.5
            • CVE-2020-29363: p11-glue p11-kit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the RPC protocol. By sending a serialized byte array in a CK_ATTRIBUTE, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
            • CVE-2020-15358: SQLite is vulnerable to a denial of service, caused by a heap-based buffer overflow in the mishandling of query-flattener optimization in select.c. By sending a specially-crafted query, a local authenticated attacker could overflow a buffer and cause the application to crash. CVSS Base score: 5.5
            • CVE-2020-13776: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the mishandling of numerical usernames. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges as root. CVSS Base score: 6.7
            • CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
            • CVE-2019-18276: GNU Bash could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the disable_priv_mode in shell.c. By sending a specially-crafted command, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.8
            • CVE-2020-9951: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8
            • CVE-2020-13543: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebSocket functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
            • CVE-2020-13584: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the ImageDecoderGStreamer functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
            • CVE-2019-14889: libssh could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the ssh_scp_new(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.8
            • CVE-2019-20916: pypa pip package for python could allow a remote attacker to traverse directories on the system, caused by a flaw when installing package via a specified URL. An attacker could use a specially-crafted Content-Disposition header with filename containing "dot dot" sequences (/../) to overwrite arbitrary files on the system. CVSS Base score: 8.2
            • CVE-2021-20305: Nettle could allow a remote attacker to bypass security restrictions, caused by a flaw related to several signature verification functions result in the Elliptic Curve Cryptography point (ECC) multiply function being invoked with out-of-range scalers. An attacker could exploit this vulnerability to force an invalid signature, causing an assertion failure or possible validation. CVSS Base score: 8.1
            • CVE-2020-14352: Librepo could allow a remote authenticated attacker to traverse directories on the system, caused by the failure to sanitize paths in remote repository metadata. An attacker could send a specially-crafted URL request containing directory traversal sequences to copy files outside of the destination directory and compromise the system. CVSS Base score: 8
            • CVE-2020-24977: GNOME libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the xmlEncodeEntitiesInternal function in libxml2/entities.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
            • CVE-2020-8285: cURL libcurl is vulnerable to a denial of service, caused by a stack-based buffer overflow in the wildcard matching function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
            • CVE-2020-8286: cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server. CVSS Base score: 7.5
            • CVE-2019-25013: GNU glibc is vulnerable to a denial of service, caused by a buffer over-read in iconv feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a SIGSEGV. CVSS Base score: 7.5
            • CVE-2021-3326: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an assertion failure when processing invalid input sequences in the ISO-2022-JP-3 encoding in the iconv function. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
            • CVE-2020-28196: MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by an unbounded recursion flaw in lib/krb5/asn.1/asn1_encode.c. By sending a specially-crafted ASN.1-encoded Kerberos message, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
            • CVE-2020-7595: GNOME libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
            • CVE-2021-3449: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. CVSS Base score: 7.5
            • CVE-2020-14422: Python is vulnerable to a denial of service, caused by improper computing hash values in the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
            • CVE-2020-13434: SQLite is vulnerable to a denial of service, caused by an integer overflow in the sqlite3_str_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
            • CVE-2020-13777: GnuTLS could allow a remote attacker to obtain sensitive information, caused by the use of incorrect cryptography for encrypting a session ticket. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain previous conversations in TLS and bypass the authentication process. CVSS Base score: 7.4
            • CVE-2021-3450: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. CVSS Base score: 7.4
            • CVE-2019-9169: GNU glibc is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the proceed_next_node function in posix/regexec.c. By sending a specially-crafted argument using a case-insensitive regular-expression match, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.3
            • CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
            • CVE-2020-8284: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by improper validation of FTP PASV responses. By persuading a victim to connect a specially-crafted server, an attacker could exploit this vulnerability to obtain sensitive information about services, and use this information to launch further attacks against the affected system. CVSS Base score: 6.5
            • CVE-2020-26116: Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 6.5
            • CVE-2020-9948: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
            • CVE-2020-9983: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
            • CVE-2020-9983: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
            • CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2020-24659: GnuTLS is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.9
            • CVE-2019-13627: libgcrypt20 cryptographic library could allow a remote attacker to obtain sensitive information, caused by a ECDSA timing attack. An attacker could exploit this vulnerability to obtain private key information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.9
            • CVE-2021-23336: Python CPython could allow a remote attacker to bypass security restrictions, caused by a web cache poisoning flaw via urllib.parse.parse_qsl and urllib.parse.parse_qs. By sending a specially-crafted request parameter cloaking, an attacker could exploit this vulnerability to cause a difference in the interpretation of the request between the proxy and the server. CVSS Base score: 5.9
            • CVE-2020-27618: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an error when processing some invalid inputs from several IBM character sets in the iconv function. By sending invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
            • CVE-2019-20907: Python is vulnerable to a denial of service, caused by a flaw in the tarfile module in Lib/tarfile.py. By persuading a victim to open a specially-craft a TAR archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
            • CVE-2020-8927: Brotli is vulnerable to buffer overflow. By controlling the input length of a "one-shot" decompression request to a script, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 5.3
            • CVE-2020-8177: cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. CVSS Base score: 5.3
            • CVE-2020-8231: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the improper handling of the CURLOPT_CONNECT_ONLY option. The raw data is sent over that connection to the wrong destination. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
            • CVE-2019-19906: cyrus-sasl is vulnerable to a denial of service, caused by an off-by-one error in _sasl_add_string in common.c. By sending a malformed LDAP packet, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
            • CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
            • CVE-2016-10228: GNU C Library (glibc) is vulnerable to a denial of service, caused by an error in the iconv program. By processing invalid multi-byte input sequences, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.3
            • CVE-2019-13050: GNU Privacy Guard (GnuPG) is vulnerable to a denial of service, caused by a certificate spamming attack when referring to a host on the SKS keyserver network in the keyserver configuration. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
            • CVE-2020-1730: libssh is vulnerable to a denial of service, caused by the use of uninitialized AES-CTR ciphers. A remote attacker could exploit this vulnerability to crash the implemented counterpart. CVSS Base score: 5.3
            • CVE-2020-29362: p11-glue p11-kit could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read flaw in the RPC protocol. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain up to 4 bytes of memory past the heap allocation, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
            • CVE-2019-20454: PCRE is vulnerable to a denial of service, caused by an out-of-bounds read in the do_extuni_no_utf function in pcre2_jit_compile.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
            • CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
            • CVE-2020-27619: An unspecified error with CJK codec tests call eval() on content retrieved throug HTTP in multibytecodec_support.py in Python has an unknown impact and attack vector. CVSS Base score: 5.3
            • CVE-2021-23240: sudo could allow a local authenticated attacker to launch a symlink attack. The selinux_edit_copy_tfiles() and selinux_edit_create_tfiles functions creates temporary files insecurely. An attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base score: 5.3
            • CVE-2019-3842: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly sanitize the environment before using the XDG_SEAT variable by pam_systemd. By spoofing an active session to PolicyKit, an authenticated attacker could exploit this vulnerability to gain additional PolicyKit privileges. CVSS Base score: 4.5
            • CVE-2018-1000858: GnuPG is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by dirmngr. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base score: 4.3
            • CVE-2020-11080: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.7
            • CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
            • CVE-2019-13012: GNOME GLib could allow a local attacker to bypass security restrictions, caused by improper permission control in the keyfile settings backend. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 3.3
            • CVE-2019-19221: libarchive is vulnerable to a denial of service, caused by an out-of-bounds read in the archive_wstring_append_from_mbs in archive_string.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
            • CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
            • CVE-2019-2708: An unspecified vulnerability in Oracle Berkeley DB related to the Data Store component could allow an authenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.3
            • CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 3.3
            • CVE-2021-23239: sudo could allow a local authenticated attacker to obtain sensitive information, caused by a race condition in sudoedit. By using symlink attack techniques, an attacker could exploit this vulnerability to obtain directory information, and use this information to launch further attacks against the affected system. CVSS Base score: 3.3
            30 November 2021
            SECURITY BULLETIN CVE-2020-7226
            CVE-2021-29425
            CVE-2021-28165
            CVE-2021-28169
            CVE-2021-28163
            CVE-2021-22696
            CVE-2020-13954
            CVE-2018-8029
            CVE-2020-9492
            CVE-2018-11768
            CVE-2017-15713
            CVE-2018-18751
            CVE-2019-9924
            CVE-2021-3715
            CVE-2020-27777
            CVE-2021-22555
            CVE-2021-29154
            CVE-2021-29650
            CVE-2021-32399
            IBM QRadar SIEM is vulnerable to using components with know vulnerabilities CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
            • IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2
            Issue
            • CVE-2020-7226: Cryptacular is vulnerable to a denial of service, caused by an excessive memory allocation during a decode operation in CiphertextHeader.java. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
            • CVE-2021-29425: Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5
            • CVE-2021-28165: Eclipse Jetty is vulnerable to a denial of service, caused by improper input valistion. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach to 100% usage. CVSS Base score: 7.5
            • CVE-2021-28169: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
            • CVE-2021-28163: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system. CVSS Base score: 2.7
            • CVE-2021-22696: Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server. CVSS Base score: 7.5
            • CVE-2020-13954: Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2018-8029: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user. CVSS Base score: 8.8
            • CVE-2020-9492: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. CVSS Base score: 8.8
            • CVE-2018-11768: Apache Hadoop is vulnerable to a denial of service, caused by a mismatch in the size of the fields used to store user/group information between memory and disk representation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the user/group information to be corrupted across storing in fsimage and reading back from fsimage. CVSS Base score: 7.5
            • CVE-2017-15713: Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files. CVSS Base score: 4.3
            • CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
            • CVE-2019-9924: Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. CVSS Base score: 8.8
            • CVE-2021-3715: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free in route4_change() in net/sched/cls_route.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
            • CVE-2020-27777: Linux Kernel for PowerPC could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with the Run-Time Abstraction Services (RTAS) interface. By sending a specially-crafted request, an attacker could exploit this vulnerability to overwrite some parts of memory, including kernel memory. CVSS Base score: 6.8
            • CVE-2021-22555: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a heap out-of-bounds write flaw in net/netfilter/x_tables.c. By sending a specially-crafted request through user name space, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition. CVSS Base score: 7.8
            • CVE-2021-29154: Linux Kernel could allow a could allow a local authenticated attacker to gain elevated privileges on the system, caused by an issue with incorrect computation of branch displacements in BPF JIT compiler. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges, and execute arbitrary code in the Kernel mode. CVSS Base score: 7.8
            • CVE-2021-29650: Linux Kernel is vulnerable to a denial of service, caused by the lack of a full memory barrier upon the assignment of a new table value in the netfilter subsystem. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 6.2
            • CVE-2021-32399: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the BlueTooth subsystem. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. CVSS Base score: 7.8
            30 November 2021
            UPGRADE IJ35114 QRADAR PATCH PROCESS CAN HANG FOR AN EXTENDED DURATION DURING A CONTENT MANAGEMENT EXPORT IN THE PATCHING PROCESS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve.

            Issue
            The QRadar patching process can hang for a longer than expected time due to the running of a content management export from 257644.install.

            This has been identified in QRadar environments that have a large number of searches (thousands) prior to patching. NOTE: The process needs to complete successfully, do not interrupt the QRadar patch. Support can determine if this issue is causing the QRadar patch process to hang
            14 November 2021
            RULES IJ34276 RULES WITH EMAIL RESPONSES WILL CAUSE THE CRE THREADS TO GET STUCK IN A DEADLOCK CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            Disable email responses on rules and restart ECS-EP by using the following command:
            systemctl restart ecs-ep

            Important: Restarting ECS-EP might result in services not being available, schedule a maintenance period before preforming this step.

            Issue
            Rules with email responses will cause the CRE threads to slowly get stuck in a deadlock, resulting in the CRE no longer processing events and sending them to storage if the deployment has any AQL CEP's with "Enable for use in Rules, Forwarding Profiles and Search Indexing" enabled.

            When this happens look for a similar stack trace in threads.txt that is generated by running the command:
            /opt/qradar/support/threadTop.sh -p 7799 --full > threads.txt

            at sun.misc.Unsafe.park(Native Method) 
            at java.util.concurrent.locks.LockSupport.park(LockSupport.java:186) 
            at java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt
             (AbstractQueuedSynchronizer.java:847) 
            at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireShared(
             AbstractQueuedSynchronizer.java:978) 
            at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireShared(Abstract
             QueuedSynchronizer.java:1294) 
            at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock
             .java:738) 
            at com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties(Custom
             PropertyServices.java:166) 
            at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.replace
            CustomPropertiesNullValues(CustomAlertFieldsManager.java:536) 
            at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.build
             ResponseFromXML(CustomAlertFieldsManager.java:351) 
            at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate
             (CustomAlertFieldsManager.java:145) 
            at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51) 
            at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049) 
            at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578) 
            at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496) 
            at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) 
            at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) 
            at com.q1labs.semsources.cre.CRERuleExecutor.processEventInAllMode(CRERuleExecutor.java:177) 
            at com.q1labs.semsources.cre.GlobalRuleExecutor.processEvent(GlobalRuleExecutor.java:207) 
            at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544) 
            at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
            2 February 2020
            BACKUP AND RESTORE IJ35436 'TEST HOST ACCESS' CAN FAIL TO WORK AS EXPECTED WHEN RESTORING A BACKUP ARCHIVE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            When restoring a backup archive created on a different Console (with Managed Host), the Test Host Access does not work as expected on the "Restore a Backup (Managed Hosts Accessibility)" window even if the iptables is stopped on the Managed Host. It displays "No Access" in the "Access Status" column. Continuing with the restore completes with "Console cannot access the host" message.
            2 February 2020
            QRADAR NETWORK INSIGHTS IJ33201 ICMPV6 FLOWS CAN BE MISSING IPV6 FIELD DATA CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            When viewing ICMPv6 traffic in the QRadar User Interface, some fields are missing for flows and ICMPv6 traffic from QRadar Network Insights or IPFIX exporters.

            These fields include IPV6 addresses (they display as 0:0:0:0:0:0:0:0), all tagged fields, QoS, ASN, IF Index, and flowid.

            When this issue occurs, searches performed for these fields in ICMPv6 traffic do not work as expected.
            14 November 2021
            EVENT AND FLOW RETENTION IJ20880 'COMPRESSION' COLUMN IS DISPLAYED ON THE EVENT/FLOW RETENTION SCREEN AND UNABLE TO EDIT EXISITING RETENTION BUCKETS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            When editing a retention bucket, set the Compression value to Never.

            Issue
            It has been identified that a "Compression" column can be observed on the Event/Flow Retention window.

            When this issue is occuring, editing an existing retention policy fails with an error in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
            com.q1labs.qradar.ui.action.Retention: [ERROR]
            [NOT:0000003000][IP/- -] [-/- -]Retention Bucket save failed
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
            java.lang.NumberFormatException: For input string: ""
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at java.lang.Integer.parseInt(Integer.java:604)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at java.lang.Integer.parseInt(Integer.java:627)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            com.google.gson.JsonPrimitive.getAsInt(JsonPrimitive.java:260)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:97)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:79)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
            [tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
              at
            com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.read
            (TypeAdapterRuntimeTypeWrapper.java:41)
            14 November 2021
            Advanced Search (AQL) IJ32889 AQL SEARCHES CAN BECOME CORRUPTED AFTER A CONTENT MANAGEMENT TOOL IMPORT CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            Manually edit the affected AQL searches to remove the extra quotes from all effected searches where the extra quotes appear.

            For example, ""Bytes Sent"(GB)"

            In this example, the user can remove the interior (second and third) quotation marks, which are underlined and bolded.

            Issue
            AQL saved searches can become corrupted during the Content Management Tool (CMT) import after the DataExfiltration-ContentExtension-1.0.4.zip is added to QRadar causing an invalid AQL query. Affected searches can not be used. For example, some searches containing a specific AQL string pattern are affected:
            SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)"
            FROM events

            When a highlighted string is used as a custom column name, the AQL search becomes corrupted. This also includes name variations with the key part being Bytes Sent followed by the brackets, such as "Bytes Sent(Megabytes)"

            Components that use the affected search, like reports and accumulation, are also likely to be affected as the search(es) do not complete.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            com.q1labs.ariel.ql.parser.Parser: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: missing FROM at 'Bytes'
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            com.q1labs.ariel.ql.parser.AQLParserException: Parse error:
            missing FROM at 'Bytes') / 1073741824 As ""Bytes Sent"(GB)" From^
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:564)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.DefaultErrorStrategy.reportMissingToken(DefaultErrorStrategy.java:407)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.DefaultErrorStrategy.singleTokenInsertion(DefaultErrorStrategy.java:510)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.DefaultErrorStrategy.recoverInline(DefaultErrorStrategy.java:474)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at org.antlr.v4.runtime.Parser.match(Parser.java:227)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.antlr.AQLParser.query(AQLParser.java:725)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.antlr.AQLParser.batch(AQLParser.java:404)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.ParserUtils.parse(ParserUtils.java:413)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1623)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:172)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:67)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
            at java.lang.Thread.run(Thread.java:822) 
            14 November 2021
            SEARCH IJ32741 REAL TIME EVENT STREAMING CAN STOP WHEN A "JAVA.IO.EXCEPTION: BROKEN PIPE" ERROR OCCURS AFTER A TOMCAT PROCESS RESTART CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)
            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            Select one of the following workaround options:

            A. Perform a restart of the ecs-ep process on the QRadar deployment from an SSH session to the QRadar Console:
            /opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ep"

            OR

            B. Perform a Deploy Full Configuration from the Console:
            Admin > Advanced > Deploy Full Configuration.

            Issue
            In some instances where tomcat is restarted on the QRadar Console, a "java.io.exception error: Broken pipe" error can occur after which real time event streaming in the QRadar User Interface can stop functioning.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
            com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
            0.0.0.0:7801: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/--]
            Error: /127.0.0.1:49432 : IOException : Broken pipe
            [tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
            java.io.IOException: Broken pipe
            [tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
            com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
            0.0.0.0:7800: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
            -]Error: /127.0.0.1:52834 : IOException : Broken pipe
            [tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
            java.io.IOException: Broken pipe
            14 November 2021
            FLOWS IJ33511 THE NETWORK ACTIVITY FLOW SOURCE TYPE FIELD DISPLAYS N/A CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            No workaround available.

            APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            In the Network Activity tab, it has been observed in some instances that N/A is being displayed in the Flow Source field. The Flow Source field should not be displaying N/A.
            2 February 2022
            QRADAR NETWORK INSIGHTS IJ29680 NON-ADMIN USERS CANNOT OPEN THE EXTRACT PROPERTIES TAB WHEN A LARGE NUMBER OF LOG SOURCES EXIST CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            Non-admin QRadar users can experience a time out after a longer than expected period of wait time while trying to open the extract properties tab when using Log Source Management.

            This issue occurs when there are a large number of Log Sources as a permission check of all devices occurs one at a time. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            "user@127.0.0.1 (4918) /console/do/qradar/arielProperties"
            Id=1835698 in RUNNABLE
            at org.postgresql.core.PGStream.receive(PGStream.java:467)
            at org.postgresql.core.PGStream.receiveTupleV3(PGStream.java:422)
            at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2146)
            at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
            - locked org.postgresql.core.v3.QueryExecutorImpl@cdad6869
            at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
            at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
            at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
            at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
            at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
            at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:270)
            at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnection
            Decorator.java:1115)
            at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
            at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
            at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
            at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
            at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
            at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
            at com.q1labs.frameworks.session.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270)
            at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:177)
            at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:162)
            at com.q1labs.core.util.sensors.SensorDeviceUtil.getAllLogSources(SensorDeviceUtil.java:27)
            at com.q1labs.core.shared.util.UserUtils.getUserDeviceIds(UserUtils.java:803)
            at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:741)
            at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:1080)
            at com.q1labs.sem.ui.semservices.UISemServices.getSensorDevicesByDe
            viceType(UISemServices.java:3302)
            at com.q1labs.ariel.ui.action.ArielProperty.prepareDefaultRequestOpions(ArielProperty.java:120)
            at com.q1labs.ariel.ui.action.ArielProperty.executeEdit(ArielProperty.java:793)
            at com.q1labs.uiframeworks.actions.DispatchAction.edit(DispatchAction.java:253)
            at sun.reflect.GeneratedMethodAccessor2973.invoke(UnknownSource)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            at java.lang.reflect.Method.invoke(Method.java:508)
            14 November 2021
            QRADAR NETWORK INSIGHTS IJ28760 QNI DATA CAN FAIL TO BE RECEIVED BY THE QRADAR CONSOLE USING DTLS DUE TO A MISSING CERTIFICATE ON THE QRADAR NETWORK INSIGHTS APPLIANCE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            On the QRadar Network Insights appliance, copy the certificate from:
            /store/configservices/staging/globalconfig/dtlspki
            to:
            /opt/qradar/conf/dtls/client/

            Issue
            The DTLS connection between an encrypted, natted, QRadar Network Insights (QNI) appliance and the Console can fail if the required certificate does not get copied to the correct directory during the connection setup on the QNI appliance.

            The needed certificate resides on the QNI appliance in: /store/configservices/staging/globalconfig/dtlspki, but can fail to be copied during connection setup to: /opt/qradar/conf/dtls/client/
            14 November 2021
            REPORTS IJ26321 REPORTS CAN FAIL TO COMPLETE DUE TO A LOCK ON THE QRADAR DATABASE PREVENTING REPORT TEMPLATES FROM LOADING CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            Administrators can restart the reporting executor service, which allows the report templates to reload and creates a new transaction session.
            1. Log in to the QRadar Console as the root user.
            2. To restart the reporting executor, type:
              systemctl restart reporting_executor
            3. To verify the issue, manually start the report in the QRadar interface.

            Issue
            In some instances, QRadar report templates can fail to load due to a lock that is applied to the QRadar database preventing the database transaction from retrieving report templates. The database fails to connect as the session connection is already considered dead or previously used and closed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [reporting_executor.reporting_executor] [Report Queue]
            com.q1labs.reporting.ReportServices: [INFO]
            [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
            [reporting_executor.reporting_executor] [Report Queue]
            com.q1labs.reporting.ReportServices: [ERROR]
            [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates
            folder is acquired by another process, skipping templates reload.
            [reporting_executor.reporting_executor] [Report Queue]
            com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR]
            [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading
            custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
            [reporting_executor.reporting_executor] [Report Queue]
            {openjpa-2.4.3-r422266:1833086 fatal general error}
            org.apache.openjpa.persistence.PersistenceException: This
            connection has been closed. {SELECT t0.id, t0.autodiscovered,
            t0.creationdate, t0.database, t0.datepattern, t0.description,
            t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
            t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
            t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
            {code=0, state=08003}
            FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id =
            ?1 [java.lang.String]
            [reporting_executor.reporting_executor] [Report Queue]    at
            org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.jav
            a:5003)
            ..
            [reporting_executor.reporting_executor] [Report Queue] Caused
            by:
            [reporting_executor.reporting_executor] [Report Queue]
            org.apache.openjpa.lib.jdbc.ReportingSQLException: This
            connection has been closed. {SELECT t0.id, t0.autodiscovered,
            t0.creationdate, t0.database, t0.datepattern, t0.description,
            t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
            t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
            t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
            
            14 November 2021
            DATA SYNCHRONIZATION APP IJ33228 DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Workaround
            1. After the restore process completes, perform a Deploy Full Configuration: Admin > Advanced > Deploy Full Configuration.
            2. Wait for the Deploy Full Configuration to complete.
            3. Use SSH to log in to QRadar as the root user.
            4. To verify tomcat is running, type:
              systemctl status tomcat
            5. Verify tomcat is running, look for "Active: active (running)" in the status output
            6. After confirming tomcat is running, type:
              systemctl restart tomcat

            Issue
            After restoring a backup using the Data Synchronization app, the Destination site auth tokens are unusable and error messages similar to the following can be observed in the app logs identifying that the QRadar APIs are no longer retrieving results:
            [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
            Time)] 'An error occured retrieving backups from QRadar API: No
            SEC header present in request. Please provide it via "SEC:
            token". You may also use BASIC authentication parameters if this
            host supports it. e.g. "Authorization: Basic base64Encoding"',
            [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
            Time)] toString: ^Function: toString] } 
            14 November 2021
            MANAGED HOSTS IJ33650 'ERRORSTREAM FLUSH-KEY-FOR-IPADDRESS' ERROR MESSAGES BEING WRITTEN TO QRADAR LOGGING CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            No workaround available. APARs identified with no workaround require a software delivery to resolve.

            Issue
            Repeating "ErrorStream" messages can sometimes be observed in /var/log/qradar.log as well as Managed Hosts attempting to connect to other Managed Hosts over port 22.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [Thread-1913] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
            13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
            [Thread-1917] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
            13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
            [Thread-1919] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
            13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
            [Thread-1921] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
            13 10:14:29 ::ffff:127.0.0.1 [hostcontext.hostcontext]
            [Thread-1923] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
            13 10:14:30 ::ffff:127.0.0.1 [hostcontext.hostcontext]
            [Thread-1925] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4
            2 February 2022
            UPGRADE IJ32896 QRADAR PATCH PRE-TEST CAN FAIL DUE TO CHECK_YUM.SH ISSUES WHEN WINCOLLECT 7.3.1-16 INSTALLED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)
            QRadar 7.4.3 Fix Pack 5 (7.4.3.20220307203834)

            Workaround
            To work around this issue, clean the yum cache to allow the patch to run successfully.
            1. Mount the 7.4.2 Fix Pack 3 file on the appliance.
            2. Run the following command:
              /media/updates/supplementary_scripts/run_yum.py --baseurl /media/updates/repo --clean all
            3. Run the pre-test on the appliance and confirm the error no longer displays.
            Note: The command in this workaround is a single command, if the code block appears split to two line.

            Issue
            The QRadar patch pre-test can fail when the check_yum.sh pretest does not clean out the old yum cache.

            This can occur when WinCollect 7.3.1-16 has been installed prior to the QRadar patch attempt. Messages similar to the following might be visible when this issue occurs:
            [INFO](testmode) Not using downloaded
            qradar-upgrade-local/repomd.xml because it is older than what we have:
            Current : Wed Apr 28 16:45:33 2021
            Downloaded: Tue Mar 23 18:56:37 2021
            23 February 2022
            HIGH AVAILABILITY (HA) IJ34628 INCORRECT STATUS FOR NETWORK INTERFACES CAN BE DISPLAYED FOR HIGH AVAILABILITY HOST OPEN Workaround
            Contact support for a possible workaround that might address this issue in some instances.

            Issue
            An incorrect status for network interfaces can be observed (example: network interface shows as down) for a High Availability (HA) host in the "Network Interfaces" tab of the "System and License Management" window when the secondary is active.
            04 November 2021
            UPGRADE IJ36052 HOSTCONTEXT CAN FAIL TO START ON MANAGED HOSTS AFTER PATCHING QRADAR CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            Contact support for a possible workaround that might address this issue in some instances.

            Issue
            In some instances, Managed Hosts can fail to start the hostcontext service after patching: Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [main] java.lang.NullPointerException
            [main] at com.q1labs.hostcontext.HostContext.destroy(HostContext.java:1168)
            [main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1319)
            hostcontext[131454]: at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106)
            hostcontext[131454]: at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529)
            hostcontext[131454]: at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128)
            2 February 2022
            UDP MULTILINE SYSLOG PROTOCOL IJ35316 EVENTS THAT HAVE BEEN COMBINED IN A GATEWAY CAN BECOME UNCOMBINED OPEN Workaround
            No workaround available. APARs identified with no workaround require a software delivery to resolve. This reported issue will be considered for a future release of the UDP Mutliline Syslog Protocol.

            Issue
            Events that have been combined in a gateway can become uncombined when parsed by a syslog log source with a matching Log Source Identifier (LSI).

            When Open LDAP UDP Multiline events are collected with the 'Use As A Gateway Log Source' on its own port, they are combined correctly as configured and display as Sim Generic events. If there is a syslog log source also created that matches the LSI of these generic combined events, the events are parsed with that log source and some of them uncombine.

            This only occurs with specific payloads and caused by a parsing issue with the UDPMultiline protocol.
            8 October 2021
            OFFENSES IJ29371 OFFENSE DETAILS REPORT IN PDF FORMAT CAN CAUSE REPORT_RUNNER TO GO OUT OF MEMORY CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            1. Run the required Offense Details report on a smaller set of data.
              OR
            2. Change the report to excel/csv output instead of pdf.


            3. Issue
              The QRadar report_runner process can go out of memory when running an Offense Details report that is configured for PDF output.

              This out of memory occurs when there is too much data for the PDF rendering to handle (example: over month of data). When this occurs, the report fails to generate.
            06 September 2022
            tbd IJ34320 QRADAR USER INTERFACE DISPLAYS 'NULL' AND OR 'KEY NOT FOUND' IN MULTIPLE UI FIELDS OPEN Workaround
            Correct the permissions on the files/directories when this issue occurs. This issue has been identified with /opt/qradar/conf/localization From an SSH session to the QRadar console, use the chmod command to set the correct permissions for /opt/qradar/conf/localization to 775:
            # chmod 775 /opt/qradar/conf/localization

            Issue
            In some instances, lineChange.sh can cause incorrect file permissions to be set on required file/folders.

            When this issue occurs, the QRadar User Interface can display "null" and or "key not found" across multiple UI fields.
            13 August 2021
            AQL IJ21739 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS OPEN Workaround
            Enable store payload in the Log Sources.

            Issue
            Using the 'Payload Contains' AQL filter generated from a basic search generates an illegal argument exception and has incorrect search results when compared with the results of the basic search. For example:
            1. Create a basic search.
            2. Add the filter "Payload Contains" Admin.
            3. Add the payload column.
            4. Save the search and run it.
            5. Notice the expected output of the payload column.
            6. Convert the search to AQL by clicking > Log Activity > Edit Search > Show AQL.
            7. Have an AQL:
              select "payload" as 'Payload',QIDNAME(qid) as 'Event
              Name',logsourcename(logSourceId) as 'Log Source',"eventCount"
              as 'Event Count',"startTime" as 'Start
              Time',categoryname(category) as 'Low Level Category',"sourceIP"
              as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as
              'Destination IP',"destinationPort" as 'Destination
              Port',"userName" as 'Username',"magnitude" as 'Magnitude' from
              events where icu4jsearch('Admin', payload) != -1 order by
              "startTime" desc LIMIT 1000 last 5 minutes
            8. Run the AQL search.

              Results
              An illegal argument exception is generated and the payload is incorrect.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException:
            Error calling function
            com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507):
            java.lang.IllegalArgumentException
            at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:672)
            at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:647)
            at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:799)
            at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:774)
            31 December 2021
            WINCOLLECT IJ33117 MAXIMUM OF THREE (3) WINCOLLECT AGENTS ARE DISPLAYED WHEN USING THE LOG SOURCE MANAGEMENT APP OPEN Workaround
            Manually type the WinCollect Agent name to find it in the list.

            Issue
            When using the Log Source Management (LSM) app, the drop-down menu of WinCollect Agents displays a maximum of three (3) agents.

            For example:
            1. Have more than three (3) WinCollect clients, ensure the Agents have been connected.
            2. Launch the LSM app, click New Log Source button
            3. Select Single Log Source, select LST as Microsoft Windows Security Event Log, and select WinCollect protocol type.
            4. Fill all required fields, in Configure Protocol Parameters page, scroll down to the bottom and select WinCollect Agent.

              Results
              Only the three (3) agents are displayed
            17 June 2021
            QRADAR NETWORK INSIGHTS IJ32209 INCIDENT RESULTS WINDOW CAN TAKE LONGER THAN EXPECTED TO LOAD CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            If you are unable to upgrade, contact support for a possible workaround that might address this issue in some instances.

            Issue
            The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management.

            All entries on all pages must have a Solr request sent to determine the document count for the page which can sometimes cause the Incident Results window to take longer than expected to load.
            28 April 2021
            AQL IJ33665 AQL REFERENCETABLE TABLE FUNCTION USING 'LOWER' AND 'GROUP' CAN FAIL TO WORK AS EXPECTED OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Using the AQL REFERENCETABLE function with LOWER and GROUP clause can result in inconsistent query results. Example query containing both LOWER and GROUP:
            select REFERENCETABLE('test','number',LOWER(username)) as
            'number',REFERENCETABLE('test','test',LOWER(username)) as
            'test', username from events GROUP BY
            username,'numOfParts','SHA256' ORDER BY username,'number','test'
            DESC last 1 HOURS


            Removing either LOWER() or GROUP clause provides correct query results.
            18 July 2021
            APPLICATION FRAMEWORK IJ24325 INSTALLING A NEW VERSION OF AN APP CAN LEAVE THE OLD VERSION STILL INSTALLED AND RUNNING CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Remove the older QRadar App version manually from Extension Management in Admin tab of the QRadar User Interface.

            Issue
            Installing a newer version of a QRadar App can sometimes result in being left with both the old and new version running simultaneously. This is to say the old version does not get removed properly and is left running.

            Messages similar the the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]
            com.q1labs.restapi_annotations.content.exceptions.APIMappedExcep
            tion: Unable to process request because Container Manager
            service is unavailable
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(
            ExceptionMapper.java:141)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
            askThread.java:61)
            ...
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            java.lang.Thread.run(Thread.java:812)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]
            Caused by:
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]
            com.q1labs.restapi_annotations.content.exceptions.endpointExcept
            ions.ServerProcessingException: Unable to process request
            because Container Manager service is unavailable
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.uiframeworks.application.api.service.DefaultApplicati
            onAPIService.abortIfConManIsUnavailable(DefaultApplicationAPISer
            vice.java:556)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.uiframeworks.application.api.service.DefaultApplicati
            onAPIService.deleteApp(DefaultApplicationAPIService.java:577)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.uiframeworks.application.api.v10_0.ApplicationsAPI.de
            leteApplication(ApplicationsAPI.java:423)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
            Impl.java:90)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
            AccessorImpl.java:55)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            java.lang.reflect.Method.invoke(Method.java:508)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
            hod(APIRequestHandler.java:1031)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
            equest(APIRequestHandler.java:399)
            [tomcat.tomcat] [configservices@127.0.0.1(4359)
            /console/restapi/api/gui_app_framework/applications/1101]
            ... 61 more
            [tomcat.tomcat] [com@127.0.0.1]
            com.ibm.si.content_management.utils.AppFrameworkAPIClient:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Delete failed
            for app 1101
            23 February 2022
            DATA SYNCHRONIZATION APP IJ34687 UNABLE TO COMPLETE FAIL BACK PROCESS DUE TO 'FAIL BACK TO MAIN SITE' OPTION NOT SELECTABLE IN DATA SYNC APP OPEN Workaround
            1. Perform a factory reset on main and destination sites:https://www.ibm.com/docs/en/qradar-common?topic=app-implementing-factory-reset.
            2. Run through the failover process again, making sure not to select 'Reactivate Main Site' until a few moments after the notification that the ariel copy is caught up.

            Issue
            In instances where the 'Reactivate Main Site' option is selected prior to a fail back being completed, the IBM QRadar Data Syncronization app option for 'Fail back to main site' becomes permanently un-selectable (option is greyed out) on the destination site.
            29 August 2021
            OFFENSES IJ34730 EVENTS MATCHING A RULE CAN SOMETIMES FAIL TO BE ASSOCIATED WITH AN OFFENSE OR GENERATE A NEW OFFENSE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            In some instances after an offense is closed, new events that match a rule are neither associated with the offense nor generate a new offense as expected due to a race condition that can occur.
            26 August 2021
            SEARCH IJ19107 SEARCHES USING A CUSTOM PROPERTY CAN BE SLOWER TO COMPLETE THAN EXPECTED OPEN Workaround
            Contact Support if you are experiencing slower that expected search results when using Custom Properties.

            Issue
            It has been identified that searches using a Custom Property can be slower than expected to return results when some ariel threads are slow to complete.

            Performing an evaluation of a threaddump using the threadTop.sh command can determine if this issue is affecting your QRadar searches. A "BLOCKED" worker thread in an ariel thread dump indicates this issue is affecting your QRadar searches. For Example - Only one should be in running state and others (executing the same code) should be blocked on that one. In the below example, thread qw_2 is in the synchronized block and qw_3 is blocked on it:
            "qw_2:2500ba82-b58c-4906-b20b-04f05fbed185" Id=188 in RUNNABLE
            at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
            at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
            at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
            at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
            at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
            at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
            at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
            at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
            at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
            at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            at java.lang.Thread.run(Thread.java:812)
            "qw_3:2500ba82-b58c-4906-b20b-04f05fbed185" Id=241 in BLOCKED
            on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d
            owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188
            at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
            at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
            at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
            at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
            at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
            at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
            at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
            at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
            at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
            at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            at java.lang.Thread.run(Thread.java:812)
            25 September 2019
            CUSTOM PROPERTIES IJ30032 UNABLE TO SAVE CHANGES TO DEFAULT CUSTOM EVENT PROPERTY (CEP): "OBJECT TYPE(S)" OPEN Workaround
            Create a new CEP without the characters outlined in the error message. For more information on creating a custom property, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_create_cust_property.html.

            Issue
            A message similar to: "Property name cannot contain following characters: \ , . & ', " ( )" is generated when attempting to save changes to the Custom Event Property (CEP) "Object Type(s)".

            To replicate this issue:
            1. Click the Admin tab > Custom Event Property.
            2. From Search Field, search (s)
            3. Multiple results are returned, such as "Object name(s)" and "Object type(s)", click one of them
            4. Click Save button.

              Results
              An error message is generated - "Property name cannot contain following characters: \ , . & ', " ( ) [ ]"
            5 January 2021
            JDBC PROTOCOL IJ30026 HOSTNAME STARTING WITH NUMBER OR SPECIAL CHARACTER FAILS VALIDATION WHEN CREATING A LOG SOURCE USING THE JDBC PROTOCOL OPEN Workaround
            1. Use a hostname starting with a letter instead of digits or special characters.
              or
            2. Contact Support for another workaround that might work in these instances.

            3. Issue
              "IP or Hostname must be a valid IPv4 address or hostname" message can be observed when attempting to create a Log Source using the JDBC protocol when the configured hostname begins with a number or special character.
            5 January 2021
            CUSTOM PROPERTIES IJ32194 LEADING WHITESPACE NOT BEING DISPLAYED CAN CAUSE RULES BASED ON CUSTOM EVENT PROPERTIES TO NOT WORK AS EXPECTED OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            The QRadar Log Activity page does not display the leading whitespace for a custom event property that has a whitespace at the beginning of its characters. Views within the DSM editor can also fail to properly display a leading whitespace where they exist. This can cause false visibility during rule creation due to not being able to see the blank space paresd within custom event properties.
            30 April 2021
            RULES IJ30033 DEVICE STOP SENDING EMAIL RULE RESPONSES CAN CONTINUE FROM THE BACKUP HOST AFTER QRADAR DATA SYNCRONIZATION APP IS CONFIGURED OPEN Workaround
            Manually stop the postfix service on the backup host using the command:
            # systemctl stop postfix


            Issue
            After completing the configuration of the QRadar Data Syncronization app, any rules configured "device stop sending events" can continue to send emails from the Backup host if using email as response is configured.
            5 January 2021
            APP HOST APPLIANCE IJ28640 DUPLICATE ENTRIES WITHIN IPTABLES ON AN APP HOST CAN BE GENERATED AFTER QRADAR APPS ARE STOPPED AND STARTED OPEN Workaround
            From a command line (SSH session), restart docker on the App Host to reset the iptables entries:
            # systemctl restart docker


            Issue
            When QRadar Apps are stopped and started with the API, the firewall (iptables) on an App Host is appended with duplicate entries.

            The issue is caused due to the firewall (Iptables) being appended with the entries to the NAT rule when starting the app without first checking if the existing rule has already been placed in the firewall.
            11 October 2020
            ASSETS IJ01985 SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED OPEN Workaround
            No workaround available.

            Issue
            It has been identified that in some instances, residual identity data associated to an Asset can be left in the QRadar database after the Asset is updated.

            When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses.

            An example of when this issue occurs:
            View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username this does not correlate to the offense detected, it is based on the what is known about the asset.

            This does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, on the right choose Event/Flow count -> X events, the next pop up displays the captured details.
            23 March 2018
            NETWORK IJ29953 IPTABLES FIREWALL RULES CAN FAIL TO UPDATE PROPERLY AFTER ADDING AN ADDITIONAL IPV4 OR IPV6 INTERFACE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            After adding an additional interface as IPv4 on an IPv6 environment or adding an additional IPv6 interface with IPv4 as a management interface, the iptables firewall rule is not updated, even after a Deploy Full Configuration is performed.
            20 December 2020
            FLOWS IJ34731 FLOW SOURCE FILTERS WITH RANDOM INVALID CHARACTERS CAN BE DISPLAYED IN THE QRADAR USER INTERFACE OPEN Workaround
            Contact Support for a possible workaround that might address this issue in some instances.

            Issue
            In some instances, Flow Source filters with random invalid characters for a name can be displayed in the QRadar User Interface.

            This can occur as some entries are not properly validated and then can be populated when overflow records (and sometimes host info and domain info) are invalid as they are read from an overflow buffer.
            29 August 2021
            tbd IJ34719 UNABLE TO LOGIN AFTER ADDING A SECOND LDAP GROUP MAPPING CONTAINING A SPACE IN THE NAME OPEN Workaround
            Contact Support for a possible workaround that might address this issue in some instances.

            Issue
            Adding a second LDAP group to a mapping with a group that has a space in the name causes logins to stop working. This is caused by the space being escaped incorrectly resulting in the space being replaced with '%2520' instead of '%20' and no longer mapping correctly. For example:
            1. Have LDAP group based authentication.
            2. Select the '+' to add a group mapping and use a group with spaces in the name (for ex. "group with space")
            3. The group adds with the space replaced with a '%20' (this is expected)
            4. Confirm you can logon with a user in the mapping using the group with the space.
            5. Select the '+' again to add another group to the same mapping (with or without spaces.)
            6. The existing group with the space changes from '%20' to '%2520'
            7. Save the changes.
            8. Attempt to login

              Results
              Unable to login as the mapping no longer matches.
            29 August 2021
            DATA NODE IJ28324 DATA NODE STAYS AT 'WAITING FOR REBALANCING' STATUS WHEN DIRECTLY ADDED TO A QRADAR DEPLOYMENT IN 'ARCHIVE' MODE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            From an SSH session to the QRadar Console:
            1. Confirm the /opt/qradar/conf/datanode.history appears as follows:
              {"history":[...<skipped>...],"id":8,"master_id":8,"status":{"sta
              tus":"requiresRebalancing","databases":{"flows":{"status":"requi
              resRebalancing"},"events":{"status":"requiresRebalancing"}},"mod
              e":"Active"},"nodes":[8]}
            2. Make a backup of the file.
            3. Using the vi command, edit the 3 occurrences of "requiresRebalancing" references to "ready" and save.
            4. Perform the command:
              systemctl restart ariel_proxy_server


            Issue
            Upon deploying a data node into the QRadar deployment directly into archive mode, it continuously displays "Waiting for Rebalancing" for it's rebalancing status. For example:
            1. Have a QRadar Console and a Data Node.
            2. Add a Data Node.
            3. Without performing a deploy after the Data Node is added, change its mode to "archive".
            4. Perform the Deploy function.
            5. The data node's rebalancing status stays as "Waiting for Rebalancing"
            2 February 2022
            QRADAR RISK MANAGER IJ34686 RESULTS FROM A TOPOLOGY PATH SEARCH CAN DISPLAY INCORRECT PATH RESULTS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            A topology path search that should traverse a directly-connected network on a network device which supports virtual routers, and has no routing protocol entry for the network in any of its routing tables, fails to find the correct path. Affected device types are Cisco IOS, Juniper Junos, and F5 BIG-IP.

            Messages similar to the following might be visible in the device backup log when this issue occurs:
            WARN: No Interfaces are assigned to routing-instance default
            25 August 2021
            LOG SOURCES IJ33664 EVENTS CAN SOMETIMES FAIL TO BE DISPLAYED FOR A NEWLY AUTO DISCOVERED LOG SOURCE OPEN Workaround
            Disable auto detect for the affected log source using the DSM Editor, and create the log source manually.

            Issue
            In some instances a new log source can be successfully created by the auto discovery feature but no events are displayed for the log source. This has only been observed on a select few log source types.
            13 August 2021
            QRADAR VULNERABILITY MANAGER IJ33116 QRADAR VULNERABILITY MANAGER SCAN RESULT EXPORT CAN INCLUDE ALL SCANNED ASSETS CLOSED Resolved in
            QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

            Workaround
            Add the vulnerability or service to an asset or vulnerability search and then export the results.

            Issue
            When assets which have a specific vulnerability or open service are exported from the Scan Results screen in QRadar Vulnerability Manager, the export contains all assets that were scanned.
            30 May 2022
            OFFENSES IJ26094 QRADAR USER INTERFACE AND API FUNCTIONS CAN BE SLOW TO RESPOND WHEN OFFENSES HAVE A LARGE AMOUNT OF ATTACKER/TARGET DATA OPEN Workaround
            Contact Support to help identify if QRadar UI or API function slowness is being caused by this issue.

            If so, perform a Hard Clean of the SIM Model.
            Note: Performing a Hard Clean purges all current and historical SIM data from the database, including protected offenses, source IP addresses, and destination IP addresses.

            Issue
            The QRadar User Interface (UI) and/or the QRadar API can become slow to respond when an Offense(s) accrues a very large amount (millions) of attacker/target data in it's data set. This slowness is caused by the amount of time being used to continually purge data by the QRadar MPC PersisterThread (used for Offenses) when these large attacker/target data sets exist in a QRadar environment.
            13 July 2020
            UPGRADE IJ30812 7.4.2 UPGRADE PRETEST OPTION CANNOT COMPLETE UNTIL EVENT COLLECTOR HIGH AVAILABILITY PAIRS HAVE MIGRATED TO DRBD OPEN Workaround
            Migrate the Event Collector pairs in the QRadar deployment from glusterfs to DRBD, then run the upgrade pretest option. See link for more information on the required migration: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.q radar.doc/t_qradar_up_ugrad_glusterfs_migration.html

            Issue
            The QRadar 7.4.2 upgrade pretest (/media/updates/installer -t) cannot be successfully completed until all Event Collector pairs in High Availability (HA) have completed the required glusterfs to DRBD migration.
            16 February 2021
            QRADAR NETWORK INSIGHTS IJ26733 TWO QNI TIKA INSTANCES CAN START ON THE SAME PORT DUE TO A RACE CONDITION CAUSING REPEATED MESSAGES WRITTEN TO QRADAR LOGS CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Find the TikaServer port number in the parenthesis of the qradar.log file (eg. 6690 in the case described above).
            1. Check for two Tika instances on 6690.
              pgrep -af "tika.py.*6690"
                  27350 /usr/bin/python
              /opt/ibm/forensics/decapper/python/tika.py watch
              /opt/ibm/forensics/decapper/decap/tika/tika.sh
              /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
              /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
                 45730 /usr/bin/python
              /opt/ibm/forensics/decapper/python/tika.py watch
              /opt/ibm/forensics/decapper/decap/tika/tika.sh
              /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
              /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
            2. Kill any Tika instances on 6690 and let the watcher script restart Tika.
              pkill -f "tika.py.*6690"
            3. Double check there is only a single instance of Tika on that port after
              pgrep -af "tika.py.*6690"
                 27350 /usr/bin/python
              /opt/ibm/forensics/decapper/python/tika.py watch
              /opt/ibm/forensics/decapper/decap/tika/tika.sh
              /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
              /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690

            Issue
            A race condition can occur where the TikaServer and Tika watcher script result in two Tika instances being started and the second TikaServer fails because the port is already in use. The Tika watcher script identifies that the 2nd instance dies and attempts to restart it in an infinite loop. Due to an instance already running on the port, the decapper continues to process without issue. Repeated log messages are written every second which can flood the /var/log/qradar.log file and appear similar to the following:
            TikaServer (6690) Watcher - INFO - TikaServer (6690) is not
            running
            TikaServer (6690) - INFO - Starting
            TikaServer (6690) - INFO - Started
            23 February 2022
            ASSETS IJ29372 NEW ASSETS BEING CREATED CAN HANG AT 'PENDING' IF AN ASSET IMPORT WITH INVALID IP ADDRESS HAS PREVIOULSY OCCURRED OPEN Workaround
            Clean out the spillover queue files using an SSH session to the QRadar Console:
            1. Stop the asset profiler:
              systemctl stop assetprofiler
            2. Remove the spillover files (backup the files from this location prior to deleting them):
              rm /store/transient/spillover/queue/assetprofiler.assetprofiler/*
            3. Restart the assetprofiler:
              systemctl restart assetprofiler

            Issue
            After importing a large number of assets with invalid IP addresses and then attempting to create assets, these asset creations can stall at "pending". When this occurs, a spillover queue can sometimes need to be cleaned out of flies to correct this behavior.
            18 November 2020
            SEARCH IJ30810 DEPLOY CHANGES FUNCTION CAUSES IN PROGRESS SEARCHES TO ERROR WHEN AN ENCRYPTED MANAGED HOST IS IN THE QRADAR DEPLOYMENT OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            When performing a Deploy Changes function (not a Deploy Full Configuration), any search that is in progress is interrupted and goes into error as the ariel proxy service restarts when the deployment has an encrypted Managed Host. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            ::ffff:x.x.x.x [tomcat.tomcat] [rhc_x.x.x.x]
            com.q1labs.configservices.config.globalset.platform.GlobalArielS
            erverListTransformer: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/-
            -]Ariel list transformer has changed the deployment file.
            16 February 2021
            NETWORK PACKET CAPTURE IJ32975 "SYNTAX ERROR: INVALID SYNTAX" WHEN PERFORMING A NETWORK PACKET CAPTURE INSTALLATION ON CUSTOM HARDWARE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            QRadar Network Packet Capture installations can only be performed on computer systems with hardware that matches IBM supplied appliances. Messages similar to the following might be visible when performing the installation on hardware that does not match:
                   ./setup
                   File "./setup", line 86
            global NTADAPTER = napatech_adapters [0]
            SyntaxError: invalid syntax
            17 June 2021
            SEARCH IV87948 SEARCH FILTERING FOR A CUSTOM EVENT PROPERTY THAT INCLUDES NON-ENGLISH CHARACTERS DOES NOT WORK AS EXPECTED OPEN Workaround
            No workaround available. This issue was reopened as a user reported that they experiences the error described in this APAR.

            Issue
            Adding search filters for a Customer Event Property (CEP) that includes non-English characters does not work. Event/Data with valid, matching values that should be returned is not, in these instances.
            7 August 2020
            CUSTOM PROPERTIES IJ34647 UPGRADING TO QRADAR 743 RESULTS IN A LIST OF DEPRECATED CUSTOM EVENT PROPERTIES BEING DISPLAYED OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Environments upgraded to 7.4.3 might see a list of deprecated custom event properties (CEP) being displayed in event details. In some cases this list can be long and confusing as the CEP's can not be found in the CEP UI. The administrator may not be able to identify them or they look like duplicates.
            27 August 2021
            DSM EDITOR IJ30347 'THERE WAS A PROBLEM SAVING THE LOG SOURCE TYPE CONFIGURATION' AFTER CLICKING SAVE ON THE DSM EDITOR PAGE OPEN Workaround
            Set Global autodetection to True:
            1. Admin > System & License Management > Edit Managed Host > Component Management- Event Collector- Autodetection Enabled-True Autodetection - Use Global settings -True
            2. Perform a Deploy Changes function For more information on global autodetection, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_adm_dsm_ed_auto_log_source_config.html.

            Issue
            A messages similar to "There was a problem saving the Log Source Type configuration" can be displayed when clicking Save on the DSM Editor page when global autodetection has been disabled in QRadar settings:
            Admin > System and License Management > Edit Managed Host > Component Management > Event Collector > Autodetection Enabled-False Autodetection - Use Global settings -False
            23 January 2021
            DEPLOY CHANGES IJ30019 DELEGATED ADMIN CAN PERFORM 'DEPLOY CHANGES' FUNCTION OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Delegated admin users can perform a Deploy Changes function when they should not be able to perfrom this task.
            5 January 2021
            IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL IJ30959 : THE QRADAR IBM SECURITY IDENTITY MANAGER JDBC PROTOCOL CAN GENERATE OUT OF MEMORY ERRORS OPEN Workaround
            A protocol update to the IBM Security Identity Manager JDBC protocol is required to resolve this issue. Administrators can monitor for stopped collection from IBM Security Identity Manager log sources in the Log Activity tab or review for the logs for "OutOfMemoryError: Direct buffer memory" errors.

            If you experience issues with collection from your IBM Security Identity Manager JDBC protocol log sources, you can restart the ecs-ec-ingress service to restart event collection when you have a large event spike on your log source.

            To restart ecs-ec-ingress:
            1. Use SSH to log in to the QRadar Console.
            2. Open an SSH session to the appliance that has stopped sending IBM Security Identity Manager JDBC events.
            3. Type the following command:
              systemctl restart ecs-ec-ingress
            4. Confirm events are received from your IBM Security Identity Manager JDBC log source. To force the JDBC protocol to collect events you can disable, then enable the IBM Security Identity Manager log source from the Log Source Management application.

              Note: In most cases, administrators only need to restart ecs-ec-ingress on one appliance that polls their IBM Security Identity Manager JDBC database. Administrators can restart ecs-ec-ingress globally on all appliances from the Admin tab in QRadar if you have a number of IBM Security Identity Manager appliances. The navigation bar includes an Advanced menu. Selecting ?Restart Event Collection Service? halts event collection globally while the ecs-ec-ingress service restarts.

            Issue
            An issue has been identified where the IBM Security Identity Manager JDBC protocol can experience a memory condition when it attempts to process events from the spillover cache. Administrators can experience this issue when an event burst (incoming EPS spike) for the IBM Security Identity Manager JDBC protocol is large enough, the IBMSIMJDBCEventConnector can run out of available memory. When the memory error occurs, the ecs-ec-ingress service cannot move events from the direct memory buffer for IBMSIMJDBCEventConnector to the event pipeline. Events expected to be viewable from the Log Activity tab might not return search results as they did not enter the event pipeline as expected from the ecs-ec-ingress service.

            Note: This issue only affects IBM Security Identity Manager JDBC protocol integrations, other QRadar integrations that use JDBC are not affected by this memory issue.

            When this issue occurs, the following message is displayed in in /var/log/qradar.log:
            [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.
            semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954]
            java.lang.OutOfMemoryError: Direct buffer memory::Please use
            appropriate 'size' via -XX:MaxDirectMemorySize={size}
            [ecs-ec-ingress.ecs-ec-ingress] [
            com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
            r1954] at java.nio.Bits.reserveMemory(Bits.java:747)
            [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.
            IBMSIMJDBCEventConnector1954] at java.nio.DirectByteBuffer.{init}
            (DirectByteBuffer.java:123)
            [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.
            semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] 
            at java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:311)
            [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ib
            msimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.
            cache.ResizableBufferPool.{init}(ResizableBufferPool.java:50)
            [ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibm
            simjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.c
            ache.ResizableBufferPool.{init}(ResizableBufferPool.java:26)
            27 February 2021
            LOG SOURCE MANAGEMENT APP IJ28131 LSM APP TEST FOR ORACLE LOG SOURCE IGNORES THE TIMEOUT AND KEEPS RUNNING OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            It has been identified that in some cases the Oracle log source protocol test ignores the test protocol timeout value and keeps running until the Log Source test query completes.
            22 September 2020
            QRADAR INCIDENT FORENSICS IJ30018 CASE CANNOT BE UPLOADED IN QRADAR INCIDENT FORENSICS WHEN THE FTPMONITOR CANNOT CONNECT TO THE DATABASE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Cases cannot be uploaded into QRadar Incident Forensics when an ftp user has not been properly updated as the Forensics ftpmonitor fails the database connection. Messages similar to the following might be visible in QRadar logging when this issue occurs:
            127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: 
            [ERROR] Failed to get users
            127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: 
            Failed to retrieve console host.
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58)
            127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566)
            127.0.0.1 at java.util.TimerThread.run(Timer.java:516)
            127.0.0.1 Caused by: 
            org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username"
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514)
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141)
            127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
            127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
            127.0.0.1 at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
            127.0.0.1 at org.postgresql.Driver.makeConnection(Driver.java:454)
            127.0.0.1 at org.postgresql.Driver.connect(Driver.java:256)
            127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:675)
            127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:281)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.connect(Database.java:59)
            127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:183)
            127.0.0.1 ... 5 more
            5 January 2021
            ASSETS IV97179 ATTEMPTING TO PERFORM A CLEAN VULNERABILITIES CAN FAIL DUE TO A TIMEOUT IN THE BACKEND CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Contact Support for a possible workaround that might address this issue in some instances.

            Issue
            Assets tab -> Actions drop down -> Clean Vulnerabilities

            Attempting a "Clean Vulnerabilities" from the User Interface, Assets tab, can fail due to a backend timeout occurring.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [assetprofiler.assetprofiler]
            [AssetProfilePersister-BottomTier]
            com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause: An I/O error occured while sending to the backend.
            [assetprofiler.assetprofiler]
            [AssetProfilePersister-BottomTier]
            com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorkerThread: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
            Asset Profile Persister is rolling back its current transaction due
            to the above exceptions.
            23 February 2022
            LOG SOURCE IJ34691 AUTO DISCOVERY LOG SOURCE NAMES ARE CASE SENSITIVE BUT THE LSM AND API LOG SOURCE NAME ARE NOT OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Administrators might notice that Auto discovery can add two Log sources with the same name but one is upper case and the other is lower case. For example, server1 and SERVER1. When trying to do the same manually through the Log Source Management a Log Source name such as server1 can be added. When adding the Log Source name SERVER1, the second Log Source will fail with a message "The log source name must be unique"

            When trying to add the Log Sources by using the API, the second Log Source will fail with the error message "The 'name' parameter must be unique." when you try to create another Log Source as "SERVER1"
            29 August 2021
            LICENSE IV93531 'LICENSE POOL ALLOCATION' WINDOW CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD IN LARGE QRADAR DEPLOYMENTS OPEN Workaround
            No workaround available.

            Issue
            It has been observed in large QRadar deployments that opening the 'License Pool Allocation' window can take a longer than expected time (multiple minutes). QRadar User Interface -> Admin tab -> System and License Management - > Licenses -> License Pool Allocation window.
            9 January 2019
            WINCOLLECT IJ33115 WINCOLLECT AGENTS CAN FAIL TO UPDATE OR GET CONFIGURATION UPDATES WHEN USING CUSTOM HTTPD CERTIFICATE OPEN Workaround
            In a distributed QRadar deployment, and where possible, encrypt the required Managed Host used for the WinCollect agent. for more information, see https://www.ibm.com/docs/en/qsip/7.4?topic=hosts-configuring-managed-host.

            Issue
            WinCollect agents can fail to receive configuration updates or are unable to be updated when using custom httpd certificate and when the connection to console from Managed Host is not encrypted (when using a Managed Host for the agent).

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager:
            [ERROR] [NOT:0000003000][(ConsoleIP)/- -] [-/- -]No subject
            alternative names matching IP address (ConsoleVIP) found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            java.security.cert.CertificateException: No subject alternative
            names matching IP address (ConsoleVIP) found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.util.b.b(b.java:29)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.util.b.a(b.java:12)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.aD.a(aD.java:209)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.aD.a(aD.java:63)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.aD.a(aD.java:134)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.aD.checkServerTrusted(aD.java:144)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager
            .checkServerTrusted(Q1X509TrustManager.java:317)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.E.a(E.java:145)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.E.a(E.java:479)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.D.s(D.java:286)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.D.a(D.java:251)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.av.a(av.java:788)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.av.i(av.java:45)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.av.a(av.java:637)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.jsse2.av.startHandshake(av.java:1020)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:81)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.q1labs.sem.semsources.wincollectconfigserver.util.WinCol
            lectConsole.Call(WinCollectConsole.java:281)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.q1labs.sem.semsources.wincollectconfigserver.requestproc
            essors.ConnectionEstablishmentVersion2Processor.onReceiveConnec
            tionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.java:204)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_15]
            at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler.run
            (WinCollectConfigHandler.java:122)
            16 June 2021
            API IJ33667 DOMAIN MANAGEMENT API FUNCTIONS DO NOT ALLOW FOR DISCONNECTED LOG COLLECTOR ASSOCIATION TO A DOMAIN OPEN Workaround
            Add the required domain association for the Disconnected Log Collector from admin > System Configuration section, Domain Management.

            Issue
            The domain management API functions do not allow for associating a Disconnected Log Collector to a domain.
            18 July 2021
            ASSETS IJ29159 SOME INSTALLED WINDOWS PATCHES (KB) ARE NOT DISPLAYED FOR ASSETS IN QRADAR OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            In some instances, patches that have been applied to Windows systems are not updated with the latest KBs installed on scanned systems in Assets -> Asset -> Display -> Windows Patches.

            This has been identified as occurring when an installed KB for an affected Windows computer system asset does not get added to a QRadar database table (extrefvalue).
            17 November 2021
            UPGRADE IJ32784 QRADAR DOES NOT AUTOMATICALLY CLEAN UP FAILED REPLICATION FILES IN /STORE/REPLICATION/FAILED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

            Workaround
            Delete files in /store/replication/failed from the affected QRadar appliance and attempt the patch again: From an SSH session, run the following command:
            rm -f /store/replication/failed/failed*


            Issue
            The QRadar patching process can fail when /store has insufficient space due to files located in /store/replication/failed that are not cleaned up automatically by QRadar.
            30 May 2022
            JDBC PROTOCOL IJ29367 SOPHOS LOG SOURCES USING JDBC CAN CAUSE AN ECS-EC-INGRESS SERVICE OUT OF MEMORY CAUSING AN EVENT COLLECTION OUTAGE OPEN Workaround
            Contact Support for a possible workaround that might address this issue in some instances.

            Issue
            Sophos Log Sources using the JDBC protocol can sometimes cause the ecs-ec-ingress service to go out of memory. The ecs-ec-ingress service is the QRadar event collection service (QRadar 7.3.1 and newer), therefore an out of memory in this service causes an interruption to event collection until the service recovers successfully.

            This out of memory issue can occur when there are a large number of rows to retrieve and the "EventTypeName" column has any of these values: "Device control", "Viruses/spyware", "Adware or PUA" or "Firewall".
            18 November 2020
            FLOWS IV98672 MULTIPLE FLOW TYPES SENT FROM THE SAME IP CAN BE INCORRECTLY IDENTIFIED/LABELLED BY QRADAR OPEN Workaround
            No workaround available.

            Issue
            It has been observed that when two different flow types are sent from same IP on two different ports, QRadar creates an alias for the first flow type from that IP and the second flow type is reported as being the same as the first one.

            Example:
            Packeteer sent to Console and Jflow sent to QFlow managed host appliance from the same IP but on different ports.

            Flow Alias is created for Packeteer and the Jflows also get reported under that one.
            13 September 2017
            UDP MULTILINE SYSLOG PROTOCOL IJ26093 LOG SOURCES USING UDP MULTILINE SYSLOG CAN STOP RECEIVING EVENTS AFTER AN ECS-EC-INGRESS SERVICE RESTART OCCURS OPEN Workaround
            An additional restart of the ecs-ec-ingress service can correct this issue. Please see this URL for details:https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_restart_ec_ingress.html.
            Note Event collection is briefly interrupted while the service restarts.

            Issue
            In some instances when the ecs-ec-ingress service (needed for event collection) restart occurs (eg. can occur after an autoupdate is applied), the UDP multiline syslog provider does not shutdown fast enough. When the provider attempts to start up, the old version of the provider is still locked to port 517, so the new instance cannot open the port. When this situation occurs, the provider cannot start and therefore cannot receive events as expected.
            13 July 2020
            MSRPC PROTOCOL IJ34656 LOG SOURCES USING WINDOWS EVENT RPC PROTOCOL CAN INTERMITTENTLY STOP WORKING AS EXPECTED OPEN Workaround
            Toggling the affected Log Source to disabled, and then enable it again can temporarily correct this issue.

            Issue
            Log Sources that use the Windows Event RPC Protocol can intermittently stop collecting events when an exception occurs on the receipt of Windows Server 2019 events.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609]
            java.lang.ArrayIndexOutOfBoundsException
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at
            jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at
            ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at ndr.Net
            workDataRepresentation.readUnsignedLong(NetworkDataRepresentati
            on.java:64)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepr
            esentationAdapter.readUnsignedLong(NetworkDataRepresentationAda
            pter.java:34)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.ndr.method.eventlog.msev
            en6.EvtRpcGetNextEventMetadata.readResult(EvtRpcGetNextEventMet
            adata.java:80)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.ndr.BaseNdrObject.read(B
            aseNdrObject.java:28)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at
            ndr.NdrObject.decode(NdrObject.java:36)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at rpc.Con
            nectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:13
            7)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at
            rpc.Stub.call(Stub.java:113)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Publ
            isherMetadataCache.getEventMetadata(PublisherMetadataCache.java
            :125)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Publ
            isherMetadataCache.cachePublisherInfo(PublisherMetadataCache.ja
            va:97)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Publ
            isherMetadataCache.getPublisherMetadata(PublisherMetadataCache.
            java:62)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Even
            tMessageAPIRenderer.renderMessage(EventMessageAPIRenderer.java:
            46)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Even
            tMessageRenderer.renderMessage(EventMessageRenderer.java:40)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Even
            tLogIterator.processBuffer(EventLogIterator.java:78)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Even
            tLogIterator.getAll(EventLogIterator.java:42)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.mseven6.Wind
            owsEventLogImpl.read(WindowsEventLogImpl.java:323)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.RPCEventSour
            ce.getEvents(RPCEventSource.java:219)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.eventsource.RPCEventSour
            ceMonitor.getEvents(RPCEventSourceMonitor.java:124)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.windowseventrpc.WindowsEventRPCProvider.
            execute(WindowsEventRPCProvider.java:194)
            
            [ecs-ec-ingress.ecs-ec-ingress] [Windows Event Log RPC Protocol
            Provider Thread: Windows Event Log RPC Provider 609] at com.q1l
            abs.semsources.sources.base.SourceProvider.run(SourceProvider.j
            ava:195)
            29 August 2021
            UPGRADE IJ33887 PATCHING FROM QRADAR 7.3 TO 7.4 WITH CISCO FIRE POWER THREAT DEFENSE DSM CAN BREAK EVENT PARSING OPEN Workaround
            install the 7.4 CiscoFirepowerThreatDefense DSM or run an autoupdate

            Issue
            Administrators who patch from 7.3 to 7.4 and have a configured Cisco Fire power Threat Defense DSM that was receiving events. When these are received post patch they can break Event Parsing causing all events to go to stored.

            Look for similar messages in /var/log/qradar.log/
            Jun 14 16:09:41 ::ffff:IP [ecs-ec.ecs-ec] [Event Parser[3]]
            com.q1labs.frameworks.session.SessionContext: [INFO]
            [NOT:0000006000][IP/- -] [-/- -]Starting NON_BLOCKING
            dispatcher: 40c0afcb-4250-44c3-8613-94ca6d522889
            Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]]
            com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
            [NOT:0000003000][IP/- -] [-/- -]Exception was uncaught in thread: Event Parser[3]
            Jun 14 16:09:42 ::ffff:X.X.X.X [ecs-ec.ecs-ec] [Event Parser[3]]
            java.lang.NoSuchFieldError: com/q1labs/sem/dsm/cisco/firewall/CiscoFirepowerThreatDefense.properties
            04 August 2021
            LOG SOURCE MANAGEMENT APP IJ26534 'AN UNEXPECTED API ERROR HAS OCCURED. PLEASE REFER TO THE QRADAR ERROR LOGS' WHEN USING LOG SOURCE MANAGEMENT APP CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            In instances where an unexpected non-numeric value is present in a database entry, the Log Source Managment app can fail to load with an error similar to: 'An unexpected API error has occured. Please refer to the QRadar error logs for additional information'. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]
            com.q1labs.restapi.servlet.apidelegate.APIDelegate: [INFO]
            [NOT:0000006000][x.x.x.x/- -] [-/- -]Following message
            suppressed 1 times in 300000 milliseconds
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]
            com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR]
            [NOT:0000003000][x.x.x.x/- -] [-/- -]Request Exception
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]
            com.q1labs.restapi_annotations.content.exceptions.APIMappedException: 
            Unable to retrieve log source statistics.
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi_annotations.content.exceptions.APIMappedExcep
            tion.<init>(APIMappedException.java:131)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEn
            dpointException(APIRequestHandler.java:1417)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
            equest(APIRequestHandler.java:415)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleReq
            uest(APIRequestHandler.java:244)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest
            (APIDelegate.java:341)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDe
            legate.java:259)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
            (ApplicationFilterChain.java:231)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
            tionFilterChain.java:166)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
            (ApplicationFilterChain.java:193)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
            tionFilterChain.java:166)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
            UserHeaderFilter.java:86)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
            (ApplicationFilterChain.java:193)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
            tionFilterChain.java:166)
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
            NameFilter.java:53)
            ...
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics] Caused by:
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
            invalid input syntax for integer: "SYSTEM-DLP-2" {prepstmnt
            -1244260909     SELECT fgroup.id as value, count(*) as count
               FROM fgroup INNER JOIN fgroup_link ON (fgroup.id =
            fgroup_link.fgroup_id) INNER JOIN logsourcereader_temp temp ON
            (temp.id = CAST(fgroup_link.item_id AS INTEGER))        AND
            fgroup.type_id = 1   GROUP BY fgroup.id} 
            [tomcat.tomcat] [user@x.x.x.x (6680)
            /console/restapi/api/config/event_sources/log_source_management/
            log_source_statistics]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg
            ingConnectionDecorator.java:218)
            25 August 2020
            REPORTS IJ27158 'THE ATTACHMENT SIZE IS TOO LARGE' MESSAGE IS WRITTEN TO QRADAR LOGGING REGARDLESS OF A MAIL FAILURE REASON CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            The message "Unable to send email to: [email_address], the attachment size is too large. You can update the Max Email Attachment Size (KB) in the System Settings" is written to the QRadar error logs regardless of the mail failure reason. Messages similar to the following might be visible in /var/log/qradar.log when this issue has occurred:
            [report_runner] [main] com.q1labs.reporting.ReportRunner:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Initializing
            Template:
            "test-email@test-email.com#$#2871c317-796f-4b43-834a-3ced048baae
            6"
            [report_runner] [main] com.q1labs.reporting.ReportRunner:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Report start:
            "2871c317-796f-4b43-834a-3ced048baae6" Title: "Qradar Daily
            Device Report"
            ....
            [report_runner] [main] com.q1labs.reporting.ReportServices:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send
            report "2871c317-796f-4b43-834a-3ced048baae6" to
            test-email@test-email.com
            [report_runner] [main]
            com.q1labs.frameworks.exceptions.FrameworksException: Unable to
            send email to: [test-email@test-email.com], the attachment size
            is too large. You can update the Max Email Attachment Size (KB)
            in the System Settings
            [report_runner] [main] Caused by:
            com.sun.mail.smtp.SMTPSendFailedException: 552 5.3.4 Error:
            message file too big
            06 September 2022
            MANAGED HOST IJ29029 THE REMAP OPTION (COMPONENT ID) OPTION WHEN ADDING A HOST CAN FAIL TO COMPLETE ALL REQUIRED TASKS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            When adding a host to a QRadar Deployment, if the remap option is selected and that option is missing a component in removed_deployment_components that the Mangeed Host needs to have remapped, the remap generates a Null Pointer Exception and all subsequent actions of the remap process fail to complete. When this situation happens, it leaves a partially remapped Managed Host or potentially a Managed Host that is not remapped at all depending on the order of how the components were being remapped.

            No messages are displayed in the QRadar User Interface indicating a problem has occured in these instances.

            Messages similar to the following might be visible is /var/log/qradar.log when this issue occurs:
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]
            com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
            [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred
            while executing the remote method 'valdiationRemap'
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap] java.lang.NullPointerException
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.testRemapAppliance(DeploymentAPIHostHelper.java:598)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.valdiationRemap(UIDeploymentManagement.java:227)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            sun.reflect.GeneratedMethodAccessor1055.invoke(Unknown Source)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            java.lang.reflect.Method.invoke(Method.java:508)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.uiframeworks.application.ReflectiveExportedMethod.callWithContext(ReflectiveExportedMethod.java:170)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.uiframeworks.application.ReflectiveExportedMethod.call(ReflectiveExportedMethod.java:128)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22)
            /console/JSON-RPC/QRadar.valdiationRemap
            QRadar.valdiationRemap]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]
            com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
            [NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred
            while executing the remote method 'remapHost'
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]
            java.lang.NullPointerException
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.ibm.si.configservices.api.impl.DeploymentAPIHostHelper.remap
            Appliance(DeploymentAPIHostHelper.java:753)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.qradar.ui.qradarservices.UIDeploymentManagement.remap
            Host(UIDeploymentManagement.java:236)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            java.lang.reflect.Method.invoke(Method.java:508)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.uiframeworks.application.ReflectiveExportedMethod.cal
            lWithContext(ReflectiveExportedMethod.java:170)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.uiframeworks.application.ReflectiveExportedMethod.cal
            l(ReflectiveExportedMethod.java:128)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.uiframeworks.application.ExportedMethod.call(ExportedMethod.java:146)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.core.ui.servlet.RemoteJavaScript.doGet(RemoteJavaScript.java:378)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.core.ui.servlet.RemoteJavaScript.doPost(RemoteJavaScript.java:619)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            com.q1labs.uiframeworks.servlet.HttpServlet.service(HttpServlet.java:22)
            /console/JSON-RPC/QRadar.remapHost QRadar.remapHost]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
            02 November 2020
            SYSTEM NOTIFICATIONS IJ29983 CLICKING THE HELP ICON FOR EVENT 'CRE: PROCESSOR THREAD(S) TERMINATED ABRUPTLY' (QID 38750144) RESULTS IN 'PAGE NOT FOUND' OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            When there is a System Notification generated for "CRE: Processor Thread(s) Terminated Abruptly", clicking the Help icon results in a "page not found". This is for event QID: 38750144.
            18 December 2020
            API IJ28323 DATA CAN BE RETURNED SLOWER THAN EXPECTED WHEN QUERYING FROM THE QRADAR API API/CONFIG/EXTENSION_MANAGEMENT/EXTENSIONS CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Querying data using the QRadar API api/config/extension_management/extensions can take longer than expected.

            This can also affect QRadar Apps that use the API to return this data (example: QRadar Assistant).
            06 September 2022
            QRADAR INCIDENT FORENSICS IJ30020 QRADAR INCIDENT FORENSICS UPLOAD CAN FAIL WHEN THERE ARE SPECIAL CHARACTERS CONTAINED IN THE DATABASE PASSWORD OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            Error similar to "There was an error running the forensics recovery." is observed while attempting to run a Forensics recovery on the Console when there is a database password containing special characters.
            [tomcat.tomcat] [HttpServletRequest-87-Idle]
            com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
            SQLException: FATAL: password authentication failed for user
            "qradar"
            SQLState: 28P01
            VendorError: 0
            --
            Checking the postgresql-qrd service in the Console it still
            shows this connection failures.
            x.x.x.x.ent postgres[173526]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173909]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173909]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173914]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173914]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
             x.x.x.x.ent postgres[173929]: [3-1] FATAL: password
            authentication failed for user "qradar"
             x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not
            match for user "qradar".
             x.x.x.x.ent postgres[173929]: [3-3] Connection matched
            pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
            md5"
            05 January 2021
            AKAMAI KONA IJ26656 LOG SOURCES USING THE AKAMAI KONA PROTOCOL CAN STOP PULLING EVENTS OPEN Workaround
            Toggling the Log Source experiencing the issue can correct this issue when it occurs: Perform a Disable and then Enable of the affected Log Source.

            Issue
            Log Sources configured to use the Akamai Kona RestAPI Protocol can stop pulling events when an "UnknownHostException" is received by the protocol (eg. DNS issue experienced during protocol query).

            Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurs:
            ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol
            Provider Thread: class
            com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAP
            IProvider3427] java.net.UnknownHostException:
            akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.
            net:
            akab-uyyfbgxgw7ainbm3-wssxie3ldbia4l42.cloudsecurity.akamaiapis.
            net: unknown error
            30 July 2020
            tbd IJ32192 ERROR WRITTEN TO QRADAR LOGGING: "THERE WAS AN ERROR READING AUTHENTICATION.PROPERTIES. SETTINGS WILL NOT BE RELOADED" OPEN Workaround
            Copy "/opt/qradar/conf/securityModel/authentication.properties" from the Console to the Managed Hosts in the QRadar deployment: See the following link for information on how to use the QRadar all_servers.sh command: https://www.ibm.com/support/pages/qradar-using-allserverssh-command.

            Issue
            An error message containing "There was an error reading authentication.properties. Settings will not be reloaded" can be observed in QRadar logging when a login message has been previously configured and then QRadar is patched.

            Messages similar to the following can also be visible in /var/log/qradar.log when this issue occurs:
            com.ibm.si.security
            model.authentication.settings.InvalidAuthenticationSettingsFileC
            onfigurationException: Invalid value for Logon message found.
            securitymodel.authentication.logon.require_accept was set to
            true but securitymodel.authentication.logon.message empty.
            30 April 2021
            ASSSETS IJ28539 UPDATING AN ASSET USING THE QRADR API WHEN THE ASSET HAS NO IP ADDRESS DEFINED FAILS WITH AN 'ILLEGAL ARGUMENT EXCEPTION' CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Perform required asset update using the QRadar User Interface.

            Issue
            Deleting an asset's IP address results in the inability to update the asset through the API and generates an IllegalArgumentException.

            This is due to the verification process that determines whether the IP is in the security profile.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]
            com.q1labs.assetprofile.api.v3_1.AssetsAPI: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not verify if the
            current user has permission to access domainid: [0], ipaddress: []
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]
            java.lang.IllegalArgumentException: Could not get domainId or
            ipAddress for asset [1460] !
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.canUserUpdat
            eAsset(AssetsAPIImpl.java:278)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.assetprofile.api.v3_1.impl.AssetsAPIImpl.updateAsset(AssetsAPIImpl.java:69)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.assetprofile.api.v3_1.AssetsAPI.updateAsset(AssetsAPI.java:140)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            sun.reflect.GeneratedMethodAccessor5608.invoke(Unknown Source)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            java.lang.reflect.Method.invoke(Method.java:508)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
            hod(APIRequestHandler.java:1038)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]
            atcom.q1labs.restapi.servlet.utilities.APIRequestHandler.redirec
            tRequest(APIRequestHandler.java:406)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleReq
            uest(APIRequestHandler.java:244)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:341)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:259)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
            (ApplicationFilterChain.java:231)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
            tionFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
            (ApplicationFilterChain.java:193)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
            tionFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1 (5792)
            /console/restapi/api/asset_model/assets/1460]    at
            com.q1labs.uiframeworks.servlet.AddUserHeaderFilter:
            23 February 2022
            LOG SOURCE MANAGEMENT APP IJ32804 A NON-ADMIN USER ROLE USER CANNOT REASSIGN OR MOVE A LOG SOURCE TO A DIFFERENT GROUP USING LOG SOURCE MANAGEMENT APP OPEN Workaround
            Perform the required change using: LSM app > Menu > Previous Log Source Interface > Edit

            Issue
            When a non-admin user attempts to change the Log Source Group using the Log Source Management app (version 6.1 and 7.0), the changes are not saved. For example:

            1. Login with a non-admin user.
            2. Open LSM app.
            3. Select any Log Source > edit > Groups > select group > Save.

              Results
              After clicking Save, the Log Source Group displays the original group name, the change does not take affect.
            28 May 2021
            REPORTS IJ29558 THE VALUE OF 'MOST RECENT RESULTS' IN AN OFFENSE REPORT DISPLAYS AS A NEGATIVE WHEN USING A DIFFERENT USER ACCOUNT OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            The value of 'Most Recent Results' in an offense report is negative when viewing as a different user account.
            For example:
            1. Have a user account that is not admin but has permissions to log activity, offenses and reports.
            2. Log on as admin user account, create a search ensuring it returns offense data
            3. Create a report based on the saved search, and view Scheduled Search results.
            4. Log on as the user account (same as step 1), view the Scheduled Search results, "Most Recent Results" is a negative value in Offense Source Summary section.
            04 December 2020
            DSM EDITOR IJ29955 MISSING DATE FORMAT IN THE LINUX OS DSM EDITOR CAUSES THE SIMULATION PARSING TO FAIL OPEN Workaround
            Uncheck (deselect) the box for "Override system behavior" for "Log Source Time". DSM Editor information: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_dsm_ed_overview.html.

            Issue
            Missing date format in the Linux OS DSM Editor causes the simulation parsing to fail.

            The DSM Editor does not parse/show the events in Log Activity Preview if there is no Date format for the time type event property and a NullPointerException is thrown.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate]
            com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.
            ServerProcessingException: Unable to complete parsing simulation
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.simulateParse
            (ApplicationAPIImpl.java:1070)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.simulateParse
            (ApplicationAPI.java:410)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at 
            sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethod)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at 
            java.lang.reflect.Method.invoke(Method.java:508)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
            hod(APIRequestHandler.java:1038)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:406)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] ... 61 more
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] Caused by:
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] java.lang.NullPointerException
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:609)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            java.text.SimpleDateFormat.<init>(SimpleDateFormat.java:591)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyParser.initialize
            Expression(DatePropertyParser.java:46)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<
            init>(PropertyParser.java:34)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParser.<
            init>(PropertyParser.java:75)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.parsers.DatePropertyPars
            er.<init>(DatePropertyParser.java:28)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.parsers.PropertyParserFactory.getPropertyParser
            (PropertyParserFactory.java:39)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPropertyParsers(ParserSimulator.java:120)
            [tomcat.tomcat]
            [user@127.0.0.1/console/restapi/api/application/data_ingestion/simulate] at
            com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.
            simulateParse(ApplicationAPIImpl.java:1060)
            [tomcat.tomcat] [xxx@xxxxx
            /console/restapi/api/application/data_ingestion/simulate] ...68 more
            18 December 2020
            QRADAR NETWORK INSIGHTS IJ33716 QNI PERFORMANCE DEGRADATION CAN OCCUR WHEN RUNNING IN ADVANCED MODE WITH AND A LARGE AMOUNT OF TLS TRAFFIC CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            On the console and each QNI host:
            1. Edit the /opt/qradar/conf/templates/configservices/forensics_config.vm file.
            2. In the tikaFilter section for excludeExt, add a line for
              <ext name=".crt"/>
            3. Perform a Deploy Full Configuration (Admin > Advanced drop down) so that the new configuration template is picked up and used for all QNI hosts.

              Mote: When this workaround is performed, the content type field is no longer populated for X509 certificates and this workaround can fail to persist during QRadar patching. Contact Support for assistance if required.

            Issue
            QRadar Network Insights (QNI) performance degradation can occur when running in advanced mode and a large amount of TLS traffic in the network environment.

            This is due to the decapper processing every X509 certificate as a file and thereby all processed through Tika unnecessarily.
            2 February 2020
            X-FORCE IJ08964 RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY OPEN Workaround
            No workaround available.

            Issue
            It has been identified that plugin option for "X-Force Exchange Lookup" is not available in the case of an AQL Query result in Log Activity when a performing a right click on the URL item of the event.

            The "X-Force Exchange Lookup" right click option is available in the case of a normal search result.
            16 October 2018
            DISCONNECTED LOG COLLECTOR (DLC) IJ29148 DISCONNECTED LOG COLLECTOR (DLC) CAN FAIL TO RECEIVE EVENTS AFTER AN INTERRUPTION IN NETWORK CONNECTIVITY OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            When there is an interruption in the network connectivity between a Disconnected Log Collector (DLC) and QRadar, some events can be missing due to way in which the disconnect and reconnect is handled in regards to handshake and socket monitoring.
            16 November 2020
            NETWORK IJ26509 QCHANGE_NETSETUP FAILS WHEN AN APPLIANCE TIMEZONE IS SET WHERE NO CITY/REGION IS SELECTED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            QRadar System and License Management: Set the timezone to include region and city (eg. "Europe/Dublin") for the affected appliance and run qchange_netsetup again.

            Issue
            Using the qchange_netsetup command from the QRadar command line (eg. To change an appliance hostname) can fail during the completion process when a timezone with no City/Region is selected for that appliance within System and License Management.

            Messages similar to the following might be displayed when this issue is occuring during the qchange_netsetup:
            May 27 17:27:35 qradar_netsetup.py[31813]: qradar_netsetup
            finalBlock [ERROR] KeyError: 'Eire'
            May 27 17:27:35 qradar_netsetup.py[31813]: ibm_logging error
            [ERROR] Failed. Exit code: 1. Case 1.
            2 February 2022
            LOG ACTIVITY IJ34165 QRADAR APP LOGGING CAN CAUSE UNKNOWN SIM GENERIC EVENTS TO BE DISPLAYED IN THE USER INTERFACE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates.

            Issue
            QRadar App logging can incorrectly direct events into the QRadar event pipeline. When this occurs, SIM Generic events can be generated and displayed in the User Interface.

            Example of messages that can be seen generated from the User Behavior Analytics app when this occurs:
            <14>1 2021-05-09T23:47:22+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] Detected QRadar version: 742
            <14>1 2021-05-09T23:47:00+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] Post app configs to ML response: Token
            successfully updated
            <14>1 2021-05-09T23:46:59+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] Calling qradar api on
            /console/plugins/1851/app_proxy/get_usecase_count returned
            status code 200
            <14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] ML Pipeline app id=1851,
            status=RUNNING
            <14>1 2021-05-09T23:46:58+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] Checking appliance hardware (RAM) is >
            2097152
            <14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] Checking if ML pipeline app present
            and getting appID.
            <14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] SEC token main UBA app present.
            <14>1 2021-05-09T23:46:56+0000 7af7bf83d639e752 UserAnalytics
            1803 - - [NOT:0000006000] An SEC Token has been configured
            05 August 2021
            SERVICE IJ34835 QRADAR ECS-EC-INGRESS SERVICE CAN STOP PROCESSING EVENTS DUE TO A NULL EVENT OPEN Workaround
            Restart the QRadar event collection service:
            Admin tab > Advanced > Restart Event Collection Services.

            Issue
            The QRadar ecs-ec-ingress service can stop processing events when a null event is received.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-45]
            com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
            [NOT:0000003000][10.153.24.147/- -] [-/- -]Exception was
            uncaught in thread: Thread-45
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-45]
            java.lang.NullPointerException
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-45] at com.ibm.si.ecing
            ress.filters.QueuedEventThrottleFilter$ThrottleProcessor.run(Qu
            euedEventThrottleFilter.java:349)
            10 September 2021
            SECURITY BULLETIN CVE-2021-29880 IBM QRADAR SIEM IS VULNERABLE TO POSSIBLE INFORMATION DISCLOSURE IN A MULTI-DOMAIN DEPLOYMENT CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 2 (7.4.3.20210810221124)

            Affected versions
            IBM QRadar 7.4.3 GA to 7.4.3 Fix Pack 1 (SFS files only)

            IMPORTANT FLASH NOTICE
            The QRadar Support team issued a flash notice for this issue for users on QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1 with domains enabled. For more information, see: https://www.ibm.com/support/pages/node/6480739.

            Issue
            IBM QRadar SIEM when using domains or multi-tenancy could be vulnerable to information disclosure between tenants by routing SIEM data to the incorrect domain. CVSS Base score: 5.3.
            12 August 2021
            SECURITY BULLETIN CVE-2021-20337 IBM QRADAR SIEM USES WEAKER THAN EXPECTED CRYPTOGRAPHIC ALGORITHMS CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            CVE-2021-20337: IBM QRadar uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. CVSS Base score: 5.9
            23 July 2021
            SECURITY BULLETIN CVE-2019-13990
            CVE-2020-8908
            CVE-2020-9488
            CVE-2020-13956
            CVE-2020-25649
            IBM DISCONNECTED LOG COLLECTOR IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
            Disconnected Log Collect (DLC) V1.6

            Affected versions
            IBM Disconnected Log Collector V1.0 to V1.5 Issue
            • CVE-2019-13990: Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. CVSS Base score: 5.5
            • CVE-2020-8908: Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.4
            • CVE-2020-9488: Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. CVSS Base score: 3.7
            • CVE-2020-13956: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. CVSS Base score: 5.3
            • CVE-2020-25649: FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5
            10 August 2021
            SECURITY BULLETIN CVE-2021-29757 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM PERFORMS IMPROPER CSRF CHECKING FOR SOME COMPONENTS CLOSED Resolved in
            User Behavior Analytics V4.1.2

            Affected versions
            All User Behavior Analytics versions

            Issue
            CVE-2021-29757: IBM QRadar User Behavior Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. CVSS Base score: 4.3
            30 July 2021
            SECURITY BULLETIN CVE-2021-25215
            CVE-2020-25648
            CVE-2020-25692
            CVE-2020-8625
            CVE-2021-27363
            CVE-2021-27364
            CVE-2021-27365
            IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
            IBM QRadar Network Packet Capture 7.3.3 Patch 7 (Build 17)
            IBM QRadar Network Packet Capture 7.4.3 Fix Pack 1 (Build 1302)

            Affected versions
            • IBM QRadar Network Packet Capture 7.3.0 - 7.3.3 Patch 6
            • IBM QRadar Network Packet Capture 7.4.0 - 7.4.3 GA
            Issue
            • CVE-2021-25215: ISC BIND is vulnerable to a denial of service, caused by an assertion failure while answering queries for DNAME records. By sending a query for DNAME records, an attacker could exploit this vulnerability to trigger a failed assertion check and terminate the named process. CVSS Base score: 7.5
            • CVE-2020-25648: Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a denial of service, caused by improper handling of CCS (ChangeCipherSpec) messages in TLS. By sending specially-crafted CCS messages, a remote attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 7.5
            • CVE-2020-25692: OpenLDAP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted TCP packet, a remote attacker could exploit this vulnerability to cause slapd to crash. CVSS Base score: 7.5
            • CVE-2020-8625: ISC BIND is vulnerable to a buffer overflow, caused by improper bounds checking by the SPNEGO implementation. By setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the named process to crash. CVSS Base score: 8.1
            • CVE-2021-27363: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a kernel pointer leak when show_transport_handle function in drivers/scsi/scsi_transport_iscsi.c is called. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain the address of the iscsi_transport structure information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
            • CVE-2021-27364: Linux Kernel could allow a local authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the iscsi_if_recv_msg function in drivers/scsi/scsi_transport_iscsi.c. By sending specially-crafted Netlink messages, an attacker could exploit this vulnerability to connect to the iscsi NETLINK socket and send arbitrary commands to the kernel. CVSS Base score: 7.8
            • CVE-2021-27365: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an issue when certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. By sending a specially-crafted Netlink message, an attacker could exploit this vulnerability to obtain memory information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
            30 July 2021
            SECURITY BULLETIN CVE-2020-13949
            CVE-2020-25649
            CVE-2021-25329
            CVE-2021-25122
            CVE-2020-17527
            IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            • CVE-2020-13949: Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation. CVSS Base score: 7.5
            • CVE-2020-25649: FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5
            • CVE-2021-25329: Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw with a configuration edge case. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8
            • CVE-2021-25122: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when responding to new h2c connection requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to see the request body information from one request to another, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
            • CVE-2020-17527: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
            27 July 2020
            SECURITY BULLETIN CVE-2021-20399 IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            CVE-2021-20399: IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1
            26 July 2021
            SECURITY BULLETIN CVE-2021-20225
            CVE-2020-25632
            CVE-2021-20233
            CVE-2020-25647
            CVE-2021-3418
            CVE-2020-27749
            CVE-2020-14372
            CVE-2020-27779
            GRUB2 AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            • CVE-2021-20225: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw in the short form option parser. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
            • CVE-2020-25632: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the rmmod implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 7.5
            • CVE-2021-20233: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a heap out-of-bounds write flaw due to miscalculation of space required for quoting. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
            • CVE-2020-25647: GNU GRUB2 could allow a physical authenticated attacker to execute arbitrary code on the system, caused by an out-of-bound write flaw in the grub_usb_device_initialize function. By using a specially-crafted USB device, an attacker could exploit this vulnerability to execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 6.9
            • CVE-2021-3418: GNU GRUB2 could allow a local authenticated attacker to bypass security restrictions, caused by improper validation of kernel signature when booted directly without shim. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass secure boot to boot any kernel. CVSS Base score: 7.5
            • CVE-2020-27749: GNU GRUB2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the rub_parser_split_cmdline function. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code and bypass Secure Boot protections. CVSS Base score: 7.5
            • CVE-2020-14372: GNU GRUB2 could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper input validation by the acpi command. By using specially-crafted ACPI tables, an attacker could exploit this vulnerability to load unsigned kernel modules and execute arbitrary kexec unsigned on the system. CVSS Base score: 7.5
            • CVE-2020-27779: GNU GRUB2 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to honor Secure Boot locking in the cutmem command. By sending a specially-crafted request, an attacker could exploit this vulnerability to remove address ranges from memory and bypass Secure Boot protections. CVSS Base score: 7.5
            26 July 2020
            SECURITY BULLETIN CVE-2020-8908
            CVE-2020-11987
            CVE-2020-13956
            CVE-2020-13954
            CVE-2015-9251
            CVE-2019-11358
            CVE-2020-11022
            CVE-2020-11023
            CVE-2021-28657
            IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            • CVE-2020-8908: Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.4
            • CVE-2020-11987: Apache XML Graphics Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct SSRF attack to cause the underlying server to make arbitrary GET requests. CVSS Base score: 5.3
            • CVE-2020-13956: Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. CVSS Base score: 5.3
            • CVE-2020-13954: Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2015-9251: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2019-11358: jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2020-11022: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2020-11023: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2021-28657: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            23 July 2020
            SECURITY BULLETIN CVE-2021-27807
            CVE-2021-27906
            APACHE PDFBOX AS USED BY IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
            Issue
            • CVE-2021-27807: Apache PDFBox is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
            • CVE-2021-27906: Apache PDFBox is vulnerable to a denial of service, caused by an OutOfMemory-Exception flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
            23 July 2021
            SECURITY BULLETIN CVE-2020-4980 IBM QRADAR SIEM USES LESS SECURE METHODS FOR SECURING DATA AT REST AND IN TRANSIT BETWEEN HOSTS CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar SIEM 7.4.0 to 7.4.3 GA
            • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 7
            Issue
            CVE-2020-4980: IBM QRadar SIEM uses less secure methods for protecting data in transit between hosts when encrypt host connections is not enabled as well as data at rest. CVSS Base score: 5.3
            15 July 2021
            SECURITY BULLETIN CVE-2020-36282 IBM QRADAR SIEM USES LESS SECURE METHODS FOR SECURING DATA AT REST AND IN TRANSIT BETWEEN HOSTS CLOSED Resolved in
            Resolved in the 11 July 2021 QRadar weekly auto update. Administrtors who manually update RPM files might be required to install the following files from IBM Fix Central: PROTOCOL-RabbitMQ-7.3-20210505121416.noarch.rpm
            PROTOCOL-RabbitMQ-7.4-20210505121348.noarch.rpm

            Affected versions
            • All RabbitMQ Protocol versions before 7.3.0-QRADAR-PROTOCOL-RabbitMQ-7.3-20210505121416.noarch.rpm
            • All RabbitMQ Protocol versions before 7.4.0-QRADAR-PROTOCOL-RabbitMQ-7.4-20210505121348.noarch.rpm
            Issue
            CVE-2020-36282: JMS Client for RabbitMQ could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending a specially-crafted StreamMessage data, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8
            18 July 2021
            SECURITY BULLETIN CVE-2021-20396 IBM SECURITY QRADAR ANALYST WORKFLOW APP FOR IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES CLOSED Resolved in
            IBM Security QRadar Analyst Workflow V1.18.1

            Affected versions
            IBM Security QRadar Analyst Workflow App V1.0 to V1.18.0

            Issue
            CVE-2021-20396: IBM QRadar allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4
            10 June 2021
            SECURITY BULLETIN CVE-2021-20380 IBM QRADAR ADVISOR WITH WATSON APP FOR IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
            IBM QRadar Advisor with Watson App V2.6.1

            Affected versions
            IBM QRadar Advisor with Watson App V1.1 to V2.5

            Issue
            CVE-2021-20380: IBM QRadar could allow a remote user to obtain sensitive information from HTTP requests that could aid in further attacks against the system. CVSS Base score: 5.3
            02 June 2021
            SECURITY BULLETIN CVE-2021-20429 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO OVERLY PERMISSIVE CORS POLICY CLOSED Resolved in
            QRadar User Behavior Analytics V4.1.1 or later

            Affected versions
            QRadar User Behavior Analytics V1.0.0 to V4.1.0

            Issue
            CVE-2021-20429: IBM QRadar User Behavior Analytics could disclose sensitive information due an overly permissive cross-domain policy. CVSS Base score: 3.7
            13 May 2021
            SECURITY BULLETIN CVE-2021-20392 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
            QRadar User Behavior Analytics V4.1.0 or later

            Affected versions
            QRadar User Behavior Analytics V1.0.0 to V4.0.1

            Issue
            CVE-2021-20392: IBM QRadar User Behavior Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
            13 May 2021
            SECURITY BULLETIN CVE-2021-20393 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
            QRadar User Behavior Analytics V4.1.1 or later

            Affected versions
            QRadar User Behavior Analytics V1.0.0 to V4.1.0

            Issue
            CVE-2021-20393: IBM QRadar User Behavior Analytics could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. CVSS Base score: 5.3
            13 May 2021
            SECURITY BULLETIN CVE-2021-20391 USER BEHAVIOR ANALYTICS APPLICATION ADD ON TO IBM QRADAR SIEM IS VULNERABLE TO CACHEABLE SSL PAGES CLOSED Resolved in
            QRadar User Behavior Analytics V4.1.1 or later

            Affected versions
            QRadar User Behavior Analytics V1.0.0 to V4.1.0

            Issue
            CVE-2021-20391: IBM QRadar User Behavior Analytics allows web pages to be stored locally which can be read by another user on the system. CVSS Base score: 4
            13 May 2021
            HIGH AVAILABILITY (HA) IJ32545 HIGH AVAILABILITY (HA) JOIN PROCESS FAILS WHEN SECONDARY APPLIANCE IS MISSING /SSH DIRECTORY CLOSED Workaround
            1. Create the missing .ssh folder on the HA Secondary:
              mkdir /root/.ssh
            2. Perform the HA join process steps again.
            This issue is closed as permanent restriction. At this time, there is no current plan for this item but we will revisit if any further customer issues are raised.

            Issue
            In instances where a High Availability (HA) Secondary host does not have a .ssh directory, the HA pair creation process fails with messaging stating issues with the SSH keys, and to check the provided password.

            Messages similar to the following might be visible in found in /var/log/setup-XXX/qradar_hasetup.log when this issue occurs:
            /opt/qradar/ha/bin/ha_setup.sh: line 3257:
            /root/.ssh/authorized_keys: No such file or directory
            12 August 2021
            UPGRADE IJ33138 QRADAR UPGRADE PRETEST CAN FAIL ON THE RAMCHECK DUE TO KB VALUE BEING RETURNED CLOSED Workaround
            Contact Support for a possible workaround that might address this issue in some instances. This issue is closed as permanent restriction. At this time, there is no current plan for this item but we will revisit if any further customer issues are raised.

            Issue
            The QRadar upgrade pretest can fail on the ramcheck when dmidecode -t 17 size returns in KB as the patch pretest is expecting a MB or GB value.

            This behavior has been seen when run on Hyper-V environments. Messages similar to the following might be visible when this issue occurs:
            Traceback (most recent call last):
             File "/media/updates/pretests/ramcheck.py", line 181, in
            
               system_ram = getSystemMemory()
             File "/media/updates/pretests/ramcheck.py", line 24, in
            getSystemMemory
               raise Exception('Unrecognizable size unit:
            {0}'.format(units))
            Exception: Unrecognizable size unit: KB
            [ERROR](-i-testmode) Patch pretest 'Minimum RAM Check' failed.
            (ramcheck.py)
            12 August 2021
            LOG SOURCE MANAGEMENT APP IJ29050 QRADAR NON-ADMIN USER CANNOT VIEW SOME LOG SOURCE GROUPS USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in
            Log Source Management app v7.0.2 when installed on QRadar 7.3.3 FixPack 9, 7.4.2 FixPack 3, or 7.4.3 FixPack 1.

            Workaround
            Create a top level Log Source group for use with Security Profile assignment.

            Issue
            A QRadar non-admin user cannot view Log Source groups when the Security Profile is set to a nested Log Source group using the Log Source Mangement App. For example,
            1. Have some Log Source Groups with Log Sources as the following:
               Group A --> top level
                 Group AB
                   Group ABC
            2. Have Security Profiles and users who has permission to see one of those log source groups.
                userALL with a Security Profile set to all log source group.
                userA with a Security Profile assigned to group "A"
                userAB with a Security Profile assigned to group "A.AB"
                userABC with a Security Profile assigned to group "A.AB.ABC"
            3. Deploy, log in as new users, navigate to Log Source Management App.
                userA and userALL can view groups correctly.
                userAB and userABC cannot see any groups when clicking "+Add Group".
            12 August 2021
            RULES IJ18492 /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available.

            Issue
            It has been identified that an exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill up the /var/log partition.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ep.ecs-ep] [CRE Processor [4]]
            com.q1labs.semsources.cre.CustomRule: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception in rule 100106
            - Chained Exploit Followed by Suspicious Events:
            Entry.next=null, data[removeIndex]={ipaddress}=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
            ddb4a previous={ipaddress}=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
            ddb4a key={ipaddress}value=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af1
            35446 size=25000 maxSize=25000 Please check that your keys are
            immutable, and that you have used synchronization properly. If
            so, then please report this to commons-dev@jakarta.apache.org as a bug.
            [ecs-ep.ecs-ep] [CRE Processor [4]]
            java.lang.IllegalStateException: Entry.next=null,
            data[removeIndex]={ipaddress}=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
            ddb4a previous={ipaddress}=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
            ddb4a key={ipaddress} value=package
            com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af1
            35446 size=25000 maxSize=25000 Please check that your keys are
            immutable, and that you have used synchronization properly. If
            so, then please report this to commons-dev@jakarta.apache.org
            as a bug.
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java:263)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java:226)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test(DoubleSequenceFunction_Test.java:237)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CREStatefulEventTest.java:81)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor_1_0.java)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:521)
            [ecs-ep.ecs-ep] [CRE Processor [4]] at
            com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:464)
            12 August 2021
            RULES IJ33794 MATCH COUNT RULES DO NOT GENERATE AN OFFENSE RENAMING EVENT AFTER IT IS CLOSED IF IT IS RE-TRIGGERED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available. Administrators can upgrade to a version where this issue is resolved if you experience offense renaming event generation issues.

            Issue
            Match count rules that have a response configured to send an Offense renaming event should trigger again if the Offense associated with that rule is closed and the rule is still triggering.
            06 August 2021
            AUTO UPDATE IJ33892 AUTO UPDATE FOR 20 JULY 2021 CAN ROUTE EVENTS TO STORAGE AFTER A DSM COMMON RPM UPDATE CLOSED Resolved in
            This fix is available in the weekly auto update for 22 July 2021 (Build 1626984260) and in the following RPM on IBM Fix Central: DSM-DSMCommon-7.4-20210721162935.noarch.rpm. Administrators can run a QRadar auto update to resolve this issue described in the flash notice: Flash Notice for IJ33892.

            Workaround
            Administrators who experienced the issue described in IJ33892 received the updated DSM Common (codegen JAR) automatically from QRadar Auto Updates on 22 July 2021 as described in the Overview article for IJ33892.

            Issue
            The QRadar auto update released on 20 July 2021 introduced problem where the Traffic Analysis service that auto discovers and creates log sources is no longer working as expected due to a class loading issue. For customers with affected log sources configured on their QRadar appliances, the event pipeline can experience an uncaught exception, which causes events to be routed directly to storage.

            QRadar SIEM 7.4.x on-premise and QRadar on Cloud versions with DSMCommon-7.4-20210624145517.noarch.rpm installed from the 20 July 2021 auto update can experience this issue.

            The following DSMs can cause exceptions to be generated in the logs as described in the flash notice:
            • Array Networks SSL VPN Access Gateways
            • Cisco Aironet
            • CRYPTOCard CRYPTOShield
            • Extreme HiGuard
            • Extreme XSR Security Routers
            • Fair Warning
            • HP Network Automation
            • IBM DB2
            • IBM Informix Audit
            • Juniper vGW
            • Juniper Networks AVT
            • Juniper SRC
            • McAfee Application/Change Control
            • Microsoft ISA
            • Motorola SymbolAP
            • Redback ASE
            • Sentrigo Hedgehog
            • Silver Springs Networks Smart Meter
            • Sophos Enterprise Console
            • Sophos PureMessage
            • Tropos Control
            24 July 2021
            RULES IJ23172 RULENAME (CREEVENTLIST): AQL FUNCTION IN A RULE CAN GENERATE AN UNCAUGHT EXCEPTION CAUSING RULE AND OFFENSE FAILURES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Disable the rule or remove the RULENAME(creeventlist) aql function from the rule.

            Issue
            Having the RULENAME(creeventlist) aql function in a rule condition causes a custom rule read failure generating a uncaught exception error. When this issue occurs, rules fail fire and offenses fail to be created.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ep.ecs-ep] [Thread-75] com.q1labs.frameworks.core.ThreadExceptionHandler: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Thread-75
            [ecs-ep.ecs-ep] [Thread-75] java.lang.ExceptionInInitializerError
            [ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.ensureError(J9VMInternals.java:146)
            [ecs-ep.ecs-ep] [Thread-75] at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:135)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.searches.subquery.CursorPredicate.initialize(DistinctScalarTransformer.java:57)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.ariel.IndexPredicate.initialize(IndexPredicate.java:234)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.frameworks.util.Utils.initialize(Utils.java:458)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.AQL_Test.setParms(AQL_Test.java:73)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:121)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRule.<init>(CustomRule.java:178)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(CustomRuleReader.java:742)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
            [ecs-ep.ecs-ep] [Thread-75] at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:217)
            [ecs-ep.ecs-ep] [Thread-75] Caused by: 
            [ecs-ep.ecs-ep] [Thread-75] java.lang.IllegalStateException: AccessManager instance is allowed only in the application ariel
            12 July 2021
            UPGRADE IJ25316 QRADAR PATCHING CAN FAIL DUE TO A LARGE NUMBER OF SESSION SCOPE FILES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Running the following command on QRadar appliances can determine if a very large number of session scope files exist (> 1000) prior to commencing a QRadar patch:
            find /run/systemd/system/ -name "session-*.scope" | wc -l

            Issue
            QRadar patches can fail when a very large number of session scope files exist. On appliances with greater than 1000 session scope files, an appliance reboot is recommended to clear the session files prior to commencing the QRadar patching process.
            12 July 2021
            OFFENSES IJ27803 'APPLICATION ERROR' CAN OCCUR WHEN SEARCHING MULTIPLE IP ADDRESSES IN "BY SOURCE/DESTINATION IP" IN OFFENSES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Return to the search and ensure to not include spaces in comma separated lists when entering them into the UI: 1.1.1.1,2.2.2.2,127.0.0.1

            Issue
            Under Offenses > New Search > By Source/Destination IP you can get an "Application Error" when searching multiple IPs in Source/Destination IP when the listed IP addresses have either trailing or leading spaces. To replicate this issue:
            1. Go to Offenses > new search > By Source/Destination IP put a comma separated list (with a space), such as 1.1.1.1, 2.2.2.2, 127.0.0.1
            2. Perform the search.

              Result
              'Application Error' is displayed in the USer Interface.
            12 July 2021
            NETWORK IJ28218 DNS VALUES MISSING FROM RESOLVE.CONF AND MYVER ON LENOVO M5 AND M6 QRADAR APPLIANCE INSTALLATIONS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            This issue was reopened on 18 July 2021 as it was mistakenly closed. No workaround available. APARs identified with no workaround might require a software delivery to resolve. This reported issue will be considered fora future release.

            Issue
            During QRadar installations on Lenovo M5 and M6 appliances, DNS values are not set in the /opt/qradar/bin/myver and /etc/resolve.conf.

            This causes name resolution issues that are required for proper QRadar functionality.
            2 February 2022
            NETWORK IJ28643 LARGE AMOUNT OF REVERSE DNS LOOKUPS CAN BE GENERATED FROM QRADAR DUE TO MISSING CONFIGURATION WHEN NO IPV6 NETWORK CONFIG CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            1. Add the following line to /etc/hosts and /etc/hosts.default:
              ::1 localhost ip6-localhost ip6-loopback
            2. Save the changes.

            Issue
            A large of amount of reverse DNS lookups can sometimes be observed and traced to originating from QRadar. This behavior can occur when the QRadar appliance install is performed (or when a qchange_netsetup is performed) and the appliance is not configured with IPv6 settings. In these instances, the configuraton setting "::1" is removed for localhost under /etc/hosts.default.
            24 July 2021
            QRADAR VULNERABILITY MANAGER IJ29156 "QVM PROCESSOR ALREADY EXISTS ON DEPLOYMENT..." WHEN ADDING A QVM PROCESSOR APPLIANCE. CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Disable the QVM processor (de-select Enable Proceesor) and deploy the changes. This will remove the processor and all QVM scanners from the deployment. Add the QVM processor appliance and all scanners that were removed, and deploy the changes. For more information on moving a QVM processor while performing steps to remove it first, see Moving your vulnerability processor to a managed host or console.

            Note
            This workaround assumes there is a valid QVM license applied. The workaround does not apply if you do not.

            Issue
            When attempting to add a QVM processor appliance, a message similar to "QVM Processor already exists on deployment. If you wish to continue, remove the existing processor first.

            [hostcontext.hostcontext][9d70a275-690d-4c5d-9b22-1044832065ab/SequentialEventDispatcher]
            com.q1labs.configservices.capabilities.AddHost: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]QVM Processor already
            exists on deployment. If you wish to continue, remove the
            existing processor first. The IP of the host is: x.x.x.x.
            [tomcat.tomcat] [Thread-164313] com.q1labs.configservices.capabilities.CapabilitiesHandler:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host x.x.x.x from the deployment model, 
            if present, due to add_host failure.
            [tomcat.tomcat] [Thread-164313]
            com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add
            managed host: QVM Processor already exists on deployment. If
            you wish to continue, remove the existing processor first.
            [tomcat.tomcat] [Thread-164313]
            com.q1labs.restapi_annotations.content.exceptions.endpointExcept
            ions.ServerProcessingException: QVM Processor already exists on
            deployment. If you wish to continue, remove the existing
            processor first.
            [tomcat.tomcat] [Thread-164313] at
            com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
            ost(DeploymentAPIImpl.java:924)
            [tomcat.tomcat] [Thread-164313] at
            com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddH
            ostThread.run(DeploymentAPI.java:1003)
            [tomcat.tomcat] [Thread-164313]
            com.q1labs.configservices.common.ConfigServicesException: QVM
            Processor already exists on deployment. If you wish to
            continue, remove the existing processor first.
            [tomcat.tomcat] [Thread-164313] at
            com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
            ost(DeploymentAPIImpl.java:893)
            12 July 2021
            NETWORK IJ29164 RENAMING A NETWORK CAN BREAK RELATED RULES, SEARCHES, AND REPORTS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Manually change the network name where it is not updated automatically by QRadar (Rules, Searches, Reports).

            Issue
            After renaming a network, the network name change is not reflected in all the areas of QRadar where that network name is used.

            The network renaming change is reflected in the Offenses tab but not within rules, searches, and reports.

            For example:
            1. Have a rule/search/report that uses a network.
            2. Rename the network name.
            3. Deploy changes.

              Results
              Rules, search, or reports continue to refer to the old name. If an Offense is generated from that rule, it reflects the network name change.

              Note
              The name change is also reflected in the search filters.
            12 July 2021
            ADVANCED SEARCH (AQL) IJ29293 USING "INOFFENSE()" WITHIN AN ADVANCED SEARCH (AQL) CAN BE SLOWER TO COMPLETE THAN EXPECTED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

            Workaround
            No workaround available, you must upgrade to a QRadar version where this issue is resolved.

            Issue
            Using the option "inOffense(n)" in an Advanced Search (AQL) query where "n" has a large number of events, causes the query to be slower than expected to complete.

            This can also affect any QRadar Apps that use the same backend functionality to produce data/search results.
            12 July 2021
            DISK SPACE IJ30017 DISKSPACE SENTINEL MONITORS DOCKER PARTITIONS AND CAN GENERATE DISK SENTRY NOTIFICATION MESSAGES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            The QRadar Disk Space sentinel monitors docker partitions and can therefore generate an error similar to the following: "Disk Sentry has detected that one or more storage partitions are not accessible."

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [Thread-4076] com.q1labs.hostcontext.ds.DiskSpaceSentinel: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error testing availability of partition
            /store/docker-data/engine/VMware-42-26-/containers/{containerid}/mounts/shm, assuming NOT available
            [hostcontext.hostcontext] [Thread-4076] java.io.IOException: No such file or directory
            [hostcontext.hostcontext] [Thread-4076] at java.io.UnixFileSystem.createFileExclusively(Native Method)
            [hostcontext.hostcontext] [Thread-4076] at java.io.File.createTempFile(File.java:2035)
            [hostcontext.hostcontext] [Thread-4076] at com.q1labs.hostcontext.ds.PartitionTester$PartitionTesterThread.run(PartitionTester.java:180)
            12 July 2021
            UPGRADE IJ30039 QRADAR PATCHING TO 7.4.1 FP2 CAN FAIL AT HOSTNAME VALIDATION CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available, you must upgrade to a QRadar version where this issue is resolved.

            Issue
            The QRadar patching process to 7.4.1 FP 2 can fail due to hostname naming validation. If, while building a High Availability (HA) setup, the primary is named hostname-primary.domainname, when HA is added, the hostnames are:
            • hostname-primary-primary.domain
            • hostname-primary-secondary.domain
            When attempting to patch to 7.4.1 FP2, it fails as the hostname validation is incorrect.
            12 July 2021
            PERFORMANCE IJ30512 EVENT COLLECTOR SECONDARIES AND EVENT COLLECTOR SOFTWARE APPLIANCES CAN EXPERIENCE DEGRADED PERFORMANCE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround if degraded performance is experienced on Event Collector Secondary (High Availability) appliances or Event Collector software appliances.

            Issue
            QRadar can experience degraded performance when running on Event Collector Secondary appliances or Event Collector software appliances compared to the Primary or standalone Event Collector appliances of the same hardware specifications due to a setting that is not properly applied from the apply_appliance_tuning.pl script.
            12 July 2021
            QRADAR NETWORK INSIGHTS IJ30678 MP4PARSER WITHIN QRADAR NETWORK INSIGHTS CAN CAUSE THE /STORE/FORENSICS/TMP DIRECTORY TO FILL AND STOP SERVICES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available, you must upgrade to a QRadar version where this issue is resolved.

            Issue
            When using QRadar Network Insights, the MP4parser can cause /store/forensics/tmp fill to up and cause services to stop as a result.
            12 July 2021
            RULES IJ30912 RULES CAN SOMETIMES FAIL TO RENAME OFFENSES AS EXPECTED, USING INSTEAD THE LOW LEVEL CATEGORY OF THE CONTRIBUTING EVENT CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available, you must upgrade to a QRadar version where this issue is resolved.

            Issue
            In some instances where an Offense is closed, those rules that generate a subsequent Offense can fail to rename the rule as expected and the Offense is created again with a different name that usually corresponds to the Low Level Category (LLC) of the contributing event.

            For example:
            1. Have a custom rule:
              - and when an event matches any of the following BB:DeviceDefinition: IDS / IPS
              - and when the event category for the event is one of the following Exploit.Misc Exploit
              - and NOT when the event QID is one of the following (5771846) Shell_Command_Injection
              - and NOT when the destination port is one of the following 445
              - and when at least 3 events are seen with the same Source IP
              - and different Event Name in 30 minutes
            2. Rule Action: Ensure the detected event is part of an offense
            3. Rule Response: Ensure the dispatched event is part of an offense
            4. Offense Naming: This information should contribute to the name of the associated offense(s)
            5. Have events that match the rule, checking that the Offense was generated and a Custon Rule Engine (CRE) event, and was renamed correctly as configured above.
            6. Close the Offense within 30 minutes.
            7. Have events that match the rule again.

              Expected Result: Another Offense is generated with CRE event and named correctly.
              Actual Result: No CRE event was dispatched, and as a result the new Offense is named by LLC.
            12 July 2021
            FLOWS IJ33287 ICMPV6 FLOW TRAFFIC DATA FROM QNI FAILS TO BE DISPLAYED AFTER PATCHING TO QRADAR 7.4.3 GA CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

            Workaround
            No workaround available, you must upgrade to a QRadar version where this issue is resolved.

            Issue
            ICMPv6 flow data from QRadar Network Insights fails to be displayed in QRadar searches after patching to QRadar 7.4.3 GA. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ariel_proxy.ariel_proxy_server]
            [aqw_local_7:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2] com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: 
            [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Exception processing file:/store/ariel/flows/records/2021/3/5/13/flows~18_0~d
            3e271fa8ea44f9~bfeaa0b4316aba3c~0,skipped... executing
            query:Id:5ab5ee0a-e9e2-44bb-a0e6-856584e630f2, DB:
            12 July 2021
            MANAGED HOSTS IJ33703 ENCRYPTED TUNNEL BETWEEN MANAGED HOSTS CAN FAIL TO START AFTER PATCHING TO QRADAR 7.4.3 FP1 OR NEWER OPEN Note
            This APAR has been identified as a known issue in QRadar 7.4.3 Fix Pack 1.

            Workaround
            Run the following command from an SSH session to the QRadar Console after the host(s) is added to the deployment:
            /opt/qradar/bin/deploy_known_hosts.sh


            Issue
            An encrypted tunnel between two Managed Hosts that have been installed at an earlier build and then patched independently to QRadar version 743 FP1 or newer can fail to start. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            hostname-primary.fqnd ssh[31216]: debug1: expecting
            SSH2_MSG_KEX_ECDH_REPLY
            hostname-primary.fqdn ssh[31216]: debug1: Server host key:
            ecdsa-sha2-nistp256
            SHA256:9bmfZQ2qbj5zYrT3Fo5K04gKOevEic4S36baS1x4i6o
            hostname-primary.fqdn ssh[31216]: No ECDSA host key is known for
            (ipaddress) and you have requested strict checking.
            hostname-primary.fqdn ssh[31216]: Host key verification failed.
            hostname-primary.fqdn systemd[1]:
            managed-tunnel@1734707364450525150.service: main process exited,
            code=exited, status=255/n/a
            hostname-primary.fqdn systemd[1]: Unit
            managed-tunnel@1734707364450525150.service entered failed state.
            hostname-primary.fqdn systemd[1]:
            managed-tunnel@1734707364450525150.service failed.
            10 July 2021
            CONTENT MANAGEMENT TOOL (CMT) IJ32874 CONTENT MANAGEMENT TOOL IMPORT CAN CHANGE SOME PROPERTIES CAUSING SAVED SEARCHES TO FAIL CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Manually update the search, put the property through a type conversion function. In this example, replace sum("BytesSent") with sum(DOUBLE("BytesSent"))

            Before
            SELECT sum("BytesSent") / 1073741824 As "Bytes Sent(GB)" FROM events

            After
            SELECT sum(DOUBLE("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events


            Issue
            When the Content Management Tool (CMT) imports a property with a "bad" name it adds a "facade" property with that name instead and points the AQL expression to a property with a "good" name.

            Example AQL:
            SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)" FROM events


            Property "BytesSent" used to have a numeric property type. When CMT imports it, it is merged into a property with a good name "Bytes Sent" (property type is also numeric), but a replacement facade property "BytesSent" is added with the type string.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1.73/- -] [-/- -]Expression "BytesSent" is not a Number
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778] com.q1labs.ariel.ql.parser.AQLParserException: Expression "BytesSent" is not a Number
            tinationip,  DOUBLE(sum("BytesSent")) / 1^
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo(ParserBase.java:896)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:198)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:206)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:357)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processArithmeticExpression(ParserBase.java:226)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:372)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:323)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(ParserBase.java:432)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:494)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1435)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1662)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:173)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:68)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1.73:33778]    at java.lang.Thread.run(Thread.java:822)
            27 May 2021
            UPGRADE IJ33207 "SESSION MUST BE IN THE BOUNDS OF A TRANSACTION TO ACCESS JPA/JDBC RESOURCES" MESSAGES IN QRADAR LOGGING OPEN Workaround
            No workaround available.

            APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

            Issue
            A benign message similar to the following might be visible in /var/log/qradar.log after patching to QRadar 7.4.3:
            [ecs-ec.ecs-ec] [ECS Runtime Thread] com.q1labs.frameworks.session.SessionContext: 
            [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Session must be in the bounds of a transaction 
            to access jpa/jdbc resources. Session Id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
            [ecs-ec.ecs-ec] [ECS Runtime Thread] java.lang.IllegalStateException
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.
            checkTX(JPASessionDelegate.java:307)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.
            checkTX(JPASessionDelegate.java:294)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.JPASessionDelegate.
            find(JPASessionDelegate.java:436)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.naming.NamingCacheDecorator.
            createPersistentObject(NamingCacheDecorator.java:95)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.frameworks.session.SessionContext.
            createPersistentObject(SessionContext.java:1504)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.q1labs.core.dao.qidmap.DeviceExtension.get
            (DeviceExtension.java:42)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionProperty
            Exclusion.addToFilter(LogSourceExtensionPropertyExclusion.java:181)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionProperty
            Exclusion.loadLogSourceExtensionProperties(LogSourceExtensionPropertyExclusion.java:105)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionProperty
            Exclusion.init(LogSourceExtensionPropertyExclusion.java:75)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.creation.LogSourceExtensionProperty
            Exclusion.<init>(LogSourceExtensionPropertyExclusion.java:50)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryEngine.<init>(PropertyDiscoveryEngine.java:72)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.property.PropertyDiscoveryFilter.setVars(PropertyDiscoveryFilter.java:48)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.getFilterStack(FilterStackManager.java:149)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterBase.createDestination(FilterBase.java:179)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.ibm.si.ec.filters.normalize.DSMFilter.setVars(DSMFilter.java:271)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
            [ecs-ec.ecs-ec] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)
            18 June 2021
            QRADAR RISK MANAGER IV98938 CLICKING THE RISKS TAB CAN GENERATE AN 'APPLICATION ERROR' IN SOME INSTANCES OF CONSOLE/QRM MANAGED HOST ENCRYPTION CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Configure appropriate firewall to allow communication between the Console and Risk Manager appliance on ports 443 and 8082 when encryption is enabled between these appliances.

            Issue
            It has been identified that an 'Application Error' message is generated when the Risks tab is clicked in instances where encryption is used between the Console and Risk Manager appliance and a firewall between them blocks ports 443 and 8082.

            For example:
            Application Error An error has occurred. Refresh your browser (press F5) 
            and attempt the action again. If the problem persists, please contact 
            customer support for assistance.


            Messages in /var/log/qradar.log when port 443 is blocked:
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
            com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method
            isTopologyReloading on the appliance; full error details in
            appliance log
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
            com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
            while processing the request:
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
            com.sun.xml.ws.client.ClientTransportException: HTTP transport
            error: java.net.SocketTimeoutException: connect timed out
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpClientTransport.
              getOutput(HttpClientTransport.java:132)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process
              (HttpTransportPipe.java:153)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpTransportPipe.
              processRequest(HttpTransportPipe.java:94)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest
              (DeferredTransportPipe.java:89)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.Stub.process(Stub.java:222)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler
              .java:109)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
              AccessorImpl.java:56)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at java.lang.reflect.Method.invoke(Method.java:620)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.q1labs.srmconsole.util.WSUtil$WebClientProxy.invoke(WSUtil.java:68)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.sun.proxy.$Proxy114.isTopologyReloading(Unknown Source)
            [tomcat] [admin@127.0.0.1 (4290) /console/do/120/networkTopology]
              at com.q1labs.srmconsole.services.UINetworkTopologyServices.
              isTopologyReloading(UINetworkTopologyServices.java:165)


            And when port 8082 is blocked:
            [tomcat] [admin@127.0.0.1 (4480)
            /console/do/120/networkTopology] com.q1labs.simulator.device.DeviceServices: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
            Failed to query ziptie server for device list status check:
            [tomcat] [admin@127.0.0.1 (4480)
            /console/do/120/networkTopology] com.sun.xml.ws.client.ClientTransportException: 
            HTTP transport error: java.net.ConnectException: Connection timed out
            (Connection timed out)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput
              (HttpClientTransport.java:132)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process
              (HttpTransportPipe.java:153)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest
              (HttpTransportPipe.java:94)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest
              (DeferredTransportPipe.java:89)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.Stub.process(Stub.java:222)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke
              (SyncMethodHandler.java:109)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke
              (SyncMethodHandler.java:89)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
            [tomcat] [admin@127.0.0.1 (4480) /console/do/120/networkTopology]
              at com.sun.proxy.$Proxy110.getDevicesWithErrors(Unknown Source)
            24 May 2021
            DEPLOY CHANGES IJ00933 DEPLOY CHANGES RESULTS IN ERROR "THERE IS ANOTHER DEPLOYMENT CURRENTLY IN PROGRESS PLEASE TRY AGAIN LATER" CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            When deploying changes some customers have seen an error "There is another deployment currently in progress, please try again later" or a search error "There was a problem connecting to the query server. Please try again later. "

            Administrators who experience deploy issues can review /var/log/qradar.error for a message similar to the following:
            [tomcat] [main] com.q1labs.core.shared.embeddedstaging.EmbeddedStagingManager:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialise Embedded Staging Manager:
            com.q1labs.frameworks.exceptions.FrameworksNamingException:
            Failed to initialize component: EmbeddedStagingManager
            [tomcat] [main] com.q1labs.core.shared.permissions.PermissionsManager: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get an instance of the Embedded Staging Manager
            [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices]
            com.q1labs.configservices.core.ConfigurationServices: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error synchronizing deployed components
            [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices]
            com.q1labs.configservices.common.ConfigServicesException:  Error synchronizing deployed components
            [tomcat] [configservices@127.0.0.1 (9181) /console/services/configservices] at
            com.q1labs.configservices.config.globalset.platform.DeployedComp
            onentSynchronizer.buildConfiguration(DeployedComponentSynchronizer.java:82)
            24 May 2021
            NETWORK CONFIGURATION IJ05709 FIREWALL CONFIGURATION CHANGES MADE IN THE QRADAR UI FOR CONSOLE RESTRICTING ACCESS TO PORT 443 CAN CAUSE ISSUES CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            1. Log in to the Console as an administrator.
            2. Click the Admin tab > System and License Management > Systems.
            3. Select the QRadar Console.
            4. From the Actions drop-down, select View and Manage System.
            5. Select the Firewall tab.
            6. Add CIDR 169.254.0.0/16 to the firewall for any port.

            Issue
            It has been identified that adding IP/CIDR restrictions in the Console firewall settings for port 443 can cause multiple issues:
            • QRadar Apps can sometimes to fail to install.
            • QRadar Apps can sometimes fail to update/apply configuration settings.
            • In some instances the QRadar upgrade process can fail due to required internal QRadar communications blocked by the 443 port blocking firewall setting.
            24 May 2021
            NETWORK CONFIGURATION IJ22716 QCHANGE_NETSETUP FAILS WITH 'ERROR: DUPLICATE KEY VALUE VIOLATES UNIQUE CONSTRAINT 'MANAGEDHOST_IP_KEY' CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            The qchange_netsetup script fails when attempting to change a QRadar console's IP address to an IP that exists as a deleted Managed Host in the database.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

            [hostcontext.hostcontext] [main] Caused by:
            [hostcontext.hostcontext] [main] <openjpa-2.4.3-r422266:1833086
            fatal store error>
            org.apache.openjpa.persistence.EntityExistsException: ERROR:
            duplicate key value violates unique constraint "managedhost_ip_key" 
            Detail: Key (ip)=(127.0.0.1) already exists. 
            {prepstmnt -1085858985 UPDATE ManagedHost SET ip = ? WHERE id = ?}
            
            FailedObject:
            com.q1labs.core.dao.platform.registry.ManagedHost-53
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4988)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4963)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:133)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:75)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate
            (PreparedStatementManagerImpl.java:144)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.BatchingPreparedStatementManagerI
            mpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushInternal
            (PreparedStatementManagerImpl.java:100)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flush
            (PreparedStatementManagerImpl.java:88)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush
            (ConstraintUpdateManager.java:550)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager.flush
            (ConstraintUpdateManager.java:107)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.BatchingConstraintUpdateManager.flush
            (BatchingConstraintUpdateManager.java:59)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush
            (AbstractUpdateManager.java:104)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.AbstractUpdateManager.flush
            (AbstractUpdateManager.java:77)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.kernel.DelegatingStoreManager.flush(
            DelegatingStoreManager.java:131)
            [hostcontext.hostcontext] [main]    ... 13 more
            [hostcontext.hostcontext] [main] Caused by:
            [hostcontext.hostcontext] [main]
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
            duplicate key value violates unique constraint
            "managedhost_ip_key"
              Detail: Key (ip)=(127.0.0.1) already exists. {prepstmnt
            -1085858985 UPDATE ManagedHost SET ip = ? WHERE id = ?}
            
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection
            Decorator.java:218)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnection
            Decorator.java:194)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$1000
            (LoggingConnectionDecorator.java:58)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection
            $LoggingPreparedStatement.executeUpdate(LoggingConnectionDecorator.java:1133)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate
            (DelegatingPreparedStatement.java:275)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeUpdate
            (DelegatingPreparedStatement.java:275)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.
            executeUpdate(JDBCStoreManager.java:1791)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.executeUpdate
            (PreparedStatementManagerImpl.java:268)
            [hostcontext.hostcontext] [main]    at
            org.apache.openjpa.jdbc.kernel.PreparedStatementManagerImpl.flushAndUpdate
            (PreparedStatementManagerImpl.java:119)
            [hostcontext.hostcontext] [main]    ... 23 more
            [hostcontext.hostcontext] [pool-1-thread-4]
            com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: 
            Unable to start application with id [qapp-1051] on host 
            [8e634203e32e3588ed7c.localdeployment] with port [9000], responseCode [0],
             responseBody [null]
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.processEx
            ception(ConManPlatformService.java:389)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.startApp(
            ConManPlatformService.java:554)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.hostcontext.app.tasks.conman.PlatformStartAppTask.run
            Task(PlatformStartAppTask.java:54)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            java.util.concurrent.FutureTask.run(FutureTask.java:277)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            java.lang.Thread.run(Thread.java:812)
            [hostcontext.hostcontext] [pool-1-thread-4] Caused by:
            [hostcontext.hostcontext] [pool-1-thread-4]
            com.ibm.si.api.workload.v1.ApiException:
            java.net.UnknownHostException:
            8e634203e32e3588ed7c.localdeployment
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.api.workload.v1.ApiClient.execute(ApiClient.java:844)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadByIdWith
            HttpInfo(WorkloadsApi.java:500)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.api.workload.v1.api.WorkloadsApi.showWorkloadById(Wor
            kloadsApi.java:486)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.getAppsWo
            rkload(ConManPlatformService.java:348)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.buildWork
            load(ConManPlatformService.java:404)
            hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.buildWork
            load(ConManPlatformService.java:399)
            [hostcontext.hostcontext] [pool-1-thread-4]    at
            com.ibm.si.application.conman.v1.ConManPlatformService.startApp(
            ConManPlatformService.java:527)
            [hostcontext.hostcontext] [pool-1-thread-4]    ... 7 more
            [tomcat.tomcat] [gui_app_startup_thread]
            com.q1labs.uiframeworks.util.ApplicationStartupThread: [ERROR]
            [NOT:0000003000][127.0.0.1253.7.60/- -] [-/- -]Error occurred
            processing [QRadar Assistant] 1051
            [tomcat.tomcat] [gui_app_startup_thread]
            com.q1labs.restapi_annotations.content.exceptions.endpointExcept
            ions.ServerProcessingException: An error occurred setting app
            status to [RUNNING]. Task state found to be [EXCEPTION].
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.application.api.service.status.handlers.
            RunningStatusHandler.handleStatus(RunningStatusHandler.java:99)
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.application.api.service.DefaultApplicati
            onAPIService.updateAppStatus(DefaultApplicationAPIService.java:505)
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.application.api.service.DefaultApplicati
            onAPIService.updateAppStatus(DefaultApplicationAPIService.java:462)
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.util.ApplicationStartupThread.processRun
            ningApplication(ApplicationStartupThread.java:148)
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.util.ApplicationStartupThread.processApp
            lications(ApplicationStartupThread.java:127)
            [tomcat.tomcat] [gui_app_startup_thread]    at
            com.q1labs.uiframeworks.util.ApplicationStartupThread.run(Applic
            ationStartupThread.java:89)
            24 May 2021
            SYSTEM TIME IJ24182 THE TZDATA DST RULES FOR AMERICA/SANTIAGO ARE OUT OF DATE AND HAVE THE INCORRECT DATE FOR SWITCHOVER TO DST CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience issues with appliance timezone changes must upgrade to resolve this issue and get the latest tzdata RPM.

            Issue
            The tzdata DST (Daylight Savings Time) rules for America/Santiago are out of date. They do not accurately reflect the correct change over date for DST timz zones.
            24 May 2021
            QRADAR NETWORK INSIGHTS IJ24628 REMOVING A FLOW PROCESSOR FROM A QRADAR DEPLOYMENT AFTER A QRADAR NETWORK INSIGHTS (QDI) OR FORENSICS HOST HAS BEEN REMOVED CAN FAIL CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Removing a Flow Processor can fail if the deployment.xml file has remnants of a previously installed QNI or Forensics managed host.

            The QRadar Deploy function can continously fail after the failed Flow Processor removal.
            24 May 2021
            BACKUP AND RESTORE IJ25318 PERFORMING A 'DEPLOYMENT CONFIGURATION' RESTORE REQUIRES RESTORING THE 'RULES' OPTION CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Select the user interface option to restore Rules when you complete a 'Deployment Configuration" config restore.

            Issue
            Performing a config restore for "Deployment Configuration" does not include custom rules dependencies of reference data, therefore restoring "Rules" is also required.

            Messages similar to the following might be visible in /var/log/qradar.log when the Rules option is not selected during a "Deployment Configuration" restore:
            User@127.0.0.1[hostcontext.hostcontext]
            [BackupServices_restore] java.lang.Exception: unable to execute
            sql statement: ALTER TABLE public.reference_data_rules ADD
            CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY
            (rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE;
            User@127.0.0.1[hostcontext.hostcontext]
            [BackupServices_restore] at
            com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(Po
            stgresAction.java:668)
            User@127.0.0.1[hostcontext.hostcontext]
            [BackupServices_restore] at
            com.q1labs.hostcontext.capabilities.PostgresAction.applyConstrai
            nts(PostgresAction.java:287)
            User@127.0.0.1[hostcontext.hostcontext]
            [BackupServices_restore] at
            com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(B
            ackupRecoveryEngine.java:2974)
            User@127.0.0.1[hostcontext.hostcontext]
            [BackupServices_restore] ... 5 more
            24 May 2021
            BACKUP AND RESTORE IJ25505 QRADAR BACKUP CAN HANG AND TIMEOUT WHEN A CONFIGURED NFS IS UNREACHABLE CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Verify the network communication/connection to the configured NFS from QRadar.

            Issue
            A QRadar Backup can fail due to timeout when a configured NFS share is unreachable by QRadar.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [Backup]
            com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Current backup was interrupted
            [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Current task: cleaning up
            [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
            [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'
            [hostcontext.hostcontext] [Backup] java.lang.InterruptedException
            [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java:218)
            [hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java:458)
            [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method)
            [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils.
            getPsProcesses(BackupUtils.java:2566)
            [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine
            .cleanup(BackupRecoveryEngine.java:2544)
            [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine
            $BackupThread.run(BackupRecoveryEngine.java:4949)
            [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh
            /opt/qradar/bin/determine_partition.sh <backup folder under NFS
            mount> /storetmp/backup/determine_partition' if exists
            24 May 2021
            DISK SPACE IJ25759 LOG ROTATE CAN FAIL AFTER A PATCH BEING APPLIED CAUSING PARTITIONS TO FILL TO 100% CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            A condition exists where during a QRadar patch being applied, cron is restarted and in some instances log rotate starts processing log files while the patch has requested and proceeds with a system shutdown.

            When this issue occurs, an uncompressed file remains in the olddir causing logrotate to fail. Log rotate failing to run can cause QRadar partitions to fill to 100% unexpectedly.

            Note: When QRadar partitions fill to past 95% usage, required QRadar services are shutdown. For more infortion on monitored partitions, seeQRadar: Troubleshooting disk space usage problems.
            24 May 2021
            MANAGED HOST IJ25799 "RE-ADDING A MANAGED HOST" OPTION CAN FAIL TO BE DISPLAYED WHEN ADDING A NEW HOST TO A DEPLOYMENT USING THE SAME IP/HOSTNAME CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            When adding a new Managed Host to a QRadar deployment with the same IP address and hostname, the "Readding a managed host" option can sometimes fail to appear. When this occurs, the old IP from the drop down is not available for selection during the add process.

            This issue results in the add host creating new component IDs instead of using the original ones, causing historical searches to fail.
            24 May 2021
            NETWORK HIERARCHY IJ25874 NETWORK HIERARCHY GROUPS NAMED WITH NON-ENGLISH NAMES ARE NOT VISIBLE AS A QUICK FILTER OPTION OR FROM A NEW SEARCH PAGE CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Where possible, use English named Network groups.

            Issue
            Network Groups and Networks with non-English names (eg. Chinese, or Korean characters) are not visible as available options in the network filter drop down in quick filter or from new search page. For example:
            • Have a network group named with Chinese characters.
            • Add network to that group.
            • Have another network group named with Chinese characters.
            • Add network to the second group.
            • Deploy Changes.
            • Go to Log Activity tab and open quick filter, then select Destination Network.

              Results
              The group names with Chinese characters is not an availble option to select in the user interface.
            24 May 2021
            LOG SOURCE IJ25884 LOG SOURCE TYPE DROPDOWN CAN FAIL TO POPULATE AND GENERATE A TOMCAT OUT OF MEMORY WHEN OVER 1 MILLION LOG SOURCES EXIST CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Opening the Log Source Type dropdown (filter) can fail to populate properly and lead to a Tomcat service Out of Memory in QRadar environments with more than 1 million log sources.

            Note: The QRadar User Interface is unavailable during a Tomcat Out Of Memory occurance until the affected services recover.
            24 May 2021
            LOG SOURCE IJ25885 EVENT FOR SIM AUDIT QID 28250069 DOES NOT PROVIDE INFORMATION ON CHANGES THAT WERE MADE CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            In the sim audit log event (QID 28250069), there is no information in the event about what modifications have been made.

            The event payload contains only the name of the user and an api call, not the modifications made. Previous versions of QRadar (eg 7.3.0, 7.3.1) provided additional event payload information.
            24 May 2021
            QRADAR RISK MANAGER IJ26074 AUTOMATED RISK MANAGER QUERY CAN RUN LONGER THAN EXPECTED CAUSING AN APPLICATION ERROR ON THE RISKS TAB CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            A query which runs periodically on the Risk Manager server to gather vulnerability statistics for the subnets on the Topology screen can sometimes take longer than ten minutes to complete.

            When this situation occurs, the tomcat-rm service is automatically restarted and an Application Error is generated on the Risks tab during the restart of the tomcat-rm service.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
            canceling statement due to user request {prepstmnt 1607360343
            SELECT c.longname AS impact FROM qrm_asset qa INNER JOIN
            classificationitem ci ON qa.vulnid = ci.vulnid INNER JOIN
            classification c ON ci.classificationid=c.classificationid
            WHERE qa.vulnid IS NOT NULL AND (qa.domainid IN (0)) AND (
            (qa.ipaddress << 'x.x.x./x') )} [code=0, state=57014]
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg
            ingConnectionDecorator.java:218)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg
            ingConnectionDecorator.java:202)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$70
            0(LoggingConnectionDecorator.java:58)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingCo
            nnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1117)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
            uery(DelegatingPreparedStatement.java:268)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedS
            tatement.executeQuery(PostgresDictionary.java:1011)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
            uery(DelegatingPreparedStatement.java:268)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedSt
            atement.executeQuery(JDBCStoreManager.java:1800)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
            uery(DelegatingPreparedStatement.java:268)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
            uery(DelegatingPreparedStatement.java:258)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.util.LocalQRadarAPI.collectFromResult(LocalQRadarAPI.java:3256)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.util.LocalQRadarAPI.getImpactsinSubnet(LocalQRadarAPI.java:4987)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.ask.APIQRadarInterface.getImpactsinSubnet(A
            PIQRadarInterface.java:113)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co
            llectStatisticsForSubnet(StatisticsCollectorTask.java:166)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co
            llectStatisticsForAll(StatisticsCollectorTask.java:148)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.util.subnetcolor.StatisticsCollectorTask.co
            llectStatistics(StatisticsCollectorTask.java:58)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.jobs.StatisticsCollectorJob.process(StatisticsCollectorJob.java:42)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            com.q1labs.simulator.jobframework.jobexecutioncontroller.schedul
            er.PeriodicJobScheduler$1.run(PeriodicJobScheduler.java:122)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFuture
            Task.access$301(ScheduledThreadPoolExecutor.java:191)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFuture
            Task.run(ScheduledThreadPoolExecutor.java:305)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [tomcat-rm.tomcat-rm] [Statistics Collector Job]    at
            java.lang.Thread.run(Thread.java:818)
            24 May 2021
            LOG ACTIVITY IJ26098 'AN IO ERROR OCCURRED ON SERVER(S)...' CAN OCCUR DURING SEARCHES AFTER A HOST HAS HAD ITS IP ADDRESS CHANGED CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Using a command line tool such as vi, find and comment out or remove the entries for the old IP address in /etc/hosts on the QRadar Console. Attempt the search again.

            Issue
            Removing a non encrypted host from a QRadar deployment that has ariel running, changing it's IP address (using qchange_netsetup) and then re-adding the host to the QRadar deployment can result in ariel searches (eg. in the Log Activity tab) to that managed host reporting errors similar to: 'An IO error occurred on server(s) XXXXXX:ZZZZ. Please try again." (where XXXXX is the hostname of managed host that had its IP address changed and ZZZZ is the ariel port).

            Example steps that can identify this behavior occurs:
            1. QRadar environment where the Console and managed host (eg Event Processor EP) are not encrypted.
            2. Verify that searches are working (eg Log Activity tab).
            3. Perform the proper documented steps to remove the EP from the deployment.
            4. Perform the proper documented steps to use qchange_netsetup to change the IP address of the managed host (without changing the hostname).
            5. Perform the proper documented steps to re-add the host into the deployment.
            6. After the deploy is complete, attempt a basic search on that Event Prpcessor (EP) in the Log Activity tab (eg. last 5 minutes)

              Results
              A message similar to the following might be genereated in the Log Activity search screen: "An IO error occurred on server(s) XXXXXX:ZZZZ. Please try again." Where XXXXX is hostname of box that had its IP address changed and ZZZZ is the ariel port.
            24 May 2021
            ASSETS IJ26163 ASSET SEARCH CAN FAIL WHEN FILTERING BASED ON CONTENTS OF A REFERENCE SET WHERE MORE THAN ONE DOMAIN EXISTS CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            An Asset Search can fail when filtering based on the contents of a reference set when more than one domain is added to the reference set.

            For example:
            1. Navigate to Admin > Reference Set Management, select a Reference Set, and click Edit.
            2. In Content tab, click Add and enter your data, and select domain1. Then click Add.
            3. Perform Step 2 again, but select a different domain.
            4. Go to Asset tab, click Search > New Search.
            5. In the bottom Search Parameter(s), Select "IP Address", "In reference set", then select the Reference set used in step 1, then click the Search button.

              Results
              The search fails and generate an error.

            Administrators who experience this issue can confirm an ReportingSQLException similar to the following error in /var/log/qradar.error:
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm] com.q1labs.assets.ui.assetservices.UIAssetList: 
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error running filter based asset 
            list query for performance.org.apache.openjpa.lib.jdbc.ReportingSQLException:
            ERROR: more than one row returned by a subquery used as an
            expression {stmnt 669393640 select DISTINCT(asset.asset.id)
            from asset.asset  where (1=1) AND asset.asset.id NOT IN (SELECT
            assetid FROM asset.pendingassetupdate WHERE action=3) AND
            asset.asset.id in (SELECT DISTINCT(asset.interface.assetid)
            FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON
            asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1)  AND
             ( asset.ipaddress.ipaddress NOT IN (
                                            SELECT
            convert_from(data,'UTF8')::inet AS ipv4address FROM
            public.reference_data_element
                                            WHERE
            public.reference_data_element.rdk_id = (SELECT id FROM
            public.reference_data_key
                                            WHERE
            public.reference_data_key.rd_id = (SELECT id FROM
            public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$))
                            ) ) )} 
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]
            com.q1labs.assets.ui.assetservices.UIAssetList: [WARN]
            [NOT:0000004000][127.0.0.1/- -] [-/- -]Asset UI Performance optimization
            failing.:org.apache.openjpa.lib.jdbc.ReportingSQLException:
            ERROR: more than one row returned by a subquery used as an
            expression {stmnt 669393640 select DISTINCT(asset.asset.id)
            from asset.asset  where (1=1) AND asset.asset.id NOT IN (SELECT
            assetid FROM asset.pendingassetupdate WHERE action=3) AND
            asset.asset.id in (SELECT DISTINCT(asset.interface.assetid)
            FROM asset.interface LEFT OUTER JOIN asset.ipaddress ON
            asset.interface.id=asset.ipaddress.interfaceid WHERE (1=1)  AND
             ( asset.ipaddress.ipaddress NOT IN (
                                            SELECT
            convert_from(data,'UTF8')::inet AS ipv4address FROM
            public.reference_data_element
                                            WHERE
            public.reference_data_element.rdk_id = (SELECT id FROM
            public.reference_data_key
                                            WHERE
            public.reference_data_key.rd_id = (SELECT id FROM
            public.reference_data WHERE name LIKE $ItrXqTU$Steve2$ItrXqTU$))
                            ) ) )} 
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]
            com.q1labs.core.sql.queryframework.QueryFramework: [WARN]
            [NOT:0000004000][127.0.0.1/- -] [-/- -]SELECT * FROM (
                    SELECT
                        0               AS "assetid"
                    FROM asset.pendingassetupdate
                    WHERE (1=1)
                    AND asset.pendingassetupdate.assetid IS NULL AND
            asset.pendingassetupdate.action != 3
                     AND asset.pendingassetupdate.updatedby =
            $pGISzQS$Steve$pGISzQS$
                ) ASSET_PENDING_LIST_VIEW
                UNION ALL
                SELECT * FROM
                (
                    SELECT
                        DISTINCT(asset.asset.id)                  AS
            "assetid"
                    FROM asset.asset
                    INNER JOIN asset.interface ON asset.interface.assetid =
            asset.asset.id INNER JOIN asset.ipaddress ON
            asset.ipaddress.interfaceid = asset.interface.id
                    WHERE (1=1)
                    AND asset.asset.id NOT IN (SELECT assetid FROM
            asset.pendingassetupdate WHERE action=3)
                     AND  ( asset.ipaddress.ipaddress NOT IN (
                                            SELECT
            convert_from(data,'UTF8')::inet AS ipv4address FROM
            public.reference_data_element
                                            WHERE
            public.reference_data_element.rdk_id = (SELECT id FROM
            public.reference_data_key
                                            WHERE
            public.reference_data_key.rd_id = (SELECT id FROM
            public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                            ) )
                    --Additional ordering/limits for any base SQL query type
                ) ASSET_LIST_VIEW
                     OFFSET 0;
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]
            com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
            Chained SQL Exception [1/2]: ERROR: current transaction is
            aborted, commands ignored until end of transaction block {stmnt
            -1679308538 SELECT * FROM (
                    SELECT
                        0               AS "assetid"
                    FROM asset.pendingassetupdate
                    WHERE (1=1)
                    AND asset.pendingassetupdate.assetid IS NULL AND
            asset.pendingassetupdate.action != 3
                     AND asset.pendingassetupdate.updatedby =
            $pGISzQS$Steve$pGISzQS$
                ) ASSET_PENDING_LIST_VIEW
                UNION ALL
                SELECT * FROM
                (
                    SELECT
                        DISTINCT(asset.asset.id)                  AS
            "assetid"
                    FROM asset.asset
                    INNER JOIN asset.interface ON asset.interface.assetid =
            asset.asset.id INNER JOIN asset.ipaddress ON
            asset.ipaddress.interfaceid = asset.interface.id
                    WHERE (1=1)
                    AND asset.asset.id NOT IN (SELECT assetid FROM
            asset.pendingassetupdate WHERE action=3)
                     AND  ( asset.ipaddress.ipaddress NOT IN (
                                            SELECT
            convert_from(data,'UTF8')::inet AS ipv4address FROM
            public.reference_data_element
                                            WHERE
            public.reference_data_element.rdk_id = (SELECT id FROM
            public.reference_data_key
                                            WHERE
            public.reference_data_key.rd_id = (SELECT id FROM
            public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                            ) )
                    --Additional ordering/limits for any base SQL query type
                ) ASSET_LIST_VIEW
                     OFFSET 0;} 
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]
            com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
            Chained SQL Exception [2/2]: ERROR: current transaction is
            aborted, commands ignored until end of transaction block
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]
            com.q1labs.core.sql.queryframework.QueryFramework: 
            [WARN] [NOT:0000004000][127.0.0.1/- -] [-/--] 
            QueryFramework.executeQuery(): Could not execute the above SQL statement.
            [tomcat.tomcat] [admin@127.0.0.1 (8838) /console/do/assetprofile/SearchForm]
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
            current transaction is aborted, commands ignored until end of
            transaction block {stmnt -1679308538 SELECT * FROM (
                    SELECT
                        0               AS "assetid"
                    FROM asset.pendingassetupdate
                    WHERE (1=1)
                    AND asset.pendingassetupdate.assetid IS NULL AND
            asset.pendingassetupdate.action != 3
                     AND asset.pendingassetupdate.updatedby =
            $pGISzQS$Steve$pGISzQS$
                ) ASSET_PENDING_LIST_VIEW
                UNION ALL
                SELECT * FROM
                (
                    SELECT
                        DISTINCT(asset.asset.id)                  AS
            "assetid"
                    FROM asset.asset
                    INNER JOIN asset.interface ON asset.interface.assetid =
            asset.asset.id INNER JOIN asset.ipaddress ON
            asset.ipaddress.interfaceid = asset.interface.id
                    WHERE (1=1)
                    AND asset.asset.id NOT IN (SELECT assetid FROM
            asset.pendingassetupdate WHERE action=3)
                     AND  ( asset.ipaddress.ipaddress NOT IN (
                                            SELECT
            convert_from(data,'UTF8')::inet AS ipv4address FROM
            public.reference_data_element
                                            WHERE
            public.reference_data_element.rdk_id = (SELECT id FROM
            public.reference_data_key
                                            WHERE
            public.reference_data_key.rd_id = (SELECT id FROM
            public.reference_data WHERE name LIKE $eIQrWGn$Steve2$eIQrWGn$))
                            ) )
                    --Additional ordering/limits for any base SQL query type
                ) ASSET_LIST_VIEW
                     OFFSET 0;} 
            [tomcat.tomcat] [admin@127.0.0.1 (8838)
            /console/do/assetprofile/SearchForm]    at
            org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(Logg
            ingConnectionDecorator.java:218)
            24 May 2021
            QRADAR NETWORK INSIGHTS IJ26167 THE QRADAR NETWORK INSIGHTS (QNI) SMTP INSPECTOR CAN FAIL TO SHOW ALL RECIPIENT EMAIL ADDRESSES FOR SMTP CONTENT FLOWS CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            In unencrypted SMTP flows, the Recipient User field is shown as some variation of "undisclosed" which is derived from the mail header instead of the the recipient email address. This type of field in the mail header is used for both valid masking and malicious activities.

            The actual recipient (RCPT TO) in these instances can be viewed in the Standard Flow's Payload field provided it's position in the flow does not exceed that of the bytes in the payload that is extracted.
            24 May 2021
            QRADAR VULNERABILITY MANAGER IJ26525 VULNERABILITY SCAN DISPLAYS 100% COMPLETION BUT NEVER FINISHES WHEN TOOLS ARE EXCLUDED FROM THE SCAN POLICY CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            If either of the following tools are excluded in a QRadar Vulnerability Manager scan policy, the scan does not complete as expected:
            • netbios - patch scanning - check credentials (the checkaccess tool)
            • netbios - patch scanning & policy checks (the enum.pl tool)

              Results
              The Scan Results screen displays a value of 100% for the scan progress, but the percentage continues to increase.
            • Status: Running"
            • Progress: 100%"
            • Duration: <continues to increase>"
            24 May 2021
            QRADAR NETWORK INSIGHTS IJ26651 SMTP CONTENT FLOWS ORIGINATING FROM QNI HAVE FIELDS THAT ARE LIMITED TO 64 CHARACTERS IN THE NETWROK ACTIVITY TAB CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            SMTP Content Flows (originating from QNI) in the Network Activity tab can have certain fields that are limited to 64 characters. For example: Network Activity - SMTP Content Flows
            • Email fields and subject fields (these were the observed fields) are truncated to 64 characters
            • Email addresses in the format "First Last (Title of individual)" were often truncated somewhere in the actual email address
            • Recipient Users can be broken on a space. For example, one entry would read "Smith, another entry would read John (Title of person)" <John.Smith@exampledomain.com>
            24 May 2021
            DSM EDITOR IJ26665 CEF EVENTID DOES NOT MAP TO A QID WHEN IT IS THE LAST KEY/VALUE IN THE PAYLOAD WHEN CONFIGURED USING DSM EDITOR/LSX CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Use a Regular Expression (regex), instead of using a CEF key in the DSM Editor to parse a CEF name=value pair that is the last entry of the event payload.

            Issue
            If a CEF key is used to override the EventID for a log source using the DSM Editor/LSX, and it is the last key/value in the payload, it does not work as expected as it is not matched to a mapped QID in QRadar as a newline character "\n" is added to the parsed item.

            To recreate this issue:
            Add a CEF key as an override for a payload when the key/value pair is the last item in a payload.

            Results
            The Event ID is not able to match a QID as it will have a '\n' at the end.

            Note: If another key/value is added to the end of the payload it works as expected as the desired value no longer has the newline '\n' in it.
            24 May 2021
            MANAGED HOST IJ26729 USING QCHANGE_NETSETUP IN NAT'D QRADAR ENVIRONMENTS CAN CAUSE EVENT COLLECTION TO FAIL AFTER A MANAGED HOST IS RE-ADDED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            When re-adding a Managed Host to a deployment after performing a qchange_netsetup to add a public IP (NAT'd), some QRadar components can fail to be remapped or created correctly on the Managed Host. In these instances, affected QRadar component services have been identified as hostcontext, ecs-ec and ecs-ep. When this issue occurs, event collection can stop working for these affected Managed Hosts and not allow hosts to be connected together in a QRadar deployment successfully (eg. connecting an Event Collector to an Event Processor, or a DataNode to an Event Processor) due to the missing component services.

            Messages similar to the following might be visible in /var/log/qradar.log on an affected Managed Host when this issue occurs:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.configuration.ConfigChangeObserver:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
            Failed to download and apply new configuration
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.exception.HostContextConfigException:
            Unable to properly download and apply new configuration
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.exception.HostContextConfigException:
            Failed to download and process global set
            ..
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.exception.HostContextConfigException:
            Failed to build local configuration set
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.exception.HostContextConfigException:
            Failed to build local configuration set
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.configservices.common.ConfigServicesException:
            unable to transform components
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.configservices.common.ConfigServicesException:
            Failed to create EC_Ingress.xml for component
            eventcollectoringress103.
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            java.lang.RuntimeException: Error merging velocity template and
            context
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            org.apache.velocity.exception.MethodInvocationException:
            Invocation of method 'getEventThreshold' in  class
            com.q1labs.configservices.config.l
            ocalset.sem.ECIngressConfigBuilder threw exception
            java.lang.NumberFormatException: null at EC_Ingress.vm[line
            498, column 79]
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            java.lang.NumberFormatException: null
            ...
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.hostcontext.configuration.ConfigChangeObserver:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]
            Setting deployment status to Error
            24 May 2021
            QRADAR VULNERABILITY MANAGER IJ27020 DUPLICATE ASSETS CAN BE CREATED BY AN 'EARLY WARNING' VULNERABILITY WHEN DOMAINS ARE CONFIGURED IN QRADAR CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            On the Assets tab, manually delete of the duplicate asset with the "Default Domain" if this issue occurs.

            Issue
            In QRadar environments where Domains are configured, an "Early Warning" vulnerability detected by a QRadar Vulnerability Manager scan can result in the creation of a duplicate Asset in the "Default Domain".
            24 May 2021
            GEOGRAPHIC DATA IJ27129 GEO::DISTANCE IN AQL QUERIES DOES NOT CALCULATE DISTANCE CORRECTLY WHEN AN INTERNAL IP IS USED FOR THE SECOND ARGUEMENT CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            Using GEO::DISTANCE in AQL queries does not calculate distance correctly if a internal IP address is used for the second argument in the query.

            For example, when using SELECT GEO::DISTANCE(sourceip, destinationip) in AQL gueries:
            • Distance calculated properly when both IPs are External. GEO::DISTANCE(External Source IP Address, External Destination IP Address)
            • Distance calculated properly when IPs are internal to external. GEO::DISTANCE(Internal Source IP Address, External Destination IP Address)
            • Incorrectly calculates distances from external to internal. GEO::DISTANCE(External Source IP Address, Internal Destination IP Address)
            • Incorrectly calculates distances from internal to internal addresses when the distance is greater then 0. GEO::DISTANCE(Internal Source IP Address, Internal Destination IP Address)

              For example:
            • The following AQL query displays N/A as the distance output.
              SELECT GEO::DISTANCE('external-IP', 'internal-IP') AS KM FROM events LIMIT 1
            • The following AQL query displays an incorrect distance output.
              SELECT GEO::DISTANCE('internal-IP', 'internal-IP') AS KM FROM events LIMIT 1
            24 May 2021
            ASSETS IJ31040 UPDATES TO ASSET IP ADDRESSES CAN SOMETIMES CAUSE THE ASSET PROFILER SERVICE TO STOP PROCESSING ASSETS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Updates to Asset IP addresses that occur while the asset profiler is using the QRadar spillover cache can cause the asset profiler service to stop processing assets correctly.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
             at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue
             .put(AssetChangeEvent.java:99)
             at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffected
             Fields(AssetChangeEvent.java:324)
             at com.q1labs.assetprofile.persistence.AssetChangeEvent.put
             (AssetChangeEvent.java:306)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet$
             AssetChangeEventSubset.put(AssetChangeEventSet.java:99)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets
             (AssetChangeEventSet.java:480)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put
             (AssetChangeEventSet.java:539)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet.put
             (AssetChangeEventSet.java:34)
             at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize.put
             (SpilloverQueue.java:1142)
             at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.
             serialized_offer(SpilloverQueue.java:1249)
             at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue.offer
             (SpilloverQueue.java:1240)
             at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .offerBlocking(AssetChangeListenerLoader.java:365)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .offerThreaded(AssetChangeListenerLoader.java:339)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .publishToListener(AssetChangeListenerLoader.java:307)
             at com.q1labs.assetprofile.changepublisher.AssetChangePublisher.
             publishAssetChange(AssetChangePublisher.java:176)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager
             .dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager
             .dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorker
             Thread.commitCurrentTransactionAndFlushOutput
             (AssetProfilePersistenceWorkerThread.java:1037)


            And if the IP address update is sent to the spillover cache, the asset profiler stops processing any further asset updates and the following can be visible in /var/log/qradar.log:
            java.lang.ClassCastException: java.lang.String incompatible with java.lang.Integer
             at com.q1labs.assetprofile.persistence.AssetChangeEvent$ChangeValue.put
             (AssetChangeEvent.java:99)
             at com.q1labs.assetprofile.persistence.AssetChangeEvent.writeAffected
             Fields(AssetChangeEvent.java:324)
             at com.q1labs.assetprofile.persistence.AssetChangeEvent.put
             (AssetChangeEvent.java:306)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet$AssetChange
             EventSubset.put(AssetChangeEventSet.java:99)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet.writeSubsets
             (AssetChangeEventSet.java:480)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet
             .put(AssetChangeEventSet.java:539)
             at com.q1labs.assetprofile.persistence.AssetChangeEventSet
             .put(AssetChangeEventSet.java:34)
             at com.q1labs.frameworks.queue.SpilloverQueue$RecordSerializerWithSize
             .put(SpilloverQueue.java:1142)
             at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue
             .serialized_offer(SpilloverQueue.java:1249)
             at com.q1labs.frameworks.queue.SpilloverQueue$FileBasedQueue
             .offer(SpilloverQueue.java:1240)
             at com.q1labs.frameworks.queue.SpilloverQueue.offer(SpilloverQueue.java:706)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .offerBlocking(AssetChangeListenerLoader.java:365)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .offerThreaded(AssetChangeListenerLoader.java:339)
             at com.q1labs.assetprofile.changelistener.AssetChangeListenerLoader
             .publishToListener(AssetChangeListenerLoader.java:307)
             at com.q1labs.assetprofile.changepublisher.AssetChangePublisher
             .publishAssetChange(AssetChangePublisher.java:176)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager
             .dispatchFromTopTier(AssetProfilePersistenceManager.java:417)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceManager
             .dispatchBufferedEvents(AssetProfilePersistenceManager.java:357)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorker
             Thread.commitCurrentTransactionAndFlushOutput(AssetProfilePersistence
             WorkerThread.java:1037)
             at com.q1labs.assetprofile.persistence.AssetProfilePersistenceWorker
             Thread.run(AssetProfilePersistenceWorkerThread.java:429)
            24 May 2021
            DEPLOY CHANGES IJ29047 QRADAR MANAGED HOST(S) CAN FAIL TO DEPLOY AFTER COMPLETING THE PATCHING PROCESS AS THE QRADAR DATABASE HAS NOT DOWNLOADED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            1. Open an SSH session to the QRadar Console, and navigate to /store/configservices/globalconfig/nva.conf.
            2. Change the value of LOCAL_FALLBACK_DISABLED=true to LOCAL_FALLBACK_DISABLED=false.
            3. SSH to any affected Managed Host(s) and in /store/configservices/globalconfig/nva.conf and /store/configservices/staging/globalconfig/nva.conf change LOCAL_FALLBACK_DISABLED=true to LOCAL_FALLBACK_DISABLED=false.
            4. To run a local transformation on affected Managed Host(s), type:
              /opt/qradar/bin/local_transformation.sh -l -f

              Results
              Deploys should now work as expected.
            Issue
            In instances where LOCAL_FALLBACK_DISABLED=true setting is contained within the nva.conf file, a QRadar Managed Host(s) can fail to download the QRadar database from the Console successfully after being patched. When this occurs, QRadar Deploy functions fail to affected Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE 
            in a read-only transaction {stmnt -490361463 UPDATE public.user_settings SET
            allow_system_authentication_fallback=false} 
               at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap
               (LoggingConnectionDecorator.java:218)
               at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap
               (LoggingConnectionDecorator.java:202)
               at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access
               $700(LoggingConnectionDecorator.java:58)
               at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection
               $LoggingStatement.executeUpdate(LoggingConnectionDecorator.java:913)
               at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate
               (DelegatingStatement.java:118)
               at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelStatement.
               executeUpdate(JDBCStoreManager.java:1689)
               at org.apache.openjpa.lib.jdbc.DelegatingStatement.executeUpdate
               (DelegatingStatement.java:118)
               at com.q1labs.core.shared.permissions.UserManager.updateAllowSystem
               AuthenticationFallback(UserManager.java:1737)
            24 May 2021
            APPLICATION FRAMEWORK IJ28648 QRADAR APPS CAN FAIL TO LOAD DUE TO THE QRADARCA-MONITOR SERVICE BEING IN A STUCK STATE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            QRadar Apps can fail to load if the qradarca-monitor service is in a stuck state of activating. This issue can also cause the failure of new app installations, app deletions, and app upgrades.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            bash[55538]: goroutine 1 [chan receive, 44478 minutes]:
            bash[55538]:
            path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).openCh
            annel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x20002,
            0xc4201341e4, 0xc4201341e0)
            bash[55538]:
            /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-q
            radarca/vendor/golang.org/x/crypto/ssh/mux.go:322 +0x1f2
            bash[55538]:
            path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*mux).OpenCh
            annel(0xc42018ccb0, 0x766c05, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0,
            0x0, 0x0, ...)
            bash[55538]:
            /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-q
            radarca/vendor/golang.org/x/crypto/ssh/mux.go:298 +0x64
            bash[55538]:
            path/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).New
            Session(0xc42018f800, 0x3, 0xc4202888d0, 0x10)
            bash[55538]:
            /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-q
            radarca/vendor/golang.org/x/crypto/ssh/client.go:130 +0x67
            bash[55538]:
            path/pi/si-qradarca/localca.connectToHost(0x76616e, 0x4,
            0xc420165119, 0xd, 0x4ae499, 0x3, 0xc42030c000, 0x65)
            bash[55538]:
            /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-q
            radarca/localca/util.go:320 +0x356
            bash[55538]:
            path/pi/si-qradarca/localca.CheckRemoteFileExists(0x76616e,
            0x4, 0xc420163360, 0x20, 0xc420165119, 0xd, 0x0, 0x0, 0x0)
            bash[55538]:
            /builds/pi/si-qradarca/.gogradle/project_gopath/src/path/pi/si-q
            radarca/localca/remote.go:63 +0x85
            bash[55538]:
            path/pi/si-qradarca/localca.checkCertificateOnRemote(0xc42016511
            9, 0xd, 0xc42015bce0, 0x9, 0xc420163340, 0x12, 0xc42015bcf0,
            0x9, 0x7660ca, 0x4, ...)
            24 May 2021
            SIM AUDIT IJ26652 'USER ACCOUNT MODIFIED" EVENT GENERATED INSTEAD OF "USER PASSWORD CHANGE" WHEN PASSWORD CHANGE OCCURS CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            No workaround available. Administrators who experience this issue must upgrade to a software version where this issue is resolved.

            Issue
            A "User Account Modified" event (QID 28250069) is generated when a QRadar user password is changed from the QRadar User Interface instead of an expected "User Changed Password" event being generated.

            The same "Account Modified" is logged by the audit logs:
            test@127.0.0.1 (7179) /console/restapi/api/config/access/users/3 | [Configuration] [UserAccount] [AccountModified] test
            24 May 2021
            DSM EDITOR IJ25814 DSM EXPORT FUNCTION FAILS WHEN AUTHOR FIELD IS LEFT BLANK CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            Ensure the Author field is populated when performing a DSM Export function.

            Issue
            When perfroming an DSM "Export" function, the Author field is not required, but if the field is blank (it is prefilled with Admin) the Export function fails and generates and error similar to:
            console/restapi/api/config/extension_management/extension_export_tasks]
            com.ibm.si.data_ingestion.api.v12_0.cmt.ExtensionManagementAPI:
            [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Export failed.
            Manifest Configuration should be valid. Name, Author, min_version and version should be valid.


            Note: After an upgrade to QRadar 7.4.3 GA or later, the DSM Editor displays, "The value is required" if you attempt to export a custom DSM without the author field populated.
            24 May 2021
            AUTHENTICATION IJ27713 UNABLE TO LOGIN TO QRADAR USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES OVER STANDARD LDAP PORTS CLOSED Workaround
            Multiple workarounds available:
            • Use SSL instead of TLS or configure LDAP and the LDAP settings (base OU etc.) to prevent referrals.
              OR
            • Attempt to use one of the AD Global Catalog ports, such as LDAP TCP/3268 or LDAPS TCP/3269.

            Issue
            Users are unable to log in when using encrypted LDAP with Microsoft Active Directory Services over standard LDAP ports TCP/389 and TCP/636 as LDAP referrals break communications over TLS encryption.

            When attempting to login, the LDAP authentication fails even while using the "Test Connection" button on the LDAP configuration page.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1(3540)
            /console/JSON-RPC/QRadar.isLDAPConnectionAvailable
            QRadar.isLDAPConnectionAvailable]
            com.q1labs.core.shared.ldap.SimpleLdapClient: [ERROR]
            [NOT:0000003000][ipaddress/- -] [-/- -]Exception occurred when
            checking if ldap connection is available
            [tomcat.tomcat] [admin@127.0.0.1(3540)
            /console/JSON-RPC/QRadar.isLDAPConnectionAvailable
            QRadar.isLDAPConnectionAvailable] javax.naming.NamingException:
            [LDAP: error code 1 - 00000000: LdapErr: DSID-0C09127A,
            comment: TLS or SSL already in effect, data 0, v3839
            04 February 2021
            QRADAR RISK MANAGER IJ00838 ARC_BUILDER GOES OUT OF MEMORY GOES WHEN THE ASSET CEILING NUMBER IS SET TO 5 MILLION ASSETS CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)

            Workaround
            If you are unable to upgrade to a release where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Arc_builder goes out of the memory in the managed host when the asset ceiling number is set to 5 million.

            If you have a large number of assets, review /var/log/qradar.log
            for Java heap space or load daemon messages related to ArcBuilder.init:
            QRADAR-primary arc_builder[22051]: Caused by:
            java.lang.Exception: java.lang.OutOfMemoryError: Java heap space
            QRADAR-primary arc_builder[22051]:     at
            com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:240)
            QRADAR-primary arc_builder[22051]:     ... 5 more
            QRADAR-primary arc_builder[22051]: Caused by:
            java.lang.OutOfMemoryError: Java heap space
            QRADAR-primary arc_builder[22051]:     at
            gnu.trove.TLongHashSet.rehash(TLongHashSet.java:169)
            QRADAR-primary arc_builder[22051]:     at
            gnu.trove.THash.postInsertHook(THash.java:359)
            QRADARprimary arc_builder[22051]:     at
            gnu.trove.TLongHashSet.add(TLongHashSet.java:154)
             QRADAR-primary arc_builder[22051]:     at
            com.q1labs.semsources.filters.arc.NetworkModelsServices.loadExis
            tingPortData(NetworkModelsServices.java:405)
            QRADAR-primary arc_builder[22051]:     at
            com.q1labs.semsources.filters.arc.NetworkModelsServices.init(Net
            workModelsServices.java:215)
            QRADAR-primary arc_builder[22051]:     at
            com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:164)
            QRADAR-primary arc_builder[22051]:     at
            com.q1labs.semsources.filters.arc.ArcBuilder.init(ArcBuilder.java:235)
             QRADAR-primary arc_builder[22051]:     ... 5 more
            QRADAR-primary arc_builder[22051]: 09/04/2017 22:06:18 22052
            arc_builder error: Cannot load daemon
            
            12 August 2020
            DATA SYNCHRONIZATION APP IJ32756 DESTINATION SITE AUTH TOKENS FAIL TO WORK PROPERLY AFTER A RESTORE IS PERFORMED USING THE QRADAR DATA SYNCHRONIZATION APP OPEN Workaround
            After a cross-site restore completes from the QRadar Data Snychronization app:
            1. On the Admin tab, click Advanced > Deploy Full Configuration.
            2. Wait for the full deploy to complete.
            3. After the Deploy Full Configuration completes, type the following command and verify the status is "Active: active (running)":
              systemctl status tomcat
            4. After confirming tomcat is running, restart tomcat:
              systemctl restart tomcat

            Issue
            After completing a cross-site restore through the Data Sync App, the following error massages can display, which suggest that the QRadar APIs are no longer retrieving results:
            [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] 'An error occured retrieving backups from QRadar API: No SEC header present in request. Please provide it via "SEC: token". You may also use BASIC authentication parameters if this host supports it. e.g. "Authorization: Basic base64Encoding"',
            [ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Eastern Daylight Time)] toString: [Function: toString] }
            24 May 2021
            USER INTERFACE IJ23859 'APPLICATION ERROR' POP UP CAN OCCUR WHEN DISABLING A USER THAT HAS DEPENDENCIES (E.G. CEP, SAVED SEARCH) CLOSED Resolved in
            None. Closed as Permanent restriction.

            Workaround
            After initiating the user delete process, reassign all dependencies and then cancel the delete process.

            Issue
            An "Application Error" can be generated in the user interface after a user is disabled who owns dependencies (e.g. Custom Event Properties or Saved Searches). The following error can be displayed on the Log Activity tab or Network Activity tab when a value (custom property, reference set, saved search, etc) owned by a disabled users attempts to render.
            The Log Activity tab can display Application Error when a disabled users owns a custom property or dependency the UI requires to display results.

            Messages similar to the following might be generated in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
            com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception creating AQL
            key creator for property ID 58099b2f-d650-4b70-ac93-f5d770d24062
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
            com.q1labs.ariel.ql.parser.AQLParserException: Catalog "events"
            does not exist.
            concat(REFERENCEMAP('^
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.ariel.ql.parser.ParserBase.getCatalog(ParserBase.java:179)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.ariel.ql.parser.Parser.parseExpression(Parser.java:300)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.core.shared.ariel.AqlCustomKeyCreator.createKeyCreator(AqlCustomKeyCreator.java:145) 
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.core.shared.ariel.AqlCustomKeyCreator.initialize(AqlCustomKeyCreator.java:122) 
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.frameworks.util.Utils.initialize(Utils.java:459)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:782)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielServices.java:5872)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails.java:36)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            sun.reflect.GeneratedMethodAccessor1170.invoke(Unknown Source)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            java.lang.reflect.Method.invoke(Method.java:508) 
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java:101)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java:122)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFilter(AddEncodingToRequestFilter.java:56)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(DestroySessionFilter.java:26)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(AddHSTSHeaderFilter.java:22)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) 
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java:47)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            [tomcat.tomcat] [admin@127.0.0.1(6637)/console/do/ariel/arielDetails] at
            org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:476)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails] at
            java.lang.Thread.run(Thread.java:812)
            [tomcat.tomcat] [admin@127.0.0.1(6637) /console/do/ariel/arielDetails]
            com.q1labs.uiframeworks.action.ExceptionHandler: [INFO] [NOT:0000006000]
            [127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
            09 March 2021
            SALESFORCE REST API PROTOCOL IJ29347 QRADAR REQUIRES SECURITY TOKEN FOR SALESFORCE RESTAPI PROTOCOL CONNECTION OPEN Workaround
            Running the following command from an SSH session to the QRadar Console allows for connectivity without the use of a security token for Salesforce REstAPI Protocol connections:
            psql -U qradar -c "update sensorprotocolparameter set required = 'f' where id = 54030;"

            Issue
            Salesforce RestAPI Protocol configuration allows connections without using a Security Token, but within QRadar the Security Token is still required (see QRadar DSM Guide).

            This can cause connectivity issues between QRadar and the Salesforce source due to the variance in setup that can occur when configuring the protocol/connection.

            Messages similar to the following might be visible in /var/log/qradar.error when this issue is occurs:
            Response from auth attempt was not 200, response: 400: Bad
            Request
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-8126]
            com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAP
            IInstance: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]
            {"error":"invalid_grant","error_description":"authentication
            failure"}
            19 November 2020
            ROUTING RULES / FORWARDED EVENTS IJ29718 EVENTS CAN BE DROPPED WHEN A DROPPED CONNECTION FAILED TO RECONNECT USING ONLINE FORWARDING WITH 'TCP' OR 'TCP OVER SSL' CLOSED Resolution
            The development team is unable to reproduce this issue. If you contain to experience errors with forwarded events or routing rules Contact QRadar Support.

            Workaround
            No workaround available. APARs identified with no workaround require a software update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            When using online forwarding with TCP or TCP over SSL, if a connection issue occurs, it can result in online forwarding not reconnecting to the configured Destination successfully. Events are not forwarded to the Destination until the forwarding rule is disabled and re-enabled to establish a proper connection.
            02 February 2021
            RULES IJ32591 RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Iptables and ip6tables rules can be incorrectly generated in QRadar deployments where dual stack is configured. Appliances with dual stack (IPv4 and IPv6) are configured so iptables and ip6tables are disabled and iptables_update.pl script is symlinked to /bin/true.

            When patching to a QRadar version where the hostcontext rpm is updated, this configuration is reverted and iptables is unexpectedly re-enabled.
            10 May 2021
            RULES IJ32591 RULES CAN BE INCORRECTLY GENERATED IN DEPLOYMENTS WHERE DUAL STACK IS CONFIGURED AND A QRADAR PATCH HAS BEEN APPLIED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue.

            Issue
            The Incident Results window populates from a forensics database table that is not purged even when cases are deleted through Case Management.

            All entries on all pages must have a Solr request sent to determine the document count for the page which can sometimes cause the Incident Results window to take longer than expected to load.
            29 April 2021
            QRADAR NETWORK INSIGHTS IJ32062 QRADAR NETWORK INSIGHTS CANNOT ADD HOST TO THE DEPLOYMENT WHEN THE CONSOLE FAILS TO OPEN AN SFTP CHANNEL CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            1. Using an SSH session to the QNI host, edit the following file located in /etc/ssh/sshd_config using a tool such as vi to un-comment the following line:
              Subsystem sftp /usr/libexec/openssh/sftp-server
            2. On the QNI host, restart hte sshd using the command:
              systemctl restart sshd
            3. Add the QNI host to the deployment again.

            Issue
            QRadar Network Insights (QNI) hosts can fail to be added to a QRadar deployment due to the console failing to open an SFTP channel.

            These instances have been identified as being caused by changes made in sshd_config during previous QRadar upgrades of the QNI host.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [a393ce8b-13c3-4a89-a9af-45b902ce90f4/SequentialEventDispatcher]
            com.q1labs.core.shared.cli.ssh.SshException: Failed to open an sftp channel
            29 April 2021
            LOG SOURCE MANAGEMENT APP IJ32519 ALERT BOX 'ERRORFETCHINGCERTIFICATEDATATITLE' POP UP WHEN USING LOG SOURCE MANAGEMENT APP (LSM) V7.0.0 CLOSED Resolved in
            Log Source Management app v7.0.1

            Workaround
            Close the Alert if it appears. The error message is benign and Log Source Management app continues to function as expected after the error message is closed.

            Issue
            The Log Source Management app (LSM) v7.0.0 can display an alert box similar to the following:
            ERRORFETCHINGCERTIFICATEDATATITLE is an API error that can be closed if displayed and does not impact LSM app functionality.
            This message is generated when an API call returns null and is not handled properly by the Log Source Management app.
            19 May 2021
            UPGRADE IJ32160 PATCH PRE-TEST CAN FAIL WITH '[ERROR] THERE ARE X BACKUPS IN PROGRESS. PLEASE WAIT FOR THEM TO COMPLETE...' CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            Follow these steps from an SSH session to the QRadar Console to update all backups marked "DELETING" to be 'FAILED':
            1. Stop hostcontext and tomcat:
              systemctl stop hostcontext
              systemctl stop tomcat
            2. Run the following sql:
              psql -U qradar -c "update backup set status = 'FAILED' where status = 'DELETING';"
            3. Restart tomcat and hostcontext
              systemctl start tomcat
              systemctl start hostcontext
            4. Retry the patch pre-test process
            Issue
            The QRadar patch pre-test can fail with a message displayed similar to the following when the QRadar database has many backup records in status 'DELETING': [ERROR] There are X backups in progress. Please wait for them to complete or cancel via UI before restarting patch
            06 September 2022
            LOG ACTIVITY IJ32112 "Q1CERTIFICATEEXCEPTION: CHECKCERTIFICATEPINNING FAILED" ERROR MESSAGES IN LOG ACTIVITY AS SIM GENERIC EVENTS CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue.

            Issue
            "Q1CertificateException: checkCertificatePinning failed" error messages can sometimes be observed in Log Activity as Sim Generic events.

            Individual lines of the stack trace can be sent into the QRadar pipeline and when this occurs they are being parsed as Unknown SIM Generic events or in some instances as Stored events under a newly created Log Source.

            This error message is caused by the certificate being retrieved from the Log Source location that is not matching any of the stored certificates on the QRadar system.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
            at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
            at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
            at com.ibm.jsse2.D.s(D.java:286)
            at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
            ... 25 more
            at com.ibm.jsse2.av.a(av.java:788)
            at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
            at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1352)
            at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1327)
            at com.ibm.jsse2.av.a(av.java:637)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            at com.ibm.jsse2.E.a(E.java:145)
            at java.lang.Thread.run(Thread.java:822)
            at com.ibm.jsse2.E.a(E.java:479)
            at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java:215)
            at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:319)
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
            at com.q1labs.hostcontext.configuration.ConfigChangeObserver$ConfigChangeObserverTask.run(ConfigChangeObserver.java:662)
            at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:72)
            at com.ibm.jsse2.E.a(E.java:585)
            at com.ibm.jsse2.D.a(D.java:251)
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.timeExpired(ConfigChangeObserver.java:401)
            at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:1)
            at com.q1labs.hostcontext.configuration.ConfigChangeObserver$CheckDeployRequestTimer.getActionRequest(ConfigChangeObserver.java:426)
            at com.ibm.jsse2.av.startHandshake(av.java:1020)
            at com.ibm.jsse2.D.a(D.java:121)
            at com.ibm.jsse2.k.a(k.java:43)
            at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:359)
            at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:70)
            at com.ibm.jsse2.av.a(av.java:722)
            at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java:544)
            at com.ibm.jsse2.D.a(D.java:572)
            at com.ibm.jsse2.av.i(av.java:45)
            at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
            at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
            at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
            Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:191)
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
            at com.ibm.jsse2.E.a(E.java:145)
            ... 25 more
            06 September 2022
            HIGH AVAILABILITY (HA) IJ32089 HIGH AVAILABILITY FAILOVER DOES NOT WORK AS EXPECTED WHEN ISCSI AND MUTIPATH IS CONFIGURED CLOSED Workaround
            Closed as permanent restriction as this issue will not be fixed. Refer to the IBM Security QRadar Offboard Storage Guide for supported offboard storage configurations.

            Issue
            High Availability (HA) failovers do not work as expected when ISCSI is configured with multipath. The ha_setup.sh allows the multipath configuration to succeed, but HA failovers do not work as a bad symlink is created.
            20 July 2021
            QRADAR NETWORK INSIGHTS IJ32165 MISCELLANEOUS FLOWS CAN BE GENERATED BY QRADAR NETWORK INSIGHTS WITH PAYLOADS SIMILAR TO "IBM(158)=HTTP;IBM(159)=1.0" CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            1. If no custom NetFlow v9 or IPFIX integration with third party sources, along with custom flow properties to extract fields out of the payload, then it is recommend to disable Payload mode altogether. This can be done via the System Settings dialog and selecting only "TLV" mode.
            2. If Payload mode is required, then edit the /opt/qradar/conf/IPFIXFields.conf to add the additional fields shown in the payload field that are to be hidden.
              Note: The 0 should be included in the payload column of that file so it is not included in the payload. For example, the protocol name field can be hidden with the following line:
              "2,158,PROTOCOL_NAME,0")

            Issue
            QRadar Network Insights can generate miscellaneous flows that include payloads that display similar to:
            "Apr 5, 2021, 4:04:54PM","false","Web.Web.Misc","Best Effort","6","false","0:0:0:0:0:0:0:0",
            "0","4","IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
            IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
            IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;
            IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Web","18448","IBM(158)=HTTP;
            IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
            IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
            IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;IBM(158)=HTTP;
            IBM(159)=1.0;IBM(158)=HTTP;IBM(159)=1.0;","Apr 5,2021, 4:02:50 PM","Best Effort","L2L",
            "Web.HTTPWeb","61176","S,P,A","9999"
            2 February 2022
            CUSTOM PROPERTIES IJ32104 AN EXCEPTION GENERATED BY THE AUTOMATIC PROPERTY DISCOVERY ENGINE CAN CAUSE EVENTS TO BE DROPPED FOR LOG SOURCES OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue.

            Issue
            Property Autodetection can stop working if the threshold for bad properties is reached on a Managed Host as disablePropertyDiscoveryProfile can try to update the DB and fail as it is a read-only transaction. When this issue occurs, events can fail to be received into QRadar Log Sources.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread]
            com.q1labs.frameworks.core.ThreadExceptionHandler: 
            [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]
            Exception was uncaught in thread: Property Discovery Engine Thread
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] com.q1labs.frameworks.
            exceptions.FrameworksRuntimeException: Problem occurred committing transaction
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.
            session.SessionContext.commitTransaction(SessionContext.java:1079)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.
            session.SessionContext.commitTransaction(SessionContext.java:1005)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters. 
            property.cache.PropertyDiscoveryThreshold.disableProperty
            DiscoveryProfile(PropertyDiscoveryThreshold.java:159)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.property.
            cache.PropertyDiscoveryThreshold.incrementThreshold(PropertyDiscoveryThreshold.java:92)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.
            property.parser.PropertyParser.handleResults(PropertyParser.java:56)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.
            property.parser.PropertyParserJSON.processEvent(PropertyParserJSON.java:54)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.ibm.si.ec.filters.
            property.PropertyDiscoveryEngine$PropertyDiscoveryEngineThread.run
            (PropertyDiscoveryEngine.java:222)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] 
            Caused by:
            <openjpa-2.4.3-r422266:1833086 fatal store error>
            org.apache.openjpa.persistence.RollbackException: The transaction has been rolled back. 
            See the nested exceptions for details on the errors that occurred. 
            [ecs-ec.ecs-ec] [Property
            Discovery Engine Thread] FailedObject: com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at com.q1labs.frameworks.
            session.SessionContext.commitTransaction(SessionContext.java:1039)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 6 more
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] 
            Caused by: <openjpa-2.4.3-r422266:1833086 fatal general error>
            org.apache.openjpa.persistence.PersistenceException: The
            transaction has been rolled back. See the nested exceptions for
            details on the errors that occurred.
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: 
            com.q1labs.core.dao.qidmap.PropertyDiscoveryProfile-51
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.BrokerImpl.newFlushException(BrokerImpl.java:2374)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.BrokerImpl.flush(BrokerImpl.java:2211)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.BrokerImpl.flushSafe(BrokerImpl.java:2103)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:2021)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.BrokerImpl.commit(BrokerImpl.java:1526)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.DelegatingBroker.commit(DelegatingBroker.java:932)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            persistence.EntityManagerImpl.commit(EntityManagerImpl.java:571)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 7 more
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] 
            Caused by: 
            <openjpa-2.4.3-r422266:1833086 fatal general error>
            org.apache.openjpa.persistence.PersistenceException: ERROR: cannot execute UPDATE 
            in a read-only transaction {prepstmnt -722393899 UPDATE property_discovery_profile 
            SET active = ? WHERE id = ?} 
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] FailedObject: com.q1labs.core.
            dao.qidmap.PropertyDiscoveryProfile-51
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            sql.DBDictionary.narrow(DBDictionary.java:5003)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            sql.DBDictionary.newStoreException(DBDictionary.java:4963)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            sql.SQLExceptions.getStore(SQLExceptions.java:133)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            sql.SQLExceptions.getStore(SQLExceptions.java:75)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:144)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.BatchingPreparedStatementManagerImpl.flushAndUpdate(BatchingPreparedStatementManagerImpl.java:79)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.PreparedStatementManagerImpl.flushInternal(PreparedStatementManagerImpl.java:100)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.PreparedStatementManagerImpl.flush(PreparedStatementManagerImpl.java:88)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:550)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.ConstraintUpdateManager.flush(ConstraintUpdateManager.java:107)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.BatchingConstraintUpdateManager.flush(BatchingConstraintUpdateManager.java:59)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:104)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.AbstractUpdateManager.flush(AbstractUpdateManager.java:77)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.JDBCStoreManager.flush(JDBCStoreManager.java:731)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.
            kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:131)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 14 more
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] Caused by:
            org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: cannot execute UPDATE in a read-only 
            transaction {prepstmnt -722393899 UPDATE property_discovery_profile SET active = ? WHERE id = ?} 
            
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:194)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            LoggingConnectionDecorator.access$1000(LoggingConnectionDecorator.java:58)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeUpdate
            (LoggingConnectionDecorator.java:1133)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.lib.jdbc.
            DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:275)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.JDBCStoreManager$CancelPreparedStatement.executeUpdate(JDBCStoreManager.java:1791)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.PreparedStatementManagerImpl.executeUpdate(PreparedStatementManagerImpl.java:268)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] at org.apache.openjpa.jdbc.
            kernel.PreparedStatementManagerImpl.flushAndUpdate(PreparedStatementManagerImpl.java:119)
            [ecs-ec.ecs-ec] [Property Discovery Engine Thread] ... 24 more
            29 April 2021
            SEARCH IJ32428 UNABLE TO DELETE SAVED SEARCHES OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            When attempting to delete saved searches, the search can load as expected but then there is no option to delete it as the window with "confirm deletion" button does not appear.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1(4474) 
            /console/do/ariel/arielSearch] java.lang.ArrayIndexOutOfBoundsException
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at com.q1labs.cve.utils.CustomColumnDefinition.fromString(CustomColumnDefinition.java:386)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1391)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1296)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchForm.java:246)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearch_jsp.java:415)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:713)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch]
            at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:462)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:387)
            [tomcat.tomcat] [admin@127.0.0.1(4474) /console/do/ariel/arielSearch] 
            at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:315)
            01 May 2021
            AUTHENTICATION IJ32108 THE USER INTERFACE ADMIN PASSWORD CAN FAIL TO BE SET CORRECTLY WHEN A REBOOT OCCURS DURING SYSTEM BUILD OPEN Workaround
            Set the User Interface admin password using the command line interface (CLI) script using these instructions:
            QRadar: Changing the admin account password from the UI or CLI

            Issue
            When a QRadar system is being built and a reboot occurs during the install configuration, the User Interface admin password can sometimes fail to be set correctly.
            01 May 2021
            LOG SOURCE MANAGEMENT APP IJ32240 LOG SOURCE MANAGEMENT APP DOES NOT ALLOW THE PORT FIELD TO BE LEFT BLANK WHEN USING SOME JDBC PROTCOL CONFIGURATIONS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            In the DSM Guide documentation on configuring parameters for the JDBC protocol, it states that "if a database instance is used with the MSDE database type, you must leave the Port field blank". This is also displayed in the LSM app under a "show more" button.

            However the LSM app does not allow you to leave the Port field blank and considers this field to be a "required field".
            01 May 2021
            DSM EDITOR IJ32103 WINDOWS SECURITY LOG EVENTS CAN FAIL TO BE PARSED COMPLETLY BY THE DSM EDITOR WHILE WORKING AS EXPECTED IN LOG ACTIVITY OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Microsoft Windows Security Events Logs (with AWS Kinesis) can fail to be parsed correctly in the DSM Editor while being parsed correctly in the Log Activity tab of the QRadar User Interface.

            For example: EventID in the DSM Editor not displaying as expected, but parses fine in the Log Activity tab.
            Tip: To view a larger version of the image, right-click and open the image in a new tab.
            01 May 2021
            INDEX MANAGEMENT IJ32111 QUICK FILTER PROPERTY IN ADMIN > INDEX MANAGEMENT DISPLAYS AS "% OF SERACHES USING PROPERTY" AND HITS/MISSES STAY AT 0 OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            When looking at 'Quick Filter' property under Admin > Index Management, sometimes '% of Searches Using Property' is displayed along with hits/misses always as " 0 " even after many searches have been run during a selected timeframe.
            01 May 2021
            PROTOCOLS IJ27028 LOG SOURCES CONFIGURED TO USE THE GOOGLE G SUITE ACTIVITY REPORTS RESTAPI PROTOCOL CAN BE MISSING SOME EVENTS OPEN Workaround
            No workaround available. APARs identified with no workaround might require a protocol update to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Log Sources that are configured to use the Google G Suite Activity Reports REST API Protocol can be missing events. There have been multiple reasons identifed as being the cause for this issue.

            1. When multiple pages are returned in the response, the oldest time is set for the event marker, which instead should be the latest time.
            2. When delays occur at the vendor, the query based on real-time can experience missing events.
            15 August 2020
            LOG SOURCE MANAGEMENT APP IJ32222 REPETITIVE /VAR/LOG/AUDIT.LOG MESSAGES BEING WRITTEN AFTER A FAILED PROTOCOL TEST USING LOG SOURCE MANAGEMENT (LSM) APP OPEN Workaround
            Performing an ecs-ec-ingress service restart corrects this issue until another failed protocol test is performed as above.
            1. Log in to QRadar as an Administrator.
            2. Click the Admin tab.
            3. On the Advanced menu, click Restart Event Collection Services.
              Note: Restarting the Event Collection Service interrupts event collection momentarily on all appliances while the service restarts.

              Results
              After the Event Collection Service (ecs-ec-ingress) restarts, the repetative log messages are not written in /var/log/audit.log.

            Issue
            Using the Log Source Management app to perform a protocol test can fail and sometimes causes repeating API messages similar to the following to be written every 5 seconds to /var/log/audit.log:
            Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604)
            /console/restapi/api/system/task_management/tasks | [Action]
            [RestAPI] [APISuccess] [configservices]
            [1b76e3ae-d28f-4c1e-9b47-86940f613bea] [SECURE] |
            ContextPath=/console | Headers=[Version: 6.0][host:
            ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2,
            */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST |
            PathInfo=/system/task_management/tasks | Protocol=HTTP/1.1 | Que
            ryString=message_local_info=%7B%7D&created=1618245112104&task_cl
            ass=com.q1labs.semsources.sources.base.testing.ProtocolTestTask&
            task_state=INITIALIZING&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de
            50bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D
            &delete_task_id=0&progress=0&maximum=0&modified=1618245112105&ta
            sk_type=ProtocolTestTask&app_id=ecs-ec-ingress&minimum=0&retenti
            on=2_HOURS | RemoteAddr=ipaddress | RemotePort=47952
            Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6604)
            /console/restapi/api/system/task_management/tasks | [Action]
            [TaskManagement] [TaskAdded] StatusId=158 HostId=53
            ApplicationId=ecs-ec-ingress CreatedBy=admin
            TaskType=ProtocolTestTask
            Apr 12 17:31:52 ::ffff:127.0.0.1 configservices@ipaddress (6606)
            /console/restapi/api/system/task_management/internal_tasks/158
            | [Action] [RestAPI] [APISuccess] [configservices]
            [94ab9727-29f1-48d8-92e3-5e505ca3938e] [SECURE] |
            ContextPath=/console | Headers=[Version: 6.0][host:
            ipaddress][accept: text/html, image/gif, image/jpeg, *; q=.2,
            */*; q=.2][user-agent: Java/1.8.0_261] | Method=POST |
            PathInfo=/system/task_management/internal_tasks/158 |
            Protocol=HTTP/1.1 | QueryString=message_local_info=%7B%7D&create
            d=1618245112104&task_class=com.q1labs.semsources.sources.base.te
            sting.ProtocolTestTask&status_uuid=d6fe4a4d-6ed7-4deb-8533-66de5
            0bb2ede&created_by=admin&host_id=53&task_name_local_info=%7B%7D&
            delete_task_id=0&progress=0&maximum=0&modified=1618245112622&is_
            cancel_requested=false&task_type=ProtocolTestTask&app_id=ecs-ec-
            ingress&minimum=0&retention=2_HOURS | RemoteAddr=ipaddress |
            RemotePort=47956
            29 April 2021
            DATA NODE IJ32123 SEARCHES ON INDEXED FIELDS CAN BE SLOWER THAN EXPECTED AFTER ADDING A DATA NODE INTO THE QRADAR DEPLOYMENT CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Searches that are performed on indexed fields can be slower than expected to complete after a Data Node is added to a QRadar Deployment. This issue can be caused by a race condition during multi-source re-balancing that results in hourly folder(s) to be merged from different sources.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750]
            com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 104
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 104
            [ariel.ariel_query_server][ariel_client /127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: 
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] 
            Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750] com.ibm.si.ariel.dcs.databalancing.DestinationData: [INFO] 
            [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:45750]
            com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 104
            [ariel.ariel_query_server][ariel_client /127.0.0.1:35228]
            com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Checking destination folder /store/ariel/events/records/2021/1/18/17 from source 8
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data folder /store/ariel/events/records/2021/1/18/17 does not exist. Requested from source 8
            [ariel.ariel_query_server] [ariel_client /127.0.0.1:35228]
            com.ibm.si.ariel.dcs.databalancing.DestinationData: 
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] Path:/store/ariel/events/records/ibmTemp~events104/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
            [ariel.ariel_query_server] [ariel_client /127.0.0.1:35228]
            com.ibm.si.ariel.dcs.databalancing.DestinationData:  [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -] 
            Path:/store/ariel/events/records/ibmTemp~events8/store/ariel/events/records/store/ariel/events/records/2021/1/18/17 does not exist
            [ariel.ariel_query_server] [ariel_client/127.0.0.1:35228] com.ibm.si.ariel.dcs.databalancing.DestinationTransaction:
            [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Destination data accepted from source 8
            29 April 2021
            SECURITY BULLETIN CVE-2020-4993 IBM QRADAR SIEM IS VULNERABLE TO PATH TRAVERSAL CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar SIEM when decompressing or verifying signature of zip files processes data in a way that may be vulnerable to path traversal attacks. CVSS Base score: 4.9
            04 May 2021
            SECURITY BULLETIN CVE-2015-5237
            CVE-2019-17195
            CVE-2012-6708
            CVE-2015-9251
            CVE-2020-11022
            CVE-2020-11023
            CVE-2011-4969
            CVE-2017-18640
            CVE-2020-15250
            IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            • CVE-2015-5237: Google Protocol Buffers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in MessageLite::SerializeToString. A remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service. CVSS Base score: 6.3
            • CVE-2019-17195: Connect2id Nimbus JOSE+JWT is vulnerable to a denial of service, caused by the throwing of various uncaught exceptions while parsing a JWT. An attacker could exploit this vulnerability to crash the application or obtain sensitive information. CVSS Base score: 6.5
            • CVE-2012-6708: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2015-9251: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2020-11022: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2020-11023: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
            • CVE-2011-4969: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the "location.hash" property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 4.3
            • CVE-2017-18640: SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
            • CVE-2020-15250: JUnit4 could allow a local attacker to obtain sensitive information, caused by a flaw in test rule TemporaryFolder. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4
            04 May 2021
            SECURITY BULLETIN CVE-2020-4929 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
            04 May 2021
            SECURITY BULLETIN CVE-2020-4979 IBM QRADAR SIEM IS VULNERABLE TO INSECURE INTER-DEPLOYMENT COMMUNICATION CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar SIEM is vulnerable to insecure inter-deployment communication. An attacker that is able to comprimise or spoof traffic between hosts may be able to execute arbitrary commands. CVSS Base score: 7.5
            04 May 2021
            SECURITY BULLETIN CVE-2020-4883 IBM QRADAR SIEM IS VULNERABLE TO CROSS DOMAIN INFORMATION DISCLOSURE CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar SIEM could disclose sensitive information about other domains which could be used in further attacks against the system. CVSS Base score: 4.3
            04 May 2021
            SECURITY BULLETIN CVE-2020-13943 APACHE TOMCAT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
            04 May 2021
            SECURITY BULLETIN CVE-2021-20397 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
            04 May 2021
            SECURITY BULLETIN CVE-2021-20401
            CVE-2020-4932
            IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            • CVE-2020-4932: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 6.2
            • CVE-2021-20401: IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. CVSS Base score: 5.9
            04 May 2021
            SECURITY BULLETIN CVE-2020-5013 IBM QRADAR SIEM MAY BE VULNERABLE TO A XML EXTERNAL ENTITY INJECTION ATTACK (XXE) CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            IBM QRadar SIEM may vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.1
            04 May 2021
            WINCOLLECT IJ29851 WINCOLLECT 7.3.0 P1 AGENTS FAIL TO UPDATE OR GET CONFIGURATION UPDATES IN NAT'D ENVIRONMENTS CLOSED Resolved in
            WinCollect 7.3.1 (Build 16) (7.3.1.16)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            WinCollect 7.3.0 P1 Agents can fail to receive configuration updates or are unable to be updated due to connection timeouts occuring in NAT'd environments.

            Messages similar to the following might be visible when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24]
            com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors.ConnectionEstablishmentVersion2Processor: 
            [ERROR] [NOT:0000003000][<IP Address >/- -] [-/- -]Agent XXXXXXX2069(127.0.0.1) caught exception
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] java.net.ConnectException: Connection timed out (Connection timed out)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:236)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:218)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.Socket.connect(Socket.java:682)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.av.connect(av.java:453)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.jsse2.au.connect(au.java:98)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.NetworkClient.doConnect(NetworkClient.java:192)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.<init>(c.java:56)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect0 (HttpURLConnection.java:1206)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.plainConnect (HttpURL Connection.java:1068)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1582)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1510)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors. ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest (ConnectionEstablishmentVersion2Processor.java:235)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at com.q1labs.sem.semsources.wincollectconfigserver. WinCollectConfigHandler.run(WinCollectConfigHandler.java:121)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1160)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_24] at java.lang.Thread.run(Thread.java:818)
            14 December 2020
            WINCOLLECT IJ27033 WINCOLLECT CAN ASSIGN INCORRECT IP ADDRESSES FOR WINDOWS COMPUTERS DUE TO DNS LOOKUP REFRESH CLOSED Resolved in
            WinCollect 7.3.1 (Build 16) (7.3.1.16)

            Workaround
            No workaround available. Administrators must upgrade to a version where this issue is resolved.

            Issue
            WinCollect can assign incorrect IP addresses for Windows Computers due to issues with DNS Lookup refreshing. The 'OriginatingComputer=ipaddress' being written into the event by WinCollect can be incorrect.
            18 August 2020
            WINCOLLECT IJ26354 WINCOLLECT AGENT 'STATUS' CONTINUES TO DISPLAY 'RUNNING' AFTER NOT RECEIVING HEARTBEAT FOR AN EXTENDED PERIOD OF TIME CLOSED Resolved in
            WinCollect 7.3.1 (Build 16) (7.3.1.16)

            Workaround
            No workaround available. Administrators must upgrade to a version where this issue is resolved.

            Issue
            The WinCollect agent "Status" displayed in the QRadar User Interface can continue to display "Running" and fail to update appropriately when QRadar has not received a heartbeat message for an extended period of time from the agent.
            31 July 2020
            WINCOLLECT IJ27800 WINCOLLECT INSTALLER CANNOT PROPERLY USE A CERTIFICATE THAT IS GREATER THAN 2000 CHARACTERS IN LENGTH CLOSED Resolved in
            WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            When a certificate greater than 2000 characters in length is pasted into the certificate field of the destination configuration page of the WinCollect installer, the certificate is cut to 2000 characters and successfully installs, but TLS communication fails.
            28 October 2020
            WINCOLLECT IJ26949 WHEN WINCOLLECT 7.3.0 IS INSTALLED AND CONFIGURED FOR USE ON AN ENCRYPTED MANAGED HOST, AGENT/LOG SOURCE COMMUNICATION FAILS CLOSED Resolved in
            WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            When WinCollect is configured for use on an encrypted Managed Host in a QRadar environment, the installation of WinCollect version 7.3.0 introduces communication problems between QRadar and the WinCollect Agents. Adding new WinCollect Agent/Log Sources into QRadar fails due to the failure in communication preventing Agent registration.

            Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTru
            stManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
            -]Server Not Trusted No subject alternative names matching IP address 127.0.0.1 found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            com.q1labs.sem.semsources.wincollectconfigserver.requestprocesso
            rs.ConnectionEstablishmentVersion2Processor: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Agent Agent-name(127.0.0.1) caught exception --
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] javax.net.ssl.SSLHandshakeException:
            java.security.cert.CertificateException:
            java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.k.a(k.java:37)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:422)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:70)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:164)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:249)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:731)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.r(D.java:486)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.D.a(D.java:244)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:608)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.i(av.java:282)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.a(av.java:1009)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.av.startHandshake(av.java:778)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:239)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:60)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 
            (HttpURLConnection.java:1582)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at sun.net.www.protocol.http.HttpURLConnection.getInputStream 
            (HttpURLConnection.java:1510)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:40)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.requestprocessors. 
            ConnectionEstablishmentVersion2Processor.onReceiveConnectionEstablishmentRequest(ConnectionEstablishmentVersion2Processor.jav a:234)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler 
            .run(WinCollectConfigHandler.java:153)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1160)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at java.lang.Thread.run(Thread.java:818)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            Caused by: java.security.cert.CertificateException:
            java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            at com.q1labs.frameworks.crypto.trustmanager.extended.Q1X509FullTrustManager. 
            checkServerTrusted(Q1X509FullTrustManager.java:382)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.E.a(E.java:438)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            ... 18 more
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.b(b.java:42)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.util.b.a(b.java:96)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:183)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.a(aD.java:49)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            at com.ibm.jsse2.aD.a(aD.java:191)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.ibm.jsse2.aD.checkServerTrusted(aD.java:34)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1] at com.q1labs.frameworks.crypto.trustmanager.extended. 
            Q1X509FullTrustManager.  checkServerTrusted(Q1X509FullTrustManager.java:377)
            [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_1]
            ... 19 more
            24 April 2021
            WINCOLLECT IJ27857 WINDOWS 10 HOSTS UPDATED TO BUILD 2004 CAN RESET EVENTRECORDID VALUES TO 1 CAUSING WINCOLLECT ISSUES CLOSED Resolved in
            WinCollect 7.3.0 Fix Pack 1 (Build 41) (7.3.0.41)

            Workaround
            If you are unable to upgrade to a version where this issue is resolved, administrators can apply the following workaround:
            1. Log in to the Windows host with the WinCollect agent.
            2. Stop the WinCollect service.
            3. Navigate to C:\ProgramData\WinCollect\Data\PersistenceManager.
            4. Delete all files in the PersistenceManager directory.
            5. Start the WinCollect service.

            Issue
            WinCollect agents installed on Microsoft Windows 10 hosts upgraded to build 2004 can experience an issue where the WinCollect agent stops sending events to QRadar. The issue was reported after administrators completed updates of Windows 10 from build 1909 to 2004.

            WinCollect agents track event collection with the EventRecordID value in the Event Viewer for each event type in C:\ProgramData\WinCollect\Data\PersistenceManager. The PersistenceManager directory includes a file for each event log type with a cursor entry, which indicates the next event in the Event Viewer WinCollect needs to parse and send. When Windows updates to Windows 10 build 2004, the operating system resets the EventRecordID values to 1 in the Event Viewer for all event log types. A reset in the EventRecordID results in WinCollect agents not sending events until the EventRecordID in the Event Viewer matches the last polled Cursor value in the WinCollect agent.

            This APAR is intended to alert administrators of this operating systems change in Windows 10 Feature Build 2004. All WinCollect agents at all versions are affected by the EventRecordID reset issue in Windows 10 build 2004. Administrators who plan to update the Windows 10 systems tofeature build 2004 ought to alert their teams to this EventRecordID reset issue.
            28 October 2020
            WINCOLLECT IJ32255 WINCOLLECT 7.3.0 P1 (7.3.0-41) AGENTS THAT ARE NOT INSTALLED ON DRIVE C:\ OF THE WINDOWS COMPUTER CAN STOP SENDING EVENTS OPEN Workaround
            On the affected Microsoft Windows computer:
            1. Copy \IBM\WinCollect\config\AgentConfig.xml to \IBM\WinCollect.
            2. Install WinCollect 7.3.0 P1 (7.3.0-41).
            3. After the install has successfully completed, copy AgentConfig.xml from \IBM\WinCollect\ to \IBM\WinCollect\config
            4. Restart the WinCollect service.

            Issue
            On Microsoft Windows computers where the WinCollect agents are installed to a drive other than C:\, an upgrade to WinCollect 7.3.0 P1 (7.3.0-41) can cause the destination and log source information to be removed from the AgentConfig.xml file and the WinCollect agent stops sending events.

            Microsoft Windows computers where the WinCollect agent was installed to the C:\ drive are not affected.
            03 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ28428 "SHOW VLANS" CISCO IOS ADAPTER COMMAND DOES NOT RETURN RESULTS DUE TO THE EXPECTED COMMAND "SHOW VLAN" CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see: Installing adapters

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            "show vlans" command for Cisco IOS Adapter fails to return output as the command on that appliance (C2900 series) is "show vlan". (No 's' on the end).

            The adapter is expected to work for both command variations. Example of output with "show vlans" :
            2020-05-06 20:55:50 [ZipTie::SSH] [SENDING]
            2020-05-06 20:55:50 [ZipTie::SSH] show vlans
            2020-05-06 20:55:50 [ZipTie::SSH]
            ----------------------------------------------------------------
            2020-05-06 20:55:50 [ZipTie::SSH]
            ----------------------------------------------------------------
            2020-05-06 20:55:50 [ZipTie::SSH] [WAITING 300 SECOND(S) FOR]
            2020-05-06 20:55:50 [ZipTie::SSH] hostname[#>]\s*$|--More--\s*$
            2020-05-06 20:55:50 [ZipTie::SSH]
            ----------------------------------------------------------------
            2020-05-06 20:55:50 [ZipTie::SSH]
            ----------------------------------------------------------------
            2020-05-06 20:55:50 [ZipTie::SSH] [RESPONSE]
            2020-05-06 20:55:50 [ZipTie::SSH]show vlans
            2020-05-06 20:55:50 [ZipTie::SSH] Command authorization failed.
            2020-05-06 20:55:50 [ZipTie::SSH]
            2020-05-06 20:55:50 [ZipTie::SSH] hostname#
            18 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ28512 JUNIPER JUNOS DEVICE BACKUP FAILURE WHEN ACL REFERENCES A PREFIXLIST WHICH DOES NOT CONTAIN A LIST OF IP ADDRESSES CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see:Installing adapters

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Administrators might notice that a Juniper JunOS device might fail to backup when an access control list references a prefix list which does not contain a list of IP addresses or CIDRs.

            Look for similar messages in /var/log/qradar.log:
            [tomcat-rm.tomcat-rm] [Adapter Backup Job]
            com.q1labs.simulator.jobs.DeviceAdapterBackupJob: [ERROR]
            [NOT:0000003000][9.175.220.190/- -] [-/- -]java.lang.Exception:
            Don't know how to nbits yet at /usr/share/ziptie-server/adapters
            /ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
             at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:157)
             at org.ziptie.server.dispatcher.Operation.execute(Operation.java:100)
             at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java:686)
             at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java:563)
            Caused by: javax.xml.ws.soap.SOAPFaultException: Don't know how to nbits yet at /usr/share/ziptie-server/adapters/
            ziptie.adapters.juniper.junos_2020.04.08143009/scripts/ZipTie/Adapters/Juniper/JUNOS/Parsers.pm line 1637.
             at com.sun.xml.ws.fault.SOAPFault.getProtocolException(SOAP11Fault.java:188)
             at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
             at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
             at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
             at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
             at com.sun.proxy.$Proxy95.backup(Unknown Source)
             at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java:74)
             at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java:142)
            18 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ28901 INCORRECT DISPLAY OF 'ANY' IN DESTINATION SERVICE COLUMN FOR ACCESS CONTROL LIST RULE AFTER CISCO IOS DEVICE BACKUP CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see:Installing adapters

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            The Configuration Monitor -> Rules screen can incorrectly display a value of "any" in the Destination Service(s) column instead of the actual destination port for an extended access control list rule after Cisco IOS device backup is performed.
            18 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ29954 PERFROMING A DISCOVERY FROM A CISCO FIREPOWER MANAGEMENT CENTER CAN FAIL CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see:Installing adapters

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Discovery from Cisco Firepower Management Center (FMC) fails when the user is not automatically placed in expert mode when logging to retrieve the list of network devices.

            The adapter currently ensures that export mode is gained when backing a discovered device, but not when discovering devices from the FMC.
            18 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ30906 CHECK POINT HTTPS DEVICE ADAPTER FAILS TO BACKUP DUE TO INCORRECT IP ADDRESS CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see:Installing adapters

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            A Check Point HTTPS device adapter backup fails when the IP address of the device's interface is the same as the IP address of the Check Point security management server from which it was discovered and not the main IP address of the device.

            When this issue occurs, the adapter backup log contains a message similar to the following:
            Check this device was not discovered from the multi-domain server IP.
            18 May 2021
            ADAPTER / QRADAR RISK MANAGER IJ31098 A PAN-OS DEVICE BACKUP FAILS WHEN A STATIC ROUTE REFERENCES A NETWORK GROUP INSTEAD OF AN IP ADDRESS CLOSED Resolved in
            QRadar Risk Manager Adapter Bundle 17 (2021.04-09155130)

            Note: Adapter Bundle 17 (2021.04-09155130) requires QRadar 7.3.3 GA or later. For information on updating adapters, see:Installing adapters

            Workaround
            Ensure to configure the static route on the device to use an IP address instead of a network group.

            Issue
            A PAN-OS device backup will fail when a static route references a network group rather than an IP address.

            When this isue occurs, the logs contain a message similar to the following:
            ERROR: Backup failed for device (device name) at IP (IP address) with adapter type ZipTie::Adapters::PaloAlto::PANOS.
            [Failed to process device routing]
            18 May 2021
            BOX RESTAPI PROTOCOL IJ28431 LOG SOURCES USING THE BOX RESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN THE EVENT QUEUE FILLS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Log Sources configured to use the Box RestAPI can stop receiving events when the event queue fills.

            Messages similar to the follwoing might be visible in /var/log/qradar.log when this issue is occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            com.q1labs.semsources.sources.boxrestapi.api.BoxRESTAPIInstance:
            [ERROR] [NOT:0000003000][EP IP] [-/- -]Unable to query for content. Terminating query thread for for Box API
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            java.util.IllegalFormatConversionException: d != java.lang.Double
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.util.Formatter$FormatSpecifier.failConversion(Formatter.java:4313)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.util.Formatter$FormatSpecifier.printInteger(Formatter.java:2804)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.util.Formatter$FormatSpecifier.print(Formatter.java:2758)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.util.Formatter.format(Formatter.java:2531)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.util.Formatter.format(Formatter.java:2466)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at java.lang.String.format(String.java:4174)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at com.q1labs.frameworks.logging.Logger.warn(Logger.java:805)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at com.q1labs.semsources.sources.boxrestapi.BoxRESTAPIProvider.onRe
            ceiveMessage(BoxRESTAPIProvider.java:235)
            [ecs-ec-ingress.ecs-ec-ingress] [Box REST API Query Thread]
            at com.q1labs.semsources.sources.boxrestapi.api.BoxAPIQuery.queryCo
            ntent(BoxAPIQuery.java:237)
            12 October 2020
            HIGH AVAILABILITY (HA) IJ30674 A HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR DUE TO A FAILURE WITH THE MOUNT MONITOR CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            In instances where the QRadar mount monitor fails, an unexpected High Availability (HA) failover can occur.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            hostname-primary HA System Monitor: [ERROR]
            /store/docker-data/engine/VMware-42-26-70-33-66-fb-61-4c-f2-27-d
            e-b4-88-91-98-b9/devicemapper/mn
            t/88bbfc361142fe836845842fca3082f18c8962501a795252de51d81d224a8f
            48-init is not mounted properly with read write permition
            127.0.0.1 [ha_manager.ha_manager] [IPCWorkerThread]
            com.q1labs.ha.manager.ipc.IPCWorkerThread: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]IPC service "sensor" = "1.0"
            hostname-primary HA System Monitor: Mount point check failed
            127.0.0.1 [ha_manager.ha_manager] [HAManager]
            com.q1labs.ha.manager.StateMachine: [WARN][NOT:0000004000][127.0.0.1/- -] [-/- -]
            The "mount_status" sensor key is down, and is in position to cause failover. 
            It is both enabled for failover, and has  satisfied any time restrictions. 
            Requesting switch to OFFLINE/MOUNT_MONITOR state (SMD001061/59903)
            127.0.0.1 [ha_manager.ha_manager] [HAManager]com.q1labs.ha.manager.HAManager: [INFO]
            [NOT:0000006000][127.0.0.1/- -] [-/- -]Starting OFFLINE/MOUNT_MONITOR state
            26 February 2021
            QRADAR VULNERABILITY MANAGER IJ31842 RUNNING API QUERIES AGAINST QVM SCANNERS CAN TIMEOUT AND FAIL WITH A RESPONSE CODE 500 CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Workaround
            Performing a hostcontext restart on the QRadar console can temporarily (for approximately 30 minutes) correct this issue.

            Note: Restarting hostcontext causes an interruption to some QRadar functionality. For more information, see: Hostcontext service and the impact of a service restart.

            Issue
            Attempting to run API queries against QRadar Vulnerability Manager (QVM) scanners can become unresponsive, timeout and fail with a response code of 500.

            For example:
            curl -S -X GET -u -H 'Version: 12.1' -H 'Accept:
            application/json' 'https:///api/scanner/profiles'
            {
            "http_response": {
            "code": 500,
            "message": "Unexpected internal server error"
            },
            "code": 12,
            "description": "",
            "details": {},
            "message": "Endpoint invocation returned an unexpected error"
            05 June 2020
            SERVICES IJ32110 THE QRADAR PIPELINE CAN STOP RECEIVING ALL EVENTS DUE TO A STRINGOUTOUFBOUNDSEXCEPTION OCCURRING OPEN Workaround
            Perform a restart of the ecs-ingress service:
            1. Log in to the QRadar Console as an administrator.
            2. Click the Admin tab > Advanced > Restart Event Collection Services.

              Results
              Restarting ecs-ec-ingress interrupts event collection in QRadar. If another similar payload that causes this issue is processed by QRadar, the issue can occur again.

            Issue
            In some instances, the QRadar pipeline can stop receiving all events when a stringoutofbounds exception occurs.

            Changes made in fix releases for APAR IJ28752 corrected the issue if the payload is cut off before the end of the full forwarded message ("Message forwarded from"), but the fix releases do not fix the issue if it gets cut off immediately after that part.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]
            java.lang.StringIndexOutOfBoundsException: String index out of range: 43
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
            java.lang.String.substring(String.java:2682)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
            com.q1labs.sem.types.SyslogSourcePayload.parseLine(SyslogSourcePayload.java:196)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
            com.q1labs.sem.types.SyslogSourcePayload.getSourceName(SyslogSourcePayload.java:159)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
            com.q1labs.sem.types.SourcePayloadBase.put(SourcePayloadBase.java:331)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread] at 
            com.q1labs.sem.types.SyslogSourcePayload.put(SyslogSourcePayload.java:412)
            22 April 2021
            SALESFORCE REST API PROTOCOL IJ32090 LOG SOURCES CONFIGURED TO USE THE SALESFORCE PROTOCOL CAN GO INTO ERROR STATE DUE TO PROTOCOL PARSING ISSUE OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Log Sources configured to use the Salesforce Protocol can go into Error status with error message "Event size is different from the schema size" due to a parsing issue with received events containing complex format that contains JSON object as part of the "URL" field.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            com.q1labs.semsources.sources.salesforcerestapi.eventformatter.
            EventFormatterException: Event size is different from the schema size, schema '....' payload '...'
            at com.q1labs.semsources.sourc
            es.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFi
            le(SalesforceRESTAPIProvider.java:550)
            at com.q1labs.semsources.
            sources.salesforcerestapi.eventformatter.EventLogFileFormatter.f
            ormatEventLogFile(EventLogFileFormatter.java:181)
            at com.q1labs.
            semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.p
            rocessEventLogFileAPIResults(SalesforceRESTAPIProvider.java:509)
            at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRE
            STAPIProvider.getEvents(SalesforceRESTAPIProvider.java:407)
            at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPI
            Provider.execute(SalesforceRESTAPIProvider.java:357)
            at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195)
            22 April 2021
            DATA GATEWAY APPLIANCE IJ32138 RESPONSIVENESS OF DATA GATEWAYS CAN BE SLOWER THAN EXPECTED WHEN /STORE IS LOW ON FREE SPACE OPEN Workaround
            No workaround available. IBM DevOps support for QRadar On Cloud is working on implementing an automated solution to address this issue.

            APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Data Gateway responsiveness can be slower than expected when the /store partition on the Data Gateway is low on available free space.

            This can cause various QRadar performance related issues with the processes that require communication between the QRadar on Cloud Console and Data Gateways.
            22 April 2021
            CENTRIFY REDROCK RESTAPI PROTOCOL IJ30101 LOG SOURCES USING CENTRIFYREDROCKRESTAPI PROTOCOL CAN STOP RECEIVING EVENTS WHEN UNABLE TO OBTAIN A THREAD CONNECTION OPEN Workaround
            Performing a manual stop/start of the affected log source should allow the connection to occur correctly.

            APARs identified with no workaround typically require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Log Sources configured to use the CentrifyRedrockRESTAPI can stop collecting logs and not automatically recover a proper connection on it's own when an active thread connection cannot be obtained by the Protocol.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [Centrify Redrock REST API Provider Protocol Provider Thread:
            class com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRed
            RockRESTAPIProvider54] com.q1labs.semsources.sources.centrifyredrockrestapi.CentrifyRed
            RockRESTAPIProvider: [ERROR] [NOT:0000003000][127.0.0.1/- -]
            [-/- -] Unable to find any active query threads.
            06 January 2021
            QRADAR PULSE APP IJ26452 ORDER OF RETURNED AQL RESULTS DISPLAYED CAN VARY WHEN USING THE QRADAR PULSE APP CLOSED Resolved in
            QRadar Pulse App v2.2.6.

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            When using an AQL query within the Pulse App, and a parameter is changed, both searches (refresh time and parameter update) run at the same time.

            Both results get displayed one after the other and so the result that finishes running last is the one is displayed. This only occurs for AQL queries as these are the only data sources that support parameters.
            26 April 2021
            LOG SOURCE MANAGEMENT APP IJ20697 UNABLE TO SAVE CHANGES TO WINCOLLECT LOG SOURCES WHEN USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in
            QRadar Log Source Management app v7.0.0.

            Workaround
            Edit the WinCollect Log Source(s) using the legacy log source user interface. From the Admin tab, click the Log Sources icon.

            Issue
            It has been identified that in some instances, when editing a WinCollect log source using the Log Source Managment (LSM) app, clicking the Save button does nothing and no error is displayed.
            27 April 2021
            QRADAR NETWORK INSIGHTS (QNI) IJ29129 RULE 'QNI: FILE EXTENSION/CONTENT TYPE VERIFICATION' FROM QNI CONTENT PACK V1.51 PARSES FILE EXTENSION INCORECTLY CLOSED Resolved in
            QRadar Network Insights Content pack V1.5.2.

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            False positive rule results can be experienced due to the rule "QNI: File Extension/Content Type Verification" from QNI Content Pack v1.5.1.

            Files with names containing more than one dot(.) are handled incorrectly by the rule.

            For example:
            1. Have a flow with filename "jquery-1.8.3.js" and content type = "application/javascript".
            2. The rule uses an AQL filter test:
              when the flow matches
              strpos("file name",'.') >= 0 
              and not REFERENCESETCONTAINS('QNI : File Extension / Content Type Verification Exclusions', LOWER(SUBSTRING("file
              name",STRPOS("file name",'.'),STRLEN("file name")))) 
              and not REFERENCEMAPSETCONTAINS('QNI-Extension-ContentType-Pairs',LOWER(
              SUBSTRING("file name",STRPOS("file name",'.'),STRLEN("file
              name"))),"content type")

              Results
              The STRPOS("file name",'.') returns the first dot position, which captures .8.3.js instead of .js in above example and so the combination cannot be found in reference map.
            27 April 2021
            DOCUMENTATION IJ29297 INSTALL OF QRADAR MARKETPLACE IMAGES FAIL WITH 'PANIC:RUNTIME ERROR: INDEX OUT OF RANGE' WHEN MORE THAN TWO DNS ENTRIES EXIST CLOSED Resolved in
            QRadar documentation was updated in the following chapters: Workaround
            Ensure only a maximum of two DNS entries exist in /etc/resolve.conf prior to the setup of a QRadar marketplace image installation.

            Issue
            The installation of QRadar marketplace images fail when more than two DNS entries are present in /etc/resolve.conf. The error message generated at the file of installtion failure is similar to:
            panic: runtime error: index out of range.
            27 April 2021
            MANAGED HOSTS IJ26182 QRADAR DATABASE REPLICATION REBUILD FUNCTION CAN SOMETIMES FAIL DUE TO A MISSING SQL FILE REFERENCE CLOSED Resolved in
            QRadar 7.4.1 (7.4.1.20200716115107)

            Workaround
            If you are unable to upgrade to resolve this issue, contact QRadar Support for a possible workaround.

            Issue
            The QRadar database replication rebuild function to Managed Hosts can fail due to the sql script db_update_235970.add_backup_build_version.sql being omitted from the /opt/qradar/conf/templates/installation_ordering.txt file.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
            psql:/store/replication/tx0000000000000241053.sql:14325693:
            ERROR: extra data after last expected column
            [hostcontext.hostcontext] [Thread-70] ComponentOutput: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication:
            CONTEXT:  COPY backup, line 1
            27 April 2021
            ADVANCED SEARCH (AQL) IJ27235 THE 'REFERENCESETCONTAINS' AQL FUNCTION DOES NOT SEARCH INDEX FILES FOR QRADAR ON CLOUD CLOSED Resolved in
            QRadar on Cloud 7.4.1 Fix Pack 2 Interim Fix 1.

            Workaround
            Where possible, use the search functionality in the QRadar User Interface to perform the required searches.

            Issue
            AQL queries using referencesetcontains() lookups fail to search against index files when searching against indexed properties, only data files are searched.

            Performing the same searches using the QRadar User Interface works as expected.

            Messages similar to the following might be observed in /var/log/qradar.log when this issue occurs while performing related searches:
            ariel_client /127.0.0.1:47392 | [Action] [Search]
            [SearchExecuted] query starts,
            description="User:admin,Source:UI,Params:Id:ab137002-2aed-4433-9
            5d4-baaf53d399f2, DB:, Time:<20-08-07,08:00:00 to
            20-08-07,12:00:00>, progress details 100, data snapshot size
            40, Criteria=,
            MappingFactory=com.q1labs.core.types.event.mapping.NormalizedEve
            ntMappingFactory@4ee, retentionTime=86400000,
            prio=NORMAL,AQL:select 1 from events where
            REFERENCESETCONTAINS('HM_TestSet',"File Hash") start
            '2020-08-07 08:00' stop '2020-08-07 12:00'"
            ariel_query_1:ab137002-2aed-4433-95d4-baaf53d399f2 | [Action]
            [Search] [SearchCompleted] query finished, status=COMPLETED,
            stat details="Id:ab137002-2aed-4433-95d4-baaf53d399f2,
            FileStats [dataFileCount=480, compressedDataFileCount=0,
            indexFileCount=0, dataTotalSize=34790213,
            compressedDataTotalSize=0, indexTotalSize=0, progress=100.0%,
            totalResult=0, totalResultDataSize=24, searchTime=2476ms]",
            concurrent queries="1"

            Administrators should not that this issue does not generate an error, instead data from the search does not hit the indexes as expected as the query lists: indexFileCount=0
            27 April 2021
            QRADAR WORKFLOW ANALYST APP IJ22582 CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL 'UPDATE' BUTTON SELECTED CLOSED Resolved in
            QRadar Analyst Workflow App v1.9.16.

            Workaround
            Click the Update button to see the correct search results after grouping by a specific category.

            Issue
            After executing a Search using filters and a "Results Limit", if the "Display" field is changed to a "group by" ("Low Level Category" for example), some search results are not returned until the Update button is selected/clicked.
            27 April 2021
            QRADAR WORKFLOW ANALYST APP IJ17196 ADVANCED SEARCH (AQL) RETURNS ERROR 'REQUEST-URL TOO LARGE' CLOSED Resolved in
            QRadar Analyst Workflow App v1.9.16.

            Workaround
            Click the Update button to see the correct search results after grouping by a specific category.

            Issue
            It has been identified that an Advanced Search (AQL) can return a message after executing the following that is similar to:
            Request-URI Too Large


            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
            org.antlr.v4.runtime.Parser: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error:  and
            (INCIDR('127.0.0.1/23', IP_source_...
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
            com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized
            context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23',
            IP_source_..."
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ql.parser.ParserBase.parseStatement(ParserBase.java:488)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java:102)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:93)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:361)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:306)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:134)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
            utor.java:1157)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856] at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
            cutor.java:627)
            [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
            at java.lang.Thread.run(Thread.java:798)
            27 April 2021
            QRADAR WORKFLOW ANALYST APP IJ28494 QRADAR USERS WITHOUT "VIEW CUSTOM RULES" AND "MAINTAIN CUSTOM RULES" ACCESS CAN STILL SEE FULL LIST OF CUSTOM RULES UNDER LOG CLOSED Resolved in
            QRadar Analyst Workflow App v1.9.16.

            Workaround
            No workaround available. Administrators must upgrade the application to resolve this issue.

            Issue
            QRadar users can access custom rules even when their access has not been granted to 'View Custom Rules' and 'Maintain Custom Rules' while searching in Log Activity.

            To recreate this issue:
            1. Log in to QRadar as an administrator.
            2. Click the Admin tab.
            3. Click User Roles.
            4. Create a new user role without the View Custom Rules and Maintain Custom Rules permission.
            5. Click the Users icon.
            6. Assign the user role to the new user.
            7. Log in to QRadar as the new user.
            8. Click the Log Activity tab.
            9. Click Search > New Search.
            10. Click Search parameters > Parameter Custom rule [Indexed].

              Results
              Verify both Rule Group and Rules are visible by the user who should not have access.
            27 April 2021
            QRADAR WORKFLOW ANALYST APP IJ24469 ADVANCED SEARCH (AQL) RESULT 'CLIENT EXCEPTION OCCURRED WHILE HANDLING THE SERVER RESPONSE' WHEN USING \U CLOSED Resolved in
            QRadar Analyst Workflow App v1.9.16. Workaround
            Where possible: Using Wildcard character '_' (Matches any single character) in the AQL so that it can avoid Unicode escapes, match any single character(include backslash) followed by u.

            Issue
            When the AQL search contains backslash u (\u) character, the Log Activity Advanced Search (AQL) user interface returns the error:
            client exception occurred while handling the server response

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [Token: ArcherBridge@127.0.0.1 (8425)
            /console/do/core/;jsessionid=99572ED7939336B1E986C7D45BE43B70]
            org.apache.struts.action.RequestProcessor: [ERROR] Invalid path
            /core/ was requested
            27 April 2021
            DEPOLYMENT IJ26156 DUPLICATE DEPLOYMENT ARROWS CAN BE VISIBLE IN THE 'VIEW DEPLOYMENT' WINDOW WHEN A MANAGED HOST ID IS 128 OR HIGHER CLOSED Reason
            Closed as Permanent restriction. This issue is only graphical and doesn't affect event collection. Closing as won't fix. Workaround
            No workaround available.

            Issue
            A Managed Host id of 128 or greated can cause duplicate deployment arrows to be visible in the "View Deployment" window of the QRadar User Interface.

            Note: This issue is only graphical and does not affect event collection.
            27 April 2021
            NETWORK IJ04296 CONFIGURING THE 169.154 CIDR FOR QRADAR APPLIANCE INTERFACES CAN CAUSE QRADAR APPS (DOCKER) TO FAIL CLOSED Reason
            Closed as Permanent restriction. This issue will not be fixed. Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Configuring QRadar Appliance interfaces to use IPs within the 169.154 CIDR causes QRadar Apps to fail when there is a conflict with the Docker IPs that are used from within that CIDR.
            27 April 2021
            UPGRADE IJ28895 HOSTCONTEXT SERVICE FAILS TO START AFTER PATCHING OR UPGRADE FROM 7.3.X TO 7.4.X CLOSED Resolved in
            This fix is available in the weekly auto update starting on 09 March 2021. Administrators who manually update RPM can download and install the following file from IBM Fix Central: DSM-RadwareDefensePro-7.3-20210218181623.noarch.rpm

            Workaround
            1. Contact QRadar Support before patching or upgrading from 7.3.x to 7.4.x to apply a workaround in advance that prevents this issue from occurring.
            2. If you have already patched or upgraded from 7.3.x to 7.4.x, and are experiencing this issue, contact QRadar Support for a possible workaround that might address this issue in some instances.

            A technical note is available with more information for administrators on APAR IJ28895.

            Issue
            After patching or upgrading from QRadar 7.3.x to 7.4.x, the hostcontext service can fail to start on the QRadar Console. This issue has been determined to be caused by a QRadar Autoupdate bundle installation, specifically with the guava-28.0-jre.jar file that is installed as part of the QRadar patch/upgrade process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [main] java.lang.NoClassDefFoundError: com.google.common.cache.CacheBuilder
            [main] at com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.<clinit>(SensorProtocolConfigParameters.java:37)
            [main] at sun.misc.Unsafe.ensureClassInitialized(Native Method)
            [main] at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFi
            eldAccessorFactory.java:55)
            [main] at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:154)
            [main] at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1103)
            [main] at java.lang.reflect.Field.getFieldAccessor(Field.java:1079)
            [main] at java.lang.reflect.Field.set(Field.java:774)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.checkNameConstant(FrameworksNaming.java:412)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:323)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadClasses(FrameworksNaming.java:270)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:171)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.loadNaming(FrameworksNaming.java:105)
            [main] at com.q1labs.frameworks.naming.FrameworksNaming.(FrameworksNaming.java:86)
            [main] at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:620)
            [main] at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:257)
            [main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.init(FrameworksJsvcBootstrapper.java:135)
            [main] at com.q1labs.qvm.workflow.FrameworksJsvcBootstrapper.main(FrameworksJsvcBootstrapper.java:243)
            [main] Caused by:
            [main] java.lang.ClassNotFoundException:
            com.google.common.cache.CacheBuilder
            [main] at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
            [main] at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:943)
            [main] at java.lang.ClassLoader.loadClass(ClassLoader.java:888)
            [main] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
            [main] at java.lang.ClassLoader.loadClass(ClassLoader.java:871)
            [main] ... 18 more
            28 April 2021
            VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED CLOSED Reason
            Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided. Workaround
            1. From an SSH session to the QRadar Console.
            2. Optional. Open an SSH session to the Managed Host that runs the scan.
            3. Navigate to the directory that contains the certificate_catalogue.txt.
            4. Remove the bad scanner record, then save the file.
            5. From the Admin tab, click Deploy Changes.

              Results
              After the deploy changes completes, the cert should no longer attempt to be downloaded from the QRadar Managed Host.

            Issue
            QRadar can sometimes try to download a VA Scanner certificate even if scanner configuration was removed from QRadar. This is due to a cached value written in a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            generateNotification: An attempt to download the server
            certificate for [IP ADDRESS:443] to
            [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
            28 April 2021
            TLS SYSLOG PROTOCOL IJ25789 TLS SYSLOG LOG SOURCE CAN FAIL TO WORK AFTER USING INCORRECT PRIVATE KEY AT SETUP EVEN AFTER IT HAS BEEN CORRECTED CLOSED Reason
            Closed as Permanent restriction. We have identified this issue as a permanent restriction for this integration. A fix for this issue will not be provided. Workaround
            1. Rename the certificate to any new name.
            2. Disable/enable the log source.


            3. Results
              The log source should then work and retrieve events as expected.

            Issue
            A TLS Syslog Log Source can fail to ingest events when initially configured with an incorrect private key even after the private key has been corrected.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
            com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager:
            [ERROR] Error adding key to TLS keystore.
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]
            java.security.spec.InvalidKeySpecException: Inappropriate key
            specification: PrivateKeyInfo parsing error.
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            com.ibm.crypto.provider.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            java.security.KeyFactory.generatePrivate(KeyFactory.java:383)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            com.q1labs.semsources.sources.tlssyslog.TLSSecurityManager.addKe
            yToKeyStore(TLSSecurityManager.java:408)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.setupS
            erverKeyStore(TLSSyslogProvider.java:487)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            com.q1labs.semsources.sources.tlssyslog.TLSSyslogProvider.preExe
            cuteConfigure(TLSSyslogProvider.java:94)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-26717]    at
            com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
            ider.java:181)
            28 April 2021
            PROTOCOL IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS CLOSED Resolved in
            This fix is dependent upon the QRadar version and is available in the following RPMs on IBM Fix Central:

            Version 7.3.x:
          4. PROTOCOL-SmbTailProtocol-7.3-20210329122540.noarch.rpm
          5. PROTOCOL-WindowsDHCPProtocol-7.3-20210315133009.noarch.rpm
          6. PROTOCOL-WindowsExchangeProtocol-7.3-20210315133009.noarch.rpm
          7. PROTOCOL-WindowsIISProtocol-7.3-20210315133009.noarch.rpm
          8. PROTOCOL-OracleDatabaseListener-7.3-20210315133009.noarch.rpm
          9. PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm

          10. Version 7.4.x:
          11. PROTOCOL-SmbTailProtocol-7.4-20210329122529.noarch.rpm

          12. Workaround
            No workaround available. Administators must install the RPM files where this issue is resolved from IBM Fix Central. These files are NOT included through QRadar Auto Updates.

            Issue
            Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
            [127.0.0.1][smb://127.0.0.1/dhcplog/]]
            com.q1labs.semsources.sources.smbtail.io.jnq.JNQException:
            Unable to create/open - j50.log status = -1073741757
            (0xc0000043) (0xC0000043)
            [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
            [127.0.0.1][smb://127.0.0.1/dhcplog/]]
            com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvide
            r: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/-
            -]TailingException: Unable to create/open - examplename.log status =
            -1073741757 (0xc0000043) (0xC0000043)
            28 April 2021
            PROTOCOL IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL CLOSED Resolved in
            This fix is available in the following RPMs on IBM Fix Central:
          13. PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
          14. PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
          15. PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
          16. PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

          17. The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            In some instances, the ecs-ec-ingress process (required for event collection) can experience out of memory occurences that are caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced for use. Messages similar to the following that are referencing a Log Source connecting to an SMB Host might be visible in /var/log/qradar.log when this issue is occuring:
            [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
            [x.x.x.x][smb://x.x.x.x/LogFiles/]]
            com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
            [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
            -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
            error for file W3SVC13 status = -1073741790 (0xc0000022)
            (0xC0000022)
            28 April 2021
            PROTOCOL IJ28166 LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR' CLOSED Resolved in
            This fix is available in the following RPMs on IBM Fix Central:
          18. PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
          19. PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
          20. PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
          21. PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm

          22. The PROTOCOL-SmbTailProtocol release is also available in the weekly auto update for 25 April 2021 (Build 1619381033). The PROTOCOL-WindowsEventRPC RPM release is not included in automatic updates. Administrators must download and install the latest version of the Microsoft Windows Security Event Log over MSRPC RPM file on the Console using the YUM command.

            Workaround
            No workaround available as this issue is closed as a vendor solution. Administrator must install the RPMs listed to resolve this issue or update to the latest version of the SMB Tail Protocol and Microsoft Windows Security Event Log over MSRPC protocol, if a newer version exist.

            Issue
            Some log source that are configured to use the Windows Event Log RPC Protocol can go into "Error" state with an "Internal Error".

            These instances have been identified as being caused when the jNQ jar file is required for use by the Protocol.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepres
            entation.java:64)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDa
            taRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]] java.lang.NullPointerException
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
            [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for
            host [127.0.0.1]]    at
            com.q1labs.semsources.sources.windowseventrpc.eventsource.common
            .EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245)
            27 April 2021
            QRADAR NETWORK INSIGHTS IJ30955 PERFORMING A FORENSICS RECOVERY CAN APPEAR TO SUCCEED WHEN THE TASK FAILED SILENTLY AND NEVER STARTED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Attempting to perform a Forensics Recovery can appear to succeed but the job never starts and there are no results in the Incident Recovery Grid when a user has over 25 characters. In these instances, messages in the logs indicate a postgres error if either of the username or submitter fields are greater than 25 characters.

            Example of error log written in /var/log/qradar.log when this issue occurs:
            [tomcat.tomcat] [HttpServletRequest-3016-Idle]
            com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
                 SQLException: ERROR: value too long for type character
            varying(25)
             SQLState: 22001
             VendorError: 0
            23 February 2022
            REPORTS IJ30954 AFTER REFRESHING PAGE AFTER CHANGES ARE MADE FOR SHARING REPORTING GROUPS THE CHANGES DO NOT APPEAR TO HAVE BEEN SAVED OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            An issue has been identified in the Reports > Managed Groups > 'Share with Users Matching the following criteria' interface where sharing a report does not appear to save as expected.

            If a user shares a report group with specific user role and security profile, then clicks the refresh option the change does not appear to save. This is misleading to users as the report is saved succesfully and shared with the selected user, but does not display as shared correctly. If a recipient of the shared report logs in, they can see the shared reports as (Shared)Report name.
            05 March 2021
            HIGH AVAILABILITY (HA) IJ30664 HIGH AVAILABILITY (HA) JOIN FAILS DUE TO INCORRECT SIZE OF /STORE AND /TRANSIENT PARTITION IN NON-CONSOLE BUILD OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            In some instances, the /store partition on a High Availability (HA) Primary appliance can be larger and /transient partition smaller than expected on a software installation build of a non console QRadar appliance.

            When this occurs, the HA join process fails due to the incorrect and mismatched partition sizing between the Primary and Secondary appliances.

            The /var/log/setup-xxx/qradar_partsetup.log file displays similar messages as the following when this issue occurs:
            Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [InitLog] Log file
            set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
            Wed Jul 31 03:31:24 +03 2019 [lvm_resize.sh] [getopts]
            Pre-check argument passed
            Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] [InitLog] Log file
            set to /var/log/setup-7.3.2.20190410024210/qradar_partsetup.log
            Wed Jul 31 03:31:29 +03 2019 [lvm_resize.sh] ERROR: Failed to
            unmount /store 
            06 March 2021
            DATA DEOBFUSCATION IJ30950 DATA DEOBFUSCATION DOES NOT WORK AS EXPECTED AFTER REASSIGNING A LOG SOURCE TO A DIFFERENT DOMAIN UNTIL PERFORMING FULL DEPLOY CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)
            QRadar 7.3.3 Fix Pack 9 (7.3.3.20210716155826)

            Workaround
            Perform a Deploy Full Configuration from the User Interface after moving a Log Source to a Log Source Group that is part of a different domain:
            1. Log in to the Console as an administrator.
            2. Click the Admin tab.
            3. Select Advanced > Deploy Full Configuration.
              For more information, see QRadar: What is the difference between 'Deploy Changes' and a 'Deploy Full Configuration'?

              Issue
              When a Log Source is reassigned to a different Log Source group and that Log Source group is part of a different domain, data deobfuscation doesn't work as expected with the new domain's data obfuscation profile key.

              Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
              [tomcat.tomcat] [admin@127.0.0.1 (3282)
              /console/do/obfuscation/obfuscationdecryption]
              com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
              [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
              -]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
              G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
              javax.crypto.BadPaddingException: decryption fail.
              javax.crypto.BadPaddingException: Given final block not
              properly padded
              [tomcat.tomcat] [admin@127.0.0.1 (3282)
              /console/do/obfuscation/obfuscationdecryption]
              com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
              [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]decryption fail
            12 July 2021
            ACCUMULATOR IJ31082 'ACCUMULATOR FALLING BEHIND' NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            QRadar environments where the default Global Views for Event Rate (EPS) and Flow Rate (FPS) have been deleted and then recreated can experience Accumulator Falling Behind notifications during search processes.

            This is due to the addition of a locale which occurs in these instances that uses "contains" for its algorithm which is considerably slower for searches.
            05 March 2021
            VULNERABILITY SCANNER IJ31109 TENABLE SCAN TASK CAN HANG AND NOT COMPLETE SUCCESSFULLY DUE TO A NULL KEY OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Tenable IO is inserting a null key/element into spillOverCache, which causes the scan task to hang until it fails to complete successfully. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [vis] [Tenable.io-454-worker]
            com.q1labs.vis.exceptions.ScannerTaskException: This cache
            cannot accept null elements or null keys
            [vis] [Tenable.io-454-worker] at
            com.q1labs.vis.scanners.tenable.io.IOModule.scan(IOModule.java:187)
            [vis] [Tenable.io-454-worker] at
            com.q1labs.vis.scanners.base.ScannerModule.run(ScannerModule.jav
            a:221)
            05 March 2021
            DOMAINS AND TENANTS IJ31107 TENENTQUEUEDEVENTTHROTTLEFILTER DOES NOT PERFORM AS EXPECTED WITH A LOW EPS LIMIT AND CAN CAUSE DROPPED EVENTS OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            The TenantQueuedEventThrottleFilter does not perform as expected with a low EPS limit and can cause dropped events. As a result, it can be observed for a low tenant EPS limit configuration that the limit cannot be attained without dropping events.

            For example:
            1. Have a tenant and assign them a tenant EPS limit of 100.
            2. Have a low EPS of traffic for that tenant (example ~100EPS)

              Results
              Log Activity displays only "Receiving an average of 63 results per second" or something similar.
            06 March 2021
            PROTOCOLS IJ31086 LOG SOURCES USING RABBITMQ CAN SOMETIMES FAIL TO CONNECT AS EXPECTED DUE TO ROGUE CONNECTIONS CREATED OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            RabbitMQ can sometimes create new connections before the old one is removed. When this occurs, it can result in having multiple rogue connections on CiscoAMP causing events to not be received into QRadar.
            06 March 2021
            UPGRADE IJ31095 QRADAR PATCHING TO VERSION 7.4.1 OR NEWER CAN FAIL ON MANAGED HOSTS WITH ''ERROR: COULD NOT CREATE UNIQUE INDEX..." OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Patching to QRadar 7.4.1 or newer can fail on Managed Hosts due to an index that causes an SQL to fail on duplicate data. Messages similar to the following might be visible during patching when this issue occurs:
            2 SQL script errors were detected; Error applying script [26/32]
            '/media/updates/opt/qradar/conf/templates/db_update_250323.ref_s
            et_import1.sql' for Test_qradar database.; details:
            WARNING:  SET TRANSACTION can only be used in transaction blocks
            NOTICE:  index "reference_data_element_unique_rdata1" does not
            exist, skipping
            ERROR:  could not create unique index
            "reference_data_element_unique_rdata1"
            DETAIL:  Key (md5((rdk_id::text || '_'::text) ||
            data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.Error
            applying script [29/32]
            '/media/updates/opt/qradar/conf/templates/db_update_248240.ref_s
            et_import1.sql' for Test_qradar database.; details:
            WARNING:  SET TRANSACTION can only be used in transaction blocks
            NOTICE:  index "reference_data_element_unique_rdata1" does not
            exist, skipping
            ERROR:  could not create unique index
            "reference_data_element_unique_rdata1"
            DETAIL:  Key (md5((rdk_id::text || '_'::text) ||
            data))=(af781b7cdfc258bf8698f03aa207f885) is duplicated.
            <hostname> :  patch rolled back.
            05 March 2021
            UPGRADE IJ31096 QRADAR MANAGED HOST PATCH COMPLETES SUCCESSFULLY BUT WITH ERRORS RUNNING "/MEDIA/UPDATES/SCRIPTS/QRADAR-2072.INSTALL" OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            QRadar Managed Hosts (MH) can patch successfully but with errors when the tomcat process on the Console appliance is unavailable during MH patching. A messages similar to the following can be displayed when this occurs:
            (hostname)-primary : patch test succeeded.
            (hostname)-secondary : patch test succeeded.
            Error running 143: /media/updates/scripts/QRADAR-2072.install
            --mode mainpatch


            In /var/log/setup-xxxxx/patches.log messages similar to the following can also be observed when this issue occurs:
            Feb 22 04:31:18 2021: Feb 22 04:31:18
            2021:[DEBUG](-ni-patchmode) Running script
            /media/updates/scripts/QRADAR-2072.install --mode mainpatch
            Feb 22 04:31:18 2021: [QRADAR-2072] [mainpatch:Run]
            /opt/qradar/bin/generate_cert_from_csr.sh
            parse error: Invalid numeric literal at line 1, column 8
            Feb 22 04:33:22 2021: Feb 22 04:33:22
            2021:[DEBUG](-ni-patchmode) Error running 73:
            /media/updates/scripts/QRADAR-2072.install --mode mainpatch;
            Got error code of 1.
            Feb 22 04:33:22 2021: Feb 22 04:33:22
            2021:[ERROR](-ni-patchmode) Error running 73:
            /media/updates/scripts/QRADAR-2072.install --mode mainpatch
            05 March 2021
            PROTOCOLS IJ31102 LOG SOURCES CONFIGURED TO USE THE IBMSIMJDBC PROTOCOL CAN FAIL TO WORK AS EXPECTED DUE TO A JAR DEPENDENCY OPEN Workaround
            In the following path: /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/IBMSIMJDBC/
            1. Make a copy of mssql-jdbc-7.2.0.jar.
            2. Name it mssql-IBMSIMJDBC-7.2.0.jar.

            Issue
            Log Sources configured to use the IBM Security Identity Manager Protocol can stop working with a 'NoClassDefFoundError' due to a jar dependency.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-25]
            com.eventgnosis.ecs: [ERROR] [NOT:0000003000][127.0.0.1/- -]
            [-/- -]Error attempting to load
            (device):ecs-ec-ingress/EC_Ingress/Q1_I BMSIMJDBCEventSource
            Error : java.lang.NoClassDefFoundError:
            com.microsoft.sqlserver.jdbc.SQLServerException
            05 March 2021
            LICENSE IJ07953 'FAILED TO GET EPS FPM ALLOCATION VALUES' IN LOG ACTIVITY TAB OR 'FAILED TO LOAD DATA' IN LICENSE POOL MANAGEMENT CLOSED Resolved in
            QRadar 7.3.2 (7.3.2.20190201201121)
            QRadar 7.3.1 Fix Pack 7 (7.3.1.20181123182336)

            Workaround
            Administrators can upgrade to a release where this issue is resolved. For more information, review the following resources:
            Issue
            It has been identified in instances where manual database changes have been made to license_key and serverhosts table that the license pool management page sometimes does not load and displays error "Failed to load data". The message "Failed to Get EPS FPM allocation values" can also be observed in the Log Activity tab when this issue is occurring.

            Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool] Caused by:
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]
            com.q1labs.restapi_annotations.content.exceptions.endpointExcept
            ions.ServerProcessingException: Failed to retrieve the deployed
            license pool
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
            pl.buildPool(LicensePoolGetImpl.java:42)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
            pl.getLicensePool(LicensePoolGetImpl.java:18)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.configservices.api.v8_0.license_pool.LicensePoolAPI.g
            etDeployedLicensePool(LicensePoolAPI.java:70)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
            Impl.java:90)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
            AccessorImpl.java:55)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            java.lang.reflect.Method.invoke(Method.java:508)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
            hod(APIRequestHandler.java:1031)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
            equest(APIRequestHandler.java:399)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool] ... 46 more
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool] Caused by:
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]
            java.lang.NullPointerException
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.core.shared.license.LicenseKeyManager.getHostType(Lic
            enseKeyManager.java:4305)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.core.shared.license.LicensePoolAllocationManager.getT
            otalCapacities(LicensePoolAllocationManager.java:652)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.q1labs.core.shared.license.LicensePoolAllocationManager.getT
            otalCapacities(LicensePoolAllocationManager.java:629)
            [tomcat.tomcat] [admin@127.0.0.1 (2795)
            /console/restapi/api/config/deployment/license_pool]    at
            com.ibm.si.configservices.api.impl.license_pool.LicensePoolGetIm
            pl.buildPool(LicensePoolGetImpl.java:33)
            26 February 2019
            QRADAR ON CLOUD IJ32040 QRADAR ON CLOUD USER INTERFACE CAN EXPERIENCE UNPOPULATED LIST BOXES OR ONES ONLY DISPLAYING AN "X" OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Some QRadar On Cloud instances on Akamai can experience User Interface (UI) display issues such as unpopulated list boxes or list boxes with only "X" being displayed. This UI display behavior can be intermittent.

            This behavior has been identified as being caused by downloads of CSS resources, such as dojo.css, failing authentication and getting redirected to login.ibm.com. As these static resource downloads do not handle the HTTP 302 redirection, the CSS is not downloaded and the UI is incomplete.
            16 April 2021
            PROTOCOL IJ32029 LOG SOURCES CONFIGURED TO USE THE VMWARE PROTOCOL CAN STOP WORKING AFTER INSTALLING UPDATED PROTOCOL VERSION OPEN Workaround
            The workaround is QRadar version dependent. Note: Restarting the ecs-ec-ingress service stops event collection. For more information, see: Impact of restarting QRadar services.

            For QRadar 7.4.x:
            1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/dom4j.jar.
            2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

            For QRadar 7.3.x:
            1. Remove the file /opt/ibm/si/services/ecs-ec-ingress/current/bin/dom4j-1.3.jar.
            2. To restart the ecs-ec-ingress service, select Admin > Advanced > Restart Event Collection Service.

            Issue
            Log Sources configured to use the VMware protocol can stop working and display "Invalid Credentials when initializing EMCVmWareProtocol" after installing a new EMCVmware protocol rpm manually or via the AutoUpdate feature in QRadar.

            Affected RPM versions:
            • PROTOCOL-EMCVMWareProtocol-7.3-20200916171440.noarch.rpm
            • PROTOCOL-EMCVMWareProtocol-7.4-20200916171516.noarch.rpm

            Run the following command to identify the currently installed rpm version from an SSH session to the QRadar Console for verification of this identified issue:
            rpm -qa | grep -i emcvmwareprotocol


            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] 
            Caused by: 
            java.rmi.RemoteException: VI SDK invoke
            exception:java.rmi.RemoteException: VI SDK invoke
            exception:org.dom4j.DocumentException:
            org.dom4j.DocumentFactory incompatible with
            org.dom4j.DocumentFactory
            [ecs-ec-ingress.ecs-ec-ingress]
            [Thread-246] at com.vmware.vim25.ws.WSClient.invoke(Unknown
            Source)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
            com.vmware.vim25.ws.VimStub.retrieveServiceContent(Unknown
            Source)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
            com.vmware.vim25.mo.ServiceInstance.<init>(Unknown
            Source)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at
            com.vmware.vim25.mo.ServiceInstance.<init>(Unknown
            Source)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] at com.q1la
            bs.semsources.sources.vmware.api.VmApi.init(VmApi.java:90)
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246] ... 4
            more
            [ecs-ec-ingress.ecs-ec-ingress] [Thread-246]
            com.q1labs.semsources.sources.vmware.EMCVmWareProtocol: [DEBUG]
            EMC Vm Ware Protocol Provider 'class
            com.q1labs.semsources.sources.vmware.VmWareAPIProvider6'
            changed state from STARTING to STOPPED.
            16 April 2021
            UPGRADE IJ31972 RESIDUAL JDBC PROTOCOL JAR FILES ARE LEFT BEHIND WHEN UPGRADING FROM QRADAR 7.3.X TO 7.4.X OPEN Workaround
            The residual .jar files from the 7.3.x JDBC protocol can be ignored.

            Issue
            When patching from QRadar 7.3.x to QRadar 7.4.x there are residual JDBC Protocol .jar files that are left behind from the older protocol version. These residual .jar files are benign and can be safely ignored.
            16 April 2021
            ADVANCED SEARCH (AQL) IJ31912 DATA CONTAINED WITHIN "< >" FROM PAYLOADS IS MISSING IN CSV EXPORT FROM AN AQL ADVANCED SEARCH CONTAINING A GROUP BY OPEN Workaround
            Where possible, perform the AQL search without the GROUP BY condition.

            Issue
            When performing an AQL search with a GROUP BY condition, and exporting the visible columns to a CSV file, any priority headers contained in the event payloads (e.g. "<13>") are missing in the .csv export file. For example:
            1. QRadar user interface, select Log Activity > Quick Filter > Advanced Search.
            2. Search for events with GROUP BY condition where the results contains the "< >" symbols.
            3. Select Actions > Export to CSV > Visible Columns.
            4. Save and open the file.

              Result
              From the output csv columns, the strings contained by the "< >" symbols are missing.
            16 April 2021
            PROTOCOL IJ31913 JDBC TIMEOUT VALUE CONFIGURED FOR ORACLE LOG SOURCES IS SET AT 1 MINUTE VS 5 MINUTES FOR MSDB LOG SOURCES OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            The JDBC timeout value used for Oracle Log Sources is set at 1 minute, but when JDBC is used for MSDB Log Sources it is set at 5 minutes. This can cause Oracle Log Sources to go into a failed state earlier than expected.

            Messages similar to the following might be visible in /var/log/qradar.log when the timeout occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [*Oracle*//LxxxxxA@ipaddress
            Protocol Provider Thread: class
            com.q1labs.semsources.sources.jdbc.JdbcEventConnector5530]
            com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN]
            [NOT:0000004000][ipaddress/- -] [-/- -]IO Error: Socket read
            timed out on Oracle//LxxxxxA@ipaddress
            16 April 2021
            MANAGED HOST / ADD HOST IJ32092 ADMIN USER WITH NO LOCALE CONFIGURED IS UNABLE TO ADD A MANAGED HOST TO THE QRADAR DEPLOYMENT OPEN Workaround
            1. Set the locale to English using the following command from an SSH session to the QRadar Console:
              psql -U qradar -c "update
              user_settings set locale='en',use_browser_locale = 'f' where
              security_id = (select security_id from security_descriptors
              where label = 'admin');"
            2. To restart hostcontext, type:
              systemctl restart hostcontext
            3. Restart tomcat, type:
              systemctl restart tomcat
            4. Attempt to add the managed host to the deployment again.


            5. Issue
              The Add Host process fails with a message similar to "Cannot connect to the host. Check password and IP" for an admin user with no QRadar locale configured.

              Messages similar to the following might be visible in /var.log/qradar.log when this issue occurs:
              [tomcat.tomcat] [Thread-503]
              com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
              [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]unable to add
              managed host: null
              [tomcat.tomcat] [Thread-503] com.q1labs.resta
              pi_annotations.content.exceptions.endpointExceptions.ServerProcessingException
              [tomcat.tomcat] [Thread-503] at com.ibm.si.config
              services.api.impl.DeploymentAPIImpl.addManagedHost(DeploymentAPIImpl.java:924)
              [tomcat.tomcat] [Thread-503] at com.ibm.si.config
              services.api.v3_0.deployment.DeploymentAPI$AddHostThread.run(Dep
              loymentAPI.java:1003)
              [tomcat.tomcat] [Thread-503] at
              java.lang.Thread.run(Thread.java:822)
              [tomcat.tomcat]
              [Thread-503] Caused by:
              [tomcat.tomcat] [Thread-503]
              com.q1labs.configservices.common.ConfigServicesException:
              Unable to add managed host.
              [tomcat.tomcat] [Thread-503] at com.
              q1labs.configservices.capabilities.CapabilitiesHandler.addManage
              dHost(CapabilitiesHandler.java:2025)
              [tomcat.tomcat]
              [Thread-503] at com.ibm.si.configservices.api.impl.DeploymentAPI
              Impl.addManagedHost(DeploymentAPIImpl.java:893)
              [tomcat.tomcat]
              [Thread-503] ... 2 more
            16 April 2021
            ROUTING RULES IJ31911 ROUTING RULES WITH A FILTER CONTAINING A TRAILING BACKSLASH ARE NOT EDITABLE ONCE SAVED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            Routing Rules with a filter containing a trailing backslash are not editable once saved. For example:
            1. Log in to the QRadar Console as an administrator.
            2. Click the Admin tab.
            3. Click the Routing Rules icon.
            4. Create a new rule.
            5. Add a filter to the rule that uses a trailing backslash. For example:
              Filename is equal to any of C:\Users\Test\
            6. Click Save.
            7. Attempt to edit the rule.

              Results
              The edit interface does not open. Users are unable to use the Edit button in the user interface.
            23 February 2022
            EVENT DATA IJ31537 MESSAGESIZEEXCEPTION CAN CAUSE THE QRADAR EVENT PIPELINE TO STOP FUNCTIONING AS EXPECTED CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

            Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            The QRadar event pipeline can stop working as expected when a message size exception is encountered causing a failure of events to be processed.

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]
            com.q1labs.sem.nio.network.StreamProcessor: [ERROR]
            [NOT:0000003000][x.x.x.x/- -] [-/- -]Cannot get the event from
            SpilloverQueue
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]
            com.q1labs.frameworks.nio.exceptions.MessageSizeException:
            Message size exceeds communication buffer capacity 131062
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at
            com.q1labs.frameworks.nio.network.protocol.CollectionHandler.put
            (CollectionHandler.java:66)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at
            com.ibm.si.ecingress.destinations.SECStoreForwardDestination.sen
            dEventFromQ(SECStoreForwardDestination.java:471)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at
            com.q1labs.sem.nio.network.StreamProcessor.sendMessage(StreamPro
            cessor.java:96)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at
            com.q1labs.sem.nio.network.StreamProcessor.run(StreamProcessor.java:55)
            [ecs-ec-ingress.ecs-ec-ingress] [StreamProcessorThread]    at
            java.lang.Thread.run(Thread.java:818)
            16 April 2021
            LOG SOURCES IJ31917 LOG SOURCE IDENTIFIER COLUMN DISPLAYS "N/A" WHEN SELECTED IN A LOG ACTIVITY PAGE SEARCH CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            This issue only affects users in the legacy user inteface, this issue does not affect the Log Source Management app. The Log Source Management App displays the correct Log Source Identifier value.

            Where possible, use the Log Source Management app to view Log Source Identifier data.

            Issue
            The Log Source Identifier column displays N/A when it is selected in a search in Log Activity page of the QRadar User Interface. This prevents being able to group by Log Source Identifier.

            When opening a received event, the Log Source Identifier column displays the expected data within that view.
            23 February 2022
            PROTOCOL IJ32031 LOG SOURCES CONFIGURED TO USE THE GOOGLE CLOUD PUB SUB PROTOCOL CAN INCORRECTLY DISPLAY ERROR STATUS OPEN Workaround
            1. Confirm events are being received by the Log Source by performing an event search.
            2. Toggling affected Log Sources to disabled and then back to enabled can temporarily correct the error status for the Google Pub/Sub log source.


              1. Issue
                Log Sources that are configured to use the Google Cloud Pub Sub Protocol can sometimes incorrectly display a status of "Error" when they are working correctly.
            16 April 2021
            UPGRADE IJ32030 QRADAR PATCH PRETEST FAILS TO RUN ON MANAGED HOSTS UNTIL CONSOLE IS PATCHED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

            Workaround
            Perform the QRadar pretest and complete the Console software update. After the Console patching is successfully completed, the pretest can be run on the remaining Managed Hosts in the deployment.

            Issue
            The QRadar patch pretest function cannot be run on a Managed Host when the QRadar Console has not yet been patched. This issue prevents a pretest of a complete QRadar deployment prior to performing the patching process until after the Console is patched.

            A message similar to the following might be visible when attempting to run the pretest function:
            [ERROR] Failed to determine the patch level of the Console.
            30 May 2022
            UPGRADE IJ32036 LOG SOURCES CONFIGURED TO USE THE MQJMS PROTOCOL CAN STOP WORKING UNEXPECTEDLY OPEN Workaround
            Toggle the affected MQ JMS log source to disabled and then enable it again to correct the issue.

            Issue
            Log Sources that are configured to use the MQJMS Protocol stop working when a JMSWMQ1107 error occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32]
            com.q1labs.semsources.sources.mqjms.MQJMSErrorHandler: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Error Message:
            JMSWMQ1107: A problem with this connection has
            occurred.
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32]
            com.ibm.msg.client.jms.DetailedIllegalStateException:
            JMSWMQ1107: A problem with this connection has
            occurred.
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] An error has occurred with the IBM
            MQ JMS connection.
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] Use the linked exception to
            determine the cause of this error.
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.common.inte
            rnal.Reason.reasonToException(Reason.java:489)
            [ecs-ec-ingress.e
            cs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.
            wmq.common.internal.Reason.createException(Reason.java:215)
            [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ib
            m.msg.client.wmq.internal.WMQMessageConsumer.checkJmqiCallSucces
            s(WMQMessageConsumer.java:217)
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.wmq.internal.WM
            QMessageConsumer.checkJmqiCallSuccess(WMQMessageConsumer.java:273)
            [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32]
            at com.ibm.msg.client.wmq.internal.WMQAsyncConsumerShadow.consum
            er(WMQAsyncConsumerShadow.java:615)
            [ecs-ec-ingress.ecs-ec-ingre
            ss] [JMSCCThreadPoolWorker-32] at com.ibm.mq.jmqi.remote.impl.Re
            moteProxyQueue.callConsumer(RemoteProxyQueue.java:3616)
            [ecs-ec-
            ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.mq
            .jmqi.remote.impl.RemoteDispatchThread.run(RemoteDispatchThread.java:269)
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.
            workqueue.WorkQueueItem.runTask(WorkQueueItem.java:319)
            [ecs-ec-
            ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.ms
            g.client.commonservices.workqueue.SimpleWorkQueueItem.runItem(Si
            mpleWorkQueueItem.java:99)
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.
            workqueue.WorkQueueItem.run(WorkQueueItem.java:343)
            [ecs-ec-ingress.ecs-ec-ingress] [JMSCCThreadPoolWorker-32] at com.ibm.msg.cl
            ient.commonservices.workqueue.WorkQueueManager.runWorkQueueItem(
            WorkQueueManager.java:312)
            [ecs-ec-ingress.ecs-ec-ingress]
            [JMSCCThreadPoolWorker-32] at com.ibm.msg.client.commonservices.
            j2se.workqueue.WorkQueueManagerImplementation$ThreadPoolWorker.r
            un(WorkQueueManagerImplementation.java:1227)
            [ecs-ec-ingress.ecs
            -ec-ingress] [JMSCCThreadPoolWorker-32] 
            Caused by:
            com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with
            compcode '2' ('MQCC_FAILED') reason '2202'
            ('MQRC_CONNECTION_QUIESCING').
            16 April 2021
            SECURITY BULLETIN CVE-2020-7692 GOOGLE-API-CLIENT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS CLOSED Resolved in
            7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
            7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430

            Affected versions
            • All GoogleCommon versions before 7.3.0-QRADAR-PROTOCOL-GoogleCommon-7.3-20210126200436
            • All GoogleCommon versions before 7.4.0-QRADAR-PROTOCOL-GoogleCommon-7.4-20210126200430
            Issue
            CVE-2020-7692: Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by no PKCE support implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code, and gain authorization to the protected resource. CVSS Base score: 7.4
            04 March 2021
            SERVICES IJ31105 POSTFIX SERVICE IN A BAD STATE CAN CAUSE HOSTCONTEXT TO HANG OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            QRadar's hostcontext (responsible for multiple QRadar functions) can go into a hung state when the postfix service is not working correctly.

            Checking the status of postfix can help to identify that it may be in a bad state and can be perfomed via an SSH session to the QRadar Console:
            # systemctl status postfix
            postfix.service - Postfix Mail Transport Agent
               Loaded: loaded (/usr/lib/systemd/system/postfix.service;
            enabled; vendor preset: disabled)
              Drop-In: /etc/systemd/system/postfix.service.d
                       80-si-postfix.conf
               Active: active (running) since Tue 2021-02-23 14:14:49 EST;
            1h 15min ago
             Main PID: 22618 (master)
                Tasks: 3
               Memory: 3.1M
               CGroup: /system.slice/postfix.service
                       22618 /usr/libexec/postfix/master -w
                       22619 pickup -l -t unix -u
                       22620 qmgr -l -t unix -uFeb 23 15:26:02 (console)
            postfix/master[22618]: warning: /usr/libexec/postfix/smtpd: bad
            command startup -- throttling
            (console) postfix/smtpd[69654]: fatal: bad numerical
            configuration: unknown_local_recipient_reject_code = 550
            relayhost =
             (console) postfix/master[22618]: warning: process
            /usr/libexec/postfix/smtpd pid 69654 exit status 1
             (console) postfix/master[22618]: warning:
            /usr/libexec/postfix/smtpd: bad command startup -- throttling
            Feb 23 15:28:03 (console) postfix/smtpd[85954]: fatal: bad
            numerical configuration: unknown_local_recipient_reject_code =
            550 relayhost =
            (console) postfix/master[22618]: warning: process
            /usr/libexec/postfix/smtpd pid 85954 exit status 1
            (console) postfix/master[22618]: warning:
            /usr/libexec/postfix/smtpd: bad command startup -- throttling
            (console) postfix/smtpd[96641]: fatal: bad numerical
            configuration: unknown_local_recipient_reject_code = 550
            relayhost =
            (console) postfix/master[22618]: warning: process
            /usr/libexec/postfix/smtpd pid 96641 exit status 1
            (console) postfix/master[22618]: warning:
            /usr/libexec/postfix/smtpd: bad command startup -- throttlin

            More information on hostconext in QRadar, see: QRadar: Hostcontext service and the impact of a service restart
            31 March 2021
            LOG SOURCES IJ31534 AUTODISCOVERED LOG SOURCES WITH A 127.0.0.1 IP ADDRESS CAN CAUSE SYSTEM EVENTS TO BE CATEGORIZED INCORRECT OPEN Workaround
            Update your parsing order for log sources to move the autodiscovered log sources below the QRadar system log sources. For more information, see: Adding a log source parsing order.

            Issue
            Autodiscovered log sources with an IP Address of 127.0.0.1 can have a higher value in the parsing order than the system based log sources. This can cause internal events (example SIM Audit) to be associated to the incorrect log source.

            To identifiy if this is the issue for incorrect Log Source association for internal events, check the parsing order:
            1. Open the Log Source parsing order User Interface in the Admin tab
            2. Filter by identifier = 127.0.0.1.

              Results
              When this issue occurs, there will be log sources above internal log sources in the parsing order list. Updating the parsing order can resolve this issue. For more information about QRadar system (internal) log sources, see: Creating an Offense for Monitoring an Internal Log Source.
            31 March 2021
            LOG SOURCES IJ31840 LOG SOURCES CONFIGURED FOR IBM SECURITY IDENTITY MANAGER JDBC CAN FAIL TO PARSE AS EXPECTED OPEN Workaround
            1. Open the affected Log Source
            2. Save the log source.
            3. Verify that the Log Source is parsing the expected data from new events after re-saving it.
            4. Note: In some instances, a change to the Log Source might be needed, then save the Log Source anc check for proper event parsing.

              Issue
              Log Sources configured for use with IBM Security Identity Manager JDBC can fail to work as expected.

              Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
              [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
              Provider Thread: class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
              [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
              Provider Thread: class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
              [INFO] [NOT:0000006000][epIp/- -] [-/- -]Provider 'class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018' stopped.
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Polling interval in
              milliseconds = 30000
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]jdbc session
              properties file already exists, loading its values
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [WARN] [NOT:0000004000][epIp/- -] [-/- -]null on
              DB2//ITIMDB@dbHost
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              java.lang.NullPointerException
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.jdbc.SourceDatabaseType$2.composeU
              rl(SourceDatabaseType.java:90)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.jdbc.JdbcEventConnector.connect(Jd
              bcEventConnector.java:482)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.jdbc.JdbcEventConnector.preExecute
              Configure(JdbcEventConnector.java:1060)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r.preExecuteConfigure(IBMSIMJDBCEventConnector.java:483)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
              ider.java:179)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [ERROR] [NOT:0000003000][epIp/- -] [-/- -]Unable to obtain a
              comparable value for the RECERTIFICATIONLOG table!
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
              java.lang.NullPointerException
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r.preExecuteConfigure(IBMSIMJDBCEventConnector.java:500)
              [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
              com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
              ider.java:179)
              [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
              Provider Thread: class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
              [INFO] [NOT:0000006000][epIp/- -] [-/- -]IBMSIMJDBC provider
              'class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018' config ok; now trying to run...
              [ecs-ec-ingress.ecs-ec-ingress]
              [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher]
              com.q1labs.semsources.sources.base.SourceConfigDB: [INFO]
              [NOT:0000006000][epIp/- -] [-/- -]Updating provider (id = 2018)
              because its parameters have changed.
              [ecs-ec-ingress.ecs-ec-ingress]
              [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
              [INFO] [NOT:0000006000][epIp/- -] [-/- -]Stopping provider
              'class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018'.
              [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
              Provider Thread: class
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r2018]
              com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
              r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
            31 March 2021
            VULNERABILITY SCANNER IJ30930 QRADAR SCANS ARE CALLING DEPRECATED TENABLE ENDPOINTS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            QRadar scans continue to call deprecated Tenable endpoints after updates have been made within the Tenable API. Changes within QRadar scanning are needed so that only the appropriate endoint fields are being parsed.
            05 March 2021
            APPLICATION FRAMEWORK IJ30953 DRQ DIAGNOSTIC TEST RUNS ON ANY HOST CAPABLE OF RUNNING APPS (CONSOLE OR APPHOST) AND FAILS ON STANDBY HOSTS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            The drq diagnostic test for docker runs on any QRadar app capable host (console or App Host). When it runs on a Standby host (High Availability), the drq test fails as docker is inactive on Standby hosts.

            This drq diagnostic test failure on Standby hosts is benign and can be safely ignored.

            Messages similar to the following might be visible when drq is run on Standy hosts:
            root@hostname-secondary ~]# drq
            DrQ version 1.4.1 (mode(s): checkup, tag(s): , verbosity: summary)
            ------
            Docker Running Check
            Check if Docker is installed and running [FAILURE]
            'docker.service' is not active.
            05 March 2021
            UPGRADE IJ31087 PATCHING FROM A MOUNTED .SFS IN /STORE IS ALLOWED BY QRADAR BUT CAN CAUSE HIGH AVAILABILITY PATCHING TO FAIL OPEN Workaround
            Prior to a patch being run, ensure it is run from a mount of /tmp or /root (or another non High Availability filesytem). If the patching is in progress on an HA configured system from an .sfs mount point of /store and fails, please Contact QRadar Support.

            Issue
            QRadar patching via .sfs is allowed to be run when it's mounted in /store partition. If it's run from this location, patch failure can occur when run on High Availability (HA) appliances.
            05 March 2021
            UPGRADE IJ31084 PATCHING TO QRADAR 7.3.3 FP7 CAN FAIL WITH DRACUT RPM DEPENDENCIES OPEN Workaround
            If the patches.log contains the above messages, then remove the required file(s) using the following command from an SSH session to the QRadar Console:
            1. Type the following command:
              yum remove dracut-config-generic
            2. If that states it has no dependencies, then proceed to remove the dracut RPM.
            3. Re-run the patch Installer.

            Issue
            Patching to QRadar 7.3.3 FP7 can fail with due to RPM dependencies. Messages simlar to the following might be visible in /var/log/setup-#####/patches.log:
            Feb  5 08:22:07 2021: Feb  5 08:22:07 2021:[ERROR](testmode)
            sql pretest errored, halting.[6/9] Install & Upgrade Packages
            failed to complete successfully.
            Errors:
            [6/9] Install & Upgrade Packages  upgrading produced:
            Error: Package:
             dracut-config-generic-033-535.el7.x86_64 (installed)
            Requires: dracut = 033-535.el7
            Removing: dracut-033-535.el7.x86_64 (installed)
            dracut = 033-535.el7
            Updated By: dracut-033-564.el7.x86_64 (local)dracut =
            033-564.el7
            05 March 2021
            UPGRADE IJ31085 GLUSTERFS TO DRBD MIGRATION FAILS WHEN HOSTNAME IS LONGER THAN 54 CHARACTERS OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            The glusterfs to DRBD migration fails when the hostname it is being run on is longer than 54 characters.
            05 March 2021
            UPGRADE IJ31074 QRADAR PATCHING PROCESS CAN HANG AT MESSAGE "UPDATING : SYSTEMD-219-78.EL7.X86_64" CLOSED Resolved in
            QRadar 7.5.0 Update Pack 2 (7.5.0.20220527130137)

            Workaround
            It is possible old heap dumps need to be removed from /store/jheap/<dir> prior to patching.

            If you require any assistance to identify and remove these old heap dumps, Contact QRadar Support.

            Issue
            The QRadar patching process can hang with a message similar to the following being displayed on screen:
            Feb 21 11:53:44 2021: Feb 21 11:53:44 2021: [INFO](patchmode)
            Updating : systemd-219-78.el7.x86_64
            This issue can occur when there are dump files located in
            /store/jheap/ on a QRadar appliance being patched.
            30 May 2022
            UPGRADE IJ31079 '[WARNING] ALL APPLICABLE HOSTS HAVE MIGRATED FROM GLUSTERFS TO DRBD. EXITING' WHEN RUNNING GLUSTERFS TO DRBD MIGRATION TOOL CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            If you experience issues with the glusterfs_migration_manager, move the report on the Console to another directory location, such as /store/ibm_support. For example:
            1. Log in to the QRadar Console as the root user.
            2. To create a directory, type: mkdir /store/ibm_support
            3. To move the report, type: mv /etc/qradar/ha/glusterfs_migration_report.json /store/ibm_support
            4. Run the glusterfs_migration_manager.py tool again.

              Results
              If you are still facing issues, or require assistance with the workaround, Contact QRadar Support.

            Issue
            Running the glusterfs to DRBD migration in a QRadar Deployment with multiple affected hosts can fail to start again if one appliance fails the migration process.

            A message similar to the following might be visible when this issue occurs:
            [WARNING] All applicable hosts have migrated from GlusterFS to
            DRBD. Exiting.

            This is caused by the logic in glusterfs_migration_manager.py to check if all hosts are migrated and occurs if the report contains more than 1 host and the first host in the list has already completed migration.

            This then causes the system to call sys.exit(1) closing out the script saying all migration has completed.
            27 March 2021
            VULNERABILITY SCANNER IJ31088 QRADAR CAN SOMETIMES CONTINUE TO ATTEMPT TO DOWNLOAD A CERT FOR A SCANNER THAT HAS BEEN REMOVED OPEN Workaround
            From an SSH session to the QRadar Console:
            1. Log in to the QRadar Console as the root user.
            2. Find and modify the file "certificate_catalogue.txt", remove the bad scanner record, then save the file.

            Issue
            QRadar can sometimes try to download a VA Scanner certificate even if scanner configuration was removed from QRadar. This is due to a cached value written in a temporary file. System Notifications similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            generateNotification: An attempt to download the server
            certificate for [IP:443] to
            [/opt/qradar/conf/trusted_certificates/IP_443.crt] has failed
            05 March 2021
            INDEX MANAGEMENT IJ31090 INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Index management can show zeros (0) for every column of each index if a large time range is chosen. This occurs when a backend timeout happens due to the large amount of data processed.
            05 March 2021
            SYSTEM SETTINGS IJ31083 GEOGRAPHIC SETTINGS CAN FAIL TO WORK AS EXPECTED WHEN AN INCORRECT USERID AS BEEN INPUT CLOSED Resolved in
            QRadar 7.5.0 Update Pack 3 (7.5.0.20220829221022)

            Workaround
            Verify that the correct UserId data is entered into the field.

            Issue
            Geographic updates can fail in QRadar if incorrect values are input for the UserId text box in the Geographic Settings section of the System Settings page. UserIds provided are only numbers, but a lack of data validation in the UserId field allows users to input any characters.

            When incorrect information for UserId is entered, this can cause the GeoIP.conf file to have bad values in it.
            05 March 2021
            PROTOCOLS IJ31080 EVENTS COMING FROM THE SAME SOURCE CAN SOMETIMES BE PLACED WITH DIFFERENT GOOGLE PUB/SUB LOG SOURCES OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the APAR number, then selecting subscribe. If you have questions about this issue, ask in our Support Forums.

            Issue
            An issue with with Google Pub/Sub log source auto-detection can occur when it sometimes randomly selects the last character of the regex "} and appends to the Log Source Identifier. When this occurs, events coming from the same source can be placed within different Log Sources.
            05 March 2021
            DEPLOY CHANGES IJ31081 DEPLOY FUNCTION CAN FAIL ON SOME MANAGED HOSTS IF A LEGACY DEPLOYMENT.XML FILE REMAINS IN /STORE/CONFIGSERVICES/DEPLOYED/ OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            The QRadar deploy function can fail on some Managed Hosts when there is a legacy deployment.xml file located in /store/configservices/deployed/.

            This deploy failure occurs when ECIngressConfigBuilder verifies if a file exists in the deployed folder, and only if not, then reads the staging folder. On a Managed Host that usually does not have a file in the deployed folder, this can result in deploy issues if a legacy file has been left there. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            com.q1labs.configservices.common.ConfigServicesException:
            Failed to create EC_Ingress.xml for component
            eventcollectoringress102.
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.sem.ECIngressConfigBui
            lder.buildConfig(ECIngressConfigBuilder.java:130)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.AbstractComponentConfigBuilder.
            buildComponentConfig(AbstractComponentConfigBuilder.java:54)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.component.ComponentTra
            nsformerManager.processComponent(ComponentTransformerManager.java:206)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.component.ComponentTra
            nsformerManager.buildConfiguration(ComponentTransformerManager.java:117)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...22 more
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            java.lang.RuntimeException: Error merging velocity template and
            context
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.VelocityFileProducer.createConf
            igFile(VelocityFileProducer.java:56)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.sem.ECIngressConfigBui
            lder.buildConfig(ECIngressConfigBuilder.java:126)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...25 more
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            org.apache.velocity.exception.MethodInvocationException:
            Invocation of method 'getEventThreshold' in class
            com.q1labs.configservices.config.localset.sem.ECIngressConfigBui
            lder threw exception java.lang.NumberFormatException: null at
            EC_Ingress.vm[line 498, column 79]
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocati
            onException(ASTMethod.java:243)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMet
            hod.java:187)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTReference.execute(AST
            Reference.java:280)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTReference.render(ASTR
            eference.java:369)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock
            .java:72)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTIfStatement.render(AS
            TIfStatement.java:87)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.SimpleNode.render(Simple
            Node.java:342)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.Template.merge(Template.java:356)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.Template.merge(Template.java:260)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.VelocityFileProducer.createConf
            igFile(VelocityFileProducer.java:50)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...26 more
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            Caused by:
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]]
            java.lang.NumberFormatException: null
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            java.lang.Long.parseLong(Long.java:564)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            java.lang.Long.parseLong(Long.java:643)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.sem.ECIngressConfigBui
            lder.getEPSThreshold(ECIngressConfigBuilder.java:315)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            com.q1labs.configservices.config.localset.sem.ECIngressConfigBui
            lder.getEventThreshold(ECIngressConfigBuilder.java:307)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
            Impl.java:90)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
            AccessorImpl.java:55)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            java.lang.reflect.Method.invoke(Method.java:508)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.util.introspection.UberspectImpl$VelMethodIm
            pl.doInvoke(UberspectImpl.java:395)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.util.introspection.UberspectImpl$VelMethodIm
            pl.invoke(UberspectImpl.java:384)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] at
            org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMet
            hod.java:173)
            [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] ...34 more
            05 March 2021
            UPGRADE IJ31092 QRADAR PATCHING CAN FAIL DUE TO A FREE SPACE CHECK THAT FAILS OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            QRadar patching can fail because of an invalid drq check. This check of /var/log/lastlog is not required and should not cause QRadar patching to fail. Messages similar to the following might be visible when this issue occurs:
            Available Space Checks
              Checks if /var/log has enough space
            
               [FAILURE]
                Not enough space in /var/log: Available Space: 14108 MB - File:
                /var/log/lastlog 99520 MB. This will cause logrotate to fail.
            
               [REMEDIATION]
                Free up space in /var/log. You need at least 99720 MB free.
            05 March 2021
            CONTENT MANAGEMENT TOOL (CMT) IJ30916 HIDDEN CONTROL CHARACTERS CAN CAUSE A CONTENT MANAGEMENT TOOL (CMT) IMPORT TO FAIL OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Performing a Content Management Tool import can fail when there are hidden control characters in the import. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [ContentManager.cmt] [root@127.0.0.1:60778
            (ContentManagementCLI)] javax.xml.bind.UnmarshalException
            [ContentManager.cmt] [root@127.0.0.1:60778
            (ContentManagementCLI)] - with linked exception:
            [ContentManager.cmt] [root@127.0.0.1:60778
            (ContentManagementCLI)] [org.xml.sax.SAXParseException: An
            invalid XML character (Unicode: 0x3) was found in the element
            content of the document.]
            05 March 2021
            LOG SOURCES IJ31577 LOG FILE PROTOCOL STOPS PROCCESSING ANY FURTHER FILES WHEN AN EMPTY FILE IS READ IN A ZIPPED FILE OPEN Workaround
            • Manually unzip the files, remove the empty files and zip them again.
            • OR
            • If download size is not important (storage free space), there is the option to directly process text files instead of zipped files.

            Issue
            When an empty file is encountered in a zipped file, Log File Protocol stops processing any further files and repeatedly proceses the last file that was not empty.

            For example:
            3 files are in a .zip file as file1, file2, and file3 and in this instance, file2 is empty. The protocol stops when processing file2 to post events from file1 repeatedly and never reaches file3.
            31 March 2021
            LOG SOURCES IJ31868 "THE FIELD MUST NOT EXCEED 2047 CHARACTERS" MESSAGE CAN BE GENERATED WHEN CONFIGURING A TLS SYSLOG PROTOCOL CERTIFICATE OPEN Workaround
            Close out of the Log Source interface if editing, and then change the allowable character limit using the following command from an SSH session to the QRadar Console:
            psql -U qradar -c "UPDATE sensorprotocolparameter SET maxlength
            = 4096 WHERE id = 22022 AND name = 'issuerPk';"

            Issue
            The TLS syslog protocol character limit for entering a Root/Intermediate Issuer's Certificate is set at 2047 and attempting to enter anything longer fails with a message similar to:
            The field must not exceed 2047 characters
            31 March 2021
            DEPLOYMENT IJ31762 RE-ADD OF A MANAGED HOST CAN FAIL DUE TO INCORRECT STATUS OF THE MANANGED HOST IN THE QRADAR DATABASE OPEN Workaround
            From an SSH session to the QRadar console, identify the id number and set the affected Managed Host to "Deleted" in the managedhost database table:
            1. To locate the id of the managed host that failed to add, type:
              psql -U qradar -c "select * from managedhost where hostname
              like '%hostname%'"

              Important: Note the id value from the query as it is required for the next step.
            2. To set the managed host to deleted by id, type the following command and use the id from the query in step 1:
              psql -U qradar -c "update managedhost set status ='Deleted'
              where id=xxx"
            3. Attempt the re-add process for the affected Managed Host.

            Issue
            Re-adding a Managed Host can fail when the status of the Managed Host is not correct in the QRadar database. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
            com.q1labs.configservices.capabilities.AddHost: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]host already exists with
            that ip: (ipaddress) with status: ADD_FAILED_CHECK_LOGS
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
            com.q1labs.configservices.capabilities.AddHost: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Precheck: unable to mark host as being added
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
            com.q1labs.configservices.common.ConfigServicesException:
            Precheck: unable to mark host as being added
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
               at
            com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:1241)
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
               at
            com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
            [hostcontext.hostcontext]
            [8cba150a-4bc7-4405-b12f-03184d6332cf/SequentialEventDispatcher]
               at
            com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
            ost(AddHostExecutor.java:74)
            31 March 2021
            EMC VMWARE PROTOCOL IJ31531 VCENTER LOG SOURCES USING THE EMCVMWARE PROTOCOL CAN FAIL TO CONNECT DUE TO IPADDRESS IN CONFIGURATION VERSUS A FQDN OPEN Workaround
            No workaround available.

            APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

            Issue
            VCenter Log Sources can fail to connect as the single sign-on (SSO) mechanism for VCenter 7.0 accepts only a server's fully qualified domain name (FQDN) under the https requests. As the accepted value of the VCenter Log Source address can be only be an IP address, the connection from QRadar to the VCenter server cannot be established.
            31 March 2021
            BACKUP AND RESTORE IJ31100 QRADAR 7.4.X CONFIGURATION RESTORE FAILS DUE TO DUPLICATE ENTRIES IN THE ATTACKER_HISTORY DATABASE TABLE OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Restoring a config backup from QRadar 7.4.x fails due to duplicate entries in attacker_history database table. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            [hostcontext.hostcontext] [Thread-355377] ComponentOutput:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            pg_restore: pg_restore: [archiver (db)] COPY failed for table
            "attacker_history": ERROR: duplicate key value violates unique
            constraint "attacker_history_ipaddress_key"
            [hostcontext.hostcontext] [Thread-355377] ComponentOutput:
            [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
            pg_restore: DETAIL: Key (ipaddress, domain_id)=(ip_address, 1)
            already exists.
            31 March 2021
            AUTHENTICATION IJ31665 ATTEMPTING TO REMOVE A GROUP MAPPING FROM LDAP GROUP BASED AUTHENTICATION CAN FAIL TO WORK AS EXPECTED OPEN Workaround

            Option 1
            When removing a group, and then adding a group, and then clicking save, the process works as expected.

            Option 2
            Disable group based authentication, click save. Then before performing a deploy function, re-enable group mapping and configure it from the beginning.

            If this still does not correct the issue, contact Support for a an additional workaround that might address this issue in some instances.

            Issue
            While attempting to remove a group mapping in LDAP group based authentication from a Security role, the group can fail to be removed and is still displayed when navigating back to the configuration settings. For example:
            1. Have group based LDAP authentication.
            2. Add a group to the group mapping.
            3. Deploy changes.
            4. Remove a group.

              Result
              No deploy is needed, and if you go back in the configuration settings, the group is again displayed.
            31 March 2021
            ASSETS IJ31924 THE CLEAN VULNERABILITES FUNCTION DOES NOT WORK AS EXPECTED FOR ASSETS THAT DO NOT HAVE AN IP ADDRESS CONFIGURED CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Where possible, use one of the following methods to workaround the issue described above:
            • Assign the asset an IP address.
            • OR
            • Delete the vulnerability from the asset UI.
            • OR
            • Delete the asset.
              • For more information, see: working with assets.

                Issue
                When an asset has no IP address assigned to it, the clean vulnerabilities option does not remove the vulnerabilities from the asset. For Example:
                1. Have an asset with vulnerabilities with no IP address assigned to it in the Asset tab.
                2. For that asset, select Actions > Clean Vulnerabilities.
                3. Select the date for today for remove vulnerabilities and select the scanner.

                  Result
                  When the clean vulnerabilities runs, the vulnerabilities remainl listed in the User Interface (UI) and under the asset.
            23 February 2022
            QRADAR NETWORK INSIGHTS (QNI) IJ30903 SOME QRADAR NETWORK INSIGHTS (QNI) APPLIANCES CANNOT BE SETUP TO CONNECT TO QRADAR ON CLOUD (QRoC) ENVIRONMENTS CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 Fix Pack 1 (7.4.3.20210708143944)

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Virtual QRadar Network Insights QNI (6500) and 1940/6600 40Gbps appliance types cannot be setup to connect to QRadar On Cloud (QRoC) due to variables within the setup_qradar_host.py script. Messages similar to the following might be visible when this issue occurs:
            Skipping apply VPN action: This host does not support VPN
            actions.
            12 July 2021
            QRADAR PACKET CAPTURE IJ32043 NAPATECH CARD FIRMWARE INSTALLED IN PACKET CAPTURE APPLIANCES CAN BE AT AN OLDER VERSION THAN EXPECTED OPEN Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            Some Napatech cards that were installed in QRadar Packet Capture appliances have a down level firmware version (9232-52-13). The Packet Capture software installation does not attempt detection and upgrade of the firmware to the expected version.

            To verify the Napatech firmware version, type the following command from an SSH session to the appliance:
            /opt/napatech3/bin/adapterinfo

            Result
            • FPGA ID: 200-9232-52-13-0000 (down leveled firmware version)
            • FPGA ID: 200-9232-53-01-0000 (expected firmware version)
            15 April 2021
            VULNERABILITY SCANNER IJ26097 MAXPATROL VULNERABILITY SCANNER CAN FAIL TO CONNECT TO QRADAR AS IT USES THE DEPRECATED MICROSOFT WINDOWS SMBV1 OPEN Workaround
            No workaround available.

            Issue
            The Positive Technologies MaxPatrol vulnerabilities scanner can fail to connect to QRadar as expected as it is configured to use the now deprecated Microsoft Windows SMBv1 network protocol.

            This protocol version is no longer installed by default on computer systems running Microsoft Windows.
            15 July 2020
            USER INTERFACE IJ31931 QRRADAR RISK MANAGER: AN 'APPLICATION ERROR' CAN OCCUR WHEN OPENING THE RISKS TAB IN THE USER INTERFACE DUE TO IPV6 SETTINGS IN A CONFIGURATION FILE CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)

            Workaround
            1. Edit the following file using the vi command on the QRadar Risk Manager server appliance:
              /opt/tomcat-rm/conf/server.xml
            2. Remove address="::" from this section of the file:
              <Connector port="18009" address="::"
              enableLookups="false" redirectPort="18443" protocol="AJP/1.3"
              URIEncoding="UTF-8" maxPostSize="67108864"
              secretRequired="false"/> <!-- 67 108 864 = 64 MB -->
            3. Save your changes and exit vi.
            4. Type the following command:
              systemctl restart tomcat-rm

            Issue
            An "Application Error" can be displayed on the Risks tab of the QRadar User Interface if Internet Protocol version 6 is disabled on the QRadar Risk Manager (QRM) server appliance.

            Messages similar to the following might be visible in /var/log/qradar.log on the QRadar Console when this issue occurs:
            [tomcat.tomcat] [admin@127.0.0.1 (6623)
            /console/do/120/networkTopology]
            com.q1labs.srmconsole.util.WSUtil$WebClientProxy: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]Error invoking method
            isTopologyReloading on the appliance; full error details in
            appliance log
            [tomcat.tomcat] [admin@127.0.0.1 (6623)
            /console/do/120/networkTopology]
            com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
            [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
            while processing the request:
            [tomcat.tomcat] [admin@127.0.0.1 (6623)
            /console/do/120/networkTopology]
            com.sun.xml.ws.client.ClientTransportException: The server sent
            HTTP status code 503: Service Unavailable
            Messages similar to the following might be visible in
            logging on the QRM server appliance when this issue
            occurs:
            Mar 26 13:33:28 hostname tomcat-rm[17470]: SEVERE: Failed to
            initialize connector [Connector[AJP/1.3-18009]]
            Mar 26 13:33:28 hostname tomcat-rm[17470]:
            org.apache.catalina.LifecycleException: Protocol handler
            initialization failed
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.core.StandardService.initInternal(StandardSe
            rvice.java:552)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.core.StandardServer.initInternal(StandardSer
            ver.java:848)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.startup.Catalina.load(Catalina.java:639)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.startup.Catalina.load(Catalina.java:662)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
            Impl.java:90)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
            AccessorImpl.java:55)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            java.lang.reflect.Method.invoke(Method.java:508)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: Caused by:
            java.net.SocketException: Protocol family unavailable
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.nio.ch.Net.bind0(Native Method)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.nio.ch.Net.bind(Net.java:460)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.nio.ch.Net.bind(Net.java:452)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.
            java:253)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:86)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoin
            t.java:1118)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJss
            eEndpoint.java:222)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:587)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: at
            org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
            Mar 26 13:33:28 hostname tomcat-rm[17470]: ... 13 more
            07 April 2021
            WINCOLLECT IJ31843 WINCOLLECT 7.3.0 P1 AGENTS CAN STOP SENDING LOGS WHEN INFORMATION AND WARN EVENT TYPES ARE NOT SELECTED OPEN Workaround
            • Ensure that information, and warning messages are selected to be sent to QRadar from the WinCollect agent.
              OR
            • Configure Xpath for required Critical and Error logs to be retrieved: https://www.ibm.com/support/pages/how-use-xpath-queries-wincollect-suppress-specific-events

              For example:
              <QueryList>
              <Query Id="0" Path="System">
              <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
              </Query>
              </QueryList>

              • Issue
                WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when information and warn type events are not selected. When this issue occurs, affected WinCollect agent hosts can be checked for messages that include "Error code 15001: The specified query is invalid." when the host agent logs are placed into debug.

                To place a WinCollect agent host into debug, see: https://www.ibm.com/support/pages/node/6404330#localsrv
                Note: Ensure to disable Debug as soon as possible to prevent log bloat.
            13 April 2021
            WINCOLLECT IJ32028 WINCOLLECT LOG SOURCE MANAGEMENT DISPLAYS MULTIPLE INCORRECT ENTRIES WHEN A MANAGED HOST IS REMOVED AND ADDED BACK OPEN Workaround
            Create a WinCollect destination in the WinCollect UI and configure the WinCollect log sources to use this destination instead: https://www.ibm.com/community/qradar/2019/06/11/wincollect-configure-local-collection-when-installing-agent/

            Issue
            When a Managed Host is removed from a QRadar deployment and then added back with either the same or a new hostname and/or same or different IP address, the database does not get updated correctly.

            When this occurs it creates additional duplicate Target Internal Destination options in the Log Source Management App for WinCollect log sources that can be invalid.
            12 April 2021
            WINCOLLECT IJ31923 STANDALONE WINCOLLECT CAN FAIL TO WORK WHEN USING TCP TLS CONFIGURATION AND A CERTIFICATE SIZE OVER 8000 CHARACTERS OPEN Workaround
            No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/wincollectforums

            Issue
            Standalone WinCollect fails to receive logs and work as expected when using TCP TLS configuration and a certificate with a character size over 8000 characters. When using a certificate that is too large, the deploy changes does not work to push out required deployconfiguration changes.
            12 April 2021
            SCAN RESULTS IJ32044 QRADAR VULNERABILITY MANAGER (QVM) SCAN STATUS REMAINS AT 'OUTSIDE OPERATIONAL WINDOW' AFTER SCAN COMPLETES CLOSED Resolved in
            QRadar 7.5.0 Update Pack 1 (7.5.0.20220215133427)

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances.

            Issue
            When a scan uses operational windows, the scan status remains at "Outside Operational Window" after the scan completes.

            The asset model is updated, but the user is unable to open the scan results.
            23 February 2022
            SECURITY BULLETIN CVE-2020-2773
            CVE-2020-14797
            CVE-2020-14779
            CVE-2020-14796
            CVE-2020-14803
            CVE-2020-27221
            CVE-2020-14782
            CVE-2020-14781
            MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 7 Interim Fix 2 (7.3.3.20210330030509)

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            • CVE-2020-2773: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
            • CVE-2020-14797: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
            • CVE-2020-14779: An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
            • CVE-2020-14796: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.1
            • CVE-2020-14803: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 5.3
            • CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8
            • CVE-2020-14782: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
            • CVE-2020-14781: An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
            12 April 2021
            SECURITY BULLETIN CVE-2021-3156 SUDO AS USED BY IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY CODE EXECUTION CLOSED Resolved in
            QRadar 7.4.3 Fix Pack 4 (7.4.3.20211109160104)
            QRadar 7.3.3 Fix Pack 10 (7.3.3.20211125190208)
            QRadar on Cloud 7.4.3 Fix Pack 3 (7.4.3.20211021121337)

            Note: Version 7.4.3 Fix Pack 3 is only available to QRadar on Cloud users. QRadar 7.4.3 Fix Pack 3 was removed for on-premise QRadar SIEM users.

            Affected versions
            • IBM QRadar 7.3.0 GA to 7.3.3 Patch 7
            • IBM QRadar 7.4.0 GA to 7.4.2 Patch 2
            Issue
            CVE-2021-3156: Sudo is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing command line arguments. By sending an "sudoedit -s" and a command-line argument that ends with a single backslash character, a local attacker could overflow a buffer and execute arbitrary code on the system with root privileges. This vulnerability is also known as Baron Samedit. CVSS Base score: 8.4
            12 April 2021
            DEPLOYMENT IJ32056 RE-ADD OF MANAGED HOST ON QRADAR 7.4.2 FIX PACK 3 HANGS AT "HOST IS BEING ADDED TO THE DEPLOYMENT" AFTER A QCHANGE_NETSETUP COMMAND IS PERFORMED OPEN Workaround
            1. After you have confirmed you are experiencing the issue described has occurred during re-add (unable to add managed host: SSH connection or SSH command execution failed), close the QRadar user interface window for the re-add.
            2. Verify in Admin tab > System and License Management that the Managed Host has not been re-added.
            3. After verification the Managed Host has not be re-added, attempt the Add Host steps again.

              Results
              A second attempt to add the managed host should complete successfully and Managed Host should be correctly added to the deployment.

              1. Issue
                When re-adding a Managed Host to a QRadar deployment running 7.4.2 Fix Pack 3 after it has been removed, and qchange_netsetup has been run prior to the re-add attempt, the Managed Host can fail to add and the Add Host process appears in a hung state with a message similar to:
                Host is being added to the deployment.

                Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
                [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to add host. Output: 'Done Presence Script', data:'hostcontext is already stopped, no need to stop the service.
                [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to read output from ssh connection on host 127.0.0.1
                [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]SSH connection or SSH command execution failed. The ip of the host is: 127.0.0.1
                [hostcontext.hostcontext] [a65729b7-ff60-47c7-bdef-33c4b20063e8/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message
                [tomcat.tomcat] [Thread-644] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Removing host 127.0.0.1 from the deployment model, if present, due to add_host failure.
                [tomcat.tomcat] [Thread-644] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed.
            12 April 2021
            NETWORK CONFIGURATION IJ31239 A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP CLOSED Resolved in
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Workaround
            A flash notice is available for administrators that describes how to confirm information in qradar_netsetup.log before you complete any network changes using the /opt/qradar/bin/qchange_netsetup utility. For more information, see: Important: A critical issue has been identified in /opt/qradar/bin/qchange_netsetup (IJ31239).

            Issue
            QRadar development has identified a defect in the network component /opt/qradar/bin/qchange_netsetup where a hostname issue can cause a critical error, impacting the appliance configuration.
            31 March 2021
            APPLICATION FRAMEWORK IJ25911 QRADAR APPS CAN FAIL TO INSTALL AFTER TOMCAT CLIENT CERTIFICATE(S) ARE RENEWED UNTIL SERVICE RESTARTS OCCUR CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Note: This issue was resolved for QRadar on Cloud administrators in 7.4.1 Fix Pack 2 QRoC Interim Fix 1, which is not available to on-premise users.

            Workaround
            If you are unable to upgrade, administrators can restart the Tomcat and Hostcontext services. Before you complete this procedure, administrators can alert their users that the user interface is unavailable and all users will be required to log back in when Tomcat is restarted. The user interface is unavailable until all required services are running as expected.
            1. Use SSH to log in to the Console as the root user.
            2. Type the following command:
              systemctl restart tomcat
            3. Wait until the service succesfully restarts.
            4. Type the following command:
              systemctl restart hostcontext

            For more details on the effects of QRadar service restarts, see:
            • QRadar: Hostcontext service and the impact of a service restart
            • QRadar Core Services and the Impact when Restarted

            • Issue
              QRadar Apps can fail to install after Tomcat client certificate(s) are renewed (eg. tomcat-client-conman or tomcat-client-traefik) until the tomcat service and hostcontext have been succesfully restarted.

              Messages similar to the following might be visible in journalctl -u conman when this issue is occuring:
              {host}.com conman-server[23711]: 2020/06/28 21:23:32 http: TLS
              handshake error from 127.0.0.1:47032: tls: failed to verify
              client's certificate: x509: certificate has expired or is not
              yet valid
              {host}.com conman-server[23711]: 2020/06/28 21:23:36 http: TLS
              handshake error from 127.0.0.1:47602: tls: failed to verify
              client's certificate: x509: certificate has expired or is not
              yet valid
            24 March 2021
            UPGRADE IJ30763 QRADAR APPLICATION FRAMEWORK CAN FAIL AFTER PATCHING DUE TO INCORRECT HANDLING OF CASE SENSITIVITY OF HOSTNAMES CLOSED Resolved in
            QRadar 7.5.0 (7.5.0.20211220195207)
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
            QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
            QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

            Workaround
            Contact QRadar Support for a possible workaround that might address this issue in some instances. More information is available for administrators in this technical note: Upgrades can fail for hosts that contain case sensitivity of hostnames (APAR IJ30763).

            Issue
            After performing the QRadar patching process, the QRadar Application Framework can fail due to incorrect handling of the case sensitivity of hostnames.

            When this occurs, QRadar apps fail to load.
            09 February 2021
            SEARCH IJ26117 PERFORMING A FREE TEXT SEARCH IN THE LAST FEW SECONDS OF AN HOUR CAN RETURN PARTIAL RESULTS AND CAUSE INDEX CORRUPTION CLOSED Resolved in
            QRadar 7.4.3 (7.4.3.20210517144015)
            QRadar 7.4.2 Fix Pack 3 (7.4.2.20210323172312)
            QRadar 7.3.3 Fix Pack 8 (7.3.3.20210427222138)

            Workaround
            Where possible, do not perform a free text Quick Filter search in the last 5-10 seconds of the hour.

            Issue
            Due to a timing issue (race condition), performing a free text Quick Filter search can sometimes only return partial results and cause corrupted indexes when the free text search is performed in the in last 5-10 seconds of an hour. A message generated in the QRadar User Interface can be similar to:
            Partial results may be returned due to incomplete payload
            indexes for the specified time range".

            Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
            /events/records/aux/1/2020/5/4/13/lucene
            lockFactory=org.apache.lucene.store.NativeFSLockFactory@87bbef33: 
            org.apache.lucene.store.LockObtainFailedException: Lock held
            by this virtual machine:
            /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
            [ariel.ariel_query_server] [odi_31]    at
            org.apache.lucene.store.SleepingLockWrapper.obtainLock(SleepingL
            ockWrapper.java:102)
            [ariel.ariel_query_server] [odi_31]    at
            org.apache.lucene.index.IndexWriter.(IndexWriter.java:800)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.FTSIndexWriter.(FTSIndexWriter.java:34)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.FTSIndexWriter_MT.(FTSIndexWriter_MT.java:106)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.LuManager.createIndexWriter(LuManager.java:308)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.LuIndexer.getODIWriter(LuIndexer.java:412)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:466)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.LuIndexer.indexDirectory(LuIndexer.java:429)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.reIndexDire
            ctory(ReaderCache.java:156)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.openDirecto
            ryReader(ReaderCache.java:139)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:187)
            [ariel.ariel_query_server] [odi_31]    at
            com.q1labs.ariel.liquery.ReaderCache$IndexReaderInfo.call(ReaderCache.java:59)
            [ariel.ariel_query_server] [odi_31]    at
            java.util.concurrent.FutureTask.run(FutureTask.java:277)
            [ariel.ariel_query_server] [odi_31]    at
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
            utor.java:1160)
            [ariel.ariel_query_server] [odi_31]    at
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
            [ariel.ariel_query_server] [odi_31]    at
            java.lang.Thread.run(Thread.java:818)
            [ariel.ariel_query_server] [odi_31] Caused by:
            [ariel.ariel_query_server] [odi_31]
            org.apache.lucene.store.LockObtainFailedException: Lock held by
            this virtual machine:
            /store/ariel/events/records/aux/1/2020/5/4/13/lucene/write.lock
            [ariel.ariel_query_server] [odi_31]    at
            org.apache.lucene.store.NativeFSLockFactory.obtainFSLock(NativeF
            SLockFactory.java:127)
            [ariel.ariel_query_server] [odi_31]    at
            org.apache.lucene.store.FSLockFactory.obtainLock(FSLockFactory.java:41)
            [ar