IBM Support

IJ04898: GEOGRAPHIC COUNTRY/REGION INDEXING CAN CAUSE UNEXPECTED EVENT COLLECTION INTERRUPTION WHEN GEODATA UPDATES OCCUR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that when Geographic Country/Region is
    enabled in Index Management, the Ariel Writer process can
    sometimes fail unexpectedly when the automated geodata updates
    occur and that database file is queried/accessed while it is
    being updated.
    
    When this situation occurs, events being received into QRadar
    are no longer written to disk causing event data loss until all
    required QRadar processes are running as expected.
    
    Messages similar to the following might be visible in
    /var/log/qradar.error when this issue is occuring:
    
    [ecs-ep.ecs-ep] [Ariel Writer#events]
    com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught
    in thread: Ariel Writer#events
    [ecs-ep.ecs-ep] [Ariel Writer#events]
    java.lang.ArrayIndexOutOfBoundsException
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.db.Decoder$Type.get(Decoder.java:52)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.db.Decoder.decode(Decoder.java:128)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.db.Decoder.decode(Decoder.java:87)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.db.Reader.resolveDataPointer(Reader.java:252)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.db.Reader.get(Reader.java:150)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:531)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:384)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.core.shared.location.LocationUtils.lookup(LocationUti
    ls.java:336)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.core.types.event.NormalizedEventProperties$Geographic
    Location.createKey(NormalizedEventProperties.java:59)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.core.types.event.NormalizedEventProperties$Geographic
    Location.createKey(NormalizedEventProperties.java:38)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.Index.add(Index.java:267)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:6
    7)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseW
    riter.java:113)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWrite
    rAsync.java:131)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringD
    atabaseWriter.java:29)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(Scatt
    eringDatabaseWriter.java:86)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(Sca
    tteringDatabaseWriter.java:54)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1000(Scatt
    eringDatabaseWriter.java:31)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecor
    d(ScatteringDatabaseWriter.java:244)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(Scatteri
    ngDatabaseWriter.java:447)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.jav
    a:115)
    [ecs-ep.ecs-ep] [Ariel Writer#events]    at
    java.lang.Thread.run(Thread.java:785
    

Local fix

  • 1) If enabled, then disable the Geographic Country/Region
    indexing (Admin, Index Management)
    
    OR
    
    2) Disable the geodata database update (Admin, System Settings,
    Geographic Settings -> Set "Disable Automatic Content Updates"
    to True, Save, deploy changes)
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.1
    patch 8 and 7.3.2 patch 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.1
    patch 8 and 7.3.2 patch 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ04898

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-13

  • Closed date

    2019-06-27

  • Last modified date

    2019-08-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
09 August 2019