IBM Support

IJ05338: EVENT COLLECTION CAN STOP DUE TO A BUFFER UNDERFLOW EXCEPTION IN ECS-EC REQUIRING AN ECS-EC-INGRESS SERVICE RESTART

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that an ecs-ec buffer underflow
    exception can sometimes occur leading to event collection to
    stop on any affected QRadar appliance.
    When this issue occurs, a restart of the ecs-ec-ingress service
    is required to correct the issue.
    
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    
    [ecs-ec.ecs-ec] [ECS Runtime Thread]
    com.q1labs.sem.monitors.PipelineStatusMonitor: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]
    EC-Queue-Q1From_ECIngress_via_TCPIP  registered.
    [ecs-ec.ecs-ec] [ECS Runtime Thread]
    com.q1labs.sem.monitors.SourceMonitor: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Event Source Registered
    [SECTCPSource]
    [ecs-ec.ecs-ec] [ECS Runtime Thread] com.eventgnosis.ecs:
    [INFO] [NOT:0000006000][127.0.0.1/- -] [-/-
    -]"<HOSTNAME>:ecs-ec/EC/Q1From_ECIngress_via_TCPIP" THREAD
    started.
    [ecs-ec.ecs-ec]
    [[type=com.eventgnosis.system.ThreadedEventGenerator][parent=<HO
    STNAME>:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]]
    com.eventgnosis.ecs: [INFO] [NOT:0000006000][127.0.0.1/- -]
    [-/-
    -]"<HOSTNAME>:ecs-ec/EC/Q1From_ECIngress_via_TCPIP.ThreadedEvent
    Generator:" THREAD started.
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]10366 records
    read, type: 68, expected buffer size after decompression: 0,
    expected record size: 498,
    java.nio.DirectByteBuffer[pos=7005092 lim=7005549
    cap=13312000], Serializer:
    com.q1labs.sem.types.mapping.SECEventMapping@f7265e6f
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    java.nio.BufferUnderflowException
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.util.StorageUtils.getString(StorageUti
    ls.java:568)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.SourcePayloadBase.get(SourcePayloadBase.jav
    a:386)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.SyslogSourcePayload.get(SyslogSourcePayload
    .java:427)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.mapping.SourcePayloadMapping.get(SourcePayl
    oadMapping.java:37)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.mapping.SourcePayloadMapping.get(SourcePayl
    oadMapping.java:10)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.mapping.SECEventMapping.get(SECEventMapping
    .java:87)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.sem.types.mapping.SECEventMapping.get(SECEventMapping
    .java:21)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.dec
    ode(ProtocolProcessor.java:271)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.dec
    odeCompressedObjectsSync(ProtocolProcessor.java:301)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(
    Protocol.java:1117)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSock
    et(Protocol.java:398)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.Communicator.read(Communicator
    .java:169)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.ReceiverClient.receiveMessage(
    ReceiverClient.java:152)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    com.q1labs.frameworks.nio.network.ReceiverClient.run(ReceiverCli
    ent.java:76)
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]    at
    java.lang.Thread.run(Thread.java:785)
    
    Event collection can then stop and errors similar to the
    following might be visible:
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Unexpected Error,
    java.nio.BufferUnderflowException
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    [ecs-ec.ecs-ec]
    [ReceiverClient:ecs-ec/EC/Q1From_ECIngress_via_TCPIP]
    com.q1labs.frameworks.nio.network.ReceiverClient: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Connect to communicator
    (Handshake is not ok)localhost.localdomain:32015
    

Local fix

  • Restart the ecs-ec-ingress service via command line interface
    on an affected appliance:
    
    # systemctl restart ecs-ec-ingress
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 4
    interimfix 01 and 731 Patch 5.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 4
    interimfix 01 and 731 Patch 5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ05338

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-29

  • Closed date

    2018-06-26

  • Last modified date

    2018-07-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
29 July 2018