IBM Support

IJ06381: EVENTS FORWARDED VIA AN OFFENSE RULE DO NOT HAVE A VALID SYSLOG HEADER APPENDED


APAR status

  • Closed as program error.

Error description

  • Events that are forwarded via an Offense Rule with a syslog
    header appended do not have a valid syslog header when they are
    received at the forwarding destination. The appended syslog
    header is missing the hostname/IP component.
    
    For example:
    1) Create a forwarding destination and select "Prefix a syslog
    header if it is missing or invalid".
    2) Create an Offense Rule that fires on events coming in from a
    specific log source.
    - In the Rule response, select "Send to Forwarding
    Destinations" and select the destination created in step 1.
    3) Observe at the destination that the forwarded event is
    missing the hostname/ip component of the syslog header.
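
A destination-side check for the symptom described above, as an added example (not IBM's code). It assumes the forwarded header follows the BSD syslog layout `<PRI>Mmm dd hh:mm:ss HOSTNAME`, which the APAR does not spell out; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed header layout (BSD syslog, RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME message
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)", re.S)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def is_host(token):
    """True if token is an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return len(token) <= 255 and HOSTNAME.fullmatch(token) is not None

def check_header(line):
    """Classify one received line: ok, no-header, bad-pri or missing-host."""
    m = HEADER.match(line)
    if m is None:
        return "no-header"
    if int(m["pri"]) > 191:          # PRI = facility * 8 + severity, max 23*8+7
        return "bad-pri"
    token, sep, _ = m["rest"].partition(" ")
    # With the hostname dropped, the next token is the start of the payload
    # (a tag such as "sshd[4242]:", a LEEF/CEF prefix, or an empty field).
    if not sep or not is_host(token):
        return "missing-host"
    return "ok"

def audit(lines):
    """Return (line_number, verdict) for every line whose header is not ok."""
    verdicts = ((n, check_header(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v != "ok"]

# Constructed sample lines, not captured from a QRadar deployment.
SAMPLE = [
    "<13>May 11 10:15:02 192.0.2.10 sshd[4242]: Failed password for root",
    "<13>May 11 10:15:02 sshd[4242]: Failed password for root",
    "<13>May 11 10:15:03  LEEF:1.0|Vendor|Product|1.0|Login|usrName=bob",
    "<13>May 11 10:15:04 qradar-ep01.example.test LEEF:1.0|Vendor|Product|1.0|Login|",
]

if __name__ == "__main__":
    for n, verdict in audit(SAMPLE):
        print(f"line {n}: {verdict}")
```

A payload whose first word happens to look like a hostname passes this check, so `ok` is a syntactic result only.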
    

Local fix

  • No workaround available.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 728 patch 14
    and 731 patch 5.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 728 patch 14
    and 731 patch 5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ06381

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    728

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-05-11

  • Closed date

    2018-10-24

  • Last modified date

    2018-10-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • IBM Security QRadar SIEM, version 728 (Platform Independent)

Document Information

Modified date:
24 October 2018