IBM Support

IJ07257: WINCOLLECT AGENTS INSTALLED ON OR POLLING FROM WINDOWS 10 VERSION 1803 (APRIL 2018 UPDATE) STOP RECEIVING SECURITY EVENTS


APAR status

  • Closed as program error.

Error description

  • It has been identified that changes made in Microsoft Windows 10
    version 1803 (April 2018 update) cause locally installed
    WinCollect agents, or agents polling Microsoft Windows 10
    version 1803 computers, to stop receiving Windows security
    events.
    Messages similar to the following might be visible in the
    WinCollect log (default log directory is C:\Program
    Files\IBM\WinCollect\logs) on affected Windows computers that
    are hosting the WinCollect agent:
    05-07 16:34:25.736 INFO  Device.WindowsLog.EventLogMonitor : Opening event log 127.0.0.1 [\\127.0.0.1:Security]...
    05-07 16:34:25.736 DEBUG Device.WindowsLog.EventLogState.127.0.0.1.Application : EndTransaction 1
    05-07 16:34:25.736 INFO  Device.WindowsLog.EventLogMonitor : Event log 127.0.0.1 [\\127.0.0.1:Security] opened.
    05-07 16:34:25.736 DEBUG Device.WindowsLog.EventLogState.127.0.0.1.Security : FetchNumberOfEventsAvailable: Cursor = 2522, NumRecs = 1861, Oldest = 783, NumAvailable = 122
    05-07 16:34:25.736 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool.x16E0 : handling changes to Security on 127.0.0.1...
    05-07 16:34:25.736 DEBUG Device.WindowsLog.WindowsLogDeviceReader.127.0.0.1.Security : ProcessLogChange - Reading Events
    05-07 16:34:25.736 DEBUG Device.WindowsLog.EventLogState.127.0.0.1.Security : FetchNumberOfEventsAvailable: Cursor = 2522, NumRecs = 1861, Oldest = 783, NumAvailable = 122
    05-07 16:34:25.736 ERROR Device.WindowsLog.EventLog.127.0.0.1.Security.Read : ReadEventLog failed. Reason: Error code 1500: The event log file is corrupted.
    05-07 16:34:25.736 WARN  Device.WindowsLog.WindowsLogDeviceReaderPool.x16E0 : An exception occurred when attempting to read event log 127.0.0.1 [\\127.0.0.1:Security]. Reason: ReadEventLog failed - perhaps the event log was either closed or we are shutting down. The event log will be closed and will be re-opened (if appropriate).
    05-07 16:34:25.736 DEBUG Device.WindowsLog.WindowsLogDeviceReaderPool.x16E0 : The exception did not cause the collection for 127.0.0.1 [\\127.0.0.1:Security] to be canceled.
    05-07 16:34:25.736 DEBUG Device.WindowsLog.EventLogState.127.0.0.1.Security : EndTransaction 1
    
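As an added example, not part of the APAR or of WinCollect itself: a small Python checker that parses WinCollect log lines in the format shown above and counts, per polled host, the ERROR entries in which ReadEventLog on the Security channel failed with error code 1500, so affected log sources can be found before applying the workaround. The sample log it runs on is constructed here, modelled on the excerpt above; the line format and component naming are assumptions taken from that excerpt.

```python
import re
from collections import Counter

# One WinCollect log line: "MM-DD HH:MM:SS.mmm LEVEL component : message"
# (format assumed from the APAR excerpt).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<component>\S+)\s+:\s+(?P<msg>.*)$"
)
# The reader component for a channel ends in "<host>.<channel>.Read".
READ_COMPONENT_RE = re.compile(
    r"^Device\.WindowsLog\.EventLog\.(?P<host>.+)\.(?P<channel>[^.]+)\.Read$"
)
ERR_1500_RE = re.compile(r"ReadEventLog failed\. Reason: Error code 1500\b")

# Constructed sample, modelled on the APAR's log excerpt (not a real capture).
SAMPLE_LOG = r"""
05-07 16:34:25.736 INFO  Device.WindowsLog.EventLogMonitor : Opening event log 127.0.0.1 [\\127.0.0.1:Security]...
05-07 16:34:25.736 INFO  Device.WindowsLog.EventLogMonitor : Event log 127.0.0.1 [\\127.0.0.1:Security] opened.
05-07 16:34:25.736 DEBUG Device.WindowsLog.WindowsLogDeviceReader.127.0.0.1.Security : ProcessLogChange - Reading Events
05-07 16:34:25.736 ERROR Device.WindowsLog.EventLog.127.0.0.1.Security.Read : ReadEventLog failed. Reason: Error code 1500: The event log file is corrupted.
05-07 16:34:25.736 WARN  Device.WindowsLog.WindowsLogDeviceReaderPool.x16E0 : An exception occurred when attempting to read event log 127.0.0.1 [\\127.0.0.1:Security]. Reason: ReadEventLog failed - perhaps the event log was either closed or we are shutting down.
05-07 16:34:26.101 ERROR Device.WindowsLog.EventLog.127.0.0.1.Security.Read : ReadEventLog failed. Reason: Error code 1500: The event log file is corrupted.
05-07 16:34:27.002 ERROR Device.WindowsLog.EventLog.10.0.0.5.Application.Read : ReadEventLog failed. Reason: Error code 1500: The event log file is corrupted.
"""

def parse_line(line):
    """Split one log line into ts/level/component/msg, or return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_read_failures(lines, channel="Security"):
    """Count ReadEventLog error-1500 failures per polled host on the given channel."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue  # only the reader's ERROR entries carry the failure reason
        comp = READ_COMPONENT_RE.match(rec["component"])
        if comp and comp.group("channel") == channel and ERR_1500_RE.search(rec["msg"]):
            hits[comp.group("host")] += 1
    return hits

if __name__ == "__main__":
    for host, n in find_read_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {n} Security read failure(s) with error 1500; candidate for the APAR workaround")
```

Point it at the agent's own log directory (C:\Program Files\IBM\WinCollect\logs by default, per the description above) by reading the file and passing its lines to find_read_failures.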

Local fix

  • WinCollect version 7.2.5:
    Edit any QRadar log sources that are experiencing the issue
    above so that they use an XPath query that includes the Security
    event log along with any other event channels being monitored
    (see the latest WinCollect documentation for instructions).
    
    WinCollect 7.2.6 or newer:
    Edit any affected log sources to use the MSEVEN6 protocol, not MSEVEN.
    

Problem summary


Problem conclusion

  • This issue has been fixed in WinCollect version 7.2.9.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ07257

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-06-21

  • Closed date

    2019-05-09

  • Last modified date

    2019-05-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
09 May 2019