IBM Support

IJ11494: QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY 'MYSPACE' INSPECTOR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that the 'MySpace' inspector QRadar
    Network Insights (QNI) component can cause QNI decapper
    service Out of Memory instances and a coredump file to be
    generated in /store/jheap on the QNI appliance.
    QNI cannot process flow traffic as expected while the decapper
    service is not running.
    
     [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".
    Core was generated by
    `/opt/ibm/forensics/decapper/decap/decapper -c
    /opt/qradar/conf/forensics_config'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x00007fe7d0fb62ab in std::string::assign(char const*,
    unsigned long) () from /lib64/libstdc++.so.6
    #0 0x00007fe7d0fb62ab in std::string::assign(char const*,
    unsigned long) () from /lib64/libstdc++.so.6
    #1 0x00007fe6441448a7 in assign (__s=0x7fe64415214a ",",
    this=0x7fe68420e440) at
    /usr/include/c++/4.8.2/bits/basic_string.h:1131
    #2 operator= (__s=0x7fe64415214a ",", this=0x7fe68420e440) at
    /usr/include/c++/4.8.2/bits/basic_string.h:555
    #3 QueryResponsePacket::getCSVDataFile (this=0x7fe68420e400,
    session=session@entry=0x7fe2e70bb330) at MysqlPacket.cpp:618
    #4 0x00007fe64413d1a7 in MysqlSession::readServerResponseTask
    (this=0x7fe2e70bb330) at NGLdpiMysql.cpp:220
    #5 0x00007fe7d4acfb99 in Session::executeTask
    (this=0x7fe2e70bb330) at Session.cpp:89
    #6 0x00007fe7d4aa8d42 in InspectorMgrImpl::processData
    (this=0x7fe3f3beb3f0, input=...) at InspectorMgr.cpp:277
    #7 0x00007fe7d4aab3de in
    call<boost::shared_ptr<InspectorMgrImpl>,
    boost::shared_ptr<InspectorDataImpl> > (b1=..., u=...,
    this=<optimized out>) at
    /usr/include/boost/bind/mem_fn_template.hpp:156
    #8 operator()<boost::shared_ptr<InspectorMgrImpl> > (a1=...,
    u=..., this=<optimized out>) at
    /usr/include/boost/bind/mem_fn_template.hpp:171
    #9 operator()<boost::_mfi::mf1<void, InspectorMgrImpl,
    boost::shared_ptr<InspectorDataImpl> >, boost::_bi::list0>
    (a=<synthetic pointer>, f=..., this=<optimized out>) at
    /usr/include/boost/bind/bind.hpp:313
    #10 operator() (this=<optimized out>) at
    /usr/include/boost/bind/bind_template.hpp:20
    #11
    boost::detail::function::void_function_obj_invoker0<boost::_bi::
    bind_t<void, boost::_mfi::mf1<void, InspectorMgrImpl,
    boost::shared_ptr<InspectorDataImpl> >,
    boost::_bi::list2<boost::_bi::value<boost::shared_ptr<InspectorM
    grImpl> >,
    boost::_bi::value<boost::shared_ptr<InspectorDataImpl> > > >,
    void>::invoke (function_obj_ptr=...) at
    /usr/include/boost/function/function_template.hpp:153
    #12 0x00007fe7d4af6f2a in operator() (this=0x7fe3f3beb438) at
    /usr/include/boost/function/function_template.hpp:767
    #13 Schedulable::execute (this=0x7fe3f3beb3f0) at
    ThreadPool.cpp:370
    #14 0x00007fe7d4af54e1 in operator() (this=<optimized out>) at
    /usr/include/boost/function/function_template.hpp:767
    #15 WorkGroupImpl::executeThread (this=0x7fe4505debf0, task=...)
    at ThreadPool.cpp:143
    #16 0x00007fe7d4af9d5e in operator() (a1=..., p=0x7fe4505debf0,
    this=0x7fdffcb32aa0) at
    /usr/include/boost/bind/mem_fn_template.hpp:165
    #17 operator()<boost::_mfi::mf1<void, WorkGroupImpl,
    boost::function0<void> >, boost::_bi::list0> (a=<synthetic
    pointer>, f=..., this=0x7fdffcb32ab0) at
    /usr/include/boost/bind/bind.hpp:313
    #18 operator() (this=0x7fdffcb32aa0) at
    /usr/include/boost/bind/bind_template.hpp:20
    #19
    boost::detail::function::void_function_obj_invoker0<boost::_bi::
    bind_t<void, boost::_mfi::mf1<void, WorkGroupImpl,
    boost::function0<void> >,
    boost::_bi::list2<boost::_bi::value<WorkGroupImpl*>,
    boost::_bi::value<boost::function0<void> > > >, void>::invoke
    (function_obj_ptr=...) at
    /usr/include/boost/function/function_template.hpp:153
    #20 0x00007fe7d4af86c3 in operator() (this=0x7fe6a5ffaca0) at
    /usr/include/boost/function/function_template.hpp:767
    #21 ThreadPool::execute (this=0x16e31f80, indx=<optimized out>)
    at ThreadPool.cpp:272
    #22 0x00007fe7d328027a in thread_proxy () from
    /lib64/libboost_thread-mt.so.1.53.0
    #23 0x00007fe7d03fedd5 in start_thread () from
    /lib64/libpthread.so.0
    #24 0x00007fe7d0711b3d in clone () from /lib64/libc.so.6
    

Local fix

  • No workaround available.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.1 patch 8
    and 7.3.2 patch 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.1 patch 8
    and 7.3.2 patch 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ11494

  • Reported component name

    QR INCIDENT FOR

  • Reported component ID

    5725QIFSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-11-22

  • Closed date

    2019-04-15

  • Last modified date

    2019-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QR INCIDENT FOR

  • Fixed component ID

    5725QIFSW

Applicable component levels

  • R731 PSY

       UP

  • R732 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SS6E69","label":"IBM QRadar Network Insights"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""},{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSUK44","label":"IBM Security QRadar Incident Forensics"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
15 April 2019