IBM Support

IJ12221: ARIELUTILS.JAVA REPEATEDLY WRITING UNNECESSARILY TO LOG FILES IN /VAR/LOG/


APAR status

  • Closed as program error.

Error description

  • It has been identified that ArielUtils.java can repeatedly write
    unnecessary messages to /var/log/qradar.error and qradar.log,
    similar to the following:
    Dec 10 12:21:12 ::ffff:IP_ADDRESS [ecs-ep.ecs-ep]
    [855c5069-dec7-433e-b343-dd9a975ed8f7/SequentialEventDispatcher]
    com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException
    : No property 'Account Locked Out Security ID' exists in set:
        ACF2 rule key
        APIContextPath
        APIMethod
        APIPathInfo
        APIQueryString
        AQL Statement
        AVT-App-Category
        AVT-App-NAme
        AVT-App-VolumeBytes
        Access allowed
        Access intent
        Access of unix ACL group
        Access of unix ACL user
        Accesses
        AccountDomain
        AccountID
        AccountName
        Action
        Action Result
        Active Offense Count
        Affected Rows
        Affected Workload
        Allowed cipher priority order
        Analyzer
        Analyzer Host Name
        Analyzer Name
        Anomali_Domains
        App User
        Application
        Application Category
        Application User ID
        Application name
        Ariel Aggregates
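
To confirm that a noisy qradar.error matches this APAR before changing any log level, the following added example (not IBM code) groups each UnknownPropertyException header with its indented property-set dump and counts records and lines per missing property. The line format is assumed from the message quoted above; `SAMPLE`, the address 192.0.2.10, the unrelated last line, and the names `summarize`, `HEADER`, `MISSING` and `TARGET` are constructed for illustration.

```python
import re
from collections import Counter

# Header layout assumed from the single message quoted in this APAR:
# timestamp, host, [process], [thread], exception class, ": ", message
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \[(?P<proc>[^\]]+)\] "
    r"\[(?P<thread>[^\]]+)\] (?P<cls>[\w.$]+)\s*: (?P<msg>.*)$")
MISSING = re.compile(r"No property '(?P<prop>[^']+)' exists in set:")
TARGET = "com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException"

# Constructed sample input (not taken from a real system).
SAMPLE = """\
Dec 10 12:21:12 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [855c5069-dec7-433e-b343-dd9a975ed8f7/SequentialEventDispatcher] com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException: No property 'Account Locked Out Security ID' exists in set:
    ACF2 rule key
    APIContextPath
    APIMethod
Dec 10 12:21:13 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [855c5069-dec7-433e-b343-dd9a975ed8f7/SequentialEventDispatcher] com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException: No property 'Account Locked Out Security ID' exists in set:
    ACF2 rule key
    APIContextPath
Dec 10 12:21:14 ::ffff:192.0.2.10 [other-proc.other-proc] [worker-1] com.example.Other: unrelated message
""".splitlines()


def summarize(lines):
    """Count UnknownPropertyException records per (process, missing property)
    and the number of log lines they occupy, including the dumped set."""
    records = Counter()
    noise_lines = 0
    total = 0
    in_record = False  # True while reading the indented dump of a matching record
    for line in lines:
        line = line.rstrip("\n")
        total += 1
        m = HEADER.match(line)
        if m:
            hit = MISSING.search(m["msg"]) if m["cls"] == TARGET else None
            in_record = hit is not None
            if hit:
                records[(m["proc"], hit["prop"])] += 1
                noise_lines += 1
        elif in_record and line[:1] in (" ", "\t"):
            noise_lines += 1  # one dumped property name belonging to the record
        else:
            in_record = False
    return {"records": records, "noise_lines": noise_lines, "total_lines": total}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing `noise_lines` with `total_lines` shows how much of the file the repeated property-set dump accounts for, and the per-property counts show which custom property lookups trigger it.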
    

Local fix

  • This logging can be disabled by running mod_log4j.pl in an SSH
    session on the Console:
    /opt/qradar/support/mod_log4j.pl
    Enter 3 for Advanced Menu
    Enter 2 for 'Add a new logger'
    Paste the class path: com.q1labs.core.shared.ariel.ArielUtils
    Enter 4 for 'OFF'
    Enter * for 'All of the above'
    Press Enter
    Enter CQ for 'Commit changes and quit this program'
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.0.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.0.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ12221

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-12-19

  • Closed date

    2020-03-18

  • Last modified date

    2020-03-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
27 March 2020