IBM Support

IJ16819: OFFENSES CAN FAIL TO GENERATE AND OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that Offenses can fail to generate and
    or Offense data can fail to update when a username or hostname
    in an asset exceeds 255 characters.
    When this issue is occuring, the magistrate (MPC) continuously
    attempts to recover and repeatedly experiences a TX Sentry
    reported in /var/log/qradar.log with entries similar to:
    'Multiple (101) TX's found, attempting recovery'
    Messages similar to the following might be visible in
    qradar-sql.log when this issue is occuring:
    postgres[49684]: [3-1] ERROR:  value too long for type
    character varying(255)
    postgres[49684]: [3-2] CONTEXT:  SQL statement "INSERT into
    offense_target_link (offense_id, target_id, add_time,
    macaddress, hostname, username)
    postgres[49684]: [3-3]                 values (p_offense,
    v_target, extract (epoch from now())::int8, substring
    (v_identity.macaddress from 1 for 17), v_identity.hostname,
    v_identity.username)"
    postgres[49684]: [3-4]   PL/pgSQL function
    link_offense_targets(bigint,character varying,integer) line 34
    at SQL statement
    postgres[49684]: [3-5] STATEMENT:  select * from
    link_offense_targets($1,$2, $3, $4)  as result
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Patch 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Patch 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ16819

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    728

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-06-13

  • Closed date

    2019-12-09

  • Last modified date

    2019-12-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"728","Edition":""}]

Document Information

Modified date:
09 December 2019