IBM Support

IJ18087: 'MISSING PATCHES' REPORT CAN FAIL TO GENERATE WHEN THERE IS A LARGE SET OF VULNERABILITY SCAN DATA

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • It has been identified that when there is a large set of
    vulnerability data from vulnerability scans and the default
    'Missing Patches' report is run, the report shows as
    'Generating' until it stops and never actually generates.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [hostcontext.hostcontext]
    [66578912-36e5-4812-b5b4-dd8b8cb1fd30/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
    127.0.0.1 report_runner, pid=65806, TX age=651 secs
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • Changing the tx sentry limit from 10 minutes to 30 minutes and
    also increasing the report_runner memory via
    report_runner.ovveride can avoid the issue. Also another
    workaround is to avoid using the saved search 'Default All' and
    narrow it down more.
    

Problem conclusion

  • Changing the tx sentry limit from 10 minutes to 30 minutes and
    also increasing the report_runner memory via
    report_runner.ovveride can avoid the issue. Also another
    workaround is to avoid using the saved search 'Default All' and
    narrow it down more.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ18087

  • Reported component name

    QR VULNERABILIT

  • Reported component ID

    5725QVMSW

  • Reported release

    732

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-02

  • Closed date

    2020-01-07

  • Last modified date

    2020-01-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSHLPS","label":"IBM Security QRadar Vulnerability Manager"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"732","Edition":""}]

Document Information

Modified date:
07 January 2020