IBM Support

IJ21155: EXCESSIVE LOGGING OF MESSAGE 'TRAFFIC ANALYSIS WILL CREATE NEW DEVICES WITH EVENT COALESCING TURNED ON'


APAR status

  • Closed as program error.

Error description

  • Excessive log messages similar to the following might appear
    in /var/log/qradar.log:

    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event payload storage turned on

    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event coalescing turned on
    

Local fix

  • You can turn off logging for the TrafficAnalysisFilter class
    to prevent it from filling the logs.
    From a command line on the QRadar Console, run:
    /opt/qradar/support/mod_log4j.pl
    Enter your name for audit
    Select 3 for Advanced Menu
    Select 2) for Add a new Logger
    Enter the classpath:
    com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter
    Select 4) Off
    Select * for All of the above
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 GA and
    7.3.2 Patch 6.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 GA and
    7.3.2 Patch 6.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ21155

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-11-22

  • Closed date

    2020-01-09

  • Last modified date

    2020-01-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW


Document Information

Modified date:
09 January 2020