IBM Support

IJ21698: QRADAR NETWORK INSIGHTS DECAPPER CAN CRASH AND GENERATE A COREDUMP


APAR status

  • Closed as program error.

Error description

  • The QRadar Network Insights (QNI) decapper can crash and
    generate a coredump.
    These particular decapper coredump instances are related to a
    DTLS error. Support can analyze the generated coredump to
    further determine whether this is the issue affecting the QNI
    decapper.
    Messages similar to the following might be visible in
    /var/log/messages and /var/log/qradar.log when this issue is
    occurring:
    messages log file
    [578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
    [6921]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
    [32451]: Process 15846 (decapper) of user 99 killed by SIGABRT - dumping core
    [15466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
    [18330]: Process 24891 (decapper) of user 99 killed by SIGABRT - dumping core
    [26649]: Process 24823 (decapper) of user 99 killed by SIGABRT - dumping core
    [23568]: Process 6960 (decapper) of user 99 killed by SIGABRT - dumping core
    [14450]: Process 5803 (decapper) of user 99 killed by SIGABRT - dumping core
    [30995]: Process 18982 (decapper) of user 99 killed by SIGABRT - dumping core
    qradar.log file
    decapper - INFO - rtf for rtf0 died - return code: -6
    decapper - INFO - Started rtf process for case rtf0
    decapper: [main] decapper.keybag: [INFO] Reading keybag configuration......
    decapper: [main] decapper.APPID: [INFO] Reading signature file....
    decapper: [main] decapper.yara: [INFO] YaraRules: Reading rule file......
    decapper: [main] decapper.yara: [WARN] YaraRules: Config file is empty.
    decapper: [main] decapper: [INFO] rtf0: Processing napatech
    [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to ACTIVE
    decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(1938480, 32297/sec), Octets(909349284, 15150791/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec))
    decapper: [] decapper.capture: [INFO] rtf1: [1] Content Scan Stats 60 sec: Requests(8873, 147/sec) Throttled(0, 0/sec) Filtered(2, 0/sec)
    decapper: [] decapper.capture: [INFO] rtf1: [1] Flow Report Stats 60 sec: Std(33000, 549/sec, 10406 unique) Content(32041, 533/sec) Dropped(0, 0/sec)
    

Local fix

  • No workaround available.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Fix Pack
    3 and 7.4.0 Fix Pack 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Fix Pack
    3 and 7.4.0 Fix Pack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ21698

  • Reported component name

    QR INCIDENT FOR

  • Reported component ID

    5725QIFSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-17

  • Closed date

    2020-04-15

  • Last modified date

    2020-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QR INCIDENT FOR

  • Fixed component ID

    5725QIFSW

Applicable component levels

  • Business Unit

    Cloud & Data Platform (BU053)

  • Product

    IBM QRadar Network Insights (SS6E69)

  • Platform

    Platform Independent (PF025)

Document Information

Modified date:
16 April 2020