IBM Support

IJ23194: EVENT COLLECTION ON APPLIANCES CAN STOP DUE TO AN INCORRECT PIPELINEDISKMONITOR FREE SPACE CALCULATION


APAR status

  • Closed as program error.

Error description

  • The event collection service ecs-ec-ingress on QRadar
    appliances can stop sending events because the
    pipelineDiskMonitor.py script calculates free space
    incorrectly: it does not take into account that there can be
    filesystems mounted under store.
    Note: A "percents=" value greater than 100% in the error
    message below is an indication that this can be the cause of
    event collection stopping (in the example: "percents=148%").
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:

    [ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251  MB, free=-33496697  MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
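
A triage check for the symptom described above, as an added example (not IBM's code and not part of pipelineDiskMonitor.py): it flags PipelineDiskMonitor warnings whose figures are impossible and lists filesystems mounted below the store directory. It assumes one warning per log line and that "store" is the absolute path /store; the sample input is constructed.

```python
import re

# Figures reported in a PipelineDiskMonitor spillover warning.
WARNING_RE = re.compile(
    r"PipelineDiskMonitor has\s+detected that spillover queue threshold is crossed\s*"
    r"\(total=(?P<total>\d+)\s*MB,\s*used=(?P<used>\d+)\s*MB,\s*"
    r"free=(?P<free>-?\d+)\s*MB,\s*percents=(?P<percents>\d+)%"
)

def parse_warning(line):
    """Return the warning's figures as ints, or None for any other line."""
    m = WARNING_RE.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None

def is_impossible(stats):
    """True when usage cannot be real: over 100%, negative free, used > total."""
    return stats["percents"] > 100 or stats["free"] < 0 or stats["used"] > stats["total"]

def scan(lines):
    """Return the figures from every warning that shows the miscalculation."""
    parsed = (parse_warning(line) for line in lines)
    return [s for s in parsed if s and is_impossible(s)]

def nested_mounts(mounts_text, root="/store"):
    """List mount points strictly below root, from /proc/mounts-style text."""
    prefix = root.rstrip("/") + "/"
    points = (f[1] for f in (l.split() for l in mounts_text.splitlines()) if len(f) > 1)
    return sorted(p for p in points if p.startswith(prefix))

# Constructed sample input: the first warning uses the figures quoted in the APAR,
# the second is an invented genuine disk-pressure warning for contrast.
SAMPLE_LOG = """\
[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] [WARN] PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=70252554 MB, used=103749251  MB, free=-33496697  MB, percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] [WARN] PipelineDiskMonitor has detected that spillover queue threshold is crossed (total=1000000 MB, used=960000 MB, free=40000 MB, percents=96%, ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.
[ecs-ec-ingress.ecs-ec-ingress] [main] [INFO] unrelated line
"""
# Constructed /proc/mounts excerpt; device names and mount points are invented.
SAMPLE_MOUNTS = """\
/dev/sda3 / xfs rw 0 0
/dev/sda5 /store xfs rw 0 0
/dev/sdb1 /store/backup xfs rw 0 0
/dev/sdc1 /storetmp xfs rw 0 0
"""

if __name__ == "__main__":
    for s in scan(SAMPLE_LOG.splitlines()):
        print("miscalculated free space:", s)
    print("filesystems mounted under /store:", nested_mounts(SAMPLE_MOUNTS))
```

On an appliance, pass the lines of /var/log/qradar.log to `scan` and the contents of /proc/mounts to `nested_mounts`.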
    

Local fix

  • NOTE - enter the command on a single line.
    
    Run the following from the command line on all QRadar
    appliances:
    # sed -i.bak 's/du -sB/du -xsB/' /opt/qradar/bin/pipelineDiskMonitor.py
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Fix Pack
    3 and 7.4.0 Fix Pack 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 Fix Pack
    3 and 7.4.0 Fix Pack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ23194

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-03-04

  • Closed date

    2020-04-15

  • Last modified date

    2020-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW


Document Information

Modified date:
16 April 2020