IBM Support

IJ26093: LOG SOURCES USING UDP MULTILINE SYSLOG CAN STOP RECEIVING EVENTS AFTER AN ECS-EC-INGRESS SERVICE RESTART OCCURS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • In some instances when the ecs-ec-ingress service (needed for
    event collection) restart occurs (eg. can occur after an
    autoupdate is applied), the UDP multiline syslog provider does
    not shutdown fast enough.  When the provider attempts to start
    up, the old version of the provider is still locked to port
    517, so the new instance cannot open the port.
    When this situation occurs, the provider cannot start and
    therefore cannot receive events as expected.
    

Local fix

Problem summary

  • Resolves an issue where in some instances when the
    ecs-ec-ingress service (needed for event collection) restart
    occurs (eg. can occur after an autoupdate is applied), the UDP
    multiline syslog provider does not shutdown fast enough.  When
    the provider attempts to start up, the old version of the
    provider is still locked to port 517, so the new instance cannot
     open the port.
    
    When this situation occurs, the provider cannot start and
    therefore cannot receive events as expected.
    
    This fix is available in the weekly auto update for 6 October
    2021 and in the following RPM(s) on IBM Fix Central:
    PROTOCOL-UDPMultilineSyslog-7.3-20210705183815.noarch.rpm
    PROTOCOL-UDPMultilineSyslog-7.4-20210705183817.noarch.rpm
    

Problem conclusion

  • This fix is available in the weekly auto update for 6 October
    2021 and in the following RPM(s) on IBM Fix Central:
    PROTOCOL-UDPMultilineSyslog-7.3-20210705183815.noarch.rpm
    PROTOCOL-UDPMultilineSyslog-7.4-20210705183817.noarch.rpm
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26093

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    740

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-07

  • Closed date

    2021-10-26

  • Last modified date

    2021-10-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"740"}]

Document Information

Modified date:
27 October 2021