IBM Support

IJ26098: 'AN IO ERROR OCCURRED ON SERVER(S)...' CAN OCCUR DURING SEARCHES AFTER A HOST HAS HAD ITS IP ADDRESS CHANGED

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Removing a non encrypted host from a QRadar deployment that has
    ariel running, changing it's IP address (using
    qchange_netsetup) and then re-adding the host to the QRadar
    deployment can result in ariel searches (eg. in the Log
    Activity tab) to that managed host reporting errors similar to:
    'An IO error occurred on server(s) XXXXXX:ZZZZ. Please try
    again." (where XXXXX is the hostname of managed host that had
    its IP address changed and ZZZZ is the ariel port).
    Example steps that can identify this behavior occurring:
    1) QRadar environment where the Console and managed host (eg
    Event Processor EP) are not encrypted.
    2) Verify that searches are working (eg Log Activity tab).
    3) Perform the proper documented steps to remove the EP from
    the deployment
    4) Perform the proper documented steps to use
    qchange_netsetup to change the IP address of the managed host
    (without changing the hostname).
    5) Perform the proper documented steps to re-add the host into
    the deployment
    6) Once the deploy has been completed attempt a basic search on
    that EP in Log Activity (eg. last 5 minutes)
    A message similar to the following might be genereated in the
    Log Activity search screen:
    "An IO error occurred on server(s) XXXXXX:ZZZZ. Please try
    again." Where XXXXX is hostname of box that was re ip addressed
    and ZZZZ is the ariel port.
    

Local fix

  • Using a command line tool such as vi, find and comment out or
    remove the entries for the old IP address in /etc/hosts on the
    QRadar Console.
    Attempt the search again.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.3.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26098

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-07

  • Closed date

    2021-05-25

  • Last modified date

    2021-05-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"730"}]

Document Information

Modified date:
26 May 2021