IBM Support

IJ26183: ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL

APAR status

  • Closed as Vendor Solution.

Error description

  • In some instances, the ecs-ec-ingress process (required for
    event collection) can experience out-of-memory occurrences that
    are caused by Log Sources using the Windows IIS Protocol when
    an incorrect .jar file is referenced for use.
    Messages similar to the following, which reference a Log
    Source connecting to an SMB host, might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
    [x.x.x.x][smb://x.x.x.x/LogFiles/]]
    com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
    -][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
    error for file W3SVC13 status = -1073741790 (0xc0000022)
    (0xC0000022)
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This fix is available in the following RPMs on IBM Fix Central:
    
    PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
    PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
    
    PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm
    
    The PROTOCOL-SmbTailProtocol release is also available in the
    weekly auto update for 25 April 2021 (Build 1619381033). The
    PROTOCOL-WindowsEventRPC RPM release is not included in
    automatic updates. Administrators must download and install the
    latest version of the Microsoft Windows Security Event Log over
    MSRPC RPM file on the Console using the YUM command.
    

APAR Information

  • APAR number

    IJ26183

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED ISV

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-13

  • Closed date

    2021-04-26

  • Last modified date

    2021-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
27 April 2021