IBM Support

IJ26689: FORWARDING NORMALIZED FLOWS THAT ARE ASSOCIATED TO A DOMAIN FAILS WITH A BUFFERUNDERFLOWEXCEPTION WRITTEN TO QRADAR LOGGING


APAR status

  • Closed as program error.

Error description

  • Forwarding normalized flows that are associated to a domain on
    the sending side to another deployment fails and a
    BufferUnderflowException is generated in QRadar logging.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41902 : RuntimeException : 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.lang.Thread.run(Thread.java:818)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] ... 8 more
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41930 : RuntimeException : 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.lang.Thread.run(Thread.java:818)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
    [ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] ... 8 more
    

Local fix

  • Potential workaround for this issue:
    Note: This will impact all event and flow forwarding of
    normalized data, setting it to the default domain.
    
    
    
    1) On the QRadar console that is sending:
    vi /store/configservices/staging/globalconfig/nva.conf
    Add and save the following:
    IS_DOMAIN_FORWARDING=0
    2) Perform a QRadar Deploy function
    3) On the Managed Host that is sending events or flows, restart
    the ecs-ec service:
    systemctl restart ecs-ec
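
    A triage helper for the log signature and workaround above, as an added example that is not IBM tooling: apar_ij26689_scan summarises matching decode failures in a qradar.log and domain_forwarding_state reports the staged IS_DOMAIN_FORWARDING value. The function names, the last-assignment-wins reading of nva.conf and the sample lines (constructed from the excerpt on this page) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not IBM tooling). Paths default to the ones named on this page.

# Summarise decode failures matching the APAR text; "-" reads stdin.
# Exit 0 only if the WARN message, the BufferUnderflowException cause and the
# CustomPropertyRecord.fromByteBufferForMPC frame are all present.
apar_ij26689_scan() {
  awk '
    function num(re, skip) {
      return match($0, re) ? substr($0, RSTART + skip, RLENGTH - skip) + 0 : -1
    }
    /ReceiverServer:ecs-ep/ && /RuntimeException : [0-9]+ records read/ && /ECSMappingAll/ {
      peer = match($0, "Error: /[0-9.]+:[0-9]+") ? substr($0, RSTART + 8, RLENGTH - 8) : "?"
      # remaining = lim - pos of the DirectByteBuffer printed in the message
      printf "peer=%s records_read=%d expected_record=%d remaining=%d\n", peer,
        num("[0-9]+ records read", 0), num("expected record size: [0-9]+", 22),
        num("lim=[0-9]+", 4) - num("pos=[0-9]+", 4)
      hits++
    }
    /Caused by: java\.nio\.BufferUnderflowException/ { cause++ }
    /CustomPropertyRecord\.fromByteBufferForMPC/ { frame++ }
    END {
      printf "decode_failures=%d underflow_causes=%d mpc_frames=%d\n", hits, cause, frame
      exit !(hits && cause && frame)
    }
  ' "${1:-/var/log/qradar.log}"
}

# Print the staged IS_DOMAIN_FORWARDING value, or "unset".
# Assumption: if the key appears more than once, the last assignment wins.
domain_forwarding_state() {
  awk -F= '$1 == "IS_DOMAIN_FORWARDING" { v = $2 }
           END { print (v == "" ? "unset" : v) }' \
    "${1:-/store/configservices/staging/globalconfig/nva.conf}"
}

# Constructed sample: lines from the excerpt on this page, rejoined whole.
sample_log() {
  p='[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]'
  s='Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1'
  printf '%s\n' \
    "$p com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41902 : RuntimeException : 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], $s" \
    "$p Caused by: java.nio.BufferUnderflowException" \
    "$p at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)" \
    "$p at java.lang.Thread.run(Thread.java:818)"
}

sample_log | apar_ij26689_scan -
```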
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    2 and 7.3.3 FixPack 8.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    2 and 7.3.3 FixPack 8.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26689

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-29

  • Closed date

    2021-01-26

  • Last modified date

    2021-05-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
04 May 2021