IBM Support

IJ26748: AMAZON AWS S3 REST API PROTOCOL CAN POLL FOR PREVIOUSLY PROCESSED EVENTS DUE TO AN AWS API CHANGE


 

APAR status

  • Closed as program error.

Error description

  • When using the Amazon AWS S3 REST API protocol, the QRadar
    appliance can poll for older events. This causes Amazon AWS S3
    and Cisco Umbrella log sources to poll for events that were
    previously processed by QRadar. Previously, QRadar used a
    marker file to determine the last polling interval, which
    ensured that API queries against the polled AWS S3 buckets did
    not request older events. This functionality has changed
    recently in the Amazon AWS REST API. The root cause of this
    issue is a transition of the Amazon AWS REST API to use a new
    startAfter key value in API queries.
    
    The issue is reported in the following protocol versions:
    
    AmazonAWSRESTAPI-7.3-20200618175646.noarch.rpm
    AmazonAWSRESTAPI-7.4-20200619004601.noarch.rpm
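
The re-polling behaviour described above can be reproduced with a small in-memory simulation. This is an added example, not IBM or QRadar code: the object keys, function names and page size are constructed, and `list_page` only mimics the start-after semantics of an ordered listing (return keys strictly after the given key).

```python
from bisect import bisect_right

def make_keys(days):
    """Constructed sample object keys; ordered listings return them ascending."""
    return sorted(f"logs/2020-07-{d:02d}/events-{h:02d}.gz"
                  for d in days for h in (0, 12))

def list_page(keys, start_after="", token=None, max_keys=2):
    """Mimic one listing page: keys strictly after start_after, max_keys at a time."""
    begin = token if token is not None else bisect_right(keys, start_after)
    end = begin + max_keys
    return keys[begin:end], (end if end < len(keys) else None)

def poll(keys, checkpoint, send_start_after):
    """Run one polling cycle; return (keys fetched, new checkpoint)."""
    # If the checkpoint is not sent as the start-after key, listing starts at the top.
    start = checkpoint if send_start_after else ""
    fetched, token = [], None
    while True:
        page, token = list_page(keys, start_after=start, token=token)
        fetched.extend(page)
        if token is None:
            break
    return fetched, max([checkpoint, *fetched])

def simulate(send_start_after):
    """Two cycles against a growing bucket; return keys ingested more than once."""
    seen, duplicates, checkpoint = set(), [], ""
    for days in ((29, 30), (29, 30, 31)):  # bucket gains a day between polls
        fetched, checkpoint = poll(make_keys(days), checkpoint, send_start_after)
        duplicates += [k for k in fetched if k in seen]
        seen.update(fetched)
    return duplicates, checkpoint

if __name__ == "__main__":
    for flag in (True, False):
        dups, cp = simulate(flag)
        print(f"start-after sent={flag}: {len(dups)} duplicate keys, checkpoint={cp}")
```

The same duplicate check (keys already seen in an earlier cycle) is a useful way to confirm from the SIEM side whether a log source is re-ingesting previously processed objects.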
    

Local fix

  • An update is in progress for the Amazon AWS S3 REST API
    protocol to include a new startAfter key in event queries. A
    protocol RPM update is required to resolve this issue. To
    determine your current Amazon AWS S3 REST API protocol version,
    use the Admin > Auto Update icon in the QRadar user interface
    or run yum info PROTOCOL-AmazonAWS from the command line.
    Administrators with impacted protocol versions can subscribe to
    this APAR or open a case for QRadar Support and reference the
    APAR number.
    

Problem summary

  • This fix is available in the weekly auto update for 19 January
    2021 (Build 1610658801) and in the following RPMs on IBM Fix
    Central:
    PROTOCOL-AmazonAWSRESTAPI-7.3-20201202211715.noarch.rpm
    PROTOCOL-AmazonAWSRESTAPI-7.4-20201202211650.noarch.rpm
    

Problem conclusion

  • This fix is available in the weekly auto update for 19 January
    2021 (Build 1610658801) and in the following RPMs on IBM Fix
    Central:
    PROTOCOL-AmazonAWSRESTAPI-7.3-20201202211715.noarch.rpm
    PROTOCOL-AmazonAWSRESTAPI-7.4-20201202211650.noarch.rpm
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ26748

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-07-31

  • Closed date

    2021-01-26

  • Last modified date

    2021-01-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
27 January 2021