IBM Support

IJ27346: OFFENSE API CALLS CAN CAUSE A HOSTCONTEXT TXSENTRY TO OCCUR AS NO LIMIT IS APPLIED TO THE NUMBER OF FIELDS TO BE RETURNED

APAR status

  • Closed as program error.

Error description

  • The hostcontext process can experience a TxSentry (process is
    killed when taking too long to complete) that is caused by the
    Offense API not having limits set on the number of fields that
    it can return.
    This behavior can be observed when using some QRadar apps that
    make Offense API calls (e.g., the Incident Overview app).
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=offense_device_link_pkey age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=sensordevicetype age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
    [hostcontext.hostcontext]
    [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host
    X.X.X.X: rel=sensordevice_eccomponentid_idx age=638 granted=t
    mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN
    offense_properties.user'
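
The check below is an added example, not IBM's code or part of the APAR: it scans qradar.log lines for the TxSentry lock warnings quoted above and summarises, per host, which relations were locked and the largest age value reported. The function name, the constructed sample lines, and the assumption that each message occupies a single line in the log are assumptions of this example.

```python
import re

# Shape of the TxSentry lock warning quoted in this APAR (assumed: one line per message).
LOCK_RE = re.compile(
    r"com\.q1labs\.hostcontext\.tx\.TxSentry: \[WARN\].*?"
    r"Lock acquired on host (?P<host>\S+): rel=(?P<rel>\S+) age=(?P<age>\d+) "
    r"granted=(?P<granted>\S+) mode=(?P<mode>\S+) query='(?P<query>.*)'"
)
# Start of the truncated query text shown in the APAR's messages.
OFFENSE_QUERY_PREFIX = "SELECT DISTINCT (CASE WHEN offense_properties."

def find_offense_txsentry_locks(lines):
    """Summarise, per host, TxSentry lock warnings whose query matches the APAR."""
    summary = {}
    for line in lines:
        m = LOCK_RE.search(line)
        if m is None or not m["query"].startswith(OFFENSE_QUERY_PREFIX):
            continue  # not a TxSentry lock warning, or a different query
        entry = summary.setdefault(m["host"], {"rels": set(), "max_age": 0, "count": 0})
        entry["rels"].add(m["rel"])
        entry["max_age"] = max(entry["max_age"], int(m["age"]))
        entry["count"] += 1
    for entry in summary.values():
        entry["rels"] = sorted(entry["rels"])  # stable output for reporting
    return summary

# Constructed sample: the three messages from this APAR joined onto single lines,
# plus two constructed lines that must not match.
_PFX = ("[hostcontext.hostcontext] "
        "[baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] "
        "com.q1labs.hostcontext.tx.TxSentry: [WARN] "
        "[NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: ")
_Q = "granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'"
SAMPLE_LOG = [
    _PFX + "rel=offense_device_link_pkey age=638 " + _Q,
    _PFX + "rel=sensordevicetype age=638 " + _Q,
    _PFX + "rel=sensordevice_eccomponentid_idx age=638 " + _Q,
    _PFX + "rel=example_table age=12 granted=t mode=AccessShareLock query='SELECT 1'",
    "[hostcontext.hostcontext] constructed unrelated log line",
]

if __name__ == "__main__":
    for host, info in find_offense_txsentry_locks(SAMPLE_LOG).items():
        print(host, info["count"], "warnings, max age", info["max_age"], info["rels"])
```
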
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.1 FixPack
    1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.1 FixPack
    1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ27346

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    741

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-08-28

  • Closed date

    2020-09-18

  • Last modified date

    2020-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
19 September 2020