IBM Support

IJ28166: LOG SOURCES CONFIGURED TO USE THE WINDOWS EVENT LOG RPC PROTOCOL CAN GO INTO ERROR STATE DISPLAYING 'INTERNAL ERROR'


APAR status

  • Closed as Vendor Solution.

Error description

  • Some log sources that are configured to use the Windows Event
    Log RPC Protocol can go into "Error" state with an "Internal
    Error".
    These instances occur when the Protocol needs to use the jNQ
    jar file.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.ArrayIndexOutOfBoundsException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at jcifs.util.Encdec.dec_uint32le(Encdec.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at ndr.NdrBuffer.dec_ndr_long(NdrBuffer.java:135)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at ndr.NetworkDataRepresentation.readUnsignedLong(NetworkDataRepresentation.java:64)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at com.q1labs.semsources.sources.windowseventrpc.ndr.util.NetworkDataRepresentationAdapter.readUnsignedLong(NetworkDataRepresentationAdapter.java:34)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)
    [ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host [127.0.0.1]]    at com.q1labs.semsources.sources.windowseventrpc.eventsource.common.EventLogWinRegistry.disconnectRemoteRegistry(EventLogWinRegistry.java:245)
    

Local fix

  • No workaround available. APARs identified with no workaround
    may require a software delivery to resolve. This reported issue
    will be considered for a future release and administrators can
    subscribe to the APAR to get updates by clicking on the
    Subscribe button on the right side of this page or ask a
    question about this APAR in our Support Forums.
    https://ibm.biz/qradarforums
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This fix is available in the following RPMs on IBM Fix Central:
    PROTOCOL-SmbTailProtocol-7.3-20201007124637.noarch.rpm
    PROTOCOL-SmbTailProtocol-7.4-20201007123631.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.3-20210315133009.noarch.rpm
    PROTOCOL-WindowsEventRPC-7.4-20210113131122.noarch.rpm
    The PROTOCOL-SmbTailProtocol release is also available in the
    weekly auto update for 25 April 2021 (Build 1619381033). The
    PROTOCOL-WindowsEventRPC RPM release is not included in the auto
    updates. Administrators must download and install the latest
    version of the Microsoft Windows Security Event Log over MSRPC
    RPM file on the Console using the YUM command.
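
Triage helpers for the symptom and fix levels described above, added here as an example and not IBM-supplied code: `affected_hosts` counts, per host, each ArrayIndexOutOfBoundsException whose top frame is jcifs.util.Encdec.dec_uint32le, and `rpm_has_fix` checks an installed PROTOCOL-WindowsEventRPC package name against the builds listed in this APAR. The function names, the sample log lines, and the assumption that the 14-digit build field is a timestamp (so later builds sort higher and carry the fix) are assumptions of this example.

```shell
#!/bin/sh
# Added example for APAR IJ28166 triage. Not IBM-supplied code.

# Read qradar.log (file args or stdin) and print "<host> <count>" for every
# host whose Windows RPC Event Monitor thread logged the APAR signature:
# ArrayIndexOutOfBoundsException immediately followed, for that host, by the
# jcifs.util.Encdec.dec_uint32le frame.
affected_hosts() {
  awk '
    /Windows RPC Event Monitor for host \[/ {
      h = $0
      sub(/.*Windows RPC Event Monitor for host \[/, "", h)
      sub(/\].*/, "", h)                       # h is now the bare host
      if ($0 ~ /java\.lang\.ArrayIndexOutOfBoundsException/) { pending[h] = 1; next }
      if (pending[h] && $0 ~ /jcifs\.util\.Encdec\.dec_uint32le/) hits[h]++
      pending[h] = 0                           # any other line ends the match window
    }
    END { for (h in hits) print h, hits[h] }
  ' "$@" | sort
}

# rpm_has_fix PKG, where PKG is a name as printed by
#   rpm -qa 'PROTOCOL-WindowsEventRPC*'
# Returns 0 if the build is at or above the APAR's fixed build for its stream,
# 1 if older, 2 if the name is not a recognised WindowsEventRPC package.
# Assumption: the 14-digit build field is a timestamp, so newer builds compare higher.
rpm_has_fix() {
  _rest=${1#PROTOCOL-WindowsEventRPC-}
  [ "$_rest" != "$1" ] || return 2
  _build=${_rest#*-}; _build=${_build%%.*}
  case $_build in ''|*[!0-9]*) return 2 ;; esac
  case ${_rest%%-*} in
    7.3) _fixed=20210315133009 ;;
    7.4) _fixed=20210113131122 ;;
    *)   return 2 ;;
  esac
  [ "$_build" -ge "$_fixed" ]
}

# Constructed sample lines (hosts from the 192.0.2.0/24 documentation range).
sample_log() {
  p='[ecs-ec-ingress.ecs-ec-ingress] [Windows RPC Event Monitor for host'
  printf '%s\n' \
    "$p [192.0.2.10]] java.lang.ArrayIndexOutOfBoundsException" \
    "$p [192.0.2.20]] java.lang.NullPointerException" \
    "$p [192.0.2.10]]    at jcifs.util.Encdec.dec_uint32le(Encdec.java:90)" \
    "$p [192.0.2.20]]    at com.visuality.nq.client.rpc.Dcerpc.close(Dcerpc.java:901)"
}
```

On a Console, run `affected_hosts /var/log/qradar.log`, and pass each line of `rpm -qa 'PROTOCOL-WindowsEventRPC*'` to `rpm_has_fix`.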
    

APAR Information

  • APAR number

    IJ28166

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED ISV

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-17

  • Closed date

    2021-04-26

  • Last modified date

    2021-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
27 April 2021