IBM Support

IJ28708: ALL QRADAR EVENT COLLECTION CAN UNEXPECTEDLY STOP WHEN USING A LOG SOURCE WITH THE AMAZON AWS S3 REST API PROTOCOL

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • QRadar administrators can sometimes observe that no events are
    being received/processed by QRadar in instances where they have
    a Log Source in use configured with the Amazon AWS S3 Rest API
    protocol.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread]
    java.lang.RuntimeException: Error attempting to load
    host.q1labs.lab:ecs-ec-ingress/EC_Ingress/Q1Labs_AmazonAWSREST
    Error : java.lang.NoClassDefFoundError:
    com.amazonaws.auth.AWSCredentialsProvider
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] Since
    there isn't a configuration error handler defined, the original
    error is wrapped in a new RuntimeException
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.installChildByName(SystemObj
    ect.java:317)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.sources.EventSourceListenerManager.doWork(EventS
    ourceListenerManager.java:88)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.jav
    a:876)
    [ecs-ec-ingress.ecs-ec-ingress] [ECS Runtime Thread] at
    com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject
    .java:854)
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    3 and 7.3.3 FixPack 8.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.2 FixPack
    3 and 7.3.3 FixPack 8.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ28708

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    733

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-14

  • Closed date

    2021-04-12

  • Last modified date

    2021-05-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"733"}]

Document Information

Modified date:
04 May 2021