IBM Support

IJ31840: LOG SOURCES CONFIGURED FOR IBM SECURITY IDENTITY MANAGER JDBC CAN FAIL TO PARSE AS EXPECTED

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • Log Sources configured for use with IBM Security Identity
    Manager JDBC can fail to work as expected.
    
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
    Provider Thread: class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
    [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
    Provider Thread: class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
    [INFO] [NOT:0000006000][epIp/- -] [-/- -]Provider 'class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018' stopped.
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]Polling interval in
    milliseconds = 30000
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]jdbc session
    properties file already exists, loading its values
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [WARN] [NOT:0000004000][epIp/- -] [-/- -]null on
    DB2//ITIMDB@dbHost
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.jdbc.SourceDatabaseType$2.composeU
    rl(SourceDatabaseType.java:90)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.jdbc.JdbcEventConnector.connect(Jd
    bcEventConnector.java:482)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.jdbc.JdbcEventConnector.preExecute
    Configure(JdbcEventConnector.java:1060)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r.preExecuteConfigure(IBMSIMJDBCEventConnector.java:483)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
    ider.java:179)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [ERROR] [NOT:0000003000][epIp/- -] [-/- -]Unable to obtain a
    comparable value for the RECERTIFICATIONLOG table!
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]
    java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r.preExecuteConfigure(IBMSIMJDBCEventConnector.java:500)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-4540021]   at
    com.q1labs.semsources.sources.base.SourceProvider.run(SourceProv
    ider.java:179)
    [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
    Provider Thread: class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
    [INFO] [NOT:0000006000][epIp/- -] [-/- -]IBMSIMJDBC provider
    'class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018' config ok; now trying to run...
    [ecs-ec-ingress.ecs-ec-ingress]
    [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher]
    com.q1labs.semsources.sources.base.SourceConfigDB: [INFO]
    [NOT:0000006000][epIp/- -] [-/- -]Updating provider (id = 2018)
    because its parameters have changed.
    [ecs-ec-ingress.ecs-ec-ingress]
    [a5a99e1b-3d31-4659-8586-b5dcbbe148c6/SequentialEventDispatcher]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventSource:
    [INFO] [NOT:0000006000][epIp/- -] [-/- -]Stopping provider
    'class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018'.
    [ecs-ec-ingress.ecs-ec-ingress] [DB2//ITIMDB@dbHost Protocol
    Provider Thread: class
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r2018]
    com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
    r: [INFO] [NOT:0000006000][epIp/- -] [-/- -]disconnected
    

Local fix

  • 1) Open the affected Log Source
    2) Save it
    Verify that the Log Source is parsing the expected data from
    new events after re-saving it.
    Note: In some instances, a change to the Log Source might be
    needed, then save the Log Source anc cehck for proper event
    parsing.
    

Problem summary

  • This issue will not be fixed.
    

Problem conclusion

  • This issue will not be fixed.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ31840

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-29

  • Closed date

    2021-04-15

  • Last modified date

    2021-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"730"}]

Document Information

Modified date:
16 April 2021