IBM Support

IJ31843: WINCOLLECT 7.3.0 P1 AGENTS CAN STOP SENDING LOGS WHEN INFORMATION AND WARN EVENT TYPES ARE NOT SELECTED


APAR status

  • Closed as program error.

Error description

  • WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when
    the Information and Warning event types are not selected.
    When this issue occurs, the logs on affected WinCollect agent
    hosts contain messages that include "Error code 15001: The
    specified query is invalid." once the host agent logs are
    placed into debug.
    To place a WinCollect agent host into debug:
    https://www.ibm.com/support/pages/node/6404330#localsrv
    Note: Disable debug as soon as possible to prevent log bloat.
    

Local fix

  • 1) Ensure that information and warning messages are selected
    to be sent to QRadar from the WinCollect agent.
    or
    2) Configure an XPath query to retrieve the required Critical
    and Error logs:
    https://www.ibm.com/support/pages/how-use-xpath-queries-wincollect-suppress-specific-events
    For example:
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
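
Before deploying an XPath query such as the one above to an agent, it can be checked on the Windows host itself. The following PowerShell is an added example, not IBM code: it builds the same Level=1/Level=2 QueryList for one or more channels and asks the local Windows Event Log service whether it accepts the query. The function names and the channel list are illustrative assumptions.

```powershell
# Added example (not IBM code). Function names and channels are illustrative.

function New-LevelQueryList {
    param(
        [string[]]$Channel = @('System'),
        [int[]]$Level = @(1, 2)   # 1 = Critical, 2 = Error, as in the APAR example
    )
    $levelExpr = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $id = 0
    $queries = foreach ($c in $Channel) {
        # XML-escape the channel name before placing it in an attribute
        $path = [System.Security.SecurityElement]::Escape($c)
        "  <Query Id=`"$id`" Path=`"$path`">`n" +
        "    <Select Path=`"$path`">*[System[($levelExpr)]]</Select>`n" +
        "  </Query>"
        $id++
    }
    "<QueryList>`n" + ($queries -join "`n") + "`n</QueryList>"
}

function Test-EventQuery {
    param([Parameter(Mandatory)][string]$QueryXml)
    try {
        $doc = [xml]$QueryXml   # throws if the text is not well-formed XML
        # Ask the Event Log service to run the query; one event is enough
        Get-WinEvent -FilterXml $doc -MaxEvents 1 -ErrorAction Stop | Out-Null
        'accepted'
    }
    catch {
        # A valid query with nothing to return is still a valid query
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'accepted (no matching events)'
        }
        else {
            "rejected: $($_.Exception.Message)"
        }
    }
}

# Build the query for two channels, show it, then validate it locally
$xml = New-LevelQueryList -Channel 'System', 'Application'
$xml
Test-EventQuery -QueryXml $xml
```

A "rejected" result means the query should be corrected before it is configured on the log source; an "accepted" result only confirms that the Event Log service can parse and run it on that host.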
    

Problem summary

  • WinCollect 7.3.0 P1 agents can stop sending logs to QRadar when
    the Information and Warning event types are not selected.
    When this issue occurs, the logs on affected WinCollect agent
    hosts contain messages that include "Error code 15001: The
    specified query is invalid." once the host agent logs are
    placed into debug.
    To place a WinCollect agent host into debug:
    https://www.ibm.com/support/pages/node/6404330#localsrv
    Note: Disable debug as soon as possible to prevent log bloat.
    

Problem conclusion

  • This APAR has been fixed in WinCollect version 7.3.1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ31843

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-29

  • Closed date

    2021-05-04

  • Last modified date

    2021-05-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
05 May 2021