IBM Support

IJ32090: LOG SOURCES CONFIGURED TO USE THE SALESFORCE PROTOCOL CAN GO INTO ERROR STATE DUE TO PROTOCOL PARSING ISSUE


APAR status

  • Closed as program error.

Error description

  • Log sources configured to use the Salesforce protocol can go
    into Error status with the error message "Event size is different
    from the schema size" because of a parsing issue with received
    events in a complex format that contain a JSON object as
    part of the "URL" field.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:

    com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventFormatterException: Event size is different from the schema size, schema '....' payload '...'
    at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFile(SalesforceRESTAPIProvider.java:550)
    at com.q1labs.semsources.sources.salesforcerestapi.eventformatter.EventLogFileFormatter.formatEventLogFile(EventLogFileFormatter.java:181)
    at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.processEventLogFileAPIResults(SalesforceRESTAPIProvider.java:509)
    at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.getEvents(SalesforceRESTAPIProvider.java:407)
    at com.q1labs.semsources.sources.salesforcerestapi.SalesforceRESTAPIProvider.execute(SalesforceRESTAPIProvider.java:357)
    at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:195)
    

Local fix

  • No workaround available.
    APARs identified with no workaround may require a software
    delivery to resolve. This reported issue will be considered for a
    future release and administrators can subscribe to the APAR to get
    updates by clicking on the Subscribe button on the right side of
    this page or ask a question about this APAR in our Support Forums.
    https://ibm.biz/qradarforums
    

Problem summary

  • This fix is available in the following RPMs on IBM Fix Central:
    PROTOCOL-SalesforceRESTAPI-7.3-20210427155539.noarch.rpm
    PROTOCOL-SalesforceRESTAPI-7.4-20210427155613.noarch.rpm
    

Problem conclusion

  • Resolves multiple issues in the Salesforce REST API protocol:
    1. Resolved an issue where new event types resulted in null
       pointer exceptions and could generate an 'Unable to retrieve
       some event log file events' error in the user interface, as
       described in APAR IJ30702.
    2. Updated CSV parsing to correctly handle escaped characters
       that might cause the protocol to error and display an 'Event
       size is different from the schema size' message, as described
       in APAR IJ32090.
    This fix is available in the following RPMs on IBM Fix Central:
    PROTOCOL-SalesforceRESTAPI-7.3-20210427155539.noarch.rpm
    PROTOCOL-SalesforceRESTAPI-7.4-20210427155613.noarch.rpm
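
Added illustration, not IBM's code and not part of the original APAR text: a constructed event row whose "URL" field holds a JSON object shows how a plain comma split miscounts fields against the schema, while a quote-aware CSV parser keeps the field intact. The column names, sample values and function names are assumptions.

```python
import csv
import io

# Constructed sample, not real Salesforce output. Column names are assumptions;
# the URL value carries a JSON object whose quotes are escaped by doubling.
SCHEMA_LINE = '"EVENT_TYPE","TIMESTAMP","USER_ID","URL","STATUS"'
EVENT_LINE = (
    '"URI","20210413101500.000","005xx0000012345",'
    '"/aura?message={""actions"":[{""id"":""1"",""name"":""getItems""}]}",'
    '"200"'
)


def naive_split(line):
    """Split on every comma and strip outer quotes, ignoring CSV quoting."""
    return [field.strip('"') for field in line.split(",")]


def quoted_split(line):
    """Parse one record honouring quoted fields and doubled-quote escapes."""
    return next(csv.reader(io.StringIO(line), doublequote=True, strict=True))


def check_event(schema_line, event_line, splitter):
    """Return (True, field mapping) or (False, reason) for one event row."""
    schema = splitter(schema_line)
    fields = splitter(event_line)
    if len(fields) != len(schema):
        # The kind of count mismatch the error message reports.
        return False, f"event size {len(fields)} != schema size {len(schema)}"
    return True, dict(zip(schema, fields))


if __name__ == "__main__":
    for splitter in (naive_split, quoted_split):
        print(splitter.__name__, check_event(SCHEMA_LINE, EVENT_LINE, splitter))
```

A log source that stops on this check collects no further Salesforce events until the protocol is updated, so the Error status on the log source is worth alerting on.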
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ32090

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-04-13

  • Closed date

    2021-07-05

  • Last modified date

    2021-07-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
06 July 2021