IBM Support

IJ33892: AUTO UPDATE FOR 20 JULY 2021 CAN ROUTE EVENTS TO STORAGE AFTER A DSM COMMON RPM UPDATE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The QRadar auto update released on 20 July 2021 introduced a
    problem where the Traffic Analysis service that auto discovers
    and creates log sources is no longer working as expected due to
    a class loading issue. For customers with affected log sources
    configured on their QRadar appliances, the event pipeline can
    experience an uncaught exception, which causes events to be
    routed directly to storage.
    
    
    QRadar SIEM 7.4.x on-premise and QRadar on Cloud versions with
    DSMCommon-7.4-20210624145517.noarch.rpm installed from the 20
    July 2021 auto update can experience this issue.
    
    The following DSMs can cause exceptions to be generated in the
    logs as described in the flash notice:
    - Array Networks SSL VPN Access Gateways
    - Cisco Aironet
    - CRYPTOCard CRYPTOShield
    - Extreme HiGuard
    - Extreme XSR Security Routers
    - Fair Warning
    - HP Network Automation
    - IBM DB2
    - IBM Informix Audit
    - Itron Smart Meter
    - Juniper vGW
    - Juniper Networks AVT
    - Juniper SRC
    - McAfee Application/Change Control
    - Microsoft ISA
    - Motorola SymbolAP
    - Redback ASE
    - Sentrigo Hedgehog
    - Silver Springs Networks Smart Meter
    - Sophos Enterprise Console
    - Sophos PureMessage
    - Tropos Control
    

Local fix

  • Administrators who encounter issues with events being routed to
    storage for the DSMs outlined in this APAR can review the
    associated flash notice that includes the latest information. To
    read the flash notice, see:
    https://www.ibm.com/support/pages/node/6474189 .
    

Problem summary

  • This fix is available in the weekly auto update for 22 July 2021
     (Build 1626984260) and in the following RPM on IBM Fix Central:
    DSM-DSMCommon-7.4-20210721162935.noarch.rpm
    

Problem conclusion

  • Resolves an issue where the Traffic Analysis service that auto
    discovers and creates log sources is no longer working as
    expected due to a class loading issue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ33892

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    740

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-07-21

  • Closed date

    2021-07-23

  • Last modified date

    2021-07-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"740"}]

Document Information

Modified date:
24 July 2021