APAR status
Closed as program error.
Error description
Viewing offense records in the QRadar User Interface and then clicking "By Destination IP" can sometimes take longer to complete than the 10 minutes that are allowed for the process. When that happens, hostcontext uses TxSentry to kill the tomcat process, and the tomcat service is then restarted. When this TxSentry kill of tomcat occurs, searches and/or reports that were running are killed, and access to the User Interface is interrupted until the tomcat service restart completes successfully.

Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:

[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host 127.0.0.1: tomcat, pid=16443, TX age=634 secs
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host 127.0.0.1: pid=16443 age=634 IP=127.0.0.1 port=58785 locks=62 query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attacker_impact, t0.domain_id, t0.domain_name, t0.event_count, t0.start_time, t0.network_details_id, t0.ip_order, t0.end_time, t0.magnitude, t0.followup, t0.network, t0.network_object, t0.notes_count, t0.offense_count, t0.threat_under, t0.threat_under_delta, t0.threat_under_last_update, t0.va_risk, t0.weight, t2.magnitude FROM target_view t0 INNER JOIN offense_target_link t1 ON t0.id = t1.target_id INNER JOIN offense_view t2 ON t1.offense_id = t2.id INNER JOIN offense_target_network_link t3 ON t2.id = t3.offense_id INNER JOIN network_details t4 ON t3.network_details_id = t4.id WHERE (t0.network <> $1 AND t2.active_code > $2 AND t0.end_time >= (SELECT MIN(t5.start_time) FROM offense t5 WHERE (t5.active_code > $3)) AND 1 = 1) ORDER BY t2.magnitude DESC, t0.threat_under DESC, t0.va_risk DESC LIMIT $4'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_target_network_link_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_target_network_link age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_notes_link_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_username age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=network_details_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_notes_link_offense_id_idx age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_username_link age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=assetview_ip_idx age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]
[hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Process to stop: tomcat pid='16443'
[tomcat]: JVMDUMP039I Processing dump event "user", detail "" at 2016/01/21 12:13:47 - please wait.
::ffff:127.0.0.1 [hostcontext.hostcontext] [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher] com.q1labs.hostcontext.capabilities.TomcatAction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]stopping tomcat
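Added example (not IBM's code and not part of the APAR): a small Python parser that groups the TxSentry messages shown above by pid, so an administrator can see which transaction exceeded the 10-minute limit, which relations it held locks on, and whether the process was stopped. The sample lines are shortened from the messages above; the function name, the field names, and attributing each "Lock acquired" line to the most recent TX line are assumptions.

```python
import re

# Constructed sample: shortened from the TxSentry messages quoted in this APAR
# (session id replaced by "uuid", query text truncated).
PFX = ("[hostcontext.hostcontext] [uuid/SequentialEventDispatcher] "
       "com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]")
SAMPLE_LOG = "\n".join([
    PFX + "Found a process on host 127.0.0.1: tomcat, pid=16443, TX age=634 secs",
    PFX + " TX on host 127.0.0.1: pid=16443 age=634 IP=127.0.0.1 port=58785 locks=62 "
          "query='SELECT DISTINCT t0.id FROM target_view t0 LIMIT $4'",
    PFX + " Lock acquired on host 127.0.0.1: rel=offense_pkey age=634 granted=t "
          "mode=AccessShareLock query='SELECT DISTINCT t0.id'",
    PFX + " Lock acquired on host 127.0.0.1: rel=network_details_pkey age=634 granted=t "
          "mode=AccessShareLock query='SELECT DISTINCT t0.id'",
    PFX.replace("WARN", "INFO") + "Process to stop: tomcat pid='16443'",
    '[tomcat]: JVMDUMP039I Processing dump event "user", detail "" - please wait.',
])

FOUND = re.compile(r"Found a process on host \S+: (\w+), pid=(\d+), TX age=(\d+) secs")
TX = re.compile(r"TX on host \S+: pid=(\d+) age=(\d+) .*?locks=(\d+) query='(.*)'")
LOCK = re.compile(r"Lock acquired on host \S+: rel=(\S+) age=\d+ granted=\w mode=(\w+)")
STOP = re.compile(r"Process to stop: (\w+) pid='(\d+)'")

def summarize_txsentry(text, limit_secs=600):
    """Group TxSentry messages by pid; 600 s is the 10-minute limit the APAR cites."""
    txs, current = {}, None

    def entry(pid):
        return txs.setdefault(pid, {"pid": int(pid), "process": None, "age": 0,
                                    "locks": 0, "query": "", "relations": [],
                                    "stopped": False})

    for line in text.splitlines():
        if "TxSentry:" not in line:      # skip tomcat/JVM and other loggers
            continue
        if m := FOUND.search(line):
            current = entry(m[2])
            current.update(process=m[1], age=int(m[3]))
        elif m := TX.search(line):
            current = entry(m[1])
            current.update(age=int(m[2]), locks=int(m[3]), query=m[4])
        elif (m := LOCK.search(line)) and current is not None:
            # Assumption: lock lines carry no pid, so attach to the latest TX seen.
            current["relations"].append((m[1], m[2]))
        elif m := STOP.search(line):
            entry(m[2]).update(process=m[1], stopped=True)
    for tx in txs.values():
        tx["over_limit"] = tx["age"] > limit_secs
    return list(txs.values())
```

To use it on a live system, pass the contents of /var/log/qradar.log instead of SAMPLE_LOG.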
Local fix
No workaround available.
Problem summary
This issue was resolved with QRadar 7.2.7 Patch 1.
Problem conclusion
This issue was resolved with QRadar 7.2.7 Patch 1.
Temporary fix
Comments
APAR Information
APAR number
IV82814
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
726
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-03-18
Closed date
2016-08-04
Last modified date
2016-08-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
R727 PSY
UP
Document Information
Modified date:
10 September 2020