IBM Support

IV82814: OFFENSE SEARCH BY 'DESTINATION IP' CAN CAUSE A TOMCAT TXSENTRY MAKING THE USER INTERFACE TEMPORARILY INACCESSIBLE


APAR status

  • Closed as program error.

Error description

  • Viewing offense records from the QRadar User Interface and then
    clicking "By Destination IP" can sometimes take longer to
    complete than the 10 minutes allowed for the process.
    Hostcontext uses TxSentry to kill the tomcat process, and the
    tomcat service is then restarted. When this TxSentry action on
    tomcat occurs, any searches and/or reports that were running are
    killed, and access to the User Interface is interrupted until
    the tomcat service restart completes successfully.
    
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
    127.0.0.1: tomcat, pid=16443, TX age=634 secs
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host 127.0.0.1:
    pid=16443 age=634 IP=127.0.0.1 port=58785 locks=62
    query='SELECT DISTINCT t0.id, t0.attackerCount,
    t0.attacker_impact, t0.domain_id, t0.domain_name,
    t0.event_count, t0.start_time, t0.network_details_id,
    t0.ip_order, t0.end_time, t0.magnitude, t0.followup,
    t0.network, t0.network_object, t0.notes_count,
    t0.offense_count, t0.threat_under, t0.threat_under_delta,
    t0.threat_under_last_update, t0.va_risk, t0.weight,
    t2.magnitude FROM target_view t0 INNER JOIN offense_target_link
    t1 ON t0.id = t1.target_id INNER JOIN offense_view t2 ON
    t1.offense_id = t2.id INNER JOIN offense_target_network_link t3
    ON t2.id = t3.offense_id INNER JOIN network_details t4 ON
    t3.network_details_id = t4.id WHERE (t0.network <> $1 AND
    t2.active_code > $2 AND t0.end_time >= (SELECT
    MIN(t5.start_time) FROM offense t5 WHERE (t5.active_code > $3))
    AND 1 = 1) ORDER BY t2.magnitude DESC, t0.threat_under DESC,
    t0.va_risk DESC LIMIT $4'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_target_network_link_pkey age=634
    granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_target_network_link age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_pkey age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_notes_link_pkey age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_username age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=network_details_pkey age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_notes_link_offense_id_idx age=634
    granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=offense_username_link age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    127.0.0.1: rel=assetview_ip_idx age=634 granted=t
    mode=AccessShareLock query='SELECT DISTINCT t0.id,
    t0.attackerCount, t0.attack'
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]
    [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Process to stop: tomcat
    pid='16443'
    [tomcat]: JVMDUMP039I Processing dump event "user", detail ""
    at 2016/01/21 12:13:47 - please wait.
    ::ffff:127.0.0.1 [hostcontext.hostcontext]
    [548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]
    com.q1labs.hostcontext.capabilities.TomcatAction: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]stopping tomcat
    
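To tell whether this APAR is what is taking the User Interface down, an operator can watch /var/log/qradar.log for the TxSentry sequence above rather than waiting for users to report a dead console. The following Python script is an added example written for this page, not IBM code; it parses constructed sample entries modelled on the excerpt (real qradar.log entries are single physical lines and carry a timestamp prefix the excerpt omits), correlates the "Found a process", "TX on host", "Lock acquired" and "Process to stop" messages by pid, and flags tomcat kills whose transaction age is at or over the 600-second budget described above. The attribution of pid-less lock lines to the most recently reported process, the 600-second threshold and the `looks_like_destination_ip_search` check on the target_view join are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample entries modelled on the excerpt in this APAR. Each entry is
# one physical line here (the APAR text wraps them); the parser matches on the
# TxSentry fields only, so a leading timestamp/hostname prefix does not matter.
THREAD_PREFIX = ("[hostcontext.hostcontext] "
                 "[548d814d-9b94-4054-bbcf-c0c60709d535/SequentialEventDispatcher]")
DEST_IP_QUERY = ("SELECT DISTINCT t0.id, t0.attackerCount, t0.attacker_impact, t2.magnitude "
                 "FROM target_view t0 INNER JOIN offense_target_link t1 ON t0.id = t1.target_id "
                 "INNER JOIN offense_view t2 ON t1.offense_id = t2.id "
                 "ORDER BY t2.magnitude DESC, t0.threat_under DESC LIMIT $4")
SAMPLE_LOG = "\n".join([
    f"{THREAD_PREFIX} com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host 127.0.0.1: tomcat, pid=16443, TX age=634 secs",
    f"{THREAD_PREFIX} com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host 127.0.0.1: pid=16443 age=634 IP=127.0.0.1 port=58785 locks=62 query='{DEST_IP_QUERY}'",
    f"{THREAD_PREFIX} com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_target_network_link_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'",
    f"{THREAD_PREFIX} com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host 127.0.0.1: rel=offense_pkey age=634 granted=t mode=AccessShareLock query='SELECT DISTINCT t0.id, t0.attackerCount, t0.attack'",
    f"{THREAD_PREFIX} com.q1labs.hostcontext.tx.TxSentry: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Process to stop: tomcat pid='16443'",
    f"{THREAD_PREFIX} com.q1labs.hostcontext.capabilities.TomcatAction: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]stopping tomcat",
])

# The four TxSentry message shapes visible in the APAR excerpt.
FOUND_RE = re.compile(r"TxSentry: \[WARN\].*?Found a process on host (?P<host>[^:\s]+): "
                      r"(?P<proc>[\w-]+), pid=(?P<pid>\d+), TX age=(?P<age>\d+) secs")
TX_RE = re.compile(r"TxSentry: \[WARN\].*?TX on host \S+: pid=(?P<pid>\d+) age=(?P<age>\d+) "
                   r"IP=\S+ port=\d+ locks=(?P<locks>\d+) query='(?P<query>[^']*)'")
LOCK_RE = re.compile(r"TxSentry: \[WARN\].*?Lock acquired on host \S+: rel=(?P<rel>\S+) "
                     r"age=\d+ granted=(?P<granted>\w) mode=(?P<mode>\w+)")
STOP_RE = re.compile(r"TxSentry: \[INFO\].*?Process to stop: (?P<proc>[\w-]+) pid='(?P<pid>\d+)'")

TX_LIMIT_SECS = 600  # assumed: the 10-minute transaction budget named in the APAR


@dataclass
class TxSentryEvent:
    pid: int
    process: str
    host: str
    age_secs: int
    locks: Optional[int] = None
    query: Optional[str] = None
    relations: List[str] = field(default_factory=list)
    stopped: bool = False


def parse_txsentry(log_text: str) -> List[TxSentryEvent]:
    """Build one event per pid that TxSentry reported. Lock lines carry no pid,
    so they are attributed to the most recent 'Found a process' line (assumed:
    TxSentry prints the block for one process sequentially, as in the excerpt)."""
    events: Dict[int, TxSentryEvent] = {}
    current: Optional[TxSentryEvent] = None
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            pid = int(m["pid"])
            current = events.setdefault(pid, TxSentryEvent(
                pid=pid, process=m["proc"], host=m["host"], age_secs=int(m["age"])))
            current.age_secs = max(current.age_secs, int(m["age"]))
            continue
        m = TX_RE.search(line)
        if m and int(m["pid"]) in events:
            ev = events[int(m["pid"])]
            ev.locks = int(m["locks"])
            ev.query = m["query"]
            continue
        m = LOCK_RE.search(line)
        if m and current is not None:
            current.relations.append(m["rel"])
            continue
        m = STOP_RE.search(line)
        if m and int(m["pid"]) in events:
            events[int(m["pid"])].stopped = True
    return list(events.values())


def looks_like_destination_ip_search(query: Optional[str]) -> bool:
    """Assumed signature of the offense 'By Destination IP' query in the excerpt:
    a target_view join through offense_target_link."""
    return bool(query) and "FROM target_view" in query and "offense_target_link" in query


def tomcat_kills(events: List[TxSentryEvent], limit_secs: int = TX_LIMIT_SECS) -> List[TxSentryEvent]:
    """Events where TxSentry actually stopped tomcat for a transaction at or over the limit."""
    return [e for e in events if e.process == "tomcat" and e.stopped and e.age_secs >= limit_secs]


def summarize(events: List[TxSentryEvent]) -> List[str]:
    """One line per tomcat kill, tagged with the probable cause for the on-call engineer."""
    out = []
    for e in tomcat_kills(events):
        cause = "destination-IP offense search" if looks_like_destination_ip_search(e.query) else "other query"
        out.append(f"pid={e.pid} age={e.age_secs}s locks={e.locks} relations={len(e.relations)} cause={cause}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_txsentry(SAMPLE_LOG)):
        print(line)
```

Run against a real log, the summary lines show how often tomcat is being killed, how long the offending transaction had been running, and whether the query shape matches this APAR; a run of such kills on a release older than 7.2.7 Patch 1 is the signal to schedule the patch rather than to keep restarting tomcat.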

Local fix

  • No workaround available.
    

Problem summary

  • This issue was resolved with QRadar 7.2.7 Patch 1.
    

Problem conclusion

  • This issue was resolved with QRadar 7.2.7 Patch 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV82814

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    726

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-18

  • Closed date

    2016-08-04

  • Last modified date

    2016-08-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R727 PSY

       UP

Document Information

Modified date:
10 September 2020