IBM Support

IV87497: IO ERRORS WHEN PERFORMING SEARCHES AFTER A DEPLOY FUNCTION WHERE AN ENCRYPTED MANAGED HOST EXISTS IN THE DEPLOYMENT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Ø
    In QRadar deplyments where an encrypted managed host
    exists, I/O errors can sometimes be observed during searches
    after a deploy function is performed.
    
    Messages similar to the following might be visible in
    /var/log/qradar-ha.log and/or /var/log/qradar.log when this
    issue is occurring:
    
    qradar-ha.log
    [HA Setup (S-M---D)] [35m[DEBUG]
    remote_hostname=qradar_hostname[m
    May 10 11:52:58: [HA Setup (S-M---D)] [35m[DEBUG] Updating
    hosts file [m
    cat: /etc/hosts: No such file or directory
    May 10 11:52:58: [HA Setup (S-M---D)] [35m[DEBUG] Checking
    remote access [m
    
    qradar.log
    [hostcontext.hostcontext] [Thread-1976161]
    com.q1labs.hostcontext.configuration.ConfigMetaDataProcessor:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Restarting
    processes as part of deployment
    [hostcontext.hostcontext] [Thread-1976164] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    merge hosts files: mv: cannot create regular file ´/etc/hosts':
    File exists
    [hostcontext.hostcontext] [Thread-1976166] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    restart syslog-ng: Error resolving hostname; host='localhost'
    [hostcontext.hostcontext] [Thread-1976166] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    restart syslog-ng: Initiating connection failed, reconnecting;
    time_reopen='60'
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • In QRadar deplyments where an encrypted managed host
    exists, I/O errors can sometimes be observed during searches
    after a deploy function is performed.
    
    Messages similar to the following might be visible in
    /var/log/qradar-ha.log and/or /var/log/qradar.log when this
    issue is occurring:
    
    qradar-ha.log
    [HA Setup (S-M---D)] [35m[DEBUG]
    remote_hostname=qradar_hostname[m
    May 10 11:52:58: [HA Setup (S-M---D)] [35m[DEBUG] Updating
    hosts file [m
    cat: /etc/hosts: No such file or directory
    May 10 11:52:58: [HA Setup (S-M---D)] [35m[DEBUG] Checking
    remote access [m
    
    qradar.log
    [hostcontext.hostcontext] [Thread-1976161]
    com.q1labs.hostcontext.configuration.ConfigMetaDataProcessor:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Restarting
    processes as part of deployment
    [hostcontext.hostcontext] [Thread-1976164] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    merge hosts files: mv: cannot create regular file ´/etc/hosts':
    File exists
    [hostcontext.hostcontext] [Thread-1976166] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    restart syslog-ng: Error resolving hostname; host='localhost'
    [hostcontext.hostcontext] [Thread-1976166] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    restart syslog-ng: Initiating connection failed, reconnecting;
    time_reopen='60'
    

Problem conclusion

  • This issue was resolved with QRadar/QRM/QVM/QRIF 7.3.0
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV87497

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    723

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-01

  • Closed date

    2017-04-11

  • Last modified date

    2017-04-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R730 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"723","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
11 April 2017