IBM Support

IV91638: IMPORTING VULNERABILITY SCAN DATA FROM XML INTO QRADAR CAN SOMETIMES FAIL WITH AN EXCEPTION IN THE LOGS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • It has been observed in some instances that importing
    vulnerability scan data via XML into QRadar can soemtimes fail
    and an exception is thrown in the QRadar logging.
    
    Messages similar to the following might be visibile in
    /var/log/qradar.log when this issue is occurring:
    
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse] Caused by:
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse] com.sun.messaging.jms.JMSException:
    [C4095]: Message exceeds the single message size limit for the
    broker or destination: VisTopicRESPONSE user=qradar,
    broker=127.0.0.1:7676(7677)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.writeJMSMessage(
    ProtocolHandler.java:1958)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.WriteChannel.sendWithFlowControl
    (WriteChannel.java:173)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.WriteChannel.writeJMSMessage(Wri
    teChannel.java:126)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.Transaction.send(Transaction.jav
    a:510)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.SessionImpl.writeJMSMessage(Sess
    ionImpl.java:776)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess
    age(MessageProducerImpl.java:207)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess
    age(MessageProducerImpl.java:196)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.send(Message
    ProducerImpl.java:628)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksMessageProducer$SendComm
    andD.execute(FrameworksMessageProducer.java:288)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksMessageProducer.flush(Fr
    ameworksMessageProducer.java:440)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksJMSSession.commit(Framew
    orksJMSSession.java:166)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.SessionContext.commitTransaction(S
    essionContext.java:1000)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    ... 34 more
    

Local fix

  • No workaround available.
    

Problem summary

  • It has been observed in some instances that importing
    vulnerability scan data via XML into QRadar can soemtimes fail
    and an exception is thrown in the QRadar logging.
    
    Messages similar to the following might be visibile in
    /var/log/qradar.log when this issue is occurring:
    
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse] Caused by:
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse] com.sun.messaging.jms.JMSException:
    [C4095]: Message exceeds the single message size limit for the
    broker or destination: VisTopicRESPONSE user=qradar,
    broker=127.0.0.1:7676(7677)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.writeJMSMessage(
    ProtocolHandler.java:1958)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.WriteChannel.sendWithFlowControl
    (WriteChannel.java:173)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.WriteChannel.writeJMSMessage(Wri
    teChannel.java:126)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.Transaction.send(Transaction.jav
    a:510)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.SessionImpl.writeJMSMessage(Sess
    ionImpl.java:776)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess
    age(MessageProducerImpl.java:207)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess
    age(MessageProducerImpl.java:196)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.MessageProducerImpl.send(Message
    ProducerImpl.java:628)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksMessageProducer$SendComm
    andD.execute(FrameworksMessageProducer.java:288)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksMessageProducer.flush(Fr
    ameworksMessageProducer.java:440)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.FrameworksJMSSession.commit(Framew
    orksJMSSession.java:166)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    at
    com.q1labs.frameworks.session.SessionContext.commitTransaction(S
    essionContext.java:1000)
    [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC
    System.postScanResponse]    ... 34 more
    

Problem conclusion

  • This issue was resolved with QRadar/QRM/QVM/QRIF 7.3.0
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV91638

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    726

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-19

  • Closed date

    2017-04-11

  • Last modified date

    2017-04-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R730 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"726","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
11 April 2017