APAR status
Closed as program error.
Error description
It has been observed in some instances that importing vulnerability scan data via XML into QRadar can soemtimes fail and an exception is thrown in the QRadar logging. Messages similar to the following might be visibile in /var/log/qradar.log when this issue is occurring: [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] Caused by: [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jms.JMSException: [C4095]: Message exceeds the single message size limit for the broker or destination: VisTopicRESPONSE user=qradar, broker=127.0.0.1:7676(7677) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.writeJMSMessage( ProtocolHandler.java:1958) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.WriteChannel.sendWithFlowControl (WriteChannel.java:173) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.WriteChannel.writeJMSMessage(Wri teChannel.java:126) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.Transaction.send(Transaction.jav a:510) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.SessionImpl.writeJMSMessage(Sess ionImpl.java:776) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess age(MessageProducerImpl.java:207) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess age(MessageProducerImpl.java:196) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.send(Message ProducerImpl.java:628) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksMessageProducer$SendComm andD.execute(FrameworksMessageProducer.java:288) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksMessageProducer.flush(Fr ameworksMessageProducer.java:440) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksJMSSession.commit(Framew orksJMSSession.java:166) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.SessionContext.commitTransaction(S essionContext.java:1000) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] ... 34 more
Local fix
No workaround available.
Problem summary
It has been observed in some instances that importing vulnerability scan data via XML into QRadar can soemtimes fail and an exception is thrown in the QRadar logging. Messages similar to the following might be visibile in /var/log/qradar.log when this issue is occurring: [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] Caused by: [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jms.JMSException: [C4095]: Message exceeds the single message size limit for the broker or destination: VisTopicRESPONSE user=qradar, broker=127.0.0.1:7676(7677) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.ProtocolHandler.writeJMSMessage( ProtocolHandler.java:1958) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.WriteChannel.sendWithFlowControl (WriteChannel.java:173) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.WriteChannel.writeJMSMessage(Wri teChannel.java:126) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.Transaction.send(Transaction.jav a:510) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.SessionImpl.writeJMSMessage(Sess ionImpl.java:776) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess age(MessageProducerImpl.java:207) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.writeJMSMess age(MessageProducerImpl.java:196) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.sun.messaging.jmq.jmsclient.MessageProducerImpl.send(Message ProducerImpl.java:628) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksMessageProducer$SendComm andD.execute(FrameworksMessageProducer.java:288) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksMessageProducer.flush(Fr ameworksMessageProducer.java:440) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.FrameworksJMSSession.commit(Framew orksJMSSession.java:166) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] at com.q1labs.frameworks.session.SessionContext.commitTransaction(S essionContext.java:1000) [tomcat] [configservices@127.0.0.1 (1454) /console/JSON-RPC System.postScanResponse] ... 34 more
Problem conclusion
This issue was resolved with QRadar/QRM/QVM/QRIF 7.3.0
Temporary fix
Comments
APAR Information
APAR number
IV91638
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
726
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-12-19
Closed date
2017-04-11
Last modified date
2017-04-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
R730 PSY
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"726","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Document Information
Modified date:
11 April 2017