IBM Support

IV92211: EVENT PAYLOAD IS TRUNCATED AFTER 'MESSAGE=' FOR WINDOWS EVENT ID 4688 WHEN USING AN XPATH QUERY IN A WINCOLLECT LOG SOURCE

APAR status

  • Closed as program error.

Error description

  • It has been observed that when an XPath Query is configured in
    a WinCollect Log Source for Windows Event ID 4688, the Event
    payload received into QRadar is truncated after 'Message='.
    

Local fix

  • No workaround available.
    

Problem summary

  • Event Payload is truncated after Message= for Windows Event ID
    4688 when using an XPath query in a WinCollect Log Source
    

Problem conclusion

  • Fixed in WinCollect Version 7.2.6
    
    720_QRadar_wincollectupdate-7.2.0.484.sfs
    730_QRadar_wincollectupdate-7.3.0.77.sfs
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV92211

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    720

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-01-11

  • Closed date

    2017-05-29

  • Last modified date

    2017-05-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R726 PSY

       UP

Document Information

Modified date:
29 May 2017