IBM Support

OA57212: LINE FEED CHARACTERS ARE NOT CONVERTED TO BLANKS IN LEEF RECORDS

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Line feed characters are not converted to blanks in LEEF
    records.
    This can mean that the SIEM splits the LEEF records causing
    parsing errors.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting the        *
    *                 software to prepare data for QRadar SIEM.    *
    ****************************************************************
    * PROBLEM DESCRIPTION: The zSecure Audit QRadar SIEM interface *
    *                      generates LEEF files that contain line  *
    *                      feed (X'25') characters while they      *
    *                      should be converted to blanks.          *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided and review the        *
    *                 documentation updates.                       *
    ****************************************************************
    When the zSecure Audit QRadar SIEM interface processes SMF data
    that contain line feed characters (X'25') (like SQL commands),
    these characters are not converted to blanks while the LEEF file
    is generated. The resulting LEEF file cannot be parsed properly
    by the QRadar SIEM.
    

Problem conclusion

  • The zSecure Audit QRadar SIEM interface has been modified so
    that line feed characters (X'25') are converted to blanks.
    Please note the documentation changes as provided by the APAR
    tracking comment data.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA57212

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    231

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-03-28

  • Closed date

    2019-04-26

  • Last modified date

    2019-05-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA99197

Modules/Macros

  • CKRINP@  GKRINP@
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R231 PSY UA99197

       UP19/04/30 P F904

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCE68R","label":"zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"231","Edition":""}]

Document Information

Modified date:
02 May 2019