IBM Support

QRadar: Offenses stop generating with error message "Exception encountered when executing transaction"

Question & Answer


Question

How to resolve an issue where offenses stop being generated or updated with error "Exception encountered when executing transaction"?

Cause

Offense database model can get corrupted due to bad transactions, caused by certain situations, like services not gracefully stopped or a failed upgrade. When QRadar® is in this state, no offenses are updated or created. 
The stack trace of the error can vary based on the cause of the problem related to the transactions, however the stack trace will always contain a message starting with "Exception encounted when executing transaction".

Here are some examples of the stack trace that is included with these kind of errors: 
Jun 19 10:21:46 ::ffff:X.X.X.X [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [NOT:0180002100][X.X.X.X/- -] [-/- -]Exception encounted when executing transaction 35761.
Jun 19 10:21:46 ::ffff:X.X.X.X [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.PersistenceException: Failed to persist sem model
Example 2: 
Jul 13 02:15:50 ::ffff:x.x.x.x [ecs-ep.ecs-ep] [MPC/PersisterThread@0000000002] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [NOT:0180002100][x.x.x.x/- -] [-/- -]Exception encounted when executing transaction 2.
Jul 13 02:15:50 ::ffff:x.x.x.x [ecs-ep.ecs-ep] [MPC/PersisterThread@0000000002] java.lang.NullPointerException
Example 3:
Jul 17 07:25:59 ::ffff:xxx.xxx.xxx.xxx [ecs-ep.ecs-ep] [MPC/PersisterThread@0000004985] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [NOT:0180002100][xxx.xxx.xxx.xxx/- -] [-/- -]Exception encounted when executing transaction 4985.
Jul 17 07:25:59 ::ffff:xxx.xxx.xxx.xxx [ecs-ep.ecs-ep] [MPC/PersisterThread@0000004985] java.lang.IllegalStateException: Cause already initialized

Answer

There are several ways to resolve this issue, with only one permanent solution:
  1. Restarting the ecs-ep service (systemctl restart ecs-ep) can resolve the problem temporarily, for a few minutes or even hours, but the issue will eventually return. 
  2. Soft clean is also an option that will temporarily fix the issue for days or even possibly weeks. For more information on the soft vs hard sim clean model, see our QRadar documentation.
  3. The recommended option to permanently resolve this issue, is to perform a hard clean which will wipe whatever is corrupted in the model along with the active/closed offenses. Aside from this procedure, there is no other path that can be taken to resolve the issue.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwthAAA","label":"Offenses"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
03 October 2020

UID

ibm16340913

Page Feedback