An issue identified in QRadar 7.3.2 Patch 3 as APAR IJ18032 is resolved where events received by QRadar Event Collector (15xx) appliances can fail to process/parse when a routing rule is configured. See the notice section for the latest information and how to contact support if affected.
Important. Administrators who have downloaded or installed QRadar 7.3.2 Patch 3 should be aware of APAR IJ18032. QRadar Development has confirmed that APAR IJ18032 impacts only deployments that have Event Collector (15xx) appliances and routing rules configured. In deployments that contain both an Event Collector and enabled routing rules, events are successfully received by the collector's ecs-ec-ingress process but are not forwarded to ecs-ec for parsing. As a result, events remain queued on QRadar 7.3.2 Patch 3 Event Collector appliances, waiting for the next step in the event pipeline.
Affected products and versions
- Fix Pack (file name): 7.3.2-QRADAR-QRSIEM-20190705120852.sfs
- SHA256 SUM: 7fd49feea4c8171c74f561479a1f5b3568289c2b94a3795f3b376f80dc8fc05e
- ISO (file name): 7.3.2-QRADAR-QRFULL-20190705120852.iso
- SHA256 SUM: fa30031746e38ebc1d7df2c16836b136640da0c506dfa753eacae8261ffb40df
How to diagnose this issue
What to review
- From the Admin tab, click System & License Management.
Administrators can review the list of systems in the deployment. Event Collectors are identified as 15xx appliances, where xx is a numeric identifier for appliance capability: virtual appliances are 1599, and physical servers (MTM 4412-Q4D) are identified as 1501 appliances.
- Optional. Administrators with root access or large deployments can get a report of appliances using the following command: /opt/qradar/support/deployment_info.sh -O
[root@qr732-3199-2553 support]# ./deployment_info.sh -O
INFO: Gathering deployment information. This may take a while...
Hostname IP HA Status Appliance Hardware
qr732-3199-2553 10.10.219.230 N/A 3199 VMware Virtual Platform
qr732-1699-2566 10.10.219.231 N/A 1699 VMware Virtual Platform
qr732-1599-2570 10.10.219.232 N/A 1599 VMware Virtual Platform
If you have Event Collector (15xx) appliances in your QRadar deployment, review the Admin tab > Routing Rules icon to determine if any routing rules are enabled. A stack trace for the error message is provided in APAR IJ18032 or on our QRadar APARs 101 page by searching for IJ18032.
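The following POSIX shell snippet is an added example and not part of the IBM notice or the deployment_info.sh tool itself. It parses the column layout shown in the report above (hostname, IP, HA status, appliance type, hardware) and lists every host whose appliance type is 15xx, so an administrator with a large deployment can spot Event Collectors without reading the table by hand. The embedded report text is constructed sample data, including an extra 1501 row, and the function names are this example's own. Whether routing rules are enabled still has to be checked in the Admin tab, as described above.

```shell
#!/bin/sh
# Constructed sample of "/opt/qradar/support/deployment_info.sh -O" output.
# Hostnames, addresses and the hardware string are made up for this example.
SAMPLE_REPORT='INFO: Gathering deployment information. This may take a while...
Hostname IP HA Status Appliance Hardware
qr732-3199-2553 10.10.219.230 N/A 3199 VMware Virtual Platform
qr732-1699-2566 10.10.219.231 N/A 1699 VMware Virtual Platform
qr732-1599-2570 10.10.219.232 N/A 1599 VMware Virtual Platform
qr732-1501-2571 10.10.219.233 N/A 1501 Physical-Server-Constructed'

# Read a report on stdin and print "hostname appliance-type" for each
# Event Collector. In data rows the fourth whitespace-separated field is
# the appliance type (the "HA Status" header spans two words, but its
# values such as N/A are a single token). The INFO line and the header
# never have a 15xx value in field 4, so the pattern alone filters them.
find_event_collectors() {
    awk '$4 ~ /^15[0-9][0-9]$/ { print $1, $4 }'
}

# Read a report on stdin and print how many Event Collectors it lists.
count_event_collectors() {
    find_event_collectors | wc -l | tr -d ' '
}

# Read a report on stdin; exit 0 if at least one Event Collector is present
# (routing rules must then be checked), 1 otherwise.
has_event_collectors() {
    n=$(count_event_collectors)
    [ "$n" -gt 0 ]
}

# Usage: run against the constructed sample, or pipe the live report:
#   /opt/qradar/support/deployment_info.sh -O | find_event_collectors
printf '%s\n' "$SAMPLE_REPORT" | find_event_collectors
```

On a live system the functions read the real report from a pipe; the SAMPLE_REPORT variable exists only so the example runs offline.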
What to do
- Affected administrators
Deployments impacted by APAR IJ18032 on QRadar version 7.3.2.20190705120852 can upgrade to QRadar 7.3.2 Patch 4 or contact QRadar Support for assistance and open a Severity 1 case. Our development team provided a hot fix for this issue. The QRadar Support team can assist with both verification and installation of the fix for APAR IJ18032.
- Unaffected administrators
Administrators with Event Collector (15xx) appliances and routing rules are advised to wait for QRadar 7.3.2 Patch 4 (published). If you have downloaded the SFS or ISO file listed in the affected versions list, do NOT install QRadar 7.3.2.20190705120852 until this notice is updated to announce the release of QRadar 7.3.2 Patch 4 (published).
NOTE: If you are unsure of the impact to your system or if you have follow-up questions, you can contact the QRadar Support team. We have created a forum post as well for users who might want additional clarification or to follow updates here: https://developer.ibm.com/answers/questions/513409/qradar-732-patch-3-updates-known-issues-added.html.
02 April 2020