IBM Support

RESOLVED. QRadar 7.3.2 Patch 3: Event Collector Appliances and Routing Rules (APAR IJ18032)

Flashes (Alerts)


Abstract

An issue identified in QRadar 7.3.2 Patch 3 as APAR IJ18032 is resolved where events received by QRadar Event Collector (15xx) appliances can fail to process/parse when a routing rule is configured. See the notice section for the latest information and how to contact support if affected.

Content


NOTICE: APAR IJ18032 is resolved with the release of QRadar 7.3.2 Patch 4. Administrators with Event Collectors and routing rules as described in this notice can download the QRadar 7.3.2 Patch 4 SFS file from IBM Fix Central and schedule a maintenance window to update their deployment. QRadar on Cloud administrators will be contacted via email regarding scheduled updates. A full list of closed APARs relating to QRadar 7.3.2 Patch 4 is available on the QRadar APARs 101 page.

Urgency

Important. Administrators who have downloaded or installed QRadar 7.3.2 Patch 3 should be aware of APAR IJ18032. QRadar Development has confirmed that APAR IJ18032 impacts only deployments that have both Event Collector (15xx) appliances and routing rules configured. In such deployments, events are received successfully by the collector's ecs-ec-ingress process but are not forwarded to ecs-ec for parsing. As a result, events on QRadar 7.3.2 Patch 3 Event Collector appliances remain queued, waiting to be processed by the next step in the event pipeline.


Affected products and versions

QRadar deployments updated to QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) can be impacted by this issue when they contain Event Collector (15xx) appliances and have routing rules configured. The affected update files are:

  • Fix Pack (file name): 7.3.2-QRADAR-QRSIEM-20190705120852.sfs
  • SHA256 SUM: 7fd49feea4c8171c74f561479a1f5b3568289c2b94a3795f3b376f80dc8fc05e

  • ISO (file name): 7.3.2-QRADAR-QRFULL-20190705120852.iso
  • SHA256 SUM: fa30031746e38ebc1d7df2c16836b136640da0c506dfa753eacae8261ffb40df

How to diagnose this issue

There are several methods to determine if you have QRadar Event Collectors in your QRadar Deployment. Administrators can review their deployment before upgrading to QRadar 7.3.2 Patch 3.

What to review
  • From the Admin tab, click System & License Management. 
    Administrators can review the list of systems in the deployment. Event Collectors are identified as 15xx appliances, where xx is a numeric identifier for appliance capability: virtual appliances are identified as 1599, and physical servers (MTM 4412-Q4D) are identified as 1501.
  • Optional. Administrators with root access or large deployments can get a report of appliances using the following command: /opt/qradar/support/deployment_info.sh -O
    [root@qr732-3199-2553 support]# ./deployment_info.sh -O
    INFO: Gathering deployment information. This may take a while...

    Hostname             IP              HA Status    Appliance   Hardware
    qr732-3199-2553      10.10.219.230   N/A          3199        VMware Virtual Platform
    qr732-1699-2566      10.10.219.231   N/A          1699        VMware Virtual Platform
    qr732-1599-2570      10.10.219.232   N/A          1599        VMware Virtual Platform

    Results
    If you have Event Collector (15xx) appliances in your QRadar deployment, review the Admin tab > Routing Rules icon to determine if any routing rules are enabled. A stack trace for the error message is provided in APAR IJ18032 or on our QRadar APARs 101 page by searching for IJ18032.
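As an added worked example (it is not an IBM script and is not part of the original notice), the following POSIX shell helper automates the parts of the check above that can be scripted: it parses deployment_info.sh -O output for 15xx appliances, compares a build string against the Patch 3 build, and verifies a downloaded SFS or ISO against the SHA256 sums listed under "Affected products and versions". The deployment listing embedded below is constructed to match the format shown above (with a 1501 entry added), the installed build string is supplied by the caller rather than read from the system, and the routing-rule check still has to be done in the Admin tab, since the notice gives no command for it.

```shell
#!/bin/sh
# Added triage helper for APAR IJ18032 (example code, not an IBM script).
# Assumptions: deployment_info.sh -O prints the columns shown in the notice
# (Hostname, IP, HA Status, Appliance, Hardware) with a single-token HA Status,
# and the caller supplies the installed build string.

AFFECTED_BUILD="7.3.2.20190705120852"   # QRadar 7.3.2 Patch 3 build from the notice
PATCH3_SFS_SHA256="7fd49feea4c8171c74f561479a1f5b3568289c2b94a3795f3b376f80dc8fc05e"
PATCH3_ISO_SHA256="fa30031746e38ebc1d7df2c16836b136640da0c506dfa753eacae8261ffb40df"

# Constructed sample of deployment_info.sh -O output (same shape as the notice;
# the 1501 line and its Hardware text are made up for the example).
SAMPLE_DEPLOYMENT='INFO: Gathering deployment information. This may take a while...

Hostname             IP              HA Status    Appliance   Hardware
qr732-3199-2553      10.10.219.230   N/A          3199        VMware Virtual Platform
qr732-1699-2566      10.10.219.231   N/A          1699        VMware Virtual Platform
qr732-1599-2570      10.10.219.232   N/A          1599        VMware Virtual Platform
qr732-1501-2571      10.10.219.233   N/A          1501        IBM 4412-Q4D'

# event_collectors: read deployment_info.sh -O output on stdin and print the
# hostname of every Event Collector (appliance type 15xx), one per line.
# The INFO: and header lines never have a 15xx token in column 4, so they are skipped.
event_collectors() {
    awk '$4 ~ /^15[0-9][0-9]$/ { print $1 }'
}

# count_event_collectors: number of 15xx appliances in the listing passed as $1.
count_event_collectors() {
    printf '%s\n' "$1" | event_collectors | wc -l | tr -d ' '
}

# is_affected_build: true (exit 0) only for the Patch 3 build string.
is_affected_build() {
    [ "$1" = "$AFFECTED_BUILD" ]
}

# sha256_of: print the SHA-256 of a file (sha256sum on Linux, shasum as fallback).
sha256_of() {
    [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# is_patch3_file: true if the file is the Patch 3 SFS or ISO listed in the notice,
# i.e. the file an affected administrator should NOT install.
is_patch3_file() {
    sum=$(sha256_of "$1") || return 1
    [ "$sum" = "$PATCH3_SFS_SHA256" ] || [ "$sum" = "$PATCH3_ISO_SHA256" ]
}

# triage: "exposed" when the build is Patch 3 and the deployment has at least one
# Event Collector; whether routing rules are enabled must still be confirmed in
# Admin > Routing Rules. Anything else is "not-exposed".
triage() {
    build=$1
    deployment=$2
    if is_affected_build "$build" && [ "$(count_event_collectors "$deployment")" -gt 0 ]; then
        echo "exposed"
    else
        echo "not-exposed"
    fi
}

# Stand-alone run against the constructed sample. On a real console, replace the
# sample with: /opt/qradar/support/deployment_info.sh -O
printf 'Event Collectors found:\n'
printf '%s\n' "$SAMPLE_DEPLOYMENT" | event_collectors
printf 'Triage for build %s: %s\n' "$AFFECTED_BUILD" "$(triage "$AFFECTED_BUILD" "$SAMPLE_DEPLOYMENT")"
```

If triage prints "exposed" and Admin > Routing Rules shows enabled rules, the deployment matches the conditions in this notice and should be moved to QRadar 7.3.2 Patch 4; is_patch3_file can be pointed at any downloaded SFS or ISO to confirm it is the Patch 3 build before anyone schedules it for installation.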

What to do

  • Affected administrators
    Deployments impacted by APAR IJ18032 on QRadar version 7.3.2.20190705120852 can upgrade to QRadar 7.3.2 Patch 4 or contact QRadar Support for assistance and open a Severity 1 case. Our development team provided a hot fix for this issue. The QRadar Support team can assist with both verification and installation of the fix for APAR IJ18032.
     
  • Unaffected administrators
    Administrators with Event Collector appliances (15xx) and routing rules who have not yet upgraded should install QRadar 7.3.2 Patch 4 (published), which resolves this issue, rather than Patch 3. If you have downloaded the SFS or ISO file listed in the affected version list, do NOT install QRadar 7.3.2.20190705120852; upgrade directly to QRadar 7.3.2 Patch 4 instead.


    NOTE: If you are unsure of the impact to your system or if you have follow-up questions, you can contact the QRadar Support team. We have created a forum post as well for users who might want additional clarification or to follow updates here: https://developer.ibm.com/answers/questions/513409/qradar-732-patch-3-updates-known-issues-added.html.

Business Unit: Security (BU008); Product: IBM QRadar SIEM (SSBQAC); Component: Event Collectors; Platform: Linux (PF016); Version: 7.3.2 Patch 3

Document Information

Modified date:
02 April 2020

UID

ibm10964540