IBM Support

QRadar Web UI down or unresponsive from TxSentry

Troubleshooting


Problem

QRadar 7.3.X and 7.4.X Web User Interface are down or are unresponsive due to TxSentry error messages.

Symptom

The following error messages can be found in, 
[hostcontext.hostcontext] [{UUID}/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:{N}][{IP}/- -] [-/- -]Found a process on host {IP}: tomcat, pid={PID}, TX age={N} secs

[hostcontext.hostcontext] [{UUID}/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:{N}][{IP}/- -] [-/- -] Lock acquired on host {IP}: rel=reference_data_key_pkey age={N} granted=t mode=AccessShareLock query='select * from get_expired_reference_data_elements()'
A notification for Tomcat stating: "Transaction Sentry: Found an unmanaged process causing unusually long transaction that negatively effects system stability".

Resolving The Problem

  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click the Reference Set Management.
  4. Any Reference Set with more than 100,000 elements needs to have a shorter time to live. Default for out of the box is usually Lives Forever checked.
  5. Uncheck Lives Forever
  6. Set time to live.
    For example, setting the 4th box to 3 hours and selecting since last seen. More information on these settings can be found in Adding, editing, and deleting reference sets
  7. Go to Admin tab.
  8. Click the System Settings.
  9. Select Advanced
  10. Under Transaction Sentry Settings, increase Transaction Max Time Limit to maximum value 30 minutes.
  11. Run a Deploy Full Configuration in Advanced under the Admin tab during your next maintenance cycle.

    IMPORTANT: Deploy Full Configuration results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress will need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000CbWFAA0","label":"QRadar->Deployment->Components->Tomcat"}],"ARM Case Number":"TS003667832","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.2;7.3.3;7.4.0","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
06 October 2020

UID

ibm16205958

Page Feedback