Original Message:
Sent: Tue February 04, 2025 04:59 AM
From: Tamás Simon
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
There are some typos in the Flash Notice:
You need to run "yum -y install DSM-SIMGenericLog-7.5-20250130145444.noarch.rpm" instead of "yum -y install SIMGenericLog-7.5-20250130145444.noarch.rpm"
And you need to add -C to the all_servers command so it also runs on the Console (or on an all-in-one), like this:
/opt/qradar/support/all_servers.sh -k -C "systemctl restart ecs-ec"
------------------------------
Tamás Simon
Original Message:
Sent: Mon February 03, 2025 11:08 AM
From: Jonathan Pechta
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
Notice: An updated SIM Generic DSM is available to resolve the dropped events issue for all users. Administrators can download the latest version of SIM Generic to the Console appliance from IBM Fix Central: SIMGenericLog-7.5-20250130145444.noarch.rpm.
The associated flash notice was updated to change the instructions to yum -y install and users can install the latest SIM Generic RPM on the Console to resolve this issue. An RPM downgrade is no longer required, just install the latest. The Flash Notice associated to this issue can be found here: https://www.ibm.com/support/pages/node/7182076.
------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
Original Message:
Sent: Fri January 31, 2025 09:51 AM
From: Karl Jaeger
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
Paul
thx a lot. While working on my DSMedit BLOG article I ran into this. Downgrade went fine.
Regards
Karl
------------------------------
Karl Jaeger #ibmchampion
QRadar Specialist
cnag
Siegen, Germany
Original Message:
Sent: Fri January 31, 2025 05:25 AM
From: Paul Ford-Hutchinson
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
The workaround document seems to miss out the step where you need to download the 'old' DSM rpm from FixCentral and put it in your current directory before running the 'yum downgrade'
# yum downgrade DSM-SIMGenericLog-7.5-20241204152906.noarch.rpm
Can not load RPM file: DSM-SIMGenericLog-7.5-20241204152906.noarch.rpm.
Error: No packages marked for downgrade.
but it works when the file DSM-SIMGenericLog-7.5-20241204152906.noarch.rpm is present.
Paul
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Fri January 31, 2025 04:07 AM
From: Stefano Pasa
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
Hi
The workaround isn't really working like this in the default configuration:
yum downgrade DSM-SIMGenericLog-7.5-20241204152906.noarch.rpm
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
There are no enabled repos.
------------------------------
Stefano Pasa
Original Message:
Sent: Thu January 30, 2025 02:25 PM
From: Jonathan Pechta
Subject: Flash Notice: SIM Generic events with IPv4/IPv6 header issue reported
I'm raising visibility to an issue that support is tracking related to the SIM Generic log source. A flash notice was issued where SIM Generic log sources (the catch-all bucket when events do not match a specific DSM) can drop events unexpectedly. There is an existing workaround for this issue, but support is encouraging all admins to confirm their version of SIM Generic on the Console, and if they have the affected version to downgrade the RPM. A flash notice was released by support for this specific issue.
What to do:
Review the technical note associated to this issue: QRadar: Unknown log events which have IPv4 or IPv6 in the syslog header that would be associated with the SIM Generic log source are being dropped.
If the reported version is DSM-SIMGenericLog-7.5-20241220124142, then you should complete the workaround to downgrade the RPM. If you are on any other version, then you are not affected. The issue is specific to build 20241220124142.
As this issue is a DSM issue, all users at 7.5.0 can be affected so review your current SIM Generic version to verify if you are affected.
If you have concerns or questions, you can ask here or contact QRadar Support for direct help.
------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
------------------------------
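The thread's advice boils down to one check: read the installed SIM Generic DSM build on the Console and compare it against the build the flash notice names. The script below is an added example written for this page, not a script from the thread or from IBM; it assumes the package name format `DSM-SIMGenericLog-<version>-<build>.noarch` that `rpm -q` prints, and uses only the build numbers quoted above (the affected build from Jonathan's first post and the updated build from his follow-up). The `check_installed` helper that actually queries `rpm` is only meaningful on a QRadar Console, so the usage at the bottom runs on a constructed sample string instead.

```shell
#!/bin/sh
# Added example (not from the thread or IBM): classify the installed SIM Generic
# DSM build on a QRadar Console against the builds mentioned in this thread.
# Assumed name format: DSM-SIMGenericLog-<version>-<build>.noarch (rpm -q output)
# or the same with a trailing .rpm (file name from Fix Central).

AFFECTED_BUILD="20241220124142"   # build the flash notice says drops events
FIXED_BUILD="20250130145444"      # updated build that resolves the issue

# sim_generic_status NAME -> prints one of: affected | fixed | other | unknown
sim_generic_status() {
    name="$1"
    case "$name" in
        DSM-SIMGenericLog-*) ;;
        *) echo unknown; return 0 ;;   # not a SIM Generic package at all
    esac
    stripped="${name%.rpm}"            # drop .rpm if a file name was passed
    stripped="${stripped%.noarch}"     # drop the architecture suffix
    build="${stripped##*-}"            # last dash-separated field is the build
    if [ "$build" = "$AFFECTED_BUILD" ]; then
        echo affected
    elif [ "$build" = "$FIXED_BUILD" ]; then
        echo fixed
    else
        echo other
    fi
}

# check_installed: query the real package database on a Console. If the
# package is not installed (or rpm is unavailable) the result is "unknown".
check_installed() {
    pkg=$(rpm -q DSM-SIMGenericLog 2>/dev/null) || { echo unknown; return 0; }
    sim_generic_status "$pkg"
}

# Constructed sample standing in for `rpm -q DSM-SIMGenericLog` output.
SAMPLE="DSM-SIMGenericLog-7.5-20241220124142.noarch"

case "$(sim_generic_status "$SAMPLE")" in
    affected) echo "$SAMPLE: affected build; install the updated RPM on the Console, then run all_servers.sh -k -C \"systemctl restart ecs-ec\"" ;;
    fixed)    echo "$SAMPLE: updated build already installed" ;;
    other)    echo "$SAMPLE: not the affected build" ;;
    unknown)  echo "$SAMPLE: could not determine SIM Generic build" ;;
esac
```

On a Console you would call `check_installed` instead of feeding a sample string; it returns the same four states, so the same `case` block can drive whatever follow-up you want (a ticket, an alert, or just a line in a compliance report).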