IBM QRadar

  • 1.  Frequently TxSentry occurs when attempting to run auto updates | Since upgrade CE 7.5.0 UP10IF02 to 7.5.0 UP12! | sqlite.latest.db.gz issue

    Posted Thu May 15, 2025 08:20 AM

    Hi community,

    Today I successfully updated my CE from 7.5.0 UP10IF02 to the current Update Package UP12. Then I tried to load the current auto updates by starting "Get new updates". It took a very long time to finish and ends up with errors if I kill the autoupdate process.

    After starting auto updates it works till this point:

    --snap

    May 15 11:25:11 qradarce75.localdomain AUTOUPDATE[1202082]: Downloading "sqlite.latest.db.gz" and placing in "/store/autoupdates/dau/vuln/".
    May 15 11:25:11 qradarce75.localdomain AUTOUPDATE[1202082]: PERL: Attempting to retrieve https://auto-update.qradar.ibmcloud.com/autoupdates/dau/vuln/sqlite.latest.db.gz?version=7.5.0%20UpdatePackage%2012&iv=2021.6.12.20250509154206&customer=Community%20Edition&lastau=1746736560&lastpatch=1746736560&vendor=Q1%20Labs -- dau/vuln/sqlite.latest.db.gz
    May 15 11:25:11 qradarce75.localdomain AUTOUPDATE[1202082]: Attempting to retrieve https://auto-update.qradar.ibmcloud.com/autoupdates/dau/vuln/sqlite.latest.db.gz?version=7.5.0%20UpdatePackage%2012&iv=2021.6.12.20250509154206&customer=Community%20Edition&lastau=1746736560&lastpatch=1746736560&vendor=Q1%20Labs
    May 15 11:25:28 qradarce75.localdomain AUTOUPDATE[1202082]: Checking /store/autoupdates/dau/vuln/sqlite.latest.db.gz
    May 15 11:25:28 qradarce75.localdomain AUTOUPDATE[1202082]: Executing: gunzip -f /store/autoupdates/dau/vuln/sqlite.latest.db.gz
    May 15 12:19:32 ::ffff:127.0.0.1 [hostcontext.hostcontext] [0ce976f4-5589-497b-be40-91dfaf2aa438/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0150134100][172.16.xxx.xxx/- -] [-/- -]Found unmanaged process on host 172.16.xxx.xxx: /opt/ibm/ibm-semeru-certified-11-jdk/bin/java, pid=1219608, TX age=1816 secs, command=[1219442 1205256 /opt/ibm/ibm-semeru-certified-11-jdk/bin/java -Xmx1024m -cp /store/autoupdates/scripts/7.3/q1labs_vis_qvdb_importer.jar:/opt/qradar/jars/q1labs_assetprofile.jar:/opt/qradar/jars/ibm-si-mks.jar:/opt/qradar/jars/xml-
    May 15 12:20:32 ::ffff:127.0.0.1 [hostcontext.hostcontext] [0ce976f4-5589-497b-be40-91dfaf2aa438/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0150134100][172.16.xxx.xxx/- -] [-/- -]Found unmanaged process on host 172.16.xxx.xxx: /opt/ibm/ibm-semeru-certified-11-jdk/bin/java, pid=1219608, TX age=1876 secs, command=[1219442 1205256 /opt/ibm/ibm-semeru-certified-11-jdk/bin/java -Xmx1024m -cp /store/autoupdates/scripts/7.3/q1labs_vis_qvdb_importer.jar:/opt/qradar/jars/q1labs_assetprofile.jar:/opt/qradar/jars/ibm-si-mks.jar:/opt/qradar/jars/xml-apis-1.4.01.jar:/opt/qradar/jars/sca.jar:/...

    -- snap

    And then after this time this TxSentry message shows up frequently...

    --snap

    May 15 12:49:32 ::ffff:127.0.0.1 [hostcontext.hostcontext] [0ce976f4-5589-497b-be40-91dfaf2aa438/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][172.16.xxx.xxx/- -] [-/- -]    Lock acquired on host 172.16.xxx.xxx: rel=extref_pkey age=3616 granted=t mode=AccessShareLock query='SELECT * FROM qvmui.rebuild_vuln_class_mat_view()'
    May 15 12:49:32 ::ffff:127.0.0.1 [hostcontext.hostcontext] [0ce976f4-5589-497b-be40-91dfaf2aa438/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][172.16.xxx.xxx/- -] [-/- -]    Lock acquired on host 172.16.xxx.xxx: rel=vuln_custom_risk age=3616 granted=t mode=SIReadLock query='SELECT * FROM qvmui.rebuild_vuln_class_mat_view()'
    -- snap

    It seems to be an issue with auto updates extracting and applying the huge content of this sqlite.latest.db.gz, and during this time the unmanaged process issue shows up frequently. After killing the auto update process, the TxSentry notification disappeared and auto updates finished successfully so far, but with errors. Here is the output of the autoupdate log:

    --snap

    An error occurred while updating vulnerabilities.
    DAU 1746736560 applied auto update package from 05/08/2025 at 22:36 with errors.
    Latest patches are already installed with serial 1746736560 from 05/08/2025 at 22:36.
    Latest WAU is already installed with serial 1746736560 from 05/08/2025 at 22:36.

    --snap

    @IBM Support, any similar experiences or any ideas for a workaround, or how to investigate and fix this issue?

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | SIEM Security Strategy & Data Resilience
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------
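
One way to collapse the repeating TxSentry warnings quoted in the post above into one record per process and per query, so the longest transaction age and the job that owns it are visible at a glance. This is an added example, not part of the original thread and not IBM tooling; the sample lines are constructed and shortened from the format shown in the post, and the name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the TxSentry format quoted in the post.
HDR = ("::ffff:127.0.0.1 [hostcontext.hostcontext] [id/SequentialEventDispatcher] "
       "com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0][172.16.xxx.xxx/- -] [-/- -]")
JAVA = "/opt/ibm/ibm-semeru-certified-11-jdk/bin/java"
CMD = (f"command=[1219442 1205256 {JAVA} -Xmx1024m -cp "
       "/store/autoupdates/scripts/7.3/q1labs_vis_qvdb_importer.jar:/opt/qradar/jars/sca.jar:/...")
QUERY = "SELECT * FROM qvmui.rebuild_vuln_class_mat_view()"
SAMPLE = "\n".join([
    f"May 15 12:19:32 {HDR}Found unmanaged process on host 172.16.xxx.xxx: {JAVA}, pid=1219608, TX age=1816 secs, {CMD}",
    f"May 15 12:20:32 {HDR}Found unmanaged process on host 172.16.xxx.xxx: {JAVA}, pid=1219608, TX age=1876 secs, {CMD}",
    f"May 15 12:49:32 {HDR}    Lock acquired on host 172.16.xxx.xxx: rel=extref_pkey age=3616 granted=t mode=AccessShareLock query='{QUERY}'",
    f"May 15 12:49:32 {HDR}    Lock acquired on host 172.16.xxx.xxx: rel=vuln_custom_risk age=3616 granted=t mode=SIReadLock query='{QUERY}'",
])

PROC = re.compile(r"Found unmanaged process on host \S+: (\S+), pid=(\d+), TX age=(\d+) secs, command=\[(.*)")
LOCK = re.compile(r"Lock acquired on host \S+: rel=(\S+) age=(\d+) granted=(\w) mode=(\w+) query='(.*)'")

def triage(text):
    """Collapse repeated TxSentry warnings into one record per pid and per query."""
    procs = {}
    locks = defaultdict(lambda: {"max_age": 0, "rels": set(), "modes": set()})
    for line in text.splitlines():
        if "TxSentry" not in line:
            continue
        if m := PROC.search(line):
            exe, pid, age, cmd = m.groups()
            # First classpath entry shows which job owns the long transaction.
            cp = re.search(r"-cp (\S+?)(?::|\s|$)", cmd)
            rec = procs.setdefault(int(pid), {"exe": exe, "max_age": 0, "sightings": 0,
                                              "first_cp": cp.group(1) if cp else None})
            rec["max_age"] = max(rec["max_age"], int(age))
            rec["sightings"] += 1
        elif m := LOCK.search(line):
            rel, age, _granted, mode, query = m.groups()
            rec = locks[query]
            rec["max_age"] = max(rec["max_age"], int(age))
            rec["rels"].add(rel)
            rec["modes"].add(mode)
    return procs, dict(locks)

if __name__ == "__main__":
    procs, locks = triage(SAMPLE)
    for pid, rec in procs.items():
        print(f"pid {pid}: TX age up to {rec['max_age']}s, {rec['sightings']} warnings, {rec['first_cp']}")
    for query, rec in locks.items():
        print(f"{query}: held {rec['max_age']}s on {sorted(rec['rels'])}")
```
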


  • 2.  RE: Frequently TxSentry occurs when attempting to run auto updates | Since upgrade CE 7.5.0 UP10IF02 to 7.5.0 UP12! | sqlite.latest.db.gz issue

    Posted Thu May 15, 2025 08:45 AM

    Hey Ralph,

    Can you please open cases for each of these you see and ask that they are tagged to the known issue?

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Frequently TxSentry occurs when attempting to run auto updates | Since upgrade CE 7.5.0 UP10IF02 to 7.5.0 UP12! | sqlite.latest.db.gz issue

    Posted Thu May 15, 2025 08:53 AM

    Hey John,

    Sure, of course :)

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | SIEM Security Strategy & Data Resilience
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------



  • 4.  RE: Frequently TxSentry occurs when attempting to run auto updates | Since upgrade CE 7.5.0 UP10IF02 to 7.5.0 UP12! | sqlite.latest.db.gz issue

    Posted Fri May 16, 2025 08:57 AM

    Hey Ralph, just curious, is it just one system or different installations?  (So I know to check all of ours)



    ------------------------------
    Frank Eargle
    Senior Information Security Architect
    GlassHouse Systems
    Columbia SC
    803-237-4497
    ------------------------------



  • 5.  RE: Frequently TxSentry occurs when attempting to run auto updates | Since upgrade CE 7.5.0 UP10IF02 to 7.5.0 UP12! | sqlite.latest.db.gz issue

    Posted 16 days ago

    Hey Frank,

    Until today it was just one deployment where I had this "side effect". I hope it stays that way :)


    Regards,
    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | SIEM Security Strategy & Data Resilience
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------