Hey community,
Today I again had a great learning related to QRadar. In System Notifications a message frequently shows up: Data Replication difficult..
The deployment was updated this week from 7.5.0 UP14 IF02 to 7.5.0 UP14 IF03. At the end of last year I had the same issue after 7.5.0 UP14 IF02 had been applied successfully. At that time I had the great pleasure of meeting @John Dawson in person at the QRadar User Group Meeting in Frankfurt. We had a great talk during coffee breaks, and by the way I mentioned this issue. To make it short: we had a short investigation session in the affected deployment and were able to fix it running QRadar 7.5.0 UP14 IF02!
The root cause was on the EP, related to a misconfigured parameter in conjunction with PostgreSQL. In qradar.log we could identify an error message similar to this:
ErrorStream replication: DBI connect ..'qradar' .. connection to server on socket.. failed: FATAL: sorry, too many clients already at ..
A few days later the following IBM Known Issue document DT458064 was released:
Known Issue: Replication Difficulty: too many clients already
The solution was to adjust a parameter in the involved .conf file and restart services. Done! After adjusting this value, the data replication started to work as expected.
The point of this thread is that this "misconfiguration" related to this max_connections value reappeared after applying IF03!
@IBM Support, just to keep you informed and aware of this issue: will it be permanently fixed with UP15?!
Regards,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | CyberSecurity Strategy | SIEM & Data Resilience
connecT SYSTEMHAUS AG
Siegen
------------------------------