IBM QRadar

Be aware, we are tracking a number of cases where a DSM Common issue from the 20 July 2021 auto update is causing thread exceptions for certain DSMs on QRadar 7.4.x versions. These errors can occur when Traffic Analysis (TA) is enabled and events can route to store due to thread exceptions in ECS-EC for the Event Parser. Development is working on an updated jar file to resolve this issue, but wanted to post a link to the flash notice for this issue. If there are questions, let me know. The resolution to this issue will require a software RPM or jar to officially resolve.

Attempting to uninstall the DSM Common RPM if you are on QRadar 7.4.x does not resolve the problem, but everyone can review to see if events are being routed to storage on their appliance or confirm if you are hitting this issue.

Flash notice

• QRadar 7.4.x: Auto update 20 July 2021 and traffic analysis errors for DSM Common RPM

RPM that introduced the issue:

• DSMCommon-7.4-20210624145517.noarch.rpm

A workaround is available in the flash notice for users to resolve this issue.

Hello Jonathan,

The 'wordaround' did work for a while, I applied the fix around 3.15 PM it was working but at 7:08 PM all events started coming in as "stored"

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][10.10.x.x/- -] [-/- -]Exception was uncaught in thread: Event Parser[1]

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] java.lang.NoClassDefFoundError: com/q1labs/sem/dsm/build/base/Utils

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.q1labs.sem.dsm.cisco.aironet.Aironet.populateNevBuilder(Aironet.java:92)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.q1labs.sem.dsm.NevBuilderDSM.parseInternal(NevBuilderDSM.java:223)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.q1labs.sem.dsm.DSMBase.parse(DSMBase.java:336)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.q1labs.sem.dsm.DSMBase.parse(DSMBase.java:311)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.ibm.si.ec.filters.normalize.Processor.parse(Processor.java:315)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[1]] at com.ibm.si.ec.filters.normalize.Processor.run(Processor.java:181)

Jul 22 19:08:57 ::ffff:10.10.x.x [ecs-ec.ecs-ec] [Event Parser[7]] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][10.10.x.x/- -] [-/- -]Exception was uncaught in thread: Event Parser[7]

**

Should I open a case?

T&R

Arjun Kumar

An update is published now via Auto Updates and a new version of DSM Common 20210721 is available on IBM Fix Central. I reissued the flash notice late last night (EDT time) for all users.

If you have not done so, run an auto update with the "Get New Updates" button from Admin > Auto Updates user interface, then deploy change. Optionally, users can install the latest version of DSM Common from IBM Fix Central. If you are still experiencing any issues after you completed the Auto Update, open a case for us to investigate.

Flash Notice Updated (latest version date July 22 Support Member:30PM EDT)

I can confirm it is now working fine after applying the new update.

T&R

I'm adding an uypdate here to raise awareness to users that a new flash notice was issued for 7.4.x users to provide an overview of the DSM Common issue from 20 July 2021.

This is not an issue flash notice, but a follow-up to provide users with more details. It is a common practice for QRadar Support to follow-up with users after a flash notice is sent for an important issue. The report includes further details on the issue and lists preventative actions taken by the development team.

Link: QRadar: Overview of auto update issue for 20 July 2021 (IJ33892)