IBM Support

IJ17394: WINCOLLECT UNABLE TO REGISTER NEW AGENTS "...INVALID TOKEN ROLE" IN QRADAR LOGGING AFTER APPLYING QRADAR 7.3.2 PATCH 2

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • It has been identified that after applying QRadar 7.3.2 Patch 2
    WinCollect is unable to register new agents, and existing
    agents report errors related to "invalid token role" in QRadar
    logging, if the "Admin" or "All" user role authentication token
    is used.
    Messages similar to the following might be visible
    in /var/log/qradar.error when this issue is occuring:
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7331)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:DFC95AEF26CC2DA38F5BB0C611D52CA5 - possible CSRF
    attack detected, invalid token role 'All'
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7481)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:02CC745E11B1A731ADB0021C525A0A6A - possible CSRF
    attack detected, invalid token role 'All'
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7600)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:D9E0340E0A9BC084E6B73484FC33C1A9 - possible CSRF
    attack detected, invalid token role 'All
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • It has been identified that after applying QRadar 7.3.2 Patch
    WinCollect is unable to register new agents, and existing
    agents report errors related to "invalid token role" in QRada
    logging, if the "Admin" or "All" user role authentication tok
    is used.
    Messages similar to the following might be visible
    in /var/log/qradar.error when this issue is occuring:
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7331)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:DFC95AEF26CC2DA38F5BB0C611D52CA5 - possible CSRF
    attack detected, invalid token role 'All'
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7481)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:02CC745E11B1A731ADB0021C525A0A6A - possible CSRF
    attack detected, invalid token role 'All'
    [tomcat.tomcat] [Token: WinCollectAgent@127.0.0.1 (7600)
    /console/wincollect] com.q1labs.core.ui.servlet.WinCollect:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Session:D9E0340E0A9BC084E6B73484FC33C1A9 - possible CSRF
    attack detected, invalid token role 'All'
    

Problem conclusion

  • The issue was resolved in QRadar version 7.3.2 Patch 2 Interim
    Fix 2 and 7.3.2 Patch 3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ17394

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-03

  • Closed date

    2019-07-12

  • Last modified date

    2019-07-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels



Document information

More support for: IBM QRadar SIEM

Software version: 732

Reference #: IJ17394

Modified date: 24 July 2019