IBM Support

IV69658: WINCOLLECT AGENTS FAILING TO REGISTER WITH THE CONSOLE AFTER UPGRADING THE WINCOLLECT .SFS VERSION

APAR status

  • Closed as program error.

Error description

  • After applying an updated WinCollect sfs to QRadar, WinCollect
    agents might stop being able to connect to the Console.
    
    Messages similar to the following might be seen in
    /var/log/qradar.error when this is occurring:
    
    [ecs-ec] [Thread-148] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigServer: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Encountered a problem in WinCollect Config Server Thread
    [ecs-ec] [Thread-148] java.net.SocketException: Connection reset
    [ecs-ec] [Thread-148] at java.net.SocketInputStream.read(SocketInputStream.java:207)
    [ecs-ec] [Thread-148] at java.net.SocketInputStream.read(SocketInputStream.java:133)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.a.a(a.java:110)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.a.a(a.java:141)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.a(qc.java:691)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.d(qc.java:337)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.i.flush(i.java:18)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.cb.a(cb.java:694)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.cb.a(cb.java:625)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.ab.r(ab.java:528)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.ab.a(ab.java:39)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.a(qc.java:758)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.h(qc.java:266)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.a(qc.java:770)
    [ecs-ec] [Thread-148] at com.ibm.jsse2.qc.startHandshake(qc.java:476)
    [ecs-ec] [Thread-148] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigProvider.acceptConnection(WinCollectConfigProvider.java:85)
    [ecs-ec] [Thread-148] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigServer$WinCollectConfigSocketCreator.run(WinCollectConfigServer.java:157)
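
One way to check a Console for this signature is to count Config Server errors that are followed, on the same thread, by a connection reset inside the TLS handshake. This is an added example, not IBM code: the function names are hypothetical, the sample lines are constructed from the messages above, and it assumes each log entry sits on a single line in the file.

```shell
#!/bin/sh
# Constructed sample: one IV69658-style event (Thread-148) and one
# unrelated Config Server failure (Thread-149) that must not be counted.
write_sample() {
cat <<'EOF'
[ecs-ec] [Thread-148] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigServer: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Encountered a problem in WinCollect Config Server Thread
[ecs-ec] [Thread-148] java.net.SocketException: Connection reset
[ecs-ec] [Thread-148] at java.net.SocketInputStream.read(SocketInputStream.java:207)
[ecs-ec] [Thread-148] at com.ibm.jsse2.qc.startHandshake(qc.java:476)
[ecs-ec] [Thread-148] at com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigProvider.acceptConnection(WinCollectConfigProvider.java:85)
[ecs-ec] [Thread-149] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigServer: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Encountered a problem in WinCollect Config Server Thread
[ecs-ec] [Thread-149] java.io.IOException: constructed unrelated failure
[ecs-ec] [Thread-149] at com.ibm.jsse2.qc.startHandshake(qc.java:476)
EOF
}

# Print the number of events matching the signature in the given log file.
# Per-thread state: 1 = error header seen, 2 = "Connection reset" seen.
count_wincollect_resets() {
    awk '
        {
            # Key every line on its thread tag; skip lines without one.
            if (!match($0, /\[Thread-[0-9]+\]/)) next
            t = substr($0, RSTART, RLENGTH)
        }
        /WinCollectConfigServer: \[ERROR\]/ &&
        /Encountered a problem in WinCollect Config Server Thread/ {
            state[t] = 1; next
        }
        state[t] == 1 && /java\.net\.SocketException: Connection reset/ {
            state[t] = 2; next
        }
        # The reset happened during the TLS handshake: count the event.
        state[t] == 2 && /\] at .*startHandshake\(/ {
            hits++; state[t] = 0; next
        }
        # Any non-stack-frame line on this thread ends the current event.
        state[t] && !/\] at / { state[t] = 0 }
        END { print hits + 0 }
    ' "$1"
}

# Demo on the constructed sample; on a Console, pass /var/log/qradar.error.
sample=$(mktemp)
write_sample > "$sample"
echo "handshake resets: $(count_wincollect_resets "$sample")"
rm -f "$sample"
```
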
    

Local fix

  • No workaround available.
    

Problem summary

  • After applying an updated WinCollect sfs to QRadar, WinCollect
    agents might stop being able to connect to the Console.
    
    

Problem conclusion

  • An updated WinCollect Configuration Server Protocol source RPM
    was released. It resolves an issue where a connection handshake
    error could prevent multiple WinCollect agents from establishing
    a connection to the appliance as expected; resolves an issue
    where a disabled agent could generate an SQL error; and enhances
    the Configuration Server protocol to provide the log source
    identifier of agents that have incorrect public keys.

    PROTOCOL-WinCollectConfigServer-7.1-1046397.noarch.rpm
    PROTOCOL-WinCollectConfigServer-7.2-1046399.noarch.rpm
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV69658

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    723

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-02-18

  • Closed date

    2015-04-06

  • Last modified date

    2015-04-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

  • R710 PSY

       UP



Document information

More support for: IBM QRadar SIEM

Software version: 723

Reference #: IV69658

Modified date: 06 April 2015