IBM Support

QRadar: Troubleshooting UBA V2.0.0 Failed Upgrades

Troubleshooting


Problem

Administrators whose upgrade to UBA V2.0.0 failed can follow the steps outlined in this document to install UBA V2.0.1 and preserve the original configuration settings.

Cause

The UBA 2.0.0 installer is missing a required package to complete the install of the app. The app attempts to download this dependency from the Internet. If the QRadar Console does not have Internet access, then the update will fail.

Resolving The Problem

Quick links:

  • Before you begin
  • Step 1: Preserving your UBA application configuration
  • Step 2: Preserving your LDAP application configuration
  • Step 3: Removing UBA from the QRadar console
  • Step 4: Installing UBA V2.0.1
  • Step 5: Restoring Configuration Files to the UBA V2.0.1 App




    Before you begin


    Administrators who want to preserve their LDAP configuration and UBA configuration data from their v1.4 installation must complete all steps in this procedure. If the administrator wants to configure the application as a fresh install and not preserve any application settings, then the administrator can go directly to Step 3.


    Step 1: Preserving your UBA application configuration


    This step allows administrators with root access to SSH to the QRadar Console and copy settings files from the UBA app to a safe directory. This ensures that UBA settings can be restored later on in this technical note.

      Procedure
      1. Using SSH, log in to the QRadar Console as the root user.
      2. To create a backup directory, type the following command: mkdir uba_backup
      3. To navigate to the newly created directory, type: cd uba_backup
      4. Type the following commands based on your QRadar version:
        • If you are using QRadar V7.2.6 to V7.2.8, type the following command: find /store/docker/vfs/dir/ -name uba.db
        • If you are using QRadar V7.3.0, type the following command: find /store/docker/volumes/ -name uba.db

          The PATH_TO_UBA_STORE_FOLDER is the returned value less the file name part.
      5. To back up the settings files, copy the UBA configuration files with the following commands:
        cp [PATH_TO_UBA_STORE_FOLDER]/uba.db ./
        cp [PATH_TO_UBA_STORE_FOLDER]/config.json ./
           


    Step 2: Preserving your LDAP application configuration


      Procedure
      1. Using SSH, log in to the QRadar Console as the root user.
      2. To create a backup directory, type the following command: mkdir ldap_backup
      3. To navigate to the newly created directory, type: cd ldap_backup
      4. Type the following commands based on your QRadar version:
        • If you are using QRadar V7.2.6 to V7.2.8, type the following command: find /store/docker/vfs/dir/ -name ldap-reference.db
        • If you are using QRadar V7.3.0, type the following command: find /store/docker/volumes/ -name ldap-reference.db

          The PATH_TO_LDAP_STORE_FOLDER is the returned value less the file name part.
      5. To back up the settings files, copy the LDAP configuration files with the following commands:
        cp [PATH_TO_LDAP_STORE_FOLDER]/ldap-reference.db ./
        cp [PATH_TO_LDAP_STORE_FOLDER]/config.json ./
        cp -r [PATH_TO_LDAP_STORE_FOLDER]/certs ./certs
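
Steps 1 and 2 written as shell functions, as an added example that is not part of the IBM technote. It stops when `find` returns zero or several matches instead of guessing the store folder, keeps the backup directory readable by its owner only, and records checksums for the copied files. The function names and the SHA256SUMS manifest are assumptions; the paths and file names are the ones given in the steps above.

```sh
#!/bin/sh
# Added example, not IBM code. Function names and the SHA256SUMS manifest
# are assumptions; paths and file names are the ones used in Steps 1 and 2.

# locate_store ROOT DBNAME
# Print the one directory under ROOT that contains DBNAME. Refuse to guess
# when the file is missing or when find returns more than one match.
locate_store() {
    matches=$(find "$1" -type f -name "$2" 2>/dev/null)
    if [ -z "$matches" ]; then
        echo "no $2 found under $1" >&2
        return 1
    fi
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "$count copies of $2 found; pick the store folder by hand" >&2
        return 2
    fi
    dirname "$matches"
}

# backup_store STORE DEST FILE...
# Copy FILEs (plus certs/ when the store has one) into an owner-only DEST
# (mode 700), then record a checksum for every copied file.
backup_store() {
    store=$1; dest=$2; shift 2
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in "$@"; do
        cp -p "$store/$f" "$dest/" || return 1
    done
    if [ -d "$store/certs" ]; then
        cp -rp "$store/certs" "$dest/" || return 1
    fi
    ( cd "$dest" && find . -type f ! -name SHA256SUMS \
        -exec sha256sum {} + > SHA256SUMS )
}

# verify_backup DEST
# Succeed only if every file in DEST still matches its recorded checksum.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Usage on a V7.3.0 Console (LDAP app, Step 2):
#   s=$(locate_store /store/docker/volumes ldap-reference.db) &&
#       backup_store "$s" ./ldap_backup ldap-reference.db config.json
```

Running `verify_backup` on each backup directory before the copies in Step 5 confirms that the files being restored are the ones that were saved.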




    Step 3: Removing UBA from the QRadar console


    This procedure outlines how to remove the UBA application from QRadar. There are two possible methods of removing the application from QRadar and both procedures are defined below:
      Procedure 1: Uninstalling from the User Interface
      1. Log in to the QRadar Console as an administrator.
      2. Click the Admin tab.
      3. Click the Extensions Management icon.
      4. Select User Behavior Analytics 2.0.0 app.
      5. Click the Uninstall button.
      6. To confirm the app removal, click Uninstall.

        Results
        A message is displayed to the administrator that any content added by the application, such as rules or custom properties will still remain on the QRadar Console. When the uninstallation completes, a summary is displayed.

      Procedure 2: Uninstalling UBA V2.0.0 Using the QRadar API
      1. Log in to the QRadar Console as an administrator and, from the navigation bar, select Help > Interactive API for Developer, or type the following in your browser address bar: https://ConsoleIPAddress/api_doc. Both methods take the administrator to the QRadar API.
      2. Authenticate to the QRadar API.
      3. Select the top API version on the left panel, such as v8.0 or v7.0, depending on your QRadar version.
      4. Expand the /gui_app_framework endpoint.
      5. Select /applications.
      6. From the GET - /gui_app_framework/applications screen, click the Try It Out! button.
      7. In the Response Body, locate the application_id or app_id number for the UBA application.

        NOTE: To verify, ensure that the "name" field of the entry is "uba_core.application_name" and record the numeric value.
      8. Select the /{application_id} endpoint and then click the DELETE tab.
      9. In the Value field for application_id, type the application_id number that you recorded in step 7.
      10. Click Try It Out!.

        Results
        A 204 response should be returned with the message: The application has been successfully unregistered.

        NOTE: If you get any of the following response codes, you might need to contact QRadar Support: 409 or 500. If you receive a 404 response code, verify that you typed the correct application_id number as the API is informing the administrator that the specific application_id does not exist, so there was nothing to delete.




    Step 4: Installing UBA V2.0.1


    This procedure walks the administrator through the process of installing UBA V2.0.1 and then restoring the configuration files.
      Procedure
      1. Download the UBA v2.0.1 application from X-Force App Exchange (https://exchange.xforce.ibmcloud.com/)
      2. Log in to the QRadar Console as an administrator.
      3. Click the Admin tab and then click the Extensions Management icon
      4. In the Extension Management window, click Add and select the UBA V2.0.1 zip archive to upload.
      5. Select the Install immediately check box.
      6. On the Admin tab, click Advanced > Deploy Full Configuration.

        Results
      • The UBA V2.0.1 app is installed. If you did not save any backup settings from your V1.4 or V2.0.0 UBA installation, then you should review the setup procedures for the UBA app in the official documentation, see: Configuring the User Behavioral Analytics App.
      • If you are restoring configuration files, continue with Step 5.




    Step 5: Restoring Configuration Files to the UBA V2.0.1 App


    This procedure walks the administrator through the process of restoring the saved configuration files after UBA V2.0.1 is installed.

    NOTE:
    Only perform these steps to restore your original UBA and LDAP settings:

      Procedure
      1. Using SSH, log in to the QRadar Console as the root user.
      2. Navigate to the following directory: uba_backup
      3. If you are using QRadar V7.2.6 to V7.2.8, run the following command: find /store/docker/vfs/dir/ -name uba.db
      4. If you are using QRadar V7.3.0, run the following command: find /store/docker/volumes/ -name uba.db

        The PATH_TO_UBA_STORE_FOLDER is the value returned from the first command less the file name part.
      5. To restore settings files, copy the UBA configuration files with the following commands:
        cp uba.db [PATH_TO_UBA_STORE_FOLDER]
        cp config.json [PATH_TO_UBA_STORE_FOLDER]
      6. Navigate to the following folder containing your LDAP configuration backup: ldap_backup
        • If you are using QRadar V7.2.6 to V7.2.8, run the following command: find /store/docker/vfs/dir/ -name ldap-reference.db
        • If you are using QRadar V7.3.0, run the following command: find /store/docker/volumes/ -name ldap-reference.db

          The PATH_TO_LDAP_STORE_FOLDER is the value returned from the first command less the file name part.
      7. To restore the LDAP configuration files, type the following commands:
        cp ./ldap-reference.db [PATH_TO_LDAP_STORE_FOLDER]
        cp ./config.json [PATH_TO_LDAP_STORE_FOLDER]
        cp -r ./certs/* [PATH_TO_LDAP_STORE_FOLDER]/certs/

        Results
        From the QRadar user interface, launch the UBA application and verify that the configuration is complete and that data is restored.




Document Information

Modified date:
10 May 2019

UID

swg22002994