QRADAR APARS 101

1. Log in to the QRadar UI.
2. Click the Reports tab.
3. Click Actions > Create.
4. Click Next.
5. Choose a report schedule and click Next.
6. Select any layout and click Next.
7. Fill in the required information.
8. Chart Type choose Events/Logs, or Flows.
   Note: This might happen with other Chart Types.
9. Scroll to the bottom of the page.
   
   Results
   The last field on the page is not accessible.

1. On the navigation menu (Navigation menu icon), click Admin.
2. On the Advanced menu, click Restart Event Collection Services.
3. Event collection is briefly interrupted while the service restarts.

1. On the navigation menu, click Admin.
   
2. On the Advanced menu, click Deploy Full Configuration.
   Note: Deploy Full Configuration results in services being restarted. While services are restarting, event processing stops until services restart. Scheduled reports that are in-progress need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.

[ecs-ep.ecs-ep]
[fcfa6359-f3a6-4f85-8bac-2f5b1bdc380b/SequentialEventDispatcher]
com.q1labs.semsources.cre.tests.RuleMatch_Test: [ERROR]
[NOT:0000003000][IPADDR/- -] [-/- -]rule_id was not found for UUID = SYSTEM-1263

1. Log in to the QRadar UI.
2. Click the Admin tab.
3. From the Admin navigation menu, expand the Apps list.
4. Click QRadar Log Source Management.
   
   Results
   A blank page is shown.

Error: Default namespace not found at
/opt/app-root/app/public/static/locales/en_us/common.json
   at createConfig (/opt/app-root/app/node_modules/next-i18next
/dist/commonjs/config/createConfig.js:165:19)
   at _callee$ (/opt/app-root/app/node_modules/next-i18next/dis
t/commonjs/serverSideTranslations.js:201:53)
   at tryCatch (/opt/app-root/app/node_modules/next-i18next/nod
e_modules/@babel/runtime/helpers/regeneratorRuntime.js:86:17)
   at Generator._invoke (/opt/app-root/app/node_modules/next-i1
8next/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:66:24)
   at Generator.next (/opt/app-root/app/node_modules/next-i18ne
xt/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:117:21)
   at asyncGeneratorStep (/opt/app-root/app/node_modules/next-i
18next/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
   at _next (/opt/app-root/app/node_modules/next-i18next/node_m
odules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
   at processTicksAndRejections
(node:internal/process/task_queues:96:5)

[tomcat.tomcat] [XXXXXXX@(1471)
/console/JSON-RPC/QRadar.saveRole QRadar.saveRole]
com.q1labs.core.ui.servlet.RemoteJavaScript: [WARN]
[NOT:0000004000]The user XXXXX does not have access to the
method saveRole in application QRadar

1. To create an Advanced Search in the Offenses tab, Click Search > New Search.
2. Click any of the Search buttons.
   
   Results
   Now you can sort the results by any column, without the 2 default filters ‘Exclude Hidden Offenses’ and ‘Exclude Closed Offenses’ being removed.

1. Log in to the QRadar UI.
2. Click the Offenses tab.
3. From the list, hide or close some of the offenses. Note: Here you will see the 2 default filters ‘Exclude Hidden Offenses’ and ‘Exclude Closed Offenses’ are applied.
4. Click an column heading to sort the offenses.
   
   Results
   The two default filters are no longer applied and the offenses that were hidden or closed are visible again.

[Python tool]: [INFO] 'Setting the system time and timezone configuration. '
[Python tool]: [INFO] 'Setting the time zone America/Halifax in /etc/localtime'
[Python tool]: [INFO] Failed to perform the task.
[Python tool]: [INFO] 
[Python tool]: [INFO] Traceback (most recent call last):
[Python tool]:   File
"/opt/qradar/conf/../lib/python/qradar/systemTimeSetup.py", line 458, in main
[Python tool]:     manager.set(args)
[Python tool]:   File
"/opt/qradar/conf/../lib/python/qradar/systemTimeSetup.py", line 183, in set
[Python tool]:     self._setTZ(args.timezone)
[Python tool]:   File "/opt/qradar/conf/../lib/python/qradar/systemTimeSetup.py", line 238, in _setTZ
[Python tool]:     for line in fileinput.input(TZ_CONF_PATH, inplace=True):
[Python tool]:   File "/usr/lib64/python3.6/fileinput.py", line 250, in _next_
[Python tool]:     line = self._readline()
[Python tool]:   File "/usr/lib64/python3.6/fileinput.py", line 364, in _readline
[Python tool]:     return self._readline()
[Python tool]:   File "/usr/lib64/python3.6/codecs.py", line 321, in decode
[Python tool]:     (result, consumed) = self._buffer_decode(data, self.errors, final)
[Python tool]: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa2 in position 44: invalid start byte
[Python tool]: [INFO] 'Getting the system time and timezone settings. '
[Python tool]: [INFO] {
[Python tool]:     "timezone_id": "../../../etc/localtime",
[Python tool]:     "is_sync_with_ntp_server": false,
[Python tool]:     "ntp_server_addresses": null,
[Python tool]:     "current_date": "2022-08-02 10:50:53"
[Python tool]: }
[Python tool]: [INFO] 'Getting the system time and timezone settings. '
[Python tool]: [INFO] {
[Python tool]:     "timezone_id": "../../../etc/localtime",
[Python tool]:     "is_sync_with_ntp_server": false,
[Python tool]:     "ntp_server_addresses": null,
[Python tool]:     "current_date": "2022-08-02 10:51:29"

[hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [/SequentialEventDispatcher]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to download and process global set
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApply
Configuration(ConfigSetUpdater.java:380)
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.startDownloadAnd
ApplyConfiguration(ConfigSetUpdater.java:222)
[hostcontext.hostcontext] [/SequentialEventDispatcher] ... 6 more
[hostcontext.hostcontext]
[/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [/SequentialEventDispatcher]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to build local configuration set
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.runLocalTransfor
mers(ConfigSetUpdater.java:581)
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApply
Configuration(ConfigSetUpdater.java:299)
[hostcontext.hostcontext] [/SequentialEventDispatcher] ... 7 more
[hostcontext.hostcontext]
[/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [/SequentialEventDispatcher]
com.q1labs.hostcontext.exception.HostContextConfigException:
Failed to build local configuration set
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.transformLocalCo
nfiguration(ConfigSetUpdater.java:878)
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.hostcontext.configuration.ConfigSetUpdater.runLocalTransfor
mers(ConfigSetUpdater.java:530)
[hostcontext.hostcontext] [/SequentialEventDispatcher] ... 8 more
[hostcontext.hostcontext]
[/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [/SequentialEventDispatcher]
com.q1labs.configservices.common.ConfigServicesException:
Failed to build configuration set for host com.q1labs.configserv
ices.schemaext.HostCapabilitiesTypeExt@2b24xxxx
[hostcontext.hostcontext] [/SequentialEventDispatcher] at com.q1
labs.configservices.config.localset.LocalSetBuilder.buildConfigS
ets(LocalSetBuilder.java:80)
[hostcontext.hostcontext]
[/SequentialEventDispatcher] at com.q1labs.hostcontext.configura
tion.ConfigSetUpdater.transformLocalConfiguration(ConfigSetUpdater.java:873)
[hostcontext.hostcontext]
[/SequentialEventDispatcher] ... 9 more
[hostcontext.hostcontext] [/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext]
[/SequentialEventDispatcher]
java.util.MissingFormatArgumentException: Format specifier '%s'

[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]
com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained
SQL Exception [2/2]: ERROR: invalid input syntax for type inet: "12.34"
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]
com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
[NOT:0000003000][x.x.x.x/- -] [-/- -]An exception occurred while
processing the request:
[tomcat.tomcat] [admin@x.x.x.x (4743) /console/do/sem/offensesearch]
org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR:
invalid input syntax for type inet: "12.34" {prepstmnt
-567847484 SELECT offense_id FROM offense_remote_targets ort
JOIN offense_properties op ON ort.offense_id=op.id JOIN offense
o ON ort.offense_id=o.id WHERE (INET(?) >>= ANY(targets)) AND
op.dismissed_code < 1} 
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:202)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:58)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedS
tatement.executeQuery(LoggingConnectionDecorator.java:1117)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.jdbc.sq
l.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.jdbc.ke
rnel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at org.apache.openjpa.lib.jdb
c.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.frameworks.sess
ion.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.core.shared.sem
.OffenseSearchSupport.getOffenseIdsForRemoteTargets(OffenseSearchSupport.java:767)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.core.shared.sem
.OffenseSearchSupport.getWhereClause(OffenseSearchSupport.java:219)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.sem.ui.semservi
ces.UISemServices.getWhereClauseForSearch(UISemServices.java:3867)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.core.ui.action.
SearchGenericList.addSearchInProcessor(SearchGenericList.java:103)
[tomcat.tomcat] [admin@x.x.x.x (4743)
/console/do/sem/offensesearch]    at com.q1labs.core.ui.action.
SearchGenericList.execute(SearchGenericList.java:70)

ERROR: Failed to run qradar_netsetup!

Updated rule response="Notify=yes"

Updated rule response= " " (empty)

[tomcat-rm.tomcat-rm] [Device Add Job]
com.q1labs.simulator.jobframework.logging.JobLogger: [ERROR]
[NOT:0000003000][XXX/- -] [-/- -]Scheduled adapter backup for device: XXX

[tomcat.tomcat] [admin@x.x.x.x (908)
/console/JSON-RPC/1556.escalateButtonData1556.escalateButtonData]
com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager:
[INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Audit logging
msg:(tomcat) Server Certificate Validation failed.
chain:[0]X509Certificate : { SubjectDN : CN=console.example.com,
IssuerDN : CN=QRadar Local CA},
exception:java.security.cert.CertificateException: No subject
alternative DNS name Matching localhost found.

[ecs-ep.ecs-ep] [ECS Runtime Thread] com.eventgnosis.ecs:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error attempting to
load site.com:ecs-ep/EP/Processor2/EventCRE  Error :
java.lang.OutOfMemoryError: Java heap space

[ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.OutOfMemoryError:
Java heap space
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at
java.lang.String.{init}(String.java:687)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at org.postgresql.core.
OptimizedUTF8Encoder.charDecode(OptimizedUTF8Encoder.java:71)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at org.postgresql.core.
CharOptimizedUTF8Encoder.decode(CharOptimizedUTF8Encoder.java:22)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at
org.postgresql.core.Encoding.decode(Encoding.java:252)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at
org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:1926)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.mchange.v2.c3p0.
impl.NewProxyResultSet.getString(NewProxyResultSet.java:3316)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at org.apache.openjpa.l
ib.jdbc.DelegatingResultSet.getString(DelegatingResultSet.java:121)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.core.shar
ed.qidmap.QidMapFactory.reloadSensorDeviceMaps(QidMapFactory.java:1227)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.core.shar
ed.qidmap.QidMapFactory.doInitialQidMapLoad(QidMapFactory.java:425)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.core.shar
ed.qidmap.QidMapFactory.onInit(QidMapFactory.java:167)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1372)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.core.shar
ed.qidmap.QidMapServices.onInit(QidMapServices.java:31)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.session.SessionContext.objectCreated(SessionContext.java:1865)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.NamingCacheDecorator.fireObjectCreatedEvent(NamingCacheDecorator.java:272)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.NamingCacheDecorator.createObject(NamingCacheDecorator.java:197)
[ecs-ep.ecs-ep] [ECS Runtime Thread]    at com.q1labs.framework
s.naming.NamingCacheDecorator.createObject(NamingCacheDecorator.java:209)

/opt/qradar/bin/deploy_known_hosts.sh

Grub Files Check
Ensures grub files and settings are correct    
[FAILURE]
File /etc/default/grub has an unexpected value for the field        
'GRUB_SERIAL_COMMAND'. This field is expected to have the
following
keys: '-unit=', 'speed=', 'word=', 'parity=', '-stop='
[REMEDIATION]
None Provided

[DEBUG](patchmode) Running SQL: f=$(cat /media/updates/opt/qrad
ar/conf/templates/qrm/srm_update_1138.sql);echo "SET TRANSACTION
ISTICS AS TRANSACTION READ WRITE ; $f" | /usr/pgsql-11/bin/psql
-Uqradar -p15432 -d patch_test_qradar -v ON_ERROR_STOP=1 -L
/var/log/setup-2021.6.1.20220215133427/patches.log.sql
[WARN](patchmode) WARNING:  SET TRANSACTION can only be used in transaction blocks
[WARN](patchmode) ERROR:  relation
"firewall_ziptie_rules_ruleid_index" does not exist

[tomcat.tomcat] [admin@x.x.x.x (6664)
/console/do/core/genericsearchlist]
com.q1labs.reporting.ReportServices: [DEBUG] SQLSubreport chart:
Form field 'ipAddress_operator' was not found.
[tomcat.tomcat] [admin@x.x.x.x (6664)
/console/do/core/genericsearchlist]
com.q1labs.reporting.ReportServices: [DEBUG] SQLSubreport chart:
Form field 'sub_ipAddress_operator' was not found
...
[report_runner] [main] org.apache.openjpa.
lib.jdbc.ReportingSQLException: ERROR: column reference
"ipaddress" is ambiguous Position: 15595 {prepstmnt 1641450167
SELECT "assetid" || '_' ||questionid AS assetpolicykey,
"assetid" || '_' ||ruleid AS assetrulekey,
               "ipaddress",
               "domainname",
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Loggi
ngConnectionDecorator.wrap(LoggingConnectionDecorator.java:218)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Loggi
ngConnectionDecorator.wrap(LoggingConnectionDecorator.java:202)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Loggin
gConnectionDecorator.access$700(LoggingConnectionDecorator.java:58)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Loggi
ngConnectionDecorator$LoggingConnection$LoggingPreparedStatemen
t.executeQuery(LoggingConnectionDecorator.java:1117)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Delega
tingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[report_runner] [main]    at org.apache.openjpa.jdbc.sql.Postgr
esDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Deleg
atingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[report_runner] [main]    at org.apache.openjpa.jdbc.kernel.JDB
CStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Deleg
atingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
[report_runner] [main]    at org.apache.openjpa.lib.jdbc.Delega
tingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
[report_runner] [main]    at com.q1labs.reporting.charts.Asset
ComplianceChart.getData(AssetComplianceChart.java:201)
[report_runner] [main]    at
com.q1labs.reporting.Chart.getXML(Chart.java:246)

1. Go to Assets tab, and prepare test data.
2. Create an Asset Search with default Columns, Add Filter with IP address, then save.
3. Enable debug log for reports.
4. Go to the Reports tab, select Asset Compliance as Chart Type, select the saved search created in step 2 for the Search To Use.
5. Check the box: “Yes – Run this report when the wizard is complete”.
6. Select the report and Run Report.
   
   Results
   No report will be generated from step 5 or 6.

1. Create a log source for Microsoft Azure Platform with the Microsoft Azure Event Hubs protocol.
2. Click the Admin tab.
3. Install latest QRadar weekly auto update.
4. From the Admin tab, open the QRadar Log Source Management app.
   
   Results
   The Log Source Management app might display an error informing the admin that the RPM is out of date after a recent weekly update completed.

[ecs-ep.ecs-ep] [xxxxx-xxxx-xxxx-xxxxxxxxxx/SequentialEventDispatcher]
com.q1labs.semsources.cre.tests.RuleMatch_Test: [ERROR]
[NOT:0000003000][x.x.x.x/- -] [-/- -]rule_id was not found for UUID = SYSTEM-1151

1. On the QRadar console, set the system time to 30 October.
2. Create a daily accumulated report to include data for the last 24 hours.
   
   Results
   The daily report created on 1 November is generated from 31 October 00:00 to 31 October 23:00.

[HA Setup (P-M----)] ESC[35m[DEBUG] Log
/etc/hosts file before run
/opt/qradar/bin/mergeHostsFiles.shESC[m
127.0.0.1 localhost.localdomain localhost::1 localhost6.localdomain6 localhost6 localhost.localdomain localhost
x.x.x.x8  example-primary.test.com   example-primary
x.x.x.x0   example-secondary.test.com example-secondary
x.x.x.x3  example.test.com example
[HA Setup (P-M----)] ESC[35m[DEBUG] Log
/etc/hosts file after run
/opt/qradar/bin/mergeHostsFiles.shESC[m
127.0.0.1       localhost.localdomain localhost
x.x.x.3  example.test.com example
22ac4c87f40c0f8f6f2b.localdeployment console.localdeployment::1 localhost6.localdomain6 localhost6 localhost.localdomain localhost
x.x.x.x8  example-primary.test.com example-primary

• Perform manual cleaning of the scanner every 2 scans.
  OR
• Delete the vulnerability from the asset User Interface or delete the asset.

1. Select ‘Hostname’ is response limiter.
2. Save the rule.
3. Reopen the Rule Wizard.
   
   Results
   The name is changed to ‘Host Name’

<feff><?xml version=\\\"1.0\\\" encoding=

1. Click Admin > User roles.
2. Click the Delegated administrator role to update.
3. Select the QRadar Log Source Management check box.
4. Click Save.
   Important: Deploy Full Configuration can cancel searches, reports and might interrupt QRadar services. Plan a scheduled maintenance period before doing the next step.
5. During a scheduled maintenance period, click Deploy Full Configuration.

1. Have a QRadar “Software Install” at version 7.4.0 or below.
2. Have that installation ISO in the /etc/fstab as a mount point to /media/cdrom.
3. Upgrade to QRadar 7.4.1 or above.
4. After the server reboots, si-qinit runs and attempts to reinstall QRadar at the older version, but fails.
   
   Results
   The install.log and the login prompt display an error similar to the following:

   Running "/media/cdrom/setup --no-screen fromqsetup" in
   /media/cdrom using ISO XXXXX for OS RheXXX
   ERROR: Yum operation 'Installing new RPMs' failed!

1. Remove the report for glusterfs_migration_manager located at:

   /etc/qradar/ha/glusterfs_migration_report.json

2. Re-run the QRadar upgrade.

1. Have a QRadar deployment that requires Event Collector migration off of DRBD.
2. Migrate the hosts using glsuterfs_migration_manager 1.0.5.
3. Attempt to upgrade to 7.4.1 FP2 (uses 1.0.4).
   
   Results
   Patch errors out with sha256 issues for glusterfs_migration_manager.

1. Switch to using non TLS MySQL connections in the configured Log Source.
   OR
   
2. For QRadar 7.3.1 and later, restart ecs-ec-ingress process daily after 2:00 AM.
   
   This restart can be performed manually via an SSH session to the QRadar console, configured in crond, or by using the User Interface (Admin > Restart Event Collection Service) NOTE: There is an interruption to Event collection when ecs-ec-ingress is restarted until all requred services are running as expected.

[ecs-ec-ingress.ecs-ec-ingress] MySQL//[mysql@IPADDR
com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [WARN]
[NOT:0000004000][IPADDR/- -] [-/- -]Cannot open JKS
[/storetmp/ecs-ec-ingress/keystore3747616715109128189q1labs (No
such file or directory)] on MySQL//mysql@IPADDR
[ecs-ec-ingress.ecs-ec-ingress] MySQL//[mysql@IPADDR
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot open JKS
[/storetmp/ecs-ec-ingress/keystore3747616715109128189q1labs 
(No such file or directory)]

1. Go to System Settings and update Geographic Settings > Country Selection: Physical Location.
2. Perform a Deploy Full Configuration: Admin > Advanced > Deploy Full Configuration.
3. To restart the webserver (Tomcat): Admin > Advanced > Restart Web Server.
   
   Note1: For more information about a Deploy Full Configuration and the impact to the system, see: What is the difference between “Deploy Changes” and “Deploy Full Configuration”?
   
   Note2: Performing a tomcat restart causes an interruption to the availability of the QRadar User Interface until all required services are functioning as expected.

1. Configure the DSM Editor to parse stored events. For more information, see DSM Editor overview.

1. Use offline forwarding instead of online.
2. Use payload forwarding. For more information, see Configuring QRadar to forward data to other systems.

• IBM QRadar SIEM 7.5.0 GA to 7.5.0 Update Pack 2
• IBM QRadar SIEM 7.4.3 GA – 7.4.3 Fix Pack 6

• CVE-2022-21299: An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3
• CVE-2021-41041: Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by failing to throw the exception captured during bytecode verification when verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to make unverified methods to be invoked using MethodHandles. CVSS Base score: 5.3
• CVE-2021-3656: An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3
• CVE-2021-37576: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3
• CVE-2021-37576: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
• CVE-2021-37576: An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3

• IBM QRadar SIEM 7.5.0 GA to 7.5.0 Update Pack 2
• IBM QRadar SIEM 7.4.3 GA – 7.4.3 Fix Pack 6

• CVE-2021-43859: XStream is vulnerable to a denial of service, caused by improper input validation. By injecting highly recursive collections or maps, a remote attacker could exploit this vulnerability to allocate 100% CPU time on the system. CVSS Base score: 7.5
• CVE-2022-24407: Cyrus SASL is vulnerable to SQL injection. A remote authenticated attacker could send a specially-crafted SQL statements to view, add, modify or delete information in the back-end database. CVSS Base score: 8.8
• CVE-2021-22060: VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to insert additional log entries. CVSS Base score: 4.3
• CVE-2021-3677: Postgresql could allow a remote authenticated attacker to obtain sensitive information, caused by the memory disclosure in certain queries. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5
• CVE-2022-22720: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by the failure to close inbound connection when errors are encountered discarding the request body. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. CVSS Base score: 7.3
• CVE-2021-28169: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
• CVE-2021-34428: Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an exception is thrown from the SessionListener#sessionDestroyed() method. By gaining access to the application on the shared computer, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 3.2
• CVE-2021-28163: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system. CVSS Base score: 2.7
• CVE-2021-28164: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper input validation by the default compliance mode. By sending specially-crafted requests with URIs that contain %2e or %2e%2e segments, an attacker could exploit this vulnerability to access protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
• CVE-2021-28165: Eclipse Jetty is vulnerable to a denial of service, caused by improper input valistion. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach to 100% usage. CVSS Base score: 7.5
• CVE-2021-34429: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted URI, an attacker could exploit this vulnerability to obtain the content of the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
• CVE-2021-45960: Expat (aka libexpat) is vulnerable to a denial of service, caused by a realloc misbehavior issue in the storeAtts function in xmlparse.c. By persuading a victim to open a specially-crafted XML content, a remote attacker could exploit this vulnerability to cause a the application to crash. CVSS Base score: 5.5
• CVE-2021-46143: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of m_groupSize in doProlog in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22822: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of addBinding in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22823: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of build_model in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22824: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of defineAttribute in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22825: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of lookup in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22826: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of nextScaffoldPart in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-22827: Expat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow of storeAtts in xmlparse.c. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2022-23852: Expat (aka libexpat) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the XML_GetBuffer function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8
• CVE-2022-25235: libexpat is vulnerable to a denial of service, caused by improper input validation in xmltok_impl.c. By persuading a victim to open a specially-crafted content with malformed encoding, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
• CVE-2022-25236: libexpat is vulnerable to a denial of service, caused by improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
• CVE-2022-25315: libexpat could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in storeRawNames. By persuading a victim to open a specially-crafted file, an attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2021-4083: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a read-after-free memory flaw in the garbage collection for Unix domain socket file handlers. By simultaneously calling close() and fget() functions to trigger a race condition, an attacker could exploit this vulnerability to gain elevated privileges or cause the system to crash. CVSS Base score: 7.4
• IBM X-Force ID: 230016 : Eclipse Jetty is vulnerable to a denial of service, caused by an error related to some of the production servers spiking with CPU use. A remote attacker could exploit this vulnerability to consume CPU that remains high even without any traffic. CVSS Base score: 7.5

• IBM QRadar SIEM 7.5.0 GA to 7.5.0 Update Pack 2
• IBM QRadar SIEM 7.4.3 GA – 7.4.3 Fix Pack 6

• CVE-2018-25032: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
• CVE-2022-30126: Apache Tika is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the StandardsText class in the StandardsExtractingContentHandler. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5
• CVE-2022-1271: GNU gzip could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of file name by the zgrep utility. By using a specially-crafted file name, an attacker could exploit this vulnerability to write arbitrary files on the system. CVSS Base score: 7.1
• CVE-2021-37404: Apache Hadoop is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the libhdfs native code. By opening a specially-crafted file path, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 9.8
• CVE-2022-2047: Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host. CVSS Base score: 2.7
• CVE-2022-2048: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the error handling of an invalid HTTP/2 request. By sending specially-crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause the server to become unresponsive, and results in a denial of service condition. CVSS Base score: 7.5
• CVE-2020-15522: Bouncy Castle BC Java, BC C# .NET, BC-FJA, BC-FNA could allow a remote attacker to obtain sensitive information, caused by a timing issue within the EC math library. By utilize cryptographic attack techniques, an attacker could exploit this vulnerability to obtain the private key information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.9
• CVE-2022-1729: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the perf subsystem. By sending specially-crafted syscalls, an authenticated attacker could exploit this vulnerability to gain elevated privileges to root. CVSS Base score: 7.8
• CVE-2022-32250: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free write flaw in the netfilter subsystem. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain elevated privileges. CVSS Base score: 7.8
• CVE-2022-1552: PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not activate protection or too late with the Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under a superuser identity. CVSS Base score: 8.8
• CVE-2022-30973: Apache Tika is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the StandardsText class in the StandardsExtractingContentHandler. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5
• CVE-2022-25169: Apache Tika is vulnerable to a denial of service, caused by improper input validation in the BPG parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5
• CVE-2022-33879: Apache Tika is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the StandardsExtractingContentHandler function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
• CVE-2022-22968: Spring Framework could provide weaker than expected security, caused by a data binding rules vulnerability in which the patterns for disallowedFields on a DataBinder are case sensitive. The case sensitivity allows that a field is insufficiently protected unless it is listed with both upper and lower case for the first character of the field. An attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 3.7
• CVE-2022-29885: Apache Tomcat is vulnerable to a denial of service, caused by an use-after-free flaw in theEncryptInterceptor in an untrusted network. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
• CVE-2022-0492: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the cgroups v1 release_agent feature. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and bypass namespace isolation unexpectedly. CVSS Base score: 7.8
• CVE-2021-33036: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper permission assignment. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability execute arbitrary commands with root privileges. CVSS Base score: 8.8
• CVE-2022-25762: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by improper error handling in WebSocket connection. By sending a specially-crafted WebSocket message concurrently with the WebSocket connection closing, an attacker could exploit this vulnerability to continue to use the socket after it has been closed. CVSS Base score: 8.6

[tomcat.tomcat] [pool-209-thread-1]
com.q1labs.configservices.capabilities.AddHostManager: [ERROR]
[NOT:0000003000][{IP}/- -] [-/- -]Timed out while waiting for status file: File '/storetmp/addHost_{host IP}1/status.txt' does not exist

[ariel.ariel_query_server] [agt0_3:events]
com.ibm.si.ariel.dcs.databalancing.DTClient: [INFO]
[NOT:0000006000][x.x.x.x/- -] [-/- -]DataBlockBegin to
x.x.x.x:32006 (101 -> 102, Path: BlockInfo [fInfo=/store/ariel/
events/records/yyyy/mm/dd/hh[yy-mm-dd,hh:mm:ss],attrs={}])  DNSt
usableSpace=20236057202688, totalSpace=49111457857536,
volume=/dev/drbd0, storeInfo/store (/dev/drbd0)]
[ariel.ariel_query_server] [agt0_4:events]
com.ibm.si.ariel.dcs.databalancing.DTClient: [INFO]
[NOT:0000006000][x.x.x.x/- -] [-/- -]DataBlockBegin to
x.x.x.x:32006 (101 -> 102, Path: BlockInfo [fInfo=/store/ariel/
events/records/yyyy/mm/dd/hh[yy-mm-dd,hh:mm:ss],attrs={}])  DNSt
usableSpace=20236057202688, totalSpace=49111457857536,
volume=/dev/drbd0, storeInfo/store (/dev/drbd0)]

[tomcat.tomcat] [pool-209-thread-1]
com.q1labs.configservices.capabilities.AddHostManager: [ERROR]
[NOT:0000003000][{IP}/- -] [-/- -]Timed out while waiting for status file: File '/storetmp/addHost_{host IP}1/status.txt' does not exist

[ecs-ep.ecs-ep] [CRE Processor [1462]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler:
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1462] shut down unexpectedly. A replacement one was
created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p
7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following
command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] 
[ecs-ep.ecs-ep] [CRE Processor [1463]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler: 
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1463] shut down unexpectedly. A replacement one was
created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p
7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following
command: [ systemctl stop ecs-ep && systemctl start ecs-ep ] 
[ecs-ep.ecs-ep] [CRE Processor [1464]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler:
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1464] shut down unexpectedly. A replacement one was
created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p
7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following
command: [ systemctl stop ecs-ep && systemctl start ecs-ep ]
[ecs-ep.ecs-ep] [CRE Processor [1465]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler:
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1465] shut down unexpectedly. A replacement one was
created. Check to ensure all CRE Processor threads are runningusing the commandline: [ /opt/qradar/support/threadTop.sh -p
7799 -e 'CRE Processor' ] If CRE Processor threads are notrunning, you need to restart ecs-ep by running the following
command: [ systemctl stop ecs-ep && systemctl start ecs-ep ]
[ecs-ep.ecs-ep] [CRE Processor [1466]] com.q1labs.semsources.cre.CREThreadUncaughtExceptionHandler:
[WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]CRE Thread CRE Processor [1466] shut down unexpectedly. A replacement one was
created. Check to ensure all CRE Processor threads are running using the commandline: [ /opt/qradar/support/threadTop.sh -p
7799 -e 'CRE Processor' ] If CRE Processor threads are not running, you need to restart ecs-ep by running the following
command: [ systemctl stop ecs-ep && systemctl start ecs-ep ]

1. Use SSH to login to your QRadar Console as the root user.
2. Type the following command:

   systemctl restart chronyd-socat.service

[time_sync]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - chrony error
[time_sync]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - chrony error 

Select * FROM GLOBALVIEW('Event Rate (EPS)','HOURLY') last 5 hours

[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function
com.q1labs.cve.aql.GlobalViewFunction(Event Rate (EPS), HOURLY):
java.lang.NullPointerException
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.createException(Metadata.java:132)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:103)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.initializeAndCall(ScalarFunctionInfo.java:786)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.createLiteral(ScalarFunctionInfo.java:709)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:730)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:716)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:636)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:218)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:356)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:322)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processLiteralExpression(ParserBase.java:314)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.getCatalog(ParserBase.java:149)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:477)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1412)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1650)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client
/IPADDR:53540] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)

1. Click the Admin tab.
2. Click Index Management.
3. Review any enabled indexes on AQL custom event property.
4. Click Disable Index on any AQL custom event properties that are indexed until this issue is resolved.
5. Select one of the following options:
   • Recommended. Click Advanced > Deploy Full Configuration.
   • Advanced. Use SSH to log in to the QRadar Console and type:

     /opt/qradar/bin/all_servers.sh "systemctl restart ecs-ep"

   
   Results
   The ecs-ep service restarts and loads the indexing changes. For more information about Index Management in QRadar, see Searching Your QRadar Data Efficiently: Part 2 – Leveraging Indexed Values. If you continue to experience performance issues, contact QRadar Support.

1. Create a Reference Set for IP addresses (alphanumeric, ignore case) and name it IndexTest.
2. Added a known Source IP from an event your reference set.
3. On the Log Activity tab, select Advanced Search.
4. Add the following search,

   select 1 from events where
   REFERENCESETCONTAINS('IndexTest', yoursourceip) last 6 HOURS'

   .
   
   Result
   The search runs, but no indexes are used to retrieve the results. If you create this search using Add Filter from the user interface, the results count indexes reviewed by the search and the results return quickly. For more information on AQL functions, see https://ibm.biz/aqlfunctions.

• From the Admin tab, select Log Source Extensions.
• Select an extension and attempt to edit it.
  
  Result
  A blank page is displayed, preventing users from editing the extension.

1. Login to QRadar UI.
2. From the QRadar user interface select Preferences, User Preferences, Locale and select a language other than English (‘espanol’ for example).
3. Click the Admin tab.
4. Under User Management click Users.
   
   Result
   The User Management screen is blank.

• QRadar 7.3.2 Fix Pack 3 to Fix Pack 7 where users update directly to 7.5.0 Update Pack 2.
• QRadar 7.3.3 GA to Fix Pack 12 where users update directly to 7.5.0 Update Pack 2.

Error: Incompatible version, this PROTOCOL requires build
version 7.4.x.x, exiting
error: %pre(PROTOCOL-Common-7.4-20210914195614.noarch) scriptlet
failed, exit status 5
Error in PREIN scriptlet in rpm package
PROTOCOL-Common-7.4.20210914195614.noarch
error: PROTOCOL-Common-7.4-20210914195614.noarch: install failed

[DEBUG](patchmode) lc_ctype values for database "postgres" do
not match:  old "", new "C" 
[DEBUG](patchmode) Failure, exiting 
[DEBUG](patchmode) ERROR: Failed to pass the migration check for qradar database. (1)

psql -U qradar -c "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule );"

tomcat[21077]: [user@x.x.x.x (9823)
/console/do/assetprofile/MaintainExceptionRule] WARN
org.apache.struts2.dispatcher.Dispatcher - Could not find action or result: /console/do/assetprofile/MaintainExceptionRule?dispatch=newExceptionRule
tomcat[21077]: No result defined for action com.q1labs.assetprofile.bean.action.struts2.MaintainExceptionRuleand result input -B-INF/struts/struts.xml:1461:151
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:377)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279)
tomcat[21077]: at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
tomcat[21077]: at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201)
tomcat[21077]: at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
tomcat[21077]: at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)

[tomcat.tomcat] [api@ (2889)
/console/restapi/api/reference_data_collections/set_entries]
com.q1labs.core.shared.util.SqlUtil: [ERROR] Chained SQL Exception [2/2]:
ERROR: invalid byte sequence for encoding "UTF8": 0x00
[tomcat.tomcat] [api@{IP} (2889)
/console/restapi/api/reference_data_collections/set_entries]
com.q1labs.core.shared.util.SqlUtil: [ERROR] [NOT:0000003000][{IP}/- -]
ERROR: invalid byte sequence for encoding "UTF8": 0x00
{prepstmnt 180895
432 WITH X AS (SELECT rde.id, rdk.rd_id as collection_id,
rd.collection_type, NULLIF(rdk.domain_info, 1234567890) as
domain_id, convert_from(rde.d
ata, 'UTF8') as value, rde.source, rde.notes,
round(EXTRACT(epoch FROM rde.first_seen)*1000) as first_seen,
round(EXTRACT(epoch FROM rde.last_seen)*1000) as last_seen,
rd.tenant_info FROM reference_data_element rde JOIN 
reference_data_key rdk ON rde.rdk_id=rdk.id JOIN
reference_data rd ON rd.id=rdk.rd_id) SELECT count(*) FROM X WHERE
(collection_type=?) AND ((domain_id in (0,1234567890) or
domain_id is null)) AND (((collection_id) = ?))} 

tomcat[25826]: Error including jsp /qradar/jsp/RoutingRules.jsp
tomcat[25826]: org.apache.jasper.JasperException: An exception occurred processing 
[/qradar/jsp/RoutingRules.jsp] at line [23]
tomcat[25826]: 20: String firstRecord = "";
tomcat[25826]: 21:
tomcat[25826]: 22: boolean isLogAggregation =
LicenseKeyManager.getInstance().isApplicationLicensed(
LicenseKeys.LOGAGGREGATION_LICENSED );
tomcat[25826]: 23: boolean isQRoC = LicenseKeyManager.getInstan
ce().getHardwareApplianceType().equals("3178");
tomcat[25826]: 24: String selectedId =
HTMLUtils.escapeHTMLAttr(request.getParameter("selectedId"));
tomcat[25826]: 25:
tomcat[25826]: 26: // get the suppressLogOnlyWarning flag.. have
to do this because when creating new routing rule, there is no
default form value from the server side.
tomcat[25826]: Stacktrace: 
tomcat[25826]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
tomcat[25826]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1650)
tomcat[25826]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
tomcat[25826]: at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
tomcat[25826]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
tomcat[25826]: at java.lang.Thread.run(Thread.java:825)
tomcat[25826]: Caused by: java.lang.NullPointerException
tomcat[25826]: at org.apache.jsp.qradar.jsp.RoutingRules_jsp._jspService(RoutingRules_jsp.java:152)
tomcat[25826]: at org.apache.jasper.runtime.HttpJspBase.service
(HttpJspBase.java:70)
tomcat[25826]: at
javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
tomcat[25826]: at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:465)

The following stack is visible in /var/log/qradar.log:
Task CreateBondedNetworkInterfaceTask 338 is about to run
[Python tool]: [INFO] Failed to run ethtool ens224
[Python tool]: [INFO] 
[Python tool]: [INFO] Traceback (most recent call last):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 180, in _doesExist
[Python tool]: for line in output.split("\n"):
[Python tool]: TypeError: a bytes-like object is required, not 'str'
[Python tool]: [INFO] Failed to perform the task.
[Python tool]: [INFO] {class 'TypeError'}
[Python tool]: [INFO] Traceback (most recent call last):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 616, in main
[Python tool]: manager.validate(args)
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 364, in validate
[Python tool]: if not self._doesExist(s):
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 188, in _doesExist
[Python tool]: raise err
[Python tool]: File
"/opt/qradar/lib/python/qradar//bondedInterfaceSetup.py", line 180, in _doesExist
[Python tool]: for line in output.split("\n"):
[Python tool]: TypeError: a bytes-like object is required, not 'str'

1. Deploy a 7.5.0 GA/FP1 AIO console.
2. Add two new network adaptors to the AIO console in VCentre: Edit settings > Add New Device.
3. Login to the UI and navigate to Admin > System and License Management > Double Click on Console > Network Interfaces
4. Ensure both the extra interfaces have a role of "Monitor". If not edit them and set them to "Monitor"
5. Highlight both interfaces and select "Bond". Ensure the role is "Monitor"
   
   Result
   The error occurs in the UI and qradar.log

"Operation refused.
Command 'drbdmeta 0 v08 /dev/mapper/storerhel-store internal
create-md' terminated with exit code 40"

1. Create a simple rule with name containing special chars like 'Test@123' or '$UsernameChecks'
2. Add this new rule to a second rule using the Rule Test:
   - when all of these rules, in|in any order, from the same|any source IP to the same|any destination IP, over this many seconds.

[QRADAR-9104] [pretest:Error] [ERROR] MKS files are not staged
in /opt/qradar/conf/mks/mh/
Run the following command on the console before patching this host:
/opt/qradar/bin/mks_integration.sh -p
ERROR: [pretest] [QRADAR-9104] MKS files are not staged in
/opt/qradar/conf/mks/mh/
Run the following command on the console before patching this host:
/opt/qradar/bin/mks_integration.sh -p
[ERROR](-i-testmode) Pretest failed:
"/media/updates/scripts/QRADAR-6181.install --mode pretest"
[ERROR](-i-testmode) Failed pretests
[DEBUG](-i-testmode) returning code 4

[tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/refere
nce_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r
[DEBUG] ReferenceDataAPI_Maps.removeMapValue() entered. Name:
map_name key: map _key value: 71700
[tomcat.tomcat] [host@x.x.x.x (373) /console/restapi/api/refere
nce_data/maps/map_name/www.domain.com]com.q1labs.core.api.v3_0.r
[DEBUG] ReferenceDataAPI_Maps.removeMapValue()Map {map_name} does not contain key map_key

[tomcat.tomcat] [pool-1-thread-1] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask: 
[ERROR] [IPADDRESS/- -][-/- -]An exception occurred while building app asynchronously.
Triggering rollback.
[tomcat.tomcat] [pool-1-thread-1] com.q1lab
s.restapi_annotations.content.exceptions.endpointExceptions.Serv
erProcessingException: An exception occurred while waiting for task to complete.
[tomcat.tomcat] [pool-1-thread-1] at com.q1lab
s.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:41)
[tomcat.tomcat] [pool-1-thread-1] at 
com.q1labs.configservices.task.AbstractTaskPoller.getFinishedTaskState(AbstractTaskPoller.java:22)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api.ser
vice.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java:94)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.
uiframeworks.application.api.service.builders.shared.Conditional
HostTypeDecorator.process(ConditionalHostTypeDecorator.java:60)
[tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.app
lication.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:231)
[tomcat.tomcat] [pool-1-thread-1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [pool-1-thread-1] at java.util .concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [pool-1-thread-1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [pool-1-thread-1] at java.lang.Thread.run(Thread.java:822)
[tomcat.tomcat] [pool-1-thread-1] Caused by:
[tomcat.tomcat] [pool-1-thread-1] java.util.concurrent.ExecutionException:
com.q1labs.configservices.task.TaskTimeoutException: Task has not completed and file at
[/var/log/qradar/app/docker_build/docker_build.log.0] was not updated within [900] attempts

"Secure boot status: 'This system doesn't support Secure Boot'"

[hostcontext.hostcontext]
[0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher]
com.q1labs.hostcontext.replication.MHReplication: [INFO]
[NOT:0000006000][IPADDRESS/- -] Timer expired.  Attempting to download updates
[hostcontext.hostcontext]
[0bc4934b-31f8-4273-8577-608a0d79cf30/SequentialEventDispatcher]
com.q1labs.hostcontext.replication.MHReplication: [INFO]
[NOT:0000006000][IPADDRESS/- -] Downloading updates request starting...
[hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR]
[NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream
replication: Bareword found where operator expected at (eval 74)
line 42, near "'This system doesn't"
hostcontext.hostcontext] [Thread-777] ComponentOutput: [ERROR]
[NOT:0000003000][IPADDRESS/- -] [-/- -]ErrorStream replication: (Missing operator before t?)
ip-XXX-XXX replication[9007]: Using XXX.XX.XXX.XXX as our local IP.
ip-XXX-XXX replication[9007]: Downloading and applying latest database dumps from the console.
ip-XXX-XXX replication[9007]: No new database updates to apply.
ip-XXX-XXX replication[9007]: Replication download timing: Downloading: 2628 ms Overall: 2628 ms

1. Have a basic event rule that dispatches an offense for renaming with rule response limiter configured.
2. Have a configured test (example: when at least 1 events are seen with the same Source IP in 10 minutes).
3. Have a rule response configured: Ensure the detected event is part of an offense: index based on source ip; dispatch new event (configure an event name and description), ensure the dispatched event is part of an offense: Index based on Source IP, and tick This information should set or replace the name of the associated offense
4. Set up the response limiter (example: Respond no more than 1 time per 4 hours per Source IP)
5. Have events run in the QRadar environment that trigger the rule.
6. The custom rule engine fires the new event name in Log Activity.
7. In the Offenses tab, the offense is renamed correctly.
8. Within the window configured above for the rule response limit, close any listed offences and wait for the events and offences to generate again.
   
   Result They won't generate as expected until the offense is closed after the rule response limit window that is configured.

ERRO[1691] Error waiting for container: container {containerID}:
driver "devicemapper" failed to remove root filesystem:
failed to remove device {deviceID}: devicemapper: Error running
DeleteDevice dm_task_run failed

1. Click the Admin tab > System Settings > Geographic Settings.
2. Set "Disable Automatic content Updates" to "True" (default is False).

[ecs-ep.ecs-ep] Ariel Writer#events java.lang.InternalError: SIGBUS
[ecs-ep.ecs-ep] Ariel Writer#events at
java.nio.DirectByteBuffer.get(DirectByteBuffer.java:252)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.readNode(Reader.java:219)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.findAddressInTree(Reader.java:174)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.db.Reader.get(Reader.java:146)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:151)
[ecs-ep.ecs-ep] Ariel Writer#events at
com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:202)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:524)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:377)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.shared.l
ocation.LocationUtils.lookup(LocationUtils.java:329)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.ev
ent.NormalizedEventProperties$SourceGeographicLocation.createKe
y(NormalizedEventProperties.java:108)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.ev
ent.NormalizedEventProperties$SourceGeographicLocation.createKey
(NormalizedEventProperties.java:94)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Index.add(Index.java:267)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.Buck
etWriter.writeRecord(BucketWriter.java:67)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.Abst
ractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Databas
eWriterAsync.processRecord(DatabaseWriterAsync.java:131)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.writeRecord(ScatteringDatabaseWriter.java:87)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.processRecord(ScatteringDatabaseWriter.java:55)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$Node.access$1100(ScatteringDatabaseWriter.java:32)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter$DataNodes.processRecord(ScatteringDatabaseWriter.java:247)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Scatter
ingDatabaseWriter.processRecord(ScatteringDatabaseWriter.java:450)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.Databas
eWriterAsync.run(DatabaseWriterAsync.java:115)
[ecs-ep.ecs-ep] Ariel Writer#events at
java.lang.Thread.run(Thread.java:822)

com.q1labs.frameworks.crypto.trustmanager.CertificateValidator:
[ERROR] [NOT:0000003000][IPADDRESS/- -] [-/--]checkCertificatePinning failed.

[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
com.q1labs.ariel.ql.parser.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to instantiate function 'inoffense'
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
java.lang.reflect.InvocationTargetException
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at sun.reflect.GeneratedConstructorAccessor77.newInstance(UnknownSource)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
legatingConstructorAccessorImpl.java:57)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.constructFunction(ScalarFunctionInfo.java:474)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java:557)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:218)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java:1176)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1436)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1650)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at java.lang.Thread.run(Thread.java:822)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
Caused by:
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
java.lang.IllegalArgumentException: Invalid interval
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Interval.{init}(Interval.java:165)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Expression.{init}(Expression.java:40)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.Expression.add(Expression.java:128)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.ariel.util.TimeIntervals.addInterval(TimeIntervals.java:21)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.types.networkevent.NetworkEventMPCPredicate.addEPs(NetworkEventMPCPredicate.java:208)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.aql.Base.{init}(OffenseFunctions.java:64)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
at com.q1labs.core.aql.OffenseFunctions$OffenseEvents.{init}OffenseFunctions.java:122)
[ariel_proxy.ariel_proxy_server] [ariel_client /x.x.x.x:55470]
... 17 more

[tomcat.tomcat] [user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] com.q1la
bs.restapi_annotations.content.exceptions.APIMappedException:Pro
[tomcat.tomcat] [user@127.0.0.1 (2560)
/console/restapi/api/siem/local_destination_addresses] at com.q
1abs.restapi_annotations.content.exceptions.APIMappedException.
init(APIMappedException.java:132)
[tomcat.tomcat] [user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] at com.q
1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java:141)
[tomcat.tomcat][user@127.0.0.1(2560)
/console/restapi/api/siem/local_destination_addresses] 
Caused by: 
[tomcat.tomcat] [user@127.0.0.1 (2560)
/console/restapi/api/siem/local_destination_addresses]
org.postgresql.util.PSQLException: Bad value for type short : 32976.8000000000029

systemctl restart ecs-ep

systemctl restart tomcat

conwrap[1048]: time="2022-03-20T06:45:21Z" level=error
msg="Health status polling has ended as the count of 1 has been hit."

• timeoutType
• timeToLive
• keyType
• key1Label
• valueLabel

• keyType
• valueLabel

root: tar:
/storetmp/backup.nightly.naming_53.13_01_2020.config.1608181708813.tgz: Cannot open: Not a directory

[ERROR] [NOT:0000003000][IPADD/- -] [-/- -]Error exporting data
java.lang.NullPointerException
at com.q1labs.core.ui.util.QueryUtils.getQVMQuery(QueryUtils.java:1481)
at com.q1labs.core.ui.util.QueryUtils.prepareQueryString(QueryUtils.java:1194)
at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:583)
at com.q1labs.core.ui.util.QueryUtils.getQueryCount(QueryUtils.java:562)
at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportJDBCSearchQRadarQuery(ExportJobProcessor.java:387)
at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:206)

hostname postgres[26685]: [182-1] ERROR: collation "pl" for encoding "UTF8" does not exist at character 11
hostname postgres[26685]: [182-2] STATEMENT: SELECT '' COLLATE "pl"

• IBM QRadar SIEM 7.5.0 GA - 7.5.0 Update Package 1
• IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 5
• IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 11

• CVE-2022-22963: VMware Spring Cloud Function could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the routing functionality. By providing a specially crafted SpEL as a routing-expression, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8
• CVE-2022-22965: Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. CVSS Base score: 9.8
• CVE-2022-22950: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.4

• IBM QRadar SIEM 7.5.0 GA
• IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
• IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10

• CVE-2021-22543: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of VM_IO|VM_PFNMAP vmas in KVM. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to start and control a VM to read/write random pages of memory. CVSS Base score: 7.1
• CVE-2021-3653: Linux Kernel is vulnerable to a denial of service, caused by improper input validation of the "int_ctl" VMCB field. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information from the physical memory. CVSS Base score: 7.1
• CVE-2021-3656: Linux Kernel is vulnerable to a denial of service, caused by improper input validation of the "virt_ext" VMCB field. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information from the physical memory. CVSS Base score: 7.1
• CVE-2021-37576: Linux Kernel for PowerPC could allow a local authenticated attacker to execute arbitrary code on the system, caused by a memory corruption flaw in the handling of the H_RTAS hypercall. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 7.8

1. Click the Admin tab.
2. Click Advanced > Restart Web Server.
3. Add encryption to the Manged host experiencing this issue where possible.

[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
0.0.0.0:7801: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/-
-]2021-06-13 12:37:44.0601 Info: /x.x.x.x:59036 : Inactivity :
Connection reset by peer [31]
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
0.0.0.0:7800: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/-
-]Error: /x.x.x.x:50194 : IOException : Broken pipe

while true; do echo $(date +"%T") | tee -a /root/lsof-mon.txt
&& lsof -p $(systemctl status tomcat | grep "Main PID" | awk
'{print $3}') | grep 'protocol: TCPv6' | wc -l 2>&1 | tee -a
/root/lsof-mon.txt; sleep 5; done;

[ecs-ec.ecs-ec] [Timer-18]
com.ibm.si.ec.filters.normalize.DSMFilter: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get MBean value
for "Average". javax.management.AttributeNotFoundException: No
such attribute: Average

systemctl restart ecs-ec-ingress

1. Click the Admin tab.
2. Click Advanced > Restart Event Collection Services.
   
   For more information, see Restarting the event collection service.

[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread]
com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
[NOT:0000003000][X.X.X.X/- -] [-/- -]Exception was uncaught in thread: StreamListenerThread
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] java.util.ConcurrentModificationException
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$HashIterator.nextNode(HashMap.java:1456)
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.util.HashMap$KeyIterator.next(HashMap.java:1480)
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.frameworks.nio.loadbalancing.AbstractLoadBalancer.addClient(AbstractLoadBalancer.java:88)
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at com.q1labs.sem.nio.network.StreamingServer.run(StreamingServer.java:108)
[ecs-ec-ingress.ecs-ec-ingress] [StreamListenerThread] at java.lang.Thread.run(Thread.java:822)

1. Log in to the QRadar Console.
2. From the Offenses > Log Activity tab, click Rules.
3. Select the rule 'All Exploits Become Offenses' as the default state for this rule is False.
4. Click Actions > Enable/Disable.
5. The rule's state is still False, but should display True.
6. Double click the rule to open the Rule Wizard.
7. In the Enable Rule section, click the Enable this rule if you want it to begin watching events or flows right away check box.
8. Click Finish.
   
   Results
   The user interface is refreshed and rule state displays True.

[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataManager:
[ERROR] [NOT:0000003000][/- -] [-/--]ReferenceDataManager.addToReferenceDataCollection()
rdata=name=UBA : Users Last Country size=24 {domain 0:[{data}...
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread:
[ERROR] [NOT:0000003-]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : Users Last Country size=24
{domain 0:[{data}...
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] com.q1labs.core.dao.referencedata.light.RefDataDomainRestrictionException:Can't use domain domains.
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:176)
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.addElement(RefDataDomainProtection.java:54)
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.dao.referencedata.RefDataDomainRestrictions.verifyWriteAccess(RefDataDomainRestrictions.java:188)
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataManager.addToReferenceDataCollection(ReferenceDataManager.java:825)
[tomcat.tomcat][ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100)

1. Create a domain and a reference set.
2. Create a rule to add a property to a reference set and choose domain specific data.
3. Verify elements can be added either from default domain or other domains.
4. Remove all domains.
5. Log in to the QRadar Console, click Admin tab > Advanced > Restart Web Server.
6. Attempt to update a rule with domain specific data.
   
   Results
   Elements cannot be added. Users encounter the error, "RefDataDomainRestrictionException: Can't use domains for Reference Data. This system has no domains."

Failed to run command 'mh_setup': Failed to add host
'xx.xxx.xxx.xxx' to deployment 'xxxxxxconsole.qradar.ibm.com':
Failed to add host to deployment: Check console logs for
details.

com.q1labs.configservices.common.ConfigServicesException:
Failed to connect to xx.xxx.xxx.xxx password may be invalid or
the connection was refused.

1. If this issue occurs on a managed host, a version mismatch between the Console (Postgres V11) and the host (Postgres V9.6) can occur that must be corrected by support as the host cannot receive the latest system settings and configuration from the Console.
2. If this issue occurs on the Console, the system configuration can not be loaded successfully due to the Postgres errors that occurred during the reinstall attempt.

1. Administrator experiences an upgrade issue where the patch failed, but successfully rolled back.
2. A second attempt to upgrade leads to a 'failure to install new postgresql rpms'.
3. The Postgres configuration might be in a bad state and support assistance is required.

Examining /media/updates/repo//postgresql11-contrib-11.14-1PGDG
.rhel7.x86_64.rpm:postgresql11-contrib-11.14-1PGDG.rhel7.x86_64
/media/updates/repo//postgresql11-contrib-11.14-1PGDG.rhel7.x86_64.rpm:
does not update installed package. Error: Nothing to do
[DEBUG](-i-patchmode) ERROR: Failed to install new postgresql
rpms. (1) a[DEBUG](-i-patchmode) Error running 270:
/media/updates/scripts/QRADAR-6666.install --mode presql; Got error code of 1.
[ERROR](-i-patchmode) Error running 270:
/media/updates/scripts/QRADAR-6666.install --mode presql

/opt/qradar/support/all_servers.sh -Ck "ls -1
/opt/ibm/java-x86_64-80/jre/lib/security/*.jar"

/opt/ibm/java-x86_64-80/jre/lib/security/local_policy.jar

/opt/ibm/java-x86_64-80/jre/lib/security/US_export_policy.jar

ls: cannot access
/opt/ibm/java-x86_64-80/jre/lib/security/*.jar: No such file or directory

[hostcontext.hostcontext] [main]
com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing resource loggers: 
[com.q1labs.frameworks.core.IFrameworksContext$ResourceLogger;e03cd69c
[hostcontext.hostcontext] [main]
com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks instance name: hostcontext.hostcontext
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing with URL: file:/opt/qradar/conf/
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks booting - logging, loader complete
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Loading frameworks.properties
[hostcontext.hostcontext] [main] com.q1labs.frameworks.util.NamedThreadFactory: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Thread factory created: Spillover Cache Vacuum
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Frameworks global cache manager was initialized using: /opt/qradar/conf/ehcache.xml
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing JMX for RMI
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.JMXHelper: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Constructing mbean server at: service:jmx:rmi://IPADDRESS:7778/jndi/rmi://IPADDRESS:7778/jmxrmi
[hostcontext.hostcontext] [main] com.q1labs.frameworks.logging.LogManagementAgent: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Log management agent started.
[hostcontext.hostcontext] [main] com.q1labs.frameworks.core.FrameworksContext: [INFO]
[NOT:0000006000][IPADDRESS/- -] [-/- -]Initializing jpa helipad hostcontext[21113]: Destroying HostContext

[ERROR](-i-patchmode) Error applying script [14/87] '/media/upd
ates/opt/qradar/conf/templates/db_update_247342.ref_set_import1
.sql'for Test_qradar database.; details: WARNING:  SET TRANSACTI
can only be used in transaction blocks NOTICE:  index
"reference_data_element_unique_rdata1" does not exist, skipping
ERROR:  could not create unique index
"reference_data_element_unique_rdata1" DETAIL:  Key
(md5((rdk_id::text || '_'::text) || data))=(0139237e0f70a8400c8

[DEBUG](patchmode) Checking that tomcat is running and ready:
(attempt 2/120) (24 seconds) Exception in thread "main"
java.lang.NoClassDefFoundError:
javax.persistence.EntityManagerFactory         
at com.q1labs.hostcontext.backup.core.BackupUtils.main(BackupUtils.java:2771)
  Caused by: java.lang.ClassNotFoundException: javax.persistence.EntityManagerFactory         
at java.net.URLClassLoader.findClass(URLClassLoader.java:610)  
at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:942)    
at java.lang.ClassLoader.loadClass(ClassLoader.java:887)         
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)         
at java.lang.ClassLoader.loadClass(ClassLoader.java:870)

[Connection [OK Applying presql script: (127/139)
[Connection to x.x.x.x closed by remote host.
[ERROR](patchingHost:x.x.x.x) Could not apply patch on HOSTNAME at x.x.x.x
[DEBUG](patchingHost:x.x.x.x) report='Could not apply patch on HOSTNAME at x.x.x.x

systemd[1]: Starting hostservices alias script...
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
init_script[10300]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 4 more times. 
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
init_script[10390]: [/opt/qradar/systemd/bin/hostservices.sh] [WARN] 'postgresql-qrd' failed to start. Will try 3 more times.
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Job for postgresql-qrd.service failed because the control 
process exited with error code. See "systemctl status postgresql-qrd.service" and "journalctl -x
hostservices.sh[6708]: Re-installing postgresql RPMs:  tr: when not truncating set1, string2 must be non-empty
hostservices.sh[6708]: error: package postgresql-contrib is not installed
hostservices.sh[6708]: error: package postgresql-server is not installed
hostservices.sh[6708]: error: package postgresql-libs is not installed
hostservices.sh[6708]: error: package postgresql is not installed
hostservices.sh[6708]: FAILED
hostservices.sh[6708]: Could not re-install postgresql rpms.

1. On the QRadar Console, Forensics must be added as a managed host IJ38824(https://ibm.biz/qifaddhost)
2. Deploy the changes.
   Ensure the Packet Capture is connected or added to the Forensics appliance (https://ibm.biz/addingpcap).
3. Navigate to the Forensics tab.
4. Attempt to perform a Forensic Recovery with an IP specified to limit results.
   
   Results The forensics recovery search fails to complete with a "There was an error running Forensic Recovery" when this issue occurs.

[predown:Error] [ERROR] Unable to export SOLR data: code 1
[WARN](-i-testmode) ERROR: [predown] QRADAR-4105 Unable to export SOLR data: code 1
[DEBUG](-i-testmode) Error running 26:
/media/updates/scripts/QRADAR-4105.install --mode predown; Got error code of 255.

"[Pending] This scan job was detected to be in an inconsistent
state".
com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
[vis] [Scanner Manager]    at
com.q1labs.vis.ScannerManager.run(ScannerManager.java:152)
[vis] [Scanner Manager]    at
java.lang.Thread.run(Thread.java:825)
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] java.lang.ClassNotFoundException:
com.ctc.wstx.stax.WstxInputFactory# Temporary workaround for  -
enable crl check on select processes only

executeQuery(): Attempting to execute ldap query
[(uid=test*contractor*user)] executeQuery(): Found [1] search results.
executeQuery(): Attempting to execute ldap query [(memberUid=test*contractor*user)] executeQuery(): Found [0] search results.
executeQuery(): Attempting to execute ldap query [(memberUid=uid=test*CONTRACTOR*user,dc=example,dc=org)] executeQuery(): Found [0] search results.

ERROR: Discovered extra databases which must be removed before continuing.
ERROR: If you would like to preserve the contents, backup the database before removing it.
ERROR: Make sure the database instance service is running before removing the extra database.
ERROR: The extra databases are:
* 'patch_test_qradar' in PostgreSQL instance 'postgresql-qrd'.
To remove, run: psql -U postgres -p 5432 -c 'drop database patch_test_qradar'.
* 'patch_test_fusionvm' in PostgreSQL instance 'postgresql-qvm'.
To remove, run: psql -U postgres -p 15433 -c 'drop database patch_test_fusionvm'.
* 'patch_test_qradar' in PostgreSQL instance 'postgresql-rm'. To
remove, run: psql -U postgres -p 15432 -c 'drop database patch_test_qradar'.
[ERROR](testmode) Pretest failed: "/media/updates/scripts/QRADAR-6666.install --mode pretest"
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue.
Patching this host cannot continue.
 [INFO](testmode) Waiting for hostcontext to fully start
 [INFO](testmode) Set ip-xx-xx status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.

[mks_integration] [get_ssh_ip DeletedWed] IPDeletedWed is reachable. 
ssh: Could not resolve hostname deletedwed: Name or service not known

1. Click the Offenses tab.
2. On the navigation menu, click Rules.

• APPFW_HEALTH_CHECK_DELAY_SECONDS=10
• APPFW_HEALTH_CHECK_RETRY_LIMIT=50

APPFW_HEALTH_CHECK_DELAY_SECONDS
APPFW_HEALTH_CHECK_RETRY_LIMIT

[tomcat.tomcat] [pool-1-thread-7] com.q1labs.uiframeworks.appli
cation.api.service.builders.shared.AsyncBuildStageTask:[ERROR] [
thrown during the execution of task: 84434 ....
[tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.uiframeworks.application.api.service.builders.SimpleBuildProcessor.trigger
Rollback(SimpleBuildProcessor.java:240)
[tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java:236)
[tomcat.tomcat] [pool-1-thread-7]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)[tomcat.tomcat]
java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)[tomcat
java.lang.Thread.run(Thread.java:822)
[tomcat.tomcat] [pool-1-thread-7] Caused by:
[tomcat.tomcat] [pool-1-thread-7]
{openjpa-2.4.3-r422266:1833086 fatal store error}
org.apache.openjpa.persistence.RollbackException: This connection has been closed.
[tomcat.tomcat] [pool-1-thread-7]    at org.apache.openjpa.persistence.EntityManagerImpl.commit(EntityManagerImpl.java:595)
[tomcat.tomcat] [pool-1-thread-7]    at com.q1labs.frameworks.session.SessionContext.commitTransaction(SessionContext.java:10
39)[tomcat.tomcat] [pool-1-thread-7]    ... 9 more
[tomcat.tomcat] [pool-1-thread-7] Caused by:
[tomcat.tomcat] [pool-1-thread-7] {openjpa-2.4.3-r422266:1833086 fatal general error}
org.apache.openjpa.persistence.PersistenceException: This connection has been closed. .....
[tomcat.tomcat] [pool-1-thread-7] Caused by:
[tomcat.tomcat] [pool-1-thread-7] org.postgresql.util.PSQLException: This connection has been closed.

1. Open Offense tab.
2. Select Search > New Search.
3. Specific Interval > select the checkbox Start Date Between.
4. Select dates.
5. Search.
6. After search is complete, click the Save Criteria button.
7. Type a name for the search.
8. Click OK.
   
   Results
   Nothing happens, the specific interval value displayed is 'null'.

Tue Jul 27 16:15:29 CDT 2021 /dev/mapper/storerhel-store is corrupted. Fixing it by running xfs_repair
Tue Jul 27 16:15:29 CDT 2021 Running 'xfs_repair /dev/mapper/storerhel-store' in '/root'
xfs_repair: /dev/mapper/storerhel-store contains a mounted filesystem
xfs_repair: /dev/mapper/storerhel-store contains a mounted and writable filesystem
fatal error ? couldn't initialize XFS library
Tue Jul 27 16:15:29 CDT 2021 ERROR: Failed to repair /dev/mapper/storerhel-store with return code: 1

[ecs-ep.ecs-ep] [CRE Processor [2]] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR]
[NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs
[ecs-ep.ecs-ep] [CRE Processor [2]] java.lang.NullPointerException
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.platform.Qip.of(Qip.java:108)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$102/0x00000000e000f680.call(UnknownSource)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.core.assetprofile.dao.light.Asset.findByNetwork(Asset.java:405)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.test.Jstl.hostAsset(Jstl.java:950)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.test.Jstl.targetHostAsset(Jstl.java:980)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.jstl.gen.OptJstl.targetHostAsset(OptJstl.java:728)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.ExternalEventTests.targetHostAsset(ExternalEventTests.java:633)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.gen.targetAssetValue_lt.test(targetAssetValue_lt.java)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.tests.IntCompare_Test.test(IntCompare_Test.java:44)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.gen.TestExecutor_0_2.test(TestExecutor_0_2.java)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:524)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:477)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
[ecs-ep.ecs-ep] [CRE Processor [2]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)

[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.assetprofile.dao.light.Asset: [ERROR]
[NOT:0000003000][X.X.X.X/- -] [-/- -] unable to pre-load asset IPs
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.NullPointerException
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.google.common.net.InetAddresses.ipStringToBytes(InetAddresses.java:164)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.google.common.net.InetAddresses.forString(InetAddresses.java:139)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.Qip.of(Qip.java:108)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lambda$preload$0(Asset.java:632)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset$$Lambda$88/0x0000000024ed6df0.call(UnknownSource)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:202)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.preload(Asset.java:627)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.lazyNotificationInit(Asset.java:704)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.assetprofile.dao.light.Asset.assetExists(Asset.java:377)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:816)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:886)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:864)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:905)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)

The backup repository path must contain a valid directory. The
directory you specify must not be a system directory

[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:822)
[ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by:
java.lang.IllegalArgumentException: bound must be positive
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.util.Random.nextInt(Random.java:399)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.initTimeStamps(HostProfiler.java:335)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.ep.filters.hp.HostProfiler.onInit(HostProfiler.java:292)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)

1. Create a user role with Remote Networks and Services Configuration selected.
2. Create a test user.
3. Add the user role from step 1 to the user from step 2.
4. Add a security profile: Admin.
5. Log in with the new user.
6. Click Admin tab > Remote Networks and Services Configuration in the left pane.
   
   Results
   The screen is blank and the user interface does not display values when you use the navigation sidebar.

[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles]
com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]An exception
occurred while executing the remote method 'getCronScanProfiles'
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles]
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfiles
QVM.getCronScanProfiles] at org.springframework.dao.support.DataAccessUtils.nullableSingleResult(DataAccessUtils.java:100)
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfilesQVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:777)
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfiles
QVM.getCronScanProfiles] at org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:799)
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfiles
QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.dao.scanprofile.CronSchedulerDAO.getCronSchedules(CronSchedulerDAO.java:384)
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfiles
QVM.getCronScanProfiles] at com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServiceImpl.getCronSchedules(ScanProfileServiceImpl.java:2008)
[tomcat.tomcat] [admin@127.0.0.1(6796)
/console/JSON-RPC/QVM.getCronScanProfiles
QVM.getCronScanProfiles] at com.q1labs.qvm.service.UIScheduledScansService.getCronScanProfiles(UIScheduledScansService.java:72)

[ecs-ep.ecs-ep] [ECS Runtime Thread] com.eventgnosis.ecs:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] Error attempting to load 
console.ibm.com:ecs-ep/MPC/Magistrate1/MPC  
Error: java.lang.RuntimeException: Failed to configure Offense Manager
Since there isn't a configuration error handler defined, the
original error is wrapped in a new RuntimeException
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.lang.RuntimeException: Failed to configure Offense Manager
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:94)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:296)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.installChildByName(SystemObject.java:232)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStack.createContainedFilters(FilterStack.java:71)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.create(FilterStackManager.java:219)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.filters.FilterStackManager.doWork(FilterStackManager.java:90)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject$DoWork.doIt(SystemObject.java:876)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doForAllMembers(SystemObject.java:854)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.SystemObject.doWork(SystemObject.java:895)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.doWork(RuntimeController.java:227)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.eventgnosis.system.RuntimeController.run(RuntimeController.java:527)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:818)
[ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by:
java.lang.IllegalArgumentException: Invalid domain ID: 1
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.util.domain.DomainCache.requireValidDomainID(DomainCache.java:749)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.platform.QipSet.add(QipSet.java:168)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCreatedCache(Attacker.java:966)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.q1labs.core.dao.sem.light.Attacker.preloadCaches(Attacker.java:949)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.preloadCaches(OffenseManagerDelegate.java:763)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.magi.OffenseManagerDelegate.configure(OffenseManagerDelegate.java:365)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at com.ibm.si.mpc.filters.OffenseManagerFilter.setVars(OffenseManagerFilter.java:90)
[ecs-ep.ecs-ep] [ECS Runtime Thread] ... 11 more

Failed to run command 'mh_setup': Failed to add host
'XX.XX.XX.XX' to deployment 'console-XXXXX.qradar.ibmcloud.com':
Failed to add host to deployment: Check console logs for details
File "/opt/qradar/lib/python/qradar/command_line.py", line 179,
in executeCommand self.cmd.execute(self.opts, self.args, self.parser)
File "/opt/qradar/bin/setup_qradar_host.py", line 399, in setup
input_obj.proxy_port, input_obj.proxy_username, input_obj.proxy_password)
File "/opt/qradar/bin/setup_qradar_host.py", line 443, in setupImpl
if addToDeploymentImpl(existing_server, server_host, token,
private_ip, public_ip, nat_id, encrypt, compress, host_password,
skip_deploy=True) is True:
File "/opt/qradar/bin/setup_qradar_host.py", line 534, in
addToDeploymentImpl addHostToDeployment(deployment, private_ip, 
public_ip, nat_id, encrypt, compress, host_password)
File "/opt/qradar/bin/setup_qradar_host.py", line 1240, in addHostToDeployment
raise SystemException(error_message, exit_code)

[accumulator.accumulator] [Preprocessor(events)_2]
com.q1labs.cve.accumulation.ObjectArrayAccessors: [ERROR]
[NOT:0000003000][xxx.xx.xx/- -] [-/- -]Unexpected error while building record
[accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.aggregation.props.AggregatedRecordPropertyBase.createKey(AggregatedRecordPropertyBase.java:17)
[accumulator.accumulator] [Preprocessor(events)_2]
java.lang.ClassCastException:
com.q1labs.core.types.event.NormalizedEvent incompatible with java.util.Map$Entry
[accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors$ObjectArrayAccessor.getKey(ObjectArrayAccessors.java:355)
[accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.getKey(ObjectArrayAccessors.java:265)
[accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:233)
[accumulator.accumulator] [Preprocessor(events)_2] at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26)
[accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[accumulator.accumulator] [Preprocessor(events)_2] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[accumulator.accumulator] [Preprocessor(events)_2] at
java.lang.Thread.run(Thread.java:818)

systemctl restart ecs-ec

[ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.
SelectiveForwardingCommunicatorThread:[WARN] [NOT:0000004000][xxx.xxx.xxx.xxx
[Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003]
Event Processing Error (SocketTimeoutException) [1].
[ecs-ec.ecs-ec] [SFCT_1247137] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread:[WARN] 
[NOT:0000004000][xxx.xxx.xxx.xxx
19:25:59.0715 [Global SOC_Forwarding Win:xxx.xxx.xxx.xxx:5003]
Unable to retry event[Queue Full], dropping event[104361].

1. On the console, from the command line, issue the following:
   

   ls- lah /opt/qradar/conf/licensekey/

2. You should see something similar to:
   

   -rwxrwxr-x 1 ecuunpack swsupt 0 Apr 13 2018 history
   -rwxrwxr-x 1 ecuunpack swsupt 811 Feb 1 17:34 licensekey.355
   -rwxrwxr-x 1 ecuunpack swsupt 996 Feb 1 17:34 licensekey.52
   -rwxrwxr-x 1 ecuunpack swsupt 0 Apr 13 2018 null

   
   Notice that the "history" and "null" file have a size of 0. These are the empty files we will remove
3. Make a copy of them to another directory, such as /store/ibm_support.
   

   cd /opt/qradar/conf/licensekey/
   cp /history null /store/ibm_support

4. Then remove each one.
   

   rm history
   rm null

5. Then refresh the browser.
   
   Results
   Attempt to open the Admin tab. If you have any questions about the workaround, or are still facing an issue after completing the workaround, contact support.

Issue
If an empty file is present in /opt/qradar/conf/licensekey a message similar to the following is displayed on the left side of the browser when opening the Admin tab of the QRadar user interface:

Application Error
An error has occourred.
Return and attempt the action again.
If the Problem persists, please contact customer support for assistance.

/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] 
javax.crypto.BadPaddingException: Given final block not properly padded
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.ibm.crypto.provider.AbstractBufferingCipher.a(UnknownSource)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.ibm.crypto.provider.AbstractBufferingCipher.engineDoFinal(Unknown Source)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at 
javax.crypto.Cipher.doFinal(Unknown source)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] 
java.lang.RuntimeException: com.q1labs.frameworks.crypto.DecryptException:
com.ibm.si.mks.CryptoException: Failed to decrypt data
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.decrypt(SensorProtocolConfigParameters.java:212)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.q1labs.core.dao.qidmap.SensorProtocolConfigParameters.getValue(SensorProtocolConfigParameters.java:135)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.q1labs.core.dao.qidmap.SensorDevice.getProtocolParameterValue(SensorDevice.java:1407)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.ibm.si.data_ingestion.api.impl.logsource.model.LogSource.{init}(LogSource.java:88)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.ibm.si.data_ingestion.api.impl.logsource.LogSourceUpdater.updateAndFetch(LogSourceUpdater.java:116)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
com.ibm.si.data_ingestion.api.v13_0.logsource.LogSourceAPI.update(LogSourceAPI.java:717)
/console/restapi/api/config/event_sources/log_source_management/log_sources/595412] at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

1. Have group ldapuser 1.
2. Add it to one of the security profiles in LDAP configuration, it changes to ldapuser%201.
3. If adding another LDAP group ldapuser 2 to the same security profile, the first one is loaded to the ldapuser%25201.
   
   Result
   This breaks the LDAP authentication.

1. Click User Preferences.
2. Click Offenses.
3. Click Rules.
4. Click Actions > New Event Rule.
5. Click Next.
6. Select Events > Next.
7. In the filter enter location:
8. Choose one of the two rules.
   
   • when the source is located in this geographic location
   • when the source IP is a part of any of the following geographic network locations
   
   Results
   When you expand the locations, the list of countries are not displayed in alphabetical order.

sed -i 's/ssh -N -T -v/ssh -N -T/g' \/etc/systemd/system/managed-tunnel\@.service; systemctl \daemon-reload; systemctl restart tunnel_manager

hostname ssh[5759]: debug1: channel 6: connected to localhost port 443
hostname ssh[3083]: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 12 win 2097152 max 32768
hostname ssh[3083]: debug1: client_request_forwarded_tcpip: listen localhost port 443, originator 127.0.0.1 port 39748
hostname ssh[3083]: debug1: connect_next: host localhost ([127.0.0.1]:443) in progress, fd=14
hostname ssh[3083]: debug1: channel 10: new [127.0.0.1]
hostname ssh[3083]: debug1: confirm forwarded-tcpip
hostname ssh[3083]: debug1: channel 10: connected to localhost port 443
hostname ssh[3132]: debug1: client_input_global_request: rtype ***@openssh.com want_reply 1
hostname ssh[3163]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1
hostname ssh[3151]: debug1: client_input_channel_req: channel 0 rtype ***@openssh.com reply1
hostname ssh[2936]: debug1: channel 14: free: 127.0.0.1, nchannels 16

Error applying script [31/136] '/media/updates/opt/qradar/conf/
templates/db_update_offense.inet.0.sql'for Test_qradar database.
WARNING:  SET TRANSACTION can only be used in transaction blocks
NOTICE:  Finding duplicate IP addresses in ...
NOTICE:  Duplicate IP addresses  found in ...

• If the patch on the Destination site has failed, please contact support for assistance.
  or
  
• Prior to starting the patching process, the issue can be avoided by performing the following:
  1. Patching the Main site (while active).
  2. Activate the Destination site.
  3. Patch the Destination site.

systemctl restart solr

systemctl restart solr

1. Have a reference set, TestRefSet.
2. Create a custom rule. Add a test using "when the event matches this search filter"
3. Select Reference set , and select Username from Data Entry, operator : Exists in any of . Set the filter value to "and when the event matches Username exists in any of TestRefSet"
4. Select finish.
5. Open Admin-> Reference Set Management
6. Search for TestRefSet. Note that Associate Rules displays as 0.
7. Double click on TestRefSet and then click on References. Note that "No items to display" is displayed.
   
   Expected result: Dependent Rules are listed

[report_runner] [main] com.q1labs.reporting.ReportServices:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^
#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:A
[MANUAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#162573
2490790].java.lang.NumberFormatException:For input string: "4.54
[report_runner] [main] com.q1labs.reporting.ReportServices:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^
#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490790]:R
admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml
[report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^
#admin#$#9ec2259b-df99-4b5e-a8ea087c1a704b99#^#1625732490790]:Failed to generate report version.
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:623)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:284)
[report_runner] [main] com.q1labs.reporting.ReportRunner:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- ]Run report
"admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99" Error
[report_runner] [main] java.lang.RuntimeException: REPORT [MAN
UAL#^#admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99#^#1625732490
790]:Failed to run using template
admin#$#9ec2259b-df99-4b5e-a8ea-087c1a704b99.xml.

qradar_netsetup.py[6638]: ibm_logging error [ERROR] The script
cannot determine if this IP has been reused.
Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
finalBlock [ERROR] Exceptions:
Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
finalBlock [ERROR] Traceback (most recent call last):
Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py",
line 3969, in main
Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
finalBlock [ERROR] qradarNetsetup.doJob()
Jun 25 05:03:35 qradar_netsetup.py[6638]: qradar_netsetup
finalBlock [ERROR] File "/opt/qradar/bin/qradar_netsetup.py",
line 961, in doJob

1. Navigate to Admin > Asset Profiler Configuration.
2. Change the Asset Profile Retention Period from Default 30 days to 'Use advanced'.
3. Under the use advanced section, change one of the values from 30 to another value.
4. Select Save and close the asset profiler configuration.
5. Re-open the asset profiler configuration.
   
   Result
   Values are set to 0. No errors are generated in QRadar logging when this occurs and functionality works as expected when using the default 30 days value.

admin@127.0.0.1 (5437)
/console/JSON-RPC/QRadar.saveChangesAssetProfiler
QRadar.saveChangesAssetProfiler | [Action]
[QRadarSystemSettings] [SystemSettingsChange] admin changed
'Enable Client Application Profiling' from '0' to '13' (
initiating-user="admin" )
admin@127.0.0.1 (5437)
/console/JSON-RPC/QRadar.saveChangesAssetProfiler
QRadar.saveChangesAssetProfiler | [Action]
[QRadarSystemSettings] [SystemSettingsChange] admin changed
'Enable Client Application Profiling' from '13' to '0' (
initiating-user="admin" )

1. Have a user (eg. testuser3) that has rules created by them and assign them to a group.
2. Navigate to Offense > Rules > Groups button, click on the group that were assigned to these rules (rule owner displays as testsuser3).
3. Login as admin, delete the user testuser3, the dependents check dialog pops up, re-assign all ownership to admin, and then deploy the changes.
4. Navigate back to Offense > Rules > Groups, click on the group that were assigned to these rules.
   
   Result
   The owner is still displayed as testuser3 when it should be admin in this example.

3a30ea5c-e061-4a00-bb0f-2ea592d148f2/SequentialEventDispatcher
at java.io.ByteArrayOutputStream.grow(I)V
(ByteArrayOutputStream.java(Compiled Code))
 at java.io.ByteArrayOutputStream.write([BII)V
(ByteArrayOutputStream.java:164(Compiled Code))
 at java.io.OutputStream.write([B)V
(OutputStream.java:86(Compiled Code))
 at com.ibm.security.util.DerValue.toByteArray()[B
(DerValue.java:1034(Compiled Code))
 at com.ibm.security.x509.X509CRLEntryImpl.parse(Lcom/ibm/secur
ity/util/DerValue;)V(X509CRLEntryImpl.java:609(Compiled Code))
 at com.ibm.security.x509.X509CRLEntryImpl.(Lcom/ibm/secu
rity/util/DerValue;)V(X509CRLEntryImpl.java:193(Compiled Code))
 at com.ibm.security.x509.X509CRLImpl.parse(Lcom/ibm/security/u
til/DerValue;)V(X509CRLImpl.java:1634(Compiled Code))
 at
com.ibm.security.x509.X509CRLImpl.<init>(Ljava/io/InputStream;)V
(X509CRLImpl.java:228)
 at com.ibm.crypto.provider.X509Factory.engineGenerateCRL(Ljava
/io/InputStream;)Ljava/security/cert/CRL;(null)
 at java.security.cert.CertificateFactory.generateCRL(Ljava/io/
InputStream;)Ljava/security/cert/CRL;(CertificateFactory.java:50
 at com.q1labs.frameworks.crypto.trustmanager.Q1X509Certificate
Factory.generateCrlURL(Ljava/lang/String;)Ljava/security/cert/X
509CRL;(Q1X509CertificateFactory.java:569)
 at com.q1labs.frameworks.crypto.trustmanager.Q1X509CrlStore.ge
nerateCrl(Ljava/lang/String;Ljava/lang/String;)Lcom/q1labs/fram
eworks/crypto/trustmanager/Q1X509Crl;(Q1X509CrlStore.java:265)
 at com.q1labs.frameworks.crypto.trustmanager.Q1X509CrlStore.ge
tCrl(Ljava/lang/String;)Lcom/q1labs/frameworks/crypto/trustmana
ger/Q1X509Crl;(Q1X509CrlStore.java:243)
 at com.q1labs.frameworks.crypto.trustmanager.CertificateValida
tor.checkCertPath([Ljava/security/cert/X509Certificate;Lcom/q1l
abs/frameworks/crypto/trustmanager/Q1X509TrustStore;Lcom/q1labs
/frameworks/crypto/trustmanager/Q1X509CrlStore;)V(CertificateVal
 at com.q1labs.frameworks.crypto.trustmanager.CertificateValida
tor.validate([Ljava/security/cert/X509Certificate;Lcom/q1labs/f
rameworks/crypto/trustmanager/CertValidatorParameters;)V(Certifi
 at com.q1labs.hostcontext.KeyStoreExpiryMonitor.monitorCertifi
cateInfo(Lcom/q1labs/frameworks/crypto/KeyStoreManager;Lcom/q1l
abs/frameworks/crypto/CertificateInfo;)V(KeyStoreExpiryMonitor.j
 at com.q1labs.hostcontext.KeyStoreExpiryMonitor.monitorEndCert
ificates()V(KeyStoreExpiryMonitor.java:277)
 at com.q1labs.hostcontext.KeyStoreExpiryMonitor.timeExpired(Lc
om/q1labs/frameworks/events/timer/TimerEvent;)V(KeyStoreExpiryMo
 at com.q1labs.frameworks.events.timer.TimerEventGenerator$Time
rEventInfo.dispatchEvent()V(TimerEventGenerator.java:234)
 at com.q1labs.frameworks.events.SequentialEventDispatcher$Disp
atchThread.run()V(SequentialEventDispatcher.java:129)

systemctl stop crond

systemctl start crond

1. Create a Log Source that can receive events via syslog.
2. Create and enable obfuscation on the 'Target Account Name'.
3. For the Custom Event Property, check the "Enable for use in Rules, Forwarding Profiles and Search Indexing" checkbox.
4. Replay events.
   
   Result
   The Custom Event Property parsing is broken.

curl -S -X POST -u admin -H 'Version: 17.0' -H 'Accept:application/json' 'https://x.x.x.x/api/siem/offenses/111?status=CLOSED'

1. Identify the corrupt reference data instances, run the following from an SSH session to the QRadar Console:

   psql -U qradar -c "select rd.id,rd.name,rd.current_count,rd.key1_label,rd.value_label,rd.is_table from reference_data rd
   where rd.is_table = 't' and id NOT in (select rd_id from reference_data_key_type)"

2. Use the Reference Data Management app to remove the corrupt reference data.

[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard]
org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred
in the _jspService method for org.apache.jsp.sem.jsp.ruleWizard.
RuleWizard_002daction_jsp: null 
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] java.lang.NullPointerException
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
org.apache.jsp.sem.jsp.ruleWizard.RuleWizard_002daction_jsp._js
pService(RuleWizard_002daction_jsp.java:2104)[tomcat.tomcat] [us
com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:148)
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewiza javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/ruleworg.apache.jasper.servlet.JspServlet.service(JspServlet.java:33
0)[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard]
javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
[tomcat.tomcat] [user@127.0.0.1(4521) /console/do/rulewizard] at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)

1. An asset exists in QRadar with DNS Hostname 'AB-123' and no MAC address.
2. A DHCP event generated with hostname 'Ab-123' with MAC and IP is processed.
   
   Result
   A new asset is created for Ab-123

[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
lDestination]]com.q1labs.sem.util.EmailSender: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
Exception attempting to send email: Illegal semicolon, not in group 
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]org.ap
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/EmailDestination]]at 
org.apache.commons.mail.Email.createIn
va:605)[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEve
inator][parent=hostname:ecs-ep/EP/EmailDestination]]at org.apache.commons.mail.Email.addTo(Email.java)
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
lDestination]]at org.apache.commons.mail.Email.addTo(Email.java:
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
lDestination]]at org.apache.commons.mail.Email.addTo(Email.java)
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
lDestination]]at com.q1labs.sem.util.EmailSender.send(EmailSende
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator][parent=hostname:ecs-ep/EP/Emai
lDestination]]at com.ibm.si.ep.destinations.EmailDestination.outDestination.java:42)
[ecs-ep.ecs-ep] [[type=com.eventgnosis.syst
inator][parent=hostname:ecs-ep/EP/EmailDestination]]at com.eventgnosis.system.ThreadedEventTerminator.
ventTerminator.java:51)[ecs-ep.ecs-ep] [[type=com.eventgnosis.sy
inator][parent=hostname:ecs-ep/EP/EmailDestination]]at java.lang.Thread.run(Thread.java:822)

systemctl restart accumulator

[accumulator.accumulator] [SentryAlertProcessor]
com.q1labs.cve.sentryengine.AlertProcessor: [WARN]
[NOT:0000004000][IP/- -] [-/- -][localhost:32005] 
Unable to connect to: "localhost/127.0.0.1:32005".
java.net.ProtocolException: Wrong protocol from
java.nio.channels.SocketChannel[connected local=/127.0.0.1:59414
remote=localhost/127.0.0.1:32005]

[hostcontext.hostcontext] [BackupServices_restore]
com.q1labs.configservices.hostcontext.exception.RestoreException: 
No host id mapping supplied with asset restore
[hostcontext.hostcontext] [BackupServices_restore] at 
com.q1labs.hostcontext.backup.core.HostRemappingUtils.remapScannerHostIds(HostRemappingUtils.java:372)
[hostcontext.hostcontext] [BackupServices_restore] at 
com.q1labs.hostcontext.backup.core.HostRemappingUtils.remap(HostRemappingUtils.java:439)
[hostcontext.hostcontext] [BackupServices_restore] at com.q1
labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3068)
[hostcontext.hostcontext] [BackupServices_restore]    
... 5 more

500 Can't connect to proxy_ip_address:proxy_port at
/opt/qradar/bin/geoipupdate-pureperl.pl line 180, <STDIN> line 1.

This query has timed out, and is no longer valid. Please use
the search to perform a new query."

systemctl restart ecs-ec-ingress

# systemctl restart ecs-ec

[ecs-ec.ecs-ec] [FlowGovernerProcessor]
com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR]
[NOT:0000003000][/- -] [-/- -]Exception was uncaught in thread:
FlowGovernerProcessor
[ecs-ec.ecs-ec] [FlowGovernerProcessor]
java.lang.NullPointerException
[ecs-ec.ecs-ec] [FlowGovernerProcessor]    at
com.ibm.si.ec.filters.FlowGoverner$FlowProcessor.run(FlowGoverner.java:345)

systemctl start httpd

Restoring previous SSL configuration ... (OK)
Reloading httpd configuration:
(SKIPPED): httpd not running
Mon Nov 30 17:23:27 GTM 2020 [install-ssl-cert.sh] ERROR: Could
not update SSL certificate - previous config restored

[WARN] HA is active but this is not the active box. Exiting..."

Job for qflow.service failed because a timeout was exceeded.
See "systemctl status qflow.service" and "journalctl -xe" for details.

1. Remove the .remote_ha_install file from /opt/qradar/ha/conf
2. Restart ha_manager via an SSH session on the Secondary appliance:

   systemctl restart ha_manager

   
   
   Results
   The Secondary appliance should then return to "standby" state.

• norsk
• norsk (Norge,nynorsk)
• Norwegian Bokmal (Norge)

Issue
Setting the QRadar locale to 'norsk (Norge)' can cause an API error when using the Log Source Managment (LSM) app. For example,
1. Ensure the LSM app is installed.
2. Change locale to norsk (Norge).
3. Open the LSM app and proceed to click on "Log Sources".
   
   Result
   The following API error is generated:

   "Could not load log source data
   An unexpected API error has occured."

   
   
   Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
   

   [tomcat.tomcat] [admin@IP (2372)
   /console/restapi/api/config/event_sources/log_source_management/
   log_sources] Caused by:
   [tomcat.tomcat] [admin@IP (2372)
   /console/restapi/api/config/event_sources/log_source_management/
   log_sources] org.apache.openjpa.lib.jdbc.ReportingSQLException:
   ERROR: collation "no_NO" for encoding "UTF8" does not exist
   Position: 2097 {prepstmnt -2104345788 INSERT INTO
   logsourcereader_temp (id, spid, deviceinternal, status,
   end_time) SELECT id, spid, deviceinternal, status, end_time
   FROM (SELECT *   FROM (SELECT sd.id, sd.devicename,
   sd.devicedescription, sd.devicetypeid, sd.spconfig,
   coalesce(spc.spid, 0) as spid, sd.hostname, sd.deviceenabled,
   sd.gateway, sd.devicecredibility, sd.eccomponentid, sd.dlcid, 
   sd.encoding, sd.coalesce_events, sd.store_event_payload, 
   sd.extension_id, sd.languageid, sd.deployed, sd.autodiscovered, 
   sd.eps60s, sd.creationdate, sd.editdate, sd.timestamp_last_seen,
   sd.sending_ip, sd.parsing_order, sdba.bulk_group_name,
   sps.end_time, asdtdm.destination_id, CASE
   WHEN (sdt.mask = 1 OR sdt.devicecategoryid = 4) and
   sdt.id <> 246 THEN true ELSE false END AS
   deviceinternal, CASE WHEN 
   sd.deviceenabled = false THEN 4 WHEN
   ((spc.spid IS NULL OR spc.spid IN (0, 12, 22, 24, 50) 
   OR spc.spid IN (SELECT sensorprotocolid FROM sensorprotocolparameter 
   WHERE name = 'WinCollectInstanceName'))) THEN
   CASE WHEN sd.timestamp_last_seen = 0 THEN 0 
   WHEN sd.timestamp_last_seen < 1601515622685 THEN 3 ELSE 1
   END WHEN sps.last_known_status IS NOT NULL THEN sps.last_known_status
   ELSE 0 END AS status FROM sensordevice sd INNER JOIN sensordevicetype sdt ON
   (sdt.id = sd.devicetypeid) 
   LEFT JOIN sensorprotocolconfig spc ON (sd.spconfig = spc.id)
   LEFT JOIN sensordevicebulkadd sdba ON (sdba.id = sd.bulk_added_id 
   and sd.bulk_added = true)
   LEFT JOIN sensorprotocolstatus sps ON (sps.id = coalesce
   (sd.status_record, spc.status_record))
   LEFT JOIN ale_sensor_device_to_destination_mapping asdtdm ON 
   (asdtdm.sensor_device_id = sd.id AND asdtdm.internal = true))
   AS DUMMY  WHERE ((eccomponentid <> -1 OR eccomponentid IS
   NULL))  ORDER BY devicename COLLATE "no_NO" ASC  LIMIT 20
   OFFSET 0) AS DUMMY} 

1. Select any routing rule.
2. Switch Mode between online and offline.
3. Check the Event Filters that are displayed in the drop down for each mode respectively.
   
   • Expected result: The dropdown list should reload properly so that the expected event filter options (either for online or for offline) are displayed.
   • Actual result: The dropdown list does not change.

[ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR]
[NOT:0150114103][ip_address/- -] [-/- -]Process
qvmprocessor.qvm has failed to start for 6606 intervals.
Continuing to try to start...

qvmprocessor[29794]: Error creating bean with name
'cronSchedulerDAO' defined in class path resource
[scheduler.spring.xml]: Cannot resolve reference to bean
'quartzScheduler' while setting bean property 'scheduler';
nested exception is
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'quartzScheduler' defined in class path
resource [sqlagents.spring.xml]: Invocation of init method
failed; nested exception is org.quartz.JobPersistenceException:
Couldn't retrieve trigger: No record found for selection of
Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ? [See nested exception:
java.lang.IllegalStateException: No record found for selection
of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ?]
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'cronSchedulerDAO' defined in class
path resource [scheduler.spring.xml]: Cannot resolve reference
to bean 'quartzScheduler' while setting bean property
'scheduler'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'quartzScheduler' defined in class path
resource [sqlagents.spring.xml]: Invocation of init method
failed; nested exception is org.quartz.JobPersistenceException:
Couldn't retrieve trigger: No record found for selection of
Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ? [See nested exception:
java.lang.IllegalStateException: No record found for selection
of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ?]
...
qvmprocessor[29794]: Caused by:
org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'quartzScheduler' defined in class path
resource [sqlagents.spring.xml]: Invocation of init method
failed; nested exception is org.quartz.JobPersistenceException:
Couldn't retrieve trigger: No record found for selection of
Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ? [See nested exception:
java.lang.IllegalStateException: No record found for selection
of Trigger with key: 'qvmScheduling.checkQRMLicenseTrigger' and
statement: SELECT * FROM quartz.SIMPLE_TRIGGERS WHERE
SCHED_NAME = 'qvmScheduler' AND TRIGGER_NAME = ? AND
TRIGGER_GROUP = ?]
...
qvmprocessor[29794]: Caused by:
org.quartz.JobPersistenceException: Couldn't retrieve trigger:
No record found for selection of Trigger with key:
'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT *
FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler'
AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ? [See nested
exception: java.lang.IllegalStateException: No record found for
selection of Trigger with key:
'qvmScheduling.checkQRMLicenseTrigger' and statement: SELECT *
FROM quartz.SIMPLE_TRIGGERS WHERE SCHED_NAME = 'qvmScheduler'
AND TRIGGER_NAME = ? AND TRIGGER_GROUP = ?]

1. Use an SSH session to log in to the QRadar Console as root user.
2. Run at the command line
   

   sed -i 's/geodata.Europe.Belarus=Brasil/geodata.Europe.Belarus=Bielo
   russia/g' /opt/qradar/conf/localization/geodata_es.properties

1. Log in to the QRadar Console.
2. Change locale to español.
3. Click Offenses.
4. Create a new event rule.
5. Click Next.
6. Click Events > Next
7. Filter on "location" and choose either of these rules:
   - when the source is located in this geographic location
   - when the source IP is a part of any of the following geographic network locations
8. Select the location parameter and go in to "Europa".
   
   Result
   Brasil will be visible in the list of countries.

1. Have a rule with Rule Response > Dispatch a new event > Ensure the dispatched event is part of an offense.
2. Select "This information should not contribute to the naming of the associated offense(s)".
3. Use the search option to find the offense using the "Description" field under the "Offenses" tab.
   
   Results
   No search results are returned

com.q1labs.hostcontext.KeyStoreExpiryMonitor: [WARN]
NOT:0030004104][127.0.0.1/- -] [-/- -]The certificate named
QRadar_SAML will expire on Sun Dec 01 02:06:40 AST 2019. Please
update the certificate  soon.

Jan 20 14:47:48 2022: Jan 20 14:47:48
2022:[DEBUG](-ni-patchmode) Running script
/media/updates/scripts/QRADAR-9108.install --mode mainpatch
Jan 20 14:47:53 2022: Jan 20 14:47:53 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:47:55 2022: Jan 20 14:47:55 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:48:00 2022: Jan 20 14:48:00 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:48:01 2022: Jan 20 14:48:01 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:48:03 2022: Jan 20 14:48:03 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:48:07 2022: Jan 20 14:48:07 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt
Jan 20 14:48:09 2022: Jan 20 14:48:09 2022:
[WARN](-ni-patchmode) ERROR: Failed to decrypt

1. A Console is rebuilt or reinstalled and the admin attempts to restore the latest night configuration backup.
2. Hardware migrations from an old Console to a new Console appliance.
3. Administrators who use a lab Console appliance to validation changes, then attempt to restore a nightly configuration backup to the production Console.

com.q1labs.frameworks.crypto.DecryptException:
com.ibm.si.mks.CryptoException: Failed to decrypt data
[hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frame
works.crypto.CryptoUtils.decrypt(CryptoUtils.java:56)
[hostcontext.hostcontext] [pool-2-thread-1]
com.ibm.si.mks.CryptoException: Failed to decrypt data
[hostcontext.hostcontext] [pool-2-thread-1] at
com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:385)
[hostcontext.hostcontext] [pool-2-thread-1] at
com.ibm.si.mks.Crypto.decrypt(Crypto.java:70)
[hostcontext.hostcontext] [pool-2-thread-1] at com.q1labs.frame
works.crypto.CryptoUtils.decrypt(CryptoUtils.java:53)
[hostcontext.hostcontext] [pool-2-thread-1] at
javax.crypto.Cipher.a(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at
javax.crypto.Cipher.init(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at
javax.crypto.Cipher.init(Unknown Source)
[hostcontext.hostcontext] [pool-2-thread-1] at
com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:376)
java.io.IOException: Integrity check failed:
java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking

• IBM QRadar SIEM 7.5.0 GA
• IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
• IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10

• IBM QRadar SIEM 7.5.0 GA
• IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
• IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10

• IBM QRadar SIEM 7.5.0 GA
• IBM QRadar SIEM 7.4.3 GA - 7.4.3 Fix Pack 4
• IBM QRadar SIEM 7.3.3 GA - 7.3.3 Fix Pack 10

• CVE-2015-5237: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking in the mod_lua multipart parser called from Lua scripts). By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 9.8
• CVE-2019-17195: Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.9
• CVE-2012-6708: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the ap_escape_quotes() function. By sending specially crafted input, a remote attacker could write beyond the end of a buffer. CVSS Base score: 3.7

1. Restart the docker-distribution service by running the following command from an SSH session to the QRadar console:

   systemctl restart docker-distribution

2. Attempt the App install again.

In some instances, a QRadar user is unable to reinstall a QRadar
App after uninstalling it from an Apphost in the deployment when
a "manifest unknown" error is generated.


Messages similar to the following might be visible in
/var/log/qradar.log when this issue occurs:

[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.cmt.utils.app.AppFrameworkAPIClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]null
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.cmt.utils.app.ApplicationErrorStateException
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.waitForInstallStatusChange(AppFrameworkAPIClient.java:503)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.getAppInstallResult(AppFrameworkAPIClient.java:239)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.performInstallOrUpgrade(AppFrameworkAPIClient.java:202)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.installAppWithOneInstance(AppFrameworkAPIClient.java:118)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.cmt.utils.app.AppFrameworkAPIClient.installApplication(AppFrameworkAPIClient.java:101)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentCustom.importApplicationViaZip(ContentCustom.java:4404)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentCustom.importCustom(ContentCustom.java:646)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java:3870)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java:1942)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java:4039)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java:201)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java:82)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java:81)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java:822)
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]
Failed to import content ile [/store/tmp/cmt/out/QDI-2/QDIocp-ContentExport-20200221185554.xml]
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000]
[extension with id = 451 failed: appfw.app.health.check.failed
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: appfw.app.health.check.failed
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java:84)
[tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java:822)
console-test-primary testregistry[28344]:
time="2021-02-12T14:07:54-04:00" level=error msg="response
completed with error" err.code="manifest unknown"
err.detail="unknown manifest name=qapp/1158
revision=sha256:df8d466107eda22d9c59818d6c834e92c4d656d2
32b9a512ad5d166a391a0023" err.message="manifest unknown"
go.version=go1.9.2
http.request.host="console.localdeployment:5000"
http.request.id=da0263ba-1fe4-4826-8c45-69ade7306f42
http.request.method=GET
http.request.remoteaddr="0.0.0.0:41414" http.request.uri="/
v2/qapp/1158/manifests/2.2.5-20210212140020"
http.request.useragent="docker/18.09.2 go/go1.10.6
git-commit/6247962 kernel/3.10.0-1160.6.1.el7.x86_64 os/linux
arch/amd64 UpstreamClient(Docker-Client/18.09.2 \\(linux
))" http.response.contenttype="application/json; charset=utf-8" 
http.response.duration=1.991631ms http.response.status=404 
http.response.written=185 instance.id=62e5af6b-0bd7-4094-bd71-c13da0a1c0bf
vars.name="qapp/1158" vars.reference=2.2.5-20210212140020
version="v2.6.2+unknown"

1. Perform a restart of the ecs-ep service from an SSH session on affected appliances can temporarily correct this issue:
   

   systemctl restart ecs-ep

2. Investigate and fix the reason the remote port isn't available then restart the service that has run out of file handles.

1. Log in to the Console as the administrator.
2. Click the Admin tab > System and License Management.
3. Select the Event or Flow Processor
4. Click Deployment Actions > Edit Managed host.
5. Clear the check box Encrypt Host Connections.

[tomcat.tomcat] [x.x.x.x] com.q1labs.configservices.config.globalset.platform.GlobalArielServerListTransformer: 
[INFO] [NOT:0000006000][x.x.x.x/- -] [-/--]Ariel list transformer has changed the deployment file.

systemctl restart qflow

1. Use an SSH session to connect to the QRadar Console.
   IMPORTANT: Administrators must backup your existing nva.conf before you attempt to make any changes. It is typically recommended that administrators create a folder for save files before a change. For example, administrators can use the mkdir command to create /store/IBM or /store/ibmsupport for temporary files before you apply a configuration change.
2. To backup your nva.conf file, type:

   cp /opt/qradar/conf/nva.conf /store/IBM/nva.conf

3. Navigate to /store/configservices/staging/globalconfig/nva.conf.
4. Edit /store/configservices/staging/globalconfig/nva.conf and add the FQDN of the console in lower case letters to the list: APP_PROXY_NO_PROXY_LIST=
   
   Note: If you have multiple addresses, you can use commas to separate values between multiple hosts. For example:

   APP_PROXY_NO_PROXY_LIST=example-host.net,example-host2.net

5. Log in to the QRadar Console user interface.
6. Click the Admin tab and select Deploy changes.

For more information on Deploy Changes, see https://www.ibm.biz/qradardeploy

1. Have a console with a FQDN in capital letters.
2. Configure the Console to use a proxy for Auto updates.
3. Install Pulse or Network Hierarchy app on the Console.
4. Attempt to access Pulse's Threat Globe dashboard or try to do a backup in Network Hierarchy.
   
   Result
   The backup fails and on Pulse app displays the error 'Unable to Connect to QRadar - Cannot establish a connection to the console.'

[ecs-ep.ecs-ep] [CRE Processor [3]]
com.q1labs.semsources.cre.responses.ReferenceDataResponse:
[ERROR] [NOT:0000003000][QRADARIP/- -] [-/- -]Failed to get
values from event: property="eventProcessorId",
key1Val="127.0.0.1", key2Val=null, doSend=true, unRollFlow=false
[ecs-ep.ecs-ep] [CRE Processor [3]] java.lang.RuntimeException:
java.lang.ClassNotFoundException:
com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
[ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:933)
[ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.getValuesFromEvent(AbstractReferenceDataResponse.java:253)
[ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.extractValuesFromEventAndSend(AbstractReferenceDataResponse.java:223)
[ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
[ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
[ecs-ep.ecs-ep] [CRE Processor [3]] Caused by:
java.lang.ClassNotFoundException:
com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
[ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
[ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
[ecs-ep.ecs-ep] [CRE Processor [3]] at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
[ecs-ep.ecs-ep] [CRE Processor [3]] ... 12 more
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.responses.AbstractReferenceDataResponse.performResponse(AbstractReferenceDataResponse.java:360)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CREProcessor [3]] at
com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java:229)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java:158)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at
com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] Caused by: java.lang.ClassNotFoundException:
com.q1labs.ariel.ui.formatters.EventProcessorIdFormatter
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forNameImpl(Native Method)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] at java.lang.Class.forName(Class.java:337)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE Processor [3]] 
at com.q1labs.core.shared.ariel.ArielUtils.getFormatter(ArielUtils.java:927)
Feb 26 12:03:55 ::ffff:9.180.234.72 [ecs-ep.ecs-ep] [CRE
Processor [3]] ... 12 more

1. Open the forensics user permission window.
2. Assign a user and assign some cases.
3. Select save user.
   
   Messages similar to the following might be visible in the /var/log/qradar-sql.log when this issue occurs:
   

   postgres[9113]: [3-1] ERROR: syntax error at or near "select"
   at character 91
   postgres[9113]: [3-2] STATEMENT: BEGIN;
   postgres[9113]: [3-3] SET search_path TO
   forensics,"$user",public;
   postgres[9113]: [3-4] UPDATE forensics.users SET username =
   select '174' WHERE id = '57' AND NOT EXISTS (SELECT * from
   forensics.users where username='174');
   postgres[9113]: [3-5]
   postgres[9159]: [3-1] ERROR: syntax error at or near "select"
   at character 91
   postgres[9159]: [3-2] STATEMENT: BEGIN;
   postgres[9159]: [3-3] SET search_path TO
   forensics,"$user",public;
   postgres[9159]: [3-4] UPDATE forensics.users SET username =
   select '174' WHERE id = '57' AND NOT EXISTS (SELECT * from
   forensics.users where username='174');
   ...and if the database is busy, messages similar to the
   following might also be visible:
   postgres[13432]: [3-1] ERROR: duplicate key value violates
   unique constraint "users_username_key"
   postgres[13432]: [3-2] DETAIL: Key (username)=(430007059)
   already exists.
   postgres[13432]: [3-3] STATEMENT: BEGIN;
   postgres[13432]: [3-4] SET search_path TO
   forensics,"$user",public;
   postgres[13432]: [3-5] INSERT INTO forensics.users (username)
   select '430007059' WHERE NOT EXISTS (SELECT * from
   forensics.users where username='430007059') RETURNING lastval()
   as insert_id;
   postgres[13432]: [3-6]
   postgres[13432]: [4-1] ERROR: current transaction is aborted,
   commands ignored until end of transaction block
   postgres[13432]: [4-2] STATEMENT: SET search_path TO
   forensics,"$user",public;
   postgres[13432]: [5-1] ERROR: current transaction is aborted,
   commands ignored until end of transaction block
   postgres[13432]: [5-2] STATEMENT: SELECT id FROM users WHERE
   username = '430007059'

1. Copy /opt/qradar/conf/IPFIXFields.conf to /store/configservices/staging/globalconfig/ on the Console.
2. Edit /store/configservices/staging/globalconfig/IPFIXFields.conf to add lines for the fields you wish to exclude. Example:
   

       2,158,PROTOCOL_NAME,0
       2,159,PROTOCOL_VERSION,0

3. Save the file.
4. From the Admin tab, click Deploy changes.
For more information on TLV or Payload for QFlow, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qni_configure_qflow_settings.html

Issue
There are several newer TLVs (type-length-value) that are not excluded from payload mode in the IPFIXFields.conf. These internal properties can fill up the payload block. A flow can have it's payload filled with an incorrect property when this occurs instead of the true payload.

[tomcat.tomcat] [HttpServletRequest-87-Idle]
com.ibm.qradar.wfObjects.wfDBConnect: [ERROR] Database error:
SQLException: FATAL: password authentication failed for user
"qradar"
SQLState: 28P01
VendorError: 0
--
Checking the postgresql-qrd service in the Console it still
shows this connection failures.
x.x.x.x.ent postgres[173526]: [3-3] Connection matched
pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
md5"
 x.x.x.x.ent postgres[173909]: [3-1] FATAL: password
authentication failed for user "qradar"
 x.x.x.x.ent postgres[173909]: [3-2] DETAIL: Password does not
match for user "qradar".
 x.x.x.x.ent postgres[173909]: [3-3] Connection matched
pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
md5"
 x.x.x.x.ent postgres[173914]: [3-1] FATAL: password
authentication failed for user "qradar"
 x.x.x.x.ent postgres[173914]: [3-2] DETAIL: Password does not
match for user "qradar".
 x.x.x.x.ent postgres[173914]: [3-3] Connection matched
pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
md5"
 x.x.x.x.ent postgres[173929]: [3-1] FATAL: password
authentication failed for user "qradar"
 x.x.x.x.ent postgres[173929]: [3-2] DETAIL: Password does not
match for user "qradar".
 x.x.x.x.ent postgres[173929]: [3-3] Connection matched
pg_hba.conf line 54: "host all all 127.0.0.1 255.255.255.255
md5"

127.0.0.1 [Timer-0] com.ibm.qradar.forensics.watcher.watchers.UserChecker: [ERROR] Failed to get users
127.0.0.1 com.ibm.qradar.forensics.watcher.utils.Database$DatabaseException: Failed to retrieve console host.
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:198)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.getFTPUsernameList(UserChecker.java:92)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.processFTPUsers(UserChecker.java:107)
127.0.0.1 at com.ibm.qradar.forensics.watcher.watchers.UserChecker.run(UserChecker.java:58)
127.0.0.1 at java.util.TimerThread.mainLoop(Timer.java:566)
127.0.0.1 at java.util.TimerThread.run(Timer.java:516)
127.0.0.1 Caused by: org.postgresql.util.PSQLException: FATAL: password authentication failed for user "username"
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514)
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141)
127.0.0.1 at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
127.0.0.1 at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
127.0.0.1 at org.postgresql.jdbc.PgConnection.(PgConnection.java:195)
127.0.0.1 at org.postgresql.Driver.makeConnection(Driver.java:454)
127.0.0.1 at org.postgresql.Driver.connect(Driver.java:256)
127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:675)
127.0.0.1 at java.sql.DriverManager.getConnection(DriverManager.java:281)
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.connect(Database.java:59)
127.0.0.1 at com.ibm.qradar.forensics.watcher.utils.Database.getFTPUsernameList(Database.java:183)
127.0.0.1 ... 5 more

[tomcat.tomcat] [pool-1-thread-7]
com.q1labs.restapi_annotations.content.exceptions.endpointExcept
ions.ServerProcessingException: An error occurred setting app
status to [STOPPED]. Task state found to be [EXCEPTION].
[tomcat.tomcat] [pool-1-thread-7]    at
com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.stopAppInstance(RestartAppAsyncTask.java:149)
[tomcat.tomcat] [pool-1-thread-7]    at
com.q1labs.uiframeworks.application.api.service.status.tasks.RestartAppAsyncTask.runTask(RestartAppAsyncTask.java:112)
[tomcat.tomcat] [pool-1-thread-7]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522) 
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160) 
[tomcat.tomcat] [pool-1-thread-7]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) 
[tomcat.tomcat] [pool-1-thread-7]    at java.lang.Thread.run(Thread.java:818)

[tomcat.tomcat] [x(3588)
/console/do/rulewizard/saveCustomizeConditionParameter]
com.q1labs.sem.ui.util.RuleConditionUtils: [WARN]
[NOT:0000004000][/- -] [-/- -]No lookup results found for user
selection(s) URI-Domain+Path+Query for method
com.q1labs.sem.ui.semservices.UISemServices.getEventDatabaseFields

1. Log into QRadar.
2. Click Vulnerbilities.
3. Click adminstration, then scan profile.
4. Click Add to create a acan profile.
5. Give scan profile a name, click Use centralized credentials checkbox.
6. Save the Scan.
7. Click the newly created scan, click Edit.
   
   Expected results
   The use centralized credentials checkbox is selected.
   
   Actual result The use centralized credentials checkbox is unchecked.
   Note: Scans saved with the use centalized creditionals selected save correctly and still run correctly.

'License {name}', allocated to host '{hostname}' will expire soon. 
Its expiration date is '{date}'

[ecs-ep.ecs-ep] [MPC/PersisterThread@0000778355]
com.ibm.si.mpc.magi.contrib.ModelPersister: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Processed 39 commands in
0:00:00.023 including offense: 2, attacker: 1, target: 1,
network: 2, cat: 2, off-cre-agg: 2, off-cat-sum: 4, annot: 2,
device: 1, user: 1, offenseEP: 2, mac: 0, qid: 0, appId: 0,
host: 0, asset: 0, port: 0, rule: 0, ipv6: 0, asn: 0, regex: 0,
calculated: 0, mpcQueryReq: 0. New Load: 0.00
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor]
[parent=hostname:ecs-ep/MPC/Magistrate1/MPC]]
com.ibm.si.mpc.magi.schedule.EventScheduler: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Scheduling 1 of 1 offenses. 
(events-rcvd: 10, event-errs: 6, events-rejected: 0,
MT-recs: 4, MT-recs-rejected: 0 (eq: 0), capDropped: 0,
off-create-err: 0, off-contrib-err: 0, schd: 4, wait: 0,
bytes-sched: 0.00MB, bytes-wait: 0.00MB, total rcvd: 1144987).
init-sched: 0, dorm-sched: 0, def-sched: 0, def: 0, active: 4,
dormant: 53, Load: 0.00, Throughput: 100.00%

1. Log in as an administrator and click the Admin tab.
2. Click the Aggregated Data Management icon.
3. Select an Aggregated Data view in the Display dropdown.
4. Change view dropdown. (eg. Last 3 days or Last 7 days)
5. Click the Data Written Column to sort the data.
   
   Result An error occurred
   For input string: "2198937739"

[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
while executing the remote method 'getListPortion'
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
java.lang.NumberFormatException: For input string: "2198937739"
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.lang.Integer.parseInt(Integer.java:595)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.lang.Integer.parseInt(Integer.java:627)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:86)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
com.q1labs.gvmanagement.ui.services.GVStats$GVStatsComparator.compare(GVStats.java:40)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.util.TimSort.binarySort(TimSort.java:307)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.util.TimSort.sort(TimSort.java:250)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.util.Arrays.sort(Arrays.java:1856)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.util.ArrayList.sort(ArrayList.java:1473)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.util.Collections.sort(Collections.java:186)
........
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1471)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat.tomcat] [admin@127.0.0.1 (268)
/console/JSON-RPC/QRadar.getListPortion QRadar.getListPortion]
  at java.lang.Thread.run(Thread.java:811)

AES: Datasize not exactly blocksize (16 bytes) at
/opt/qradar/lib/Q1/auCrypto.pm line 79.
Oct 28 18:20:49 2021: Oct 28 18:20:49 2021:[ERROR](patchmode)
deploy failed.

[WARN](patchmode) (date) 16:37:09,517 - WARNING -
CustomPropertiesScript - process_searches_preload -
Custom property Target Process Name exists, but not with system
id 7453f3f4-58b3-4e08-aa35-372e2a029deb. Skipping custom-data.
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api
.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12
extension with id = 74 failed: Detected a conflict while
importing a custom property.
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: 
Detected a conflict while importing a custom property. 
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.ContentCustom: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Property with id
[DEFAULTCUSTOMEVENT8] already exists but has a different name
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.ContentManager: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content
file [/store/tmp/cmt/out/20210823183050/CustomProperties_Micros
oftWindows.xml]
[tomcat.tomcat] [admin@127.0.0.1]
com.ibm.si.content_management.ContentManager: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import content
file [/store/tmp/cmt/out/MicrosoftWindows-CustomProperties-1/Cu
stomProperties_MicrosoftWindows.xml]
[tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api
.impl.cmt.tasks.InstallExtensionTask:[ERROR] [NOT:0000003000][12
extension with id = 75 failed: Detected a conflict while
importing a custom property.
[tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: 
Detected a conflict while importing a custom property.

java.lang.NullPointerException
at com.ibm.si.content_management.ContentParser.getCustomRuleLogSource(ContentParser.java:5150)
at com.ibm.si.content_management.ContentParser.getParsed(ContentParser.java:149)
at com.ibm.si.content_management.Content.exportContent(Content.java:2853)
at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
at com.ibm.si.content_management.Content.exportContent(Content.java:3277)
at com.ibm.si.content_management.Content.exportContent(Content.java:3388)
at com.ibm.si.content_management.ContentManager.exportContent(ContentManager.java:1310)
at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3495)
at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3455)
at com.ibm.si.content_management.ContentManager.doExport(ContentManager.java:3539)
at com.ibm.si.content_management.CommandLineManager.processExport(CommandLineManager.java:323)
at com.ibm.si.content_management.CommandLineManager.main(CommandLineManager.java:149)

Caused by:
com.q1labs.configservices.common.ConfigServicesException:
Unable to get properties to build the forensics_config.xml file
  at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildThreatAnalyticsConfigFile(ForensicsRealtimeConfigTransformer.java:199)
  at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.configure(ForensicsRealtimeConfigTransformer.java:87)
  at com.q1labs.configservices.config.localset.forensics.ForensicsRealtimeConfigTransformer.buildConfig(ForensicsRealtimeConfigTransformer.java:71)
  at com.q1labs.configservices.config.AbstractComponentConfigBuilder.buildComponentConfig(AbstractComponentConfigBuilder.java:65)
  at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.processComponent(ComponentTransformerManager.java:206)
  at com.q1labs.configservices.config.localset.component.ComponentTransformerManager.buildConfiguration(ComponentTransformerManager.java:117)
  ... 9 more

Grub Files Check
 Ensures grub files and settings are correct
    [FAILURE]

        The symlink /etc/grub2-efi.cfg does not have the correct
target. Found:
        /boot/efi/EFI/grub/grub.cfg Expected:
../boot/efi/EFI/redhat/grub.cfg
       [REMEDIATION]

        Delete /etc/grub2-efi.cfg (if it exists) using 'rm
/etc/grub2-efi.cfg',
        then re-create the symlink by running 'ln -s
        ../boot/efi/EFI/redhat/grub.cfg /etc/grub2-efi.cfg'

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• CVE-2020-12362: Intel Graphics Drivers could allow a local authenticated attacker to gain elevated privileges on the system, caused by an integer overflow in the firmware. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 7.5
• CVE-2020-12363: Intel Graphics Drivers are vulnerable to a denial of service, caused by improper input validation. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
• CVE-2020-12364: Intel Graphics Drivers are vulnerable to a denial of service, caused by a NULL pointer reference error. A local authenticated attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 1.9
• CVE-2020-27170: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds loads flaw. By executing specially-crafted BPF programs, an attacker could exploit this vulnerability to obtain contents of kernel memory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5
• CVE-2020-8648: Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the n_tty_receive_buf_common function of drivers/tty/n_tty.c. An attacker could exploit this vulnerability to read memory that should not be available for access. CVSS Base score: 5.3
• CVE-2021-3347: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a kernel stack use-after-free during fault handling in PI futexes. An attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the kernel. CVSS Base score: 7.8
• CVE-2020-24489: Multiple Intel Virtualization Technology for Directed I/0 (VT-d) products could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incomplete cleanup. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base score: 8.8
• CVE-2020-24511: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by improper isolation of shared resources. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6
• CVE-2020-24512: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by the observable timing discrepancy issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.8
• CVE-2020-24513: Intel Atom could allow a local authenticated attacker to obtain sensitive information, caused by domain-bypass transient execution vulnerability. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.6

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• CVE-2021-32028: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table. By creating prerequisite objects, an attacker could exploit this vulnerability to read arbitrary bytes of server memory. CVSS Base score: 6.5
• CVE-2021-32027: PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow while modifying certain SQL array values. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• CVE-2021-31811: Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.5
• CVE-2021-31812: Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop. CVSS Base score: 5.5

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• CVE-2021-3541: GNOME libxml2 is vulnerable to a denial of service, caused by an exponential entity expansion attack which bypasses all existing protection mechanisms. A remote authenticated attacker could exploit this vulnerability to consume all available resources. CVSS Base score: 6.5
• CVE-2021-3516: libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in xmlEncodeEntitiesInternal() in entities.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2021-3520: lz4 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted file, an attacker could invoke memmove() on a negative size argument leading to memory corruption and trigger an out-of-bounds write or cause the library to crash. CVSS Base score: 8.6
• CVE-2017-14502: libarchive is vulnerable to a buffer overflow, caused by improper bounds checking by the read_header function in archive_read_support_format_rar.c. By persuading a victim to open a specially-crafted RAR file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2021-20271: RPM could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the signature check function. By persuading a victim to open a specially-crafted package file, an attacker could exploit this vulnerability to cause RPM database corruption and execute arbitrary code on the system. CVSS Base score: 6.7
• CVE-2021-33503: urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a specially-crafted URL request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
• CVE-2019-20387: libsolv is vulnerable to a denial of service, caused by a heap-based buffer over-read in the repodata_schema2id function in repodata.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
• CVE-2020-29361: p11-glue p11-kit are vulnerable to a denial of service, caused by multiple integer overflows when allocating memory for arrays of attributes and object identifiers. By sending a specially-crafted request using realloc or calloc function, an attacker could exploit this vulnerability to cause a denial of service or possibly execute arbitrary code on the system. CVSS Base score: 7.5
• CVE-2020-29363: p11-glue p11-kit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the RPC protocol. By sending a serialized byte array in a CK_ATTRIBUTE, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
• CVE-2020-15358: SQLite is vulnerable to a denial of service, caused by a heap-based buffer overflow in the mishandling of query-flattener optimization in select.c. By sending a specially-crafted query, a local authenticated attacker could overflow a buffer and cause the application to crash. CVSS Base score: 5.5
• CVE-2020-13776: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the mishandling of numerical usernames. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges as root. CVSS Base score: 6.7
• CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
• CVE-2019-18276: GNU Bash could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the disable_priv_mode in shell.c. By sending a specially-crafted command, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.8
• CVE-2020-9951: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8
• CVE-2020-13543: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebSocket functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
• CVE-2020-13584: Webkit WebKitGTK could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the ImageDecoderGStreamer functionality. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. CVSS Base score: 8.8
• CVE-2019-14889: libssh could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the ssh_scp_new(). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.8
• CVE-2019-20916: pypa pip package for python could allow a remote attacker to traverse directories on the system, caused by a flaw when installing package via a specified URL. An attacker could use a specially-crafted Content-Disposition header with filename containing "dot dot" sequences (/../) to overwrite arbitrary files on the system. CVSS Base score: 8.2
• CVE-2021-20305: Nettle could allow a remote attacker to bypass security restrictions, caused by a flaw related to several signature verification functions result in the Elliptic Curve Cryptography point (ECC) multiply function being invoked with out-of-range scalers. An attacker could exploit this vulnerability to force an invalid signature, causing an assertion failure or possible validation. CVSS Base score: 8.1
• CVE-2020-14352: Librepo could allow a remote authenticated attacker to traverse directories on the system, caused by the failure to sanitize paths in remote repository metadata. An attacker could send a specially-crafted URL request containing directory traversal sequences to copy files outside of the destination directory and compromise the system. CVSS Base score: 8
• CVE-2020-24977: GNOME libxml2 is vulnerable to a buffer overflow, caused by improper bounds checking by the xmlEncodeEntitiesInternal function in libxml2/entities.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.8
• CVE-2020-8285: cURL libcurl is vulnerable to a denial of service, caused by a stack-based buffer overflow in the wildcard matching function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
• CVE-2020-8286: cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server. CVSS Base score: 7.5
• CVE-2019-25013: GNU glibc is vulnerable to a denial of service, caused by a buffer over-read in iconv feature. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a SIGSEGV. CVSS Base score: 7.5
• CVE-2021-3326: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an assertion failure when processing invalid input sequences in the ISO-2022-JP-3 encoding in the iconv function. By sending specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5
• CVE-2020-28196: MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by an unbounded recursion flaw in lib/krb5/asn.1/asn1_encode.c. By sending a specially-crafted ASN.1-encoded Kerberos message, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
• CVE-2020-7595: GNOME libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
• CVE-2021-3449: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. CVSS Base score: 7.5
• CVE-2020-14422: Python is vulnerable to a denial of service, caused by improper computing hash values in the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
• CVE-2020-13434: SQLite is vulnerable to a denial of service, caused by an integer overflow in the sqlite3_str_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and cause a denial of service. CVSS Base score: 7.5
• CVE-2020-13777: GnuTLS could allow a remote attacker to obtain sensitive information, caused by the use of incorrect cryptography for encrypting a session ticket. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain previous conversations in TLS and bypass the authentication process. CVSS Base score: 7.4
• CVE-2021-3450: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. CVSS Base score: 7.4
• CVE-2019-9169: GNU glibc is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the proceed_next_node function in posix/regexec.c. By sending a specially-crafted argument using a case-insensitive regular-expression match, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 7.3
• CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
• CVE-2020-8284: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by improper validation of FTP PASV responses. By persuading a victim to connect a specially-crafted server, an attacker could exploit this vulnerability to obtain sensitive information about services, and use this information to launch further attacks against the affected system. CVSS Base score: 6.5
• CVE-2020-26116: Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 6.5
• CVE-2020-9948: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
• CVE-2020-9983: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
• CVE-2020-9983: Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the WebKit component. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3
• CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
• CVE-2020-24659: GnuTLS is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.9
• CVE-2019-13627: libgcrypt20 cryptographic library could allow a remote attacker to obtain sensitive information, caused by a ECDSA timing attack. An attacker could exploit this vulnerability to obtain private key information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.9
• CVE-2021-23336: Python CPython could allow a remote attacker to bypass security restrictions, caused by a web cache poisoning flaw via urllib.parse.parse_qsl and urllib.parse.parse_qs. By sending a specially-crafted request parameter cloaking, an attacker could exploit this vulnerability to cause a difference in the interpretation of the request between the proxy and the server. CVSS Base score: 5.9
• CVE-2020-27618: GNU C Library (aka glibc or libc6) is vulnerable to a denial of service, caused by an error when processing some invalid inputs from several IBM character sets in the iconv function. By sending invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
• CVE-2019-20907: Python is vulnerable to a denial of service, caused by a flaw in the tarfile module in Lib/tarfile.py. By persuading a victim to open a specially-craft a TAR archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.5
• CVE-2020-8927: Brotli is vulnerable to buffer overflow. By controlling the input length of a "one-shot" decompression request to a script, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 5.3
• CVE-2020-8177: cURL could allow a remote attacker to overwrite arbitrary files on the system, caused by the improper handling of certain parameters when using -J (--remote-header-name) and -I (--include) in the same command line. An attacker could exploit this vulnerability to overwrite a local file. CVSS Base score: 5.3
• CVE-2020-8231: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by the improper handling of the CURLOPT_CONNECT_ONLY option. The raw data is sent over that connection to the wrong destination. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
• CVE-2019-19906: cyrus-sasl is vulnerable to a denial of service, caused by an off-by-one error in _sasl_add_string in common.c. By sending a malformed LDAP packet, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
• CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
• CVE-2016-10228: GNU C Library (glibc) is vulnerable to a denial of service, caused by an error in the iconv program. By processing invalid multi-byte input sequences, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.3
• CVE-2019-13050: GNU Privacy Guard (GnuPG) is vulnerable to a denial of service, caused by a certificate spamming attack when referring to a host on the SKS keyserver network in the keyserver configuration. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3
• CVE-2020-1730: libssh is vulnerable to a denial of service, caused by the use of uninitialized AES-CTR ciphers. A remote attacker could exploit this vulnerability to crash the implemented counterpart. CVSS Base score: 5.3
• CVE-2020-29362: p11-glue p11-kit could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read flaw in the RPC protocol. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain up to 4 bytes of memory past the heap allocation, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
• CVE-2019-20454: PCRE is vulnerable to a denial of service, caused by an out-of-bounds read in the do_extuni_no_utf function in pcre2_jit_compile.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
• CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
• CVE-2020-27619: An unspecified error with CJK codec tests call eval() on content retrieved throug HTTP in multibytecodec_support.py in Python has an unknown impact and attack vector. CVSS Base score: 5.3
• CVE-2021-23240: sudo could allow a local authenticated attacker to launch a symlink attack. The selinux_edit_copy_tfiles() and selinux_edit_create_tfiles functions creates temporary files insecurely. An attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. CVSS Base score: 5.3
• CVE-2019-3842: systemd could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly sanitize the environment before using the XDG_SEAT variable by pam_systemd. By spoofing an active session to PolicyKit, an authenticated attacker could exploit this vulnerability to gain additional PolicyKit privileges. CVSS Base score: 4.5
• CVE-2018-1000858: GnuPG is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by dirmngr. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. CVSS Base score: 4.3
• CVE-2020-11080: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2 session frame which is limited to 32 settings by default. By sending overly large HTTP/2 SETTINGS frames, an attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.7
• CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
• CVE-2019-13012: GNOME GLib could allow a local attacker to bypass security restrictions, caused by improper permission control in the keyfile settings backend. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 3.3
• CVE-2019-19221: libarchive is vulnerable to a denial of service, caused by an out-of-bounds read in the archive_wstring_append_from_mbs in archive_string.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
• CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
• CVE-2019-2708: An unspecified vulnerability in Oracle Berkeley DB related to the Data Store component could allow an authenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.3
• CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 3.3
• CVE-2021-23239: sudo could allow a local authenticated attacker to obtain sensitive information, caused by a race condition in sudoedit. By using symlink attack techniques, an attacker could exploit this vulnerability to obtain directory information, and use this information to launch further attacks against the affected system. CVSS Base score: 3.3

• IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9
• IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 2

• CVE-2020-7226: Cryptacular is vulnerable to a denial of service, caused by an excessive memory allocation during a decode operation in CiphertextHeader.java. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
• CVE-2021-29425: Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5
• CVE-2021-28165: Eclipse Jetty is vulnerable to a denial of service, caused by improper input valistion. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach to 100% usage. CVSS Base score: 7.5
• CVE-2021-28169: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system. CVSS Base score: 5.3
• CVE-2021-28163: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system. CVSS Base score: 2.7
• CVE-2021-22696: Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server. CVSS Base score: 7.5
• CVE-2020-13954: Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1
• CVE-2018-8029: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user. CVSS Base score: 8.8
• CVE-2020-9492: Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. CVSS Base score: 8.8
• CVE-2018-11768: Apache Hadoop is vulnerable to a denial of service, caused by a mismatch in the size of the fields used to store user/group information between memory and disk representation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the user/group information to be corrupted across storing in fsimage and reading back from fsimage. CVSS Base score: 7.5
• CVE-2017-15713: Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files. CVSS Base score: 4.3
• CVE-2018-18751: GNU gettext is vulnerable to a denial of service, caused by a double free flaw in the default_add_message function in read-catalog.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
• CVE-2019-9924: Bash could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by the failure to prevent the shell user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the permissions of the shell. CVSS Base score: 8.8
• CVE-2021-3715: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free in route4_change() in net/sched/cls_route.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
• CVE-2020-27777: Linux Kernel for PowerPC could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with the Run-Time Abstraction Services (RTAS) interface. By sending a specially-crafted request, an attacker could exploit this vulnerability to overwrite some parts of memory, including kernel memory. CVSS Base score: 6.8
• CVE-2021-22555: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a heap out-of-bounds write flaw in net/netfilter/x_tables.c. By sending a specially-crafted request through user name space, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition. CVSS Base score: 7.8
• CVE-2021-29154: Linux Kernel could allow a could allow a local authenticated attacker to gain elevated privileges on the system, caused by an issue with incorrect computation of branch displacements in BPF JIT compiler. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges, and execute arbitrary code in the Kernel mode. CVSS Base score: 7.8
• CVE-2021-29650: Linux Kernel is vulnerable to a denial of service, caused by the lack of a full memory barrier upon the assignment of a new table value in the netfilter subsystem. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 6.2
• CVE-2021-32399: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the BlueTooth subsystem. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. CVSS Base score: 7.8

systemctl restart ecs-ep

/opt/qradar/support/threadTop.sh -p 7799 --full > threads.txt

at sun.misc.Unsafe.park(Native Method) 
at java.util.concurrent.locks.LockSupport.park(LockSupport.java:186) 
at java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt
 (AbstractQueuedSynchronizer.java:847) 
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireShared(
 AbstractQueuedSynchronizer.java:978) 
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireShared(Abstract
 QueuedSynchronizer.java:1294) 
at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock
 .java:738) 
at com.q1labs.core.shared.ariel.CustomPropertyServices.parseAllProperties(Custom
 PropertyServices.java:166) 
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.replace
CustomPropertiesNullValues(CustomAlertFieldsManager.java:536) 
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.build
 ResponseFromXML(CustomAlertFieldsManager.java:351) 
at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate
 (CustomAlertFieldsManager.java:145) 
at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51) 
at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049) 
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578) 
at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:496) 
at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java:342) 
at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java:210) 
at com.q1labs.semsources.cre.CRERuleExecutor.processEventInAllMode(CRERuleExecutor.java:177) 
at com.q1labs.semsources.cre.GlobalRuleExecutor.processEvent(GlobalRuleExecutor.java:207) 
at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java:544) 
at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java:484)

[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
com.q1labs.qradar.ui.action.Retention: [ERROR]
[NOT:0000003000][IP/- -] [-/- -]Retention Bucket save failed
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
java.lang.NumberFormatException: For input string: ""
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at java.lang.Integer.parseInt(Integer.java:604)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at java.lang.Integer.parseInt(Integer.java:627)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
com.google.gson.JsonPrimitive.getAsInt(JsonPrimitive.java:260)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:97)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
com.q1labs.qradar.ui.bean.RetentionForm$1.deserialize(RetentionForm.java:79)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
[tomcat.tomcat] [USER@IP2 (5852) /console/do/qradar/retention]
  at
com.google.gson.internal.bind.TypeAdapterRuntimeTypeWrapper.read
(TypeAdapterRuntimeTypeWrapper.java:41)

SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)"
FROM events

[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
com.q1labs.ariel.ql.parser.Parser: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: missing FROM at 'Bytes'
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
com.q1labs.ariel.ql.parser.AQLParserException: Parse error:
missing FROM at 'Bytes') / 1073741824 As ""Bytes Sent"(GB)" From^
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:564)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.DefaultErrorStrategy.reportMissingToken(DefaultErrorStrategy.java:407)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.DefaultErrorStrategy.singleTokenInsertion(DefaultErrorStrategy.java:510)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.DefaultErrorStrategy.recoverInline(DefaultErrorStrategy.java:474)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at org.antlr.v4.runtime.Parser.match(Parser.java:227)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.antlr.AQLParser.query(AQLParser.java:725)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.antlr.AQLParser.batch(AQLParser.java:404)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.ParserUtils.parse(ParserUtils.java:413)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1623)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:172)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:67)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]
at java.lang.Thread.run(Thread.java:822) 

/opt/qradar/support/all_servers.sh -C "systemctl restart ecs-ep"

[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
0.0.0.0:7801: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/--]
Error: /127.0.0.1:49432 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7801)]
java.io.IOException: Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
com.q1labs.core.shared.ariel.streaming.StreamConsumer$Receiver
0.0.0.0:7800: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
-]Error: /127.0.0.1:52834 : IOException : Broken pipe
[tomcat.tomcat] [ReceiverServer(0.0.0.0:7800)]
java.io.IOException: Broken pipe

"user@127.0.0.1 (4918) /console/do/qradar/arielProperties"
Id=1835698 in RUNNABLE
at org.postgresql.core.PGStream.receive(PGStream.java:467)
at org.postgresql.core.PGStream.receiveTupleV3(PGStream.java:422)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2146)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
- locked org.postgresql.core.v3.QueryExecutorImpl@cdad6869
at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143)
at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106)
at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:270)
at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnection
Decorator.java:1115)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedStatement.executeQuery(PostgresDictionary.java:1011)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeQuery(JDBCStoreManager.java:1800)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:268)
at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:258)
at com.q1labs.frameworks.session.PreparedStatementWrapper.executeQuery(PreparedStatementWrapper.java:270)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:177)
at com.q1labs.core.shared.util.SqlUtil.runQuery(SqlUtil.java:162)
at com.q1labs.core.util.sensors.SensorDeviceUtil.getAllLogSources(SensorDeviceUtil.java:27)
at com.q1labs.core.shared.util.UserUtils.getUserDeviceIds(UserUtils.java:803)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:741)
at com.q1labs.core.shared.util.UserUtils.userHasDevices(UserUtils.java:1080)
at com.q1labs.sem.ui.semservices.UISemServices.getSensorDevicesByDe
viceType(UISemServices.java:3302)
at com.q1labs.ariel.ui.action.ArielProperty.prepareDefaultRequestOpions(ArielProperty.java:120)
at com.q1labs.ariel.ui.action.ArielProperty.executeEdit(ArielProperty.java:793)
at com.q1labs.uiframeworks.actions.DispatchAction.edit(DispatchAction.java:253)
at sun.reflect.GeneratedMethodAccessor2973.invoke(UnknownSource)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)

/store/configservices/staging/globalconfig/dtlspki

/opt/qradar/conf/dtls/client/

1. Log in to the QRadar Console as the root user.
2. To restart the reporting executor, type:

   systemctl restart reporting_executor

3. To verify the issue, manually start the report in the QRadar interface.

[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [INFO]
[NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [ERROR]
[NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates
folder is acquired by another process, skipping templates reload.
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR]
[NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading
custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
[reporting_executor.reporting_executor] [Report Queue]
{openjpa-2.4.3-r422266:1833086 fatal general error}
org.apache.openjpa.persistence.PersistenceException: This
connection has been closed. {SELECT t0.id, t0.autodiscovered,
t0.creationdate, t0.database, t0.datepattern, t0.description,
t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
{code=0, state=08003}
FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id =
?1 [java.lang.String]
[reporting_executor.reporting_executor] [Report Queue]    at
org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.jav
a:5003)
..
[reporting_executor.reporting_executor] [Report Queue] Caused
by:
[reporting_executor.reporting_executor] [Report Queue]
org.apache.openjpa.lib.jdbc.ReportingSQLException: This
connection has been closed. {SELECT t0.id, t0.autodiscovered,
t0.creationdate, t0.database, t0.datepattern, t0.description,
t0.description_id, t0.editdate, t0.forceparse, t0.languagetag,
t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype,
t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}

1. After the restore process completes, perform a Deploy Full Configuration: Admin > Advanced > Deploy Full Configuration.
2. Wait for the Deploy Full Configuration to complete.
3. Use SSH to log in to QRadar as the root user.
4. To verify tomcat is running, type:

   systemctl status tomcat

5. Verify tomcat is running, look for "Active: active (running)" in the status output
6. After confirming tomcat is running, type:

   systemctl restart tomcat

[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
Time)] 'An error occured retrieving backups from QRadar API: No
SEC header present in request. Please provide it via "SEC:
token". You may also use BASIC authentication parameters if this
host supports it. e.g. "Authorization: Basic base64Encoding"',
[ERROR] [Fri May 07 2021 13:12:44 GMT-0300 (Atlantic Daylight
Time)] toString: ^Function: toString] } 

[hostcontext.hostcontext] [Thread-1913] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1917] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1919] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:28 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1921] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:29 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1923] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4 May
13 10:14:30 ::ffff:127.0.0.1 [hostcontext.hostcontext]
[Thread-1925] ComponentOutput: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
flush-key-for-ipaddress: # ipaddress:22 SSH-2.0-OpenSSH_7.4

1. Mount the 7.4.2 Fix Pack 3 file on the appliance.
2. Run the following command:
   

   /media/updates/supplementary_scripts/run_yum.py --baseurl /media/updates/repo --clean all

3. Run the pre-test on the appliance and confirm the error no longer displays.

[INFO](testmode) Not using downloaded
qradar-upgrade-local/repomd.xml because it is older than what we have:
Current : Wed Apr 28 16:45:33 2021
Downloaded: Tue Mar 23 18:56:37 2021

[main] java.lang.NullPointerException
[main] at com.q1labs.hostcontext.HostContext.destroy(HostContext.java:1168)
[main] at com.q1labs.hostcontext.HostContext.main(HostContext.java:1319)
hostcontext[131454]: at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106)
hostcontext[131454]: at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:529)
hostcontext[131454]: at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128)

1. Run the required Offense Details report on a smaller set of data.
   OR
2. Change the report to excel/csv output instead of pdf.


Issue
The QRadar report_runner process can go out of memory when running an Offense Details report that is configured for PDF output.

This out of memory occurs when there is too much data for the PDF rendering to handle (example: over month of data). When this occurs, the report fails to generate.

# chmod 775 /opt/qradar/conf/localization

1. Create a basic search.
2. Add the filter "Payload Contains" Admin.
3. Add the payload column.
4. Save the search and run it.
5. Notice the expected output of the payload column.
6. Convert the search to AQL by clicking > Log Activity > Edit Search > Show AQL.
7. Have an AQL:
   

   select "payload" as 'Payload',QIDNAME(qid) as 'Event
   Name',logsourcename(logSourceId) as 'Log Source',"eventCount"
   as 'Event Count',"startTime" as 'Start
   Time',categoryname(category) as 'Low Level Category',"sourceIP"
   as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as
   'Destination IP',"destinationPort" as 'Destination
   Port',"userName" as 'Username',"magnitude" as 'Magnitude' from
   events where icu4jsearch('Admin', payload) != -1 order by
   "startTime" desc LIMIT 1000 last 5 minutes

8. Run the AQL search.
   
   Results
   An illegal argument exception is generated and the payload is incorrect.

com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException:
Error calling function
com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507):
java.lang.IllegalArgumentException
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:672)
at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java:647)
at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:799)
at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java:774)

1. Have more than three (3) WinCollect clients, ensure the Agents have been connected.
2. Launch the LSM app, click New Log Source button
3. Select Single Log Source, select LST as Microsoft Windows Security Event Log, and select WinCollect protocol type.
4. Fill all required fields, in Configure Protocol Parameters page, scroll down to the bottom and select WinCollect Agent.
   
   Results
   Only the three (3) agents are displayed

select REFERENCETABLE('test','number',LOWER(username)) as
'number',REFERENCETABLE('test','test',LOWER(username)) as
'test', username from events GROUP BY
username,'numOfParts','SHA256' ORDER BY username,'number','test'
DESC last 1 HOURS

[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]
com.q1labs.restapi_annotations.content.exceptions.APIMappedExcep
tion: Unable to process request because Container Manager
service is unavailable
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(
ExceptionMapper.java:141)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
askThread.java:61)
...
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]
Caused by:
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]
com.q1labs.restapi_annotations.content.exceptions.endpointExcept
ions.ServerProcessingException: Unable to process request
because Container Manager service is unavailable
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.uiframeworks.application.api.service.DefaultApplicati
onAPIService.abortIfConManIsUnavailable(DefaultApplicationAPISer
vice.java:556)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.uiframeworks.application.api.service.DefaultApplicati
onAPIService.deleteApp(DefaultApplicationAPIService.java:577)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.uiframeworks.application.api.v10_0.ApplicationsAPI.de
leteApplication(ApplicationsAPI.java:423)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
Impl.java:90)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
AccessorImpl.java:55)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
hod(APIRequestHandler.java:1031)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]    at
com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
equest(APIRequestHandler.java:399)
[tomcat.tomcat] [configservices@127.0.0.1(4359)
/console/restapi/api/gui_app_framework/applications/1101]
... 61 more
[tomcat.tomcat] [com@127.0.0.1]
com.ibm.si.content_management.utils.AppFrameworkAPIClient:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Delete failed
for app 1101

1. Perform a factory reset on main and destination sites:https://www.ibm.com/docs/en/qradar-common?topic=app-implementing-factory-reset.
2. Run through the failover process again, making sure not to select 'Reactivate Main Site' until a few moments after the notification that the ariel copy is caught up.

"qw_2:2500ba82-b58c-4906-b20b-04f05fbed185" Id=188 in RUNNABLE
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)
"qw_3:2500ba82-b58c-4906-b20b-04f05fbed185" Id=241 in BLOCKED
on lock=com.q1labs.core.shared.ariel.CustomKeyCreator@e58ce78d
owned by qw_2:2500ba82-b58c-4906-b20b-04f05fbed185 Id=188
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:95)
at com.q1labs.core.shared.ariel.CustomKeyCreator.createKey(CustomKeyCreator.java:30)
at com.q1labs.ariel.IndexPredicate$ExpressionPredicate.evaluate(IndexPredicate.java:50)
at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:40)
at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)

1. Click the Admin tab > Custom Event Property.
2. From Search Field, search (s)
3. Multiple results are returned, such as "Object name(s)" and "Object type(s)", click one of them
4. Click Save button.
   
   Results
   An error message is generated - "Property name cannot contain following characters: \ , . & ', " ( ) [ ]"

1. Use a hostname starting with a letter instead of digits or special characters.
   or
   
2. Contact Support for another workaround that might work in these instances.

Issue
"IP or Hostname must be a valid IPv4 address or hostname" message can be observed when attempting to create a Log Source using the JDBC protocol when the configured hostname begins with a number or special character.

# systemctl stop postfix

# systemctl restart docker

1. Have LDAP group based authentication.
2. Select the '+' to add a group mapping and use a group with spaces in the name (for ex. "group with space")
3. The group adds with the space replaced with a '%20' (this is expected)
4. Confirm you can logon with a user in the mapping using the group with the space.
5. Select the '+' again to add another group to the same mapping (with or without spaces.)
6. The existing group with the space changes from '%20' to '%2520'
7. Save the changes.
8. Attempt to login
   
   Results
   Unable to login as the mapping no longer matches.

1. Confirm the /opt/qradar/conf/datanode.history appears as follows:

   {"history":[...<skipped>...],"id":8,"master_id":8,"status":{"sta
   tus":"requiresRebalancing","databases":{"flows":{"status":"requi
   resRebalancing"},"events":{"status":"requiresRebalancing"}},"mod
   e":"Active"},"nodes":[8]}

2. Make a backup of the file.
3. Using the vi command, edit the 3 occurrences of "requiresRebalancing" references to "ready" and save.
4. Perform the command:
   

   systemctl restart ariel_proxy_server

1. Have a QRadar Console and a Data Node.
2. Add a Data Node.
3. Without performing a deploy after the Data Node is added, change its mode to "archive".
4. Perform the Deploy function.
5. The data node's rebalancing status stays as "Waiting for Rebalancing"

WARN: No Interfaces are assigned to routing-instance default

1. Check for two Tika instances on 6690.
   

   pgrep -af "tika.py.*6690"
       27350 /usr/bin/python
   /opt/ibm/forensics/decapper/python/tika.py watch
   /opt/ibm/forensics/decapper/decap/tika/tika.sh
   /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
   /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690
      45730 /usr/bin/python
   /opt/ibm/forensics/decapper/python/tika.py watch
   /opt/ibm/forensics/decapper/decap/tika/tika.sh
   /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
   /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690

2. Kill any Tika instances on 6690 and let the watcher script restart Tika.
   

   pkill -f "tika.py.*6690"

3. Double check there is only a single instance of Tika on that port after

   pgrep -af "tika.py.*6690"
      27350 /usr/bin/python
   /opt/ibm/forensics/decapper/python/tika.py watch
   /opt/ibm/forensics/decapper/decap/tika/tika.sh
   /opt/ibm/forensics/decapper/decap/tika/TikaServer.jar
   /opt/ibm/forensics/decapper/decap/tika/tika_log4j.xml 6144 6690

TikaServer (6690) Watcher - INFO - TikaServer (6690) is not
running
TikaServer (6690) - INFO - Starting
TikaServer (6690) - INFO - Started

1. Stop the asset profiler:
   

   systemctl stop assetprofiler

2. Remove the spillover files (backup the files from this location prior to deleting them):

   rm /store/transient/spillover/queue/assetprofiler.assetprofiler/*

3. Restart the assetprofiler:

   systemctl restart assetprofiler

::ffff:x.x.x.x [tomcat.tomcat] [rhc_x.x.x.x]
com.q1labs.configservices.config.globalset.platform.GlobalArielS
erverListTransformer: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/-
-]Ariel list transformer has changed the deployment file.

       ./setup
       File "./setup", line 86
global NTADAPTER = napatech_adapters [0]
SyntaxError: invalid syntax

1. Admin > System & License Management > Edit Managed Host > Component Management- Event Collector- Autodetection Enabled-True Autodetection - Use Global settings -True
2. Perform a Deploy Changes function For more information on global autodetection, see https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_adm_dsm_ed_auto_log_source_config.html.

1. Use SSH to log in to the QRadar Console.
2. Open an SSH session to the appliance that has stopped sending IBM Security Identity Manager JDBC events.
3. Type the following command:

   systemctl restart ecs-ec-ingress

4. Confirm events are received from your IBM Security Identity Manager JDBC log source. To force the JDBC protocol to collect events you can disable, then enable the IBM Security Identity Manager log source from the Log Source Management application.
   
   Note: In most cases, administrators only need to restart ecs-ec-ingress on one appliance that polls their IBM Security Identity Manager JDBC database. Administrators can restart ecs-ec-ingress globally on all appliances from the Admin tab in QRadar if you have a number of IBM Security Identity Manager appliances. The navigation bar includes an Advanced menu. Selecting ?Restart Event Collection Service? halts event collection globally while the ecs-ec-ingress service restarts.

[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.
semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954]
java.lang.OutOfMemoryError: Direct buffer memory::Please use
appropriate 'size' via -XX:MaxDirectMemorySize={size}
[ecs-ec-ingress.ecs-ec-ingress] [
com.q1labs.semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnecto
r1954] at java.nio.Bits.reserveMemory(Bits.java:747)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibmsimjdbc.
IBMSIMJDBCEventConnector1954] at java.nio.DirectByteBuffer.{init}
(DirectByteBuffer.java:123)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.
semsources.sources.ibmsimjdbc.IBMSIMJDBCEventConnector1954] 
at java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:311)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ib
msimjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.
cache.ResizableBufferPool.{init}(ResizableBufferPool.java:50)
[ecs-ec-ingress.ecs-ec-ingress] [com.q1labs.semsources.sources.ibm
simjdbc.IBMSIMJDBCEventConnector1954] at com.q1labs.frameworks.c
ache.ResizableBufferPool.{init}(ResizableBufferPool.java:26)