Network baseline creation fails

When QRadar® Network Threat Analytics fails to create the network baseline, the home page does not show any findings. The baseline can fail when you do not have enough flow data in QRadar or when your certificate does not validate.
Look for messages in the log file that might indicate the reason for the failure. To view the log file, follow these steps:
  1. Use SSH to log in to the system that hosts the app.
  2. Type this command to determine the qapp ID of the app:
    /opt/qradar/support/recon ps | grep "Network Threat Analytics"
  3. View the log file in one of the following ways:
    • View the log file from the app host.

      /store/docker/volumes/<qapp-####>/log/app.log

      where <qapp-####> is the qapp ID for QRadar Network Threat Analytics.
    • View the log file from within the app container.

      /opt/app-root/store/log/app.log

Example messages from the log file

The following examples show log file messages that might be related to baseline failures, and explain how you can resolve the problem.

Not enough flow data available

If the log file includes a message like this one, your QRadar instance does not have enough flow data.

[WARNING] - invalid flow rate for task id: root
[WARNING] - No flow records retrieved for generating a new cluster node, task id: root, exception: flow rate is zero
[ERROR] - empty flow tree to optimize

To successfully complete the baseline process, your QRadar instance must have at least one week of continuous flow data. Depending on your environment, you might need to configure QRadar with proper flow sources. To view the flow data that is in QRadar, click the Network Activity tab.

Important: The flow data must represent typical network activity. Flow data in a testing environment, or data that is collected during holidays might not be representative of typical network activity.

Three days after the network baseline process fails, the app automatically tries again. This cycle repeats until the system has enough flow data to successfully create the network baseline.

Failure to verify the certificate

If the log file includes a message like this one, the certificate that is used by QRadar Network Threat Analytics cannot be validated.

SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate','certificate verify failed')],)",),)

The QRadar Network Threat Analytics app validates the certificate when it creates a connection to the QRadar Console. The baseline process can fail if the QRadar Console certificate is not valid, or if the connection parameters do not match the certificate contents.
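The two log signatures described in this section can be triaged with a short script. The following Python is an added example written for this page, not code from the QRadar Network Threat Analytics app: it scans app.log lines for the messages quoted above, reports which baseline-failure cause they indicate, and, for the certificate case, can open a verified TLS connection to the Console to tell a host-name mismatch apart from an untrusted or expired certificate, so the underlying cause can be corrected rather than validation disabled. The sample log lines are constructed from the excerpts above with one unrelated error added; the `check_console_tls` helper and the Console host name it takes are assumptions, not part of the product.

```python
"""Triage app.log from QRadar Network Threat Analytics for baseline failures.

Added example for this page, not code from the app. It assumes app.log lines
carry a bracketed level followed by " - " and the message, as in the excerpts
quoted in this section.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field

# Message fragments quoted on this page, grouped by the cause they indicate.
FLOW_PATTERNS = tuple(re.compile(p) for p in (
    r"invalid flow rate",
    r"No flow records retrieved",
    r"flow rate is zero",
    r"empty flow tree to optimize",
))
CERT_PATTERNS = tuple(re.compile(p) for p in (
    r"certificate verify failed",
    r"tls_process_server_certificate",
))

# Constructed sample log: the messages quoted on this page plus one
# informational line and one unrelated error line.
SAMPLE_LOG = """\
[INFO] - starting baseline task id: root
[WARNING] - invalid flow rate for task id: root
[WARNING] - No flow records retrieved for generating a new cluster node, task id: root, exception: flow rate is zero
[ERROR] - empty flow tree to optimize
[ERROR] - SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate','certificate verify failed')],)",),)
[ERROR] - disk usage above threshold (constructed, unrelated)
"""


@dataclass
class Triage:
    flow_hits: int = 0
    cert_hits: int = 0
    other_errors: list = field(default_factory=list)

    @property
    def causes(self):
        """Human-readable causes, in the order this page discusses them."""
        found = []
        if self.flow_hits:
            found.append("not enough flow data")
        if self.cert_hits:
            found.append("certificate validation failure")
        return found


def triage_log(lines):
    """Count lines matching each known failure signature; keep other errors."""
    result = Triage()
    for line in lines:
        if any(p.search(line) for p in FLOW_PATTERNS):
            result.flow_hits += 1
        elif any(p.search(line) for p in CERT_PATTERNS):
            result.cert_hits += 1
        elif line.startswith("[ERROR]"):
            result.other_errors.append(line.rstrip())
    return result


def classify_verify_error(message):
    """Map an OpenSSL/Python verify message to the cause an admin can act on."""
    m = message.lower()
    if "hostname mismatch" in m or "doesn't match" in m:
        return "connection parameters do not match the certificate (host name or IP)"
    if "self signed" in m or "self-signed" in m:
        return "Console certificate is self-signed and not in the app's trust store"
    if "unable to get local issuer" in m or "unable to get issuer" in m:
        return "issuing CA is not trusted by the app"
    if "expired" in m:
        return "Console certificate has expired"
    return "certificate could not be validated"


def check_console_tls(host, port=443, cafile=None, timeout=5.0):
    """Open a verified TLS connection to the Console the way a client would.

    Returns (ok, cause, detail). Needs network access; `host` is the Console
    address the app is configured to reach (an assumption in this example).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
        return True, "ok", f"subject={subject}"
    except ssl.SSLCertVerificationError as exc:
        return False, classify_verify_error(exc.verify_message or str(exc)), str(exc)
    except (ssl.SSLError, OSError) as exc:
        return False, "connection or handshake error", str(exc)


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG.splitlines())
    print("causes:", report.causes)
    print("unexplained errors:", report.other_errors)
    # With the real Console host, this separates a host-name mismatch from an
    # untrusted or expired certificate before any verification is disabled:
    # print(check_console_tls("qradar-console.example.internal"))
```

Run it against a real file with `triage_log(open(path))`; a non-empty `other_errors` list means the failure is something this page does not cover, and a `cert_hits` count above zero is the cue to run `check_console_tls` against the Console address the app uses.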

To disable certificate validation and recreate the network baseline, follow these steps.
  1. Use SSH to log in to the system that hosts the app, such as the App Host.
  2. Run the following commands to disable the certificate validation and restart the startmmgr service.
    # Find the container that runs the QRadar Network Threat Analytics app
    CON=$(docker ps|grep "qapp-$(/opt/qradar/support/recon ps|grep "Network Threat Analytics"|sed 's/\s\+.*//')-"|sed 's/\s\+.*//')
    # Copy mmgr.json from the container's conf directory into the store and add "VERIFY": false
    docker exec $CON cp /opt/app-root/container/conf/mmgr/mmgr.json /opt/app-root/store/conf/mmgr/mmgr.json
    docker exec $CON sed -si 's/"VERSION": ""$/"VERSION": "",\n "VERIFY": false/' /opt/app-root/store/conf/mmgr/mmgr.json
    # Clear the flowtree table, then restart the model manager service
    docker exec $CON psql -U appuser -d nta_anomflows -c "truncate table modelmanager.flowtree CASCADE"
    docker exec $CON supervisorctl restart startmmgr
    Warning: Do not run these commands if the baseline is already created for this QRadar Network Threat Analytics installation. If you run them after the network baseline is created, the status is erased, which can cause unpredictable behavior in the app.

    After the service restarts, the QRadar Network Threat Analytics app attempts to create the network baseline again.