Network baseline creation fails
- Use SSH to log in to the system that hosts the app.
- Type this command to determine the qapp ID of the app:
  /opt/qradar/support/recon ps | grep "Network Threat Analytics"
- View the log file in one of the following ways:
  - View the log file from the app host:
    /store/docker/volumes/<qapp-####>/log/app.log
    where <qapp-####> is the qapp ID for QRadar Network Threat Analytics.
  - View the log file from within the app container:
    /opt/app-root/store/log/app.log
Example messages from the log file
The following examples show log file messages that might be related to baseline failures and explain how to resolve each problem.
- Not enough flow data available
  If the log file includes a message like this one, your QRadar instance does not have enough flow data.
    [WARNING] - invalid flow rate for task id: root
    [WARNING] - No flow records retrieved for generating a new cluster node, task id: root, exception: flow rate is zero
    [ERROR] - empty flow tree to optimize
  To successfully complete the baseline process, your QRadar instance must have at least one week of continuous flow data. Depending on your environment, you might need to configure QRadar with proper flow sources. To view the flow data that is in QRadar, click the Network Activity tab.
  Important: The flow data must represent typical network activity. Flow data in a testing environment, or data that is collected during holidays, might not be representative of typical network activity.
  Three days after the network baseline process fails, the app automatically tries again. This cycle repeats until the system has enough flow data to successfully create the network baseline.
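As an added example that is not part of the IBM documentation, the following POSIX shell script does the same string matching over an app.log that a practitioner would otherwise do by eye, using the message fragments quoted on this page for both documented failure signatures (insufficient flow data and certificate verification failure). The sample log lines are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: triage an app.log for the
# two baseline-failure signatures this page documents (insufficient flow data,
# certificate verification failure) and report which one applies.
# The sample log excerpt below is constructed to mimic the documented messages.

# Write a constructed sample log to a temporary file so the script runs offline.
make_sample_log() {
  _f=$(mktemp)
  cat > "$_f" <<'EOF'
[INFO] - model manager started
[WARNING] - invalid flow rate for task id: root
[WARNING] - No flow records retrieved for generating a new cluster node, task id: root, exception: flow rate is zero
[ERROR] - empty flow tree to optimize
EOF
  echo "$_f"
}

# grep_flow_failures <log>: lines matching the "not enough flow data" messages
# (fragments taken from the log examples on this page).
grep_flow_failures() {
  grep -e 'invalid flow rate' -e 'flow rate is zero' -e 'empty flow tree to optimize' "$1"
}

# grep_cert_failures <log>: lines matching the certificate verification failure.
grep_cert_failures() {
  grep -e 'certificate verify failed' -e 'tls_process_server_certificate' "$1"
}

# classify_baseline_failure <log>: prints no-flow-data, certificate-verify-failed,
# both, or none, depending on which signatures are present in the log.
classify_baseline_failure() {
  _flow=0; _cert=0
  grep_flow_failures "$1" >/dev/null 2>&1 && _flow=1
  grep_cert_failures "$1" >/dev/null 2>&1 && _cert=1
  case "$_flow$_cert" in
    10) echo no-flow-data ;;
    01) echo certificate-verify-failed ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# count_flow_failures <log>: number of flow-related failure lines, a rough gauge
# of how many baseline attempts have already failed (the app retries every three days).
count_flow_failures() {
  grep_flow_failures "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a live App Host, point the
# functions at /store/docker/volumes/<qapp-####>/log/app.log instead.
SAMPLE=$(make_sample_log)
echo "verdict: $(classify_baseline_failure "$SAMPLE"), flow failure lines: $(count_flow_failures "$SAMPLE")"
rm -f "$SAMPLE"
```

The classifier reports "both" when the two signatures appear together, which is worth knowing before acting on either one: the flow-data shortage is resolved by waiting for representative flow data, while the certificate failure has a separate cause that no amount of flow data will fix.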
- Failure to verify the certificate
  If the log file includes a message like this one, the certificate that is used by QRadar Network Threat Analytics cannot be validated.
    SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate','certificate verify failed')],)",),)
  The QRadar Network Threat Analytics app validates the certificate when it creates a connection to the QRadar Console. The baseline process can fail if the QRadar Console certificate is not valid, or if the connection parameters do not match the certificate contents.
  To disable certificate validation and recreate the network baseline, follow these steps.
  - Use SSH to log in to the system that hosts the app, such as the App Host.
  - Run the following command to disable the certificate validation and restart the startmmgr service.
    CON=$(docker ps|grep "qapp-$(/opt/qradar/support/recon ps|grep "Network Threat Analytics"|sed 's/\s\+.*//')-"|sed 's/\s\+.*//')
    docker exec $CON cp /opt/app-root/container/conf/mmgr/mmgr.json /opt/app-root/store/conf/mmgr/mmgr.json
    docker exec $CON sed -si 's/"VERSION": ""$/"VERSION": "",\n "VERIFY": false/' /opt/app-root/store/conf/mmgr/mmgr.json
    docker exec $CON psql -U appuser -d nta_anomflows -c "truncate table modelmanager.flowtree CASCADE"
    docker exec $CON supervisorctl restart startmmgr
  Warning: Do not run this command if the baseline is already created for this QRadar Network Threat Analytics installation. If you run this command after the network baseline is created, the status is erased, which can cause unpredictable behavior in the app.
  After the service restarts, the QRadar Network Threat Analytics app attempts to create the network baseline again.
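The check that fails in the certificate case is ordinary TLS server-certificate validation: the issuer must be trusted by the app, and the name the app connects to must match the certificate. As an added example that is not part of the IBM documentation or of the app, the script below reproduces both failure modes with throwaway self-signed certificates generated by openssl, so the actual cause can be established before validation is disabled. All host names and file names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: before disabling certificate
# validation, reproduce the two ways the check against the Console certificate
# can fail (issuer not trusted, connection hostname not matching the certificate)
# using throwaway self-signed certificates. Hostnames such as
# console.example.internal are constructed placeholders.

WORK=$(mktemp -d)

# make_cert <name> <hostname>: self-signed certificate and key for <hostname>,
# written to $WORK/<name>.pem and $WORK/<name>.key.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# check_cert <cert.pem> <trusted.pem> <hostname>: the two checks a TLS client
# performs, in order. Prints ok, untrusted-issuer, or hostname-mismatch.
check_cert() {
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo untrusted-issuer
  elif ! openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo hostname-mismatch
  else
    echo ok
  fi
}

# Demonstration: a certificate issued for the Console name verifies only when
# the trust anchor and the name the client connects to both match.
make_cert console console.example.internal
make_cert other other.example.internal
echo "trusted, name matches:    $(check_cert "$WORK/console.pem" "$WORK/console.pem" console.example.internal)"
echo "wrong trust anchor:       $(check_cert "$WORK/console.pem" "$WORK/other.pem" console.example.internal)"
echo "connecting by other name: $(check_cert "$WORK/console.pem" "$WORK/console.pem" console.other.internal)"
```

On a live system the Console certificate can be retrieved with openssl s_client -showcerts -connect <console-host>:443 and passed to the same check, together with the CA the app trusts and the host name configured for the connection. If the result is untrusted-issuer or hostname-mismatch, correcting the Console certificate or the connection parameters removes the failure without the VERIFY change, which otherwise leaves the app accepting any certificate the Console presents.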