IBM Support

User Behavior Analytics: Troubleshooting Machine Learning after message 'Installation has failed' in QRadar 7.3.1 Patch 5

Troubleshooting


Problem

When an administrator attempts to update or install the QRadar User Behavior Analytics (UBA) application in QRadar 7.3.1 Patch 5, the installation can fail. The issue is an incompatibility between cryptography v1.18 and request v2.4.  The procedure listed in this article instructs the administrator on how to work around this issue to update their UBA version and prevent the installation from failing on the Machine Learning portion of the install process.

Symptom

 

 

 

Diagnosing The Problem

Look in /var/log/qradar.error for similar messages:
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An error occurred while copying source zip for application 1201 to [/storetmp/AppFW_1005.zip]
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task]    at com.q1labs.uiframeworks.application.api.service.builders.shared.InputStreamProcessor.process(InputStreamProcessor.java:66)
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task]    at com.q1labs.uiframeworks.application.api.service.builders.SimpleBuildProcessor.executeProcesses(SimpleBuildProcessor.java:122)
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399)
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task]    ... 46 more
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task] Caused by:
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task] java.io.EOFException
Aug 16 16:19:24 ::ffff:192.168.0.22[tomcat.tomcat] [Token: UBA@IP ADDRESS (1225) /console/restapi/api/gui_app_framework/application_creation_task]    at com.q1labs.uiframeworks.application.api.util.DefaultFileSystemUtils.copyFileFromStream(DefaultFileSystemUtils.java

 

Resolving The Problem

Administrators who need to update their UBA version can use the following procedure to update their requests version on QRadar 7.3.1 Patch 5 deployments. This update allows the installation to complete successfully when users experience an installation failure due to copying files required for the Machine Learning portion of the UBA update.

 

Procedure

  1. Download the attached requests file to your desktop: requests-2.18.4.tar.gz
     
  2. Use WinSCP to copy the requests-2.18.4.tar.gz file to the QRadar Console.
     
  3. Log in to the Console using an SSH session as root user.
     
  4. Find the app_id by typing the command: /opt/qradar/support/qapp_utils_730.py ps

    image-20180823165455-3
    The application ID <app_id> in this example is 1201. The Container id <container_id> is 6e51e6f35315. The administrator should note both of these values as they are required in the procedure listed below.
     
  5. To copy the requests-2.18.4.tar.gz file to the app, type:
    cp requests-2.18.4.tar.gz /store/docker/volumes/qapp-<app_id>/log/ 
     
  6. To connect to the docker container using the container_id, type: docker exec -ti <container_id> bash   

    The Container_id for the User Analytics app can be found using /opt/qradar/support/qapp_utils_730.py ps command as noted in step #4.
     
  7. Install the requests file on the docker container with the following command: pip install /store/log/requests-2.18.4.tar.gz   
     
  8.  To reload the supervisor service, type: /usr/bin/supervisorctl reload 
     
  9. To confirm the version of the file installed, type: pip show requests

    The result output should display version 2.18.4.
     
  10. Install Machine Learning again through User Behavior Analytics.

    Results
    Attempt to reinstall the User Behavior Analytics application and the Machine Learning portion of the application should install without issue. Administrators should be aware that if the web server is restarted on the Console (Tomcat) or if the app is restarted, then the requests file will revert to version 2.4.3.

 

If you have questions about this issue, you can ask in the QRadar development forum, found here: https://developer.ibm.com/answers/topics/qradar_appdev/.

 


Where do you find more information?

 


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Application Framework","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
30 August 2018

UID

ibm10729051

Page Feedback