IBM Support

IJ18161: CUSTOM RULE FAILS TO LOAD DUE TO ORPHANED LINK_UUID IN THE CUSTOM_RULE DATABASE TABLE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as duplicate of another APAR.

Error description

  • It has been identified that a QRadar custom rule fails to load
    when it is associated with an orphaned link_uuid within the
    custom_rule table of the database.
    Messages similar to the following might be visible in
    /var/log/qradar.log whe this issue is occurring:
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
    com.q1labs.core.dao.cre.CustomRule: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while
    unmarshalling rule id 108018 from DB table custom_rule
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
    java.lang.NullPointerException
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java:301)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.core.shared.cre.CREServices.getCustomRules(CREService
    s.java:1933)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.core.shared.cre.CREServices.getCustomRules(CREService
    s.java:1952)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(C
    REServices.java:1779)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleR
    eader.java:320)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomR
    uleReader.java:1109)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dis
    patchEvent(ConfigurationChangeEvent.java:125)
    [ecs-ep.ecs-ep]
    [95ae8741-7474-4b9e-91a1-aefbf5480097/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is marked as duplicate of IJ15968.
    

APAR Information

  • APAR number

    IJ18161

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED DUB

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-06

  • Closed date

    2020-02-05

  • Last modified date

    2020-02-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"732","Edition":""}]

Document Information

Modified date:
05 February 2020