IBM Support

IJ19268: LOADING RULES FROM EVENTS GENERATES '[UNKNOWN RULE NAME]' AND 'INVALID XML CONTENT' MESSAGES IN QRADAR LOGGING


APAR status

  • Closed as program error.

Error description

  • It has been identified that when loading Rules from within
    events, messages containing "UNKNOWN RULE NAME" might be
    displayed.
    These have been observed when control characters are present in
    data within the rule_data database table.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: An error occured while trying to retrieve the rule
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.impl.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java:77)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.R2_2016.customrule.CustomRuleAPI.getCustomRules(CustomRuleAPI.java:109)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.GeneratedMethodAccessor526.invoke(Unknown Source)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1024)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] ... 46 more
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] <openjpa-2.2.2-r422266:1468616 fatal general error> org.apache.openjpa.persistence.PersistenceException: ERROR: invalid XML content
     Detail: line 1: xmlParseCharRef: invalid xmlChar value 6
    lt;a href='javascript:editParameter("12", "3")' class='dynamic'&gt;metadata&#x6;
     ^
    line 1: xmlParseCharRef: invalid xmlChar value 6
    ns multiselect="false" source="user" format="user"/><userSelection>metadata&#x6;
     ^
    line 1: chunk is not well balanced {prepstmnt 1473478204 SELECT * FROM custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]', CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) != '{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC} [code=0, state=2200N]
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:4962)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.sql.DBDictionary.newStoreException(DBDictionary.java:4922)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:136)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:110)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.sql.SQLExceptions.getStore(SQLExceptions.java:62)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.jdbc.kernel.SQLStoreQuery$SQLExecutor.executeQuery(SQLStoreQuery.java:238)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:1005)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:863)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:794)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.kernel.DelegatingQuery.execute(DelegatingQuery.java:542)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.persistence.QueryImpl.execute(QueryImpl.java:286)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.persistence.QueryImpl.getResultList(QueryImpl.java:302)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at com.q1labs.core.api.impl.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java:61)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] ... 52 more
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: invalid XML content
     Detail: line 1: xmlParseCharRef: invalid xmlChar value 6
    lt;a href='javascript:editParameter("12", "3")' class='dynamic'&gt;metadata&#x6;
     ^
    line 1: xmlParseCharRef: invalid xmlChar value 6
    ns multiselect="false" source="user" format="user"/><userSelection>metadata&#x6;
     ^
    line 1: chunk is not well balanced {prepstmnt 1473478204 SELECT * FROM custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]', CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) != '{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC} [code=0, state=2200N]
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:219)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.wrap(LoggingConnectionDecorator.java:203)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator.access$700(LoggingConnectionDecorator.java:59)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069) /console/restapi/api/analytics/rules] at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeQuery(LoggingConnectionDecorator.java:1118)
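
The "xmlParseCharRef: invalid xmlChar value 6" detail above arises because XML 1.0 forbids most control characters, whether written literally or as a character reference such as &#x6;. The following Python check is an added example, not IBM's code or part of the APAR: it flags such characters in rule XML text. The rule ids and XML strings are constructed samples, and it assumes the rule XML has already been exported from rule_data as text.

```python
import re

# XML 1.0 "Char" production: the only code points a document may contain,
# whether written literally or as a character reference such as &#x6;.
def is_xml10_char(cp):
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

# Matches decimal (&#6;) and hexadecimal (&#x6;) character references.
CHAR_REF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

def find_invalid_xml_chars(text):
    """Return sorted (offset, kind, code_point) for each illegal character."""
    findings = []
    for m in CHAR_REF.finditer(text):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if not is_xml10_char(cp):
            findings.append((m.start(), "reference", cp))
    for i, ch in enumerate(text):
        if not is_xml10_char(ord(ch)):
            findings.append((i, "literal", ord(ch)))
    return sorted(findings)

def scan_rules(rules):
    """Map rule id -> findings, for rules whose XML a parser would reject."""
    flagged = {}
    for rule_id, xml_text in rules.items():
        hits = find_invalid_xml_chars(xml_text)
        if hits:
            flagged[rule_id] = hits
    return flagged

# Constructed sample data: ids and XML are illustrative, not real rule_data.
SAMPLE_RULES = {
    1001: '<rule buildingBlock="false"><userSelection>metadata&#x6;</userSelection></rule>',
    1002: '<rule buildingBlock="false"><userSelection>metadata</userSelection></rule>',
    1003: '<rule buildingBlock="false"><userSelection>tab&#9;ok\x06</userSelection></rule>',
}

if __name__ == "__main__":
    for rid, hits in scan_rules(SAMPLE_RULES).items():
        for off, kind, cp in hits:
            print(f"rule {rid}: {kind} U+{cp:04X} at offset {off}")
```

Rule 1001 reproduces the &#x6; reference shown in the log detail; rule 1003 shows that a valid reference (&#9;, tab) passes while a literal U+0006 byte is still reported.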
    

Local fix

  • Contact Support for a possible workaround that might address
    this issue in some instances.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.0.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.0.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ19268

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-09-11

  • Closed date

    2020-03-18

  • Last modified date

    2020-03-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
18 March 2020