IBM Support

IJ21487: RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT


APAR status

  • Closed as Permanent restriction.

Error description

  • It has been identified that Rules are not loaded properly when the
    user who originally created them no longer exists in the QRadar
    deployment. This has been observed after Content Management Tool
    (CMT) imports, because CMT allows content to be imported even when
    the owning user does not exist in the target deployment.
    False positive/negative Rule firing can be experienced when this
    issue is occurring.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java:748)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java:694)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java:212)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java:238)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java:125)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java:59)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java:215)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java:89)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java:126)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java:155)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java:420)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java:415)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:278)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at java.lang.Thread.run(Thread.java:812)
    

Local fix

  • To work around this issue, administrators can create the user named
    in the errors via Admin > User Management. Once the user is created,
    restart ecs-ep from the command line:
    -> systemctl restart ecs-ep
    It is then possible to reassign the data from the newly created user
    to a different user if administrators wish to remove that user and
    no longer use it.
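To find out which user accounts the workaround has to recreate, the following script (an added example, not part of the APAR or of QRadar) lists every user named in an InsufficientUserCapabilitiesException in a copy of qradar.log, with the number of occurrences. The log lines it embeds are constructed in the format quoted in the error description and are not real data.

```shell
#!/bin/sh
# Added example: report users named in InsufficientUserCapabilitiesException
# entries so an administrator can check them under Admin > User Management.
# Not part of the APAR; the sample log below is constructed, not captured.

# Print each distinct user named in an InsufficientUserCapabilitiesException,
# most frequent first, as "<user> <count>".
missing_capability_users() {
    # $1: path to /var/log/qradar.log or a saved copy of it
    grep 'InsufficientUserCapabilitiesException' "$1" \
      | sed -n 's/.*User "\([^"]*\)" does not have required capabilities.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2 " " $1}'
}

# Constructed sample excerpt in the quoted format (the second client port and
# the second user name are invented to show aggregation across connections).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41338]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java:748)
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41340] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "xxxxx@domain.com" does not have required capabilities to access catalog "events"
[ariel_proxy.ariel_proxy_server] [ariel_client/127.0.0.1:41342] com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabilitiesException: User "former.analyst@example.com" does not have required capabilities to access catalog "flows"
EOF

# Run against the constructed sample; point at /var/log/qradar.log in use.
missing_capability_users "$SAMPLE_LOG"
```

Any user the script reports that is absent from Admin > User Management is a candidate for the recreate-and-restart workaround above.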
    

Problem summary

  • This is closed as a permanent restriction. Please view the Local
    Fix for a workaround.
    

Problem conclusion

  • This is closed as a permanent restriction. Please view the Local
    Fix for a workaround.
    

Temporary fix


Comments


APAR Information

  • APAR number

    IJ21487

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-06

  • Closed date

    2021-01-13

  • Last modified date

    2021-01-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
09 March 2021