APAR status
Closed as program error.
Error description
When validating the configuration of the alert-config.xml file with the script /opt/qradar/bin/runCustAlertValidator.sh, no issue is found, but when the configured event is triggered, no emails are sent.

Examples
   Curly:  Service Name: ${body.CustomProperty(“DataPower Service”)}
   Normal: Service Name: ${body.CustomProperty("DataPower Service")}

Steps to reproduce
1. Create a new email template and add it to the alert-config.xml file.
   Example of email template with curly quotations:

   <template>
     <templatename>curly quotations</templatename>
     <templatetype>event</templatetype>
     <active>true</active>
     <filename></filename>
     <subject>
       <![CDATA[${RuleName}]]>
     </subject>
     <body>
       <![CDATA[The following is an automated response sent to you by the ${AppName} event custom rules engine: CEP: ${body.CustomProperty(“DataPower Service”)} ]]>
     </body>
     <from></from>
     <to></to>
     <cc></cc>
     <bcc></bcc>
   </template>

2. Validate the alert-config.xml template.

   [root@qradar75-console-primary email_templates]# /opt/qradar/bin/runCustAlertValidator.sh ./
   File alert-config.xml was deployed successfully to staging!
   [root@qradar75-console-primary email_templates]# md5sum /opt/qradar/bin/runCustAlertValidator.sh
   50845d672934710f44b86b07333438d1 /opt/qradar/bin/runCustAlertValidator.sh

3. Create and deploy a new rule.
4. Trigger the rule and watch for the emails. You should not receive any emails.
5. Verify the events triggered the new rule.
[ecs-ep.ecs-ep] [CRE Processor [1]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][XXX.XXX.XXX.XXX/- -] [-/- -]Exception performing Email response for rule WithCurly_helloNeeta
[ecs-ep.ecs-ep] [CRE Processor [1]] org.apache.velocity.exception.ParseErrorException: Lexical error, Encountered: "\u201c" (8220), after : "" at *unset*[line 4, column 77]
[ecs-ep.ecs-ep] [CRE Processor [1]]    at org.apache.velocity.runtime.RuntimeInstance.evaluate(RuntimeInstance.java:1301)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at org.apache.velocity.app.VelocityEngine.evaluate(VelocityEngine.java:272)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.buildResponseFromXML(CustomAlertFieldsManager.java:460)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at com.q1labs.semsources.cre.responses.templates.CustomAlertFieldsManager.loadTemplate(CustomAlertFieldsManager.java:145)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at com.q1labs.semsources.cre.responses.Email_Response.performResponse(Email_Response.java:51)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at com.q1labs.semsources.cre.CustomRule.performResponses(CustomRule.java:1049)
[ecs-ep.ecs-ep] [CRE Processor [1]]    at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:578)
Local fix
In the alert-config.xml file use normal quotations " instead of using curly quotations.
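Because the validator accepts the file and the failure only appears when a rule fires, a separate check for curly quotations before deployment helps avoid silently lost alert emails. The following Python script is an added example, not IBM code and not part of this APAR: it reports curly quotations inside ${...} expressions in the subject and body of each template. The <templates> wrapper element and the second template in the sample are constructed for illustration, and treating U+201D, U+2018 and U+2019 the same as the U+201C reported in the log is an assumption.

```python
import re
import sys
import xml.etree.ElementTree as ET

# The log on this page reports U+201C; the other three typographic quotes are
# flagged as the same class of character (assumption).
CURLY = {"\u201c": "U+201C", "\u201d": "U+201D", "\u2018": "U+2018", "\u2019": "U+2019"}
EXPR = re.compile(r"\$\{[^}]*\}")  # a ${...} template expression

# Constructed sample; the <templates> wrapper element is an assumption.
SAMPLE = """<templates>
  <template>
    <templatename>curly quotations</templatename>
    <subject><![CDATA[${RuleName}]]></subject>
    <body><![CDATA[CEP: ${body.CustomProperty(\u201cDataPower Service\u201d)}]]></body>
  </template>
  <template>
    <templatename>normal quotations</templatename>
    <subject><![CDATA[${RuleName}]]></subject>
    <body><![CDATA[CEP: ${body.CustomProperty("DataPower Service")}]]></body>
  </template>
</templates>"""

def find_curly_quotes(xml_data):
    """Return (template, field, line, column, codepoint, expression) tuples.

    Line and column are 1-based and relative to the start of the field text."""
    findings = []
    for tpl in ET.fromstring(xml_data).iter("template"):
        name = (tpl.findtext("templatename") or "<unnamed>").strip()
        for field in ("subject", "body"):
            text = tpl.findtext(field) or ""
            for m in EXPR.finditer(text):
                for offset, ch in enumerate(m.group()):
                    if ch in CURLY:
                        pos = m.start() + offset
                        line = text.count("\n", 0, pos) + 1
                        col = pos - text.rfind("\n", 0, pos)
                        findings.append((name, field, line, col, CURLY[ch], m.group()))
    return findings

if __name__ == "__main__":
    # Pass the path to alert-config.xml, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_curly_quotes(data)
    for name, field, line, col, cp, expr in hits:
        print(f"{name}: <{field}> line {line}, column {col}: {cp} in {expr}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when any curly quotation is found, so it can gate a deployment step.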
Problem summary
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Problem conclusion
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Temporary fix
Comments
APAR Information
APAR number
IJ43771
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
742
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-10-11
Closed date
2023-06-26
Last modified date
2023-06-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
Document Information
Modified date:
26 June 2023