APAR status
Closed as program error.
Error description
'Exception Reading CRE Rules' Errors may be observed after modifying system rules that are used in Cause and Effect tests. This occurs due to a NullPointerException, which can be seen in /var/log/qradar.error: [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]The Custom Rule ID is ########, Rule Name is: "Rule Name": null [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] java.lang.NullPointerException [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.tests.CauseAndEffect_Test.setParms(CauseA ndEffect_Test.java:228) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.tests.CREStatefulEventTest.setParms(CRESt atefulEventTest.java:28) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java :123) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRule.<init>(CustomRule.java:251) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(Custo mRuleReader.java:1135) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleRead er.java:649) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomRule Reader.java:1615) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.frameworks.events.config.ConfigurationChangeEvent.dispat chEvent(ConfigurationChangeEvent.java:125) [ecs-ep.ecs-ep] [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher] at com. q1labs.frameworks.events.SequentialEventDispatcher$DispatchThre ad.run(SequentialEventDispatcher.java:129)
Local fix
Contact Support for a possible workaround that might address this issue in some instances.
Problem summary
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Problem conclusion
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Temporary fix
Comments
APAR Information
APAR number
IJ44654
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-12-16
Closed date
2023-06-26
Last modified date
2023-06-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"750","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Document Information
Modified date:
26 June 2023