IBM Support

QRadar: Unable to delete 'log source groups' from QRadar console

Troubleshooting


Problem

This technote describes an error that can occur when a user who is not a member of the Log Source Security Profile attempts to remove a Log Source Group.

Symptom

When the user attempts to delete a Log Source Group, the following error is displayed:



Cause

A Security Profile is associated with the Log Source Group, which prevents the user from removing the group.

Diagnosing The Problem

There are two methods to verify this issue.

  1. Verify that the user attempting to delete the Log Source Group has the correct permissions in their Security Profile to access the Log Sources contained within the group they are attempting to delete.
  2. Review the /var/log/qradar.error log to determine if the following text is displayed:

    Mar 12 15:07:04 IP address [tomcat] [admin@IP address (8692) /console/JSON-RPC/QRadar.deleteSelectedGroupContext QRadar.deleteSelectedGroupContext] com.q1labs.core.ui.coreservices.UICoreServices: [ERROR] SQL Exception: ERROR: update or delete on table "fgroup" violates foreign key constraint "sp_sensordevice_group_link_dg_id_fkey" on table "sp_sensordevice_group_link"
    Detail: Key (id)=(100069) is still referenced from table "sp_sensordevice_group_link". {stmnt -369506896 DELETE FROM fgroup WHERE id in(100069)} [code=0, state=23503]
    Mar 12 15:07:04 IP address [tomcat] [admin@IP address (8692) /console/JSON-RPC/QRadar.deleteSelectedGroupContext QRadar.deleteSelectedGroupContext] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: update or delete on table "fgroup" violates foreign key constraint "sp_sensordevice_group_link_dg_id_fkey" on table "sp_sensordevice_group_link"
    Detail: Key (id)=(100069) is still referenced from table "sp_sensordevice_group_link". {stmnt -369506896 DELETE FROM fgroup WHERE id in(100069)} [code=0, state=23503]
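The log check in step 2 can be automated. The following Python is an added example, not part of the IBM technote: it scans qradar.error-style lines for the foreign-key violation shown above and reports which Log Source Group id is still referenced and which user attempted the delete. The function name, the sample addresses (192.0.2.x) and the unrelated log line are constructed for illustration.

```python
import re

# Entry header in qradar.error: timestamp, host, [tomcat], then [user@client ...
HEADER = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \[tomcat\] \[(?P<user>[^@\s]+)@')
# PostgreSQL foreign-key violation raised by the DELETE on "fgroup"
VIOLATION = re.compile(
    r'on table "fgroup" violates foreign key constraint "(?P<constraint>[^"]+)" '
    r'on table "(?P<ref_table>[^"]+)"')
# Continuation line naming the group id that is still referenced
DETAIL = re.compile(r'Detail: Key \(id\)=\((?P<group_id>\d+)\)')

# Constructed sample modelled on the technote's excerpt; addresses are placeholders.
_PFX = ('Mar 12 15:07:04 192.0.2.10 [tomcat] [admin@192.0.2.20 (8692) /console/JSON-RPC/'
        'QRadar.deleteSelectedGroupContext QRadar.deleteSelectedGroupContext] ')
_ERR = ('ERROR: update or delete on table "fgroup" violates foreign key constraint '
        '"sp_sensordevice_group_link_dg_id_fkey" on table "sp_sensordevice_group_link"')
_DET = ('Detail: Key (id)=(100069) is still referenced from table '
        '"sp_sensordevice_group_link". {stmnt -369506896 DELETE FROM fgroup '
        'WHERE id in(100069)} [code=0, state=23503]')
SAMPLE = [
    'Mar 12 15:06:58 192.0.2.10 [tomcat] [admin@192.0.2.20 (8690) /console/x] '
    'com.example.Unrelated: [ERROR] constructed unrelated entry',
    _PFX + 'com.q1labs.core.ui.coreservices.UICoreServices: [ERROR] SQL Exception: ' + _ERR,
    _DET,
    _PFX + 'org.apache.openjpa.lib.jdbc.ReportingSQLException: ' + _ERR,
    _DET,
]

def find_blocked_group_deletes(lines):
    """Return one finding per failed Log Source Group delete (state 23503)."""
    findings, seen, pending = [], set(), None
    for line in lines:
        header = HEADER.match(line)
        if header:  # a new entry starts; remember it only if it is the FK violation
            hit = VIOLATION.search(line)
            pending = {**header.groupdict(), **hit.groupdict()} if hit else None
        detail = DETAIL.search(line)
        if pending and detail and "state=23503" in line:
            pending["group_id"] = int(detail.group("group_id"))
            key = (pending["ts"], pending["user"], pending["group_id"])
            if key not in seen:  # the same failure is logged by two classes
                seen.add(key)
                findings.append(pending)
            pending = None
    return findings

if __name__ == "__main__":
    for f in find_blocked_group_deletes(SAMPLE):
        print(f'{f["ts"]} user={f["user"]} group_id={f["group_id"]} ref={f["ref_table"]}')
```

To run it against a real log, pass an open file handle for /var/log/qradar.error in place of SAMPLE.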

Resolving The Problem

To resolve this issue, the Administrator might be required to update the Security Profile to remove from it the Log Source Groups that cannot be deleted.

  1. Log in to the QRadar Web User Interface as an Admin user.
  2. Click the Admin tab.
  3. Click the Security Profiles icon to display the Security Profile Manager.
  4. Select the user who has difficulty removing the Log Source Group.
  5. Click the Log Sources tab.
  6. Remove the Log Sources that contribute to the group from the Assigned Log Sources list.
  7. Click Save to close the window.
  8. Click Deploy Changes.
  9. Attempt to remove the Log Source Group.



Document Information

Product: IBM Security QRadar SIEM
Component: Admin Console
Platform: Linux, Windows
Version: 7.1; 7.2
Edition: All Editions

Modified date: 16 June 2018

UID: swg21667166