An API Failure is seen in /var/log/audit/audit.log that looks similar to this: Sep 7 11:41:38 127.0.0.1 Token UBA@x.x.x.x (7318) /console/restapi/api/ariel/searches/49790aa6-d605-4602-9d5c- 3a53dba442bb | [Action] [RestAPI] [APIFailure] [Token: UBA] [0a302e73- 66a5-45a4-a041-c2498366c0b0] [SECURE]
This may happen if the data or cursor has been deleted after the retention period has expired.
Diagnosing The Problem
Look in /var/log/audit/audit.log for similar messages.
Sep 7 11:41:38 127.0.0.1 Token UBA@x.x.x.x (7318)
3a53dxxxxxx | [Action] [RestAPI] [APIFailure] [Token: UBA] [0a30xxxx-
Resolving The Problem
Verify within /var/log/qradar.log file or within /var/log/qradar.old/qradar.log.1.gz to see whether the data for that search was deleted as part of disk maintenance. If they were you should see messages similar to this:
Sep 7 10:36:33 ::ffff:x.x.x.x [ariel.ariel_proxy_server]
[q1labs_worker_2] com.q1labs.ariel.searches.Locations: [INFO]
[NOT:0000006000][x.x.x.x/- -] [-/- -]Data for
497xxxxx-d6xx-46xx-9dxx-3a53dbxxxxxx was deleted, 13 KB was freed on
hard drive, reason: data is expired, exp.date: 17-09-07,10:34:38
Sep 7 11:11:43 ::ffff:x.x.x.x [ariel.ariel_proxy_server]
[ariel_client /127.0.0.1:38490] com.q1labs.ariel.ConnectedClient: [INFO]
[NOT:0000006000][x.x.x.x/- -] [-/- -]Query
497xxxxx-d6xx-46xx-9dxx-3a53dxxxxxx does not exist
These messages will correspond to the time stamp of the entry in /var/log/audit/audit.log
Those are only informational messages, therefore there is nothing to worry about as UBA is working as expected.
Where do you find more information?
Was this topic helpful?
30 August 2018