IBM Support

QRadar: User Behavior Analytics (UBA) API Access Request Failure

Troubleshooting


Problem

An API failure is seen in /var/log/audit/audit.log that looks similar to this:

Sep 7 11:41:38 127.0.0.1 Token [email protected] (7318) /console/restapi/api/ariel/searches/49790aa6-d605-4602-9d5c-3a53dba442bb | [Action] [RestAPI] [APIFailure] [Token: UBA] [0a302e73-66a5-45a4-a041-c2498366c0b0] [SECURE]

Cause

This may happen if the data or cursor has been deleted after the retention period has expired.

Diagnosing The Problem

Look in /var/log/audit/audit.log for similar messages.

Sep 7 11:41:38 127.0.0.1 Token [email protected] (7318) /console/restapi/api/ariel/searches/497xxxxx-d6xx-46xx-9d5c-3a53dxxxxxx | [Action] [RestAPI] [APIFailure] [Token: UBA] [0a30xxxx-66xx-45xx-a0xx-c24983xxxxxx] [SECURE]

Resolving The Problem

Check /var/log/qradar.log or /var/log/qradar.old/qradar.log.1.gz to see whether the data for that search was deleted as part of disk maintenance. If it was, you should see messages similar to this:

Sep  7 10:36:33 ::ffff:x.x.x.x [ariel.ariel_proxy_server] [q1labs_worker_2] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Data for 497xxxxx-d6xx-46xx-9dxx-3a53dbxxxxxx was deleted, 13 KB was freed on hard drive, reason: data is expired, exp.date: 17-09-07,10:34:38

Sep  7 11:11:43 ::ffff:x.x.x.x [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:38490] com.q1labs.ariel.ConnectedClient: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Query 497xxxxx-d6xx-46xx-9dxx-3a53dxxxxxx does not exist

These messages will correspond to the time stamp of the entry in /var/log/audit/audit.log.

These are informational messages only, so there is nothing to worry about: UBA is working as expected.
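One way to automate the correlation described above, as an added example that is not part of the IBM document: it pairs each UBA APIFailure search ID from audit.log with a matching "was deleted" or "does not exist" entry from qradar.log. It assumes each log entry sits on a single line; the function names, sample lines, hosts and IDs are constructed for illustration.

```python
import gzip
import re

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# audit.log: failed REST call on an Ariel search made with the UBA token.
AUDIT_RE = re.compile(
    rf"/api/ariel/searches/({UUID})\b.*\[APIFailure\].*\[Token: UBA\]", re.I)
# qradar.log: search data removed by disk maintenance after it expired.
DELETED_RE = re.compile(
    rf"Data for\s+({UUID})\s+was deleted.*reason: data is expired", re.I)
# qradar.log: a client asked for a search that no longer exists.
MISSING_RE = re.compile(rf"Query\s+({UUID})\s+does not exist", re.I)

def read_lines(path):
    """Read a plain or gzip-rotated log (e.g. qradar.log.1.gz) as text."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return fh.readlines()

def triage(audit_lines, qradar_lines):
    """Map each failed UBA search ID to 'expired', 'missing' or 'unexplained'."""
    deleted, missing = set(), set()
    for line in qradar_lines:
        if m := DELETED_RE.search(line):
            deleted.add(m.group(1).lower())
        elif m := MISSING_RE.search(line):
            missing.add(m.group(1).lower())
    verdicts = {}
    for line in audit_lines:
        if m := AUDIT_RE.search(line):
            sid = m.group(1).lower()
            verdicts[sid] = ("expired" if sid in deleted else
                             "missing" if sid in missing else "unexplained")
    return verdicts

# Constructed sample lines in the shape shown above (IDs and hosts are made up).
A, B, C = (f"{d*8}-{d*4}-{d*4}-{d*4}-{d*12}" for d in "abc")
AUDIT_SAMPLE = [
    f"Sep  7 11:41:38 127.0.0.1 Token user@host (7318) /console/restapi/api/ariel/searches/{s}"
    " | [Action] [RestAPI] [APIFailure] [Token: UBA] [00000000-0000-0000-0000-000000000000] [SECURE]"
    for s in (A, B, C)]
QRADAR_SAMPLE = [
    f"Sep  7 10:36:33 ::ffff:192.0.2.10 [ariel.ariel_proxy_server] [INFO] Data for {A} was deleted,"
    " 13 KB was freed on hard drive, reason: data is expired, exp.date: 17-09-07,10:34:38",
    f"Sep  7 11:11:43 ::ffff:192.0.2.10 [ariel.ariel_proxy_server] [INFO] Query {B} does not exist",
]

if __name__ == "__main__":
    print(triage(AUDIT_SAMPLE, QRADAR_SAMPLE))
```

An ID reported as 'unexplained' has no matching qradar.log entry in the lines supplied, so the cause given in this document does not account for it; check older rotated logs before looking further.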


Product: IBM Security QRadar SIEM
Component: UBA
Platform: Linux
Version: 7.2

Document Information

Modified date:
30 August 2018

UID

swg22008467