IBM Support

QRadar: Old log source UI having issues when creating Cisco AMP log sources

Troubleshooting


Problem

When you create and configure a Cisco AMP log source with the old log source UI, the password that is used for the Cisco AMP for Endpoints API event stream is not registered or updated correctly in the QRadar database. As a result, the Cisco AMP log source displays an ACCESS_REFUSED error.

Symptom

The Cisco AMP log source shows the following error in the Web UI:

Error Message: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
Failed to establish the message queue connection.
Login refused. Ensure that the username and password are valid.
An attempt to reconnect will occur in 10 minutes

The following error appears in the qradar.error and qradar.log files:

[ecs-ec-ingress.ecs-ec-ingress] [Thread-2866003] com.rabbitmq.jms.util.RMQJMSSecurityException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.

Note: You can find the qradar.error and qradar.log files in the following path: /var/log
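
To confirm the symptom from the command line, the following added example (not part of the IBM document and not IBM code) counts the RMQJMSSecurityException ACCESS_REFUSED lines per component in the log files. The function name, the sample log lines, their thread IDs, and the second component name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): count RabbitMQ JMS ACCESS_REFUSED errors per component.
# Usage: amp_access_refused_summary /var/log/qradar.error /var/log/qradar.log
# Prints "<count> <component>" lines, highest first; returns 0 if found, 1 if none.
amp_access_refused_summary() {
    status=0
    out=$(awk '
        # Match only the exception quoted on the page, not other ACCESS_REFUSED text.
        /com\.rabbitmq\.jms\.util\.RMQJMSSecurityException: ACCESS_REFUSED/ {
            # The component is the first [bracketed] field on the line.
            if (match($0, /\[[^]]+\]/)) {
                comp = substr($0, RSTART + 1, RLENGTH - 2)
            } else {
                comp = "unknown"
            }
            count[comp]++
        }
        END {
            n = 0
            for (c in count) { printf "%d %s\n", count[c], c; n++ }
            exit (n > 0 ? 0 : 1)
        }
    ' "$@") || status=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort -rn
    return "$status"
}

# Constructed sample lines in the format shown on the page (thread ids are made up,
# and example-component.example is a hypothetical component name).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [Thread-101] com.rabbitmq.jms.util.RMQJMSSecurityException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-102] com.rabbitmq.jms.util.RMQJMSSecurityException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
[example-component.example] [Thread-7] com.rabbitmq.jms.util.RMQJMSSecurityException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
[ecs-ec-ingress.ecs-ec-ingress] [Thread-103] constructed unrelated message
EOF
amp_access_refused_summary "$sample"
```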

Environment

QRadar version 7.3.1

Resolving The Problem

Workaround: 
  1. Delete the log source created with the old source UI using the steps outlined in Deleting a log source.
  2. Recreate the log source using the latest version of the log source management app in order to correctly configure the Cisco AMP log source using the steps outlined in Configure a log source for a user to manage the Cisco AMP event stream.
  3. Deploy the changes by logging into the QRadar console UI, going to the "Admin" tab and clicking the "Deploy changes" button. 
  4. Disable and enable the newly created log source using the log source management app.
  

Document Location

Worldwide


Document Information

Modified date:
14 May 2020

UID

ibm16202723