IBM Support

QRadar: Content Extension or Application Installation Fails on CEP Conflict

Troubleshooting


Problem

When an administrator attempts to install a content package or application with Custom Extraction Properties (CEP) through Extensions Management, the installation preview sometimes shows a single property and a status of FAILED. If the administrator chooses to continue with the installation, it fails to proceed with the message "An error occurred. See console logs for details." This behavior normally indicates a CEP that's being imported is in conflict with one that's already on the system. 

Symptom

During a content pack or application installation, there is a screen to preview the changes it is installing. If there is a conflicting CEP, it shows a FAILED message:
[Image: Install Preview Example]
In this preview, Originating_User is the name of the CEP in conflict; the name might differ on your system. This technote uses the Originating_User property as its example throughout.

Diagnosing The Problem

  1. SSH to the console as the root user
  2. Search the logs for a more detailed error with the following command:
    grep -i contentcustom /var/log/qradar.log
    There are two possible messages that can be corrected:
    1. There's a conflict with an existing name
      Conflict during the import of property [Originating_User], found an existing property with the same name but different [type/id]
    2. There's a conflict with an existing UUID
      Property with id [c5496d4e-dd49-46ab-b6dc-04a892757a23] already exists but have a different name
  3. Important: If the output seen doesn't match either of these messages, contact QRadar® Support for further assistance.
  4. If the issue is identified as a conflict with an existing UUID in step 2, query Postgres to find the CEP name with this command:
    # psql -U qradar -c "select id, propertyname, database, username from ariel_regex_property where id='<UUID>';"
    Here's an example output:
    # psql -U qradar -c "select id, propertyname, database, username from ariel_regex_property where id='c5496d4e-dd49-46ab-b6dc-04a892757a23';"
                      id                  |   propertyname   | database | username
    --------------------------------------+------------------+----------+----------
     0d7b6408-e76c-4765-95e9-c9a8c3693a0e | Originating User | events   | admin
    (1 row)
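
The classification in steps 2 to 4, as an added example (not IBM's code): it reads log lines on standard input, reports which of the two conflict messages appear, and prints the step 4 query only for a well-formed UUID. The function names and the `[constructed]` prefix on the sample lines are assumptions; only the two message texts and the query come from this technote.

```shell
#!/bin/sh
# Added example: classify QRadar CEP import conflicts from log lines on stdin.

# Prints one line per distinct conflict: "NAME <property>" or "UUID <id>".
classify_cep_conflicts() {
    grep -i 'contentcustom' | sed -n \
        -e 's/.*Conflict during the import of property \[\([^]]*\)], found an existing property with the same name.*/NAME \1/p' \
        -e 's/.*Property with id \[\([^]]*\)] already exists.*/UUID \1/p' | sort -u
}

# Prints the step 4 query, but only for a well-formed UUID, so a value copied
# out of a log is never placed into SQL unchecked.
lookup_command() {
    case $1 in *[!0-9A-Fa-f-]*) echo "not a UUID, lookup skipped" >&2; return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' || {
        echo "not a UUID, lookup skipped" >&2; return 1; }
    printf "psql -U qradar -c \"select id, propertyname, database, username from ariel_regex_property where id='%s';\"\n" "$1"
}

# Reads log lines on stdin and prints the finding and next action per conflict.
report() {
    classify_cep_conflicts | while read -r kind value; do
        case $kind in
            NAME) echo "name conflict: $value (rename or remove the existing CEP)" ;;
            UUID) echo "uuid conflict: $value (look up its current name:)"
                  lookup_command "$value" || : ;;
        esac
    done
}

# Constructed sample: the "[constructed] ..." prefixes are made up; the two
# message texts are the ones quoted in this technote.
sample_log() {
    cat <<'EOF'
[constructed] contentcustom: Conflict during the import of property [Originating_User], found an existing property with the same name but different [type/id]
[constructed] contentcustom: Property with id [c5496d4e-dd49-46ab-b6dc-04a892757a23] already exists but have a different name
[constructed] contentcustom: Property with id [c5496d4e-dd49-46ab-b6dc-04a892757a23] already exists but have a different name
[constructed] hostcontext: unrelated line
EOF
}

sample_log | report
```

On the console, feed the real log instead of the sample: `report < /var/log/qradar.log`.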

Resolving The Problem

  1. Log in to the QRadar® UI
  2. Locate the CEP following this documentation
  3. If the CEP is not being used (e.g. it is a flow property, but your system doesn't collect flows), or you would like to remove it directly, proceed to step 7
  4. In the Custom Property Definition screen, choose New Property and give it a new name, but do not change anything else
  5. Save the CEP
  6. If step 2 returned multiple search results, copy each of the remaining ones, but choose Existing Property and select the new property name from step 4
  7. Delete all of the original CEPs
    1. If there are dependencies, either remove the dependencies or replace them with the newly created property
  8. Try installing the content pack again

    Results
    After following the above steps, if the installation continues to give issues, contact QRadar® Support for further assistance.

 

Document Location

Worldwide


Document Information

Modified date:
08 October 2020

UID

ibm16205797