IBM Support

QRadar: Application error message when opening events

Troubleshooting


Problem

When opening any event in Log Activity, an "Application error" message is displayed.

Symptom

The error message will look similar to:

[Image: screenshot of the "Application error" message]

Cause

This problem can be caused by an AQL property that is still assigned to a user that has already been deactivated.

Diagnosing The Problem

In the /var/log/qradar.error file, you will find a message that identifies the problematic property ID. The message is similar to the following:
Exception creating AQL key creator for property ID 99555295-29ae-4c23-9ef6-6f7e8fc5d2c2
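
The log search described above can be scripted. The following is an added example, not IBM code: the function names and the sample log lines are constructed for illustration, and each ID is checked to be a UUID before it is placed in the lookup query used in step 4 of the resolution.

```shell
#!/usr/bin/env bash
# Added example. Helper names and sample log lines are constructed.
UUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Print each distinct property ID named in an "AQL key creator" exception.
extract_aql_property_ids() {
    local log_file="${1:-/var/log/qradar.error}"
    grep -oE "Exception creating AQL key creator for property ID ${UUID_RE}" "$log_file" \
        | grep -oE "${UUID_RE}\$" \
        | tr 'A-F' 'a-f' \
        | sort -u
}

# Emit the step 4 lookup for one ID. Anything that is not a UUID is refused,
# because the value ends up inside a quoted SQL literal.
build_owner_query() {
    local id="$1"
    if ! printf '%s' "$id" | grep -qxE "$UUID_RE"; then
        echo "refusing non-UUID property ID: $id" >&2
        return 1
    fi
    printf "select username from ariel_aql_property where id='%s';\n" "$id"
}

# Constructed sample: two hits for one ID, an unrelated line, a malformed ID.
demo() {
    local sample
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
[constructed] Exception creating AQL key creator for property ID 99555295-29ae-4c23-9ef6-6f7e8fc5d2c2
[constructed] Unrelated error while rendering a page
[constructed] Exception creating AQL key creator for property ID 99555295-29ae-4c23-9ef6-6f7e8fc5d2c2
[constructed] Exception creating AQL key creator for property ID 1234
EOF
    extract_aql_property_ids "$sample" | while read -r id; do
        build_owner_query "$id"
    done
    rm -f "$sample"
}

demo
```

On a Console, calling `extract_aql_property_ids` with no argument reads /var/log/qradar.error and lists every affected property ID once.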

Resolving The Problem

Once you have found the problematic AQL property ID in the /var/log/qradar.error file, you must reassign the AQL property ID to the Admin user in the database. See the following steps:
  1. SSH into the QRadar Console as the root user.
  2. It is always advisable to create a backup of the table before changing it. First, run this command to generate the backup:
    pg_dump -U qradar -t ariel_aql_property > /store/tmp/ariel_aql_property.sql
  3. Enter the database with the following command:
    psql -U qradar
  4. Determine which user is still assigned to the problematic AQL property ID. For this, you need to run the following select statement using the AQL property ID found in the /var/log/qradar.error file:
    select username from ariel_aql_property where id='99555295-29ae-4c23-9ef6-6f7e8fc5d2c2';
  5. You will see an output with a username similar to this:
    username
    -----------
    QradarTest
  6. After identifying the username, you must reassign the problematic AQL properties to the username admin. For this, you need to run the following update statement by using the username that you found in step #4:
    update ariel_aql_property set username='admin' where username='QradarTest';
  7. After the update, the message "UPDATE 1" is displayed. This message means that the changes were made successfully.
  8. Exit the database with the following command:
    \q

    Important
    While the QRadar web service restarts, the QRadar UI is not available to any user, and event exports and report generation stop. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  9. Restart the hostcontext and tomcat services with the following commands:
    systemctl stop hostcontext
    systemctl restart tomcat
    systemctl start hostcontext

Results

After completing these steps, go to your QRadar Console Web UI and validate that you can open any event successfully in Log Activity.

Document Location

Worldwide


Document Information

Modified date:
22 April 2021

UID

ibm16442081