IBM Support

QRadar: How to identify missing content that can cause application errors in the user interface (APAR IJ23859)

How To


Summary

The purpose of this article is to provide more information on APAR IJ23859 for users who experience application errors related to missing content. The most common cause of APAR IJ23859 is security content owned by a disabled user account. The user interface attempts to display results, but the content owned by a disabled user generates Tomcat errors related to missing content. The procedure in this technical note outlines how to identify and resolve the application error.

Environment

Users affected by this issue can see this error when they navigate to the Log Activity tab in the user interface: "An error has occurred. Return and attempt the action again. If the problem persists, please contact customer support for assistance."
When you review the QRadar logs, an error is displayed that indicates that data or a property does not exist:
[tomcat.tomcat] [username@IPAddress (7192) 
/console/do/ariel/arielDetails] com.q1labs.ariel.ql.parser.AQLParserException: 
Catalog "events" does not exist.
concat('http://',"URL
^
Note: This error message can appear in either /var/log/qradar.log or /var/log/qradar.error.

Steps

The issue is caused by a user account that was disabled without its dependencies being reassigned. You can use the error message to identify which user created the property, and then reassign the dependency in the user interface.

Before you begin
  • The procedure in this section applies to QRadar SIEM on-premises appliances. QRadar on Cloud administrators do not have root access to the Console to view logs.
  • If you are a QRadar on Cloud administrator and require assistance verifying disabled content from the command line, contact QRadar Support.
  • QRadar on Cloud administrators cannot delete users. If you need to delete a user or reassign content for a QRadar on Cloud Console, contact QRadar Support.
Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To review the logs to identify properties generating the error, type:
    grep "Exception creating AQL" /var/log/qradar.error
  3. The output identifies the user, property, and IP address. For example,
    [tomcat.tomcat] [username@IPAddress (7192) /console/do/ariel/arielDetails] 
    com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]
    Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
    • username: The user that is unable to access the Log Activity tab or feature in the user interface.
    • IPAddress: IP address of the device from where the user is accessing QRadar.
    • property ID: The ID of the property that is causing the issue. Use this ID in the next step.
  4. To identify the user who owns the property, type:
    psql -U qradar -c "select id,username from ariel_property;" | grep <id>
    Note: You do not need to include the full property ID; you can grep for the last unique identifying digits. For example,
    psql -U qradar -c "select id,username from ariel_property;" | grep 69210d

    Results
    The user name is displayed for the owner of the property that is generating the error. This user might be disabled in the user interface and dependencies must be reassigned to resolve the error in the user interface.
    4dd61ea4-b492-4e27-93a7-ad187a69210d  | firstname.lastname
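
Steps 2 to 4 look up one property ID at a time; when several properties fail, the same lookup can be done in one pass. The script below is an added example, not IBM-supplied code: the function names, log lines and table rows are constructed, and it assumes each error is logged on a single line in the format shown in step 3.

```shell
#!/usr/bin/env bash
# Added example, not IBM code. Log lines and table rows are constructed samples
# modelled on steps 3 and 4; only the first property ID comes from the article.
UUID_RE='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

# stdin: qradar.error text. stdout: unique "property_id affected_user" pairs.
failing_properties() {
  grep -F 'Exception creating AQL key creator for property ID' |
    sed -nE "s/.*\[([^@ ]+)@([^ ]+) \([0-9]+\) [^]]*\].*property ID (${UUID_RE}).*/\3 \1/p" |
    sort -u
}

# stdin: output of the step 4 query; $1: file of pairs from failing_properties.
# stdout: "property_id owner" for every failing property found in ariel_property.
property_owners() {
  cut -d' ' -f1 "$1" | sort -u > "$1.ids"   # strict UUIDs only, safe as fixed strings
  grep -F -f "$1.ids" | sed -E 's/^ *([^ |]+) *\| *([^ ]+) *$/\1 \2/'
  rm -f "$1.ids"
}

sample_log() {   # constructed log lines
  cat <<'EOF'
[tomcat.tomcat] [jdoe@192.0.2.10 (7192) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][192.0.2.10/- -] [-/- -] Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
[tomcat.tomcat] [jdoe@192.0.2.10 (7192) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][192.0.2.10/- -] [-/- -] Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
[tomcat.tomcat] [asmith@192.0.2.44 (8120) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][192.0.2.44/- -] [-/- -] Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
[tomcat.tomcat] [jdoe@192.0.2.10 (7192) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][192.0.2.10/- -] [-/- -] Exception creating AQL key creator for property ID 00000000-0000-4000-8000-000000000001
[tomcat.tomcat] [jdoe@192.0.2.10 (7192) /console/do/ariel/arielDetails] com.q1labs.ariel.ql.parser.AQLParserException: Catalog "events" does not exist.
EOF
}

sample_ariel_property() {   # constructed stand-in for the step 4 psql output
  cat <<'EOF'
                  id                  |      username
--------------------------------------+--------------------
 4dd61ea4-b492-4e27-93a7-ad187a69210d | firstname.lastname
 00000000-0000-4000-8000-000000000001 | admin
 00000000-0000-4000-8000-000000000002 | admin
(3 rows)
EOF
}

pairs=$(mktemp)
sample_log | failing_properties > "$pairs"
cat "$pairs"                                   # which users hit which property
# On the Console, replace sample_ariel_property with the step 4 query:
#   psql -U qradar -c "select id,username from ariel_property;"
sample_ariel_property | property_owners "$pairs"
rm -f "$pairs"
```

On a Console, feed `failing_properties` from `/var/log/qradar.error`; each owner it reports is an account to check in the Users list before reassigning content.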

Additional Information

How to reassign dependencies for disabled users
QRadar administrators can reassign dependencies without removing the user by using the delete function, but cancelling out of the process before the user is deleted. It is important for administrators to reassign the security content that a user owns when they disable that user account. Reassigning security content prevents errors where the product does not display data as expected due to properties or content owned by a disabled or removed user.

Procedure
The procedure reassigns content for a disabled user.
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, click Users.
  3. Search for the owner of the property generating the error message.
  4. Select the user, then click the Delete button.
    A search for dependencies starts for all content owned by the user.
  5. Click View to review existing dependencies by type.
  6. Select any properties that need to be migrated from the disabled user and click Re-assign Ownership.
  7. Select the new owner for the security content and click Re-assign.
  8. When reassignment is complete, click OK.
    You are returned to the dependency list.
  9. Click Cancel to exit the delete user interface to leave the user in the disabled state.
    Important: If you need to keep the user in the disabled state, do NOT select Delete User. By cancelling out of the user interface, the user is left in the disabled state with their security content reassigned. QRadar on Cloud administrators cannot delete users. If you need to delete a user on a QRadar on Cloud appliance, contact QRadar Support.

    Result
    After you are done reassigning the dependencies, return to the Log Activity tab. You can verify that the user interface displays, or run searches with the removed properties, to confirm that they function as expected. If you continue to experience errors with APAR IJ23859, contact QRadar Support.
 

Document Location

Worldwide


Document Information

Modified date:
13 October 2021

UID

ibm16454901