The purpose of this article is to provide more information on APAR IJ23859 for users who experience application errors related to missing content. The most common cause of APAR IJ23895 is security content owned by a disabled user account. The user interface attempts to display results, but the content owned by a disabled user generates Tomcat errors related to missing content. The procedure in this technical note outlines how to identify and resolve the application error.
[tomcat.tomcat] [username@IPAddress (7192) /console/do/ariel/arielDetails] com.q1labs.ariel.ql.parser.AQLParserException: Catalog "events" does not exist. concat('http://',"URL ^
Before you begin
- The procedure in this section applies to QRadar SIEM on-premise appliances. QRadar on Cloud administrators do not have root access to the Console to view logs.
- If you are a QRadar on Cloud administrator and require assistance verifying disabled content from the command line, contact QRadar Support.
- QRadar on Cloud administrators cannot delete users. If you need to delete a user or reassign content for a QRadar on Cloud Console, contact QRadar Support.
- Use SSH to log in to the QRadar Console as the root user.
- To review the logs to identify properties generating the error, type:
grep "Exception creating AQL" /var/log/qradar.error
- The output identifies the user, property, and IP address. For example,
[tomcat.tomcat] [username@IPAddress (7192) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -] Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
username: The user that is unable to access the Log Activity tab or feature in the user interface.
IPAddress: IP address of the device from where the user is accessing QRadar.
property ID: This ID is what we are looking for as it is the one causing the issue, take this ID and use it in the next step.
To identify the user who owns the property, type:
psql -U qradar -c "select id,username from ariel_property;" | grep <id>
psql -U qradar -c "select id,username from ariel_property;" | grep 69210d
The user name is displayed for the owner of the property that is generating the error. This user might be disabled in the user interface and dependencies must be reassigned to resolve the error in the user interface.
4dd61ea4-b492-4e27-93a7-ad187a69210d | firstname.lastname
QRadar administrators can reassign dependencies without removing the user by completing the delete function, but cancelling out of the process before the user is deleted. It is important for administrators to reassign security content owned when you disable a user account. Reassigning security content prevents errors where the product does not display data as expected due to properties or content owned by a disabled or removed user.
The procedure reassigns content for a disabled user.
- Log in to the QRadar Console as an administrator.
- On the Admin tab, click Users.
- Search for the owner of the property generating the error message.
- Select the user, then click the Delete button.
A search for dependencies starts for all content owned by the user.
- Click View to review existing dependencies by type.
- Select any properties that need to be migrated from the disabled user and click Re-assign Ownership.
- Select the new owner for the security content and click Re-assign.
- When reassignment is complete, click OK.
You are returned to the dependency list.
- Click Cancel to exit the delete user interface to leave the user in the disabled state.
Important: If you need to keep the user in the disabled state, do NOT select Delete User. By cancelling out of the user interface, the user is left in the disabled state with their security content reassigned. QRadar on Cloud administrators cannot delete users. If you need to delete a user on a QRadar on Cloud appliance, contact QRadar Support.
After you are done reassigning the dependencies, return to the Log Activity tab. You can verify the user interface displays and or run searches with the removed properties to confirm they function as expected. If you continue to experience errors with APAR IJ23859, contact QRadar Support.
Was this topic helpful?
13 October 2021