Troubleshooting
Problem
The log source displays a warning status with the following messages:
No new files matching the directory prefix and file pattern.
No download errors, but no files were processed.
This technote is written for the S3 bucket (directory prefix) collection method, but it can also apply to collection through SQS event notifications.
Symptom
No events are pulled from AWS, and a warning message is displayed in the Log Source Management app.
If you run the test in the Log Source Management app, it runs successfully and displays events that are in the S3 bucket, which shows that the credentials and bucket access work and that the problem is in how files are selected.
Cause
The log source configuration does not match the layout of the S3 bucket. Files might exist in the bucket, but the directory prefix, file pattern, or event format given in the log source configuration does not correctly identify which files to pull.
Environment
QRadar 7.3.x and 7.4.x
Diagnosing The Problem
Look for similar warnings in /var/log/qradar.error:
Jun 10 00:04:51 ::ffff:x.x.x.x [ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider7] com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -]No new files matching the directory prefix and file pattern
Resolving The Problem
Before you begin:
- Make sure that you use the most current AWS CloudTrail DSM and Protocols for your QRadar version (7.4 or 7.3).
- Refer to the IBM® Documentation for the Amazon AWS CloudTrail log source on the QRadar Console using a directory prefix.
1. Log in to the QRadar Console as the admin user.
2. Click the Admin tab > Log Source Management.
3. Click +New Log Source > Single Log Source.
4. Click Amazon® AWS CloudTrail.
5. Click Select a protocol type > Amazon® AWS S3 REST API.
6. Using the IBM Documentation, follow the instructions for configuring the Log Source Parameters.
7. Add a Log Source Identifier.
8. Configure the parameters for Authentication method, Access Key ID, and Secret Key.
9. Configure all AWS S3 Collection method parameters.
10. Configure the Event Format by using these examples:
   - Event Type: In AWS S3 buckets, you can store AWS events and other event types. The various AWS DSMs in QRadar parse only audit events. Using a custom DSM or the Universal DSM, you can also pull other event types. If you are sending audit events, make sure to select the correct event format in the log source configuration. If the events you are trying to pull are not a supported event type, for example .txt files, try the Event Generator parameter LINEBYLINE; the files in the bucket are then assumed to be text files with one event on each line.
   - Unzipped events: QRadar cannot pull uncompressed files. For QRadar to pull the logs, the files must be compressed (.zip, .gzip, or .gz). Which compression is accepted depends on the selected event format:
     - AWS CloudTrail® JSON - Files that contain JSON-formatted events for Amazon® CloudTrail® use only .json.gz files. With the Universal DSM or a custom DSM, these files can also contain non-AWS JSON-formatted events.
     - LINEBYLINE - Compressed files use the extensions .gz, .gzip, or .zip.
     - AWS VPC Flow Logs - Only .txt.gz files are used. Select this option only when pulling actual VPC flows.
     - AWS Network Firewall Logs - Files that contain AWS Network Firewall Alert or Flow logs. This option sends flow logs to the Network Activity tab and alert logs as events to the Log Activity tab in QRadar. The Amazon® AWS Network Firewall DSM parses the logs. If your system is not licensed for flows, use the Event Generator parameter LINEBYLINE so that the DSM can parse the AWS Network Firewall logs.
     - W3C - The Cisco® Cloud Web Services DSM uses only files with the .gz extension.
     - Cisco® Umbrella CSV - The Cisco® Umbrella DSM uses only files with the .gz extension.
   - Directory Prefix: Ensure that the Directory Prefix field matches the prefix under which the logs are stored in the S3 bucket (S3 keys use / as the separator). Below that prefix, only subdirectories in date format, YEAR/MONTH/DAY, are traversed, for example 2021/06/20. The directory prefix method does not traverse subdirectories with any other names, so logs stored below an extra directory level are never found unless that level is included in the prefix.
   - RegEx - File Pattern: Configure a regex that matches the log file names, including the extension. Test the regex with a regex testing tool before saving it; a pattern that matches no file name in the date directories (for example, a .zip pattern against a bucket of .json.gz files) produces exactly this warning. For example, if the logs are named like thisislog1.zip, the regex can be: .*?\.zip
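The prefix and file-pattern checks described above, reduced to a runnable simulation. This is an added example, not QRadar's code or IBM's: it walks a constructed list of S3 object keys the way the technote describes the protocol's behaviour, keeping only keys that lie under the directory prefix, whose remaining path is a YEAR/MONTH/DAY directory (or no subdirectory at all), and whose file name matches the regex in full. The sample keys, the full-match regex semantics, the exact date-directory rule, and the diagnose() helper are assumptions made for the example.

```python
import re

# Constructed sample object keys in CloudTrail's usual layout; not taken from a real bucket.
SAMPLE_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2021/06/20/"
    "123456789012_CloudTrail_us-east-1_20210620T0000Z_a1.json.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2021/06/20/"
    "123456789012_CloudTrail_us-east-1_20210620T0005Z_b2.json.gz",
    # Wrong extension under the right date directory.
    "AWSLogs/123456789012/CloudTrail/us-east-1/2021/06/20/README.txt",
    # Non-date subdirectory between the prefix and the date directories.
    "AWSLogs/123456789012/CloudTrail/us-east-1/archive/2021/06/20/old_c3.json.gz",
    # Sibling prefix that a sloppy prefix might be expected to cover, but does not.
    "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2021/06/20/digest_d4.json.gz",
]

# Assumption for this example: below the prefix, only YEAR/MONTH/DAY directories are traversed.
DATE_DIRS = re.compile(r"\d{4}/\d{2}/\d{2}")


def _normalise_prefix(directory_prefix):
    """Treat the prefix as a directory: no leading slash, exactly one trailing slash."""
    return directory_prefix.strip("/") + "/"


def _split_below_prefix(key, prefix):
    """Return (subdirectories, file name) for the part of the key after the prefix."""
    dirs, _, name = key[len(prefix):].rpartition("/")
    return dirs, name


def _in_date_dirs(dirs):
    """A file directly under the prefix or under YEAR/MONTH/DAY is reachable; anything else is not."""
    return dirs == "" or DATE_DIRS.fullmatch(dirs) is not None


def candidate_files(keys, directory_prefix, file_pattern):
    """Keys the log source would process with this Directory Prefix and File Pattern.

    The regex is applied to the whole file name (assumed full-match semantics), which is
    why a pattern written for .zip files silently selects nothing in a bucket of .json.gz files.
    """
    prefix = _normalise_prefix(directory_prefix)
    pattern = re.compile(file_pattern)
    matched = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        dirs, name = _split_below_prefix(key, prefix)
        if _in_date_dirs(dirs) and pattern.fullmatch(name):
            matched.append(key)
    return matched


def diagnose(keys, directory_prefix, file_pattern):
    """Explain why a configuration yields 'No new files matching ...' (hypothetical helper)."""
    prefix = _normalise_prefix(directory_prefix)
    under_prefix = [k for k in keys if k.startswith(prefix)]
    if not under_prefix:
        return "no objects under the directory prefix; compare it with the bucket layout"
    reachable = [k for k in under_prefix if _in_date_dirs(_split_below_prefix(k, prefix)[0])]
    if not reachable:
        return ("objects exist under the prefix only in non-date subdirectories, which are "
                "not traversed; extend the prefix to the directory above the date directories")
    if not candidate_files(keys, directory_prefix, file_pattern):
        return "file pattern matches no file name in the date directories; check the extension"
    return "ok"


if __name__ == "__main__":
    prefix = "AWSLogs/123456789012/CloudTrail/us-east-1"
    for pattern in (r".*?\.json\.gz", r".*?\.zip"):
        print(pattern, "->", diagnose(SAMPLE_KEYS, prefix, pattern))
        for key in candidate_files(SAMPLE_KEYS, prefix, pattern):
            print("   ", key)
```

Run it with the real key list from the bucket (for example, the output of an S3 listing pasted into SAMPLE_KEYS) and the prefix and regex copied from the log source: the three branches of diagnose() correspond to the three configuration fields the technote tells you to check, so the returned message says which field to fix.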
Results
After the AWS log source configuration is corrected, events are pulled and the warning message is no longer displayed.
Document Location
Worldwide
Document Information
Modified date:
18 July 2022
UID
ibm16462535