
QRadar: Microsoft Azure AD event collection failing: Unable to connect to the Storage Account

Troubleshooting


Problem

Microsoft® Azure® AD integration cannot connect to the storage account to retrieve events as expected.

Symptom

Tests with the Log Source Management application can fail with the following error:

Cause

This error message is caused by a limitation in the current Azure SDK packaged with the Azure Event Hub Protocol. This issue requires a software update to resolve.

Microsoft Azure Support confirmed the Azure Event Hub Protocol is trying to complete a storage lease operation and fails with an error. The lease ID specified in its request did not match the lease ID for the binary large object (blob).
 
  • The Microsoft Azure API request responds to QRadar with: Error message: 409, LeaseIdMismatchWithLeaseOperation
    Note: The API error is only visible from the Microsoft Azure logs and this issue can be confirmed by your Microsoft Azure administrator.
  • The QRadar Log Source Management app reports Error: The specified container is being deleted.

Diagnosing The Problem

You can contact your Azure administrator to validate that the Azure logs match the reported exception from Microsoft:
https://github.com/Azure/azure-webjobs-sdk/issues/822


Optional troubleshooting
  • When this issue occurs, the Azure Event Hub protocol times out and sample events are not collected from the test tool in the Log Source Management app. Administrators can review the logs in /var/log/qradar.error to determine whether the ecs-ec-ingress service reports a timeout exception for the Azure Event Hub:
    Jul 9 09:21:18 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[<hubName>|qradar|EPHxxxx]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
    Jul 9 09:21:21 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[<hubName>|qradar|EPHxxxx]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
    Jul 9 09:21:24 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[<hubName>|qradar|EPHxxxx]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
  • Confirm that the required Microsoft Azure certificate is present on the managed host in the /opt/qradar/conf/trusted_certificates folder. The certificate can be retrieved with /opt/qradar/bin/getcert.sh
  • Confirm network connectivity to the remote Azure host and that the log source configuration is correct: openssl s_client -connect <host>.blob.core.windows.net:443
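As an added example (not part of this IBM article), the following POSIX shell script automates the first and third optional checks above: it scans a qradar.error-style log for the Azure Event Hub timeout signature, reports which hubs are affected, and wraps the openssl connectivity test for the blob endpoint. The sample log lines are constructed from the excerpt above; the hub names myhub/otherhub and the EPH identifiers are placeholders, and on a real host you would point the functions at /var/log/qradar.error and at your own storage account name.

```shell
#!/bin/sh
# Added example, not IBM's code: triage helpers for the Azure Event Hub
# protocol timeout described in this article.

# Constructed sample log, modelled on the qradar.error excerpt above.
# Replace with /var/log/qradar.error on a real managed host.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 9 09:21:18 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[myhub|qradar|EPH0001]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
Jul 9 09:21:20 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[myhub|qradar|EPH0001]-5-15] Polling cycle started (unrelated line, must not be counted)
Jul 9 09:21:21 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[myhub|qradar|EPH0001]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
Jul 9 09:21:24 ::ffff:10.168.21.102 [ecs-ec-ingress.ecs-ec-ingress] [[otherhub|qradar|EPH0002]-5-15] Caused by: java.util.concurrent.TimeoutException: The client could not finish the operation within specified maximum execution timeout.
EOF

# Count Event Hub protocol lines that carry the TimeoutException signature.
# Only ecs-ec-ingress lines tagged with an EPH (event processor host) id
# followed by the exception are counted; other lines from the same hub
# are ignored. Prints 0 (and exits 0) when nothing matches.
count_eventhub_timeouts() {
    grep -c 'ecs-ec-ingress.*EPH[^]]*\].*TimeoutException' "$1" || true
}

# List the distinct hub names (first field inside "[[hub|qradar|EPHxxxx]")
# that reported the timeout, space separated and sorted.
eventhub_timeout_hubs() {
    grep 'ecs-ec-ingress.*EPH[^]]*\].*TimeoutException' "$1" \
        | sed -n 's/.*\[\[\([^|]*\)|.*/\1/p' \
        | sort -u \
        | paste -s -d ' ' -
}

# Wrap the article's connectivity check: open a TLS session to the storage
# account's blob endpoint and close it immediately. Requires network access,
# so it is not exercised by the offline sample below.
# Usage: check_blob_tls <storage-account-name>
check_blob_tls() {
    host="$1.blob.core.windows.net"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null
}

# Offline run over the constructed sample.
printf 'Event Hub timeout exceptions: %s\n' "$(count_eventhub_timeouts "$SAMPLE_LOG")"
printf 'Hubs affected: %s\n' "$(eventhub_timeout_hubs "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

A burst of these exceptions from the same hub within a few seconds, as in the excerpt above, is the pattern to look for before asking the Azure administrator to check the storage logs for the 409 LeaseIdMismatchWithLeaseOperation response.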

Resolving The Problem

As a workaround you can delete the leasing files in the Storage blob when this issue occurs. Log in to the Azure portal and go to the Storage account to remove the leasing files created by the QRadar protocol in the eventHub.

IMPORTANT: If your Azure administrator deletes the lease files from Azure Storage, the deleted files reset the recorded position for the last query and can cause the Azure Event Hub protocol in QRadar to retrieve previously collected events. The next Azure Event Hub protocol query from QRadar starts from the current time (now) of the next polling interval.


Document Information

Modified date:
25 August 2021

UID

ibm16479551