IBM Support

QRadar: Not able to upgrade to the latest version of the UBA app “Internal Server Error: http://<IP_address>/user_import/index”

Troubleshooting


Problem

Administrators might notice that they are not able to upgrade to the latest version of the UBA app or they cannot import users from LDAP to UBA.

Symptom

When the UBA app loads in the QRadar UI a similar message is displayed.
Message:  “Internal Server Error:  http://<IP_address>/user_import/index”
Status:        500
[“message”:”Internal Server Error:  [http://<IP_address>>next-dashboard”,”status”:
 500|http://%3c...%3enext-dashboard”,”status”:500]

Diagnosing The Problem

  1. Use an SSH session to log in to the QRadar Console as root user.
  2. Locate the UBA App-ID by using the command: 
    # /opt/qradar/support/recon ps
App-ID  Name                            Managed Host ID Workload ID             Service Name    AB      Container Name  CDEGH   Port    IJKL
1055    QRadar Use Case Manager         53              apps                    qapp-1055       ++      qapp-1055       +++++   5000    ++++
1052    QRadar Log Source Management    53              apps                    qapp-1052       ++      qapp-1052       +++++   5000    ++++
1054    Pulse - Threat Globe            53              apps                    qapp-1054       ++      qapp-1054       +++++   5000    ++++
1051    QRadar Assistant                53              apps                    qapp-1051       ++      qapp-1051       +++++   5000    ++++
1053    Pulse - Dashboard               53              apps                    qapp-1053       ++      qapp-1053       +++++   5000    ++++
1101    User Analytics                  53              apps                    qapp-1101       -n                              0
                                        0               ui                      ui              ++      ui              +++++   5000    ++++
                                        0               graphql                 graphql         ++      graphql         +++++   5000    ++++
  3. Connect to the container for UBA by using the command: 
    /opt/qradar/support/recon connect 1101
    Note: In this example, the App-ID is 1101
  4. Change directories to /opt/app-root/store/psql/log by using the command: 
    cd /opt/app-root/store/psql/log
  5. in the file postgresql-<day>.log look for messages similar to: 
    “PANIC:  could not locate a valid checkpoint record”
“LOG:  startup process … was terminated by signal 6:  Aborted”
“LOG:  aborting startup due to startup process failure”
“LOG:  database system is shut down”
  6. Close the container by typing exit.

Resolving The Problem

The database within the UBA app is not running. Use this procedure to reset the write-ahead log.
  1. Use an SSH session to log in to the QRadar Console as root user.
  2. Stop the Postgresql service: 
    supervisorctl stop psql
  3. Reset the write-ahead log by using the command: 
    su postgres -c '/usr/pgsql-10/bin/pg_resetwal -f /store/psql'
  4. Restart the Postgresql service: 
    supervisorctl start psql
  5. Stop the application by using the qappmanager. 
    /opt/qradar/support/qappmanager
    1. After you located the App-ID for UBA, stop the application by using option 24.
    2. Choose a security profile.
    3. Choose the app instance to stop. 
      Choose option: 24

To execute this option, you must supply an Admin-capable Authorized Service authentication token

AUTHORIZED SERVICES (SP=Security Profile):
 ID | Name          | SP    | Role
------------------------------------
 2  | Assistant app | Admin | Admin
App instance - stop > Choose Authorized Service ID: 2

NOTE: Authorized Service Assistant app will be used for any further options that require authentication

APP INSTANCES (SP=Security Profile):
 ID   | Name                         | Status  | Task Status | Installed        | SP
-------------------------------------------------------------------------------------
 1051 | QRadar Assistant             | RUNNING | COMPLETED   | 2021-05-26 15:04 |
 1052 | QRadar Log Source Management | RUNNING | COMPLETED   | 2021-05-26 15:10 |
 1053 | pulse.full_name              | RUNNING | COMPLETED   | 2021-05-26 15:13 |
 1054 | threatglobe.name             | RUNNING | COMPLETED   | 2021-05-26 15:18 |
 1055 | QRadar Use Case Manager      | RUNNING | COMPLETED   | 2021-05-26 15:22 |
 1101 | User Analytics               | RUNNING | COMPLETED   | 2021-09-23 12:42 |
App instance - stop > Choose app instance ID:
    4. Repeat the procedure by using option 23 to start the application. 
      Choose option: 23

APP INSTANCES (SP=Security Profile):
 ID   | Name                         | Status   | Task Status | Installed        | SP
--------------------------------------------------------------------------------------
 1051 | QRadar Assistant             | RUNNING  | COMPLETED   | 2021-05-26 15:04 |
 1052 | QRadar Log Source Management | RUNNING  | COMPLETED   | 2021-05-26 15:10 |
 1053 | pulse.full_name              | RUNNING  | COMPLETED   | 2021-05-26 15:13 |
 1054 | threatglobe.name             | RUNNING  | COMPLETED   | 2021-05-26 15:18 |
 1055 | QRadar Use Case Manager      | RUNNING  | COMPLETED   | 2021-05-26 15:22 |
 1101 | User Analytics               | STOPPING | STOPPING    | 2021-09-23 12:42 |
App instance - start > Choose app instance ID: 1101
    5. Choose 0 to quit the qappmanager.
  6. Start a new browser session.
Results
The postgresql service is running and the UBA app can be upgraded.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.4.2;7.4.3"}]

Document Information

Modified date:
27 September 2021

UID

ibm16488491

Page Feedback