IBM Support

QRadar: Manually installed DSM or Protocol RPMs do not display in UI due to permissions

Troubleshooting


Problem

The installation output of a manual rpm installation shows that the rpm was installed successfully, however the DSM or Protocol is not displayed as an option on the Log Source Management App.

Symptom

The rpm shows as installed. However, it is not displayed as a log source type option when you create a new log source nor in the DSM Editor.
The installation output shows the following error messages:
cp: cannot create regular file ‘<path_to_file>’: No such file or directory
Error: Execution Failed of :cp -pf <path_to_file> <path_to_file> :, exiting
Example:
image 12410

Cause

This issue occurs due to permissions issues when running the RPM installation while logged in to an account other than root even if the other account has sudo permission.

Environment

All QRadar versions except QRadar on Cloud.

Diagnosing The Problem

The output of the installation shows the rpm as installed. To validate if the rpm is installed, you can run this command:
rpm -qa rpm | grep -i <rpm-name>

Example:
rpm -qa | grep -i DSM-WinCollect
DSM-WinCollect-7.4-20210817165702.noarch

rpm -qa | grep -i PROTOCOL-Microsoft
PROTOCOL-MicrosoftGraphSecurityAPI-7.4-20211004154952.noarch
PROTOCOL-MicrosoftAzureEventHubs-7.4-20191218165336.noarch

Resolving The Problem

  1. Download the RPM from Fix Central.
  2. Use an SCP client to transfer the RPM to the Console in a directory such as /storetmp or /store/IBM_Support.
  3. Use SSH to log in to the Console as root user.
  4. Remove the RPM by using the command:
    yum -y remove <rpmname>
  5. Navigate to the directory where the RPM file is located.
  6. Reinstall the RPM by using the command:
    yum -y install <rpmname>
    Important: When the Tomcat service restarts, the QRadar UI is not available to all users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
  7. Restart the Tomcat service by using the command:
    systemctl restart tomcat
Note: If you use another account other than root run "su - " or "sudo -i" to switch to root. For more information on how to use sudo with QRadar see: How to sudo or su to root in QRadar
Results
The Log Source Type now appears in the Log Source Management app.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
30 November 2021

UID

ibm16509516