IBM Support

QRadar: API queries to the log_source_management endpoint return "null" results

Troubleshooting


Problem

When the API is used to query a log source, the JSON response can contain "null" values. Null data in most fields of the response usually indicates that the caller lacks the permissions needed to pull all of the data from the /config/event_sources/log_source_management/log_sources endpoint. It is not uncommon for a user with incorrect permissions to receive only the log source ID and the name, with the rest of the parameters returned as null. If most values are null, review the permissions of the user or of the authorized service token.

Cause

The common cause for this issue is incorrect permissions for the user or token.

Diagnosing The Problem

To diagnose this issue, you can use either the Interactive API for Developers page or the Console CLI.
Procedure
  1. Log in to the QRadar Console.
  2. Click the Admin tab, Log Sources icon.
  3. Retrieve the Log Source ID for the log source. In this example, the log source ID is 512.
  4. In the Interactive API for Developers, navigate to the /config/event_sources/log_source_management/log_sources/{id} endpoint.
  5. In the Parameters, type your log source ID and click Try it Out.

    Results
    As all fields are null, except for the name, id, and description, the user or authorized token does not have the correct permissions to poll for all data.
    Optionally, administrators familiar with the command line can use curl to verify the results. For example:
    curl -S -X GET -H 'SEC:<token>' -H 'Range: items=0-49' -H 'Version: 16.0' -H 'Accept: application/json' \
      'https://<console-IP>/api/config/event_sources/log_source_management/log_sources' | grep <Log source ID>
    Response output:
    {"sending_ip":null,"internal":null,"protocol_parameters":null,"description":"",
    "coalesce_events":null,"enabled":null,"parsing_order":null,"average_eps":null,
    "group_ids":null,"credibility":null,"id":818,"store_event_payload":null,
    "target_event_collector_id":null,"protocol_type_id":null,"language_id":null,
    "creation_date":null,"wincollect_external_destination_ids":null,
    "log_source_extension_id":null,"name":"4913-Linux","modified_date":null,
    "auto_discovered":null,"type_id":null,"last_event_time":null,"requires_deploy":null,
    "gateway":null,"wincollect_internal_destination_id":null,"status":null,
    "disconnected_log_collector_id":null}
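The same check, scripted: an added example (not IBM's code) that sends the headers used by the curl command above and flags a log source whose fields beyond id, name and description are mostly null. The console address, token, sample values and the 80% null cut-off are assumptions; the two sample records are constructed from the responses shown on this page.

```python
import json
import urllib.request

# Field names from the page's sample response for one log source.
FIELDS = ("sending_ip internal protocol_parameters description coalesce_events enabled "
          "parsing_order average_eps group_ids credibility id store_event_payload "
          "target_event_collector_id protocol_type_id language_id creation_date "
          "wincollect_external_destination_ids log_source_extension_id name modified_date "
          "auto_discovered type_id last_event_time requires_deploy gateway "
          "wincollect_internal_destination_id status disconnected_log_collector_id").split()

# The page shows these three fields still populated for an under-privileged caller.
ALWAYS_RETURNED = {"id", "name", "description"}

# Constructed sample mirroring the under-privileged response on this page.
LIMITED_SAMPLE = {**{f: None for f in FIELDS}, "id": 818, "name": "4913-Linux", "description": ""}

# Constructed sample mirroring the fully authorised response (values shortened, id changed).
FULL_SAMPLE = dict(LIMITED_SAMPLE, id=512, sending_ip="192.0.2.10", internal=False,
                   protocol_parameters=[{"name": "identifier", "id": 12, "value": "example"}],
                   coalesce_events=True, enabled=True, parsing_order=2, average_eps=3,
                   group_ids=[0], credibility=5, store_event_payload=True,
                   target_event_collector_id=7, protocol_type_id=0, language_id=1,
                   creation_date=1650385422568, modified_date=1650385422568,
                   auto_discovered=False, type_id=11, last_event_time=1650387600885,
                   requires_deploy=False, gateway=False, status={"status": "ERROR"})

def fetch_log_sources(console_ip, token, first=0, last=49):
    """GET the log_sources endpoint with the headers the page's curl example uses.
    console_ip and token are placeholders supplied by the caller (assumed, not on the page)."""
    url = f"https://{console_ip}/api/config/event_sources/log_source_management/log_sources"
    headers = {"SEC": token, "Version": "16.0", "Accept": "application/json",
               "Range": f"items={first}-{last}"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as r:
        return json.load(r)

def null_fields(log_source):
    """Fields returned as null, ignoring the three that are populated regardless of permissions."""
    return sorted(k for k, v in log_source.items() if v is None and k not in ALWAYS_RETURNED)

def looks_permission_limited(log_source, threshold=0.8):
    """True when at least `threshold` of the checkable fields are null (assumed cut-off):
    the symptom the page attributes to a missing Manage Log Sources or admin permission."""
    checkable = [k for k in log_source if k not in ALWAYS_RETURNED]
    return bool(checkable) and len(null_fields(log_source)) / len(checkable) >= threshold

def flagged_ids(log_sources):
    """IDs of log sources whose response looks permission-limited, for the admin to review."""
    return [ls["id"] for ls in log_sources if looks_permission_limited(ls)]
```

Run fetch_log_sources() with your console and token and pass the result to flagged_ids(); a healthy response still carries a few legitimate nulls (the WinCollect and extension fields), which is why the check uses a ratio rather than any single null.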

Resolving The Problem

Create an authorized services token with the required permissions.

Procedure

  1. To create an Authorized Services token, you must configure:
    • User role: The User Role must have the "System Administrator", "Security Admin" or "Manage Log Sources" permission to retrieve all fields of a log source. Without one of those permissions, you can still call the GET endpoints, but you receive only the ID and name fields and none of the configuration details. For more information, see User roles.
    • Security profile: Security profiles define which networks, log sources, and domains a user can access. For this permission issue, the user role is what matters, not the security profile. For more information, see Security profiles.
  2. Verify that the User Role has the following permissions:
    • Delegated Administration
    • Manage Log Source
    • Log Activity (managing Log Sources requires Log Activity)
      Note: Other QRadar API endpoints exhibit the same behavior, returning 'null' values when the user or token does not have the correct permissions.

      Results
      After the authentication token or user is configured with the correct permissions, the JSON response displays all values for the log source. For example, the interactive API response is 200 and includes all configured fields for the log source.

      Example curl output:
      {"sending_ip":xx.xx.xx.xx.xx,"internal":false,"protocol_parameters":
      [{"name":"identifier","id":12,"value":"example"},
      {"name":"incomingPayloadEncoding","id":1,"value":"UTF-8"}],
      "description":"","coalesce_events":true,"enabled":true,"parsing_order":2,
      "average_eps":3,"group_ids":[0],"credibility":5,"id":818,
      "store_event_payload":true,"target_event_collector_id":7,
      "protocol_type_id":0,"language_id":1,"creation_date":1650385422568,
      "wincollect_external_destination_ids":null,"log_source_extension_id":null,
      "name":"test-Linux","modified_date":1650385422568,"auto_discovered":false,"type_id":11,
      "last_event_time":1650387600885,"requires_deploy":false,"gateway":false,
      "wincollect_internal_destination_id":null,"status":{"last_updated":0,"messages":
      [{"severity":"ERROR","text":"Events have not been received from this Log Source in over 720
      minutes.","timestamp":null}],"status":"ERROR"},"disconnected_log_collector_id":null}


Document Location

Worldwide


Document Information

Modified date:
27 February 2023

UID

ibm16562259