QRadar: A user is missing Quick Searches in the Log Activity window

Resolving The Problem

Important: This procedure involves restarting the Web Server service (Tomcat), which causes a disruption to accessing the GUI, and any user sessions on the GUI are disconnected during the restart. You might need to schedule a maintenance window for a restart, if unsure, check with your QRadar admin team.

1. Stop the Tomcat service

   systemctl stop tomcat

2. Open directory to view user configuration

   cd /store/users/;ls -lsa

3. Backup the affected user's current configuration. Substitute "user1" with your affected user.

   cp -v /store/users/user1/data.conf /store/users/user1/data.conf.old

4. Confirm that there are no arielSearches or dashboardSearches already configured (remove by manually editing the file in vi or vim if necessary):

   grep "arielSearches" /store/users/user1/data.conf
   grep "dashboardSearches" /store/users/user1/data.conf

5. To see the "admin" user configuration, you can use the previous grep command on the admin/data.conf file.

   Example output:

   [root@qradar ~]# grep "arielSearches" /store/users/admin/data.conf
   arielSearches.events=SYSTEM-46,58fbb7a2-b193-482b-bd5a-40e572f203f7,b35c8bba-e645-477f-8ee4-0dfd3d5165c5,SYSTEM-13,SYSTEM-49,SYSTEM-47,SYSTEM-48,e8a78a39-5560-4206-9c8c-6e348b867f31,DEFAULT-11,fd1d8b6d-c6b3-4a48-b90e-464d49db017e,726125ab-10d9-420d-ad08-1e2e255eae83,0af343b1-c856-4744-9567-4805880c0776,DEFAULT-12,e4629b2a-fcb0-4687-baa2-9d09b00668af,da80e139-bbeb-4d3b-8182-6e5a21e182a3,a0044158-61ea-4d65-9354-24e64c4ef277,e4668ef0-d628-4d28-90fd-64e35c18fe1a,5b490b12-1cf6-43f1-adfd-5172eae0c379,ea086de0-65ee-4960-86ea-133e68483172,b7d4479d-f886-47d0-8c23-0941850913fa,6acb65c6-a02f-40d0-8514-28f97c7ef1e9,DEFAULT-5,DEFAULT-7,843cdf57-ce35-475a-ad3d-73221e15c2c1,0d3cc801-52c3-4dbd-a43c-320cca195adc,1063430b-8c3c-41fb-984c-50550537a88a,7526e088-860e-4400-816e-e941837afd8e,83ec8164-6e0d-4f71-87da-2e86936d056b,5cf59874-edea-42ad-b845-ce4bdbe1abc8,6fc8e880-3d7c-44e8-98f7-883672fcd28c,12381bd2-f27f-4b45-9669-0db8043883e5,78d6a762-8480-4494-bc20-10540d4cc580,4a7d14b2-7c9a-4ea4-8e1a-db2d167cd37b,b233182f-b32d-4294-9b01-b1989fc18401,1319242b-615f-4976-829f-6fd62f735cc7,SYSTEM-DLP-35,SYSTEM-17,SYSTEM-16,DEFAULT-1,ecbff5ae-d9de-4fbf-a76b-f59d40744437
   arielSearches.flows=ed30e868-c726-4f40-a4c4-525931f63014,7864efb1-9fa3-461c-adfc-5bb4c44163cc,5f1fac19-9d38-4cc0-ad73-1dd2a0c2663c,0fe9b644-2660-4465-a2a5-ccaf7c167b1f,599c01f0-b8f8-4143-8e62-ba79f16d937d,81e5d75d-924d-4d72-97e9-a2096fa5e784,dc3906a8-c380-477f-ad01-e96b1e900d6d,f889a382-182b-4252-814b-b9128bf02cd2,6f2e9965-7d5f-423b-975e-5d92176c99a2,1fc0c21a-8e6a-4f58-9c77-8fc534691d82,ba619aed-70cc-4eeb-ba23-452ceb81b72a,2c7800c3-a5a0-47f4-92c7-f0c0e3a42708,2f3c3af5-f76f-4d15-9a8d-c154a1e15772,91c512fb-69ae-4a2f-ba12-dccc308db1d6,089ef438-dae0-4dec-b263-19232d5f9fce,e24debde-55bb-4e03-b9a8-aefb70827108,c9a98ae2-1554-4245-a7d6-f7a5f0d0fdee,DEFAULT-8,3dccb52e-f69e-4820-a42f-349e5d357d9d,3627a24b-7d7d-4465-a714-98a98415cb93,b36aaee8-d1f3-44ae-82a0-db18ac8de7d2,29426d78-ff75-4516-bd8a-0c796c2f996b,78b782f0-75ae-448a-ba2f-54b9170f3112
   [root@qradar ~]# 

    
6. Copy the arielSearches and dashboardSearches sections from the admin user the affected user.

   grep "arielSearches.events" /store/users/admin/data.conf >> /store/users/user1/data.conf
   grep "arielSearches.flows" /store/users/admin/data.conf >> /store/users/user1/data.conf
   grep "dashboardSearches.events" /store/users/admin/data.conf >> /store/users/user1/data.conf
   grep "dashboardSearches.flows" /store/users/admin/data.conf >> /store/users/user1/data.conf

7. Start the Tomcat service.

   systemctl start tomcat

8. Check the result in Log Activity. If the result does not look correct, you can revert the data.conf file to the original file in Step 3, and use another user than "admin" to copy the information from.