Troubleshooting
Problem
QRadar: Log Activity search returning error with message: The server encountered an error reading one or more files.
Symptom
On the Log Activity tab, the search fails to complete and shows the error:
The server encountered an error reading one or more files
Diagnosing The Problem
At times, a search does not complete and the Log Activity tab shows the message: The server encountered an error reading one or more files.
Review the /var/log/qradar.error file around the time of the search for the following messages:
May 5 19:12:57 ::ffff:N.N.N.N [ariel_proxy.ariel_proxy_server] [ariel_client /N.N.N.N:56398]
com.q1labs.ariel.searches.AccessManager: [WARN] [NOT:0000004000][N.N.N.N/- -] [-/- -]
Security check failed, using admin only permission
May 5 19:12:57 ::ffff:N.N.N.N [ariel_proxy.ariel_proxy_server] [ariel_client /N.N.N.N:56398]
java.lang.RuntimeException:
Unable to get ACL for ariel_proxy, id=1aa37869-9eb2-4389-bf23-e00bd77159b9,
sid=10b4881c-b360-4392-bea4-1b46e21b688b
..
May 5 19:12:57 ::ffff:N.N.N.N [ariel_proxy.ariel_proxy_server] [ariel_client /N.N.N.N:56398]
Caused by:
May 5 19:12:57 ::ffff:N.N.N.N [ariel_proxy.ariel_proxy_server] [ariel_client /N.N.N.N:56398]
com.ibm.si.security_model.access_control.exceptions.InvalidAclIdException:
No ACL Descriptor exists: 1aa37869-9eb2-4389-bf23-e00bd77159b9
The key here is to note the message:
java.lang.RuntimeException: Unable to get ACL for ariel_proxy,
id=1aa37869-9eb2-4389-bf23-e00bd77159b9, sid=10b4881c-b360-4392-bea4-1b46e21b688b
which indicates a missing ACL Descriptor for id=1aa37869-9eb2-4389-bf23-e00bd77159b9. The ID in your qradar.error log file might differ from the one shown in this example.
Resolving The Problem
In this example, the sample logs contain the following ID entry:
id=1aa37869-9eb2-4389-bf23-e00bd77159b9
Perform the steps for every entry returned by the following command:
grep -r "Unable to get ACL for ariel" /var/log/qradar.error | grep -o -E 'id=[0-9a-z-]+, sid=[0-9a-z-]+' | sort --unique
Important: The next set of steps requires a service restart. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
For each record in the output from the grep command, follow these steps on the console. Restart the ariel_proxy_server service on the QRadar console only after you move the files associated with all the IDs reported in the qradar.error log file.
- Create a backup directory on the QRadar console, for example:
mkdir -p /store/ibm_support/search_issue
- Stop the ariel proxy server service on the console:
/opt/qradar/systemd/bin/manual.sh ariel_proxy_server systemctl stop ariel_proxy_server
- Find the files for the specified ID value:
ls -larth /store/transient/ariel_proxy.ariel_proxy_server/data/ | grep -i 1aa37869-9eb2-4389-bf23-e00bd77159b9
- Move the files with the alias, desc, meta, data, and off extensions that the third step found for the ID to the example backup directory:
mv /store/transient/ariel_proxy.ariel_proxy_server/data/1aa37869-9eb2-4389-bf23-e00bd77159b9* /store/ibm_support/search_issue/
- After you move all the files associated with every ID identified in the output of the grep command for "Unable to get ACL for ariel", start the ariel proxy server service on the console:
/opt/qradar/systemd/bin/manual.sh ariel_proxy_server systemctl start ariel_proxy_server
- Run the Log Activity search again to confirm that you get the search results successfully. If you observe the same search error again on the Log Activity tab, analyze the qradar.error file for any new IDs reporting the ACL Descriptor error and resolve it by using the steps provided earlier.
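The find and move steps above, generalized into a loop over every ID in the log, as an added example (not IBM's code). The function names acl_ids and move_acl_files, the dry-run default, and the strict UUID pattern (based on the sample ID) are assumptions of this example; stop and start ariel_proxy_server around it as the steps describe.

```shell
#!/bin/sh
# Added example, not IBM's code. Default paths are the ones used on this page.
LOG="${LOG:-/var/log/qradar.error}"
DATA_DIR="${DATA_DIR:-/store/transient/ariel_proxy.ariel_proxy_server/data}"
BACKUP_DIR="${BACKUP_DIR:-/store/ibm_support/search_issue}"

# acl_ids LOGFILE
# Print each unique id= value from "Unable to get ACL for ariel" lines.
# Only well-formed UUIDs are emitted (assumption: IDs look like the sample),
# so a damaged or unexpected log line can never widen the file glob below.
acl_ids() {
    sed -n -E 's/.*Unable to get ACL for ariel[a-z_]*, id=([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}), sid=.*/\1/p' "$1" \
        | sort -u
}

# move_acl_files LOGFILE DATA_DIR BACKUP_DIR [--apply]
# Without --apply this is a dry run that only prints the planned moves.
# Prints one "src -> dest" line per regular file whose name starts with an ID.
move_acl_files() {
    log=$1 data=$2 backup=$3 mode=${4:-}
    if [ "$mode" = "--apply" ]; then mkdir -p "$backup"; fi
    acl_ids "$log" | while IFS= read -r id; do
        for f in "$data/$id"*; do
            [ -f "$f" ] || continue   # glob matched nothing, or not a regular file
            echo "$f -> $backup/"
            if [ "$mode" = "--apply" ]; then mv -- "$f" "$backup/"; fi
        done
    done
}

# Dry run by default; pass --apply only after ariel_proxy_server is stopped.
if [ -r "$LOG" ]; then
    move_acl_files "$LOG" "$DATA_DIR" "$BACKUP_DIR" "${1:-}"
fi
```

Review the dry-run output before rerunning with --apply; files for IDs that do not appear in the log stay in place.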
Results
The steps provided resolve the message "The server encountered an error reading one or more files".
Document Location
Worldwide
Document Information
Modified date:
21 February 2023
UID
ibm16619599