IBM Support

QRadar: Disconnected Log Collector service fails to start with the error log message "Exception was uncaught in thread: main java.lang.NullPointerException: null"

Troubleshooting


Problem

After you configure the connection between an IBM Disconnected Log Collector (DLC) and QRadar®, the DLC service might fail to start with a NullPointerException error.

Symptom

When this issue occurs, the following error message is seen in the /var/log/dlc/dlc.log file:
[main] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000]Exception was uncaught in thread: main java.lang.NullPointerException: null
        at com.q1labs.frameworks.core.JMXHelper.<init>(JMXHelper.java:53) ~[q1labs_core_frameworks.jar:?]
        at com.q1labs.frameworks.core.FrameworksContext.initServices(FrameworksContext.java:552) ~[q1labs_core_frameworks.jar:?]
        at com.q1labs.frameworks.core.FrameworksContext.initFrameworks(FrameworksContext.java:247) ~[q1labs_core_frameworks.jar:?]
        at com.eventgnosis.system.RuntimeController.main(RuntimeController.java:647) ~[q1labs_sem.jar:?]
        at com.ibm.si.service.dlc.ServiceRunner.main(ServiceRunner.java:26) ~[q1labs_dlc-service.jar:?]

Cause

The problem might be caused by a missing entry in the /etc/hosts file. The entry must contain the Disconnected Log Collector IP address and fully qualified domain name (FQDN).

Diagnosing The Problem

Use the following steps to determine whether the problem affects your Disconnected Log Collector.
  1. SSH in to your QRadar console.
  2. SSH to the Disconnected Log Collector host.
  3. Look for the IP address for the primary network connection of the Disconnected Log Collector by running the following command:
    ip addr show 
    The primary network connection interface is usually eth0 or ens192. For example, in the following output, the IP address 10.11.12.13 is associated with ens192:
     
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc prio state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP group default qlen 1000
        link/ether 00:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
        inet 10.11.12.13/24 brd 10.0.0.8 scope global ens192
           valid_lft forever preferred_lft forever
  4. Get the fully qualified domain name by running the following command:
    hostnamectl

    The fully qualified domain name is the Static hostname. For example:
    Static hostname: machinename.ibm.com
  5. Check the /etc/hosts file with a text editor and confirm whether the IP address and FQDN for the machine are present by using the following command:
    cat /etc/hosts

    Result
    This sample output contains the local loopback addresses, but not the IP address or fully qualified domain name obtained in the procedure, so it exhibits the issue:
    127.0.0.1       localhost.localdomain localhost
    ::1     localhost6.localdomain6 localhost6 localhost.localdomain localhost
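
The checks in steps 3 to 5 can be scripted so that the comparison is not done by eye. The following is an added example, not IBM code: the function names are hypothetical, and it assumes the first global-scope IPv4 address is the primary connection of the Disconnected Log Collector.

```bash
#!/usr/bin/env bash
# Added example (not from IBM): verify that a hosts file maps the DLC's
# IP address to its fully qualified domain name. Function names are
# hypothetical.

# hosts_has_entry FILE IP FQDN
# Returns 0 when FILE has a non-comment line whose first field is IP and
# whose remaining fields (canonical name or aliases) include FQDN.
hosts_has_entry() {
    awk -v ip="$2" -v fqdn="$3" '
        { sub(/#.*/, "") }                  # drop comments before matching
        $1 == ip {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# primary_ipv4: first global-scope IPv4 address (assumed to be the
# primary connection, such as eth0 or ens192).
primary_ipv4() {
    ip -4 -o addr show scope global 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# static_fqdn: the "Static hostname" value reported by hostnamectl.
static_fqdn() {
    hostnamectl 2>/dev/null |
        awk -F': *' '/Static hostname/ { print $2; exit }'
}

# check_dlc_hosts [FILE]: run the diagnosis on the local machine.
# Returns 0 if the entry exists, 1 if it is missing, 2 if the IP address
# or FQDN could not be determined.
check_dlc_hosts() {
    local file="${1:-/etc/hosts}" ip fqdn
    ip="$(primary_ipv4)"; fqdn="$(static_fqdn)"
    if [ -z "$ip" ] || [ -z "$fqdn" ]; then
        echo "could not determine IP address or FQDN" >&2; return 2
    fi
    if hosts_has_entry "$file" "$ip" "$fqdn"; then
        echo "OK: $file maps $ip to $fqdn"
    else
        echo "MISSING: add '$ip $fqdn ${fqdn%%.*}' to $file"; return 1
    fi
}
```

Source the file on the Disconnected Log Collector host and run check_dlc_hosts; a commented-out entry is reported as missing.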
    

     

Resolving The Problem

To correct the problem, manually edit the /etc/hosts file and add the missing entry.
  1. SSH in to your QRadar console.
  2. SSH to the Disconnected Log Collector host.
  3. Back up the /etc/hosts file by running the following commands:
    mkdir -p /store/IBM_Support/
    cp -fv /etc/hosts /store/IBM_Support/hosts-$(date +%F)
  4. Edit the /etc/hosts file and add an entry for the local machine IP address, fully qualified domain name, and short name to the file. Use the local Disconnected Log Collector machine name and IP address. 
    You can use vim to edit the file:
    vim /etc/hosts
    
    Edited example:
    127.0.0.1       localhost.localdomain localhost
    10.11.12.13    machinename.ibm.com machinename 
  5. Save the changes to the file.
  6. Restart the DLC service by using the following command:
    systemctl restart dlc

    Result
    The DLC service starts and administrators can proceed to add log sources to the Disconnected Log Collector. If the DLC service does not start, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
31 October 2022

UID

ibm16832476