IBM Support

QRadar: Disconnected Log Collector service fails to start with the error log message "Exception was uncaught in thread: main java.lang.NullPointerException: null"



After you configure the connection between an IBM Disconnected Log Collector (DLC) and QRadar®, the DLC service might fail to start with a NullPointerException error.


When this issue occurs, the following error message in the /var/log/dlc/dlc.log is seen:
[main] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000]Exception was uncaught in thread: main java.lang.NullPointerException: null
        at com.q1labs.frameworks.core.JMXHelper.<init>( ~[q1labs_core_frameworks.jar:?]
        at com.q1labs.frameworks.core.FrameworksContext.initServices( ~[q1labs_core_frameworks.jar:?]
        at com.q1labs.frameworks.core.FrameworksContext.initFrameworks( ~[q1labs_core_frameworks.jar:?]
        at com.eventgnosis.system.RuntimeController.main( ~[q1labs_sem.jar:?]
        at ~[q1labs_dlc-service.jar:?]


The problem might be caused by a missing entry in the /etc/hosts file. The entry must contain the Disconnected Log Collector IP address and fully qualified domain name (FQDN).

Diagnosing The Problem

Use the following steps to determine whether the problem affects your Disconnected Log Collector.
  1. SSH in to your QRadar console.
  2. SSH to the Disconnected Log Collector host.
  3. Look for the IP address for the primary network connection of the Disconnected Log Collector by running the following command:
    ip addr show 
    The primary network connection interface is usually eth0 or ens192. For example, in the following output, the IP address is associated to ens192:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc prio state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP group default qlen 1000
        link/ether 00:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
        inet brd scope global ens192
           valid_lft forever preferred_lft forever
  4. Get the fully qualified domain name by running the following command:

    The fully qualified domain name is the Static hostname. For example:
    Static hostname:
  5. Check the /etc/hosts file with a text editor and confirm whether the IP address and FQDN for the machine are present by using the following command:
    cat /etc/hosts

    This sample output contains the local loopback addresses, but not the IP address or fully qualified domain name obtained in the procedure, so it exhibits the issue:       localhost.localdomain localhost
    ::1     localhost6.localdomain6 localhost6 localhost.localdomain localhost


Resolving The Problem

To correct the problem, edit manually the /etc/hosts file and add the missing entry.
  1. SSH in to your QRadar console.
  2. SSH to the Disconnected Log Collector host.
  3. Back up the /etc/hosts file by running the following commands:
    mkdir -p /store/IBM_Support/
    cp -fv /etc/hosts /store/IBM_Support/hosts-$(date +%F)
  4. Edit the /etc/hosts file and add an entry for the local machine IP address, fully qualified domain name, and short name to the file. Use the local Disconnected Log Collector machine name and IP address. 
    You can use vim to edit the file:
    vim /etc/hosts
    Edited example:       localhost.localdomain localhost machinename 
  5. Save the changes to the file.
  6. Restart the DLC service by using the following command:
    systemctl restart dlc

    The DLC service starts and administrators can proceed to add log sources to the Disconnected Log Collector. If the DLC service does not start, contact QRadar Support for assistance

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt9AAA","label":"DLC"}],"ARM Case Number":"TS010134796","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
31 October 2022