IBM Support

QRadar: "Failed to parse IP address" errors from the Accumulator

Troubleshooting


Problem

The following error is constantly logged in /var/log/qradar.log:

[accumulator.accumulator] [Preprocessor(events)_765][ERROR] [NOT:0000003000][-/- -]Exception was uncaught in thread: Preprocessor(events)_765

[accumulator.accumulator] [Preprocessor(events)_765] com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address:

The number of these messages in qradar.log grows rapidly, which can quickly fill the /var/log/ partition.

Cause

The accumulator service is running an invalid search: a Global View filter compares a property that holds string or numeric data against a reference set whose element type is IP. Because the property value is not an IP address, QRadar cannot parse it and the exception is thrown on every evaluation.

Resolving The Problem

You need to disable any Global View whose filter looks up a value that is not an IP in an IP-type reference set. Use the collectGvStats.sh tool to dump the Accumulator running configuration, then review all the Global Views with saved searches related to reference sets.
  1. SSH to the QRadar console as the root user.
  2. Run the following command to get the Accumulator running configuration:
    /opt/qradar/support/collectGvStats.sh -c
    Output example:
    Invoking operation: dumpRunningConfig ( /tmp/AccumulatorTMP.1685407167.xml )
    Result: Done.

    INFO: The Accumulator's running config has been written to /root/Accumulator.RunningConfig.1685407167.xml
    The last line of the output gives the path of the file that contains the configuration. In this example, it is /root/Accumulator.RunningConfig.1685407167.xml.
  3. From the Accumulator.RunningConfig file, get the IDs of the Global Views that use reference sets. Run the following command:
    grep -iB20 "ReferenceSetPredicate" /root/Accumulator.RunningConfig.*.xml | grep -i "globalView id"
    Output example:
    <globalView id="10074" version="1" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1687292453784" daily="-1" dailyTime="1687292453784" intervalMilliseconds="900000" writeUniqueCountersTime="0">
    In this example, the ID is GV 10074.
  4. Log in to the QRadar user interface, go to Admin, then click Aggregated Data Management.
  5. Select Aggregated Data View in the Display field, and type your GV ID in the search bar, for example, 10074.
  6. Double-click the Aggregated Data Id to open the content dependencies, then review the saved searches linked to your Global View by clicking the search shown in blue under the Search Details section.
  7. Analyze which of the Current Filters searches an IP-type reference set for a value that is not an IP address. In this example, the problem is the filter QID Number exists in any of test1: this saved search is trying to find a QID in the IP-type reference set called test1.
    Note: Be aware that if you disabled the report or Toggle Scheduling, the Global View disappears from the Aggregated Data Management app; however, the issue persists in your system.

Result

The Current Filter that searches an IP-type reference set for an invalid IP is fixed. This action stops the Failed to parse IP address errors in qradar.log.
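As an added example (not part of the IBM procedure), the following shell functions do the work of step 3 by tracking the enclosing globalView element instead of relying on a fixed 20-line grep context window, so a ReferenceSetPredicate that sits further down in a view's definition is still attributed to the right ID. The sample configuration file is constructed for illustration; apart from the globalView and ReferenceSetPredicate names taken from the procedure, its element and attribute names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure. Lists the id of every
# <globalView> in an Accumulator running-config dump whose body contains a
# ReferenceSetPredicate (matched case-insensitively, like the grep -i in step 3).
# Tracks the enclosing element instead of using a fixed -B20 context window.

gv_with_refset() {
  # $1 = path to Accumulator.RunningConfig.<timestamp>.xml
  awk '
    /<globalView[[:space:]]/ {              # opening tag of a Global View
      id = ""; flagged = 0
      if (match($0, /[[:space:]]id="[0-9]+"/)) { id = substr($0, RSTART + 5, RLENGTH - 6) }
    }
    id != "" && !flagged && tolower($0) ~ /referencesetpredicate/ {
      print id; flagged = 1                  # report each view once
    }
    /<\/globalView>/ { id = "" }            # leave the element
  ' "$1"
}

# Constructed sample dump: element and attribute names other than globalView
# and referenceSetPredicate are assumptions for illustration only.
write_sample_config() {
  cat > "$1" <<'EOF'
<accumulatorRunningConfig>
  <globalView id="10074" version="1" recordClassName="NormalizedEvent">
    <filters>
      <referenceSetPredicate property="qid" referenceSet="test1"/>
    </filters>
  </globalView>
  <globalView id="10075" version="1" recordClassName="NormalizedFlow">
    <filters>
      <rangePredicate property="sourcePort" low="1" high="1024"/>
    </filters>
  </globalView>
  <globalView id="10090" version="1" recordClassName="NormalizedEvent">
    <filters>
      <referenceSetPredicate property="sourceIP" referenceSet="blocklist"/>
    </filters>
  </globalView>
</accumulatorRunningConfig>
EOF
}

# Stand-alone run against the constructed sample:
# tmp=$(mktemp); write_sample_config "$tmp"; gv_with_refset "$tmp"; rm -f "$tmp"
```

Every ID printed still has to be reviewed in Aggregated Data Management as in steps 4 to 7, since a view that matches an IP property against an IP reference set (10090 in the sample) is valid and only the non-IP lookup (10074) causes the error.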


Document Location

Worldwide


Document Information

Modified date:
22 June 2023

UID

ibm16999195