IBM Support

[IJ25819] QRadar: How to resolve "java.lang.NoClassDefFoundError"

Troubleshooting


Problem

Steps to resolve defect IJ25819, "java.lang.NoClassDefFoundError" exception.

Symptom

  • The ecs-ec-Ingress service can fail to load properly due to:
    Error : java.lang.NoClassDefFoundError: com.amazonaws.auth.AWSCredentialsProvider
    NOTE: When the ecs-ec-ingress service fails to load, events are not being collected or processed by QRadar.
  • Error from /var/log/qradara.log indicating a missing class (java.lang.NoClassDefFoundError):
    Oct 2 22:52:46 ::ffff:10.204.251.206 [ecs-ec-ingress.ecs-ec-ingress] [Thread-20] Caused by: 
    java.lang.NoClassDefFoundError: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException

Cause

A missing file from the lib directory.

Resolving The Problem

  1. SSH into the QRadar as the root user.
  2. Locate which file includes the missing class:
    grep -ir <class_name> /opt/qradar/jars/*
    Example:
    grep -ir com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException /opt/qradar/jars/*
    Binary file /opt/qradar/jars/aws-java-sdk-1.11.545.jar matches
     
  3. Verify whether the file is missing
    1. Update the locate command database:
      updatedb
    2. To find the file, run:
      locate aws-java-sdk-1.11.545.jar
    3. Locate the run location:
      grep aws-java-sdk-1.11.545.jar  /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/config/EC_Ingress.xml

      Note: If the command says q1labs/AmazonAWSRESTAPI/aws-java-sdk-1.11.545.jar, then check whether the file exists in /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/AmazonAWSRESTAPI/.
  4.  If the file is missing, then copy the file to /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/AmazonAWSRESTAPI/
    cp /opt/qradar/jars/aws-java-sdk-1.11.545.jar /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/AmazonAWSRESTAPI/
  5. Force reload of AmazonAWSRESTAPI protocol:
    touch /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_amazonawsrest.jar

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
18 September 2023

UID

ibm17028900