IBM Support

QRadar: How to determine if your UBA database is corrupted and how to re-create it

Troubleshooting


Problem

It is possible to encounter corruption in the UBA postgres database. In this instance, you can re-create the database without having to uninstall and reinstall UBA.

This workaround applies to UBA 4.1.9 and higher.

Symptom

If you see similar errors as in the following examples, you might have a corrupted database.

messages log file:

Jan 24 13:02:38 qradar_apphost_server kernel: [6316612.508367] [<ffffffffa7fc25ad>] oom_kill_process+0x2cd/0x490
Jan 24 13:02:50 qradar_apphost_server kernel: postgres invoked oom-killer: gfp_mask=0xd0, order=0, oom_score_adj=0

You can check the UBA logs to help you determine whether the UBA database is corrupted. Enter the directory and check the log files:

cd /store/docker/volumes/qapp-1101/logs

app.log:

2023-02-01 16:55:42,222 [DummyThread-4] [ERROR] [APP_ID:1101] [NOT:0000003000] Failed to generate dashboard top panel: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.

2023-02-01 16:55:42,231 [DummyThread-5] [ERROR] [APP_ID:1101] [NOT:0000003000] Failed to generate system score graph data: FATAL: the database system is in recovery mode

user_import_service.log:

2023-02-01 14:49:07,751 [user_import_service.run] [ERROR] - FATAL: the database system is in recovery mode

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"TS011924617","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
20 October 2023

UID

ibm17054882