IBM Support

QRadar: Logs can display a benign error for skipped searches when Manage Identity Exclusion interface is loaded

Troubleshooting


Problem

Administrators can see a benign error display in the QRadar logs when they attempt to use the Manage Identity Exclusion user interface. The error displays an AssetProfilerConfig error with a message related to a search name that is not loaded due to a missing attribute column. As the search does not contain any asset fields, it is not loaded by the user interface and a message is logged. The message in the logs is not a true error, but a confirmation that the search was not displayed in the user interface as it does not include asset data.

Symptom

Order of operations that can cause this error message to display in the logs:
  1. Log in to the QRadar Console with an administrator permission.
  2. Click the Admin tab.
  3. Click the Manage Identity Exclusion icon.
    image-20231106151340-1
  4. As the interface loads, the system confirms what data to display to the user. If a search does not relate to asset data, the following message with the search is written to the logs to display it was skipped on purpose.
    com.q1labs.assetprofilerconfiguration.ui.util.AssetProfilerConfig: [ERROR] [NOT:0000003000][<IP>/- -] 
    [-/- -]Cannot add event query "Nonassets_event_search" to list due to missing attribute column. Skipping.
  5. The user interface loads as expected. No errors are displayed in the Manage Identity Exclusions interface.

    Results
    The search mentioned in the log is not displayed by design as the search does not include any asset information, such as an asset ID. The type for the message displays ERROR, but it is benign and can be ignored by the administrator.

Cause

This benign error is generated when the user interface when asset profiler attempts to get a list of saved searches for the user. The Manage Identity Exclusions interface completes several checks to determine whether a saved search is displayed to the user. If any search does not fit the purpose or contain asset related fields, it is skipped and the benign error message is written to the logs.

Full log error message:
Oct 13 10:39:28 :127.0.0.1 [tomcat.tomcat] [<user>@<IP> (5632) /console/adminconsole/jsp/assets/ManageIdentityExclusion.jsp] 
com.q1labs.assetprofilerconfiguration.ui.util.AssetProfilerConfig: [ERROR] [NOT:0000003000][<IP>/- -] 
[-/- -]Cannot add event query Noassets_event_searches to list due to missing attribute column. Skipping.

Environment

All QRadar versions.

Resolving The Problem

There is no issue to resolve and the message is generated in the logs to inform administrators of a search that did not display in the user interface as the search is not related to assets.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.5.0","Type":"MASTER"}]

Document Information

Modified date:
07 November 2023

UID

ibm17060775