Troubleshooting
Problem
Users on QRadar 7.5.0 Update Package 4 or can experience an issue where the machine learning model fails to build and displays an "unable to connect to Ariel" error. This issue is resolved in the latest release of UBA, which is 4.1.14.
Symptom
Machine learning models fail to build.
Environment
QRadar 7.5.0 Update Package 4 or later with UBA app version 4.1.13 installed. The changes described in this technical note to resolve the issue must be made on the Console or the App Host, depending on where the application is running.
Diagnosing The Problem
When this issue occurs, administrator might experience issues with the machine learning model as it cannot connect to query the Console. To diagnose this issue, administrators can review the app.log for IOException or RESTClient error messages.
Example 1: The app.log can display a connect timed out error.
ERROR c.i.s.j.r.RESTClient [pool-26-thread-1] IOException: Could not connect to Ariel Server:
Connect to xxx.xxx.xxx.xxx:443 [/xxx.xxx.xxx.xxx] failed: connect timed out
Example 2: The RESTAPIClient can display a connect timed out error.
FATAL c.i.i.c.RESTClientFactory [pool-26-thread-1] Could not instantiate RESTClient
com.ibm.si.jaql.api.ArielConnectionException: Connect to xxx.xxx.xxx.xxx:443 [/xxx.xxx.xxx.xxx] failed: connect timed out
at com.ibm.si.jaql.rest.RESTClient.tryClientOnQRestAPI(RESTClient.java:141) ~[jaql-4.1.3-jar-with-dependencies.jar:?]
at com.ibm.si.jaql.rest.RESTClient.<init>(RESTClient.java:95) ~[jaql-4.1.3-jar-with-dependencies.jar:?]
at com.ibm.itp.configuration.RESTClientFactory.getQRClient(RESTClientFactory.java:78) ~[itp-core-4.1.3.jar:?]
Resolving The Problem
As this issue affects UBA and ML apps trying to query the Console, users with an App Host appliance need to connect to the appliance make the change on the App Host.
Procedure
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- Optional. If your UBA and ML app runs on the App Host, open an SSH session to the App Host appliance.
- To locate the application identifiers for the ML and UBA, type the following command:
/opt/qradar/support/qappmanager - The menu displays multiple options, administrators can select App instance - list all.
- Record the Instance ID (IID) values for the UBA and ML applications from the table output.
- Find the container associated to the IDS for both ML and UBA.
conman-support files | grep "Config"The output displays the app containers that are associated to the Instance ID (IID) you recorded for UBA and ML applications.[Hostname /]# conman-support files | grep "Config" apps > qapp-1301 > qapp-1301 > Config /etc/conman/container@9802445022671735942 apps > qapp-1351 > qapp-1351 > Config /etc/conman/container@2039317911663602192 apps > qapp-1352 > qapp-1352 > Config /etc/conman/container@6824813238417686552 - Edit the containers with any text editor, such as vi or vim:
vi /etc/conman/container@<ID> - Modify both of the environment variables to use your Private IP address. Note: These values are not located next to each other in the output.
QRADAR_CONSOLE_IP QRADAR_APPLICATION_BASE_URL - Save your changes to the config file.
- To stop and start the containers, type:
systemctl stop container@<containerID> systemctl start container@<containerID>
Results
After the containers restart, verify in the app.log that the error is resolved. If you continue to experience this error message or are unsure of how to complete and steps in this procedure, contact QRadar Support before you begin any changes.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"TS014719741","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
15 December 2023
UID
ibm17095015