Troubleshooting
Problem
When executing the Perl script /opt/qradar/support/mod_log4j.pl, the error message "/opt/qradar/support/mod_log4j.pl not well-formed (invalid token)" is returned in QRadar SIEM.
Resolving The Problem
To resolve the "/opt/qradar/support/mod_log4j.pl not well-formed (invalid token)" message, complete the following steps.
- SSH into the QRadar Console as the root user.
- Create a directory location to take a backup of the mod_log4j.pl file.
In this example I have created a backup directory in /storetmp/ibm_support/.
mkdir -v /storetmp/ibm_support/mod_log4j_backup
mkdir: created directory ‘/storetmp/ibm_support/mod_log4j_backup’
- Copy the current log4j2.xml file to the newly created location.
cp -pv /opt/qradar/conf/log4j2.xml /storetmp/ibm_support/mod_log4j_backup
‘/opt/qradar/conf/log4j2.xml’ -> ‘/storetmp/ibm_support/mod_log4j_backup/log4j2.xml’
- Now we replace the current log4j2.xml file with the version from the template directory.
Answer Yes to overwrite the current file.
cp -pv /opt/qradar/conf/templates/log4j2.xml /opt/qradar/conf/log4j2.xml
cp: overwrite ‘/opt/qradar/conf/log4j2.xml’? y
‘/opt/qradar/conf/templates/log4j2.xml’ -> ‘/opt/qradar/conf/log4j2.xml’
- Now restart the Event Collection Service to detect and use the new log4j2.xml file.
systemctl restart ecs-ec
Result: Run the mod_log4j.pl script again. The script executes and the message "/opt/qradar/support/mod_log4j.pl not well-formed (invalid token)" is no longer displayed.
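Restoring the template discards any local edits to log4j2.xml, so it helps to know which line was malformed before those edits are reapplied. The following Python sketch is an added example, not part of the IBM procedure: it parses a file with expat, which reports the same "not well-formed (invalid token)" text, and returns the line and column of the first error. It assumes the malformed file is log4j2.xml (the steps above imply this but do not state it); the function name and the sample XML are constructed for illustration.

```python
import sys
import xml.parsers.expat

def find_xml_error(data: bytes):
    """Return None if data is well-formed XML, otherwise a tuple
    (message, line, column, offending_line_text) for the first error."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(data, True)  # True = this is the final chunk
    except xml.parsers.expat.ExpatError as err:
        lines = data.splitlines()
        bad = lines[err.lineno - 1] if 0 < err.lineno <= len(lines) else b""
        return (xml.parsers.expat.ErrorString(err.code),
                err.lineno, err.offset,
                bad.decode("utf-8", "replace"))
    return None

# Constructed sample input, not a real QRadar configuration.
GOOD = b'''<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Loggers>
    <Logger name="com.example.demo" level="INFO"/>
  </Loggers>
</Configuration>
'''
# Same file with an unescaped ampersand in an attribute value (line 4).
BAD = GOOD.replace(b'name="com.example.demo"', b'name="demo & test"')

if __name__ == "__main__":
    # Default is the path used in the steps above; pass the backup copy
    # as the first argument to inspect the file that was replaced.
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/qradar/conf/log4j2.xml"
    with open(path, "rb") as fh:
        result = find_xml_error(fh.read())
    if result is None:
        print(f"{path}: well-formed")
    else:
        msg, line, col, text = result
        print(f"{path}: {msg} at line {line}, column {col}")
        print(f"  {text.strip()}")
        sys.exit(1)
```

Run it against /storetmp/ibm_support/mod_log4j_backup/log4j2.xml to see which customisation broke the file, and against /opt/qradar/conf/log4j2.xml after any later edit before restarting ecs-ec.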
Document Location
Worldwide
Document Information
Modified date:
15 May 2024
UID
ibm17150814