IBM Support

QRadar: Cisco Umbrella logs are not processed nor displayed in Log activity

Troubleshooting


Problem

A Cisco Umbrella log source that uses the AWS REST API protocol shows a success status, but no events appear in QRadar Log Activity. If you look in /store/tmp/marker_number, you can see that the log files have been downloaded but not processed. The screenshot in this example shows logs stored in /store/tmp/marker_number.

[Screenshot] Example 1: Unprocessed Cisco Umbrella logs in /store/tmp/marker_number

Symptom

When you check /var/log/qradar.error, you might see messages similar to:

Mar 14 14:14:23 ::ffff:10.x.x.12 [ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider804] java.lang.NoClassDefFoundError: au.com.bytecode.opencsv.CSVReader

Cause

This happens because the opencsv-1.8.jar file, which provides the au.com.bytecode.opencsv.CSVReader class that the protocol uses to parse the downloaded CSV files, is not present in the required locations:

/opt/ibm/si/services/ecs-ec-ingress/current/bin/
/opt/ibm/si/services/ecs-ec/current/bin/
/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/


To verify that the file exists in the required locations, type:
locate opencsv-1.8.jar

The output should look similar to this:
Note: If the file exists in the required locations, it appears in the output of the locate command.


# locate opencsv-1.8.jar                              
/opt/ibm/si/services/ecs-ec/732.2.14/bin/opencsv-1.8.jar
/opt/ibm/si/services/ecs-ec-ingress/732.2.14/bin/opencsv-1.8.jar
/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/opencsv-1.8.jar
/opt/qradar/jars/opencsv-1.8.jar
/opt/qradar/webapps/console/WEB-INF/lib/opencsv-1.8.jar
/opt/qradar/webapps/restapi/WEB-INF/lib/opencsv-1.8.jar
/opt/tomcat-rm/webapps/simulator/WEB-INF/lib/opencsv-1.8.jar

Resolving The Problem

If the file is not present in the required locations, use this procedure.

Note: This procedure requires restarting the Event Collection Services, which might interrupt event collection. Plan a maintenance period before restarting the services.

  1. Copy the files to their required locations using these commands:
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/current/bin/
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec/current/bin/
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/ 
  2. Log into the QRadar User Interface.
  3. Click the Admin tab.
  4. Click Advanced > Restart Event Collection Services.
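The following script is an added example, not an IBM tool or part of this article: it checks each required location for opencsv-1.8.jar and copies the file from /opt/qradar/jars only where it is missing, which is the same check and copy as steps 1 and the locate command above, done in one pass so nothing is overwritten. The paths come from this article; the function names check_jar_locations and install_missing_jar are assumptions for this example. The restart (steps 2 to 4) is still done from the Admin tab.

```shell
#!/bin/sh
# Added example (not IBM's own tooling): verify and repair the opencsv-1.8.jar
# locations that the Amazon AWS S3 REST API protocol needs.

JAR_NAME="opencsv-1.8.jar"
# Source copy shipped with QRadar (path from the article).
SRC_JAR="/opt/qradar/jars/$JAR_NAME"
# Required locations (paths from the article).
REQUIRED_DIRS="/opt/ibm/si/services/ecs-ec-ingress/current/bin
/opt/ibm/si/services/ecs-ec/current/bin
/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs"

# check_jar_locations DIR...
# Prints one line per directory; the return value is the number of
# directories that do NOT contain the jar (0 means all present).
check_jar_locations() {
    missing=0
    for dir in "$@"; do
        if [ -f "$dir/$JAR_NAME" ]; then
            echo "present: $dir/$JAR_NAME"
        else
            echo "MISSING: $dir/$JAR_NAME"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# install_missing_jar SRC DIR...
# Copies SRC (preserving mode and timestamp, like cp -p in the article)
# into every directory that lacks the jar; existing copies are left alone.
# Returns 2 if SRC is missing, 1 if a copy fails, 0 on success.
install_missing_jar() {
    src="$1"; shift
    [ -f "$src" ] || { echo "source jar not found: $src" >&2; return 2; }
    for dir in "$@"; do
        if [ ! -f "$dir/$JAR_NAME" ]; then
            [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
            cp -p "$src" "$dir/" || return 1
            echo "copied:  $src -> $dir/"
        fi
    done
    return 0
}

# Run against the real QRadar paths only when asked explicitly:
#   sh check_opencsv.sh --check      report only
#   sh check_opencsv.sh --repair     copy where missing
case "${1:-}" in
    --check)
        # shellcheck disable=SC2086  # word-splitting REQUIRED_DIRS is intended
        check_jar_locations $REQUIRED_DIRS
        ;;
    --repair)
        # shellcheck disable=SC2086
        install_missing_jar "$SRC_JAR" $REQUIRED_DIRS && check_jar_locations $REQUIRED_DIRS
        ;;
esac
```

After --repair reports every location as present, restart the Event Collection Services from the Admin tab as in steps 2 to 4; copying the jar alone does not reload the running protocol provider.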


Result
After restarting the Event Collection Services, Cisco Umbrella events should now be displayed in Log Activity.

Document Location

Worldwide


Document Information

Modified date:
11 January 2021

UID

ibm10887067