IBM Support

QRadar: Cisco Umbrella logs are not processed nor displayed in Log activity



A Cisco Umbrella Log Source using the AWS REST API protocol displays the log source in a success state, but events are not displayed in QRadar Log Activity. If you look in /store/tmp/marker_number you will see that the files have been downloaded but are not processed. The screenshot in this example shows logs stored in the /store/tmp/marker_number.


Example 1: Unprocessed Cisco Umbrella logs


When you check in the /var/log/qradar.error you might see messages similar to:

Mar 14 14:14:23 ::ffff:10.x.x.12 [ecs-ec-ingress.ecs-ec-ingress] 
[Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.
amazonawsrest.AmazonAWSRESTProvider804] java.


This happens because the opencsv-1.8.jar file is not present in the required locations.


To Verify that the files exist in the required locations type:
locate opencsv-1.8.jar

The output should look similar to this:
Note: The if the files exist in the required locations, they will appear in the output of the locate command.


# locate opencsv-1.8.jar                              

Resolving The Problem

If these files are not present in the required locations, you will need to use this procedure.

Note: This procedure requires restarting the Event Collection Services which may cause an interruption in collecting events. Plan a maintenance period before restarting Services.

  1. Copy the files to their required locations using these commands:
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/current/bin/
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec/current/bin/
    cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/ 
  2. Log into the QRadar User Interface.
  3. Click the Admin tab.
  4. Click Advanced > Restart Event Collection Services.

After restarting the Event Collection Services, Cisco Umbrella events should now be displayed in Log Activity.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
11 January 2021