IBM Support

QRadar: Problem Gathering or Parsing Events From Bluecoat Device

Troubleshooting


Problem

The customer created a new Blue Coat log source that uses the FTP protocol and is getting the following status messages:

INFO - Authentication Status: Successful
INFO - File Transfer Status: File(s) transferred successfully
ERROR - Event Collection Status: Problem gathering/parsing events

Symptom

The qradar.error log file shows the following error:

Mar 12 07:45:23 10.x.x.x [ecs] [FTP Provider Protocol Provider Thread: class com.q1labs.semsources.sources.remote.transferprotocol.ftp.FTPProvider470] com.q1labs.semsources.sources.remote.transferprotocol.ftp.FTPProvider: [ERROR] [NOT:0000003000][10.x.x.x/- -] [-/- -]unable to process remote stream reference: file pre-processing failed

Cause

Most likely this is an issue with the Blue Coat device. It can occur when the file on the Blue Coat FTP server is corrupted or not valid.

Environment

QRadar 7.2 or above

Resolving The Problem

Verify on the Blue Coat FTP server that the .gz file is valid and not corrupted. You can verify this by trying to manually gunzip the .gz file. If gunzip succeeds, the .gz file is not corrupt.
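The same check applied to every .gz file in a directory, as an added example (not IBM's code). It uses `gzip -t`, which tests an archive without extracting it. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample files are constructed for illustration.

# check_gz_dir DIR
# Prints "OK <file>" or "CORRUPT <file>" for every .gz file in DIR.
# Returns 0 if all pass, 1 if any fail, 2 if DIR holds no .gz files.
check_gz_dir() {
    dir=$1
    bad=0
    seen=0
    for f in "$dir"/*.gz; do
        [ -f "$f" ] || continue      # unmatched glob stays literal; skip it
        seen=1
        # gzip -t decompresses to nowhere and checks the CRC32/length trailer,
        # so it catches truncated files as well as non-gzip content.
        if gzip -t "$f" 2>/dev/null; then
            echo "OK $f"
        else
            echo "CORRUPT $f"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# make_samples DIR
# Builds three constructed files: a valid archive, a truncated copy of it
# (such as an incomplete upload), and a plain-text file named .gz.
make_samples() {
    d=$1
    i=0
    while [ "$i" -lt 200 ]; do
        echo "2018-03-12 07:45:23 constructed sample proxy log line $i"
        i=$((i + 1))
    done | gzip -c > "$d/good.log.gz"
    dd if="$d/good.log.gz" of="$d/truncated.log.gz" bs=100 count=1 2>/dev/null
    echo "this is not gzip data" > "$d/notgzip.log.gz"
}

# Demo run against the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
check_gz_dir "$tmp" || echo "at least one archive is corrupt or not valid gzip"
rm -rf "$tmp"
```

To use it on real data, call `check_gz_dir` with the directory the log source retrieves files from; any file reported as CORRUPT is a candidate for the pre-processing failure.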



Document Information

Modified date:
16 June 2018

UID

swg21699403