IBM Support

QRadar: Unable to delete log sources that were added in bulk (multiple addition) in the Log Source Management app

Troubleshooting
Problem

QRadar allows the creation of multiple log sources at once. Occasionally, administrators need to delete only one of those log sources.
When a log source was added with the bulk option, it cannot be removed on its own; the error "This method is not supported for this log source because it is part of a bulk group" is displayed.

Diagnosing The Problem

The error message can be reproduced with the following steps:
  1. Log in to the QRadar Console Web UI as the administrator user.
  2. On the Admin tab, open the IBM QRadar Log Source Management page and select Log Sources.
  3. Search and select the required log source and click Delete. The error "This method is not supported for this log source because it is part of a bulk group" is displayed.
To confirm whether the log source was added in bulk, follow these steps:
  1. Log in to the QRadar Console CLI as the root user.
  2. Run the following psql command, replacing <Log_Source_Name> with the exact log source name:
    psql -U qradar -c "select id,hostname,devicename,bulk_added from sensordevice where devicename = '<Log_Source_Name>';"
    Output example:
    psql -U qradar -c "select id,hostname,devicename,bulk_added from sensordevice where devicename = 'Test Log Source @ 172.16.0.1';"
      id  |  hostname  |                       devicename                        | bulk_added
    ------+------------+---------------------------------------------------------+------------
     1262 | 172.16.0.1 | Test Log Source @ 172.16.0.1                            | t
    
    The column bulk_added reports "t" (true), which indicates that this log source was added with the bulk (multiple log sources) option.

Resolving The Problem

Log sources that were added in bulk in the Log Source Management app cannot be removed one by one. When only one such log source needs to be removed, the administrator can use the following steps:
Important disclaimer:
The next steps require advanced knowledge. Administrators who feel uncomfortable with this procedure or need assistance can contact QRadar Support.
  1. Create a backup for the sensordevice table.
    1. Create the backup directory:
      mkdir -p /store/IBM_Support/
    2. Back up the sensordevice table:
      pg_dump -U qradar -t sensordevice --inserts -f /store/IBM_Support/sensordevice.sql-$(date +%F)
  2. Search for the log source ID.
    Use the following command, replacing <Log_Source_Name> with the name of the log source that needs to be removed.
    psql -U qradar -c "select id,hostname,devicename,bulk_added from sensordevice where devicename = '<Log_Source_Name>';"
    The id column shows the ID that is needed; in the following sample, the ID is 1234:
    psql -U qradar -c "select id,hostname,devicename,bulk_added from sensordevice where devicename = 'Test Log Source @ 10.10.10.1';"
      id  |  hostname  |                       devicename                        | bulk_added
    ------+------------+---------------------------------------------------------+------------
     1234 | 10.10.10.1 | Test Log Source @ 10.10.10.1                            | t
    
  3. Change the "bulk_added" column value from "t" (true) to "f" (false).
    Use the following command, replacing <ID> with the ID of the log source obtained in the previous step.
    psql -U qradar -c "UPDATE sensordevice SET bulk_added='f' WHERE id=<ID>;"
    For example, if the ID was 1234:
    psql -U qradar -c "UPDATE sensordevice SET bulk_added='f' WHERE id=1234;"
  4. Log in to the QRadar Console Web UI as the administrator user.
  5. On the Admin tab, open the IBM QRadar Log Source Management app, select the required log source, and click Delete.
Result:
The required log source is now removed. If the log source still fails to be removed, contact QRadar Support for assistance.
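Steps 1 to 3 above (backup, lookup, update) as one POSIX shell script, added here as an example; it is not part of IBM's documentation or of QRadar's own tooling. It assumes it runs on the QRadar Console as root with psql and pg_dump in PATH and uses the document's own SELECT and UPDATE statements. It adds two checks that the manual steps leave to the operator: the log source name is quoted for SQL so a devicename containing an apostrophe cannot break the query, and the UPDATE is issued only when exactly one row matches and that row reports bulk_added = t. Steps 4 and 5 remain manual in the Web UI. The function names (sql_quote, lookup_sql, unbulk_log_source, and so on) are assumed names chosen for this example.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: wraps steps 1 to 3 of the procedure.
# Assumed: runs on the QRadar Console as root, psql and pg_dump are in PATH,
# and the sensordevice columns are the ones shown in the document.

BACKUP_DIR="/store/IBM_Support"

# Double any single quote so the name stays inside the SQL string literal
# (a devicename such as "Proxy 'B' @ 10.0.0.5" would otherwise break the query).
sql_quote() {
    printf '%s\n' "$1" | sed "s/'/''/g"
}

# SELECT from step 2; identical to the document's query, with the name quoted.
lookup_sql() {
    printf "select id,hostname,devicename,bulk_added from sensordevice where devicename = '%s';" "$(sql_quote "$1")"
}

# Only a positive integer may be spliced into the UPDATE.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# UPDATE from step 3.
update_sql() {
    valid_id "$1" || return 1
    printf "UPDATE sensordevice SET bulk_added='f' WHERE id=%s;" "$1"
}

# Field helpers for one unaligned psql row "id|hostname|devicename|bulk_added"
# (psql -tA prints rows in that form, one per line, without headers).
row_id()         { printf '%s\n' "$1" | cut -d'|' -f1; }
row_bulk_added() { printf '%s\n' "$1" | cut -d'|' -f4; }

# Steps 1 to 3 end to end. Returns non-zero without touching the table
# unless exactly one row matches the name and it is flagged bulk_added = t.
unbulk_log_source() {
    name="$1"
    mkdir -p "$BACKUP_DIR"
    pg_dump -U qradar -t sensordevice --inserts \
        -f "$BACKUP_DIR/sensordevice.sql-$(date +%F)" || return 1

    rows=$(psql -U qradar -tA -c "$(lookup_sql "$name")") || return 1
    count=$(printf '%s\n' "$rows" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one log source named '$name', found $count" >&2
        return 1
    fi
    id=$(row_id "$rows")
    if [ "$(row_bulk_added "$rows")" != "t" ]; then
        echo "log source $id is not flagged bulk_added; nothing to change" >&2
        return 1
    fi
    valid_id "$id" || return 1
    psql -U qradar -c "$(update_sql "$id")"
}

# Usage: ./unbulk_log_source.sh 'Test Log Source @ 10.10.10.1'
if [ "$#" -gt 0 ]; then
    unbulk_log_source "$1"
fi
```

The backup from step 1 is written before any query is run, so a wrong name or an unexpected second match costs nothing but a dump file; the table is only changed once the row has been confirmed to carry the bulk flag.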

Document Location

Worldwide

Document Information

Modified date:
26 May 2022

UID

ibm16568847