IBM Support

QRadar: User Behavior Analytics app missing configuration after upgrade to UBA V4.1.3 or V4.1.4 (Updated)

Troubleshooting


Problem

Administrators who upgrade to User Behavior Analytics version 4.1.3 or 4.1.4 can experience a configuration migration issue depending on their upgrade path. Users reported issues where upgrading from a UBA version 4.1.2 or earlier to UBA version 4.1.3 or 4.1.4 did not display any configuration information in the application after the upgrade installation completes. This issue affects users who were on a CentOS6 version of the UBA application, then upgrade to UBA 4.1.3 or 4.1.4. When this issue occurs, the startup log displays a 'database user “appuser” is not the install user' error message. The UBA application launches in the user interface with the latest version, but the configuration data for the app is not migrated properly and appears to be incorrectly configured or reset to a default state.
Important: A new version of UBA is released to prevent the database migration issue for users who upgrade from a CentOS 6 version of UBA or versions before 4.1.2. Administrators can download User Behavior Analytics 4.1.5 from the X-Force App Exchange and upgrade their application to mitigate CVE-2021-44228 as described in the IBM Security Bulletin for User Behavior Analytics.

Symptom

Users who upgrade to User Behavior Analytics V4.1.3 or V4.1.4 can complete the installation of the application; however, the database configuration is not properly migrated to the most recent database version. When the error occurs, the application does not appear to be set up properly and a default app information is displayed. The application configuration is not loaded properly during the upgrade.

Cause

The migration of the application's configuration does not complete as expected during the upgrade to UBA 4.1.3 or 4.1.4. The following message is displayed in the startup.log in the UBA container when the error occurs:
  
as_root command [chown appuser:appuser /opt/app-root/store/psql/postgresql.conf] exited with status 0
psql configruation complete.
Performing Consistency Checks
-----------------------------
Checking cluster versions                                  ok
Checking database user is the install user
database user “appuser” is not the install user
Failure, exiting
psql 10 to 13 conv
To confirm the error message, administrators can connect to the UBA container to view log information. You must use SSH to either the Console or the App Host, depending on where the app is installed and run the recon tool to determine the UBA app ID. Administrators can review the startup logs with the command: less /store/docker/volumes/qapp-{UBA App ID}/log/startup.log. For more information, see QRadar: How to use recon to troubleshoot QRadar applications.

Environment

User Behavior Analytics application upgrades for the following versions are affected by this issue:
 
  • UBA 4.1.2 or earlier to 4.1.3 or 4.1.4.
  • CentOS6-based versions of UBA that upgrade from any prior version to 4.1.3 or 4.1.4.

    Note: Users can determine whether you use a CentOS6 version of UBA from the following technical note: CentOS6 applications and mitigation for CVEs.

Resolving The Problem

User Behavior Analytics (UBA) 4.1.5 is released to IBM Fix Central to resolve a reported upgrade issue in versions 4.1.3 or 4.1.4. Administrators who experienced issues with their UBA upgrade where the user interface did not display a configuration can upgrade to the latest version to resolve this issue. Installing UBA 4.1.5 properly migrates the existing configuration from prior UBA installations.

Procedure
Administrators must upgrade to UBA 4.1.5 to mitigate the Log4j vulnerability as described in the security bulletin.
 
  1. Log in to the QRadar Console.
  2. On the Dashboard, click the Shield icon to open the QRadar Assistant App.
    image-20211217214059-2
  3. Click Applications.
  4. Click Update.
    image-20211217213318-3
  5. Wait for the application to install.

    Results
    After the application is installed, clear your browser cache. Click the User Analytics tab from the user interface and review to confirm the user interface displays the application. If your application does not display data as expected, contact QRadar Support.
     

Manually installing User Behavior Analytics V4.1.5

If you manually update your application and have an older UBA 3.x version installed, you must install UBA 4.0.1, then upgrade the application to UBA 4.1.5. For more information, see Upgrading the User Behavior Analytics app.

Procedure
  1. Download UBA 4.1.5 from the X-Force App Exchange.
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab.
  4. Click Extension Management.
  5. Click Add and select the UBA 4.1.5 application. 
  6. Select the Install immediately checkbox.
  7. Click OK to begin the app update.
  8. Wait for the application to install.

    Results
    After the application is installed, clear your browser cache. Click the User Analytics tab from the user interface and review to confirm the user interface displays the application. If your application does not display data as expected, contact QRadar Support.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
21 December 2021

UID

ibm16527260

Page Feedback