Troubleshooting
Problem
This technote describes an error that can occur when a user who is not a member of the Log Source Security Profile attempts to remove a Log Source Group.
Symptom
When the user attempts to delete a Log Source Group, the following error is displayed:
Cause
There is a Security Profile associated with the Log Source Group, which prevents the user from properly removing the Log Source Group.
Diagnosing The Problem
There are two methods to verify this issue.
- Verify that the user attempting to delete the Log Source Group has the correct permissions in their Security Profile to access the Log Sources contained within the group they are attempting to delete.
- Review the /var/log/qradar.error log to determine if the following text is displayed:
Mar 12 15:07:04 IP address [tomcat] [admin@IP address (8692) /console/JSON-RPC/QRadar.deleteSelectedGroupContext QRadar.deleteSelectedGroupContext] com.q1labs.core.ui.coreservices.UICoreServices: [ERROR] SQL Exception: ER
ROR: update or delete on table "fgroup" violates foreign key constraint "sp_sensordevice_group_link_dg_id_fkey" on table "sp_sensordevice_group_link"
Detail: Key (id)=(100069) is still referenced from table "sp_sensordevice_group_link". {stmnt -369506896 DELETE FROM fgroup WHERE id in(100069)} [code=0, state=23503]
Mar 12 15:07:04 IP address [tomcat] [admin@IP address (8692) /console/JSON-RPC/QRadar.deleteSelectedGroupContext QRadar.deleteSelectedGroupContext] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: update or delet
e on table "fgroup" violates foreign key constraint "sp_sensordevice_group_link_dg_id_fkey" on table "sp_sensordevice_group_link"
Detail: Key (id)=(100069) is still referenced from table "sp_sensordevice_group_link". {stmnt -369506896 DELETE FROM fgroup WHERE id in(100069)} [code=0, state=23503]
Resolving The Problem
To resolve this issue, the Administrator might be required to update the Security Profile to remove the Log Source Groups that cannot be removed.
- Log in to the QRadar Web User Interface as an Admin user.
- Click the Admin tab.
- Click the Security Profiles icon to display the Security Profile Manager.
- Select the user that has the difficulty removing the Log Source Group.
- Click the Log Sources tab.
- Remove the Log Sources that contribute to the group from the Assigned Log Sources list.
- Click Save to close the window.
- Click Deploy Changes.
- Attempt to remove the Log Source Group.
Where do you find more information?
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"7.1;7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21667166