Troubleshooting
Problem
The customer created new bluecoat devices Log Source that uses FTP protocol and is getting the following error message
[]INFO - Authentication Status: Successful
INFO - File Transfer Status: File(s) transferred successfully
ERROR - Event Collection Status: Problem gathering/parsing events[
]
Symptom
The qradar.error log file shows the following error:
Mar 12 07:45:23 10.x.x.x [ecs] [FTP Provider Protocol Provider Thread: class com.q1labs.semsources.sources.remote.transferprotocol.ftp.FTPProvider470] com.q1labs.semsources.sources.remote.transferprotocol.ftp.FTPProvider: [ERROR] [NOT:0000003000][10.x.x.x/- -] [-/- -]unable to process remote stream reference: file pre-processing failed
Cause
Most likely this is an issue with the bluecoat device. It might be caused if the file on the Blue Coat FTP server is corrupted or not valid.
Environment
QRadar 7.2 or above
Resolving The Problem
Verify on the Blue Coat FTP server that the .gz file is valid and not corrupted. You can verify this by trying to manually gunzip the .gz file. If successful the .gz file is not corrupt.
Where do you find more information?
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21699403