Troubleshooting
Problem
When an administrator attempts to install a content package or application with Custom Extraction Properties (CEP) through Extensions Management, the installation preview sometimes shows a single property and a status of FAILED. If the administrator chooses to continue with the installation, it fails to proceed with the message "An error occurred. See console logs for details." This behavior normally indicates a CEP that's being imported is in conflict with one that's already on the system.
Symptom
During a content pack or application installation, there is a screen to preview the changes it is installing. If there is a conflicting CEP, the preview shows that property with a FAILED status.
In this example, Originating_User is the name of the CEP in conflict, but this name might differ on your system. Throughout this technote, we are using the Originating_User property as an example.
Diagnosing The Problem
- SSH to the console as the root user
- Search the logs for a more detailed error with the following command:
grep -i contentcustom /var/log/qradar.log
  There are two possible messages that can be corrected:
  - There's a conflict with an existing name
    Conflict during the import of property [Originating_User], found an existing property with the same name but different [type/id]
  - There's a conflict with an existing UUID
    Property with id [c5496d4e-dd49-46ab-b6dc-04a892757a23] already exists but have a different name
  Important: If the output seen doesn't match either of these messages, contact QRadar® Support for further assistance.
- If the issue is identified as a conflict with an existing UUID in step 2, query Postgres to find the CEP name with this command:
# psql -U qradar -c "select id, propertyname, database, username from ariel_regex_property where id='<UUID>';"
Here's an example output:
# psql -U qradar -c "select id, propertyname, database, username from ariel_regex_property where id='c5496d4e-dd49-46ab-b6dc-04a892757a23';"
                  id                  |   propertyname   | database | username
--------------------------------------+------------------+----------+----------
 0d7b6408-e76c-4765-95e9-c9a8c3693a0e | Originating User | events   | admin
(1 row)
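The log check and lookup from the steps above, written as a script. This is an added example, not part of the original technote or of QRadar itself. It assumes the two message formats quoted above; the function names and the prefix on the sample log lines are hypothetical.

```shell
#!/bin/bash
# Read qradar.log lines on stdin; print one line per distinct conflict:
#   "NAME <property name>"  or  "UUID <property id>"
classify_cep_conflicts() {
    sed -n \
        -e 's/.*Conflict during the import of property \[\([^]]*\)], found an existing property with the same name.*/NAME \1/p' \
        -e 's/.*Property with id \[\([0-9a-fA-F-]\{36\}\)] already exists but.*/UUID \1/p' |
        sort -u
}

# Print the technote's lookup query for one id. The id comes out of a log
# file, so it must be a canonical UUID before it goes inside the SQL string.
cep_lookup_query() {
    if ! printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "not a UUID: $1" >&2
        return 1
    fi
    printf "select id, propertyname, database, username from ariel_regex_property where id='%s';\n" "$1"
}

# Constructed sample input. The "sample-host contentcustom:" prefix is made up;
# only the message text is taken from the technote.
sample_log() {
    cat <<'EOF'
sample-host contentcustom: Conflict during the import of property [Originating_User], found an existing property with the same name but different [type/id]
sample-host contentcustom: Property with id [c5496d4e-dd49-46ab-b6dc-04a892757a23] already exists but have a different name
sample-host contentcustom: Conflict during the import of property [Originating_User], found an existing property with the same name but different [type/id]
sample-host contentcustom: unrelated message
EOF
}

# On a console, replace sample_log with:
#   grep -i contentcustom /var/log/qradar.log
sample_log | classify_cep_conflicts | while read -r kind value; do
    case $kind in
        NAME) echo "name conflict: $value" ;;
        UUID) echo "id conflict: $value"
              echo "psql -U qradar -c \"$(cep_lookup_query "$value")\"" ;;
    esac
done
```

Repeated log entries for the same property collapse to one line, so the output lists each CEP that needs attention once.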
Resolving The Problem
- Log in to the QRadar® UI
- Locate the CEP following this documentation
- If the CEP is not being used (e.g. it is a flow property, but your system doesn't collect flows), or you would like to remove it directly, proceed to step 7
- In the Custom Property Definition screen, choose New Property and give a new name, but do not change anything else.
- Save the CEP
- If there are multiple search results from step 2, copy each of the rest, but choose Existing Property and the new property name from step 4.
- Delete all of the original CEPs
- If there are dependencies, either remove the dependencies or replace them with the newly created property
- Try installing the content pack again
Results
After following the above steps, if the installation continues to give issues, contact QRadar® Support for further assistance.
Document Location
Worldwide
Document Information
Modified date:
08 October 2020
UID
ibm16205797