IBM Support

QRadar: Application error message when opening events

Troubleshooting


Problem

When you open any event in Log Activity, an "Application error" message is displayed.

Symptom

An error message is present in the GUI.


Cause

This problem can be caused by an AQL property that is assigned to a user that is deactivated.

Diagnosing The Problem

In the /var/log/qradar.error file, you find an "Exception creating AQL key creator" message. This message identifies the property ID triggering the error.
Exception creating AQL key creator for property ID 99555295-29ae-4c23-9ef6-6f7e8fc5d2c2

Resolving The Problem

The best way to resolve this condition is to reenable the disabled user, reassign the dependencies to another user, and then disable the user again.
Note: The process here prevents the specific errors noted in this technote, but changing the username of the AQL property can cause more issues with dependent content. After you resolve these AQL property errors, be sure to check for and resolve any remaining dependencies owned by the disabled user.
Once you identify the problematic AQL property ID in /var/log/qradar.error, you must reassign the AQL property ID to the admin user in the database.
  1. SSH into the QRadar Console as the root user.
  2. Back up the table that you are about to change before you modify it. Run this command to generate the backup:
    pg_dump -U qradar -t ariel_aql_property > /store/tmp/ariel_aql_property.sql
  3. Confirm which user is assigned to the problematic AQL property ID. Use the AQL property ID found in the original error from the /var/log/qradar.error file as the "id" value:
    psql -Uqradar -c "select username from ariel_aql_property where id='99555295-29ae-4c23-9ef6-6f7e8fc5d2c2';"
    You see an output with a username similar to this:
    username
    -----------
    QradarTest
  4. After you identify the username, you must reassign the problematic AQL properties to the username admin.  Run the following update statement with the username (found in the previous step) in the "where" clause:
    psql -Uqradar -c "update ariel_aql_property set username='admin' where username='QradarTest';"
  5. After the update, a message "UPDATE 1" is displayed. This message means that the changes were successful.
    Important
    When you restart the QRadar web service, the QRadar UI is not available to all users. Any running event exports or reports stop. Administrators with strict outage or change management policies are advised to complete the next step during a scheduled maintenance window in compliance with their organization's policies.
  6. Restart the hostcontext and tomcat services with the following commands:
    systemctl stop hostcontext
    systemctl restart tomcat
    systemctl start hostcontext
Results
You can open any event successfully in Log Activity.
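
The following script is an added example, not IBM's own code: it collects every distinct property ID reported by the "Exception creating AQL key creator" message and prints (without running) the step 3 lookup for each, accepting only well-formed UUIDs so that nothing else from the log is ever placed inside a SQL string. The function names and the sample log lines are constructed for illustration, and it assumes the ID directly follows the message text as in the line shown under Diagnosing The Problem.

```shell
#!/bin/sh
# Added example: nothing here connects to or changes the database.

# Constructed sample lines; only the message text comes from the technote.
sample_log() {
cat <<'EOF'
[tomcat] ERROR Exception creating AQL key creator for property ID 99555295-29ae-4c23-9ef6-6f7e8fc5d2c2
[tomcat] INFO unrelated message
[tomcat] ERROR Exception creating AQL key creator for property ID 99555295-29AE-4C23-9EF6-6F7E8FC5D2C2
[tomcat] ERROR Exception creating AQL key creator for property ID 0a1b2c3d-0000-4000-8000-123456789abc
[tomcat] ERROR Exception creating AQL key creator for property ID x'; select 1;--
EOF
}

# Read log text on stdin and print each distinct, well-formed property ID once.
# Anything after the message that is not a complete UUID is dropped.
extract_property_ids() {
    sed -nE 's/.*Exception creating AQL key creator for property ID ([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})([^0-9a-fA-F-].*)?$/\1/p' |
    tr 'A-F' 'a-f' |
    sort -u
}

# Read IDs on stdin and print the step 3 query for each one.
print_lookup_commands() {
    while IFS= read -r id; do
        printf 'psql -Uqradar -c "select username from ariel_aql_property where id='\''%s'\'';"\n' "$id"
    done
}

# Use the real log when it is readable, otherwise the constructed sample.
LOG=${1:-/var/log/qradar.error}
if [ -r "$LOG" ]; then
    extract_property_ids < "$LOG" | print_lookup_commands
else
    sample_log | extract_property_ids | print_lookup_commands
fi
```

Review the printed commands before you run them, and compare the usernames they return with the list of deactivated users before you continue with step 4.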

Document Location

Worldwide

Document Information

Modified date:
11 December 2023

UID

ibm16442081