Troubleshooting
Problem
Offenses in QRadar are not escalated to IBM Security QRadar SOAR or Cloud Pak for Security because of a problem with the QRadar event collector service; the plug-in reports "Status Conflict".
Symptom
Offenses are not escalated and cases are not created.
The Status tab might report a conflict, as mentioned in Troubleshooting IBM QRadar SOAR Plug-in app.
The plug-in's app.log might also report a conflict status:
[DEBUG] [APP_ID:2706] [NOT:0000006000] Connection test status: {"created_by":"6c78b189-1c82-4464-946f-bcc3eaea22b1","created":1681918259175,"name":"Resilient Connection Test Task","error_message":null,"modified":1681918275424,"error_code":null,"started":1681918259175,"id":490,"completed":1681918266077,"status":"CONFLICT"}
Cause
The conflict errors can appear when the QRadar event collection service is unable to connect to the SOAR inbound destination. This typically happens when not all of the steps in Configuring access to the inbound destinations have been completed.
Other causes for offenses not escalating
- A connection problem between the QRadar console and SOAR
- Problems associated with the QRadar event collection service
Environment
Version 5.x of the plug-in, with the versions of QRadar SIEM and SOAR or CP4S that support it.
Diagnosing The Problem
SSL certificates
If the SOAR SSL certificate is not installed on the QRadar console, the following error is written to /var/log/qradar.log when the QRadar event collection service tries to connect to the SOAR inbound destination:
[ecs-ep.ecs-ep] [Thread-48] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [INFO] [NOT:0000006000][<IP_ADDRESS>/- -] [-/- -]Audit logging msg:(ecs-ep) Validating certficate chain failed. chain:[0]X509Certificate : { SubjectDN : CN=resilient.localdomain, IssuerDN : CN=resilient.localdomain},, params:CertValidatorParameters [enableLegacySupport :true,checkPinning :true,checkRevocation :true,checkSelfsigned :true,checkUsage :true,checkCaIssuersInAuthInfoAccess :false,trustStores :/opt/ibm/si/services/ecs-ep/current/frameworks_conf//trusted_certificates,], exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
[ecs-ep.ecs-ep] [Thread-48] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]checkCertificatePinning failed.
[ecs-ep.ecs-ep] [Thread-48] com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
[ecs-ep.ecs-ep] [Thread-48] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:548)
[ecs-ep.ecs-ep] [Thread-48] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:111)
[ecs-ep.ecs-ep] [Thread-48] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
[ecs-ep.ecs-ep] [Thread-48] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
The QRadar event collection service cannot send messages to the inbound destination on SOAR because SOAR's SSL certificate is not trusted by the console.
Connection problems
Connection problems between the console and SOAR are also recorded in /var/log/qradar.log:
[ecs-ep.ecs-ep] [Thread-62] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:Failed to send the data to inbound_destinations.202.{HOSTNAME_or_IP}
[ecs-ep.ecs-ep] [Thread-62] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:
[ecs-ep.ecs-ep] [Thread-62] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: Connection reset
[ecs-ep.ecs-ep] [Thread-49] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:Failed to send the data to inbound_destinations.202.{HOSTNAME_or_IP}
[ecs-ep.ecs-ep] [Thread-49] com.ibm.si.ep.destinations.ResilientServerQueue: [INFO] [NOT:0000006000][<IP_ADDRESS>/- -] [-/- -]Following message suppressed 5336628 times in 300000 milliseconds
[ecs-ep.ecs-ep] [Thread-49] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:
[ecs-ep.ecs-ep] [Thread-49] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: Channel was inactive for too (>30000) long: tcp://<IP_ADDRESS>:65000
Other event collector-related problems can look like the following in /var/log/qradar.log:
[ecs-ep.ecs-ep] [Thread-56] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:Failed to send the data to inbound_destinations.202.{HOSTNAME_or_IP}
[ecs-ep.ecs-ep] [Thread-56] com.ibm.si.ep.destinations.ResilientServerQueue: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Resilient Integration:
[ecs-ep.ecs-ep] [Thread-56] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: java.io.EOFException
......
[ecs-ep.ecs-ep] [Thread-56] com.ibm.si.ep.destinations.ResilientDestination: [ERROR] [NOT:0000003000][<IP_ADDRESS>/- -] [-/- -]Connection Problem with inbound_destinations.202.{HOSTNAME_or_IP}
[accumulator.accumulator] [SE Interval Timer] com.q1labs.cve.sentryengine.AlertProcessor: [WARN] [NOT:0000004000][<IP_ADDRESS>/- -] [-/- -][localhost:32005] Output queue is full. Unable to send alert. To see alert info for these warnings, enable debugging for this class
In all cases, messages that contain information related to offenses are not sent from the QRadar console to the SOAR inbound destination. These messages include details about offenses that are created, updated, or closed. Without these messages, the plug-in is not able to act on them to make the required updates to SOAR.
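To speed up the log review described above, the following triage helper (an added example, not part of this technote or the plug-in) classifies ecs-ep and accumulator lines from /var/log/qradar.log into the three failure categories this document describes and pairs each with the matching resolution step. The sample log, the rule names and the IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the /var/log/qradar.log excerpts quoted in this
# technote. IP addresses and ports are placeholders, not values from a real system.
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [Thread-48] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]checkCertificatePinning failed.
[ecs-ep.ecs-ep] [Thread-62] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: Connection reset
[ecs-ep.ecs-ep] [Thread-49] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: Channel was inactive for too (>30000) long: tcp://10.0.0.2:65000
[ecs-ep.ecs-ep] [Thread-56] org.apache.activemq.ConnectionFailedException: The JMS connection has failed: java.io.EOFException
[accumulator.accumulator] [SE Interval Timer] com.q1labs.cve.sentryengine.AlertProcessor: [WARN] [NOT:0000004000][10.0.0.1/- -] [-/- -][localhost:32005] Output queue is full. Unable to send alert.
[ecs-ep.ecs-ep] [Thread-10] com.ibm.si.ep.destinations.ResilientServerQueue: [INFO] [NOT:0000006000][10.0.0.1/- -] [-/- -]Following message suppressed 5336628 times in 300000 milliseconds
"""

# (category, pattern, remediation from this technote's resolution steps).
# "certficate" is spelled the way the product writes it in the quoted log line.
RULES = [
    ("ssl_untrusted", re.compile(r"checkCertificatePinning failed|Validating certficate chain failed"),
     "Install the SOAR SSL certificate on the QRadar console (Configuring access to the inbound destinations)."),
    ("jms_connection", re.compile(r"ConnectionFailedException: The JMS connection has failed"),
     "Check console-to-SOAR connectivity, restart ecs-ep, and apply 7.5.0 UP6 for the JMS reconnect fix."),
    ("queue_full", re.compile(r"Output queue is full"),
     "Event collector backlog: restart ecs-ep once the inbound destination is reachable."),
]
JMS_REASON = re.compile(r"The JMS connection has failed: (.+)$")

def classify_line(line):
    """Return the first matching category for a log line, or None if no rule matches."""
    for name, pattern, _ in RULES:
        if pattern.search(line):
            return name
    return None

def triage(log_text):
    """Count hits per category, collect the JMS failure reasons, and return remediation hints."""
    counts = Counter()
    reasons = []
    for line in log_text.splitlines():
        category = classify_line(line)
        if category:
            counts[category] += 1
        match = JMS_REASON.search(line)
        if match:
            reasons.append(match.group(1).strip())
    hints = {name: fix for name, _, fix in RULES if name in counts}
    return dict(counts), hints, reasons

if __name__ == "__main__":
    counts, hints, reasons = triage(SAMPLE_LOG)
    for name, count in counts.items():
        print(f"{name}: {count} line(s) -> {hints[name]}")
    print("JMS failure reasons:", reasons)
```

On a live console, replace SAMPLE_LOG with the contents of /var/log/qradar.log (or a grep of ecs-ep lines) to get the same summary.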
Resolving The Problem
- Check that all steps listed in Configuring access to the inbound destinations are completed.
- Restart the event collector service: systemctl restart ecs-ep
- Install 7.5.0 UP6, which includes a fix so that the JMS connection reconnects after a connectivity problem.
If none of these actions resolves the problem, or the problem recurs, open a support case with IBM Support.
Document Location
Worldwide
Document Information
Modified date:
30 June 2023
UID
ibm16999965