IBM Support

QRadar: Troubleshooting "Expecting a non-null userNets for user" exception

Troubleshooting


Problem

If a dependency check is not performed when a user account is deleted, it can cause errors with the rules owned by that user. This article explains how to fix the issue.
Messages like the following are logged for the affected rules:
[ecs-ep.ecs-ep] [/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [WARN] [-/- -]Expecting a non-null userNets for user <USERNAME>. It was probably removed without updating the rule.  User permissions will not be applied to rule <RULE_NAME>

Cause

When a user has been deleted but the rules owned by that user have not, the Custom Rule Engine is unable to load those rules into its running configuration and throws the "Expecting a non-null userNets for user" exception.

Diagnosing The Problem

  1. SSH into the QRadar Console.
  2. Run the following command:
    grep -i "Expecting a non-null userNets" /var/log/qradar.error
  3. If it prints an error similar to the following, proceed to the next step:
    [ecs-ep.ecs-ep] [/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [WARN]  [-/- -]Expecting a non-null userNets for user <USERNAME>. It was probably removed without updating the rule.  User permissions will not be applied to rule <RULE_NAME>

Resolving The Problem

  1. SSH into the QRadar Console.
  2. Run the following command:
    grep non-null /var/log/qradar.error | grep -oP '(?<=userNets for user).*(?=\. It was probably)' | sort -u
  3. This command lists all the users who are affected by the issue.
  4. Verify whether these users are disabled or deleted from the system.
    • If the user is disabled, delete the user in order to initiate the dependency checker and reassign the content owned by the user to another active user.
    • If the user is deleted, add the user again and then delete it again. These steps are required to initiate the dependency checker so that the rules can be reassigned to an active user.
    • If the users are active, then check one of the rules in question to see whether the tests are missing any values.
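
Before reassigning content, it helps to see which rules each missing owner still holds. The following script is an added example, not part of the original IBM article: it parses the warning text shown above into user and rule pairs. The function names and the sample user and rule names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: map each missing rule owner to the rules named in the CRE warnings.
TAB=$(printf '\t')

# Print unique "user<TAB>rule" pairs found in the log file given as $1.
orphaned_rule_owners() {
    grep -F 'Expecting a non-null userNets for user' "$1" |
    sed -n -E -e 's/[[:space:]]+$//' \
        -e "s/.*userNets for user (.*)\. It was probably removed.*applied to rule (.*)\$/\1${TAB}\2/p" |
    LC_ALL=C sort -u
}

# Print "count<TAB>user": how many distinct rules each user still owns.
rules_per_user() {
    orphaned_rule_owners "$1" |
    awk -F'\t' '{ n[$1]++ } END { for (u in n) printf "%d\t%s\n", n[u], u }' |
    LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2
}

# Constructed sample lines (not real output); user and rule names are made up.
write_sample_log() {
    p='[ecs-ep.ecs-ep] [/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [WARN] [-/- -]'
    m='It was probably removed without updating the rule.  User permissions will not be applied to rule'
    {
        printf '%s\n' "${p}Expecting a non-null userNets for user j.smith. $m Example Rule A"
        printf '%s\n' "${p}Expecting a non-null userNets for user j.smith. $m Example Rule A"
        printf '%s\n' "${p}Expecting a non-null userNets for user j.smith. $m Example Rule B"
        printf '%s\n' "${p}Expecting a non-null userNets for user svc_soc. $m Example Rule C"
        printf '%s\n' '[ecs-ep.ecs-ep] unrelated line that must be ignored'
    } > "$1"
}

# Use the log file passed as $1 if it is readable; otherwise use the constructed sample.
if [ -r "${1:-}" ]; then
    log=$1
else
    log=$(mktemp)
    write_sample_log "$log"
fi
echo "Rules per missing owner:"
rules_per_user "$log"
echo "Owner and rule pairs:"
orphaned_rule_owners "$log"
```

On the Console, pass /var/log/qradar.error as the first argument to run it against the real log.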

Result

To learn more about CRE-related errors, see "CRE failed to read rules". If you are still experiencing the issue, contact support.

Document Location

Worldwide

Document Information

Modified date:
09 February 2024

UID

ibm17031877