Troubleshooting
Problem
The admin is not able to add a log source to multiple log source groups, after they try to save the changes, it fails with the following error:
Could not update log source XXXXX
An unexpected API error has occurred.
Please refer to the QRadar error logs for additional information.
Symptom
- Unable to add a log source to multiple log source groups.
- After trying to save the changes, they get the following error:
- The following error is seen in /var/log/qradar.error after the admin tries to save the changes:
Mar 8 13:09:55 [ERROR] Domain assignment conflict: Log Source 'Log Source @ MyServer01' would be assigned to both domains: 'Domain01' (via group 'Group01_In_Domain01') and 'Domain02' (via group 'Group02_In_Domain02')
Cause
It is not allowed to add a log source to log source groups that are assigned to different domains.
Diagnosing The Problem
In the following capture, the admin is trying to add Log Source @ MyServer01 to the log source groups Group01_In_Domain01 and Group01_In_Domain01, but these log source groups belong to different domains:
This action is not allowed, that is the reason why the following error is seen in /var/log/qradar.error:
[ERROR] Domain assignment conflict:
Log Source 'Log Source @ MyServer01' would be assigned to both domains:
'Domain01' (via group 'Group01_In_Domain01') and 'Domain02' (via group 'Group02_In_Domain02')
Resolving The Problem
You can assign a log source to multiple log source groups as long as all the log source groups belong to the same domain.
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
16 April 2024
UID
ibm17131470