IBM Support

QRadar: Amazon AWS protocols temporarily removed from automatic updates

News


Abstract

Administrators are being alerted to the temporary removal of the Amazon Web Services and Amazon AWS S3 REST API protocol from QRadar auto updates. A JAR file loading issue can occur when the protocols are delivered and installed through the QRadar auto updates. This technical note informs administrators how to manually install the latest protocol RPMs from IBM Fix Central on the QRadar Console. Further changes are expected in this technical note to inform users when Amazon protocols are available in the QRadar weekly auto update to resolve this issue.

Content

  • Troubleshooting: Failed to install the latest Amazon protocols
    Users who update their Amazon AWS protocols might be required to manually install missing intermediate RPM files. If you experience an error when you install the latest Amazon protocols, review the on-screen message to determine whether an intermediate RPM is required.

    For example, the RPM installation error highlights the missing RPMs required from IBM Fix Central.

    Note: Another RPM that can be reported as failing to update alongside the Amazon protocols is PROTOCOL-IBMCloudObjectStorage-<version>.noarch.rpm. If this RPM is reported, follow the same procedure to upgrade it.
    Procedure
    1. Navigate to IBM Fix Central and download the required files.
      Tip: Use SFTP to download the files directly to your Console.
    2. To install the RPM files, type:
      yum -y install <protocol RPM filename>
      For example,
      yum -y install PROTOCOL-AmazonAWSRESTAPI-7.5-20220426150330.noarch.rpm PROTOCOL-AmazonWebServices-7.5-20220421060011.noarch.rpm
    3. Log in to the QRadar Console user interface as an administrator.
    4. Click the Admin tab.
    5. Click Advanced > Deploy Full Configuration.
    6. Wait for the deployment to replicate changes to the managed hosts.
    7. Click Advanced > Restart Event Collection Service.
    8. From the Admin tab, click the Auto Update icon.
    9. Click Get New Updates to download the latest Amazon protocols.
    10. Repeat steps 5 to 7 to complete the procedure.

    Results
    After services restart, the RPM installation is complete. If administrators do not complete an event collection restart (ecs-ec-ingress), the following system notification can display in /var/log/qradar.log:
    notification_log_classifier.pl  [NOT:0000004000][IPADDRESS/- -] [-/- -][WARN] A newer version of PROTOCOL-AmazonWebServices rpm has been installed. In order to continue collecting events properly via Amazon Web Services or Amazon S3 REST API, restarting event collection service is required. Please go to Admin tab menu in the user interface, select Advanced > Restart Event Collection Services

IMPORTANT

IBM temporarily removed the Amazon Web Services and Amazon AWS S3 REST API protocols from QRadar weekly auto updates due to a JAR file loading issue that can occur during the auto update of the protocol. As this issue is under investigation, protocol updates for the Amazon protocols can be downloaded and manually installed on the QRadar Console.

Affected protocol versions

The following protocols are removed from the QRadar weekly automatic updates temporarily and must be manually installed:

  • Protocol-AmazonWebServices
  • Protocol-AmazonAWSRESTAPI

Note: Another protocol that can be affected is PROTOCOL-IBMCloudObjectStorage. If it is reported together with the Amazon protocols, follow the same steps to update it.


What to do

QRadar SIEM administrators can download and manually install the Amazon AWS and Amazon Web Services protocol RPM files on the QRadar SIEM Console.


Note: If you are a QRadar on Cloud administrator, you can open a case with QRadar Support for the DevOps team to install the protocol RPM files on your QRadar on Cloud Console. For more information, see Case instructions for QRadar on Cloud administrators.


Instructions for QRadar SIEM (on-prem) administrators:

  1. Download the latest Amazon protocol RPMs from IBM Fix Central.
  2. Copy the files to the /storetmp directory on the QRadar Console. 
    Note: DSM, Protocol, and Scanner RPM files are only installed on the QRadar Console. You are not required to install the RPM files on managed hosts as the Console replicates RPM installation files to all appliances in the deployment.
  3. To set permissions on the files, type:
    chmod +x *.rpm
  4. To install the files, type:
    yum -y install PROTOCOL-AmazonWebServices*
    yum -y install PROTOCOL-AmazonAWSRESTAPI*
  5. The installer output instructs you to complete a full deploy and restart the event collection services:
    PLEASE NOTE
    ===========
    After installation has completed you must Deploy Full Configuration and restart Event Collection Services to complete the installation.
    Step 1: From the Admin tab menu in the user interface, select Advanced > Deploy Full Configuration.
    Step 2: From the Admin tab menu in the user interface, select Advanced > Restart Event Collection Services.
  6. Log in to the QRadar Console user interface as an administrator.
  7. Click the Admin tab.
  8. Click Advanced > Deploy Full Configuration.
  9. Wait for the deployment to replicate changes to the managed hosts.
  10. Click Advanced > Restart Event Collection Service.

    Results
    After services restart, the RPM installation is complete. If administrators do not complete an event collection restart (ecs-ec-ingress), the following system notification can display in /var/log/qradar.log:
    notification_log_classifier.pl  [NOT:0000004000][IPADDRESS/- -] [-/- -][WARN] A newer version of PROTOCOL-AmazonWebServices rpm has been installed. In order to continue collecting events properly via Amazon Web Services or Amazon S3 REST API, restarting event collection service is required. Please go to Admin tab menu in the user interface, select Advanced > Restart Event Collection Services
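    The following shell script is an added example, not IBM's own tooling, that wraps the manual install steps above (both the troubleshooting procedure and the on-prem instructions) with the checks an administrator usually wants first: which protocol and build each staged RPM carries, whether the Console already has that build installed, and whether /var/log/qradar.log still carries the "newer version ... restart event collection service" notification that means the Restart Event Collection Services step is outstanding. It assumes the RPMs are staged in /storetmp (override with STAGE_DIR), that filenames follow the PROTOCOL-<Name>-<version>-<build>.noarch.rpm pattern shown on this page, and that `rpm -q --qf '%{VERSION}-%{RELEASE}'` reports the installed build in the same form. The sample log lines are constructed from the notification text quoted above; the install branch only runs when the script is invoked with the argument `install`.

```shell
#!/bin/sh
# Added example, not IBM's script: helper checks around the manual Amazon
# protocol RPM install described above. Assumptions: RPMs are staged in
# /storetmp (override with STAGE_DIR) and follow the filename pattern shown
# on the page, PROTOCOL-<Name>-<version>-<build>.noarch.rpm.

STAGE_DIR="${STAGE_DIR:-/storetmp}"

# Protocol package name from an RPM filename:
#   PROTOCOL-AmazonWebServices-7.5-20220421060011.noarch.rpm -> PROTOCOL-AmazonWebServices
rpm_file_name() {
  basename "$1" | sed -E 's/^(PROTOCOL-[A-Za-z]+)-.*$/\1/'
}

# "<version>-<build>" from the same filename -> 7.5-20220421060011
rpm_file_version() {
  basename "$1" .noarch.rpm | sed -E 's/^PROTOCOL-[A-Za-z]+-//'
}

# Compare the staged build ($1) with what rpm reports as installed ($2,
# the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' <name>`; empty means
# the package is not installed at all).
version_state() {
  want="$1"; have="$2"
  if [ -z "$have" ]; then echo "not-installed"
  elif [ "$have" = "$want" ]; then echo "current"
  else echo "differs"
  fi
}

# Succeeds when the log file still carries the notification quoted above,
# i.e. the RPM is installed but Restart Event Collection Services has not
# run yet. The pattern is widened from the page's "PROTOCOL-AmazonWebServices
# rpm" to match either Amazon protocol name (assumption).
needs_ecs_restart() {
  grep -q 'A newer version of PROTOCOL-Amazon[A-Za-z]* rpm' "$1"
}

# Constructed sample log content (not captured from a real system), built
# from the notification text on the page, plus a log with no such warning.
SAMPLE_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
notification_log_classifier.pl  [NOT:0000004000][IPADDRESS/- -] [-/- -][WARN] A newer version of PROTOCOL-AmazonWebServices rpm has been installed. In order to continue collecting events properly via Amazon Web Services or Amazon S3 REST API, restarting event collection service is required.
EOF
printf '%s\n' 'some unrelated INFO line' > "$CLEAN_LOG"

# Install path, only when run as: sh protocol_install.sh install
# Mirrors steps 3 and 4 of the on-prem procedure; Deploy Full Configuration
# and the ECS restart still happen from the Admin tab afterwards.
if [ "${1:-}" = "install" ]; then
  cd "$STAGE_DIR" || exit 1
  for f in PROTOCOL-AmazonWebServices-*.noarch.rpm PROTOCOL-AmazonAWSRESTAPI-*.noarch.rpm; do
    [ -f "$f" ] || { echo "missing $f in $STAGE_DIR" >&2; exit 1; }
    name=$(rpm_file_name "$f")
    # rpm -q prints "package ... is not installed" on stdout and exits 1,
    # so blank out the value on failure instead of treating it as a version.
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$name" 2>/dev/null) || have=""
    echo "$f: $(version_state "$(rpm_file_version "$f")" "$have")"
  done
  chmod +x ./*.rpm
  yum -y install ./PROTOCOL-AmazonWebServices-*.noarch.rpm ./PROTOCOL-AmazonAWSRESTAPI-*.noarch.rpm
  echo "Next: Admin > Advanced > Deploy Full Configuration, then Restart Event Collection Services"
fi
```

    After the yum step, `needs_ecs_restart /var/log/qradar.log` is a quick way to confirm from the command line whether the event collection restart is still pending; a successful exit means the notification is present and the Admin tab steps remain to be done.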

Case instructions for QRadar on Cloud administrators

QRadar on Cloud administrators must open a case with QRadar Support to ensure Amazon protocol RPM files are installed on the Console appliance. The QRadar DevOps team can install any files from IBM Fix Central that are not included in a QRadar auto update.

To request protocol installation for your QRadar Console:

  1. Open a new case with QRadar Support.
  2. Request that the support team install the latest protocols from IBM Fix Central.
  3. If you have your Console URL, include it in the QRoC hostname field. For example,
    console-<console_number>.qradar.ibmcloud.com
  4. In the Case Description field, request the following protocol installations:
    • PROTOCOL-AmazonAWSRESTAPI-7.5-<latest>.noarch.rpm
    • PROTOCOL-AmazonWebServices-7.5-<latest>.noarch.rpm
  5. Wait for QRadar Support to install the RPM and restart services.

    Results
    After services restart, the latest versions of the Amazon protocols are installed, and the case is closed. Administrators are not expected to request file installation from Fix Central often. Because this issue is related to a JAR file loading problem, the Amazon protocols were temporarily removed from the QRadar auto update. Further changes are expected in this technical note to inform users when the Amazon protocols are available again in the QRadar weekly auto update.


Document Information

Modified date:
31 July 2023

UID

ibm16578969