Troubleshooting
Problem
A Cisco Umbrella log source that uses the Amazon AWS S3 REST API protocol shows a success status, but no events appear in the QRadar Log Activity tab. If you look in /store/tmp/marker_number, you see that the log files have been downloaded but are not processed. The screenshot in Example 1 shows logs stored in /store/tmp/marker_number.
Example 1: Unprocessed Cisco Umbrella logs
Symptom
When you check /var/log/qradar.error, you might see messages similar to the following (shown here as one log line):
Mar 14 14:14:23 ::ffff:10.x.x.12 [ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider804] java.lang.NoClassDefFoundError: au.com.bytecode.opencsv.CSVReader
Cause
This happens because the opencsv-1.8.jar file is not present in the required locations. The protocol parses the downloaded files with the opencsv CSVReader class, so when the jar is missing from the classpath of these services the files are downloaded but never parsed into events. The required locations are:
/opt/ibm/si/services/ecs-ec-ingress/current/bin/
/opt/ibm/si/services/ecs-ec/current/bin/
/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/
To verify that the file exists in the required locations, type:
locate opencsv-1.8.jar
Note: If the file exists in the required locations, it appears in the output of the locate command. The locate command reads a database that updatedb refreshes periodically, so a file that was copied recently might not be listed yet; running ls -l on each required path confirms the current state. In the output, the service paths appear under a version directory (732.2.14 in this example), which is the directory the current directory of each service normally resolves to.
The output should look similar to this:
# locate opencsv-1.8.jar
/opt/ibm/si/services/ecs-ec/732.2.14/bin/opencsv-1.8.jar
/opt/ibm/si/services/ecs-ec-ingress/732.2.14/bin/opencsv-1.8.jar
/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/opencsv-1.8.jar
/opt/qradar/jars/opencsv-1.8.jar
/opt/qradar/webapps/console/WEB-INF/lib/opencsv-1.8.jar
/opt/qradar/webapps/restapi/WEB-INF/lib/opencsv-1.8.jar
/opt/tomcat-rm/webapps/simulator/WEB-INF/lib/opencsv-1.8.jar
Resolving The Problem
If the file is missing from any of the required locations, use this procedure.
Note: This procedure requires restarting the Event Collection Services, which might interrupt event collection. Plan a maintenance window before you restart the services.
- Copy the file to each required location by using these commands:
cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/current/bin/
cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec/current/bin/
cp -p /opt/qradar/jars/opencsv-1.8.jar /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/
- Log into the QRadar User Interface.
- Click the Admin tab.
- Click Advanced > Restart Event Collection Services.
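The following POSIX shell functions are an added example for this technote, not IBM's own code or part of the QRadar product. They automate the verification and copy steps above: they match the symptom in qradar.error, check the three required directories directly (rather than through locate), copy opencsv-1.8.jar from /opt/qradar/jars only where it is missing, and compare each copy with the source byte for byte. The paths and the cp -p source are the ones this technote names; the prefix argument, the function names and the return codes are this example's own conventions, added so the functions can be exercised against a scratch directory. The restart of the Event Collection Services is still done from the Admin tab as described above.

```shell
#!/bin/sh
# Added example for this technote (not IBM's code): verify that opencsv-1.8.jar
# is present in the three directories the procedure names, copy it from
# /opt/qradar/jars only where it is missing, and confirm each copy is intact.
# Every path is built from a prefix argument (this example's own convention) so
# the functions can be exercised against a scratch directory; on a real console
# pass "" so the paths start at /.

JAR_NAME="opencsv-1.8.jar"

# Copy of the jar shipped with QRadar; the source used by the technote's cp commands.
jar_source() {
    printf '%s/opt/qradar/jars/%s\n' "$1" "$JAR_NAME"
}

# The three directories the Event Collection services need the jar in, one per line.
# None of these paths contains whitespace, so callers may word-split the output.
required_dirs() {
    printf '%s\n' \
        "$1/opt/ibm/si/services/ecs-ec-ingress/current/bin" \
        "$1/opt/ibm/si/services/ecs-ec/current/bin" \
        "$1/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs"
}

# Report whether a qradar.error file carries the symptom from the technote.
# Fixed-string match on the class name, so the thread and provider text that
# precedes it in the log line does not matter.
log_shows_missing_opencsv() {
    grep -Fq 'NoClassDefFoundError: au.com.bytecode.opencsv' "$1"
}

# Print each required directory that lacks the jar. Checks the files directly
# instead of using locate, whose database may not reflect a recent copy.
# Returns 0 when all three are present, 1 otherwise.
missing_jar_dirs() {
    rc=0
    for dir in $(required_dirs "$1"); do
        if [ ! -f "$dir/$JAR_NAME" ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
    done
    return $rc
}

# Copy the jar (cp -p, preserving mode and timestamps as the technote does) into
# each required directory where it is missing, then compare every copy with the
# source byte for byte so a truncated copy is caught. A required directory that
# does not exist is reported (return 3) rather than created, because creating
# it would hide a wrong path or an unexpected service layout.
# Returns 0 only when all three copies match the source.
install_missing_jar() {
    src=$(jar_source "$1")
    if [ ! -f "$src" ]; then
        echo "source jar not found: $src" >&2
        return 2
    fi
    for dir in $(required_dirs "$1"); do
        if [ ! -d "$dir" ]; then
            echo "required directory does not exist: $dir" >&2
            return 3
        fi
        if [ ! -f "$dir/$JAR_NAME" ]; then
            cp -p "$src" "$dir/"
        fi
        if ! cmp -s "$src" "$dir/$JAR_NAME"; then
            echo "copy in $dir differs from $src" >&2
            return 1
        fi
    done
    return 0
}

# On a console (after sourcing this file), check first and copy only if needed:
#   log_shows_missing_opencsv /var/log/qradar.error && { missing_jar_dirs "" || install_missing_jar ""; }
# then restart the Event Collection Services from Admin > Advanced as described above.
```

The functions refuse to create a missing service directory on purpose: the three paths are fixed by the QRadar service layout, and a directory that is absent points at a different problem (wrong path, different version layout) that a blind mkdir would conceal. Checking with a plain file test instead of locate avoids the stale-database problem noted in the verification step.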
Result
After restarting the Event Collection Services, Cisco Umbrella events should now be displayed in Log Activity.
Document Location
Worldwide
Document Information
Modified date:
11 January 2021
UID
ibm10887067