IBM Support

QRadar: Exception parsing rule - Unable to find Reference Data Collection with ID

Troubleshooting


Problem

Errors, similar to the following can be seen in the /var/log/qradar.error file:
[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]The Custom Rule ID is  #111003, Rule Name is: Excessive Firewall Denies from Local Host followed by Exploit: null

[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] java.lang.NullPointerException
...
[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Exception parsing rule #111003.

[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] java.lang.Exception: java.lang.NullPointerException
...
[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] Caused by:

[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher]    java.lang.NullPointerException
...
[ecs-ep.ecs-ep] [<ecs-ep_thread_id>/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.refdata.RefDataCollections: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to find Reference Data Collection with ID = 143
 
Any rules listed in the error trace will not be loaded into the Custom Rule Engine running configuration and will not fire. These rules are identified by ID and rule name in the following part of the trace:
 
The Custom Rule ID is  #111003, Rule Name is: Excessive Firewall Denies from Local Host followed by Exploit

Cause

One or more Reference Data objects referenced in the rule tests does not exist. The ID of each affected object appears after the text:
 
Unable to find Reference Data Collection with ID
in the log message. Several rules can reference the same missing collection, so one missing ID can prevent more than one rule from loading.

Environment

QRadar 7.x

Diagnosing The Problem

Confirm that the reference data object with the particular ID (143 in this case) does not exist in the database. If it does not exist, the query returns "0 rows", as follows:
[root@console ~]# psql -U qradar -c "select * from reference_data where id=143;"
 id | name | collection_type | element_type | created_time | timeout_type | time_to_live | current_count | key1_label | value_label | is_table | bulk_update_timestamp | tenant_info | log_separately | uuid 
----+------+-----------------+--------------+--------------+--------------+--------------+---------------+------------+-------------+----------+-----------------------+-------------+----------------+------
(0 rows)
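Added example (not part of the IBM article): a small shell script that pulls the affected rule IDs, rule names and missing reference data collection IDs out of a qradar.error log, and prints the psql check from the section above for each missing collection ID. The sample log is constructed to match the message formats quoted in the article (a second rule, #100500, and the thread ID 1234 are made up for the sample); the log path and the psql invocation are the ones the article uses.

```shell
#!/bin/sh
# Added example, not from the IBM article. Extracts the identifiers a QRadar admin
# needs from /var/log/qradar.error when the CRE reports "Exception parsing rule".

# Constructed sample of /var/log/qradar.error, reduced to the relevant lines.
# Rule #111003 is the one quoted in the article; rule #100500 and the thread ID
# 1234 are invented for this sample.
SAMPLE_LOG='[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]The Custom Rule ID is  #111003, Rule Name is: Excessive Firewall Denies from Local Host followed by Exploit: null
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] java.lang.NullPointerException
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]Exception parsing rule #111003.
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.refdata.RefDataCollections: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]Unable to find Reference Data Collection with ID = 143
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]The Custom Rule ID is  #100500, Rule Name is: Constructed Test Rule: null
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]Exception parsing rule #100500.
[ecs-ep.ecs-ep] [1234/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.refdata.RefDataCollections: [ERROR] [NOT:0000003000][10.0.0.1/- -] [-/- -]Unable to find Reference Data Collection with ID = 143'

# Rule IDs the CRE failed to parse, one per line, deduplicated and sorted numerically.
failed_rule_ids() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Exception parsing rule #\([0-9][0-9]*\)\..*/\1/p' \
      | sort -un
}

# "<rule id> <rule name>" for each rule the CRE reported. The trailing ": null" is
# the NullPointerException message that the CRE appends after the rule name, so it
# is stripped to recover the name as it appears in Offenses -> Rules.
failed_rules() {
    printf '%s\n' "$1" \
      | sed -n 's/.*The Custom Rule ID is *#\([0-9][0-9]*\), Rule Name is: \(.*\): null$/\1 \2/p' \
      | sort -u
}

# Reference data collection IDs the CRE could not find, deduplicated.
missing_collection_ids() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Unable to find Reference Data Collection with ID = \([0-9][0-9]*\).*/\1/p' \
      | sort -un
}

# Print the psql check from the article for each missing collection ID. The
# commands are printed rather than executed so the script can be reviewed offline;
# paste them on the console to confirm each ID really returns "0 rows".
psql_checks() {
    for id in $(missing_collection_ids "$1"); do
        printf 'psql -U qradar -c "select id, name, collection_type from reference_data where id=%s;"\n' "$id"
    done
}

# Run against the constructed sample. On a console, substitute the live log:
#   failed_rules "$(cat /var/log/qradar.error)"
echo "Rules that failed to load:"
failed_rules "$SAMPLE_LOG"
echo "Missing reference data collections:"
missing_collection_ids "$SAMPLE_LOG"
echo "Checks to run on the console:"
psql_checks "$SAMPLE_LOG"
```

The sed patterns use basic regular expressions only, so they behave the same under GNU sed on the QRadar console and under BSD sed. Because the rule name is printed as free text, a name containing ": null" would be truncated by the last pattern; check the Rule Wizard if a printed name looks cut off.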

Resolving The Problem

1. Go to Offenses->Rules or the Use Case Manager app.
2. Locate the affected rule(s). In this case the Rule Name is: Excessive Firewall Denies from Local Host followed by Exploit
3. Open the Rule to edit it via the Rule Wizard.
4. Locate the rule tests that refer to Reference Data collections and change them to refer to an existing Reference Data collection, or remove them from the rule. Save the rule; the CRE reloads it and the "Exception parsing rule" error for that rule ID should no longer appear in /var/log/qradar.error.

Document Location

Worldwide


Document Information

Modified date:
17 April 2024

UID

ibm17103047