How To
Summary
The purpose of this article is to provide more information on APAR IJ23859 for users who experience application errors related to missing content. The most common cause of APAR IJ23895 is security content owned by a disabled user account. The user interface attempts to display results, but the content owned by a disabled user generates Tomcat errors related to missing content. The procedure in this technical note outlines how to identify and resolve the application error.
Environment
Users affected by this issue can see this error when they navigate to the Log Activity tab in the user interface: "An error has occurred. Return and attempt the action again. If the problem persists, please contact customer support for assistance."
When you review the QRadar logs, an error is displayed that identifies data or a property does not exist:
[tomcat.tomcat] [username@IPAddress (7192)
/console/do/ariel/arielDetails] com.q1labs.ariel.ql.parser.AQLParserException:
Catalog "events" does not exist.
concat('http://',"URL
^
Note: This error message can display in either /var/log/qradar.log or /var/log/qradar.error.
Steps
The issue is caused by a user that was disabled, but its dependencies were not reassigned. You can use the error message to identify which users created the property, then you can reassign the dependency in the user interface.
Before you begin
Before you begin
- The procedure in this section applies to QRadar SIEM on-premise appliances. QRadar on Cloud administrators do not have root access to the Console to view logs.
- If you are a QRadar on Cloud administrator and require assistance verifying disabled content from the command line, contact QRadar Support.
- QRadar on Cloud administrators cannot delete users. If you need to delete a user or reassign content for a QRadar on Cloud Console, contact QRadar Support.
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- To review the logs to identify properties generating the error, type:
grep "Exception creating AQL" /var/log/qradar.error
- The output identifies the user, property, and IP address. For example,
[tomcat.tomcat] [username@IPAddress (7192) /console/do/ariel/arielDetails] com.q1labs.core.shared.ariel.AqlCustomKeyCreator: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -] Exception creating AQL key creator for property ID 4dd61ea4-b492-4e27-93a7-ad187a69210d
-
username: The user that is unable to access the Log Activity tab or feature in the user interface.
-
IPAddress: IP address of the device from where the user is accessing QRadar.
-
property ID: This ID is what we are looking for as it is the one causing the issue, take this ID and use it in the next step.
-
-
To identify the user who owns the property, type:
psql -U qradar -c "select id,username from ariel_property;" | grep <id>
psql -U qradar -c "select id,username from ariel_property;" | grep 69210d
Results
The user name is displayed for the owner of the property that is generating the error. This user might be disabled in the user interface and dependencies must be reassigned to resolve the error in the user interface.4dd61ea4-b492-4e27-93a7-ad187a69210d | firstname.lastname
Additional Information
How to reassign dependencies for disabled users
QRadar administrators can reassign dependencies without removing the user by completing the delete function, but cancelling out of the process before the user is deleted. It is important for administrators to reassign security content owned when you disable a user account. Reassigning security content prevents errors where the product does not display data as expected due to properties or content owned by a disabled or removed user.
Procedure
The procedure reassigns content for a disabled user.
QRadar administrators can reassign dependencies without removing the user by completing the delete function, but cancelling out of the process before the user is deleted. It is important for administrators to reassign security content owned when you disable a user account. Reassigning security content prevents errors where the product does not display data as expected due to properties or content owned by a disabled or removed user.
Procedure
The procedure reassigns content for a disabled user.
- Log in to the QRadar Console as an administrator.
- On the Admin tab, click Users.
- Search for the owner of the property generating the error message.
- Select the user, then click the Delete button.
A search for dependencies starts for all content owned by the user. - Click View to review existing dependencies by type.
- Select any properties that need to be migrated from the disabled user and click Re-assign Ownership.
- Select the new owner for the security content and click Re-assign.
- When reassignment is complete, click OK.
You are returned to the dependency list. - Click Cancel to exit the delete user interface to leave the user in the disabled state.
Important: If you need to keep the user in the disabled state, do NOT select Delete User. By cancelling out of the user interface, the user is left in the disabled state with their security content reassigned. QRadar on Cloud administrators cannot delete users. If you need to delete a user on a QRadar on Cloud appliance, contact QRadar Support.
Result
After you are done reassigning the dependencies, return to the Log Activity tab. You can verify the user interface displays and or run searches with the removed properties to confirm they function as expected. If you continue to experience errors with APAR IJ23859, contact QRadar Support.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
13 October 2021
UID
ibm16454901