Troubleshooting
Problem
Administrators might notice that they are not able to upgrade to the latest version of the UBA app or they cannot import users from LDAP to UBA.
Symptom
When the UBA app loads in the QRadar UI a similar message is displayed.
Message: “Internal Server Error: http://<IP_address>/user_import/index”
Status: 500
[“message”:”Internal Server Error: [http://<IP_address>>next-dashboard”,”status”:
500|http://%3c...%3enext-dashboard”,”status”:500]
Diagnosing The Problem
- Use an SSH session to log in to the QRadar Console as root user.
- Locate the UBA App-ID by using the command:
# /opt/qradar/support/recon ps App-ID Name Managed Host ID Workload ID Service Name AB Container Name CDEGH Port IJKL 1055 QRadar Use Case Manager 53 apps qapp-1055 ++ qapp-1055 +++++ 5000 ++++ 1052 QRadar Log Source Management 53 apps qapp-1052 ++ qapp-1052 +++++ 5000 ++++ 1054 Pulse - Threat Globe 53 apps qapp-1054 ++ qapp-1054 +++++ 5000 ++++ 1051 QRadar Assistant 53 apps qapp-1051 ++ qapp-1051 +++++ 5000 ++++ 1053 Pulse - Dashboard 53 apps qapp-1053 ++ qapp-1053 +++++ 5000 ++++ 1101 User Analytics 53 apps qapp-1101 -n 0 0 ui ui ++ ui +++++ 5000 ++++ 0 graphql graphql ++ graphql +++++ 5000 ++++
- Connect to the container for UBA by using the command:
/opt/qradar/support/recon connect 1101
Note: In this example, the App-ID is 1101 - Change directories to /opt/app-root/store/psql/log by using the command:
cd /opt/app-root/store/psql/log
- in the file postgresql-<day>.log look for messages similar to:
“PANIC: could not locate a valid checkpoint record” “LOG: startup process … was terminated by signal 6: Aborted” “LOG: aborting startup due to startup process failure” “LOG: database system is shut down”
- Close the container by typing exit.
Resolving The Problem
The database within the UBA app is not running. Use this procedure to reset the write-ahead log.
- Use an SSH session to log in to the QRadar Console as root user.
- Stop the Postgresql service:
supervisorctl stop psql
- Reset the write-ahead log by using the command:
su postgres -c '/usr/pgsql-10/bin/pg_resetwal -f /store/psql'
- Restart the Postgresql service:
supervisorctl start psql
- Stop the application by using the qappmanager.
/opt/qradar/support/qappmanager
- After you located the App-ID for UBA, stop the application by using option 24.
- Choose a security profile.
- Choose the app instance to stop.
Choose option: 24 To execute this option, you must supply an Admin-capable Authorized Service authentication token AUTHORIZED SERVICES (SP=Security Profile): ID | Name | SP | Role ------------------------------------ 2 | Assistant app | Admin | Admin App instance - stop > Choose Authorized Service ID: 2 NOTE: Authorized Service Assistant app will be used for any further options that require authentication APP INSTANCES (SP=Security Profile): ID | Name | Status | Task Status | Installed | SP ------------------------------------------------------------------------------------- 1051 | QRadar Assistant | RUNNING | COMPLETED | 2021-05-26 15:04 | 1052 | QRadar Log Source Management | RUNNING | COMPLETED | 2021-05-26 15:10 | 1053 | pulse.full_name | RUNNING | COMPLETED | 2021-05-26 15:13 | 1054 | threatglobe.name | RUNNING | COMPLETED | 2021-05-26 15:18 | 1055 | QRadar Use Case Manager | RUNNING | COMPLETED | 2021-05-26 15:22 | 1101 | User Analytics | RUNNING | COMPLETED | 2021-09-23 12:42 | App instance - stop > Choose app instance ID:
- Repeat the procedure by using option 23 to start the application.
Choose option: 23 APP INSTANCES (SP=Security Profile): ID | Name | Status | Task Status | Installed | SP -------------------------------------------------------------------------------------- 1051 | QRadar Assistant | RUNNING | COMPLETED | 2021-05-26 15:04 | 1052 | QRadar Log Source Management | RUNNING | COMPLETED | 2021-05-26 15:10 | 1053 | pulse.full_name | RUNNING | COMPLETED | 2021-05-26 15:13 | 1054 | threatglobe.name | RUNNING | COMPLETED | 2021-05-26 15:18 | 1055 | QRadar Use Case Manager | RUNNING | COMPLETED | 2021-05-26 15:22 | 1101 | User Analytics | STOPPING | STOPPING | 2021-09-23 12:42 | App instance - start > Choose app instance ID: 1101
- Choose 0 to quit the qappmanager.
- Start a new browser session.
Results
The postgresql service is running and the UBA app can be upgraded.
The postgresql service is running and the UBA app can be upgraded.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.4.2;7.4.3"}]
Was this topic helpful?
Document Information
Modified date:
27 September 2021
UID
ibm16488491