Troubleshooting
Problem
After opening the QRadar Rule Wizard, clicking the Next button once the rule tests are completed results in a blank page. Users may also notice that email notifications are not sent.
Checking /var/log/qradar.error at this time shows an exception such as:
[tomcat.tomcat] [<user>@<ip_address> (8393) /console/do/rulewizard] com.q1labs.uiframeworks.struts2.interceptors.RequestProcessorInterceptor: [ERROR] [NOT:0000003000][<ip_address>/- -] [-/- -]Error executing JSP
[tomcat.tomcat] [<user>@<ip_address> (8393) /console/do/rulewizard] javax.xml.bind.UnmarshalException
[tomcat.tomcat] [<user>@<ip_address> (8393) /console/do/rulewizard] - with linked exception:
[tomcat.tomcat] [<user>@<ip_address> (8393) /console/do/rulewizard] [org.xml.sax.SAXParseException: Invalid byte 1 of 1-byte UTF-8 sequence.]
Cause
The SAXParseException shown indicates that the Rule Wizard encountered an encoding issue when attempting to parse an XML file. This is most often caused by a problem with the alert-config.xml file that QRadar uses to store email notification templates.
Environment
QRadar 7.5.x
Diagnosing The Problem
Run the following command from the QRadar Console command line:
xmllint --noout /opt/qradar/conf/templates/custom_alerts/alert-config.xml && echo "XML is valid" || echo "XML is not valid"
If the problem is caused by an invalid character or format in the alert-config.xml file, the command returns "XML is not valid" and indicates the problematic line. For example:
/opt/qradar/conf/templates/custom_alerts/alert-config.xml:8: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0x9D 0x5D 0x20 0x2D
<subject><Email subject here> ▒] - <Email Subject here>
^
XML is not valid
The '^' character indicates the position of a character that cannot be parsed as UTF-8.
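The xmllint output above points at one offending location. As an added example (not part of the IBM document or of QRadar), the following Python script lists every byte run in a file that does not decode as UTF-8, with its line and byte column. The function names, the constructed sample data, and the availability of Python 3 on the host where you run it are assumptions.

```python
#!/usr/bin/env python3
"""List every byte run in a file that does not decode as UTF-8."""
import sys

# Constructed sample, not a real alert-config.xml: line 3 carries a stray
# 0x9D byte, line 4 a Latin-1 0xE9 plus a valid three-byte UTF-8 quote.
SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<template>\n"
    b"  <subject>Offense \x9d] - subject</subject>\n"
    b"  <body>caf\xe9 ok \xe2\x80\x9d</body>\n"
    b"</template>\n"
)


def find_invalid_utf8(data):
    """Return [(line, byte_column, hex_bytes)] for each undecodable run (1-based)."""
    findings = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")  # strict decoding stops at the first bad byte
            break
        except UnicodeDecodeError as exc:
            start, end = pos + exc.start, pos + exc.end
            line = data.count(b"\n", 0, start) + 1
            column = start - data.rfind(b"\n", 0, start)
            bad = " ".join("0x%02X" % b for b in data[start:end])
            findings.append((line, column, bad))
            pos = end  # resume after the bad run so later problems are reported too
    return findings


def main(argv):
    """Scan the file named in argv[1], or the constructed SAMPLE if none is given."""
    if len(argv) > 1:
        with open(argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    findings = find_invalid_utf8(data)
    for line, column, bad in findings:
        print("line %d, byte column %d: %s" % (line, column, bad))
    return 1 if findings else 0  # non-zero exit status when anything was found


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the path of the XML file, or of a copy of it, as the only argument; run without arguments, the script scans the constructed sample.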
Resolving The Problem
If the
xmllint --noout /opt/qradar/conf/templates/custom_alerts/alert-config.xml && echo "XML is valid" || echo "XML is not valid"
command helps to identify a character that is invalidating the alert-config.xml file, follow these steps to remove the character and implement the change to resolve the issue.
If the problem persists or if you have any questions, contact IBM Support for further assistance.
Document Location
Worldwide
Historical Number
TS016426856
Document Information
Modified date:
07 June 2024
UID
ibm17156759