IBM Support

QRadar: Troubleshooting steps for data export queue

Troubleshooting


Problem

Log activity events can be exported in either XML or CSV format from the user interface. However, QRadar can run only one export at a time, and all other exports are queued. QRadar executes the queued exports in the order that they are submitted.

The user can opt to be notified by email when their specific export completes.   However, there is no indication in the UI of which export is running.

The following data can assist with troubleshooting which export is active, which are queued, and when they are complete.

Symptom

This is the dialog with options when starting an export and no other export is running:

[Image: Initializing export dialog]

This is the dialog received when attempting to start an export when another export is already running:

[Image: "There is already an export running" message]

Followed by dialog:

[Image: Initializing export dialog]

Cause

The cause varies depending upon the error message found.  

Diagnosing The Problem

The files and directories on the QRadar console that contain information about the export events are:

  1. /var/log/qradar.log
  2. /var/log/audit/audit.log
  3. /store/exports
  • Use the following Linux command to search for entries in audit.log that pinpoint when an export is initialized from the UI.   The following example command is a search specifically for "Full Export|Visible Columns" exports:
grep -iE "Full Export|Visible Columns" /var/log/audit/audit.log|grep -v grep
The results look similar to:
Jul 13 18:45:39 admin@x.x.x.x (5753) /console/JSON-RPC/QRadar.auditMenuItemSelected QRadar.auditMenuItemSelected | [Action] [AuditLogs] [AuditStarted] Selected Menu Item : Full Export (All Columns) by | Username : admin | Security ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Jul 13 19:17:40 user1@x.x.x.x (8058) /console/JSON-RPC/QRadar.auditMenuItemSelected QRadar.auditMenuItemSelected | [Action] [AuditLogs] [AuditStarted] Selected Menu Item : Full Export (All Columns) by | Username : user1 | Security ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Jul 13 19:49:36 user2@x.x.x.x (8184) /console/JSON-RPC/QRadar.auditMenuItemSelected QRadar.auditMenuItemSelected | [Action] [AuditLogs] [AuditStarted] Selected Menu Item : Full Export (All Columns) by | Username : user2 | Security ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • To identify the export file that is currently being written, and also the files for the queued exports, use the command:
ls -ltr /store/exports
Results:
-rw-r--r-- 1 nobody nobody       0 Jul 13 19:17 user116892908525672030791404275189805.zip
-rw-r--r-- 1 nobody nobody       0 Jul 13 19:49 user216892909000217755202499081823793.zip
-rw-r--r-- 1 nobody nobody  274770734 Jul 13 19:28 admin16892908252664454563789275095125.zip
The file should be removed when the export is successfully completed. The size of the file for the active export will be growing. The size of the files for queued exports will be 0 bytes.
  • Entry from qradar.log when starting an export:
Jul 13 19:47:05 [tomcat.tomcat] [ExportJob-admin-4abee769-3312-44e2-bd45-4aadbb4ba65c] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [INFO] [NOT:0000006000]Initiating EventViewer data export requested by admin, job is assigned id 4abee769-3312-44e2-bd45-4aadbb4ba65c
  • Entry from qradar.log when clicking the “Notify when done” button:
Jul 13 19:49:24 [tomcat.tomcat] [admin@x.x.x.x (1561) /console/JSON-RPC/QRadar.backgroundExportJob QRadar.backgroundExportJob] com.q1labs.core.ui.coreservices.export.ExportJob: [INFO] [NOT:0000006000]Backgrounding export job 4abee769-3312-44e2-bd45-4aadbb4ba65c for user admin
  • Entry from qradar.log when export completes:
Jul 13 20:09:59 [tomcat.tomcat] [ExportJob-admin-d761f42c-13a0-4088-b6d7-a742e475bbfe] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [INFO] [NOT:0000006000]Export job d761f42c-13a0-4088-b6d7-a742e475bbfe for user admin is complete
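
The three qradar.log message formats above can be correlated by job id to list which exports are still incomplete. The following script is an added example, not IBM code and not part of the original technote; the function names are hypothetical, and the sample input is the three qradar.log lines quoted on this page.

```shell
#!/usr/bin/env bash
# Added example, not IBM code. Correlates the three export messages quoted
# on this page by job id and prints one status line per job.

export_job_status() {   # usage: export_job_status /var/log/qradar.log  (or stdin)
    awk '
    function after(marker, len,    i) {   # up to len chars following marker
        i = index($0, marker)
        return i ? substr($0, i + length(marker), len) : ""
    }
    function seen(id) { if (!(id in state)) { order[++n] = id; state[id] = "incomplete" } }
    /Initiating EventViewer data export requested by / {
        id = after("job is assigned id ", 36); seen(id)
        start[id] = $1 " " $2 " " $3
        user[id] = after("requested by ", 64); sub(/,.*/, "", user[id])
    }
    /Backgrounding export job / {         # user clicked "Notify when done"
        id = after("Backgrounding export job ", 36); seen(id); notify[id] = "yes"
    }
    /Export job .* is complete/ {
        id = after("Export job ", 36); seen(id)
        state[id] = "complete"; done[id] = $1 " " $2 " " $3
        # start line may be missing (rotated log): take the user from here
        if (user[id] == "") { user[id] = after("for user ", 64); sub(/ is complete.*/, "", user[id]) }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]
            printf "%s user=%s state=%s notify=%s start=%s end=%s\n", id,
                (user[id] == "" ? "-" : user[id]), state[id],
                ((id in notify) ? "yes" : "no"),
                ((id in start) ? start[id] : "-"), ((id in done) ? done[id] : "-")
        }
    }' "$@"
}

sample_qradar_log() {   # the three log lines shown on this page
    cat <<'EOF'
Jul 13 19:47:05 [tomcat.tomcat] [ExportJob-admin-4abee769-3312-44e2-bd45-4aadbb4ba65c] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [INFO] [NOT:0000006000]Initiating EventViewer data export requested by admin, job is assigned id 4abee769-3312-44e2-bd45-4aadbb4ba65c
Jul 13 19:49:24 [tomcat.tomcat] [admin@x.x.x.x (1561) /console/JSON-RPC/QRadar.backgroundExportJob QRadar.backgroundExportJob] com.q1labs.core.ui.coreservices.export.ExportJob: [INFO] [NOT:0000006000]Backgrounding export job 4abee769-3312-44e2-bd45-4aadbb4ba65c for user admin
Jul 13 20:09:59 [tomcat.tomcat] [ExportJob-admin-d761f42c-13a0-4088-b6d7-a742e475bbfe] com.q1labs.core.ui.coreservices.export.ExportJobProcessor: [INFO] [NOT:0000006000]Export job d761f42c-13a0-4088-b6d7-a742e475bbfe for user admin is complete
EOF
}

sample_qradar_log | export_job_status
```

Jobs reported as state=incomplete are either running or still queued; compare them against the file sizes in /store/exports to tell which one is active.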

Resolving The Problem

To resolve the problem, look for error messages around the log data identified in the previous steps. If you need more assistance, contact support.

Document Location

Worldwide

Document Information

Modified date:
03 November 2023

UID

ibm17012041