Hi,

with QRadar 7.5.0 UP7 IF04 the following exception message does not appear...After applying QRadar 7.5.0 UP7 IF05 i can see the following exception messages in qradar.log regarding to the accumulator service:

--

Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Start processing interval: Wed Feb 14 14:59:00 CET 2024
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception was uncaught in thread: Preprocessor(events)_80
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] java.lang.NullPointerException
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.core.types.networkevent.ReferenceSetPredicate.evaluate(ReferenceSetPredicate.java:113)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(IndexPredicate.java:142)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate.evaluate(ObjectArrayAccessors.java:81)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:243)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.lang.Thread.run(Thread.java:825)
Feb 14 15:00:12 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Finished processing interval: Wed Feb 14 14:59:00 CET 2024 in 2100ms

--

The accumulator service is running.. any other experiences or messages like this? I'm going to observe the behavior of accumulator and this message for a while and maybe i will create a support ticket for further investigation by @IBM Support? Any other options?

Regards,

Ralph

Hi Ralph

Without seeing the full logs I can't be entirely sure.  However looking at the stack trace it looks like from the stack trace that you have a CEP checking against a reference set which is not of the type that the CEP is extracting, so something probably checking against an IP based reference set

com.q1labs.core.types.networkevent.ReferenceSetPredicate.evaluate(ReferenceSetPredicate.java:113)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(IndexPredicate.java:142)

A support case would be needed to further investigate the full lows.

Thanks

Hi,

with QRadar 7.5.0 UP7 IF04 the following exception message does not appear...After applying QRadar 7.5.0 UP7 IF05 i can see the following exception messages in qradar.log regarding to the accumulator service:

--

Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Start processing interval: Wed Feb 14 14:59:00 CET 2024
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception was uncaught in thread: Preprocessor(events)_80
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] java.lang.NullPointerException
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.core.types.networkevent.ReferenceSetPredicate.evaluate(ReferenceSetPredicate.java:113)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(IndexPredicate.java:142)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate.evaluate(ObjectArrayAccessors.java:81)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:243)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.lang.Thread.run(Thread.java:825)
Feb 14 15:00:12 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Finished processing interval: Wed Feb 14 14:59:00 CET 2024 in 2100ms

--

The accumulator service is running.. any other experiences or messages like this? I'm going to observe the behavior of accumulator and this message for a while and maybe i will create a support ticket for further investigation by @IBM Support? Any other options?

Regards,

Ralph

Hi John,

thanks for this very useful hint. You have absolutely hit the bull's eye with this :)

It was an existing issue with an ip based ref set! 

Why ever this nonsense was the value of this IP based RefSet (Asset Reconciliation IPv4 Whitelist)! I never noticed that before. After deleting this entry and restarting the accumulator service, the exception messages disappeared :) You made my day :)

Hi Ralph

Without seeing the full logs I can't be entirely sure.  However looking at the stack trace it looks like from the stack trace that you have a CEP checking against a reference set which is not of the type that the CEP is extracting, so something probably checking against an IP based reference set

com.q1labs.core.types.networkevent.ReferenceSetPredicate.evaluate(ReferenceSetPredicate.java:113)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(IndexPredicate.java:142)

A support case would be needed to further investigate the full lows.

Thanks

Hi,

with QRadar 7.5.0 UP7 IF04 the following exception message does not appear...After applying QRadar 7.5.0 UP7 IF05 i can see the following exception messages in qradar.log regarding to the accumulator service:

--

Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Start processing interval: Wed Feb 14 14:59:00 CET 2024
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception was uncaught in thread: Preprocessor(events)_80
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80] java.lang.NullPointerException
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.core.types.networkevent.ReferenceSetPredicate.evaluate(ReferenceSetPredicate.java:113)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(IndexPredicate.java:142)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPredicate.java:15)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate.evaluate(ObjectArrayAccessors.java:81)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(ObjectArrayAccessors.java:243)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Preprocessor.java:26)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Feb 14 15:00:10 ::ffff:127.0.0.1 [accumulator.accumulator] [Preprocessor(events)_80]    at java.lang.Thread.run(Thread.java:825)
Feb 14 15:00:12 ::ffff:127.0.0.1 [accumulator.accumulator] [AccumulationService] com.q1labs.cve.accumulation.AccumulationService: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Finished processing interval: Wed Feb 14 14:59:00 CET 2024 in 2100ms

--

The accumulator service is running.. any other experiences or messages like this? I'm going to observe the behavior of accumulator and this message for a while and maybe i will create a support ticket for further investigation by @IBM Support? Any other options?

Regards,

Ralph