IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

Log Source Management app install error

1. Log Source Management app install error

Like
Abdul Rahman
Posted Wed July 07, 2021 08:44 AM

Reply
Hello all,
I am using QRadar 7.4.1 and a separate app host with the same version connected with console. All my apps are running on that host fine but suddenly Log Source management app got into error and couldn't start. I tried to troubleshoot the qradar.log file and found this error as below:

Jul 7 16:32:13 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] com.ibm.si.cmt.utils.app.AppFrameworkAPIClient: [ERROR] [NOT:0000003000][10.10.10.16/- -] [-/- -]Message in timeout: {"error_messages":"[Application install could not be completed. See server logs for further details., An error occurred while creating app instance. Task state found to be [EXCEPTION]., LOCAL : 0 : javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate, LOCAL : 0 : javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate]","application_id":1504,"error_messages_json":[{"message":"Application install could not be completed. See server logs for further details."},{"message":"An error occurred while creating app instance. Task state found to be [EXCEPTION]."},{"code":"0","source":"LOCAL","message":"javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate"},{"code":"0","source":"LOCAL","message":"javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate"}],"status":"ERROR"}

Jul 7 16:32:13 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] com.ibm.si.content_management.ContentManager: [INFO] [NOT:0000006000][10.10.10.16/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds

Jul 7 16:32:13 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] com.ibm.si.content_management.ContentManager: [ERROR] [NOT:0000003000][10.10.10.16/- -] [-/- -]Failed to import content file [/store/tmp/cmt/out/20210707160756/extension_zip.xml]

Jul 7 16:32:14 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [INFO] [NOT:0000006000][10.10.10.16/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds

Jul 7 16:32:14 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [ERROR] [NOT:0000003000][10.10.10.16/- -] [-/- -]installing extension with id = 73 failed: An error occurred installing application. Please see error logs for details.

Jul 7 16:32:14 ::ffff:10.10.10.16 [tomcat.tomcat] [rahman@10.10.20.18] java.lang.Exception: An error occurred installing application. Please see error logs for details.

I tried to search on internet for the issue but couldn't find suitable solution. Anyone please help with a possible solution.

Thanks,

------------------------------
Abdul Rahman
------------------------------
2. RE: Log Source Management app install error

Like
Abdul Rahman
Posted Thu July 08, 2021 03:18 AM

Reply
Anyone who can help?

------------------------------
Abdul Rahman
------------------------------

Original Message
3. RE: Log Source Management app install error

Like
Ali Okan Yuksel
Posted Thu July 08, 2021 03:33 AM

Reply
Hello Abdul,

There is a APAR page which can be related with your issue.

https://www.ibm.com/support/pages/apar/IJ25911

Alterantively reseting certs, restarting services and full deploy may help also.

# rm -rf /opt/qradar/ca/certs/*; /opt/qradar/ca/bin/reset-qradar-ca.sh all --reset

# systemctl restart tomcat hostcontext

I think, for a production system raising to a support case is the best option for you.

------------------------------
Ali Okan Yuksel
------------------------------

Original Message
4. RE: Log Source Management app install error

Like
Abdul Rahman
Posted Thu July 08, 2021 04:39 AM

Reply
Thank you Ali for reply. I have run the command and restarted the services but now my all apps on app host are in error. What should I do now?

------------------------------
Abdul Rahman
------------------------------

Original Message
5. RE: Log Source Management app install error

Like
Ali Okan Yuksel
Posted Thu July 08, 2021 07:29 AM

Reply
On this state I think raising to a support ticket is the best option for you.

------------------------------
Ali Okan Yuksel
------------------------------

Original Message
6. RE: Log Source Management app install error

Like
Alisher Sapiyev
Posted Thu July 08, 2021 10:27 AM

Reply
Hi!

You can try /opt/qradar/support/qappmanager to troubleshoot apps.

Check status of applications. If apps status is ok, try to reinstall app with Extension Manager

------------------------------
Alisher Sapiyev
------------------------------

Original Message
7. RE: Log Source Management app install error

Like
Abdul Rahman
Posted Fri July 09, 2021 03:30 AM

Reply
Yeah, I have tried that and all apps instances were in error state. The error displayed in app.log is:

javax.net.ssl.SSLHandshakeException: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificatePathValidatorException: Path does not chain with any of the trust anchors.
2021-07-08 15:54:27,574 [abstract_qpylib.log] [MainThread] [INFO] - 127.0.0.1 [APP_ID/1105][NOT:0000006000] Error in getting metric resolution of the host: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
2021-07-08 15:54:27,588 [abstract_qpylib.log] [MainThread] [INFO] - 127.0.0.1 [APP_ID/1105][NOT:0000006000] Error in startArielSearch: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
2021-07-08 15:54:27,592 [abstract_qpylib.log] [MainThread] [INFO] - 127.0.0.1 [APP_ID/1105][NOT:0000006000] Error in getting Top Security Data, Method:getTopSecurityData: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

I tried to replace certificate by using above commands suggested by Ali but error displayed same.

------------------------------
Abdul Rahman
------------------------------

Original Message

IBM QRadar

IBM QRadar

Log Source Management app install error

Abdul RahmanWed July 07, 2021 08:44 AM

Abdul RahmanThu July 08, 2021 03:18 AM

Ali Okan YukselThu July 08, 2021 03:33 AM

Abdul RahmanThu July 08, 2021 04:39 AM

Ali Okan YukselThu July 08, 2021 07:29 AM

Alisher SapiyevThu July 08, 2021 10:27 AM

Abdul RahmanFri July 09, 2021 03:30 AM

1. Log Source Management app install error

2. RE: Log Source Management app install error

3. RE: Log Source Management app install error

4. RE: Log Source Management app install error

5. RE: Log Source Management app install error

6. RE: Log Source Management app install error

7. RE: Log Source Management app install error

Additional
Resources

Office

Quick Links

IBM QRadar

IBM QRadar

Log Source Management app install error

Abdul RahmanWed July 07, 2021 08:44 AM

Abdul RahmanThu July 08, 2021 03:18 AM

Ali Okan YukselThu July 08, 2021 03:33 AM

Abdul RahmanThu July 08, 2021 04:39 AM

Ali Okan YukselThu July 08, 2021 07:29 AM

Alisher SapiyevThu July 08, 2021 10:27 AM

Abdul RahmanFri July 09, 2021 03:30 AM

1. Log Source Management app install error

2. RE: Log Source Management app install error

3. RE: Log Source Management app install error

4. RE: Log Source Management app install error

5. RE: Log Source Management app install error

6. RE: Log Source Management app install error

7. RE: Log Source Management app install error

Related Content

Event Rule Wizard: Reference Table Key test usage

tls syslog certificate

WinCollect Standalone mode installation Issues

WinCollect connection error

Top Rules generating offenses

Additional Resources

Office

Quick Links

Additional
Resources