IBM QRadar

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: 

• have a look at qradar.error as well
• reboot
• check ressources via QDI and CLI - disk full?
• host context and all services related running?
• log run script now showing any results in log activity prooves there is some process down - license issue?
• contact IBM support!

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: 

Hello @Karl Jaeger,

Thanks for the reply.

I have verified all these parameters and we have enough space and all the service are up and running. Restart the host context and also restarted the VM server as well. Still the issue persist.

Even qradar error log file does not show any issues. Reaching IBM support is the only option.

Any other solution comes to your top of the mind at this time.?

Regards,

Punith R

• have a look at qradar.error as well
• reboot
• check ressources via QDI and CLI - disk full?
• host context and all services related running?
• log run script now showing any results in log activity prooves there is some process down - license issue?
• contact IBM support!

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: 

Hello,

I don't believe the error highlighted pretains to the issue at hand. 

Please review the App Troubleshooting guide:

https://www.ibm.com/support/pages/qradar-app-troubleshooting

in particular:
https://www.ibm.com/support/pages/node/6256046

The app.log for this particulur app may provide more insight. 

Regards

Hello @Karl Jaeger,

Thanks for the reply.

I have verified all these parameters and we have enough space and all the service are up and running. Restart the host context and also restarted the VM server as well. Still the issue persist.

Even qradar error log file does not show any issues. Reaching IBM support is the only option.

Any other solution comes to your top of the mind at this time.?

Regards,

Punith R

• have a look at qradar.error as well
• reboot
• check ressources via QDI and CLI - disk full?
• host context and all services related running?
• log run script now showing any results in log activity prooves there is some process down - license issue?
• contact IBM support!

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: 

Hello @Comghall Morgan,

Thanks for the update. We have already verified the app.log as we as suggested above and there is no error in app.log as well. What we are suspecting is that there is a issue in the SIEM itself. Because when we run the logrun script through the CLI by providing sample logs. even these logs are also not appearing in log activity tab. Something which is blocking at EC level i guess. But we are not able to find it out.

Hello,

I don't believe the error highlighted pretains to the issue at hand. 

Please review the App Troubleshooting guide:

https://www.ibm.com/support/pages/qradar-app-troubleshooting

in particular:
https://www.ibm.com/support/pages/node/6256046

The app.log for this particulur app may provide more insight. 

Regards

Hello @Karl Jaeger,

Thanks for the reply.

I have verified all these parameters and we have enough space and all the service are up and running. Restart the host context and also restarted the VM server as well. Still the issue persist.

Even qradar error log file does not show any issues. Reaching IBM support is the only option.

Any other solution comes to your top of the mind at this time.?

Regards,

Punith R

• have a look at qradar.error as well
• reboot
• check ressources via QDI and CLI - disk full?
• host context and all services related running?
• log run script now showing any results in log activity prooves there is some process down - license issue?
• contact IBM support!

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: 

Hello,

That does seem like a pipeline issue. 

A few things. 

Are you receiving any other syslog events in the log activity view?

Run these commands to see if the ports are up and listening:

Syslog Port:

netstat -anp | grep 514

Tomcat realtime streaming port for events:

netstat -anp | grep 7800

Note for the syslog port to be up and running you must have at least one log source configured with this protocol. 

Lastly restart ecs-ec-ingress, ecs-ec and ecs-ep and monitor the qradar.error log. 

ex. systemctl restart ecs-ec-ingress
Restart them individually (approx 5 mins apart). 

Regards

Hello @Comghall Morgan,

Thanks for the update. We have already verified the app.log as we as suggested above and there is no error in app.log as well. What we are suspecting is that there is a issue in the SIEM itself. Because when we run the logrun script through the CLI by providing sample logs. even these logs are also not appearing in log activity tab. Something which is blocking at EC level i guess. But we are not able to find it out.

Hello,

I don't believe the error highlighted pretains to the issue at hand. 

Please review the App Troubleshooting guide:

https://www.ibm.com/support/pages/qradar-app-troubleshooting

in particular:
https://www.ibm.com/support/pages/node/6256046

The app.log for this particulur app may provide more insight. 

Regards

Hello @Karl Jaeger,

Thanks for the reply.

I have verified all these parameters and we have enough space and all the service are up and running. Restart the host context and also restarted the VM server as well. Still the issue persist.

Even qradar error log file does not show any issues. Reaching IBM support is the only option.

Any other solution comes to your top of the mind at this time.?

Regards,

Punith R

• have a look at qradar.error as well
• reboot
• check ressources via QDI and CLI - disk full?
• host context and all services related running?
• log run script now showing any results in log activity prooves there is some process down - license issue?
• contact IBM support!

Hello All,

We have recently installed IBM Qradar ALL-IN-ONE console with 7.5 version. When we use experience center to simulate the attack pattern and generate the offense. But we are not getting any offense in console not we are getting any log pertaining to this in log activity tab. 

We also used log run script to run the sample logs. but that also did not work and no logs shown on console. We are getting audit and health related logs in console. 

Tried restating the ec service, wen service also reinstalled the app as well. But no luck.

It was working earlier and all of a sudden its stopped working not sure what is the issue. Please help us in identifying the issue.

below are few error message that i see from qradr.log

Jan 31 11:40:04 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [com.ibm.si.ec.filters.LicenseGivebackFilter] com.ibm.si.ec.filters.ForwardingFilter: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to set EC's givebackToLicense count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to get EC's thorttle count.
Jan 31 11:40:05 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: [ERROR] [NOT:0000003000][/- -] [-/- -]Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is: