IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  QRadar CE APP Log Management error 404

    Posted Mon February 27, 2023 09:30 AM

    Good morning friends all right? I have a problem with the log management app, has anyone had this problem?

    i am using qradar CE



    ------------------------------
    Gafanhoto Inseto
    ------------------------------


  • 2.  RE: QRadar CE APP Log Management error 404

    Posted Mon February 27, 2023 09:39 AM
    Hi,

    Step 1
    Restart the application from CLI and try to use from other browser


    If step 1 doesn't works then try below steps
    If still it is not working. 
    1. Try to reset SSL certs from console.
    2. Restart application from qappmanager.
    3. Try to use applications

    Thanks,
    Jaswinder Singh



    Original Message


  • 3.  RE: QRadar CE APP Log Management error 404

    Posted Mon February 27, 2023 11:58 AM

    Please verify that the IP address is the one for QRadar. This is done looking up the Managed host IP in Postgres table and compare to IP config output.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------

    Original Message


  • 4.  RE: QRadar CE APP Log Management error 404

    Posted Mon February 27, 2023 10:22 PM
    Edited by Jonathan Pechta Mon February 27, 2023 10:23 PM

    This issue could either be something blocking traffic or it could be as simple as a service issue with docker and stopping and restarting the app might work. 

    What to do

    This procedure is intended for QRadar SIEM. If you are on QRadar on Cloud, you will require a case to have this issue validated as QRadar on Cloud users cannot access the command line where the application resides. 

    The goal of this procedure is to determine if you connect on port 8080 and port 443. 

    1. Use SSH to log in to the QRadar Console (or App host, if present) as an administrator. 
    2. To get your LSM app ID, type:  
      /opt/qradar/support/recon ps
    3. To connect to the container with the LSM app, type:  
      /opt/qradar/support/recon connect ####
    4. To curl for the index page of nginx, type: 
      curl http://127.0.0.1:5002/index.html
    5. If you receive an error message, there is likely a proxy config issue going on or the port is being blocked by an iptables rule. 
      For example, if I have a bad proxy or port, the following is displayed as localhost (127.0.0.1 should not be hitting the proxy): 
      curl: (7) Failed to connect to proxy.example.test port 8080: Connection timed out
    6. To confirm your environment variables, type: 
      printenv
    7. If the output does not list QRadar_NO_PROXY in the environment variables, then this might be your issue. 
    8. When we've seen this in the past, support needed to set APP_PROXY_NO_PROXY_LIST to enable the environment variables, but the root cause ended up being a --dport 443 -j DROP in iptables that caused the issue. The logs should tell us more, but this is an issue that needs to be confirmed in nva.conf and also in the app config.

      Results
      As this is QRadar CE, you should check to see what the CURL command reports. As this issue is QRadar CE, there is no support for this product and only the forums are available. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------

    Original Message