IBM Security QRadar

 View Only

  • 1.  Qradar Content Pack installation failed

    Posted Tue March 31, 2020 11:43 AM

    Hello, I'm using Qradar 7.3.2.20190522204210 and when I try to install "IBM Qradar Content Extensions for Microsoft Windows Custom Properties" fails. The output indicates a fail in one of the Custom Extraction Properties, but when I look for that property it doesn't exists.

    I tried to create that property name with the regex in the content pack documentation and try to install again, but I get the same error. Looking in the qradar.log I can see: installing extension with ID = 1362 failed: Detected a conflict while importing a custom property, but I can't find that property in "custom property" neither psql database. (select id,propertyname from public.ariel_regex_property WHERE propertyname ilike '%Parent%') the query returns data, but not the custom property failing. Any clue about this problem?



    ------------------------------
    Roberto Ivars
    ------------------------------


  • 2.  RE: Qradar Content Pack installation failed

    Posted Wed April 01, 2020 09:00 AM
    Hi Roberto,

    I think I answered this question in another forum, but in case it's just a similar-sounding problem I'll discuss here too. Typically custom property installation conflicts happen when an extension contains a custom property with the same name as one already on the installing system but a different ID. We are working on a major update to Extension Management right now that will allow such conflicts to be presented in the user interface and allow you to choose which of the conflicting properties you want to "win" the conflict but for now it would be necessary to update the ID or name of the existing property on the system to either avoid the conflict (change the name, this could have many negative side effects) or to solve the conflict (the change the ID so it matches the inbound one). If you can provide more information about what the exact error message is from /var/log/qradar.log or /var/log/qradar.error hen I can probably guide you to a solution.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    ------------------------------

    Original Message


  • 3.  RE: Qradar Content Pack installation failed

    Posted Mon April 12, 2021 05:28 PM
    Hello,

      Wondered if there was any updates on the update to Extension Management to better handle the Conflicts when trying to update Content Extensions?  Is there any work around to handle things?

      Thanks,
        Evan

    ------------------------------
    Evan Cardanha
    ------------------------------

    Original Message


  • 4.  RE: Qradar Content Pack installation failed

    Posted Tue April 13, 2021 09:46 AM
    Hi Evan,

    Nothing has been released yet, the work was somewhat deprioritized but is still progressing. The best thing you can do right now is check /var/log/qradar.error when a conflict error occurs - it will give an indication of what item(s) are in conflict and may give an indication of how to address it.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------

    Original Message