IBM Security QRadar SOAR

  • 1.  Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Mon October 21, 2019 07:48 AM
    Hi,

    The Resilient app for QRadar fails to send offenses to Resilient. There are errors in circuits.log as below. We have to click "Save configuration" manually, but after that the app stops sending offenses.

    STOMP connection is down

    As QRadar support doesn't help with the Resilient app, I have to post it here. Any help would be appreciated.


    2019-10-21 14:36:01,552 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2019-10-21 14:37:01,552 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2019-10-21 14:37:21,107 INFO [qradar_poll] Starting poll...
    2019-10-21 14:37:21,145 INFO [qradar_poll_handler] Starting poll...
    2019-10-21 14:37:21,146 INFO [qradar_poll_handler] Last poll: 2019-10-21 11:34:46.000000; Config Change: 2019-10-21 11:28:57.849533, UTC Time; Last max offense ID: 417603.
    2019-10-21 14:37:24,836 INFO [qradar_poll_handler] These offenses have been updated since last poll: ['417598', '417591', '417590', '417501', '417471', '417465', '417464', '417394', '417367', '417363', '417235', '417146', '416915', '416898', '416824', '416748', '416734', '416659', '416654', '416653', '416651', '416650', '416649', '416647', '416646', '416644', '416641', '416633', '416403', '416339', '415941', '415845', '414672', '414639', '413033', '412930', '411165', '411160', '409591']
    2019-10-21 14:37:25,631 INFO [qradar_poll_handler] Found 39 offenses ((last_updated_time>1571657686000 and status = "OPEN") or (id>417603 and status = "OPEN")) that we need to check for escalation
    2019-10-21 14:37:25,902 INFO [qradar_poll] Found 0 closed offenses
    2019-10-21 14:38:01,553 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2019-10-21 14:39:01,553 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2019-10-21 14:39:25,640 INFO [qradar_poll] Starting poll...
    2019-10-21 14:39:25,674 INFO [qradar_poll_handler] Starting poll...
    2019-10-21 14:39:25,675 INFO [qradar_poll_handler] Last poll: 2019-10-21 11:36:51.000000; Config Change: 2019-10-21 11:28:57.849533, UTC Time; Last max offense ID: 417603.
    2019-10-21 14:39:29,583 INFO [qradar_poll_handler] These offenses have been updated since last poll: ['417598', '417591', '417590', '417501', '417471', '417465', '417464', '417452', '417373', '417367', '417363', '417235', '416915', '416898', '416824', '416748', '416734', '416659', '416653', '416651', '416650', '416649', '416647', '416646', '416644', '416641', '416633', '416403', '415941', '415845', '414672', '414639', '413036', '413033', '412930', '411202', '411163', '411160', '409591']
    2019-10-21 14:39:30,268 INFO [qradar_poll_handler] Found 39 offenses ((last_updated_time>1571657811000 and status = "OPEN") or (id>417603 and status = "OPEN")) that we need to check for escalation
    2019-10-21 14:39:31,110 INFO [qradar_poll] Found 0 closed offenses
    2019-10-21 14:40:01,553 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
    2019-10-21 14:41:01,554 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down

    ------------------------------
    Jasmine
    ------------------------------
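The circuits.log excerpt above shows the diagnostic pattern worth alerting on: the poller keeps finding offenses while every retry is skipped because STOMP is down, so offenses pile up undelivered. The following POSIX shell check, added here as an example and not part of the original post or the IBM app, runs over a constructed sample of those log lines (assumed names: SAMPLE_LOG, stomp_down_count, pending_offenses, stomp_verdict).

```shell
#!/bin/sh
# Constructed sample abbreviated from the thread's circuits.log (not a live log).
SAMPLE_LOG='2019-10-21 14:36:01,552 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
2019-10-21 14:37:01,552 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down
2019-10-21 14:37:21,107 INFO [qradar_poll] Starting poll...
2019-10-21 14:37:25,631 INFO [qradar_poll_handler] Found 39 offenses ((last_updated_time>1571657686000 and status = "OPEN") or (id>417603 and status = "OPEN")) that we need to check for escalation
2019-10-21 14:37:25,902 INFO [qradar_poll] Found 0 closed offenses
2019-10-21 14:38:01,553 INFO [actions_component] Skipping retry of any failed messages because STOMP connection is down'

# Number of "STOMP connection is down" reports in the log read from stdin.
# "|| true" keeps a zero count from looking like a failure under set -e.
stomp_down_count() {
  grep -c 'STOMP connection is down' || true
}

# Sum of offenses the poller reported it still needs to check for escalation.
# The pattern requires "offenses" right after the number, so "Found 0 closed
# offenses" lines are not counted.
pending_offenses() {
  awk '/Found [0-9]+ offenses/ { for (i = 1; i <= NF; i++) if ($i == "Found") s += $(i + 1) }
       END { print s + 0 }'
}

# Verdict for one log (stdin): STOMP down while polls still find offenses
# means offenses are being found but cannot be delivered to Resilient.
stomp_verdict() {
  log=$(cat)
  down=$(printf '%s\n' "$log" | stomp_down_count)
  pending=$(printf '%s\n' "$log" | pending_offenses)
  if [ "$down" -gt 0 ] && [ "$pending" -gt 0 ]; then
    echo "ALERT: STOMP down ($down reports); $pending offenses found but not escalated"
    return 1
  fi
  echo "OK"
}

printf '%s\n' "$SAMPLE_LOG" | stomp_verdict
```

Point the same functions at the real file with `stomp_verdict < circuits.log` from a cron job or monitoring agent to catch the silent stall before analysts notice missing incidents.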


  • 2.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Mon October 21, 2019 01:36 PM
    Hello Jasmine,

    Thanks for contacting us.

    From the log file error, this looks like a connection issue between the QRadar plugin and the Resilient server. There are several things to check:
    1. Is the connection OK? You will need to SSH to the QRadar server and then go into the docker container that runs the Resilient plugin. Once there, try a curl command:
    curl -v https://your_resilient_server:65001
    2. If the above does not work, maybe the port 65001 is blocked for some reason? Try
    curl -v https://your_resilient_server:443
    If this works, the connection should be good; maybe only the 65001 port was blocked somehow. If this does not work either, most likely the physical connection is broken?

    3. Sometimes this can be fixed by restarting our plugin.

    Thanks,

    Yongjian Feng

    ------------------------------
    Yongjian Feng
    ------------------------------
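The three-step check above can be scripted so the curl exit status is read as a statement about the network path rather than the HTTP reply (on the STOMP port a TLS or HTTP-level error still proves the TCP connection was accepted, which is why an untrusted-certificate failure that clears with --insecure counts as reachable). This POSIX shell script is an added example, not code from the original reply or from the IBM plugin; it assumes it is run inside the plugin container and that RESILIENT_HOST is a placeholder for your server name.

```shell
#!/bin/sh
# Run from inside the plugin container (docker exec -it <resilient_container_id> /bin/bash).
# RESILIENT_HOST is a placeholder (assumption), not a real server name.
RESILIENT_HOST="${RESILIENT_HOST:-your_resilient_server}"

# Map a curl exit status to a verdict about the TCP path.
classify_curl_exit() {
  case "$1" in
    0|35|52|56|60) echo reachable ;;   # TCP accepted; TLS/HTTP errors are expected on the STOMP port
    6)             echo dns-failure ;; # name does not resolve from inside the container
    7)             echo refused ;;     # connect failed: port closed or actively rejected
    28)            echo timeout ;;     # no answer within the deadline: typically filtered by a firewall
    *)             echo "unknown($1)" ;;
  esac
}

# Probe one host:port the way the reply suggests (curl against https://host:port),
# with a short deadline so a filtered port does not hang the check.
probe_port() {
  host="$1"; port="$2"; rc=0
  if ! command -v curl >/dev/null 2>&1; then echo no-curl; return; fi
  curl -s -o /dev/null --max-time 5 "https://$host:$port/" 2>/dev/null || rc=$?
  classify_curl_exit "$rc"
}

# Probe the STOMP port (65001) and the web port (443) and explain the combination:
# 443 reachable with 65001 refused or timing out points at a rule that blocks
# only the STOMP port, which is what this thread turned out to be.
check_resilient_path() {
  stomp=$(probe_port "$RESILIENT_HOST" 65001)
  web=$(probe_port "$RESILIENT_HOST" 443)
  echo "65001=$stomp 443=$web"
  case "$stomp:$web" in
    reachable:*) echo "STOMP port reachable from the container; look at the plugin itself (restart, config)" ;;
    *:reachable) echo "only tcp/65001 is blocked from the container; ask for a firewall rule for it" ;;
    *)           echo "no path to the server at all: routing, DNS or a broader firewall problem" ;;
  esac
}

check_resilient_path
```

Run it first on the QRadar console and then inside the container: a different verdict between the two (as Jasmine saw with telnet) isolates the problem to rules that apply only to the container's traffic.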



  • 3.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Wed October 23, 2019 03:05 AM
    Hi Yongjian ,

    Telnet from qradar console is successful. But:

    docker exec -it <resilient_container_id> /bin/bash

    From here, telnet is unsuccessful. The security team has changed some rules, but I don't know how they affect the plugin.

    Best,
    Jasmine




    ------------------------------
    Jasmine
    ------------------------------



  • 4.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Wed October 23, 2019 03:48 AM
    And curl with --insecure is OK.

    ------------------------------
    Jasmine
    ------------------------------



  • 5.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Wed October 23, 2019 04:35 AM
    Hi Yongjian ,

    It happened because of our security team's misconfiguration of firewall rules. They have fixed it.

    Best,
    Jasmine


    ------------------------------
    Jasmine
    ------------------------------



  • 6.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Tue October 22, 2019 08:04 AM
    Jasmine, 

    I recommend opening a support ticket for this issue.

    ------------------------------
    Ben Lurie
    ------------------------------



  • 7.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Mon November 11, 2019 06:36 AM
    It was a bug, as this APAR:
    https://www-01.ibm.com/support/entdocview.wss?uid=swg1IJ20143

    ------------------------------
    Jasmine
    ------------------------------



  • 8.  RE: Resilient App For Qradar Stops Send Offenses : STOMP connection is down

    Posted Mon November 11, 2019 09:39 AM
    Thanks for the information.

    ------------------------------
    Ben Lurie
    ------------------------------