IBM Security QRadar


QRadar in Azure collecting Events through Azure Event Hub - FAILED

  • 1.  QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Fri March 12, 2021 08:17 AM
    Hi community,

    I went through this forum and checked older posts related to the QRadar-Azure integration and could not find an answer.

    My Setup:

    QRadar in Azure in Tenant #1
    Sign-In and Audit Logs from Tenant #1 are sent to an Event Hub in the same tenant.

    My Problem:
    Mar 12 12:50:40 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-6976] java.lang.NoSuchMethodError: com/q1labs/semsources/sources/utils/GatewayLogSourcePatternParser.setupSourceNameModifier(Ljava/util/List;)Ljava/util/List; (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_common.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b) called from class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_microsoftazureeventhubs.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b).


    Mar 12 12:17:51 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-4546] com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsSource: [ERROR] [NOT:0070003100][IP- -] [-/- -]There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider7'.


    There are some similar threads here without solution:

    https://www.ibm.com/mysupport/s/question/0D50z00006PFbmfCAD/errors-connecting-to-azure-event-hub?language=de

    https://www.ibm.com/mysupport/s/question/0D50z00006PEGdKCAX/errors-connecting-to-azure-event-hub-protocol-error?language=de


    What I've done so far?

    - I've followed this guideline https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_Microsoft_Azure_Event_Hubs_protocol.html

    and repeated this step many times. (Created the log source manually and also looked for auto discovered log sources.) I also asked another colleague to do the same. We both had the same problem.

    - https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ms_azure_troubleshooting.html

    We also tried to do some troubleshooting, but couldn't find any solution.
    Telnet to Storage Account and Event Hub Namespace work. Ports are open.

    We also created Event Hubs Namespaces and Eventhubs and allowed mostly everything to be sure it was not any permission problem.
    The same with Storage Account.


    Have we slipped up somewhere?

    Thank you!

    Greetings,

    Bruno



    ------------------------------
    BrunoMarX
    ------------------------------


  • 2.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Mon March 15, 2021 09:52 AM
    Hi - We had a recent issue with the eventhub integration too, but all I needed to do was disable and re-enable and it was back up. I think we had some similar issues. One trick with log sources is you need to wait at least one min between changes, i.e. enable or disable.





  • 3.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Tue March 16, 2021 03:00 AM
    Hello Bruno,

    we have the same Issue since the last Auto Update "DSM-MicrosoftAzurePlatform-7.4-20210205160601.noarch.rpm"
    Installed on "Mar 7, 2021, 2:15:37 AM".

    If anyone has a solution, please let us know.


    ------------------------------
    Steven Beck
    ------------------------------



  • 4.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Thu May 20, 2021 10:50 AM
    Hi Steven,

    To resolve this issue, you should try to deploy the full configuration; after that, maybe this issue will be resolved.

    ------------------------------
    Daniyal Abdul Razzak
    ------------------------------



  • 5.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Tue March 16, 2021 10:24 AM
    Hi Bruno,

    Judging from that error, there's nothing wrong with your Azure setup. That's a classloading problem, which means one of the needed jar files is either missing completely or is out of date and missing an expected method. Basically there's missing code. You can ignore the second error, I know it says there was a configuration problem but that's just a catch-all for any exception being thrown, it's almost certainly a side effect of the first error.

    You may be able to fix this by doing a full deploy from the Admin tab but if that doesn't solve it you should put in a support case.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 6.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Tue March 30, 2021 09:09 PM
    Thank you @COLIN HAY and others.

    The integration just doesn't work.
    I've tried many times to set it up (new Log Source, Full Deploy, Enable, Disable...) --> Same problem.
    Followed every step and am sure I made no mistakes. Using connection strings should make things easier and I am sure that I made no mistakes copying and pasting them.

    I tried it with QRadar in Azure (7.4.2) and two other QRadar systems on-prem (7.4.1 and 7.4.2).
    Different Azure Protocol RPMs. PROTOCOL-MicrosoftAzureEventHubs-7.4-20200701234158.noarch and PROTOCOL-MicrosoftAzureEventHubs-7.4-20191218165336.noarch
    Same problem.

    Had another QRadar colleague do the same independently --> Same problem.

    Rebuilt my Azure environment 2 or 3 times and had two Azure colleagues assure the configuration was fine. --> Same problem.

    I opened a ticket at IBM Support and after several messages, they told me to talk to Azure and don't know what is going on.
    Azure told me that as long as I can access the resources through the right ports and use the correct connection strings, it should be fine.

    If I google the messages I get, I find other people facing the same problem but without any solution.

    I don't know what to do next.

    ------------------------------
    BrunoMarX
    ------------------------------



  • 7.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Wed March 31, 2021 11:27 AM
    Quick update:
    It worked with one on-prem system. With others, same problem. Used the same connection strings and verified networking to be sure traffic is not being blocked.
    The only difference is the QRadar version running on those systems. IBM support is informed.

    ------------------------------
    BrunoMarX
    ------------------------------



  • 8.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Wed March 31, 2021 12:08 PM
    I think I mentioned it before but we are on 7.4.2 and previously 7.4.1 and do all Azure log collection via event hub and it seems to be solid except for one time where I had to disable re-enable.  Presumably all DSMs and Protocols updated?

    Thanks,

    Ian





  • 9.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Wed March 31, 2021 02:33 PM
    Hi Bruno,

    Are you still seeing this error:

    Mar 12 12:50:40 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-6976] java.lang.NoSuchMethodError: com/q1labs/semsources/sources/utils/GatewayLogSourcePatternParser.setupSourceNameModifier(Ljava/util/List;)Ljava/util/List; (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_common.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b) called from class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_microsoftazureeventhubs.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b).

    As I previously noted, this error means that code is outright missing on the QRadar side. There is no way this can possibly be resolved by configuration changes, either QRadar side (in the log source config) or Azure side - the code simply isn't present. So if you are indeed still hitting this error, I'd suggest reopening your support case or creating a new one. The support rep should recognize that this error is indicative of a QRadar-side problem but if they again tell you that it's an Azure issue, you can mention my name and ask the support person to contact me so I can assist them. I'm the Chief Software Architect for QRadar so if the rep does not know me, their team lead will. Either way I should be able to sort them out.

    Cheers
    Colin


    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
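
The error line quoted above already names the method that is missing and the two jar files involved. The following added example (not part of the original posts and not IBM tooling) parses it and decodes the JVM method descriptor; the function names and the regular expression are assumptions written for this thread's message format.

```python
import re
from collections import Counter

# Constructed sample: the NoSuchMethodError line quoted in this thread, joined
# from pieces for readability (the source IP is already redacted to "IP" there).
LIB = "file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/"
LOADER = "com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b"
SAMPLE = (
    "Mar 12 12:50:40 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-6976] "
    "java.lang.NoSuchMethodError: com/q1labs/semsources/sources/utils/"
    "GatewayLogSourcePatternParser.setupSourceNameModifier(Ljava/util/List;)Ljava/util/List; "
    "(loaded from " + LIB + "q1labs_semsources_protocol_common.jar by " + LOADER + ") "
    "called from class com.q1labs.semsources.sources.microsoftazureeventhubs."
    "MicrosoftAzureEventHubsProvider "
    "(loaded from " + LIB + "q1labs_semsources_protocol_microsoftazureeventhubs.jar by "
    + LOADER + ")."
)

# Assumed message layout: owner.method(descriptor) (loaded from <jar> by <loader>)
# called from class <caller> (loaded from <jar> by <loader>)
NSME = re.compile(
    r"java\.lang\.NoSuchMethodError: (?P<owner>[\w/$]+)\.(?P<method>[\w$<>]+)"
    r"(?P<desc>\([^)]*\)\S+) "
    r"\(loaded from file:(?P<pjar>\S+) by (?P<ploader>[^)\s]+)\) "
    r"called from class (?P<caller>[\w.$]+) "
    r"\(loaded from file:(?P<cjar>\S+) by (?P<cloader>[^)\s]+)\)"
)

PRIMITIVES = {"B": "byte", "C": "char", "D": "double", "F": "float", "I": "int",
              "J": "long", "S": "short", "Z": "boolean", "V": "void"}


def read_type(desc, i):
    """Read one JVM field type starting at desc[i]; return (java_name, next_index)."""
    dims = 0
    while desc[i] == "[":            # each '[' adds one array dimension
        dims += 1
        i += 1
    if desc[i] == "L":               # object type: Lpkg/Class;
        end = desc.index(";", i)
        name = desc[i + 1:end].replace("/", ".")
        i = end + 1
    else:                            # single-letter primitive
        name = PRIMITIVES[desc[i]]
        i += 1
    return name + "[]" * dims, i


def decode_descriptor(desc):
    """Turn '(Ljava/util/List;)Ljava/util/List;' into (['java.util.List'], 'java.util.List')."""
    try:
        if desc[0] != "(":
            raise ValueError("descriptor must start with '('")
        i, params = 1, []
        while desc[i] != ")":
            t, i = read_type(desc, i)
            params.append(t)
        ret, i = read_type(desc, i + 1)
        if i != len(desc):
            raise ValueError("trailing characters")
    except (IndexError, KeyError, ValueError) as exc:
        raise ValueError(f"malformed descriptor {desc!r}: {exc}") from None
    return params, ret


def parse_nsme(line):
    """Return the parts of a NoSuchMethodError line, or None if the line is something else."""
    m = NSME.search(line)
    if not m:
        return None
    params, ret = decode_descriptor(m["desc"])
    owner = m["owner"].replace("/", ".")
    return {
        "signature": f"{ret} {owner}.{m['method']}({', '.join(params)})",
        "provider_jar": m["pjar"].rsplit("/", 1)[-1],   # jar whose class lacks the method
        "caller": m["caller"],
        "caller_jar": m["cjar"].rsplit("/", 1)[-1],     # jar that expects the method
        # Same loader instance on both sides: the mismatch is between the two jar
        # files themselves rather than two copies of a class in different loaders.
        "same_loader": m["ploader"] == m["cloader"],
    }


def triage(lines):
    """Count distinct (provider jar, caller jar, missing signature) triples in a log."""
    hits = Counter()
    for line in lines:
        r = parse_nsme(line)
        if r:
            hits[(r["provider_jar"], r["caller_jar"], r["signature"])] += 1
    return hits


if __name__ == "__main__":
    for (provider, caller, sig), n in triage([SAMPLE]).items():
        print(f"{n}x {caller} expects [{sig}] which {provider} does not provide")
```

For the line in this thread it reports that `q1labs_semsources_protocol_microsoftazureeventhubs.jar` calls a `setupSourceNameModifier(java.util.List)` method that `q1labs_semsources_protocol_common.jar` does not contain.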



  • 10.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Wed March 31, 2021 05:17 PM
    Hi @COLIN HAY and others,

    thank you!

    Well... As I stated above, it worked in my on-prem environment. I then tried to reproduce the same configuration on my QRadar in the Azure Cloud. Same error. I then decided to create the virtual machine from scratch again and use the same credentials as before. It worked!
    The VM is one QRadar from Azure Marketplace that I deployed and then patched up to version 7.4.2 FP2. I deployed the VM only for this purpose because I am migrating an on-prem system to a cloud system and wanted to test it before migrating. Therefore, there was no previous configuration since it was a fresh new QRadar system.

    But as I wrote yesterday, on my on-prem system it still didn't work at first. The reason was something weird. Don't know whether it is a causal relation or correlation, but here https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ms_azure_troubleshooting.html

    there is this item:

    • Ensure that the port 443 is open to the storage account host. The storage account host is usually <Storage_Account_Name>.<something>, where <something> usually refers to the endpoint suffix.

    also here Microsoft shows that port 443 should be open:

    https://docs.microsoft.com/en-us/azure/event-hubs/troubleshooting-guide

    I then tried to see whether network was fine

    If you can also run the commands below and upload the output:

    I could get the certificate and also use telnet to see whether the port was open. But then I was checking on the networking options inside my Azure Storage account and saw that my qradar system in fact was not allowed to access the StorageAccount. I then added the QRadar IP to the list of allowed addresses and it worked, but it doesn't make sense because otherwise I would not have been able to use openssl to connect to the storage account through 443.

    to sum up, I think that
    - These networking settings prevented me from connecting my on-prem system to EventHub
    - Some kind of error during the deployment of QRadar in Azure occurred that led to that class error. This is gone since I installed QRadar once more following the same steps as before, but this time no error showed up.

    Thank you!

    Regards,
    Bruno








    ------------------------------
    BrunoMarX
    ------------------------------



  • 11.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Tue July 20, 2021 11:33 PM
    Hi Bruno,

    I faced the same issue, but when I did deploy full configuration, the issue was resolved. Please check in your environment whether it solves the issue or not.

    Regards,
    Sujana Y

    ------------------------------
    Sujana Y
    ------------------------------




  • 13.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Fri January 07, 2022 09:09 AM

    Hi

    we have a similar problem.
    Checking the provided Storage Account's permissions failed with. 
    - Successfully parsed the Storage Account Connection String
    - Successfully created a reference to the Storage Account Container : aadeventhub-test
    - Checking if the container exist and creating it if it doesn't exist.
    - Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
    - Error: Unable to connect to the Storage Account [XXX]. Ensure that the Storage Account Connection String is valid and that QRadar can connect to [XXX.blob.core.windows.net]
    - Error: The error didn't provide an error message that could be posted.


    The checks above are passed. So 
    Attempting to parse the Event Hub Connection String. - Passed

    Attempting to parse the Storage Account Connection String. - Passed

    Testing DNS resolution of [XXX.servicebus.windows.net] - Passed
    - Successfully resolved [XXX.servicebus.windows.net] to IP [51.107.58.132]

    Testing TCP connection to [XXX.servicebus.windows.net:5671] - Passed
    - Attempting TCP connection to [XXX.servicebus.windows.net:5671] with a timeout of 10000 ms
    - Successful TCP connection to [XXX.servicebus.windows.net:5671]

    Testing TCP connection to [XXX.servicebus.windows.net:5672] - Passed
    - Attempting TCP connection to [XXX.servicebus.windows.net:5672] with a timeout of 10000 ms
    - Successful TCP connection to [XXX.servicebus.windows.net:5672]

    Testing DNS resolution of [XXX.blob.core.windows.net] - Passed
    - Successfully resolved [XXX.blob.core.windows.net] to IP [52.239.251.68]

    Testing TCP connection to [XXX.blob.core.windows.net:443] - Passed
    - Attempting TCP connection to [XXX.blob.core.windows.net:443] with a timeout of 10000 ms
    - Successful TCP connection to [XXX.blob.core.windows.net:443]

    Does anyone know how to solve the problem?

    Thanks for your help.

    Cheers

    Peter



    ------------------------------
    Peter Fischer
    ------------------------------



  • 14.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Mon January 10, 2022 09:45 AM
    Edited by Chris Collins Mon January 10, 2022 09:50 AM
    Hi Peter,

    Regarding:

    Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
    There may be more errors either in the debug logs of the test, if you hit the gear icon in the top right of the Log Source Management app and toggle the debug option on you'll see additional logging.

    If nothing shows up once the debug logs are on, check /var/log/qradar.error on the appliance doing the collection and additional info may be there. Originally in this topic a ClassNotFoundException was being hit by another user which should get resolved by a full deploy or a manual restart of ecs-ec-ingress on the affected appliance, but your case could be something completely different.

    Have a look and see if you can get any additional info and let us know, thanks!

    ------------------------------
    Chris Collins
    Software Architect / Technical Lead
    QRadar Integration Team
    ------------------------------



  • 15.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    Posted Mon January 10, 2022 04:21 PM

    Hi Chris

    Thanks for your message.

    It looks like that's a certificate error.
    But "Automatically Acquire Server Certificate(s)" is enabled.

    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.frameworks.crypto.trustmanager.CertificateValidator: [ERROR] [NOT:0000003000][1.2.3.4/- -] [-/- -]checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:30)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:150)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.consume(z$c.java:57)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.p.consume(p.java:22)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:233)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:241)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:211)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.a0.a(a0.java:17)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.b(bj.java:419)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.f(bj.java:64)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.a(bj.java:1)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.startHandshake(bj.java:33)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:80)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:84)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:74)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:115)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:744)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:354)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:301)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.microsoftazureeventhubs.test.protocoltesting.MicrosoftAzureEventHubsStorageAccountAccess.run(MicrosoftAzureEventHubsStorageAccountAccess.java:43)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTest(ProtocolTesterExtended.java:212)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTests(ProtocolTesterExtended.java:228)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.start(ProtocolTesterExtended.java:73)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.runTests(ProtocolTestJob.java:215)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.run(ProtocolTestJob.java:194)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager: [ERROR] [NOT:0000003000][1.2.3.4/- -] [-/- -]checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:30)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:150)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.consume(z$c.java:57)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.p.consume(p.java:22)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:233)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:241)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:211)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.a0.a(a0.java:17)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.b(bj.java:419)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.f(bj.java:64)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.a(bj.java:1)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.startHandshake(bj.java:33)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:80)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:84)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:74)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:115)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:744)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:354)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:301)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.microsoftazureeventhubs.test.protocoltesting.MicrosoftAzureEventHubsStorageAccountAccess.run(MicrosoftAzureEventHubsStorageAccountAccess.java:43)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTest(ProtocolTesterExtended.java:212)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTests(ProtocolTesterExtended.java:228)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.start(ProtocolTesterExtended.java:73)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.runTests(ProtocolTestJob.java:215)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.run(ProtocolTestJob.java:194)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.semsources.sources.microsoftazureeventhubs.test.protocoltesting.MicrosoftAzureEventHubsConnectionTest: [ERROR] [NOT:0000003000][1.2.3.4/- -] [-/- -]Unable to connect to the Storage Account [StorageAccountXXX]. Ensure that the Storage Account Connection String is valid and that QRadar can connect to [XXX.blob.core.windows.net]
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.microsoft.azure.storage.StorageException:
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.StorageException.translateException(StorageException.java:87)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:209)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.exists(CloudBlobContainer.java:744)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:354)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.blob.CloudBlobContainer.createIfNotExists(CloudBlobContainer.java:301)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.microsoftazureeventhubs.test.protocoltesting.MicrosoftAzureEventHubsStorageAccountAccess.run(MicrosoftAzureEventHubsStorageAccountAccess.java:43)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTest(ProtocolTesterExtended.java:212)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.runTests(ProtocolTesterExtended.java:228)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.ProtocolTesterExtended.start(ProtocolTesterExtended.java:73)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.runTests(ProtocolTestJob.java:215)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.run(ProtocolTestJob.java:194)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] Caused by: javax.net.ssl.SSLHandshakeException: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.g.a(g.java:33)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:153)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:179)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:21)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:82)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:150)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.consume(z$c.java:57)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.p.consume(p.java:22)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:233)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.aa.a(aa.java:241)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bb.a(bb.java:211)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.a0.a(a0.java:17)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.b(bj.java:419)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.f(bj.java:64)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.a(bj.java:1)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.bj.startHandshake(bj.java:33)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:80)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:84)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1582)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1510)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:74)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:115)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] ... 9 more
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] Caused by: com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.checkCertificatePinning(CertificateValidator.java:547)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.CertificateValidator.validate(CertificateValidator.java:110)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkCertificatesTrusted(Q1X509TrustManager.java:411)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.frameworks.crypto.trustmanager.Q1X509TrustManager.checkServerTrusted(Q1X509TrustManager.java:307)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.ibm.jsse2.z$c.a(z$c.java:30)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] ... 27 more
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] com.q1labs.semsources.sources.testing.base.EventSampleRetrieverExtended: [ERROR] [NOT:0000003000][1.2.3.4/- -] [-/- -]null
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] java.lang.NullPointerException
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.microsoftazureeventhubs.test.eventretriever.MicrosoftAzureEventHubsEventSampleRetriever.stopSampleEvents(MicrosoftAzureEventHubsEventSampleRetriever.java:89)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.testing.base.EventSampleRetrieverExtended.stop(EventSampleRetrieverExtended.java:124)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.getEvents(ProtocolTestJob.java:252)
    Jan 10 16:32:36 ::ffff:1.2.3.4 [ecs-ec-ingress.ecs-ec-ingress] [ProtocolTestingThread-4d089ca5-efef-4a4e-ae46-355dda0a3f17] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob$TestThread.run(ProtocolTestJob.java:198)

    Thanks for your help.

    Cheers

    Peter



    ------------------------------
    Peter Fischer
    ------------------------------



  • 16.  RE: QRadar in Azure collecting Events through Azure Event Hub - FAILED

    IBM Champion
    Posted Wed January 12, 2022 12:03 PM
    Hi Chris,
    Unfortunately a full deploy does not fix the problem. We deleted old certificates and downloaded new ones which can't be pinned.
    The log message says:

    Jan 12 16:56:08 127.0.0.1 ProtocolTestingThread-5b330a95-7043-444e-afca-a51f56cebe44 | [Q1X509TrustManager] [Validation] [ValidationFailed] (ecs-ec-ingress) Server Certificate Validation failed. chain:[0]X509Certificate : { SubjectDN : CN=*.blob.core.windows.net, IssuerDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US},[1]X509Certificate : { SubjectDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US, IssuerDN : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE}, exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.

    This can be tested from the CLI using openssl:
    [root@vQRadar ~]# openssl s_client -connect pro4bizz.blob.core.windows.net:443
    CONNECTED(00000003)
    depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    verify return:1
    depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
    verify return:1
    depth=0 CN = *.blob.core.windows.net
    verify return:1
    ---
    Certificate chain
    0 s:/CN=*.blob.core.windows.net
    i:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
    1 s:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIOMTCCDBmgAwIBAgITfwAfHLqLou0OZkwxIwAAAB8cujANBgkqhkiG9w0BAQsF
    ...
    EctpJllHLQZGV2DRG7F+KSyTc9XfGDc2b6HmjzrU8Lo+Nl4Xw5vuGCeZkVSC7/de
    mct1qk2DkhcyYAZclMfBiGuIEwhhYdTHYlm5gusVI2esFbo0pw==
    -----END CERTIFICATE-----
    subject=/CN=*.blob.core.windows.net
    issuer=/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 5530 bytes and written 447 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 36030000E2712BB2B318E17D2A7D59A378F545A88BAC9E457342987728BD11CC
    Session-ID-ctx:
    Master-Key: BEC11C18E23FFFA3FFF122949CBF3D7A4EC3D993B4A28151C91970A1230A6988 1800863F3980021CB8AD02BC37895939
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1642001304
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    read:errno=104
    [root@vQRadar ~]#

    This is QRadar specific. Works on other hosts. Pls advise
    Thx
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
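
For triage of the Q1X509TrustManager message quoted in the post above, the following is an added example (not part of the thread and not IBM code) that extracts the certificate chain and failure reason from such log lines, so repeated failures can be grouped by the chain involved. The function names and dictionary keys are assumptions made for this sketch; the first sample line is copied from the post, the second is constructed.

```python
import re
from collections import Counter

# First entry: log line copied from the post above (Q1X509TrustManager failure).
SAMPLE_LOG = [
    "Jan 12 16:56:08 127.0.0.1 ProtocolTestingThread-5b330a95-7043-444e-afca-a51f56cebe44 | "
    "[Q1X509TrustManager] [Validation] [ValidationFailed] (ecs-ec-ingress) Server Certificate "
    "Validation failed. chain:[0]X509Certificate : { SubjectDN : CN=*.blob.core.windows.net, "
    "IssuerDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US},[1]X509Certificate : "
    "{ SubjectDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US, IssuerDN : "
    "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE}, "
    "exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: "
    "checkCertificatePinning failed.",
    # Constructed line: unrelated message that must be ignored.
    "Jan 12 16:56:09 127.0.0.1 Thread-12 | [SomeOtherLogger] nothing to see here",
]

CERT_RE = re.compile(r"\[(\d+)\]X509Certificate : \{ SubjectDN : (.*?), IssuerDN : (.*?)\}")
EXC_RE = re.compile(r"exception:([\w.$]+): (.*)$")

def parse_validation_failure(line):
    """Return a dict describing one failed chain, or None for other lines."""
    if "[ValidationFailed]" not in line:
        return None
    certs = [{"depth": int(d), "subject": s.strip(), "issuer": i.strip()}
             for d, s, i in CERT_RE.findall(line)]
    if not certs:
        return None
    certs.sort(key=lambda c: c["depth"])
    exc = EXC_RE.search(line)
    # Each certificate should be issued by the next one in the logged chain.
    linked = all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))
    return {
        "leaf": certs[0]["subject"],
        "sent_cas": [c["subject"] for c in certs[1:]],
        # Issuer of the last logged certificate (the CA above the logged chain).
        "top_issuer": certs[-1]["issuer"],
        "linked": linked,
        "reason": exc.group(2).strip() if exc else "unknown",
    }

def summarize(lines):
    """Count failures per (leaf, top issuer, reason) to see which chain is affected."""
    hits = filter(None, map(parse_validation_failure, lines))
    return Counter((h["leaf"], h["top_issuer"], h["reason"]) for h in hits)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key, sep=" | ")
```

The leaf, intermediate and top issuer it reports for the sample line match the chain shown in the openssl s_client output in the same post.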