IBM Security QRadar

Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me: 
Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.

Hi Jan,

we ran into the same problem a few days ago. Pls check your rule changes for the last few days when this notification popped up first time (yesterday?). When you specifiy complex tests inide your rule an dependencies between rules you might run into this CRE problem. The only way to get it solved is

1st disable modified rule or remove rule test change

2nd close correspondent offenses and verify problem is gone

3rd reduce complexity , e.g. time condition and dependency from  other rules inside your rule test condition

4th restart CRE and execute full deployment if action 1-3 doesnt help

Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me: 
Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.

Thanks a mil and will let you know the outcome

Hi Jan,

we ran into the same problem a few days ago. Pls check your rule changes for the last few days when this notification popped up first time (yesterday?). When you specifiy complex tests inide your rule an dependencies between rules you might run into this CRE problem. The only way to get it solved is

1st disable modified rule or remove rule test change

2nd close correspondent offenses and verify problem is gone

3rd reduce complexity , e.g. time condition and dependency from  other rules inside your rule test condition

4th restart CRE and execute full deployment if action 1-3 doesnt help

Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me: 
Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.

Thanks a mil and will let you know the outcome

Hi Jan,

we ran into the same problem a few days ago. Pls check your rule changes for the last few days when this notification popped up first time (yesterday?). When you specifiy complex tests inide your rule an dependencies between rules you might run into this CRE problem. The only way to get it solved is

1st disable modified rule or remove rule test change

2nd close correspondent offenses and verify problem is gone

3rd reduce complexity , e.g. time condition and dependency from  other rules inside your rule test condition

4th restart CRE and execute full deployment if action 1-3 doesnt help

Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me: 
Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.

Hello
after a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
The last attempt to read in rules (usually due to a rule change) has failed. If look at the actual event it tells me: 
Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
I have stopped and started services, re-booted etc, but the problem stays the same.
Any thoughts?
Thanks in advance.

------------------------------
jan julicher
------------------------------