IBM QRadar

  • 1.  Universal Cloud REST API - troubleshooting help

    Posted 5 days ago

    I am working on a custom Universal Cloud REST API log source.   I created the workflow.xml and workflow parameter values.xml.  I tested the Log Source from the GUI without error, and I see records returned.  I also tried the /opt/qradar/bin/test-workflow.sh command with no errors and I see JSON records in the output.  The Log Source status is "OK" but it never downloaded any logs.  I did the payload search and confirmed the logs are not in Qradar

    Can anyone help review the Workflow xml if I am missing anything?

    <?xml version="1.0" encoding="UTF-8"?>
    <Workflow name="Sailpoint" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
     
        <Parameters>
            <Parameter name="host" label="Host" required="true" />
            <Parameter name="client_id" label="Client ID" required="true" />
            <Parameter name="client_secret" label="Client Secret" required="true" secret="true" />
        </Parameters>
     
        <Actions>
     
            <!--
            //////////////////////////
            // Request Access Token //
            //////////////////////////
            -->
            <CallEndpoint url="https://${/host}/oauth/token" method="POST" savePath="/get_access_token">
                <UrlEncodedFormRequestBody>
                    <Parameter name="grant_type" value="client_credentials" />
                    <Parameter name="client_id" value="${/client_id}" />
                    <Parameter name="client_secret" value="${/client_secret}" />
                </UrlEncodedFormRequestBody>
            </CallEndpoint>
     
            <!-- Handle Errors -->
            <If condition="/get_access_token/status_code != 200">
                <Abort reason="${/get_access_token/body}" />
            </If>
     
            <!-- Extract the Access Token -->
            <Set path="/access_token" value="${/get_access_token/body/access_token}" />
     
            <!--
            ///////////////////////////////////////
            // Initialize bookmark default value //
            ///////////////////////////////////////
            -->
            <Initialize path="/bookmark" value="2025-01-23T00:00:00Z" />

            <!--
            ////////////////////
            // Request Events //
            ////////////////////
            -->
            <CallEndpoint url="https://${/host}/v3/search" method="POST" savePath="/search">
                <QueryParameter name="limit" value="5000" />
                <RequestHeader name="Content-Type" value="application/json" />
                <RequestHeader name="Accept" value="application/json" />
                <RequestHeader name="Authorization" value="Bearer ${/access_token}" />
                <RequestBody type="application/json" encoding="UTF-8">
                    <![CDATA[
                    {
                        "query": {
                            "query": "created:[${/bookmark} TO now]"
                        },
                        "indices": [
                            "events"
                        ],
                        "includeNested": true,
                        "sort": [
                            "-created"
                        ]
                    }
                    ]]>
                </RequestBody>
            </CallEndpoint>
     
            <!-- Handle Errors -->
            <If condition="/search/status_code != 200">
                <Abort reason="${/search/body/error_description}" />
            </If>
     
            <!-- Post the Events -->
            <PostEvents path="/search/body" source="${/host}" />
     
            <!-- Update the Bookmark -->
            <If condition="/search/body != null">
                <Set path="/bookmark" value="${/search/body[0]/created}" />
            </If>
     
        </Actions>
     
        <Tests>
            <DNSResolutionTest host="${/host}" />
            <TCPConnectionTest host="${/host}" />
            <HTTPConnectionThroughProxyTest url="https://${/host}" />
        </Tests>
    </Workflow>






    ------------------------------
    Raymond Tam
    ------------------------------


  • 2.  RE: Universal Cloud REST API - troubleshooting help
    Best Answer

    Posted 2 days ago

    Hi Raymond,

    The workflow test seems to be working fine, so the workflow itself must be good. Events are displaying correctly, but it appears they aren't being tagged properly to the log source.

    Could you confirm the value set for ${/host} in the workflow parameters? Ensure the same value is used in the log source identifier for consistency.

    Best regards,



    ------------------------------
    Vishal Tangadkar
    IBM INDIA PVT LTD
    ------------------------------
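    A small pre-flight check for the mismatch described in this answer, added here as an example and not code from the thread or from IBM: it resolves the `${/host}` placeholder in every `PostEvents source="..."` attribute against the workflow parameter values and compares the result with the Log Source Identifier. The parameter values file is assumed to use `<Value name="..." value="..."/>` elements, and the embedded workflow and hostname are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the poster's real files): a cut-down
# workflow with the thread's PostEvents line, and a parameter-values file
# in the assumed <Value name="..." value="..."/> layout.
WORKFLOW_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Workflow name="Sailpoint" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
  <Actions>
    <PostEvents path="/search/body" source="${/host}" />
  </Actions>
</Workflow>"""
PARAM_VALUES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V1">
  <Value name="host" value="tenant.api.identitynow.example" />
</WorkflowParameterValues>"""
PLACEHOLDER = re.compile(r"\$\{/([A-Za-z0-9_]+)\}")  # matches ${/host}

def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def load_parameter_values(xml_text):
    """Return {name: value} from the workflow parameter values file."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("value")
            for el in root.iter() if _local(el.tag) == "Value"}

def resolve(template, values):
    """Expand ${/name} references to their parameter values; an unknown
    name is a configuration error, so fail loudly instead of guessing."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(f"no value for workflow parameter {name}")
        return values[name]
    return PLACEHOLDER.sub(sub, template)

def post_events_sources(workflow_xml, values):
    """Resolved 'source' attribute of every PostEvents action."""
    root = ET.fromstring(workflow_xml)
    return [resolve(el.get("source", ""), values)
            for el in root.iter() if _local(el.tag) == "PostEvents"]

def check_identifier(workflow_xml, param_xml, log_source_identifier):
    """(ok, sources): ok is True only when every PostEvents source equals
    the Log Source Identifier, so events are tagged to this log source."""
    sources = post_events_sources(workflow_xml, load_parameter_values(param_xml))
    return all(s == log_source_identifier for s in sources), sources
```

    Run `check_identifier(WORKFLOW_XML, PARAM_VALUES_XML, "<your identifier>")` with the real files' contents; a `False` with a non-empty source list is exactly the tagging mismatch this answer points at.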



  • 3.  RE: Universal Cloud REST API - troubleshooting help

    Posted 2 days ago

    Thanks for the advice.  I changed the Log Source Identifier and logs started to make it to the Log source.  I will let it run and see if it is working as expected.   This is the first time I have worked on the custom Universal Cloud RESTful API.  I want to see if the bookmark I created actually works to pull the log correctly at each poll interval.



    ------------------------------
    Raymond Tam
    ------------------------------



  • 4.  RE: Universal Cloud REST API - troubleshooting help

    Posted 2 days ago

    The workflow looks fine, other than the hardcoded bookmark I don't see anything that raises an eyebrow. Plus, you see events in the tests.

    Any chance you've run the debug classpath on the target EC? com.q1labs.semsources.sources.universalcloudrestapi

    This will help you see where it's getting in the process. It's possible it is posting the events, look for something like com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.PostEventsAction: [DEBUG] Posting 15 events


    If the events are being posted, there might be a FormatException further along. I've seen a lot of dates cause issues. Check for something like this (or just FormatException) in qradar.error on the EC:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-2633018] java.lang.NumberFormatException: For input string: "2024-07-05T20:27:25.702Z"



    ------------------------------
    Joseph Gilbrook
    ------------------------------



  • 5.  RE: Universal Cloud REST API - troubleshooting help

    Posted 2 days ago

    The workflow looks fine as far as I can tell, plus you see the events in the tests alright.

    Any chance you're getting any kind of "java.lang.NumberFormatException" or other FormatException errors on the target EC?
    And, have you given the debug classpath a shot? com.q1labs.semsources.sources.universalcloudrestapi

    Debug classpath will help you see if they're being Posted (look for something like com.q1labs.semsources.sources.universalcloudrestapi.v1.workflow.action.PostEventsAction: [DEBUG] Posting 15 events), which might help pinpoint a problem further along the line (like format exceptions).



    ------------------------------
    Joseph Gilbrook
    ------------------------------



  • 6.  RE: Universal Cloud REST API - troubleshooting help

    Posted 2 days ago

    Thanks! Those are good debug tips.    I looked into the qradar.error and qradar.java.debug logs.  No errors showed up when I filter by the keyword "sources.universalcloudrestapi".

    To check my understanding, are the debug errors logged by default? Do I need to enable the debug in the workflow?



    ------------------------------
    Raymond Tam
    ------------------------------



  • 7.  RE: Universal Cloud REST API - troubleshooting help

    Posted 2 days ago

    Didn't mean to double post - sorry!

    Debug should not be enabled by default for protocols, you will need to run the mod_log4j.pl script to enable it. For URest, it would be:
    /opt/qradar/support/mod_log4j.pl -al com.q1labs.semsources.sources.universalcloudrestapi -w <user>

    Then when you're done, it will either turn itself off in 1 hour or you can turn it off with -r:
    /opt/qradar/support/mod_log4j.pl -r -w <user>



    ------------------------------
    Joseph Gilbrook
    ------------------------------