IBM Security QRadar

  • 1.  CMT / contentManagement.pl - "[ERROR] ID value provided is invalid, expecting a numeric value. Table[qidmap]"?

    Posted 22 days ago

    Hi all,

    while running the CMT on one of my testing environments I'm getting the following output:
     /opt/qradar/bin/contentManagement.pl -a export -c 3 --id all
    [INFO] Initializing Content Management Tool...
    [INFO] (ContentManagementCLI) Start Time: 2024-06-12 12:41:25
    [INFO] Starting export process
    [INFO] Processing Export: content-type 3 id all
    [INFO] Exporting content of type [custom_rule] with id [all]
    [ERROR] ID value provided is invalid, expecting a numeric value. Table[qidmap] ID[]
    [INFO] Export Summary:
    [INFO]  Content Type - [Number of items exported]
    [INFO]          - custom_action_parameter - [11]
    [INFO]          - custom_action_script_metadata - [2]
    [INFO]          - custom_action - [2]
    [INFO]          - ade_custom_rule_view - [1]
    [INFO]          - qidmap - [197]
    [INFO]          - reference_data_rules - [44]
    [INFO]          - sensordevicetype - [78]
    [INFO]          - sensordeviceprotocols - [78]
    [INFO]          - sensordevicecategory - [4]
    [INFO]          - device_ext - [1]
    [INFO]          - ariel_property_leef_expression - [5]
    [INFO]          - ariel_property_aql_expression - [1]
    [INFO]          - ariel_property_expression - [1142]
    [INFO]          - ariel_regex_property - [327]
    [INFO]          - reference_data - [41]
    [INFO]          - offense_type - [18]
    [INFO]          - custom_rule - [626]
    [INFO]          - customviewparams - [1]
    [INFO]          - custom_action_script - [2]
    [INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/...

    Does anyone know what might be causing this, i.e. how to solve it?

    Thanks,

    kind regards,



    ------------------------------
    Vedran Zulin
    ------------------------------


  • 2.  RE: CMT / contentManagement.pl - "[ERROR] ID value provided is invalid, expecting a numeric value. Table[qidmap]"?

    Posted 22 days ago

    Additionally, when looking into the content in the table mentioned in the error, I'm unable to find any non-numerical values.

    Could it be that the error is caused by an empty row in the table or eventually something performance-related?



    ------------------------------
    Vedran Zulin
    ------------------------------



  • 3.  RE: CMT / contentManagement.pl - "[ERROR] ID value provided is invalid, expecting a numeric value. Table[qidmap]"?

    Posted 21 days ago

    Meanwhile, the qradar.error is showing the following (while running the CMT with debug and verbose switches):

    Jun 12 12:47:19 IPv6_COMES_HERE:127.0.0.1 [ContentManager.cmt] [root@localhost (ContentManagementCLI)] com.ibm.si.content_management.ContentCustom: [ERROR] [NOT:0000003000][IP_COMES_HERE/- -] [-/- -]Failed to get linked SYSTEM custom rule for allFor input string: "all"
    Jun 12 12:50:10 IPv6_COMES_HERE:127.0.0.1 [ContentManager.cmt] [root@localhost (ContentManagementCLI)] com.ibm.si.content_management.Content: [ERROR] [NOT:0000003000][IP_COMES_HERE/- -] [-/- -]ID value provided is invalid, expecting a numeric value. Table[qidmap] ID[]

    and the qradar.log the following:

    Jun 13 12:45:44 IPv6_COMES_HERE:127.0.0.1 [ContentManager.cmt] [root@localhost (ContentManagementCLI)] com.ibm.si.content_management.Content: [ERROR] [NOT:0000003000][IP_COMES_HERE/- -] [-/- -]ID value provided is invalid, expecting a numeric value. Table[qidmap] ID[]

    Upstream in the same log, the only thing that seems suspicious to me is the following:

    Jun 13 12:40:03 IPv6_COMES_HERE:127.0.0.1 [ContentManager.cmt] [main] com.q1labs.frameworks.naming.FrameworksNaming: [INFO] [NOT:0000006000][IP_COMES_HERE/- -] [-/- -]com.q1labs.assetprofile.service.ui.struts2.UIByVulnerability.NAME MUST be public, static and not final for naming to help with setting of NAME



    ------------------------------
    Vedran Zulin
    ------------------------------



  • 4.  RE: CMT / contentManagement.pl - "[ERROR] ID value provided is invalid, expecting a numeric value. Table[qidmap]"?

    Posted 21 days ago
    Edited by Vedran Zulin 21 days ago

    Hi all, I think that I've found what might be causing the error...

    [DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2314] Level-1 qidmap [qid=] is_active [true] on_hold [false] outputDir [/opt/qradar/bin/] outFileName [custom_rule-ContentExport-20240613145309]
    [DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2481] Select Query: (select severity,lowlevelcategory,reverseip,qid,uuid,ratethreshold,rateinterval,qdescription,catpipename,ratelongwindow,qname,rateshortwindow,id from qidmap where qid = ? and (qid between 2000000 and 2249999 or qid between 52000000 and 52999999 or qid between 53750000 and 53999999 or qid between 67500000 and 67749999 or qid between 90750000 and 90999999 or qid >= 1002250000))
    [DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2516] key-value in query: qid = 
    [ERROR] [com.ibm.si.content_management.Content] [exportContent] [2530] ID value provided is invalid, expecting a numeric value. Table[qidmap] ID[]

    EDIT: oh, yes...

    psql -U <USER_NAME> -t -c "select severity,lowlevelcategory,reverseip,qid,uuid,ratethreshold,rateinterval,qdescription,catpipename,ratelongwindow,qname,rateshortwindow,id from qidmap where qid = ? and (qid between 2000000 and 2249999 or qid between 52000000 and 52999999 or qid between 53750000 and 53999999 or qid between 67500000 and 67749999 or qid between 90750000 and 90999999 or qid >= 1002250000"
    ERROR:  syntax error at or near "and"
    LINE 1: ...name,rateshortwindow,id from qidmap where qid = ? and (qid b...

    no qid = ?:

    psql -U <USER_NAME> -t -c "select severity,lowlevelcategory,reverseip,qid,uuid,ratethreshold,rateinterval,qdescription,catpipename,ratelongwindow,qname,rateshortwindow,id from qidmap where qid between 2000000 and 2249999 or qid between 52000000 and 52999999 or qid between 53750000 and 53999999 or qid between 67500000 and 67749999 or qid between 90750000 and 90999999 or qid >= 1002250000"

    Actually fetches the data...

    All in all, looking forward to a (quick) fix! :)

    Have a nice afternoon,

    kind regards,
    ------------------------------
    Vedran Zulin
    ------------------------------
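
A triage script for the CMT debug output quoted in post 4, added here as an example (not part of the original thread and not IBM tooling): it pairs each `Select Query` line with the `key-value in query` line that follows and reports binds whose value is empty or non-numeric, marking those that the next `[ERROR]` line confirms. The sample lines are abridged from the post with one constructed healthy bind for contrast; the function and field names are hypothetical.

```python
import re

# Abridged from the debug lines in the post; the first query/bind pair is constructed.
SAMPLE = """\
[DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2481] Select Query: (select qid,id from qidmap where qid = ? and (qid between 2000000 and 2249999))
[DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2516] key-value in query: qid = 2000001
[DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2481] Select Query: (select qid,id from qidmap where qid = ? and (qid between 2000000 and 2249999))
[DEBUG] [com.ibm.si.content_management.Content] [exportContent] [2516] key-value in query: qid =
[ERROR] [com.ibm.si.content_management.Content] [exportContent] [2530] ID value provided is invalid, expecting a numeric value. Table[qidmap] ID[]
"""

# [LEVEL] [class] [method] [source line] message
LINE = re.compile(r"^\[(?P<level>[A-Z]+)\] \[[^\]]+\] \[[^\]]+\] \[(?P<lineno>\d+)\] (?P<msg>.*)$")
QUERY = re.compile(r"^Select Query: .*\bfrom (?P<table>\w+) where (?P<key>\w+) = \?")
BIND = re.compile(r"^key-value in query: (?P<key>\w+) =\s*(?P<value>.*)$")
ERR = re.compile(r"Table\[(?P<table>\w+)\] ID\[(?P<id>[^\]]*)\]")


def find_bad_binds(text):
    """Return one finding per bind value that is empty or not purely numeric."""
    findings, table = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if q := QUERY.match(msg):
            table = q["table"]          # table the next bind belongs to
        elif b := BIND.match(msg):
            value = b["value"].strip()
            if not value.isdigit():     # "" and non-numeric strings both fail
                findings.append({"table": table, "key": b["key"], "value": value,
                                 "source_line": int(m["lineno"]), "rejected": False})
        elif m["level"] == "ERROR" and (e := ERR.search(msg)) and findings:
            last = findings[-1]
            if last["table"] == e["table"] and last["value"] == e["id"]:
                last["rejected"] = True  # the tool reported this exact bind
    return findings


if __name__ == "__main__":
    for f in find_bad_binds(SAMPLE):
        print(f)
```

Run it against the full debug output of an export to see whether the empty bind is a single occurrence or repeats for several records.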