IBM Security QRadar

  • 1.  CRE failed to read rules

    Posted Thu March 16, 2023 09:38 AM

    Hello
    After a rare recent crash our QRadar is no longer showing offenses or, if I try to access rules via the old school OFFENSES>RULES, I get the red triangle application error. A look at the Notifications tells me:
    The last attempt to read in rules (usually due to a rule change) has failed. If I look at the actual event it tells me:
    Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
    I have stopped and started services, re-booted etc, but the problem stays the same.
    Any thoughts?
    Thanks in advance.



    ------------------------------
    jan julicher
    ------------------------------


  • 2.  RE: CRE failed to read rules

    IBM Champion
    Posted Thu March 16, 2023 09:55 AM

    Hi Jan,

    we ran into the same problem a few days ago. Please check your rule changes for the last few days, when this notification popped up for the first time (yesterday?). When you specify complex tests inside your rule and dependencies between rules, you might run into this CRE problem. The only way to get it solved is

    1st disable modified rule or remove rule test change

    2nd close corresponding offenses and verify problem is gone

    3rd reduce complexity, e.g. time condition and dependency on other rules inside your rule test condition

    4th restart CRE and execute full deployment if actions 1-3 don't help



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
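
An added example (not written by the thread's participants and not IBM code) of the check suggested above: find when the CustomRuleReader error first appeared, then list the enabled rules modified in the days before it. Rule records are assumed to be dicts with `name`, `enabled` and `modification_date` in epoch milliseconds; the function names, the rule names and all sample data except the first log line are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the CustomRuleReader notification quoted in the first post.
CRE_ERROR = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*"
                       r"CustomRuleReader: \[ERROR\] \[NOT:\d+\]")

def first_cre_failure(log_lines, year):
    """Timestamp of the earliest CRE rule-read error, or None if there is none."""
    hits = []
    for line in log_lines:
        m = CRE_ERROR.match(line)
        if m:
            # Syslog timestamps carry no year; assumption: the log is in UTC.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append(ts.replace(tzinfo=timezone.utc))
    return min(hits) if hits else None

def suspect_rules(rules, failure_time, lookback_days=3):
    """Names of enabled rules modified in the window before the failure, newest first."""
    start = failure_time - timedelta(days=lookback_days)
    found = []
    for rule in rules:
        # Assumption: modification_date is epoch milliseconds.
        modified = datetime.fromtimestamp(rule["modification_date"] / 1000, tz=timezone.utc)
        if rule["enabled"] and start <= modified <= failure_time:
            found.append((modified, rule["name"]))
    return [name for _, name in sorted(found, reverse=True)]

def _ms(*parts):
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample input: the first log line is the one from the post, the rest is made up.
SAMPLE_LOG = [
    "Mar 15 11:46:50 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: "
    "[ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules.",
    "Mar 15 11:47:02 127.0.0.1  [Thread-12] com.example.Other: [INFO] unrelated line",
    "Mar 16 08:01:10 127.0.0.1  [Thread-50] com.q1labs.semsources.cre.CustomRuleReader: "
    "[ERROR] [NOT:0040023100][192.168.xxx.xxx/- -] [-/- -]Unknown exception occurred while reading CRE rules.",
]
SAMPLE_RULES = [  # hypothetical rule names
    {"name": "Example: old rule", "enabled": True, "modification_date": _ms(2023, 1, 9, 10, 0)},
    {"name": "Example: time-window rule", "enabled": True, "modification_date": _ms(2023, 3, 14, 16, 5)},
    {"name": "Example: disabled rule", "enabled": False, "modification_date": _ms(2023, 3, 15, 9, 0)},
    {"name": "Example: edited after failure", "enabled": True, "modification_date": _ms(2023, 3, 15, 12, 30)},
]

if __name__ == "__main__":
    failed_at = first_cre_failure(SAMPLE_LOG, 2023)
    print(failed_at, suspect_rules(SAMPLE_RULES, failed_at))
```

Rules edited after the first failure and rules that are disabled are excluded, which leaves the changes that could have triggered the error.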



  • 3.  RE: CRE failed to read rules

    Posted Thu March 16, 2023 10:43 AM

    Thanks a mil and will let you know the outcome



    ------------------------------
    jan julicher
    ------------------------------



  • 4.  RE: CRE failed to read rules

    Posted Thu March 16, 2023 03:24 PM

     

     

    I have noticed recently that after I update an app from the App Exchange, "Enable X-Force Threat Intelligence Feed" becomes disabled and I begin receiving the error "CRE failed to read rules".

    You might check Admin tab > Systems Settings > "Enable X-Force Threat Intelligence Feed" and ensure it is enabled.

     






  • 5.  RE: CRE failed to read rules

    Posted Thu March 16, 2023 03:54 PM

    > "Enable X-Force Threat Intelligence Feed" becomes disabled and I begin receiving the error "CRE failed to read rules"
    >
    > You might check Admin tab > Systems Settings > "Enable X-Force Threat Intelligence Feed" and ensure it is enabled.

    This looks like a known issue where a restart of tomcat will perform a check to see if X-Force data can be retrieved.  If that fails then QRadar will automatically change that setting to 'No'. After the next deploy, you will see that error if you have any Rules that use any of the X-Force tests.

    This behaviour has changed in 7.5.0 UP4 and should no longer cause this problem once you have upgraded.

    pfh



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 6.  RE: CRE failed to read rules

    Posted Thu March 16, 2023 02:29 PM
    Edited by Jonathan Pechta Thu March 16, 2023 02:30 PM

    There is a specific APAR logged against the rule "MULTIPLE LOGIN FAILURES FOR SINGLE USERNAME"  as it can cause a null pointer and then you see the behavior you reported. It might also be caused by a missing custom event property, but my guess is that you are hitting the APAR related to the multiple login failure rule.

    My guess is that the CRE is hitting a null pointer exception trying to read this rule change. For more info, see https://www.ibm.com/support/pages/apar/IJ42297.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------