Original Message:
Sent: Wed April 05, 2023 11:08 AM
From: Abraham Panicker
Subject: QRadar CE - IBM Security Verify integration issues.
Hello Jonathan,
Redeploying and restarting it did not help.
Here is the error message from the logs.
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [ae8171d3-26ff-45b0-a593-5323d4fbbd09/SequentialEventDispatcher] com.q1labs.semsources.sources.base.testing.ProtocolTestTask: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -][ProtocolTestTask e690063f-3fe5-4dd8-b331-c0b88a30571e] logSourceIdentifier https://apanicker.verify.ibm.com, protocolId 90, params {allEvents=false, identifier=https://apanicker.verify.ibm.com, clientId=939d0499-f5ea-4e34-a9ae-223a0cb1998f, proxyServer=, proxyUsername=, advancedOptions=false, proxyPassword=, ssoEvent=true, advancedEventTypes=, useProxy=false, epsThrottle=100, authorizationEndPoint=https://apanicker.verify.ibm.com, recurrence=1M, maxEvents=5000, proxyPort=8080, apiVersion=1.0, clientSecret=2dvxqQVl1P, managementEvent=true, authenticationEvent=true, advancedEventTypesOption=false}
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] com.q1labs.semsources.sources.base.testing.ProtocolTestTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An unhandled exception was thrown during the execution of task: 157
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] java.lang.NullPointerException
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at com.q1labs.semsources.sources.base.testing.util.ProtocolSourceLoader.loadSource(ProtocolSourceLoader.java:69)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob.init(ProtocolTestJob.java:41)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at com.q1labs.semsources.sources.base.testing.ProtocolTestingManager.addTest(ProtocolTestingManager.java:66)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at com.q1labs.semsources.sources.base.testing.ProtocolTestTask.runTask(ProtocolTestTask.java:85)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Apr 5 15:02:16 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-5] at java.lang.Thread.run(Thread.java:812)
Apr 5 15:02:21 ::ffff:127.0.0.1 [tomcat.tomcat] [admin@73.9.220.115 (1793) /console/restapi/api/config/event_sources/log_source_management/log_source_tests/e690063f-3fe5-4dd8-b331-c0b88a30571e] com.ibm.si.console.taskmanagement.GlobalTaskManager: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sending Task Status update to local task manager
Apr 5 15:02:21 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [ae8171d3-26ff-45b0-a593-5323d4fbbd09/SequentialEventDispatcher] com.ibm.si.frameworks.taskmanagement.LocalTaskManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]The LocalTaskManager does not contain a task for uuid: + 680af8f4-c1dc-474c-a1c7-52cb7c3425bc
------------------------------
Abraham Panicker
IAM Solution Engineer
IBM
IL
6306606970
Original Message:
Sent: Wed April 05, 2023 09:46 AM
From: Jonathan Pechta
Subject: QRadar CE - IBM Security Verify integration issues.
I would start by logging in to the Admin tab, doing a Full Deploy Configuration to ensure all service files are updated. Then click Admin > Advanced > Restart Event Collection Service. Manually installed protocols require a full deploy, plus service restart.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Fri March 31, 2023 09:49 AM
From: Abraham Panicker
Subject: QRadar CE - IBM Security Verify integration issues.
WRT : https://www.ibm.com/docs/en/dsm?topic=identity-configuring-qradar-pull-events-from-security-verify
Hi - I have a new QRadar CE installation 7.3.3. I am trying to configure event collection from IBM Security Verify SaaS. I am doing the integration of the Security Verify product to QRadar CE as per the documentation listed here. I installed the following RPMs as per the documentation.
yum install PROTOCOL-Common-7.3-20220617181743.noarch.rpm
- IBM Security Verify Event Service Protocol RPM
yum install PROTOCOL-IBMCloudIdentityEventService-7.3-20210114140740.noarch.rpm
- IBM Security Verify DSM RPM
yum install DSM-IBMCloudIdentity-7.3-20210118170437.noarch.rpm
However, when creating the log collector, I am not able to TEST the collector after providing the Client ID, client key and the correct Verify tenant URL. There are no empty fields in the configuration.
I see the following error message in the qradar.log and qradar.error files.
Error message /var/log/qradar.log and /var/log/qradar.error
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] java.lang.NullPointerException
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at com.q1labs.semsources.sources.base.testing.util.ProtocolSourceLoader.loadSource(ProtocolSourceLoader.java:69)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at com.q1labs.semsources.sources.base.testing.ProtocolTestJob.init(ProtocolTestJob.java:41)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at com.q1labs.semsources.sources.base.testing.ProtocolTestingManager.addTest(ProtocolTestingManager.java:66)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at com.q1labs.semsources.sources.base.testing.ProtocolTestTask.runTask(ProtocolTestTask.java:85)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Mar 25 16:16:52 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812)
Mar 25 16:17:07 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [c83be296-7857-40ec-afe8-f4696b0b6972/SequentialEventDispatcher] com.ibm.si.frameworks.taskmanagement.LocalTaskManager: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]The LocalTaskManager does not contain a task for uuid: + a5a90400-1c44-424f-97ef-1cd66132d262
Your help will be appreciated in resolving this.
Abraham P
------------------------------
Abraham Panicker
IAM Solution Engineer
IBM
IL
6306606970
------------------------------