Known Restrictions and Limitations

  • These error messages may appear in qradar.log for an EVP and FAP associated with the SIEM console:

    Error processing configuration for database events

    Feb 9 14:58:50 ::ffff:10.54.117.204 [ariel.ariel_proxy_server] [ariel_query_1:422ac1a2-5bca-4352-b298-d4da497862c5] java.lang.NullPointerException

    Error processing configuration for database flows

    Feb 9 14:58:50 ::ffff:10.54.117.204 [ariel.ariel_proxy_server] [ariel_query_1:422ac1a2-5bca-4352-b298-d4da497862c5] java.lang.NullPointerException

  • After reaching 300K assets, SIEM will not process/update additional assets. The following benign error messages appear in qradar.log:

    [ERROR] [NOT:0000003000][10.54.117.222/- -] [-/- -]UpdateResolutionWorker.run(): Unable to apply update 'AssetProfileUpdate FROM: IDENTITY - Interfaces: [Interface 00:01:03:97:01:1B: [Primary IP: 1.3.151.28 (17012508 ), Secondary IP: <None>]], Usernames: [Username: peap, Group: null, Type: OBSERVED], Properties: [Asset Property [Property Type: EXTENDED, Property Value: Switch: 10.54.25.252 SwitchPortId: ge.1.8]]]' to profile from source IDENTITY/215 ......

    com.q1labs.assetprofile.updateresolution.AssetProfileCeilingException: Unable to create new asset profile because max number of profiles (300000) has been reached.

  • After creating and deploying a user, the message below appears:
    [WARN] Got output '/opt/qradar/init/prepare_io_scheduler: line 33 : echo: write error: Invalid argument' for /sys/block/sda/queue/max_sectors_kb
  • When you are logged in to the SIEM Console, one of the following messages may be displayed:

    “TypeError: Cannot read property 'appendChild' of null” or

    “Type Error: arg.parent is null”.

  • The following warning message may appear in System Notification or qradar.log:

    Raid Controller Misconfiguration - Hardware Monitoring has determined that a virtual drive is misconfigured and local storage performance may be negatively impacted - WriteThrough cache policy detected on Adapter:0 Virtual Drive:0

    The message may indicate either that the battery backup is dead or that the "Write Back" policy should be configured in the hardware RAID BIOS.

  • The support contact information in the top right corner of System Management/Administration still shows the old support email address (support@enterasys.com). The new support email address is support@extremenetworks.com.
  • Generating the Obsolete Environments report triggers the following Java exceptions in qradar.log:

    [report_runner] [main] java.lang.IllegalStateException

    Jan 29 13:54:36 ::ffff:10.54.117.203 [report_runner] [main] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:290)

    Jan 29 13:54:36 ::ffff:10.54.117.203 [report_runner] [main] at com.q1labs.frameworks.session.JPASessionDelegate.checkTX(JPASessionDelegate.java:277)

    Jan 29 13:54:36 ::ffff:10.54.117.203 [report_runner] [main] at com.q1labs.frameworks.session.JPASessionDelegate.connection(JPASessionDelegate.java:154)

    Jan 29 13:54:36 ::ffff:10.54.117.203 [report_runner] [main] at com.q1labs.core.assetprofile.services.search.QuickSearchValidation.validateTsQuery(QuickSearchValidation.java:89)......

  • For syslog events from Enterasys HiPath, you must add the Log Source manually. The received events are displayed with “Stored” status in the Low Level Category of Log Activity.
  • Some error messages may appear in qradar.log when upgrading the installed patch from 7.7.1.2 to SIEM 7.7.2.4 Patch 3:

    For example:

    Jan 28 12:37:21 lu11 []: WARNING: Unexpected error forwarding to login page

    Jan 28 12:37:21 lu11 []: org.apache.jasper.JasperException: Failed to load or instantiate TagExtraInfo class: org.apache.struts.taglib.logic.IterateTei

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:51)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:409)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:281)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.compiler.TagLibraryInfoImpl.createTagInfo(TagLibraryInfoImpl.java:434)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.compiler.TagLibraryInfoImpl.parseTLD(TagLibraryInfoImpl.java:265

    Jan 28 12:37:21 lu11 []: WARNING: Unexpected error forwarding to login page

    Jan 28 12:37:21 lu11 []: org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to load class for JSP

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:161)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:340)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)

    Jan 28 12:37:21 lu11 []: at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)

    Jan 28 12:37:21 lu11 []: at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)

    Jan 28 12:37:21 lu11 []: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

    Jan 28 12:38:23 ::ffff:10.54.150.11 [ariel.ariel_proxy_server] [main] com.q1labs.frameworks.core.JMXHelper: [ERROR] [NOT:0000003000][10.54.150.11/- -] [-/- -]Failed to stop connection server: service:jmx:rmi://10.54.150.11:7782/jndi/rmi://10.54.150.11:7782/jmxrmi

    Jan 28 12:38:23 ::ffff:10.54.150.11 [ariel.ariel_proxy_server] [main] java.lang.IllegalStateException: Request already cancelled

    Jan 28 12:38:23 ::ffff:10.54.150.11 [ariel.ariel_proxy_server] [main] at sun.misc.GC$LatencyRequest.cancel(GC.java:243)

    Jan 28 12:44:02 lu11 []: Jan 28, 2015 12:44:02 PM org.apache.catalina.startup.ClassLoaderFactory validateFile

    Jan 28 12:44:02 lu11 []: WARNING: Problem with directory [/opt/qradar/jars/jaxb2], exists: [false], isDirectory: [false], canRead: [false] ......

  • Some events are displayed as “Stored” status in the Log Activity window. For example:

    A2/A4/B2/: (Same events type) Radius packet<189>DEC 17 16:19:13 20.1.0.4-1 USER_MGR[1]: 3856 %% Radius Session-Timeout period expired for user :admin

    B3: SEC_LOG<190>Dec 17 15:45:50 20.1.2.1-1 SEC_LOG[1] User:escsu:su; Source:console; Action:"show logging default"; Status:OK

    C2: dhcp packet<190>Dec 17 16:38:06 20.1.3.2-1 DHCP_SNP[205221584]: ds_main.c(584) 2109 %%dsPacketIntercept : creating a ds binding for vlan 4093 in interface 59

    I3: SNTP packet<187>Dec 17 17:07:54 192.168.81.33-1 SNTP[151777376]: sntp_client.c(1241) 54128 %% SNTP Socket close -1

  • In log sources from Enterasys or Extreme Networks products, the username field displays “N/A” and the source and destination ports are displayed as “0”.
  • If you are using a Firefox version later than Firefox ESR 24 for the SIEM Console, error messages such as Parse Error and Type Error appear occasionally. These errors are benign. The officially supported version of Firefox for SIEM 7.7.2.4 is FF 24 ESR.