Unable to find an active BlueCoat WSS Rest API query thread


Article ID: 258666


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The IBM Security QRadar SIEM is throwing an exception: Waiting for files to process - Unable to find an active BlueCoat WSS Rest API query thread.

Environment

Cloud SWG Rest API

IBM Security QRadar SIEM

Cause

Corrupted zip files generated by the Cloud Secure Web Gateway (SWG) API can result in events from any affected Log Sources not being ingested, and therefore not parsed, by QRadar.

Resolution

A corrupted zip can occur due to an internal problem with the Cloud SWG Rest API; however, the client (QRadar) needs to have the ability to recover from such events.

If the client cannot recover from these types of events automatically, the data feed needs to be restarted manually.

To restart the data feed, collect the logs from /var/log/qradar.log and open a case with IBM Security support.

Reference: IJ25140: BlueCoat Web Security Service logs can fail to be ingested and parsed by QRadar due to corrupted zip files.
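As an illustration of the client-side recovery described above, the following added example (not QRadar or Cloud SWG code) shows how a log-pulling client can integrity-check each downloaded zip and quarantine a damaged one instead of stalling the whole feed. The batch names and sample log content are constructed, and the archives are built in memory so the script runs offline.

```python
import io
import zipfile
import zlib


def check_archive(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one downloaded archive held in memory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and verifies its CRC-32.
            bad_member = zf.testzip()
            if bad_member is not None:
                return False, f"CRC mismatch in member {bad_member}"
            return True, "ok"
    except zipfile.BadZipFile as exc:
        # Truncated download or missing central directory.
        return False, f"not a readable zip: {exc}"
    except (zlib.error, EOFError) as exc:
        return False, f"damaged compressed stream: {exc}"


def triage(batches: dict[str, bytes]) -> tuple[list[str], dict[str, str]]:
    """Split batches into ingestable names and quarantined name -> reason."""
    good, quarantined = [], {}
    for name, data in batches.items():
        ok, reason = check_archive(data)
        if ok:
            good.append(name)
        else:
            quarantined[name] = reason  # keep for the support case, keep polling
    return good, quarantined


def constructed_batches() -> dict[str, bytes]:
    """Constructed sample input: one valid, one truncated, one bit-flipped zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("access.log", "constructed sample line 1\nconstructed sample line 2\n")
    valid = buf.getvalue()
    truncated = valid[: len(valid) // 2]
    flipped = bytearray(valid)
    flipped[30 + len("access.log") + 5] ^= 0xFF  # corrupt one stored payload byte
    return {"batch-001.zip": valid, "batch-002.zip": truncated,
            "batch-003.zip": bytes(flipped)}


if __name__ == "__main__":
    ok_names, bad = triage(constructed_batches())
    print("ingest:", ok_names)
    for name, reason in bad.items():
        print("quarantine:", name, "-", reason)
```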
