Troubleshooting
Problem
The application is installed and is displayed on the QRadar® dashboard, but the application does not appear to be working.
Symptom
- 404 page not found error is displayed
- Tables in application fail to load
- Application might not display data
Diagnosing The Problem
On the appliance where applications are set to run, look in /var/log/qradar-iptables.log for messages similar to:
[docker_si] ERROR: iptables --wait -t nat -C DOCKER -p tcp -d 0/0 --dport 32769 -j DNAT --to-destination 169.254.3.3:5000 ! -i dockerApps. RC=1
[docker_si] ERROR: iptables --wait -t filter -C DOCKER ! -i dockerApps -o dockerApps -p tcp -d 169.254.3.3 --dport 5000 -j ACCEPT. RC=1
[docker_si] ERROR: iptables --wait -t nat -C POSTROUTING -p tcp -s 169.254.3.3 -d 169.254.3.3 --dport 5000 -j MASQUERADE. RC=1
[docker_si] ERROR: iptables --wait -t nat -C OUTPUT -d 127.0.0.11 -j DOCKER_OUTPUT. RC=2
Note: Applications can run on either the Console or App Host.
Resolving The Problem
Applications depend on iptables loading correctly. If the iptables rules are not loaded, communication to the application might be affected. To verify that iptables is loaded correctly:
1. Use SSH to log in to the Console.
2. If the applications are running on an App Host, SSH from the Console to the App Host.
3. Type the command:
   iptables --list
4. If iptables is loaded into the kernel, look for messages from Chain DOCKER similar to:
   Chain DOCKER (2 references)
   target prot opt source destination
   ACCEPT tcp -- anywhere 169.254.3.2 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.8 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.5 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.6 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.7 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.3 tcp dpt:commplex-main
   ACCEPT tcp -- anywhere 169.254.3.10 tcp dpt:commplex-main
5. If there are no destination IP addresses listed from step #4 on the appliance where applications are set to run, type the commands:
   systemctl restart iptables
   systemctl restart ip6tables
6. Repeat steps #3 and #4.
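The two checks in this procedure can be scripted. The following is an added example, not IBM tooling: the function names are hypothetical, the sample data is constructed from the output shown in this document, and it assumes each entry in qradar-iptables.log occupies a single line.

```bash
#!/usr/bin/env bash
# Added example: function names and sample data are constructed for illustration.

# Read `iptables --list` output on stdin and print the destination of every
# ACCEPT rule inside "Chain DOCKER". Empty output means no destinations are loaded.
docker_chain_destinations() {
    awk '
        /^Chain /                   { in_docker = ($2 == "DOCKER"); next }
        in_docker && $1 == "ACCEPT" { print $5 }
    '
}

# Read qradar-iptables.log on stdin; for each [docker_si] ERROR entry print
# "<table> <chain> <RC>". Assumes one log entry per line.
failed_rule_checks() {
    awk '
        /\[docker_si\] ERROR: iptables/ {
            table = chain = rc = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-t")  table = $(i + 1)
                if ($i == "-C")  chain = $(i + 1)
                if ($i ~ /^RC=/) rc = substr($i, 4)
            }
            print table, chain, rc
        }
    '
}

# Constructed sample of `iptables --list` output; only Chain DOCKER should match.
SAMPLE_LIST='Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 169.254.3.2 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 169.254.3.3 tcp dpt:commplex-main

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.0.1'

# Two of the log entries shown under "Diagnosing The Problem", one per line.
SAMPLE_LOG='[docker_si] ERROR: iptables --wait -t nat -C DOCKER -p tcp -d 0/0 --dport 32769 -j DNAT --to-destination 169.254.3.3:5000 ! -i dockerApps. RC=1
[docker_si] ERROR: iptables --wait -t nat -C OUTPUT -d 127.0.0.11 -j DOCKER_OUTPUT. RC=2'

# On the appliance: iptables --list | docker_chain_destinations
#                   failed_rule_checks < /var/log/qradar-iptables.log
printf '%s\n' "$SAMPLE_LIST" | docker_chain_destinations
printf '%s\n' "$SAMPLE_LOG" | failed_rule_checks
```

If `docker_chain_destinations` prints nothing, or `failed_rule_checks` still reports entries after the restart, the condition described under Results applies.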
Results
If the commands given do not result in destination IP addresses in the output, or the table rules are displaying an error in /var/log/qradar-iptables.log, your iptables might have an issue. Open a case with IBM QRadar support to investigate the issue.
Document Location
Worldwide
Document Information
Modified date:
28 May 2020
UID
ibm16212210