How To
Summary
Data Gateway (DG) configuration files might be left partially configured, which affects adding the appliance to a QRadar on Cloud (QRoC) deployment. This technote provides the steps to "clean" these configurations so that the Data Gateway does not need to be rebuilt.
Environment
QRadar on Cloud Data Gateway appliances might experience this issue when:
- The Data Gateway was removed from the deployment in the QRadar on Cloud Console when the appliance was not reachable.
- A previous addition attempt failed, causing partially updated files in the DG.
- The network configuration of the DG was changed.
Steps
Note: All of the following steps must be run in the conflicting DG before the next addition attempt.
1. Remove the IP in the CONSOLE_PRIVATE_IP entry in the nva configuration files. If the IP is not present in the files, skip this step and proceed to step 2.
   Example:
       grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf
       CONSOLE_PRIVATE_IP=<Console Private IP> # <-- This IP must be removed
       CONSOLE_PRIVATE_IP= # <-- This is the result
   - Back up the files.
       mkdir -p /store/IBM_Support
       cp -pfv /opt/qradar/conf/nva.conf /store/IBM_Support
       cp -pfv /opt/qradar/conf/nva.hostcontext.conf /store/IBM_Support
       cp -pfv /opt/qradar/conf/nva.qflow.qflow* /store/IBM_Support
   - Remove the IP address in the CONSOLE_PRIVATE_IP entry.
       sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.conf
       sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.hostcontext.conf
       sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.qflow.qflow*conf
   - Verify that the IP address is removed.
       grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf /opt/qradar/conf/nva.hostcontext.conf /opt/qradar/conf/nva.qflow.qflow*conf
2. Remove the OpenVPN configuration.
   - Stop the openvpn@client service, type:
       systemctl stop openvpn@client
   - Back up the existing OpenVPN directory.
       cp -prv /etc/openvpn/ /store/IBM_Support/
   - Move the OpenVPN files.
       mv -v /etc/openvpn/* /storetmp/
   - To clean the OpenVPN configuration, select one of the following options and type yes when prompted:
     - For QRadar 7.5.x and later, type:
         /opt/qradar/bin/vpntool.py clean
     - For QRadar 7.4.x and earlier, type:
         /opt/qradar/bin/vpntool clean
3. Remove entries for the console in the /etc/hosts file.
   Example:
       cat /etc/hosts
       127.0.0.1 localhost.localdomain localhost 7f3182c78ceda96583d5.localdeployment
       <DG IP> DG_hostname 94d3b83aec8b86dc197c.localdeployment
       <Console IP> console-xxxxx.qradar.ibmcloud.com console-xxxxx console.localdeployment # <-- This entry if present must be removed.
   - Back up the file.
       cp -pfv /etc/hosts /store/IBM_Support
   - Remove the entry.
       sed -i '/console/d' /etc/hosts
   - Verify that the entries are deleted.
       grep -i console /etc/hosts
4. Remove old PIDs for setup_qradar_host and qradar_netsetup.
   - Check whether an old PID exists. If none is present, skip to step 5.
       ls /var/run/ | grep -i pid
   - Remove the existing PID.
       rm -fv /var/run/qradar_netsetup.pid
       rm -fv /var/run/setup_qradar_host.pid
5. Verify or update the allowlist with the QRadar on Cloud Self Serve App. See "Manage access to the Console".
6. Generate a new token with the QRadar on Cloud Self Serve App. See "Generating a new token for a data gateway".
7. Log in to the QRadar on Cloud Console and click the Admin tab.
8. Click Deploy Changes.
9. Use the new token generated in Step 6 to add the Data Gateway with the mh_setup command:
       /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -r
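
As an added example (not IBM's own tooling), the following read-only check confirms before the next addition attempt that the CONSOLE_PRIVATE_IP, /etc/hosts and PID leftovers from the steps above are gone. The ROOT prefix, the function names and the constructed sample tree are assumptions of this example; the OpenVPN cleanup is not covered.

```shell
# Read-only check of the leftovers the procedure cleans up (added example).
# ROOT is an assumption of this example: a path prefix so the checks can run
# against a copied or constructed file tree. Leave it empty on the appliance.
ROOT="${ROOT:-}"

# List nva files whose CONSOLE_PRIVATE_IP entry still holds a value.
stale_console_ip() {
  grep -l '^CONSOLE_PRIVATE_IP=[^[:space:]]' \
    "$ROOT"/opt/qradar/conf/nva.conf \
    "$ROOT"/opt/qradar/conf/nva.hostcontext.conf \
    "$ROOT"/opt/qradar/conf/nva.qflow.qflow*conf 2>/dev/null || true
}

# List /etc/hosts lines that still mention the console. Matching is
# case-insensitive, like the grep -i verification in the procedure.
stale_hosts() {
  grep -i console "$ROOT/etc/hosts" 2>/dev/null || true
}

# List PID files left behind by the setup tools.
stale_pids() {
  for f in qradar_netsetup.pid setup_qradar_host.pid; do
    if [ -e "$ROOT/var/run/$f" ]; then echo "$ROOT/var/run/$f"; fi
  done
}

# Run every check, print what is left over, return 0 only when all are clean.
dg_precheck() {
  rc=0
  for check in stale_console_ip stale_hosts stale_pids; do
    out="$($check)"
    if [ -n "$out" ]; then
      printf 'LEFTOVER (%s):\n%s\n' "$check" "$out"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample (not from a real appliance): build a tree with leftovers.
make_sample_tree() {
  ROOT="$(mktemp -d)"
  mkdir -p "$ROOT/opt/qradar/conf" "$ROOT/etc" "$ROOT/var/run"
  echo 'CONSOLE_PRIVATE_IP=192.0.2.10' > "$ROOT/opt/qradar/conf/nva.conf"
  echo 'CONSOLE_PRIVATE_IP=' > "$ROOT/opt/qradar/conf/nva.hostcontext.conf"
  printf '127.0.0.1 localhost\n192.0.2.10 console.localdeployment\n' > "$ROOT/etc/hosts"
  : > "$ROOT/var/run/setup_qradar_host.pid"
}
```

On the Data Gateway, source the file with ROOT unset and run dg_precheck; a non-zero return lists what still needs cleaning.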
Results
The Data Gateway is successfully added to the QRadar on Cloud Console. If you continue to experience issues with your Data Gateway appliance, contact IBM® QRadar® Support for assistance.
Document Location
Worldwide
Document Information
Modified date:
20 July 2023
UID
ibm16438077