IBM Support

QRadar: Remove existing configuration on a Data Gateway that prevents adding it to QRadar on Cloud

How To


Summary

Configuration files on a Data Gateway (DG) might end up partially configured, which affects the addition of the DG to a QRadar on Cloud (QRoC) deployment. This technote provides the steps to "clean" these configurations so that the Data Gateway does not need to be rebuilt.

Environment

QRadar on Cloud Data Gateway appliances might experience this issue in the following cases:
  1. The Data Gateway was removed from the deployment in the QRadar on Cloud Console when the appliance was not reachable.
  2. A previous addition attempt failed, leaving partially updated files on the DG.
  3. The network configuration of the DG was changed.

Steps

Note: All of the following steps must be run on the conflicting DG before the next addition attempt.
  1. Remove the IP address from the CONSOLE_PRIVATE_IP entry in the nva configuration files. If the IP address is not present in the files, skip this step and proceed to step 2.
    Example:
    grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf
    CONSOLE_PRIVATE_IP=<Console Private IP>    # <-- This IP must be removed
    CONSOLE_PRIVATE_IP=                        # <-- This is the result
    
    1. Back up the files.
      mkdir -p /store/IBM_Support
      cp -pfv /opt/qradar/conf/nva.conf /store/IBM_Support
      cp -pfv /opt/qradar/conf/nva.hostcontext.conf /store/IBM_Support
      cp -pfv /opt/qradar/conf/nva.qflow.qflow* /store/IBM_Support
    2. Remove the IP address in the CONSOLE_PRIVATE_IP entry.
      sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.conf
      sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.hostcontext.conf
      sed -i 's/CONSOLE_PRIVATE_IP=.*/CONSOLE_PRIVATE_IP=/' /opt/qradar/conf/nva.qflow.qflow*conf
    3. Verify that the IP address is removed.
      grep CONSOLE_PRIVATE_IP /opt/qradar/conf/nva.conf /opt/qradar/conf/nva.hostcontext.conf /opt/qradar/conf/nva.qflow.qflow*conf
  2. Remove the OpenVPN configuration.
    1. To stop the openvpn@client service, type:
      systemctl stop openvpn@client
    2. Back up the existing OpenVPN directory.
      cp -prv /etc/openvpn/ /store/IBM_Support/
    3. Move the OpenVPN files.
      mv -v /etc/openvpn/* /storetmp/
    4. To clean the OpenVPN configuration, select one of the following options and type yes when prompted:
      • For QRadar 7.5.x and later, type:
        /opt/qradar/bin/vpntool.py clean
      • For QRadar 7.4.x and earlier, type:
        /opt/qradar/bin/vpntool clean
        Note: Both commands require you to answer Yes to proceed.
  3. Remove entries for the console in the /etc/hosts file.
    Example:
    cat /etc/hosts
    127.0.0.1 localhost.localdomain localhost 7f3182c78ceda96583d5.localdeployment
    <DG IP> DG_hostname 94d3b83aec8b86dc197c.localdeployment
    <Console IP> console-xxxxx.qradar.ibmcloud.com console-xxxxx console.localdeployment  # <-- This entry, if present, must be removed.
    1. Back up the file.
      cp -pfv /etc/hosts /store/IBM_Support
    2. Remove the entry.
      sed -i '/console/d' /etc/hosts
    3. Verify that the entries are deleted.
      grep -i console /etc/hosts
  4. Remove old PIDs for setup_qradar_host and qradar_netsetup.
    1. Check whether an old PID exists. If none is present, skip to step 5.
      ls /var/run/ | grep -i pid
    2. Remove the existing PID.
      rm -fv /var/run/qradar_netsetup.pid
      rm -fv /var/run/setup_qradar_host.pid
  5. Verify or update the allowlist with the QRadar on Cloud Self Serve App. See "Manage access to the Console".
  6. Generate a new token with the QRadar on Cloud Self Serve App. See "Generating a new token for a data gateway".
  7. Log in to the QRadar on Cloud Console and click the Admin tab.
  8. Click Deploy Changes.
  9. Use the new token generated in Step 6 to add the Data Gateway with the mh_setup command:
    /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -r

Results

The Data Gateway is successfully added to the QRadar on Cloud Console. If you continue to experience issues with your Data Gateway appliance, contact IBM® QRadar® Support for assistance.
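
A read-only check for the leftovers that steps 1 to 4 remove, which can be run before generating the new token. It is an added example and not part of the IBM technote. The dg_leftovers function name and its root-directory argument are assumptions of this example, as is treating anything left in /etc/openvpn as old VPN configuration.

```shell
# Added example (not from the IBM technote): read-only check for the
# leftovers that steps 1-4 remove. The function name and the root-directory
# argument are assumptions of this example; the argument lets the check run
# against a copied or constructed tree instead of the live DG.
# Usage on the DG: dg_leftovers /    (exit status 0 = nothing found)
dg_leftovers() (
  root="${1:-}"; root="${root%/}"; n=0
  # Step 1: CONSOLE_PRIVATE_IP must have no value in any nva file.
  for f in "$root"/opt/qradar/conf/nva.conf \
           "$root"/opt/qradar/conf/nva.hostcontext.conf \
           "$root"/opt/qradar/conf/nva.qflow.qflow*conf; do
    [ -f "$f" ] || continue          # also skips an unmatched glob
    if grep -Eq 'CONSOLE_PRIVATE_IP=[^[:space:]]' "$f"; then
      echo "step 1: CONSOLE_PRIVATE_IP still set in $f"; n=$((n + 1))
    fi
  done
  # Step 2 (assumption): anything left in /etc/openvpn is old VPN config.
  if [ -n "$(ls -A "$root/etc/openvpn" 2>/dev/null)" ]; then
    echo "step 2: files remain in $root/etc/openvpn"; n=$((n + 1))
  fi
  # Step 3: same match as the technote's own verification grep.
  if grep -iq console "$root/etc/hosts" 2>/dev/null; then
    echo "step 3: console entry remains in $root/etc/hosts"; n=$((n + 1))
  fi
  # Step 4: the two PID files named in the technote.
  for p in qradar_netsetup.pid setup_qradar_host.pid; do
    if [ -e "$root/var/run/$p" ]; then
      echo "step 4: stale PID file $root/var/run/$p"; n=$((n + 1))
    fi
  done
  [ "$n" -eq 0 ]   # exit status 0 only when nothing was found
)
```

Each line of output names the step that still has to be completed; no output and exit status 0 mean none of the checked leftovers are present.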

Document Location

Worldwide


Document Information

Modified date:
20 July 2023

UID

ibm16438077