IBM Support

QRadar: Adding managed host fails with an error "Failed to add host. Add host timed out" due to low bandwidth

Troubleshooting


Problem

The procedure for adding a managed host in QRadar® has a timeout threshold. When a managed host addition process takes longer than this threshold, the process is interrupted, and the managed host is not added to the deployment. One of the most common reasons for the addition process to take longer is low bandwidth between the console and the managed host.

Symptom

When adding a managed host, the user interface never passes step 10 of the addition process.
In /var/log/qradar.log, the following error is shown:
[tomcat.tomcat] [Thread-303] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:[ERROR]
 unable to add managed host: Failed to add host. Add host timed out.
[tomcat.tomcat] [Thread-303] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException:
 Failed to add host. Add host timed out.

Environment

QRadar deployments with less than 100Mbps between the console and managed host.

Diagnosing The Problem

To diagnose the problem, copy a file from the console to the managed host being added and compare the time the copy takes to complete against the timeout threshold.
  1. Use SSH to log in to the QRadar console as the root user.
  2. Copy a temporary file to the managed host and note the completion time.
    IMPORTANT: Replace <MH IP> with the IP address of the managed host. If the managed host prompts for a password, use the root password of the managed host.

    fallocate -l 1G /storetmp/1G.file
    echo "Transfer initiate = $(date +%T)";rsync -aP /storetmp/1G.file <MH IP>:/storetmp; echo "Transfer finished = $(date +%T)"
    Output example:
    [root@console~]# fallocate -l 1G /storetmp/1G.file
    [root@console~]# echo "Transfer initiate = $(date +%T)";rsync -aP /storetmp/1G.file 10.11.12.13:/storetmp; echo "Transfer finished = $(date +%T)"
    
    Transfer initiate = 15:35:03
    sending incremental file list
    1G.file
      1,073,741,824 100%  312KB/s    0:01:09 (xfr#1, to-chk=0/1)
    Transfer finished = 16:35:13
    
    In the previous output, the transfer took 1 hour to complete.
  3. Compare the completion time of the transfer with the timeout value in /opt/qradar/conf/nva.configservices.conf.
    grep ADD_HOST_TIMEOUT /opt/qradar/conf/nva.configservices.conf
    Output example:
    grep ADD_HOST_TIMEOUT /opt/qradar/conf/nva.configservices.conf
    ADD_HOST_TIMEOUT=1800000
    
    The ADD_HOST_TIMEOUT value is shown in milliseconds. By default, QRadar configures 1800000 milliseconds, which is equivalent to 30 minutes.

    Result
    The completion time (1 hour) is longer than the timeout value (30 minutes), which means the managed host addition is going to time out. Remove /storetmp/1G.file on the managed host before proceeding to the Resolving The Problem section.

Resolving The Problem

Administrators must engage their respective network team to address the bandwidth constraints to meet the QRadar bandwidth requirements of 100Mbps.
Alternatively, the ADD_HOST_TIMEOUT value can be increased so that the console waits longer for the process to complete. QRadar on Cloud customers must open a case and request that the following procedure be performed.
  1. Use SSH to log in to the QRadar console as the root user.
  2. Back up the current configuration file.
    mkdir -p /store/IBM_Support/
    cp -fv /opt/qradar/conf/nva.configservices.conf /store/IBM_Support/nva.configservices.conf-$(date +%F)
  3. Increase the timeout value in milliseconds.
    sed -i 's/ADD_HOST_TIMEOUT=.*/ADD_HOST_TIMEOUT=<timeout>/' /opt/qradar/conf/nva.configservices.conf
    Replace <timeout> with the new value in milliseconds. For example, 1800000 = 30 mins. In the following example, the timeout is increased to 40 mins.
    sed -i 's/ADD_HOST_TIMEOUT=.*/ADD_HOST_TIMEOUT=2500000/' /opt/qradar/conf/nva.configservices.conf
  4. Validate the new value is in place.
    grep ADD_HOST /opt/qradar/conf/nva.configservices.conf
    Output example:
    grep ADD_HOST /opt/qradar/conf/nva.configservices.conf
    ADD_HOST_TIMEOUT=2500000

    Result
    The ADD_HOST_TIMEOUT value is increased, and the managed host addition succeeds. If the addition process fails before the timeout value is reached, restart the tomcat service and try again.

    IMPORTANT: When the tomcat service restarts, the QRadar user interface is unavailable to all users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
    systemctl restart tomcat
    If the managed host addition still times out after the Tomcat service is restarted, contact QRadar Support for assistance.
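
The diagnosis and resolution steps above, combined into one script as an added example (not IBM code): it converts the two timestamps from the transfer test into a timeout with headroom and applies it with numeric validation, a line-anchored match and a backup. The function names, the 25% headroom, GNU sed and the assumption that ADD_HOST_TIMEOUT starts its line are assumptions, not part of the original page.

```bash
# Added example, not IBM code. Function names and the 25% headroom are assumptions.
# "HH:MM:SS" (as printed by `date +%T`) to seconds since midnight.
to_secs() {
  local h m s
  IFS=: read -r h m s <<EOF
$1
EOF
  echo $(( ${h#0} * 3600 + ${m#0} * 60 + ${s#0} ))
}

# Seconds between two `date +%T` stamps; tolerates one midnight rollover.
elapsed_seconds() {
  local a b; a=$(to_secs "$1"); b=$(to_secs "$2")
  if [ "$b" -lt "$a" ]; then b=$(( b + 86400 )); fi
  echo $(( b - a ))
}

# Print ADD_HOST_TIMEOUT (ms) from file $1; fail if absent or not purely numeric.
read_timeout_ms() {
  local v
  v=$(sed -n 's/^ADD_HOST_TIMEOUT=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
  [ -n "$v" ] && echo "$v"
}

# Milliseconds covering a $1-second transfer plus $2 percent headroom (default 25).
needed_timeout_ms() { echo $(( $1 * 1000 * (100 + ${2:-25}) / 100 )); }

# Raise ADD_HOST_TIMEOUT in file $1 to $2 ms, backing up into dir $3 first.
# Rejects non-numeric input, never lowers the value, prints the value now in the file.
set_timeout_ms() {
  local conf="$1" new="$2" bak="$3" cur
  case "$new" in ''|*[!0-9]*) echo "not a number: $new" >&2; return 2 ;; esac
  cur=$(read_timeout_ms "$conf") || return 3
  if [ "$new" -gt "$cur" ]; then
    mkdir -p "$bak" && cp -f "$conf" "$bak/$(basename "$conf")-$(date +%F)" || return 4
    sed -i "s/^ADD_HOST_TIMEOUT=.*/ADD_HOST_TIMEOUT=$new/" "$conf"
  fi
  read_timeout_ms "$conf"
}

# Demo on a constructed config copy, using the stamps from the output example.
demo() {
  local tmp secs; tmp=$(mktemp -d)
  printf 'ADD_HOST_TIMEOUT=1800000\n' > "$tmp/nva.configservices.conf"
  secs=$(elapsed_seconds 15:35:03 16:35:13)
  set_timeout_ms "$tmp/nva.configservices.conf" "$(needed_timeout_ms "$secs")" "$tmp/bak"
  rm -rf "$tmp"
}
demo
```

On the console, the config file and backup directory arguments to set_timeout_ms would be /opt/qradar/conf/nva.configservices.conf and /store/IBM_Support, as in the procedure above.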

Document Location

Worldwide


Document Information

Modified date:
15 December 2022

UID

ibm16847647