IBM Support

QRadar: Upgrading QRadar or installing an Interim fix can remove the HOSTNAME property from /etc/sysconfig/network

How To


Summary

During a software update, the SFS installer can incorrectly remove or comment out the hostname property in /etc/sysconfig/network file. When the hostname value is missing, it can cause application issues. A quick test to confirm this issue is to run the recon tool to determine whether the error message 'endpoint not specified' is displayed. Administrators on QRadar 7.4.x or 7.5.x can experience this issue on either the Console or an App Host appliance. This technical note includes a procedure for administrators to temporarily resolve this issue.

Objective

Resolve an issue where apps do not start and recon can display an error due to a missing HOSTNAME value in /etc/sysconfig/network.

Steps

Before you begin

Before you start a workaround for this issue, you must confirm you experience the following error conditions:
  1. After an upgrade, apps are not running on either the Console or the App Host, if present in the deployment.
  2. When you run the recon ps command to verify the status of apps, an 'endpoint not specified' message is returned. The 'endpoint not specified' message indicates that there is no hostname property value set in /etc/sysconfig/network or the value is commented out. For example, 
    # /opt/qradar/support/recon ps
&ps.StatusResult{Check:(*ps.StatusCheck)(nil), Message:"endpoint not specified", Remediation:"", Value:1}

Examples of an 'endpoint not specified' message on a Console or App Host

The endpoint not specified error can appear on either the Console or the App Host when you attempt to run the recon tool.

  • Console recon ps error for an All-in-One (AIO) appliance that was recently updated.
    error-when-no-hostname-property-set-in-etc-sysconfig-network-aio
  • App Host recon ps error example.
    image-20230801081040-1

These errors indicate that a hostname property is missing or there is no value for the hostname property listed in /etc/sysconfig/network. When the hostname is missing, the /etc/sysconfig/network file is missing a hostname line in the file.

For example, the HOSTNAME entry is missing and recon generates "endpoint not specified" errors.

[root@host~]# cat /etc/sysconfig/network
# WARNING: Please use qchange_netsetup to make changes to this file
GATEWAY=192.168.1.1
IPV6_AUTOCONF=no
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes

How to resolve this issue

When the "endpoint not specified" error is displayed, the administrator needs to confirm the file /etc/sysconfig/network contains the hostname property by running the grep command.

Procedure
  1. Use SSH to log in to the Console as the root user.
  2. To confirm if the hostname is missing or commented out of the /etc/sysconfig/network file, type: 
    grep HOSTNAME /etc/sysconfig/network
  3. Review the output of the command:
    • If no results are returned from the grep command, the endpoint error is being generated as the hostname is not configured.
    • If the hostname property is commented out with the '#' hash character. If it is commented out, it displays the output with a pound character at the beginning.
    • If a valid hostname is displayed, ensure that the value is correct. Administrators can also view your auto update history to verify that a recent auto update ran. QRadar bundles all support tool updates in the supportability-tools RPM file. 
      HOSTNAME=qradar-host.example.com
  4. To update the hostname value, download the attached support tool update-hostname-property.sh.
  5. Copy the file to the /root directory of the Console.
  6. To set permissions, type: 
    chmod +x update-hostname-property.sh
  7. Run the utility with the following command: 
    ./update-hostname-property.sh
    The output updates the hostname value and displays the value in the output. For examples, 
    Added HOSTNAME property: HOSTNAME=qradar-host.example.com
  8. To confirm the hostname is updated, type the following command to run recon: 
    /opt/qradar/support/recon ps
  9. Optional. If you have an App Host appliance, you can copy the file to the App Host, confirm the 'endpoint not specified' error, then run the update-hostname-property.sh tool.

    Results
    The output of recon ps is expected to display the application status without an error. If the applications are not running as expected, validate that they are started correctly by using /opt/qradar/support/qappmanager and follow the prompts to either stop or start the application. hostname-updated-on-apphost-in-etc-sysconfig-network If you upgrade your Console or App Host or apply an interim fix, you might need to repeat this procedure.


 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
01 August 2023

UID

ibm17009307

Page Feedback