IBM Support

QRadar EDR (formerly ReaQta) : Linux agent can fail after a major version change in linux kernel

Troubleshooting
Problem

Some customers might see the keeperx service fail to load on Linux endpoints where the kernel has been updated to a new major version.

Symptom

Customers might see that the Linux endpoint is successfully registered to the QRadar EDR Dashboard but shows an outdated version warning. The keeperx service fails to load with generic error messages.

Cause

When the kernel is updated to a new major version, the update can break the falco driver that the keeperx service requires in order to run.

Diagnosing The Problem

You can check the journalctl logs for the service with the following command:
journalctl -xu keeperx
Check whether the output contains errors like the following:
* Trying to compile the eBPF probe (falco_ubuntu-generic_6.2.0-34-generic_34.o)
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
You are using:           gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
In file included from /usr/src/falco-3.0.1+driver/bpf/probe.c:23:
/usr/src/falco-3.0.1+driver/bpf/fillers.h:855:49: error: member reference base type 'struct percpu_counter[4]' is not a structure or union
bpf_probe_read(&val, sizeof(val), &mm->rss_stat.count[member]);
make[2]: *** [/usr/src/falco-3.0.1+driver/bpf/Makefile:53: /usr/src/falco-3.0.1+driver/bpf/probe.o] Error 1
make[1]: *** [Makefile:2026: /usr/src/falco-3.0.1+driver/bpf] Error 2
make: *** [Makefile:38: all] Error 2
mv: cannot stat '/usr/src/falco-3.0.1+driver/bpf/probe.o': No such file or directory
Unable to load the falco eBPF probe
Please consider upgrading your target system or using keeperx legacy mode.
keeperx.service: Main process exited, code=exited, status=7/NOTRUNNING
Note: The exact error varies with the Linux distribution in use and with which driver fails to load because of missing dependencies.

Resolving The Problem

The agent depends closely on the kernel. When a major kernel upgrade takes place, the drivers can be recompiled automatically, provided that the kernel headers are already present; if any dependency is missing, the driver build fails.
The major version of a kernel represents architectural changes and new features. The minor version represents smaller updates, bug fixes, and potential feature improvements.
Linux kernel version numbers are in the format X.Y.Z:
 
  • X: The major release number
  • Y: The minor revision number
  • Z: The patch number
It is therefore advised to stay on the base kernel version shipped with the distribution when you install the QRadar EDR agent for Linux.
If you are unable to identify the root cause of the Linux agent failure, contact the QRadar EDR support team.
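The following Python script is an added triage example, not part of this IBM document or of the QRadar EDR agent; it applies the two checks described above (the journalctl error signatures from the Diagnosing section and the X.Y.Z major-version comparison from the Resolving section) to a constructed copy of the journal excerpt. The kernel release the agent was originally installed on is assumed to be known to the operator and is passed in as a string; the running kernel would normally come from uname -r.

```python
import re

# Failure signatures taken from the journalctl excerpt in this document.
FAILURE_SIGNATURES = (
    "Unable to load the falco eBPF probe",
    "error: member reference base type",
    "status=7/NOTRUNNING",
)

# Constructed sample input: a trimmed copy of the journal excerpt above.
SAMPLE_JOURNAL = """\
* Trying to compile the eBPF probe (falco_ubuntu-generic_6.2.0-34-generic_34.o)
/usr/src/falco-3.0.1+driver/bpf/fillers.h:855:49: error: member reference base type 'struct percpu_counter[4]' is not a structure or union
Unable to load the falco eBPF probe
keeperx.service: Main process exited, code=exited, status=7/NOTRUNNING
""".splitlines()


def parse_kernel_version(release):
    """Split a release string such as '6.2.0-34-generic' into (X, Y, Z)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(p) for p in m.groups())


def major_version_changed(installed_release, running_release):
    """True when the X component differs, i.e. the kernel had a major version change."""
    return parse_kernel_version(installed_release)[0] != parse_kernel_version(running_release)[0]


def probe_kernel_release(journal_lines):
    """Recover the kernel release embedded in the probe name on the 'Trying to compile' line."""
    for line in journal_lines:
        m = re.search(r"eBPF probe \(falco_[^_]+_([^_]+)_", line)
        if m:
            return m.group(1)
    return None


def find_probe_failures(journal_lines):
    """Return the journal lines that match a known failure signature."""
    return [line for line in journal_lines if any(sig in line for sig in FAILURE_SIGNATURES)]


def triage(journal_lines, installed_release, running_release):
    """Combine the journal evidence with the version comparison into one verdict."""
    failures = find_probe_failures(journal_lines)
    return {
        "probe_failed": bool(failures),
        "major_version_changed": major_version_changed(installed_release, running_release),
        "probe_built_for": probe_kernel_release(journal_lines),
        "failure_lines": failures,
    }
```

On a live endpoint, feed it the output of journalctl -xu keeperx and the result of uname -r instead of the constructed sample; a verdict with both flags set points at the cause described in this document.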

Document Location

Worldwide


Product Synonym

ReaQta

Document Information

Modified date:
24 October 2023

UID

ibm17055746