Troubleshooting
Problem
The procedure of adding a managed host in QRadar® has a timeout threshold. When a managed host addition process takes longer than this threshold, the process is interrupt, and the managed host is not added to the deployment. One of the most common reasons for the addition process to take longer is low bandwidth between the console and the managed host.
Symptom
When adding a managed host, the user-interface never passes the step 10 of the addition process.
![Figure01](/support/pages/system/files/inline-images/image_11250_0.png)
In /var/log/qradar.log, the following error is shown:
[tomcat.tomcat] [Thread-303] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:[ERROR]
unable to add managed host: Failed to add host. Add host timed out.
[tomcat.tomcat] [Thread-303] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException:
Failed to add host. Add host timed out.
Environment
QRadar deployments with less than 100Mbps between the console and managed host.
Diagnosing The Problem
To diagnose the problem, copy a file from the console to the managed host being added and compare the completion of the copy against the timeout threshold.
-
Use SSH to log in to the QRadar console as the root user.
-
Make a copy of a temporary file to the managed host and make note of the completion time.
IMPORTANT: Replace <MH IP> with the actual IP. If the managed host prompts for a password use the root password of the managed host.
fallocate -l 1G /storetmp/1G.file echo "Transfer initiate = $(date +%T)";rsync -aP /storetmp/1G.file <MH IP>:/storetmp; echo "Transfer finished = $(date +%T)"
[root@console~]# fallocate -l 1G /storetmp/1G.file [root@console~]# echo "Transfer initiate = $(date +%T)";rsync -aP /storetmp/1G.file 10.11.12.13:/storetmp; echo "Transfer finished = $(date +%T)" Transfer initiate = 15:35:03 sending incremental file list 1G.file 1,073,741,824 100% 312KB/s 0:01:09 (xfr#1, to-chk=0/1) Transfer finished = 16:35:13
-
Compare the completion time of the transfer with the timeout value in /opt/qradar/conf/nva.configservices.conf.
grep ADD_HOST_TIMEOUT /opt/qradar/conf/nva.configservices.conf
grep ADD_HOST_TIMEOUT /opt/qradar/conf/nva.configservices.conf ADD_HOST_TIMEOUT=1800000
The ADD_HOST_TIMEOUT value is shown in milliseconds. By default QRadar configures 1800000 milliseconds which equivalents to 30 minutes.
Result
The completion time (1 hour) is longer than the timeout value (30 minutes) which means the managed host addition is going to time out. Remove the /storetmp/1G.file on the Managed Host before proceeding to the Resolving the Problem section.
Resolving The Problem
Administrators must engage their respective network team to address the bandwidth constraints to meet the QRadar bandwidth requirements of 100Mbps.
Alternatively, the ADD_HOST_TIMEOUT value can be increased to allow the console to wait more time until the process completes. QRadar on Cloud customers must open a case and request the following procedure to be made.
- Use SSH to log in to the QRadar console as the root user.
- Back up the current configuration file.
mkdir -p /store/IBM_Support/ cp -fv /opt/qradar/conf/nva.configservices.conf /store/IBM_Support/nva.configservices.conf-$(date +%F)
- Increase the timeout value in milliseconds.
sed -i 's/ADD_HOST_TIMEOUT=.*/ADD_HOST_TIMEOUT=<timeout>/' /opt/qradar/conf/nva.configservices.conf
sed -i 's/ADD_HOST_TIMEOUT=.*/ADD_HOST_TIMEOUT=2500000/' /opt/qradar/conf/nva.configservices.conf
- Validate the new value is in place.
grep ADD_HOST /opt/qradar/conf/nva.configservices.conf
grep ADD_HOST /opt/qradar/conf/nva.configservices.conf ADD_HOST_TIMEOUT=2500000
Result
The ADD_HOST_TIMEOUT value is increased, and the managed host addition succeeds. If the addition process fails before the timeout value is reached, restart the tomcat service and try again.
IMPORTANT: When the tomcat service restarts, the QRadar user-interface is not available to all users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.systemctl restart tomcat
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
15 December 2022
UID
ibm16847647