IBM Support

QRadar: Adding managed hosts and common issues

Question & Answer


Question

Adding managed hosts to a QRadar® deployment is an essential task on distributed deployments. How can an issue be identified when managed hosts are added?

Answer

The content in this technical note is divided into the following categories:
  1. Stages Summary
  2. Log files
  3. Useful Commands
  4. Common causes
  5. Stages Breakdown

 
Stages Summary
The ten-step addition process can be summarized in the following five stages:

  1. The Console does prerequisite checks on the Managed host.
  2. The Console prepares and copies the configuration files to the Managed host.
  3. The Managed host uses the configuration files to configure itself and reports its "presence".
  4. The Managed host reports back to the Console that the configuration succeeded.
  5. The administrator deploys the changes with the new Managed Host's information.
Log files
The addition process is logged mainly in two files:
  • /var/log/qradar.log (Console and Managed host).
  • /var/log/setup-<latest version>/presence.log (Managed host only).
Useful Commands
 
Administrators can use the following commands to follow the entire process on the Console and on the Managed host:
On the Console, started before the host is added, for stages one and two (the initial "Running add host script" line is logged by BaseHostExecutor rather than AddHost, so a case-insensitive pattern that also matches "add host" shows the very first step):
tail -f /var/log/qradar.log | grep -iE 'addhost|add host'
On the Managed host, for stages three and four (presence.log is written only once the presence script starts, so use tail -F, which waits for the file to appear):
tail -F /var/log/setup-<latest version>/presence.log
On both the Console and the Managed host, for stage five:
tail -f /var/log/qradar.log | grep -i deploy
Common causes
Managed host addition can fail for various reasons. The most common are:
  1. Managed host prerequisites are not met.
  2. Connectivity issues between the Console and the Managed host before or during the addition process. If this communication breaks, the addition fails.
  3. A particular process fails to start or connect. The Tomcat connection test is the most common one to fail.
Stages Breakdown
  1. The Console does prerequisite checks on the Managed Host.
    Common failure cause: prerequisites not met. Confirm the following before adding the host:
    1. Connectivity: SSH from the Console to the Managed host, plus the remaining QRadar ports when the host is added without an encrypted tunnel.
    2. A valid root password for the Managed host.
      Note: A temporary password without special characters can be used for troubleshooting.
    3. Every Managed host being added must run the same QRadar® version as the Console (the add host script logs the version it detects and whether the builds match).
    4. A supported Managed host appliance type (the add host script logs the appliance id it detects).
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.hostcontext.core.executor.BaseHostExecutor: [INFO] [-/- -]Running add host script with 
      [-private_ip, <Managed host IP>, -connection_ip, <Managed host IP>, -nat_id, 0, -is_tunneled, true, 
      -is_compressed, false, -is_remote_tunnel_initiation, false, -console_ip, <Console IP>, -password, ********, -is_cli, false, -run_precheck, true]
      [hostcontext.hostcontext] [/SequentialEventDispatcher]
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Host <Managed host IP> version is 2020.3.2.20201112005343
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Build versions correctly match.
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Host <Managed host IP> appliance id is 1599
  2. The Console prepares and copies the configuration files to the Managed Host.
    Common failure cause: the network between the Console and the Managed host is not stable enough in bandwidth or latency. See Bandwidth considerations for managed hosts.

    Some of the processes involved in this stage are:
    1. iptables configuration on the Console for the new host.
    2. SSH key exchange.
    3. Certificates (the Console signs the Managed host's CSR).
    4. Token files. The host token logged in this stage is used by the Managed host to authenticate to the Console; treat it as a secret when sharing log excerpts.
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Adding iptable rules for new host being added to the deployment.<Managed host IP>
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully created Authentication Keys on host <Managed host IP>
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully pushed Authentication Keys to host <Managed host IP>
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully pushed host token <host token> for host <Managed host IP>
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully generated certificates from CSR on all the managed hosts
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully created the default tunnels on console for host [<Managed host IP>]
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully pushed files to host <Managed host IP>
  3. The Managed host uses the configuration files to configure itself and reports its "presence".
    Most common failure cause: a process fails to configure or start on the Managed host. See Tomcat is not connected and Failed to start PostgreSQL 9.6 database server.
    1. The Console requests the Managed host to run the /opt/qradar/bin/presence.pl script.
      [hostcontext.hostcontext] [/SequentialEventDispatcher] 
      com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Executing presence on host <Managed host IP> using console ip <Console IP>
    2. The Managed host starts the task.
      --- Output snipped ---
      [presence.pl-20349]: run_and_log: /opt/qradar/bin/mks-rekey.sh --skip-configparams
      Re-keying the system ... (OK)
      [mks-rekey.sh] OK: MKS Re-Key Completed
      --- Output snipped ---
      [presence.pl-20349]: Update CA trust anchor to console host
      [presence.pl-20349]: Syncing local time to console host
      [presence.pl-20349]: Restarting hostservices to pick up time change
      [presence.pl-20349]: Testing tomcat connection ...
      [presence.pl-20349]: Reporting presence to Configuration Services
      [presence.pl-20349]: Stopping HostContext
      [presence.pl-20349]: hostcontext is already stopped, no need to stop the service.
      [presence.pl-20349]: Retrieving and applying database dumps
      [presence.pl-20349]: Starting HostContext
      [presence.pl-20349]: hostcontext is not running. Attempting to start.
      [presence.pl-20349]: Done Presence Script
      
  4. The Managed host reports back to the Console that the configuration succeeded.
    [hostcontext.hostcontext] [/SequentialEventDispatcher] 
    com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully ran the presence script on host <Managed host IP>
    [hostcontext.hostcontext] [/SequentialEventDispatcher] 
    com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]Successfully added host.
  5. The administrator deploys the changes with the new Managed Host's information.
    See Deploy Changes 101.
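The following bash script is an added example for this note, not QRadar tooling and not part of the original IBM document. It reads a copy of the Console's /var/log/qradar.log, scores how far the most recent add-host attempt got using the milestone messages quoted in the stage breakdown above, and points to the log to read next. The stage numbers follow this note's five stages; the assumption that the quoted message substrings are stable across builds is the script's own. The sample log lines are constructed (TEST-NET addresses, Console 192.0.2.10, Managed host 192.0.2.20) and only imitate the shape of qradar.log entries.

```shell
#!/bin/bash
# addhost_stage.sh: work out how far a managed-host addition got from the
# Console's /var/log/qradar.log, using the milestone messages this note quotes.
# Added example, not QRadar tooling. Stage numbers follow the five stages
# above; the substrings are assumed to be stable across builds.

# "<stage>|<substring of the Console log message>", in the order logged.
ADDHOST_MILESTONES='1|Running add host script
1|Build versions correctly match
2|Adding iptable rules for new host
2|Successfully pushed Authentication Keys
2|Successfully pushed host token
2|Successfully generated certificates from CSR
2|Successfully created the default tunnels
2|Successfully pushed files to host
3|Executing presence on host
4|Successfully ran the presence script
4|Successfully added host.'

# addhost_stage <qradar.log>  -> prints "<stage>|<last milestone seen>"
# Only the most recent attempt counts: the BaseHostExecutor "Running add host
# script" line opens a new attempt, so a retry is not credited with progress
# made by an earlier attempt.
addhost_stage() {
    local log="$1" stage=0 last="no add-host activity" line s msg
    while IFS= read -r line; do
        case "$line" in *"Running add host script"*) stage=0 ;; esac
        while IFS='|' read -r s msg; do
            case "$line" in *"$msg"*) stage=$s; last=$msg ;; esac
        done <<EOF
$ADDHOST_MILESTONES
EOF
    done < "$log"
    printf '%s|%s\n' "$stage" "$last"
}

# addhost_next_check <stage> -> where to look next, per the breakdown above.
addhost_next_check() {
    case "$1" in
        0) echo "No add-host attempt logged: confirm the addition was started from the Console." ;;
        1) echo "Stopped in prerequisite checks (stage 1): verify SSH/port connectivity, the root password, matching QRadar versions and the appliance type." ;;
        2) echo "Stopped while pushing configuration (stage 2): check Console-to-host connectivity, bandwidth and latency." ;;
        3) echo "Presence started but never reported success (stage 3): read /var/log/setup-<latest version>/presence.log on the Managed host; Tomcat and PostgreSQL start-up are the usual culprits." ;;
        *) echo "Host added (stage 4): deploy changes and watch 'tail -f /var/log/qradar.log | grep -i deploy' on both hosts (stage 5)." ;;
    esac
}

# Constructed sample (not a real capture): a first attempt that died after the
# keys were pushed, then a retry that reached presence and went quiet.
write_sample_log() {
    local p='[hostcontext.hostcontext] [/SequentialEventDispatcher]'
    local ah='com.q1labs.configservices.capabilities.AddHost: [INFO] [-/- -]'
    local bhe='com.q1labs.hostcontext.core.executor.BaseHostExecutor: [INFO] [-/- -]'
    {
        echo "Nov 13 10:01:02 ::ffff:192.0.2.10 $p $bhe""Running add host script with [-private_ip, 192.0.2.20, -console_ip, 192.0.2.10, -password, ********, -run_precheck, true]"
        echo "Nov 13 10:01:05 ::ffff:192.0.2.10 $p $ah""Build versions correctly match."
        echo "Nov 13 10:01:06 ::ffff:192.0.2.10 $p $ah""Adding iptable rules for new host being added to the deployment.192.0.2.20"
        echo "Nov 13 10:01:09 ::ffff:192.0.2.10 $p $ah""Successfully pushed Authentication Keys to host 192.0.2.20"
        echo "Nov 13 10:20:41 ::ffff:192.0.2.10 $p $bhe""Running add host script with [-private_ip, 192.0.2.20, -console_ip, 192.0.2.10, -password, ********, -run_precheck, true]"
        echo "Nov 13 10:20:44 ::ffff:192.0.2.10 $p $ah""Build versions correctly match."
        echo "Nov 13 10:20:45 ::ffff:192.0.2.10 $p $ah""Adding iptable rules for new host being added to the deployment.192.0.2.20"
        echo "Nov 13 10:20:48 ::ffff:192.0.2.10 $p $ah""Successfully pushed Authentication Keys to host 192.0.2.20"
        echo "Nov 13 10:20:49 ::ffff:192.0.2.10 $p $ah""Successfully pushed host token <host token> for host 192.0.2.20"
        echo "Nov 13 10:20:52 ::ffff:192.0.2.10 $p $ah""Successfully generated certificates from CSR on all the managed hosts"
        echo "Nov 13 10:20:53 ::ffff:192.0.2.10 $p $ah""Successfully created the default tunnels on console for host [192.0.2.20]"
        echo "Nov 13 10:21:30 ::ffff:192.0.2.10 $p $ah""Successfully pushed files to host 192.0.2.20"
        echo "Nov 13 10:21:31 ::ffff:192.0.2.10 $p $ah""Executing presence on host 192.0.2.20 using console ip 192.0.2.10"
    } > "$1"
}

# Demo: classify the constructed sample and print the next place to look.
sample=$(mktemp)
write_sample_log "$sample"
result=$(addhost_stage "$sample")   # 3|Executing presence on host
echo "$result"
addhost_next_check "${result%%|*}"
rm -f "$sample"
```

On a real deployment, point addhost_stage at the Console's /var/log/qradar.log (or a copy pulled into a support case). A result of stage 3 with no "Successfully ran the presence script" line means the Console handed off to the Managed host and the answer is in presence.log there, not in the Console log; a result of stage 2 means the Console never finished pushing files, which is where connectivity and bandwidth problems show up.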


Document Information

Modified date:
18 August 2021

UID

ibm16476902