IBM Support

QRadar: Deploy Changes times out on managed hosts due to low bandwidth link

Troubleshooting


Problem

When Deploy Changes is running, the Console transfers the necessary files to the managed hosts. Low bandwidth causes delays in the transfer of these files.

Symptom

On the Console, administrators might see the following message:

Figure01

In the Admin Tab, that managed host is pending to deploy.

Figure02

Cause

A Deploy Changes timeout is not an issue in itself but an alert about a condition that prevents the process from finishing within the threshold. The timeout value is a fixed threshold from the Console.
QRoC Data Gateways require a minimum of 40 Mbps, regardless of the event rate to be forwarded. To allow internal processes to perform as expected, QRadar requires a minimum bandwidth of 100 Mbps between the Console and managed hosts.
Appliances deployed in the cloud (including QRoC Data Gateways) are heavily impacted by this issue because the connections between the Console and the managed hosts are established over the internet.

Environment

On-prem appliances and Cloud deployments with low-bandwidth links between the Console and managed hosts.

Diagnosing The Problem

On the managed host, the following logs can be seen in /var/log/qradar.log.
Jun 7 12:59:24 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [INFO] Setting deployment status to In Progress
Jun 7 12:59:27 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: Downloading new configuration set
Jun 7 12:59:27 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: Downloading the globalset_list.xml file from Console...
Jun 7 12:59:33 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: Downloaded the globalset_list.xml file.
Jun 7 12:59:52 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: New deployment token is deployment_,2021-06-07 12:56:12,_00000179-e769-eb1b-0000-000000000000.
Jun 7 12:59:52 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: Downloading the zipfile_GEN.zip file from Console...
Jun 7 13:19:55 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: Downloaded the zipfile_GEN.zip file.
Jun 7 13:19:55 [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Local Transformation: Starting...
Note the time difference between the start and the end of the zipfile_GEN.zip download. In this example, the elapsed time is 20 minutes.
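The same check can be scripted. The following Python is an added example, not IBM code: it pairs the "Downloading the ... file from Console" and "Downloaded the ... file." lines shown above and reports the elapsed time per file, plus any download that never finished. The year argument and the slow_after threshold are assumptions, because the log timestamp carries no year and the technote does not state the Console's timeout value.

```python
import re
from datetime import datetime, timedelta

# Sample input: four lines copied from the qradar.log excerpt above.
PREFIX = ("[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] "
          "com.q1labs.hostcontext.configuration.ConfigSetUpdater: [INFO] Deploy Global Set: ")
SAMPLE = [
    "Jun 7 12:59:27 " + PREFIX + "Downloading the globalset_list.xml file from Console...",
    "Jun 7 12:59:33 " + PREFIX + "Downloaded the globalset_list.xml file.",
    "Jun 7 12:59:52 " + PREFIX + "Downloading the zipfile_GEN.zip file from Console...",
    "Jun 7 13:19:55 " + PREFIX + "Downloaded the zipfile_GEN.zip file.",
]

STAMP = r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*Deploy Global Set: "
START = re.compile(STAMP + r"Downloading the (\S+) file from Console")
END = re.compile(STAMP + r"Downloaded the (\S+) file\.")

def parse_ts(stamp, year):
    # The log timestamp carries no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def transfer_times(lines, year=2021):
    """Return ([(file, elapsed)], {file: start}) for finished and unfinished downloads."""
    pending, finished = {}, []
    for line in lines:
        if m := START.match(line):
            pending[m.group(2)] = parse_ts(m.group(1), year)
        elif (m := END.match(line)) and m.group(2) in pending:
            elapsed = parse_ts(m.group(1), year) - pending.pop(m.group(2))
            finished.append((m.group(2), elapsed))
    return finished, pending

def slow_transfers(lines, slow_after=timedelta(minutes=5), year=2021):
    # slow_after is a hypothetical review threshold, not the Console's timeout value.
    finished, pending = transfer_times(lines, year)
    return [name for name, elapsed in finished if elapsed > slow_after], sorted(pending)

if __name__ == "__main__":
    for name, elapsed in transfer_times(SAMPLE)[0]:
        print(f"{name}: {elapsed}")
    print("slow, unfinished:", slow_transfers(SAMPLE))
```

A file that appears in the unfinished list started downloading but has no matching "Downloaded" line, which is what a transfer still in progress looks like in the log.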

Resolving The Problem

Administrators can use the following suggestions to identify the issue and request help from the network team:
  1. On-prem and Cloud deployments can verify the bandwidth of the link and reach out to the respective network team to investigate the issue.
  2. QRadar® on Cloud (QRoC) customers cannot perform a bandwidth verification. Instead, the following steps can help to identify where the issue is:
    1. Transfer a large file (larger than 100 MB) within the network of the DG or network-managed scope. This test rules out issues in the network where the DG is hosted.
    2. Download a large file (larger than 100 MB) from an internet location. This test rules out issues at the ISP (Internet Service Provider).

Alternatively, the administrator can increase the timeout value expected by the Console as outlined in this technote. QRoC customers can request this change through a case with IBM Support.

Document Location

Worldwide


Document Information

Modified date:
31 March 2022

UID

ibm16467849