IBM Support

QRadar: How to change the time zone on multiple QRadar managed hosts

Troubleshooting


Problem

This technical note outlines how administrators can remove the existing localtime file and replace it with a new symbolic link to change the time zone value for one or more QRadar appliances.

Resolving The Problem



Important: This procedure requires a restart of the Tomcat server. Restarting the Web Server logs out users, cancels event exports, and prevents scheduled reports from running while services restart. It is recommended that you complete this procedure during scheduled maintenance or alert users before you take an action that restarts core services. For more information, see: QRadar: How to clear the Tomcat cache or contact QRadar Support.

 

Option 1: How to change the time zone for a single appliance

Before you begin

The procedures listed do not apply to HA pairs. The primary HA appliance is responsible for copying the time zone file to the HA secondary. To complete the procedure outlined, you must have root access to the QRadar Console.

  • Procedure
    To change the time zone on one appliance, administrators can replace the localtime value on the appliance with a symbolic link to a time zone or city.
    1. Use SSH to log in to the Console as the root user.
    2. Optional. Open an SSH session to the managed host to make a change on a non-Console appliance.
    3. Navigate to the /etc directory.
    4. To remove the existing localtime file, type
      rm localtime
    5. Press Y when prompted to delete the existing localtime file.
    6. To list all time zones, type the following command: ls /usr/share/zoneinfo/
      If you specify a country, you must also specify the time zone or city from the subdirectory.
      For example:
      /usr/share/zoneinfo/Europe/London
      /usr/share/zoneinfo/US/Pacific
      /usr/share/zoneinfo/Eastern
      /usr/share/zoneinfo/UTC
    7. To update the symlink and update the time zone, type: 
      ln -s /usr/share/zoneinfo/<new_timezone> localtime
    8. To ensure that changes are applied to the QRadar appliance, type:
      /opt/qradar/init/hostcontext -q restart
    9. To restart the user interface on the Console, type:
      systemctl restart tomcat
    10. To ensure that cron runs on the new time zone information, type:
      systemctl restart crond

Results
After services are restarted, the appliance will use the same time zone as defined in /etc/localtime.
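
The symlink replacement in steps 4 to 7 leaves the appliance with a missing or dangling /etc/localtime if the zone name is mistyped or names only a country directory. The following sketch is an added example, not IBM's code: it validates the zone before touching the link and swaps it in one rename. The function names and the overridable ZONEINFO_DIR and ETC_DIR variables are assumptions made for illustration, and `mv -T` requires GNU coreutils.

```shell
# Added example (not from the original technote). Helper names are
# hypothetical; ZONEINFO_DIR and ETC_DIR can be overridden so the
# functions can be exercised against a scratch directory.
ZONEINFO_DIR="${ZONEINFO_DIR:-/usr/share/zoneinfo}"
ETC_DIR="${ETC_DIR:-/etc}"

# Succeeds only if $1 names a compiled zone file under ZONEINFO_DIR.
valid_zone() {
    local zone="$1"
    # Reject empty names, absolute paths and any ".." sequence.
    case "$zone" in
        ""|/*|*..*) return 1 ;;
    esac
    local file="$ZONEINFO_DIR/$zone"
    # A country directory such as "Europe" is not a zone on its own.
    [ -f "$file" ] || return 1
    # Compiled zone files start with the 4-byte magic "TZif".
    [ "$(head -c 4 "$file")" = "TZif" ]
}

# Point ETC_DIR/localtime at the zone. If validation fails, the
# existing link is left untouched.
set_timezone() {
    local zone="$1" tmp="$ETC_DIR/localtime.new.$$"
    valid_zone "$zone" || { echo "invalid time zone: $zone" >&2; return 1; }
    ln -s "$ZONEINFO_DIR/$zone" "$tmp" || return 1
    # One rename replaces the old link, so localtime never goes missing.
    # -T stops mv from descending into a link that points at a directory.
    mv -Tf "$tmp" "$ETC_DIR/localtime"
}

# Print the zone name that the localtime link currently points to.
current_timezone() {
    local target
    target="$(readlink "$ETC_DIR/localtime")" || return 1
    case "$target" in
        "$ZONEINFO_DIR"/*) echo "${target#"$ZONEINFO_DIR"/}" ;;
        *) return 1 ;;
    esac
}
```

After `set_timezone Europe/London` succeeds, `current_timezone` confirms the link target before the hostcontext, tomcat, and crond restarts from steps 8 to 10 are run.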

Option 2: How to change the time zone for several appliances in the deployment

Before you begin

The procedures listed do not apply to HA pairs. To complete the procedure outlined, you must have root access to the QRadar Console.

  • Procedure
    To change the time zone on specific managed hosts in the deployment, administrators can replace the localtime value on the appliance with a symbolic link to a time zone or city.
    1. Use SSH to log in to the Console as the root user.
    2. Optional. Open an SSH session to the managed host to make a change on a non-Console appliance.
    3. Navigate to the / directory.
    4. To list all time zones, type the following command: ls /usr/share/zoneinfo/
      If you specify a country, you must also specify the time zone or city from the subdirectory.
      For example,
      /usr/share/zoneinfo/Europe/London
      /usr/share/zoneinfo/US/Pacific
      /usr/share/zoneinfo/Eastern
      /usr/share/zoneinfo/UTC
      
    5. To change the time zone on multiple appliances, you can use the following command to update QRadar managed hosts by IP address:
      /opt/qradar/support/all_servers.sh -I <IP address>,<IP address>,<IP address> "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/US/<new_timezone> localtime"
      This command uses a comma-separated list to define which appliances receive a time zone update.

      Alternatively, you can use all_servers.sh to apply commands to QRadar appliances by hostname. For example, the following command updates the time zone on any appliance with a hostname that starts with SVRQRD-EP:
      /opt/qradar/support/all_servers.sh -a 'SVRQRD-EP%' "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/<Country>/<new_timezone> localtime"
    6. To ensure that changes are applied to the QRadar appliance, type:
      /opt/qradar/support/all_servers.sh -I <IP address>,<IP address>,<IP address> "/opt/qradar/init/hostcontext -q restart"
    7. To restart the user interface on the Console, type:
      systemctl restart tomcat
    8. To ensure that cron runs on the new time zone information, type:
      systemctl restart crond

Results
After services are restarted, all appliances in the network will use the same time zone as defined in /etc/localtime.

Option 3: How to change the time zone for every appliance in the deployment

Before you begin

The procedures listed do not apply to HA pairs. To complete the procedure outlined, you must have root access to the QRadar Console.

  • Procedure
    You can change the time zone on your QRadar Console and all managed hosts by using the command-line interface. This procedure allows administrators to remove the existing time zone value and create a new symlink with the correct time zone that they want all appliances to use.
    1. Use SSH to log in to the Console as the root user.
    2. Navigate to the / directory.
    3. To list all possible time zone options, type the following command: ls /usr/share/zoneinfo/
      If you specify a country, you must also specify the time zone or city from the subdirectory.
      For example,
      /usr/share/zoneinfo/Europe/London
      /usr/share/zoneinfo/US/Pacific
      /usr/share/zoneinfo/Eastern
      /usr/share/zoneinfo/UTC
      
    4. Type the following command to update the time zone on all appliances in the deployment:
      /opt/qradar/support/all_servers.sh "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/<Country>/<new_timezone> localtime"
      For example,
      /opt/qradar/support/all_servers.sh "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/US/Pacific localtime" 
      /opt/qradar/support/all_servers.sh "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/Europe/London localtime" 
      /opt/qradar/support/all_servers.sh "cd /etc;rm -f localtime;ln -s /usr/share/zoneinfo/GMT localtime"
      As the script runs, it outputs any changes or errors to the command-line interface for each appliance where the command is run.
    5. To ensure that changes are applied to the QRadar appliance, type:
      /opt/qradar/support/all_servers.sh "/opt/qradar/init/hostcontext -q restart"
    6. To restart the user interface on the Console, type:
      systemctl restart tomcat
    7. To ensure that cron runs on the new time zone information, type:
      systemctl restart crond

Results
After services are restarted, all appliances in the network use the same time zone as defined in /etc/localtime.




 


Document Information

Modified date:
11 August 2022

UID

swg21988720