IBM Support

QRadar: Recommended practices for hostname creation

Question & Answer


Question

What are the recommended practices to name a QRadar Appliance? 

Answer

In QRadar, a proper FQDN (Fully Qualified Domain Name) is mandatory. This article answers common questions about this topic in QRadar.

Administrators can use this technote as general guidance to configure the FQDN at the installation phase and to correct it when necessary.

What is the difference between FQDN, hostname, and domain?

The hostname is the actual server name. The following are valid examples of hostnames (NOTE: It is not recommended to include the word "qradar" in the hostname, as it can cause issues in some environments):

console01
qconsolexx

The domain is the zone to which a server belongs. It is often composed of a TLD (Top-Level Domain) and is placed after the hostname separated by a dot (.). The following are valid examples of domains:

.local
.companyname.com

The FQDN is the hostname plus the domain. The following are valid examples of FQDNs:

console01.local
qconsolexx.companyname.com

Can the FQDN be changed after the installation?

The FQDN in QRadar is created at the installation phase. However, administrators can change the hostname after the installation by using the qchange_netsetup utility.

Note: For systems running QRadar 7.4.1 and older, qchange_netsetup might report an error. For more details and remediations, refer to IJ31239: A CRITICAL ISSUE HAS BEEN IDENTIFIED IN /OPT/QRADAR/BIN/QCHANGE_NETSETUP.

Procedure

  1. To change the hostname or domain on an AIO (All In One) Console, refer to Changing the network settings in an all-in-one system.
  2. To change the hostname or domain on a multi-system deployment, refer to Changing the network settings of a QRadar Console in a multi-system deployment.
    1. To change it on the Console, all managed hosts must be removed before qchange_netsetup is run.
    2. To change it on a managed host, the managed host must be removed first; then run qchange_netsetup on it.
  3. To change the hostname or domain on a High Availability (HA) multi-system deployment, refer to Changing the network settings of a QRadar High Availability Cluster.

Is there any other alternative than qchange_netsetup to change the FQDN and hostname?

No. Although QRadar is based on RHEL, manually editing /etc/hostname, using the hostnamectl command, or using any other alternative is discouraged and unsupported.

Can characters in lowercase and uppercase be mixed?

No. QRadar enforces the recommendations given by RFC4343 and recommends that all characters in the hostname and domain be lowercase for new appliance installations.

Note: The exception to this rule is hardware migrations. When migrating to new hardware, the hostname of the new Console must match the value of the old Console appliance you are replacing, including capitalization. If the hostname differs when you install the new appliances, you might experience issues with the deploy after you restore the configuration backup.

My server requires a long hostname, what is the maximum of characters allowed?

The maximum number of characters allowed for an FQDN is 64. The administrator must divide the available characters carefully between the domain and the hostname to stay within this limit.

Note: Although we recommend lowercase hostnames, the new appliance hostname must match the value of the old Console appliance you are replacing, including capitalization. If the hostname differs when you install new appliances, you might experience issues with Deploy Changes after you perform the configuration restore.

My server requires a long hostname. Which special characters are allowed for separation?

Although Linux accepts special characters in the hostname portion (except for the dot), QRadar recommends using only hyphens (-) as separators in the hostname. Hostnames that do not conform to standards are no longer supported in QRadar 7.3.X, 7.4.x, or 7.5.x and later. A valid hostname is a string of up to 24 characters that includes only [a-z][A-Z][0-9], the minus sign (-), and the period (.). See the "What is the difference between FQDN, hostname, and domain?" section in this technote for valid examples.

I'm creating a High Availability (HA) Cluster. Is there any special recommendation for HA?

The administrators must avoid the usage of -primary or -secondary in the hostname because it can cause issues when the HA cluster is created.

When an HA Cluster is created, the setup appends -primary and -secondary to the required host. Administrators planning to create an HA Cluster must consider a maximum limit of 53 characters so that the maximum number of characters remains under 64.
For other HA-related questions, refer to QRadar: High Availability FAQ.

Qchange_netsetup reports the domain is not valid, what can I do?

The administrators must ensure the following conditions:

  1. The hostname and the start of the domain are separated with a dot (.). See the "What is the difference between FQDN, hostname, and domain?" section in this technote for valid examples.
  2. The separation within the domain section must be done with dots (.). See the "What is the difference between FQDN, hostname, and domain?" section in this technote for valid examples.
  3. Ensure a valid TLD (Top-Level Domain) is used. The administrator must refer to ICANN for a list of valid domains (see RFC6762 and RFC2606) and to check whether the domain is colliding.
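
The naming rules from the sections above can be applied to a candidate FQDN before installation or before running qchange_netsetup. The following is an added example, not IBM code and not part of qchange_netsetup. Assumptions: the function names are hypothetical, the 24-character limit is applied to the part before the first dot, the 53-character HA limit is applied to the whole FQDN, and TLD validity is not checked.

```python
import re

# Limits and names taken from the technote text.
FQDN_MAX = 64                               # whole FQDN
HA_FQDN_MAX = 53                            # assumption: whole FQDN when HA is planned
HOSTNAME_MAX = 24                           # assumption: part before the first dot
HA_SUFFIXES = ("-primary", "-secondary")    # appended by the HA setup
LABEL_RE = re.compile(r"[A-Za-z0-9-]+")     # letters, digits, hyphen


def check_fqdn(fqdn, ha_planned=False, hardware_migration=False):
    """Return (rule, detail) findings; an empty list means nothing was flagged."""
    findings = []
    host, dot, domain = fqdn.partition(".")
    if not dot or not domain:
        findings.append(("domain", "hostname and domain must be separated by a dot"))
    for label in fqdn.split("."):
        if not LABEL_RE.fullmatch(label):
            findings.append(("charset", f"label {label!r} is empty or has other characters"))
    if len(host) > HOSTNAME_MAX:
        findings.append(("hostname-length", f"{len(host)} > {HOSTNAME_MAX}"))
    limit = HA_FQDN_MAX if ha_planned else FQDN_MAX
    if len(fqdn) > limit:
        findings.append(("fqdn-length", f"{len(fqdn)} > {limit}"))
    # Lowercase is recommended for new installs; a hardware migration must keep
    # the old Console's capitalization, so the check is skipped there.
    if not hardware_migration and fqdn != fqdn.lower():
        findings.append(("case", "use lowercase for new appliance installations"))
    if any(suffix in host.lower() for suffix in HA_SUFFIXES):
        findings.append(("ha-suffix", "hostname must not contain -primary/-secondary"))
    if "qradar" in host.lower():
        findings.append(("qradar-word", "avoid the word 'qradar' in the hostname"))
    return findings


def rules_hit(fqdn, **kwargs):
    """Convenience: just the rule names, in the order they were found."""
    return [rule for rule, _ in check_fqdn(fqdn, **kwargs)]


if __name__ == "__main__":
    # Constructed candidates; the first two are the technote's own valid examples.
    for name in ("console01.local", "qconsolexx.companyname.com",
                 "Console_01.local", "siem-primary.companyname.com", "console01"):
        print(f"{name:32} {rules_hit(name) or 'ok'}")
```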


Document Information

Modified date:
23 February 2024

UID

ibm16571187