IBM Support

QRadar: Tunnel services in version 7.4.x

Question & Answer


Question

What tunnel services exist in QRadar® 7.4.x?

Answer

All the ports used by the QRadar® Console to communicate with managed hosts can be encrypted using tunnels. Tunneled connections between the Console and managed hosts are made over SSH, on TCP port 22. QRadar® allows administrators to use both encrypted and unencrypted connections for a managed host that is connected to the Console. The settings to encrypt communication between a Console and managed hosts are found on the Admin tab > System and License Management > Deployment Actions > Edit Managed Host > Encrypt Host Connections menu option. As managed hosts are added or edited by using the Deployment Options, administrators can choose to encrypt the connection based on the location of the appliance.
The tunnel_manager service was introduced in version 7.4.0. In prior versions, tunnels were managed by the hostcontext service directly. Due to this change, restarting the hostcontext service does not restart the tunnels. Instead, if the tunnels are to be reset, the tunnel_manager service needs to be restarted.
You can find the status of the tunnel_manager service by using the command:
[root@qr741-3199-3054 ~]# systemctl status tunnel_manager
● tunnel_manager.service - Tunnel Manager
   Loaded: loaded (/etc/systemd/system/tunnel_manager.service; static; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-07 01:36:50 EST; 3h 52min ago
 Main PID: 18030 (tunnel_manager)
    Tasks: 13
   Memory: 26.6M
   CGroup: /system.slice/tunnel_manager.service
           └─18030 /opt/ibm/si/tunnel_manager/bin/tunnel_manager
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=11317893732630386899
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=6377771495063877890
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=3307718584235530762
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=11891005398504568582
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=14455112692895557604
Jan 07 01:36:50 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="success (start)" id=12694322409791694933
Jan 07 04:19:28 qr741-3199-3054.cslab.iss.local systemd[1]: Reloading Tunnel Manager.
Jan 07 04:19:28 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="beginning reload"
Jan 07 04:19:28 qr741-3199-3054.cslab.iss.local systemd[1]: Reloaded Tunnel Manager.
Jan 07 04:19:28 qr741-3199-3054.cslab.iss.local tunnel_manager[18030]: level=info msg="finished reload"

In versions before 7.4.0, tunnel services were named tunnel@tunnel0.service, tunnel@tunnel1.service, and so on.
In version 7.4.0 and later, tunnel services are named in the format managed-tunnel@<ID>.service where ID is a long numeric string.

For example:
managed-tunnel@12321215653488078667.service
managed-tunnel@17205546797065233227.service

Use the following command to list all managed tunnel services:
[root@qr741-3199-3054 ~]# systemctl list-units --type=service | grep managed-tunnel
managed-tunnel@11317893732630386899.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@11891005398504568582.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@12694322409791694933.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@14087601567789987458.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@14455112692895557604.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@3307718584235530762.service  loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@6265840024936800006.service  loaded active running SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@6377771495063877890.service  loaded active running SSH tunnel created and managed by the Tunnel Manager service

You can execute the following command to check the status of a particular managed tunnel service:
[root@qr741-3199-3054 ~]# systemctl status managed-tunnel@11891005398504568582.service
● managed-tunnel@11891005398504568582.service - SSH tunnel created and managed by the Tunnel Manager service
   Loaded: loaded (/etc/systemd/system/managed-tunnel@.service; static; vendor preset: disabled)
   Active: active (running) since Thu 2021-01-07 01:36:50 EST; 3h 53min ago
 Main PID: 18485 (ssh)
   CGroup: /system.slice/system-managed\x2dtunnel.slice/managed-tunnel@11891005398504568582.service
           └─18485 /usr/bin/ssh -N -T -v -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o Compression=no -R localhost:5000:localh...
Jan 07 05:27:01 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:27:21 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:27:41 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:28:02 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:28:22 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:28:42 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:29:02 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:29:22 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:29:42 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
Jan 07 05:30:02 qr741-3199-3054.cslab.iss.local ssh[18485]: debug1: client_input_global_request: rtype keepalive@openssh.com want_reply 1
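
The listing command above can be turned into a health check that flags any managed tunnel that is not in the "active running" state. The script below is an added example, not IBM's code; the function names and the sample unit IDs and states are constructed for illustration.

```shell
#!/bin/sh
# Added example: report managed-tunnel units that are not "active running".

# Constructed sample in the format of `systemctl list-units --type=service --all`.
# The IDs are made up. The second line carries the "●" marker that systemctl
# prints in front of failed units, which shifts every column by one field.
SAMPLE_UNITS='managed-tunnel@1111111111111111111.service loaded active running SSH tunnel created and managed by the Tunnel Manager service
● managed-tunnel@2222222222222222222.service loaded failed failed SSH tunnel created and managed by the Tunnel Manager service
managed-tunnel@3333333333333333333.service  loaded inactive dead SSH tunnel created and managed by the Tunnel Manager service
sshd.service loaded active running OpenSSH server daemon'

# unhealthy_tunnels: read list-units output on stdin and print
# "<ID> <ACTIVE>/<SUB>" for each managed tunnel that is not active/running.
unhealthy_tunnels() {
  awk '
    {
      # Unit name is field 1, or field 2 when the failed-unit marker is present.
      u = ($1 ~ /^managed-tunnel@/) ? 1 : 2
      if ($u !~ /^managed-tunnel@[0-9]+\.service$/) next
      id = $u
      sub(/^managed-tunnel@/, "", id)
      sub(/\.service$/, "", id)
      if ($(u+2) != "active" || $(u+3) != "running")
        print id, $(u+2) "/" $(u+3)
    }'
}

# check_tunnels: exit status 0 when every tunnel is healthy, 1 otherwise.
check_tunnels() {
  bad=$(unhealthy_tunnels)
  if [ -z "$bad" ]; then return 0; fi
  printf '%s\n' "$bad"
  # Since 7.4.0 tunnels are reset through tunnel_manager, not hostcontext.
  echo "Unhealthy tunnels found; restart tunnel_manager to reset them." >&2
  return 1
}

# On an appliance (--all is needed so inactive units are listed too):
#   systemctl list-units --type=service --all --no-legend | check_tunnels
```

The nonzero exit status makes the check usable from cron or a monitoring agent.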


Historical Number

TS004519707

Document Information

Modified date:
12 January 2021

UID

ibm16372904