IBM Support

QRadar: Validate /etc/hosts file

Question & Answer


Question

How to verify whether the hosts file is accurate?

Cause

Over the life of your QRadar environment the /etc/hosts file can grow with:
  • Duplicate entries after hardware migrations
  • Duplicate or incorrect entries after host readds after an IP change or hostname change
  • Obsolete entries
  • Hardware rebuilds, or VM rebuilds, causing incorrect hashes

Answer

Validate /etc/hosts file and /etc/hosts.default on host:
  • Are there any duplicate IP addresses?
  • Is there any IP present that was decommissioned?
  • Is the host short name on the same line with the IP address?
  • Is the host fully qualified domain name (FQDN) on the same line with the IP address?
  • If high availability (HA) is in use, is the primary, secondary, and VIP present?
  • Are default values present, for loopback for example: 
    127.0.0.1     localhost.localdomain localhost localhost4.localdomain4 localhost4
::1           localhost6.localdomain6 localhost6 localhost.localdomain localhost
  • Is the hash present for the Console, usually at the end of the Console's VIP address: 
    0.0.0.0    conosle.local console a1a1aaaa1a11a111
    Note: If you see it missing or suspect it to be incorrect, validate the hash.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwstAAA","label":"Accumulator"},{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"},{"code":"a8m0z000000cwt8AAA","label":"Ariel"},{"code":"a8m0z000000cwtIAAQ","label":"Dashboard"},{"code":"a8m0z000000cwtNAAQ","label":"Deployment"},{"code":"a8m0z000000cwtcAAA","label":"Hardware"},{"code":"a8m0z000000cwtXAAQ","label":"High Availability"},{"code":"a8m0z000000cwtiAAA","label":"Performance"},{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.5.0"}]

Document Information

Modified date:
23 June 2023

UID

ibm17006713

Page Feedback