IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Action required: A QRadar deploy changes on 31 December 2020 can impact product functionality

  • 1.  Action required: A QRadar deploy changes on 31 December 2020 can impact product functionality

    Posted Fri January 01, 2021 09:44 AM
    Edited by Jonathan Pechta Fri January 01, 2021 09:51 AM

    QRadar development has recently identified a defect in the product licensing function, which may cause the deployment to stop functioning. An emergency fix is available for all supported QRadar versions to resolve this issue. The issue is related to the function that validates a license key and is not related to the reported SolarWinds security issue.

    A flash notice was issued to all users about the license error for services that report a "Waiting for license..." message in the logs. A recent update to the technical note includes a new single-line command that can be run on all QRadar versions at 7.2.8 and later. Even if you received an updated JAR file from QRadar Support, you must run the command on your QRadar Console. The command only needs to be run on the QRadar Console and it will update all remote appliances using the all_servers utility. It is important that administrators SSH to their Console appliances and run the one-line command to update all appliances in the deployment.

    Administrators at all QRadar versions must run the command in the flash notice: https://www.ibm.com/support/pages/node/6395080

    Note: The command must be run, even if you are on QRadar Community Edition. QRadar on Cloud users are received this update from their DevOps team already for your QRadar Console.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    jonathan.pechta1@ibm.com
    ------------------------------



  • 2.  RE: Action required: A QRadar deploy changes on 31 December 2020 can impact product functionality
    Best Answer

    Posted Fri January 01, 2021 08:45 PM
    Edited by Jonathan Pechta Fri January 01, 2021 08:45 PM

    UPDATE!

    A flash notice was issued to let administrators know that we created a special auto update for the "Waiting for license" error as it allows administrators without root access to the Console to apply the update or wait for the automation to run. For more information, see: https://www.ibm.com/support/pages/node/6395300

    The Auto update is available now for this issue and it allows administrators on QRadar 7.3.x or 7.4.x deployments to get the update without having to SSH in and run the one-line command. Be default, most QRadar systems get auto updates at 3AM Console/Hardware time. The update should run and install at 3am for users based on your timezone for your Console appliance. To get an update manually, click the Admin tab > Auto Update > Get New Updates.

    For the auto update, the same conditions apply as the one-line command. Five (5) minutes after the auto update has run, appliances should have the license/service update. No restarts or manual intervention is required as the change is picked up automatically. You can confirm appliances are sending events using the real-time streaming option in the Log Activity tab.

    What to know

    • If you are on QRadar 7.2.8 or have an air-gapped network, you must still run the one-line command to update your appliance as documented here: https://www.ibm.com/support/pages/node/6395300

    • If you have Disconnected Log Collectors, a new command is available to update your DLC installations. This technical note includes the procedure to update your Disconnected Log Collectors: https://www.ibm.com/support/pages/node/6395080#dlc

    • If you do nothing, the automatic update should run it's default scheduled update, which for most users in 3am Console time and update your 7.3.x and 7.4.x appliances.

    • The build for the new auto update that contains this one-line code is (build 1609491687). For users who manually download the autoupdate.tgz file from Fix Central, a file is also available. However, the download is 5.5GB for the auto update, so our instructions inform users to run the one-line command as it is faster.

    If you have questions or concerns, you can ask here or open a case with QRadar Support.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------

    Original Message


Related Content