Hey @Jonathan Pechta,
as promised, here is my feedback on my investigation into this interesting side effect.
This setting you mentioned, was the solution: Auto Updates > Change settings > Configuration Updates > Auto Integrate.
For whatever reason, the setting was set to "Auto Update". After the customization, the multiple added custom entries were still in place :)
Thanks for your very useful hints and support!
Regards and have a nice week,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | Senior SIEM Expert
connecT SYSTEMHAUS AG
Siegen
+491726365525
------------------------------
Original Message:
Sent: Thu March 07, 2024 05:46 PM
From: Jonathan Pechta
Subject: QRadar Remote Networks custom entry disappears after daily auto update procedure update remotenet.conf
Hey Ralph,
A few questions here:
- What is the value of the Auto Update configuration? Can you confirm Auto Updates > Change settings > Configuration Updates > Auto Integrate. This is the default setting, but wanted to confirm the value.
- Can you confirm the ownership of remotenet.conf? It should be nobody:nobody, but if it is root:root, then we likely want to look in to this further or you should set the owner manually:
chown nobody:nobody /store/configservices/staging/globalconfig/remotenet.conf
- You might want to confirm there are no errors in the qradar.log:
[tomcat.tomcat] [xxxx@x.x.x.x (7492) /console/restapi/api/staged_config/remote_networks/
If you grep through the logs for remote_networks, do you spot any Tomcat service errors when you attempt to make a change? I'm wondering if the change is added in the UI, but Tomcat hits an issue and the API doesn't actually save the UI change. Do you see any UI errors or do the values just "disappear"?
Replicating the issue
I tried this out on my 7.5.0 UP6 IF4 box and didn't have this issue. I added multiple values to each remote network (bogons, smurf, etc.) and then manually ran a weekly auto update. I waited until I got the deploy changes notice from the Admin tab and confirmed that remotenet.conf needed to be deployed. I ran the deploy and it worked as expected, and all of the CIDRs I added were still in place from where I added them in the UI.
I think you probably want to log this as a case, if you can replicate the issue. I'll need to upgrade my lab box to confirm if I can replicate the issue, but you mention and below and did not see the same issue that you did.
Not sure if my post really helped, but if you do log a case, we probably want to take a look at the autoupdate log and confirm what is going on and if there are any specific errors we need to debug.
------------------------------
Jonathan Pechta
IBM Security - Community of Practice Lead
jonathan.pechta1@ibm.com
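The two checks suggested in the reply above (ownership of the staged remotenet.conf, and Tomcat errors on the staged_config/remote_networks API path in qradar.log) can be scripted for repeat triage. The following is an added example, not IBM's code and not something posted in this thread; the log lines are constructed to match the shape of the excerpt quoted above, the "ERROR"/"Exception"/"SEVERE" markers are an assumption about what an error line contains, and the config path is the one quoted in the reply.

```python
"""Triage helper for the remotenet.conf checks discussed in the thread (example code, not IBM's).

1. The staged remotenet.conf should be owned by nobody:nobody.
2. qradar.log entries for /console/restapi/api/staged_config/remote_networks/ should not
   show Tomcat errors around the time a custom entry is saved in the UI.
"""
import grp
import os
import pwd

# Path quoted in the reply (staging copy of the remote networks configuration).
REMOTENET_CONF = "/store/configservices/staging/globalconfig/remotenet.conf"
EXPECTED_OWNER = ("nobody", "nobody")
API_MARKER = "/console/restapi/api/staged_config/remote_networks/"
# Assumption: these substrings mark an error line in qradar.log.
ERROR_HINTS = ("ERROR", "Exception", "SEVERE")

# Constructed sample log lines shaped like the excerpt in the thread; not real QRadar output.
SAMPLE_LOG = [
    "Mar 06 09:12:01 console tomcat[1234]: [tomcat.tomcat] [admin@10.0.0.5 (7492) "
    "/console/restapi/api/staged_config/remote_networks/] INFO staged 3 entries",
    "Mar 06 09:12:02 console tomcat[1234]: [tomcat.tomcat] [admin@10.0.0.5 (7493) "
    "/console/restapi/api/staged_config/remote_networks/] ERROR failed to write staged config",
    "Mar 06 09:13:00 console hostcontext[5678]: [hostcontext.hostcontext] [unrelated] INFO ok",
]


def owner_is_expected(user, group, expected=EXPECTED_OWNER):
    """True when the user:group pair matches the expected owner."""
    return (user, group) == expected


def check_owner(path=REMOTENET_CONF, expected=EXPECTED_OWNER):
    """Return (ok, 'user:group'); ok is False if the file is missing or owned by someone else."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "missing"
    user = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return owner_is_expected(user, group, expected), f"{user}:{group}"


def scan_remote_networks_log(lines, marker=API_MARKER, hints=ERROR_HINTS):
    """Return (api_line_count, findings) where findings are (line_no, line) pairs that
    touch the remote_networks API path and also contain an error hint."""
    api_lines = 0
    findings = []
    for no, line in enumerate(lines, start=1):
        if marker not in line:
            continue
        api_lines += 1
        if any(hint in line for hint in hints):
            findings.append((no, line.strip()))
    return api_lines, findings


if __name__ == "__main__":
    ok, owner = check_owner()
    print(f"{REMOTENET_CONF}: owner {owner} ({'ok' if ok else 'NOT nobody:nobody'})")
    # On a real console, replace SAMPLE_LOG with open('/var/log/qradar.log') lines.
    total, hits = scan_remote_networks_log(SAMPLE_LOG)
    print(f"{total} remote_networks API lines, {len(hits)} with errors")
    for no, line in hits:
        print(f"  line {no}: {line}")
```

If the ownership check reports root:root, that is the case the reply says warrants the manual chown or a closer look; if the log scan returns error hits next to the timestamp of a UI save, the entry was most likely never written to the staged file rather than removed later by the auto update.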
Original Message:
Sent: Wed March 06, 2024 04:26 AM
From: Ralph Belfiore
Subject: QRadar Remote Networks custom entry disappears after daily auto update procedure update remotenet.conf
Hi community,
For some time now, I have observed the following effect: after a custom entry has been added under "admin -> remote networks", it automatically disappears after the next auto update when the remotenet.conf is updated. Currently also in Release 7.5.0 UP7 IF05 and below.
@IBM Support Is there a workaround so that the custom remote network entries continue to exist?
How can I get QRadar to take the custom remote network CIDR entries into account permanently during processing, as the "custom remote networks" are important context information for the SIEM process?
Thx in advance and regards,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | Senior SIEM Expert
connecT SYSTEMHAUS AG
Siegen
+491726365525
------------------------------