IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Unable to add Event Collector as Managed Host

    Posted Sun November 05, 2023 02:15 PM

    Hello,

    I am encountering the following errors while trying to add EventCollector as Managed Host.
    Please advise.

    Nov  2 17:58:59 ::ffff:127.0.0.1 [hostcontext.hostcontext] [00aa7eb6-a060-48ff-980a-c776065dd08b/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][10.127.2.9/- -] [-/- -]Failed to read output from ssh connection on host 192.168.1.XXX

    Nov  2 17:58:59 ::ffff:127.0.0.1 [hostcontext.hostcontext] [00aa7eb6-a060-48ff-980a-c776065dd08b/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Failed to read output from ssh connection on host 192.168.1.XXX

    Nov  2 17:58:59 ::ffff:127.0.0.1 [hostcontext.hostcontext] [00aa7eb6-a060-48ff-980a-c776065dd08b/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][10.127.2.9/- -] [-/- -]SSH connection or SSH command execution failed. The ip of the host is: 192.168.1.XXX

    Nov  2 17:59:01 ::ffff:127.0.0.1 [tomcat.tomcat] [Thread-7895] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][10.127.2.9/- -] [-/- -]Removing host 192.168.1.XXX from the deployment model, if present, due to add_host failure.

    Nov  2 17:59:01 ::ffff:127.0.0.1 [tomcat.tomcat] [Thread-7895] com.ibm.si.configservices.api.v15_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][10.127.2.9/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed.

    Nov  2 17:59:01 ::ffff:127.0.0.1 [tomcat.tomcat] [Thread-7895] com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.ServerProcessingException: SSH connection or SSH command execution failed.

    Nov  2 17:59:01 :::ffff:127.0.0.1 [tomcat.tomcat] [Thread-46855] com.ibm.si.configservices.api.v15_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][10.127.2.9/- -] [-/- -]unable to add managed host: SSH connection or SSH command execution failed.

    The MH is an EC;


    [root@collect ~]# cat /opt/qradar/conf/capabilities/hostcapabilities.xml
    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <HostCapabilities
    isConsole="false"
    IP="192.168.1.98"
    hostName="collect"
    qradarVersion="7.5.0"
    hardwareSerial="VMware-42 3c 62 32 23 e9 bc 0b-23 ed 2f 30 94 70 57 57"
    activationKey="2B7M2P-6P5U5X-4U6R6W-4N4W1X"
    managementInterface="ens192"
    disableDiskReplication="false"
    softwareType="102"
    xmlns="http://www.q1labs.com/products/qradar"
    />
    [root@collect ~]#

    We are able to TELNET from EC to Console and Console to EC.

    [root@collect ~]# ssh root@10.127.2.9
    Password: 
    Last login: Fri Nov  3 18:35:57 2023
    This server was upgraded to QRadar 7.5.0 UpdatePackage 4 (Build 20221129155237) on Tue Oct 24 12:24:33 UTC 2023.
    [root@frceazprdmccinfqc012 ~]#

    Thanks in advance.



    ------------------------------
    --
    Thanks and Best Regards,
    Siddarth
    ------------------------------


  • 2.  RE: Unable to add Event Collector as Managed Host

    Posted Mon November 06, 2023 04:48 PM

    This is an issue that is going to require a support case to confirm. If you are having an issue adding a managed host, there are several potential issues and we'd need the full logs to confirm what the problem is with adding the host. 

    Potential issues that this could be caused by:

    1. IMQ password issue. If this were the case, I'd expect something like this to be logged also: imqbrokerd[8127]: com.sun.messaging.jmq.auth.api.FailedLoginException: [B4051]: Forbidden qradar
    2. Bandwidth issue trying to add the host. For more information, see https://www.ibm.com/support/pages/node/957897
    3. Removing and re-adding the host is experiencing an issue. You could try running /opt/qradar/support/deployment_viewer.py -av on the managed host to see if deployment.xml is experiencing any issues, but this is advanced troubleshooting and you likely want to open a case for us to confirm the problem.


    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Unable to add Event Collector as Managed Host

    Posted Tue November 07, 2023 09:12 AM
    Hi Siddarth,
    You can resolve this issue with the network team, because this appears when there is a network issue between your EC/EP and the QRadar Console server.

    Note: make sure you are able to make 30 SSH hub connections with your EC/EP server to the QRadar server.

    You can check the 30 SSH hub connections using the command below from your Console server.

    for i in `seq 1 30`;do ssh X.X.X.X uname -a;done;echo Total ssh count = $i
    (you just have to give the EC/EP server IP)

    Once you are done with the connections, try to add your EC/EP to QRadar.
    After replicating the given steps, just let me know whether you are able to add it or not.
    Regards,
    Durgesh Gupta
    Durgesh Gupta


    ------------------------------
    Durgesh Gupta
    ------------------------------
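
A variant of the 30-connection check from the reply above, written as an added example (not part of the thread and not IBM tooling). It counts successes and separates network failures from login rejections; with BatchMode a host that has no key-based login yet is counted as `auth_rejected`, which still shows the SSH path is open. `SSH_BIN` and the function names are hypothetical.

```shell
# Added example. SSH_BIN is a hypothetical override so the check can be exercised offline.
SSH_BIN="${SSH_BIN:-ssh}"

# classify_ssh_error STDERR_TEXT -> prints "auth" or "network"
classify_ssh_error() {
    case "$1" in
        # TCP connect and SSH handshake completed; only the login was refused.
        *"Permission denied"*) echo auth ;;
        # Timeout, refused, reset, or handshake closed by the remote side.
        *) echo network ;;
    esac
}

# check_ssh_burst HOST [ATTEMPTS]
# Prints one summary line; returns 0 only when no attempt failed at the network level.
check_ssh_burst() {
    local host="$1" attempts="${2:-30}" ok=0 auth=0 net=0 first="-" i err
    for i in $(seq 1 "$attempts"); do
        # BatchMode prevents a hang on a password prompt; ConnectTimeout bounds each attempt.
        # Redirection order keeps stderr in $err and discards the remote command's stdout.
        if err=$("$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=10 \
                 "$host" uname -a 2>&1 >/dev/null </dev/null); then
            ok=$((ok + 1))
        elif [ "$(classify_ssh_error "$err")" = auth ]; then
            auth=$((auth + 1))
        else
            net=$((net + 1))
            if [ "$first" = "-" ]; then first="$i"; fi
        fi
    done
    echo "ok=$ok auth_rejected=$auth network_failed=$net first_network_failure=$first"
    [ "$net" -eq 0 ]
}
```

Run it on the Console as `check_ssh_burst X.X.X.X 30` with the EC/EP address; a non-zero `network_failed` is the case to take to the network team.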