IBM Security QRadar


Troubleshooting the QRadar Apps in Different Status

By Rahul K P posted Tue August 23, 2022 08:25 AM


Key points covered in this Blog

  • Why do we need to upgrade QRadar applications?
  • How to check the QRadar App Base Image version
  • Issues faced while updating the QRadar Apps
  • Troubleshooting the QRadar Apps which are in the Deleting/Error State.
  • How to delete apps through API
  • Why Image deletion is necessary when an app has an issue in upgrade
  • Important Docker commands to check the App container status.

Why do we need to upgrade QRadar applications?

Several QRadar app versions were built on a CentOS 6 base image. CentOS 6 is end of life, so CVEs reported against that base image are never fixed in the apps that still use it. IBM's security bulletin on the issue advises administrators to upgrade the affected apps to versions built on a supported base image.

How to check the QRadar App Base Image version

First, check which installed apps still run on the old base image:

 Procedure

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Run the following command

# psql -U qradar -t -c "select id,name,image from installed_application;"


The image column of the output tells you which base image each app was built on; every app whose image is still the CentOS one needs to be updated.
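As an added example (not from the original post), the following shell script turns that inspection into a repeatable check: it parses the psql -t output of the query above and prints only the apps whose image column matches a pattern. The pattern "centos", the sample rows and the image naming in them are assumptions constructed for the example; compare the pattern with what the image column actually shows on your own Console before relying on the match.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag installed apps whose base
# image still looks CentOS-based, working from the `psql -t` output of the
# query above. IMAGE_PATTERN is an ASSUMPTION; check the image column on your
# own Console and adjust it to what that column actually shows.
IMAGE_PATTERN='centos'

# Parse "id | name | image" rows (psql -t output) from stdin and print the
# flagged ones as "id<TAB>name<TAB>image". Blank trailer lines are skipped.
flag_old_base_image_apps() {
    awk -F'|' -v pat="$IMAGE_PATTERN" '
        NF >= 3 {
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if (tolower($3) ~ tolower(pat)) printf "%s\t%s\t%s\n", $1, $2, $3
        }'
}

# Wrapper for a live Console (run as root on the Console).
list_old_base_image_apps() {
    psql -U qradar -t -c "select id,name,image from installed_application;" \
        | flag_old_base_image_apps
}

# Constructed sample of what `psql -t` prints; not real Console output, and
# the image names are invented for the example.
SAMPLE_PSQL_OUTPUT=' 1051 | Pulse                 | qapp-1051:2.1.3-centos6
 1204 | Use Case Manager      | qapp-1204:3.1.0-rhel-ubi
 1308 | Log Source Management | qapp-1308:6.0.1-centos6'

# Usage on a live Console:  list_old_base_image_apps
# Dry run on the sample:    printf '%s\n' "$SAMPLE_PSQL_OUTPUT" | flag_old_base_image_apps
```

The id in the first column is the value you will need for the psql updates and the API delete in the later scenarios, so keeping this output to hand saves a second query.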

 Update the app via QRadar Assistant

  • Open the QRadar Assistant app
  • Click the Application tab, which lists the apps for which an update is available
  • Select the app you want to update
  • Click See Full Description
  • Click Update

Issues faced while updating the QRadar Apps

Scenario 1: The update through the QRadar Assistant app fails. In most cases the app then sits in the ERROR state and can neither be opened nor uninstalled from the console.

Follow the steps below to reset the app's status in the installed_application table, then try to remove or reinstall the app.

Procedure

The id in the commands is the id column returned by the query in the previous section (1204 is only an example); substitute the id of the stuck app.

  1. Set the app's status to COMPLETED.

psql -U qradar -c "update installed_application set status = 'COMPLETED' where id=1204 ;"

  2. Set the status to STOPPED.

psql -U qradar -c "update installed_application set status = 'STOPPED' where id=1204 ;"

  3. Set the status back to COMPLETED.

psql -U qradar -c "update installed_application set status = 'COMPLETED' where id=1204 ;"

  4. The app returns to the Running state and can be opened from the console again.

Scenario 2: Uninstalling the app from the console leaves it in the DELETING state, and the new version cannot be installed while the old one is stuck there.

Run steps 1 to 3 of scenario 1 against the stuck app's id, then uninstall it again from Extension Management and reinstall the new version.
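The status cycle used by scenarios 1 and 2, as an added example that is not part of the original post: a shell function that runs the three updates in order for one app id, refuses any id that is not purely numeric (the id is spliced into a SQL statement executed as the qradar database user, so a stray string there would become SQL), and reads the row's status back afterwards. It uses only the id and status columns of installed_application that the post itself uses; PSQL_RUNNER is an added hook so the statements can be previewed with a stub such as echo before anything touches the database.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the COMPLETED -> STOPPED ->
# COMPLETED cycle of scenarios 1 and 2 as one function. Only the id and
# status columns of installed_application (the ones the post queries) are
# used; nothing else about the schema is assumed. Set PSQL_RUNNER to a stub
# (e.g. "echo") to see the statements without running them.

# Run one SQL statement as the qradar DB user; PSQL_RUNNER overrides psql.
run_sql() {
    local sql="$1"
    if [ -n "${PSQL_RUNNER:-}" ]; then
        $PSQL_RUNNER "$sql"
    else
        psql -U qradar -t -c "$sql"
    fi
}

# Accept only a non-empty string of digits: the id is interpolated into SQL.
is_app_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Walk the app through COMPLETED, STOPPED, COMPLETED, then print its status.
reset_app_status() {
    local app_id="$1" status
    if ! is_app_id "$app_id"; then
        echo "refusing non-numeric app id: '$app_id'" >&2
        return 2
    fi
    for status in COMPLETED STOPPED COMPLETED; do
        run_sql "update installed_application set status = '$status' where id = $app_id;" \
            || { echo "update to $status failed for app $app_id" >&2; return 1; }
    done
    run_sql "select status from installed_application where id = $app_id;"
}

# Preview on a Console:   PSQL_RUNNER=echo reset_app_status 1204
# Apply for real:         reset_app_status 1204
```

Run the preview first; if the stuck app is not the only row you touch, the echoed statements make that visible before the database changes.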


Why Image deletion is necessary when an app has an issue in upgrade


Scenario 3: In rare cases the update does not create a new Docker image for the app but tries to overwrite the existing one, and the update fails.

Follow the steps below in that situation.

First, delete the application through the REST API. For that you need the Application ID, which you can get either from the qappmanager utility or from the API console.

Using qappmanager:

  1. SSH to the Console.
  2. Run the following command

  # /opt/qradar/support/qappmanager

  3. Note the Application ID of the affected app in the list it prints.

Using the API console (Interactive API documentation):

  1. Open the application endpoint and click Try it out; the response lists every application installed in QRadar.
  2. Note the Application ID of the affected app.
  3. Expand {application_id} under the same endpoint and select the DELETE operation.
  4. Enter the Application ID in the Value field.
  5. Click Try it out.

 

An HTTP 204 response means the app was deleted successfully.

Next, check whether the Docker image that belonged to the app still exists; if it does, remove it manually.

  1. SSH to the Console.
  2. If your apps run on an App Host, SSH on to the App Host; the images live where the apps run.
  3. Run the following command to list the Docker images

# docker images

  4. Run the following command to remove the app's image

# docker rmi <image id>

  5. Confirm the image is gone by running docker images again. docker rmi refuses to delete an image that a container, even a stopped one, still references; remove that container first and retry.
  6. Confirm the app has also disappeared from Admin > Extension Management.
  7. Download the latest version of the app from the IBM Security App Exchange (https://exchange.xforce.ibmcloud.com/hub?br=QRadar).
  8. Install it through Extension Management.

Documentation links:
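Scenario 3 carried out from the shell rather than the API console, as an added example that is not the post's own procedure. Two things in it are assumptions to confirm against the interactive API documentation on your Console: that the app is deleted with an HTTP DELETE to /api/gui_app_framework/applications/<id> authenticated by a SEC header holding an authorized service token, and that the repository names in the docker images listing carry the numeric app id (the sample output, including the qapp-<id> naming, is constructed). The 204 check and the re-run of docker images afterwards are the ones the post describes; HTTP_RUNNER and DOCKER_RUNNER are added hooks for running it dry.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: delete a stuck app through the
# REST API, then clean up its leftover Docker image on the App Host.
# ASSUMPTIONS, to confirm in your Console's interactive API docs:
#   - DELETE https://<console>/api/gui_app_framework/applications/<id>
#     with a SEC header carrying an authorized service token removes the app;
#   - a successful delete answers HTTP 204 (this part is what the post says);
#   - the image repository name contains the numeric app id (constructed
#     sample below); match on whatever `docker images` shows on your App Host.
# HTTP_RUNNER / DOCKER_RUNNER can point at stubs for a dry run.

is_app_id() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Print only the HTTP status code of a DELETE to $1, sent with token $2.
http_delete() {
    local url="$1" token="$2" ca_opt=()
    if [ -n "${HTTP_RUNNER:-}" ]; then
        $HTTP_RUNNER "$url"
        return
    fi
    # No -k: trust the Console certificate properly, via CURL_CA if needed.
    [ -n "${CURL_CA:-}" ] && ca_opt=(--cacert "$CURL_CA")
    curl -sS "${ca_opt[@]}" -o /dev/null -w '%{http_code}' \
         -X DELETE -H "SEC: $token" "$url"
}

delete_app_via_api() {
    local console="$1" token="$2" app_id="$3" code
    is_app_id "$app_id" || { echo "bad app id: '$app_id'" >&2; return 2; }
    code=$(http_delete "https://$console/api/gui_app_framework/applications/$app_id" "$token")
    if [ "$code" = "204" ]; then
        echo "app $app_id deleted"
        return 0
    fi
    echo "delete of app $app_id returned HTTP ${code:-<none>}" >&2
    return 1
}

# From `docker images` text on stdin, print the IMAGE ID of every repository
# that carries the app id as a whole number (so 1204 does not match 12045).
find_app_images() {
    local app_id="$1"
    awk -v id="$app_id" 'NR > 1 && $1 ~ ("(^|[^0-9])" id "([^0-9]|$)") { print $3 }'
}

# Remove every image found for the app, then re-list to confirm it is gone.
remove_app_images() {
    local app_id="$1" docker="${DOCKER_RUNNER:-docker}" ids id
    ids=$($docker images | find_app_images "$app_id")
    if [ -z "$ids" ]; then
        echo "no image left for app $app_id"
        return 0
    fi
    for id in $ids; do
        $docker rmi "$id" || return 1
    done
    [ -z "$($docker images | find_app_images "$app_id")" ]
}

# Constructed sample of `docker images` output on an App Host; not real data.
SAMPLE_DOCKER_IMAGES='REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
qapp-1204           1.0.0     3f2a9c1d5e6b   3 weeks ago    1.2GB
qapp-12045          2.0.0     9d8c7b6a5f4e   2 weeks ago    1.1GB
qapp-1051           2.1.3     77aa0b1c2d3e   5 months ago   980MB
qradar-app-base     2.1.6     0a1b2c3d4e5f   6 months ago   900MB'

# Usage (Console for the API call, App Host for the image cleanup):
#   delete_app_via_api console.example.com "$SEC_TOKEN" 1204
#   remove_app_images 1204
```

If docker rmi fails because a container still references the image, remove_app_images stops at that point rather than reporting success; fix the container and rerun it.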

QRadar Documentation  
QRadar App Exchange

If you have any questions or any comments or want to discuss this further, feel free to get in touch with us and we would be more than happy to answer any of your queries:

Rahul K P -  @Rahul K P
Anuj Shrivastava - @Anuj Shrivastava
