IBM Security QRadar

 View Only
  • 1.  TOMCAT issues

    Posted Wed July 17, 2019 04:47 AM
    Hi everyone,

    I am doing another implementation and I got some strange logs in the collector and console when I am adding the host (collector) to the console.

    Collector logs:
    logs from flow collector
    stays here forever:

    Console logs:

    It looks like that is some problem related with tomcat service...


    Thanks


    ------------------------------
    Rafael Rodrigues
    ------------------------------


  • 2.  RE: TOMCAT issues

    Posted Wed July 17, 2019 09:31 AM
    Edited by Jonathan Pechta Wed July 17, 2019 09:32 AM

    NOTE: You should be careful when asking support-type questions in the Community forums as this forum is more for sales questions/advice and not troubleshooting. Neither support nor development monitors Community like we do our core support forum support as asking questions in our support forum feeds internal teams for visibility to questions and technical answers.  I just happened to catch your question and will answer below. The support forums can be found here: https://ibm.biz/qradarforums. 

    -----

    You didn't mention your version, but your issue is likely due to the Deploy Changes timing out and hitting the default add host timer limit and I'd guess you are on QRadar 7.3.1. There is a default Add_Host_timeout that allows 600 seconds/10 minutes to complete by default, which we are looking to increase the default or the support rep can do so via a case. This is likely due to some Tomcat issue that is preventing the deploy from completing in the timeframe allowed. You should open a case as you are likely experiencing this issue: APAR IJ10406 ATTEMPTING TO RE-ADD A MANAGED HOST (MH) THAT ORIGINALLY FAILED TO ADD DUE TO TIMEOUT CAN LEAVE THE MH IN A STUCK STATE


    You should get a case opened against this issue so we can validate if there is a Tomcat issue going on or if the deploy needs to be cleaned up or if we need to extend the timeout so the operation can complete properly. The support rep is likely going to remove the Managed Host, increase the timeout, restart tomcat, sleep the host presence check, then readd the managed host. This will resolve the state that is likely causing your issue to begin with. 

    Hope this helps, be aware that in the future always list your QRadar version and asking in the support forums will increase visibility to your issues and support/dev answers. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------