IBM Security QRadar

 View Only
Expand all | Collapse all

Qradar 7.5.0 License expiration problem after deploying new eventflow processor

  • 1.  Qradar 7.5.0 License expiration problem after deploying new eventflow processor

    Posted Mon November 28, 2022 01:30 AM
    Hello, all.

    I installed another aditional event flow processor but license was not propagated from the main console to new node.

    There is only a temporary license until the 14th of December. 
    1. Can I see aditional info about license in Qradar from within?
    2. Do I need to contact ibm sales? 
    3. How can I ensure that after temporary license valid to date will gone, main console license will be propagated?

    ------------------------------
    Bohdan
    ------------------------------


  • 2.  RE: Qradar 7.5.0 License expiration problem after deploying new eventflow processor

    Posted Mon November 28, 2022 04:02 PM
    Edited by Jonathan Pechta Mon November 28, 2022 04:10 PM

    So, typically the way this works is that the Console appliance has a license with all of the EPS/FPM as a bundle, which then gets allocated to any new hosts. When EPS/FPM is allocated to the newly added host, it should remove the temporary license value and update that host with it's EPS/FPM. If the license is older, we've seen issues where the identity field of the license can be missing or if the host does not resolve due to a network issue and the change isn't properly applied.

    This problem is something that should be investigated by QRadar Support. We'll want to verify the Serverhost table has an entry for the new appliance you are adding and ensure that the ID for that new appliance displays in the license_allocation table. This is a technical issue that might be resolved by creating a new license, but support can confirm the issue and correct this error.

    The message you are experiencing is not expected.

    What to do

    1. Make sure you've allocated EPS/FPM to the new appliance. If you previously removed and re-added this appliance, make sure you list that in your case described.
    2. Gets logs for your Console and the managed host you added.
    3. Create a case and attach the logs as a reference. You can link over to this forum post too if you want as it might help expedite review for your issue.
      Note: For IBM Support, review PE-740/904 for initial troubleshooting.
    4. The support representative can review the Server host and license_allocation tables and help with the issue. This is not a change you should attempt to make yourself and support should review and create DB backups before manual changes applied to correct this problem.


    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Qradar 7.5.0 License expiration problem after deploying new eventflow processor

    Posted Wed November 30, 2022 03:58 AM
    You're right. EFP was previously installed and then removed.

    I created a ticket TS011392373. But I can try to manually resolve this issue.
    Please tell me DB table and what should I need to look for

    ------------------------------
    Bohdan
    ------------------------------