IBM Security QRadar

I have Qradar CE 7.3.3, and after i changed the Ip from 192.168.1.211 to 192.168.0.211 i can't acces to the website, my machine has ping to the qradar and viceversa, i tried to look at the error logs, tomcat, hostcontext and network services are running, i don't know what else i have to check. Things to consider: my qradar has 2 interfaces, a bridge one and a internal net one, I have a page open from my pc to the IP from the bridge interface, and another page on a vm from the internal net open with the internal net IP. Before it worked fine from the two IP's.

These are the logs:

Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.reportHostCapabilities(CapabilitiesReporter.java:290)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.buildAndReportHostCapabilities(CapabilitiesReporter.java:167)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.HostContext$4.run(HostContext.java:815)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] Caused by:Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER lengthFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.configservices.core.ConfigServicesClient.importCertificateToKeyStore(ConfigServicesClient.java:470)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    ... 8 moreFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error connecting to the configservicesException while reporting the 192.168.0.211 host capabilities.Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Failed to report host capabilities... Maybe the Console's tomcat is not working.

Hello,

How did you change the IP? 

Was it a manual config change?

The recommended method to change IP is to use qchange_netsetup.

https://www.ibm.com/docs/en/qsip/7.5?topic=nsm-changing-network-settings-qradar-console-in-multi-system-deployment

I have noted this to work in some scenarios and fail in others. 

It may be quicker to flatten and reinstall your CE with the new IP. 

Regards,

I have Qradar CE 7.3.3, and after i changed the Ip from 192.168.1.211 to 192.168.0.211 i can't acces to the website, my machine has ping to the qradar and viceversa, i tried to look at the error logs, tomcat, hostcontext and network services are running, i don't know what else i have to check. Things to consider: my qradar has 2 interfaces, a bridge one and a internal net one, I have a page open from my pc to the IP from the bridge interface, and another page on a vm from the internal net open with the internal net IP. Before it worked fine from the two IP's.

These are the logs:

Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.reportHostCapabilities(CapabilitiesReporter.java:290)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.buildAndReportHostCapabilities(CapabilitiesReporter.java:167)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.HostContext$4.run(HostContext.java:815)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] Caused by:Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER lengthFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.configservices.core.ConfigServicesClient.importCertificateToKeyStore(ConfigServicesClient.java:470)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    ... 8 moreFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error connecting to the configservicesException while reporting the 192.168.0.211 host capabilities.Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Failed to report host capabilities... Maybe the Console's tomcat is not working.

I made it following the oficial website where it tells you that if you want to change the ip from the console you need to do the qchange_netsetup order.

Hello,

How did you change the IP? 

Was it a manual config change?

The recommended method to change IP is to use qchange_netsetup.

https://www.ibm.com/docs/en/qsip/7.5?topic=nsm-changing-network-settings-qradar-console-in-multi-system-deployment

I have noted this to work in some scenarios and fail in others. 

It may be quicker to flatten and reinstall your CE with the new IP. 

Regards,

I have Qradar CE 7.3.3, and after i changed the Ip from 192.168.1.211 to 192.168.0.211 i can't acces to the website, my machine has ping to the qradar and viceversa, i tried to look at the error logs, tomcat, hostcontext and network services are running, i don't know what else i have to check. Things to consider: my qradar has 2 interfaces, a bridge one and a internal net one, I have a page open from my pc to the IP from the bridge interface, and another page on a vm from the internal net open with the internal net IP. Before it worked fine from the two IP's.

These are the logs:

Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.reportHostCapabilities(CapabilitiesReporter.java:290)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.buildAndReportHostCapabilities(CapabilitiesReporter.java:167)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.HostContext$4.run(HostContext.java:815)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] Caused by:Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER lengthFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.configservices.core.ConfigServicesClient.importCertificateToKeyStore(ConfigServicesClient.java:470)Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    ... 8 moreFeb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error connecting to the configservicesException while reporting the 192.168.0.211 host capabilities.Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Failed to report host capabilities... Maybe the Console's tomcat is not working.