IBM Security QRadar

 View Only
  • 1.  Web isn't working

    Posted Mon February 26, 2024 05:58 AM

    I have Qradar CE 7.3.3, and after i changed the Ip from 192.168.1.211 to 192.168.0.211 i can't acces to the website, my machine has ping to the qradar and viceversa, i tried to look at the error logs, tomcat, hostcontext and network services are running, i don't know what else i have to check. Things to consider: my qradar has 2 interfaces, a bridge one and a internal net one, I have a page open from my pc to the IP from the bridge interface, and another page on a vm from the internal net open with the internal net IP. Before it worked fine from the two IP's.

    These are the logs:

    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.reportHostCapabilities(CapabilitiesReporter.java:290)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.capabilities.CapabilitiesReporter.buildAndReportHostCapabilities(CapabilitiesReporter.java:167)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.hostcontext.HostContext$4.run(HostContext.java:815)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] Caused by:
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    at com.q1labs.configservices.core.ConfigServicesClient.importCertificateToKeyStore(ConfigServicesClient.java:470)
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread]    ... 8 more
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error connecting to the configservices
    Exception while reporting the 192.168.0.211 host capabilities.
    Feb 26 11:48:02 ::ffff:127.0.0.1 [hostcontext.hostcontext] [CapabilitiesReporter_thread] com.q1labs.hostcontext.capabilities.CapabilitiesReporter: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Failed to report host capabilities... Maybe the Console's tomcat is not working.
    


    ------------------------------
    Blanca Benavent
    ------------------------------


  • 2.  RE: Web isn't working

    Posted Mon February 26, 2024 04:36 PM

    Hello,

    How did you change the IP? 

    Was it a manual config change?

    The recommended method to change IP is to use qchange_netsetup.

    https://www.ibm.com/docs/en/qsip/7.5?topic=nsm-changing-network-settings-qradar-console-in-multi-system-deployment

    I have noted this to work in some scenarios and fail in others. 

    It may be quicker to flatten and reinstall your CE with the new IP. 

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Web isn't working

    Posted Tue February 27, 2024 03:09 AM

    I made it following the oficial website where it tells you that if you want to change the ip from the console you need to do the qchange_netsetup order.



    ------------------------------
    Blanca Benavent
    ------------------------------



  • 4.  RE: Web isn't working

    IBM Champion
    Posted Thu February 29, 2024 06:47 AM

    Hi Blanca, Comghall Morgan is absolutely right with his comments, especially regarding the flatten and reinstall tip. CE is limited as you know even so its kind of AiO. The IP address is stored in a thousand places inside postgres database. Your errorlog shows that tomcat and configservices are not working. When you double check managedhosts table inside database it should show the new IP. Presumably it doesnt.



    ------------------------------
    [Karl] [Jaeger] [#ibmchampion]
    [QRadar Specialist]
    [cnag]
    [Siegen] [Germany]
    ------------------------------