IBM QRadar

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

Hi Phil,

If in doubt, I would open a support ticket..

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+4972190981727
------------------------------

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

Hi Ralph,

Thanks for the quick response. I am just wondering how the managed host could be removed on the console site in a way that when web GUI does not work. I know altering the database would potentially fix it if I could pinpoint which components to remove and which not to, as I would like to rebuild and add a new host back to the console to replace the broken managed host and hopefully console could recognize and resume all the old settings. 

Best Regards,
Philip

------------------------------
Philip Ng
------------------------------

Original Message:
Sent: Mon January 02, 2023 11:49 AM
From: Ralph Belfiore
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi Phil,

If in doubt, I would open a support ticket..

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+4972190981727

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

Well, I am thinking about if the box is permanently unreachable? Is it decommissioned?  If not, a better way is to bring back the system online and then remove it from the deployment using UI.

You can always open up a support ticket to get the help but above would be a better approach.

Thank you.

------------------------------
Prabir Meher
------------------------------

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

Hi Prabir,

Thanks for your advice. I would like to proceed it the standard way if circumstances allow. Just wondering what I could do when the managed host is "dead" with its an unknown status. But yeah, maybe a direct support from the IBM team is the only way out... 

Best Regards,
Philip

------------------------------
Philip Ng
------------------------------

Original Message:
Sent: Tue January 03, 2023 01:18 AM
From: Prabir Meher
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Well, I am thinking about if the box is permanently unreachable? Is it decommissioned?  If not, a better way is to bring back the system online and then remove it from the deployment using UI.

You can always open up a support ticket to get the help but above would be a better approach.

Thank you.

------------------------------
Prabir Meher

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

You should be able to remove it from the deployment even if it is offline.

------------------------------
Scott Searls
------------------------------

Original Message:
Sent: Wed January 04, 2023 09:13 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi Prabir,

Thanks for your advice. I would like to proceed it the standard way if circumstances allow. Just wondering what I could do when the managed host is "dead" with its an unknown status. But yeah, maybe a direct support from the IBM team is the only way out... 

Best Regards,
Philip

------------------------------
Philip Ng

Original Message:
Sent: Tue January 03, 2023 01:18 AM
From: Prabir Meher
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Well, I am thinking about if the box is permanently unreachable? Is it decommissioned?  If not, a better way is to bring back the system online and then remove it from the deployment using UI.

You can always open up a support ticket to get the help but above would be a better approach.

Thank you.

------------------------------
Prabir Meher

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil

• What sort of Managed Host?
• What version of QRadar?
• Is HA involved?

In most cases you should just be able to select "Remove Host" from the "Deployment Actions" after selecting the host in the System View of "System and License Management" - even if the host is unreachable.

------------------------------
Paul Ford-Hutchinson
------------------------------

Original Message:
Sent: Sat December 31, 2022 08:06 AM
From: Philip Ng
Subject: How to remove unreachable managed hosts with "unknown" status on QRadar SIEM

Hi guys,

I have lately faced a problem where I want to remove an unreachable managed host with "unknown" status. Did tons of Googling but none of the solutions worked for me. It does not seem to be an easy task after all but shouldn't it be other way around? Imagine one of the managed hosts suddenly collapsed and you need to remove it on the console site...?

Pardon me if there is actually an easy way out that I overlooked. Thank you in advance!

Best Regards,
Phil