IBM QRadar

We have one Qradar Console VM, and two Qradar EP VMs.

Following the reboot of one of the EP VMs, the Qradar Console stopped showing new logs.

Searches for old logs that predate the EP reboot time do return results. But searches for any logs following the EP reboot time don't return anything.

All the 3 VMs have an "Active" status and are reachable. Logs do not show any apparent errors.

Any leads or ideas please ?

Hello,

There are multiple reasons why you may not see the new logs after reboot.

1> Checking services on the EP

a. ssh to the console and then to EP from which you do not see events.

b. Check the status of hostcontext and ecs-ec-ingress service :

systemctl status hostcontext

systemctl status ecs-ec-ingress

c. If they are inactive restart them.

systemctl restart hostcontext

systemctl restart ecs-ec-ingress

2 > You should check if there are any System Notifications related to EP on the QRadar Console GUI.

3> You should check the disk space on the EP and see if there are any errors reported for ecs-ec or ecs-ec-ingress in the /var/log/qradar.log file.

If you find any details let us know.

The best way would be to open a Support Case with QRadar Team so that they can analyze the EP logs and help you with this issue, as the solution depends on what error you are hitting.

Thanks,

Ashish

Thanks, this KB fixed it for me : https://www.ibm.com/support/pages/node/6395080

It is safe to run 'mmfsadm test readdescraw' - it's going to simplest study from the device. Nothing could be altered on disk for Cannabis page.