Known issues
IBM® QRadar® has required information for known issues.
After you upgrade to QRadar 7.5.0 Update Package 8 with SSH, CLI session is down temporarily
If you use SSH to upgrade to 7.5.0 Update Package 8, you will lose access to the CLI session for 20-30 minutes after the system reboot. You can use the Integrated Management Module (IMM), the Integrated Dell Remote Access controller (iDRAC), or a remote console, to monitor the upgrade.
Upgrading to RHEL V8.8 on systems with LUKS encrypted partitions is not supported
RHEL V8.8When you upgrade to 7.5.0 Update Package 8, the Leapp pretest fails if the tool detects any Network Interface Card (NIC) that uses kernel naming (eth) and multiple NICs existing on the same system. For more information, see https://access.redhat.com/solutions/4067471.
Hosts with EFI firmware and Secure Boot enabled may become unresponsive
To avoid this problem, you must import the IBM public key contained on the SFS into the system keyring before patching.
For more information, see Updating a Secure Boot enabled system.
HA host status does not update during the sync process
During the synchronization process, the host status does not reflect the sync status of the HA hosts and the remote host status remains in standby.
Leapp pretests do not verify sufficient disk space
RHEL V8.8Leapp pretests fail to ensure if the /storetmp directory has sufficient disk space to store the upgrade cache directory. You must ensure that all appliances have at minimum 10GB of space available in the /storetmp directory before you upgrade to 7.5.0 Update Package 8.
Leapp pretests are not supported on HA secondaries
RHEL V8.8When you install 7.5.0 Update Package 8, the --leapp-only installer option does not work with High Availability (HA) secondary nodes. For more information, see https://www.ibm.com/mysupport/s/defect/aCIKe00000000ED.
Leapp pretests are not supported on QRadar 7.5.0 Update Package 7 ISO installations
RHEL V8.8When you install 7.5.0 Update Package 8, the --leapp-only installer option does not work on managed hosts that are running new installs of 7.5.0 Update Package 7. For more information, see https://www.ibm.com/mysupport/s/defect/aCIKe00000000EI.
Leapp pretests fail due to multiple physical network interface configurations
RHEL V8.8You must ensure that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system. For more information, see Upgrading QRadar SIEM.
Leapp pretests are not supported on detached console HA
To run a Leapp pretest on a detached console HA that is not a removed HA from a existing deployment, complete the following steps.
-
Run the following command:
/opt/qradar/bin/ssh_key_generating
- Edit the /store/configservices/deployed/deployment.xml file to add the
missing
mhIp
tag to the console node by using only one of the following methods:-
Edit the file by adding the
mhIp
tag manually:<managedHost xmlns="" hostName="hostName of the system" console="true" offsite="false" changed="false" id="1" privateIP="IP of the system" mhIp="Same as privateIP" publicIP="" natId="0">
-
Edit the file by running the following command:
mhip=$(/opt/qradar/bin/myver -vi); sed -e "/mhIp=/ n; /console=\"true\"/s/>/ mhIp=\"$mhip\">/" /store/configservices/deployed/deployment.xml
-
Scaserver does not start after system reboot
RHEL V8.8After you upgrade to QRadar 7.5.0 Update Package 8, scaserver is unable to start after the system reboot.
Upgrade patch pretest fails on dual stack
RHEL V8.8After you upgrade to QRadar 7.5.0 Update Package 8, the RHEL V8.8 upgrade pretest fails after the system reboot.
Apps might go down during base image upgrade
After you install QRadar 7.5.0, your applications might go down temporarily while they are being upgraded to the latest base image.
Apps fail to restart after upgrade
/opt/qradar/support/qappmanager
For more
information, see About the qappmanager support utility.Cannot send udp syslog to QRADAR_CONSOLE_IP from app container on an AppHost
In QRadar 7.5.0 Update Package 8, you cannot send Syslog UDP to QRADAR_CONSOLE_IP from app container on an AppHost.
Duplicate app entries on Traefik when the QRadar Console is powered off and on again
If you power off your QRadar Console via VSphere and power it on again, duplicate entries of apps exist on the Traefik UI. To resolve this issue, restart the Traefik service.
Factory reinstall on 7.5.0 Update Package 8 ISO in the recovery partition fails on M5 hardware.
- Reinstall QRadar from media. For more information, see Reinstalling QRadar from media.
- Replace the factory reinstall image in the recovery partition with a previous version. For more information, see https://www.ibm.com/support/pages/node/6490659.
For more information, see https://www.ibm.com/mysupport/s/defect/aCIKe000000003o.
Managed WinCollect 7 agents cannot receive updates from encrypted QRadar Managed Hosts with 7.5.0 UP7 IF5 and later
In QRadar 7.5.0 Update Package 7 Interim Fix 5 and later, changes for managed WinCollect agents on V7.3.1 Patch 2 (7.3.1-28) do not complete as expected for encrypted managed hosts that attempt to connect to the Console. To resolve this issue, you must upgrade to WinCollect 7.3.1 P3. For more information, see https://www.ibm.com/mysupport/aCI3p000000Xr2j.
Error messages upon decapper startup in QRadar Network Insights
EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied EAL: Cannot use IOVA as 'PA' since physical addresses are not availableThis fallback is necessary when IOMMU and virtualization pass-through are not available and enabled in the virtual platform configuration. The decapper continues to function, possibly with lowered throughput.
Cert file /etc/httpd-qif/tls/httpd-qif.cert fails the key modulus check in QRadar 7.5.0 Update Package 8
After you upgrade to QRadar 7.5.0 Update Package 8, cert file /etc/httpd-qif/tls/httpd-qif.cert fails the key modulus check.
Admin password does not set correctly on auto-install
In some instances of QRadar installations that use the auto-install method, the Admin password is not being set properly. To resolve this issue, manually update the Admin password in the QRadar host CLI. For more information, see https://www.ibm.com/mysupport/aCI3p000000XqEj.
HA pairing on QRadar Console fails when Network File System (NFS) is configured on the QRadar 7.5.0 Update Package 8 install
To resolve this issue, add HA pairing before configuring NFS. For more information, see Configuring NFS backup on an existing HA cluster.
After upgrading to QRadar 7.5.0 Update Package 5, WinCollect 7.X agents can experience management or configuration change errors
Important: A flash notice exists for this issue. For the latest information, see https://www.ibm.com/support/pages/node/6953887.
Autoupdates (AU) issue after upgrade to QRadar 7.5.0 or later
It is possible for autoupdates to revert to a previous version of autoupdates after upgrading. This causes autoupdate to not work as intended. After you upgrade to QRadar 7.5.0 or later, type the following command to check your autoupdate version:
/opt/qradar/bin/UpdateConfs.pl -v
Review the issue and the resolution section for your auto update version on the following technical note, https://www.ibm.com/support/pages/node/6515880.
Issue adding Data Nodes to a cluster
When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.