Troubleshooting
Problem
How can you monitor or check the status of Hostcontext processes? This article defines and provides steps for running the wait_for_start.sh script.
Cause
The wait_for_start.sh is a script to monitor and display the status of the Hostcontext processes. When starting services, patching, and upgrades, this script shows whether a process is running or stopped. This script runs on managed hosts or a primary host of any High Availability (HA) appliance. This script cannot run on secondary HA appliances, even if the secondary system is set to the active host.
Notes:
- Different subservices of Hostcontext run on the various managed hosts in QRadar.
- By default, this script refreshes every 10 seconds.
- By default, this script stops after 20 minutes whether or not all processes are running.
- The script ends once all processes are in the running status.
Services dependent on Hostcontext
- ECS (Event Correlation Service)
- ECS-EC (Event Correlation Service – Event Collector)
- ECS-EP (Event Correlation Service – Event Processor)
- ECS-Ingress (7.3.1+)
- Ariel
- Ariel Proxy Server
- Ariel Query Server
- Accumulator
- Accumulator Rollup
- Reporting Executor
- Report Runner
- Historical Correlation Engine
- Offline Forwarder
- ARC Builder
- VIS (Vulnerability Integration Service
Resolving The Problem
To run the script
- SSH in to the QRadar Console as the root user.
- To verify the status of services, enter the following command:
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
Result
The following is an example of a healthy output from a QRadar console:PROCESSES = 'reporting_executor historical_correlation_server accumulator.accumulator ariel_proxy_server.ariel_proxy assetprofiler.assetprofiler qflow.qflow0 qvmprocessor.IBMVulnerabilityProcessor vis.vis0 ecs-ep ecs-ec ecs-ec-ingress arc_builder offline_forwarder' Removing classify, flowprocessor and updatedaemon from expected processes... new PROCESSES = 'reporting_executor historical_correlation_server accumulator.accumulator ariel_proxy_server.ariel_proxy assetprofiler.assetprofiler qflow.qflow0 qvmprocessor.IBMVulnerabilityProcessor vis.vis0 ecs-ep ecs-ec ecs-ec-ingress arc_builder offline_forwarder hostcontext ' The following progress checks are enabled: (1) "HostContext: Configuration Download" Thu Aug 10 14:53:22 EDT 2023: Waiting for processes 'reporting_executor historical_correlation_server accumulator.accumulator ariel_proxy_server.ariel_proxy assetprofiler.assetprofiler qflow.qflow0 qvmprocessor.IBMVulnerabilityProcessor vis.vis0 ecs-ep ecs-ec ecs-ec-ingress arc_builder offline_forwarder hostcontext ' to be running... +-----------------------------+-------+-------+ |Process |Seconds|Status | +-----------------------------+-------+-------+ |reporting_executor |1 |running| |historical_correlation_server|1 |running| |accumulator |2 |running| |ariel_proxy |2 |running| |assetprofiler |2 |running| |qflow0 |2 |running| |IBMVulnerabilityProcessor |2 |running| |vis0 |2 |running| |ecs-ep |3 |running| |ecs-ec |3 |running| |ecs-ec-ingress |3 |running| |arc_builder |3 |running| |offline_forwarder |3 |running| |hostcontext |4 |running| +-----------------------------+-------+-------+ All 14 managed processes are running. OK: All processes started after 4 seconds on qr750-3199-34603.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Support Tools","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
10 August 2023
UID
ibm11096894