Troubleshooting
Problem
This article discusses the systemctl command and some common uses in a QRadar environment.
Cause
QRadar versions 7.5 and greater use the systemctl command for many functions. It is the central management tool for controlling the init system. An init system is the process that starts, stops, and schedules all other tasks in the operating system.
Resolving The Problem
The systemctl command is one of the most used commands in QRadar. The following are some examples of common uses.
Controlling services
To control services, type:
systemctl start|stop|restart|status <service name>
For example, the following command displays the status of the hostcontext service:
systemctl status hostcontext
Output:
● hostcontext.service - hostcontext daemon
Loaded: loaded (/usr/lib/systemd/system/hostcontext.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/hostcontext.service.d
└─timeout.conf, ulimit.conf
Active: active (running) since Fri 2019-11-01 09:04:32 EDT; 6h ago
Main PID: 13484 (java)
Tasks: 226
Memory: 2.1G
CGroup: /system.slice/hostcontext.service
├─ 7764 /bin/sh /opt/qradar/bin/check_sar.sh 5 /store/tmp/sar_report.1572635155264
├─ 7768 sar -S -d -p -r -u -q -I SUM -n DEV -n EDEV 5 1
├─ 7769 grep -v drbd
├─ 7770 grep -E -v ^([0-9]{2}:[0-9]{2}:[0-9]{2})\s+(AM|PM)\s+(rhel|rootrhel|storerhel|docker)
├─ 7771 iostat -p -m -x -y 5 1
├─ 7772 grep -v -E ^dm-
├─ 7774 sadc 5 2 -z -S 768
├─ 7840 /bin/sh /opt/qradar/bin/check_sar.sh 5 /store/tmp/sar_report.1572635155264
├─ 7841 /usr/bin/python /usr/sbin/iotop -b -k -n 1
└─13484 /bin/java -Dapplication.name=hostcontext -Dapp_id=hostcontext -Djava.library.path=/opt/qradar/lib -Dapplication.baseURL=file:///opt/qradar/conf/ -D...
Nov 01 15:01:48 QRadar732Base.ibm.com replication[15000]: Preparing incremental database dump as transaction 0000000000000047935
Nov 01 15:01:51 QRadar732Base.ibm.com replication[15000]: Replication incremental transaction for 3 relations, 0 JMS messages: Duration: 2777 ms
Some common QRadar services that might apply are tomcat, hostservices, hostcontext, ecs-ep, ecs-ec, and ecs-ec-ingress, just to name a few.
Listing services
Using the systemctl command, you can list services to determine whether they are enabled or disabled. To see the state of every unit file, use the command:
systemctl list-unit-files
To create a more refined list that filters for a specific service or state, enter:
systemctl list-unit-files | grep <state or service name>
Example:
systemctl list-unit-files | grep enabled
Output:
tomcat.service enabled
hostcontext.service enabled
hostservices.service enabled
napatech3.service enabled
syslog.service enabled
Another variation of this command is the following. The output lists all systemd units that use type service:
systemctl list-units --type=service
Output:
UNIT LOAD ACTIVE SUB DESCRIPTION
abrt-ccpp.service loaded active exited Install ABRT coredump hook
abrt-oops.service loaded active running ABRT kernel log watcher
abrtd.service loaded active running ABRT Automated Bug Reporting Tool
auditd.service loaded active running Security Auditing Service
blk-availability.service loaded active exited Availability of block devices
chronyd.service loaded active running NTP client/server
hostcontext.service loaded active running hostcontext daemon
hostservices.service loaded active exited hostservices alias script
Enabling or disabling services
Enabling a service means it starts automatically when the system starts. Some services are enabled when you install QRadar, such as tomcat, hostcontext, or hostservices. Others get enabled when you configure the appliance or a feature. For example, the ha_manager service is enabled when you add high availability to a host. There are some services that are disabled, as they are used for special cases, such as iSCSI or NFS attached to the QRadar appliance. In these cases, it becomes necessary to enable the service. Services that fall in this category are iscsi, iscsi-mount, and rpcbind.
Example:
systemctl enable iscsi
Verification that the service is enabled
To verify that a service is enabled, use the following command:
systemctl is-enabled iscsi
Output:
enabled
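A baseline check built on the list-unit-files output shown earlier, as an added example that is not part of the IBM article: it reports install-time services that are not enabled and special-case services (iscsi, iscsi-mount, rpcbind) that are enabled, so both can be reviewed. The function name audit_unit_files, the two baseline lists, and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Baseline lists are assumptions taken from the
# service names in this article; adjust them per host role.
REQUIRED="tomcat hostcontext hostservices"  # enabled at install, per the article
SPECIAL="iscsi iscsi-mount rpcbind"         # disabled unless iSCSI/NFS is attached

# Reads `systemctl list-unit-files` text on stdin, prints one finding per line:
#   NOT_ENABLED <svc> <state> | MISSING <svc> | UNEXPECTED_ENABLED <svc>
audit_unit_files() {
  awk -v required="$REQUIRED" -v special="$SPECIAL" '
    BEGIN { n = split(required, r, " "); m = split(special, s, " ") }
    # Data rows are "<name>.service <state>"; header and footer lines are skipped.
    $1 ~ /\.service$/ && NF >= 2 {
      name = $1
      sub(/\.service$/, "", name)
      state[name] = $2
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!(r[i] in state)) print "MISSING " r[i]
        else if (state[r[i]] != "enabled") print "NOT_ENABLED " r[i] " " state[r[i]]
      }
      for (i = 1; i <= m; i++)
        if ((s[i] in state) && state[s[i]] == "enabled") print "UNEXPECTED_ENABLED " s[i]
    }'
}

# Constructed sample input (not captured from a real appliance).
SAMPLE='UNIT FILE                STATE
tomcat.service           enabled
hostcontext.service      disabled
rpcbind.service          enabled
iscsi.service            disabled

5 unit files listed.'

printf '%s\n' "$SAMPLE" | audit_unit_files
# On a live host: systemctl list-unit-files --type=service --no-pager | audit_unit_files
```

An UNEXPECTED_ENABLED finding is expected on hosts that do use iSCSI or NFS storage; on any other host it is a prompt to confirm why the service was turned on.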
Document Location
Worldwide
Document Information
Modified date:
20 March 2023
UID
ibm11102161