IBM Support

QRadar: How to change the DNS IP address entries with the command-line interface for QRadar version 7.3.0

Question & Answer


Question

How do you change the DNS server IP address in a QRadar 7.3.0 environment with the command-line interface?

Cause

A common reason for the DNS server IP address to change is it was issued a new IP address. When this occurs, it is important that the QRadar environment is updated with the DNS server IP address.

Answer

Note: The DNS server IP address change can be done with qchange_netsetup. However, administrators should understand that the qchange_netsetup command requires the affected managed hosts to be removed from the deployment. So in larger deployments, this process can be time consuming to remove, update DNS settings, and re-add the managed host to the deployment. This procedure is for QRadar version 7.3.0 only.
To change the DNS entries in QRadar, use the command-line interface. This allows you to update the DNS settings without having to remove all managed hosts from the deployment.

Before you begin

  • Administrators with All-in-One appliances can follow the standard DNS update procedures outlined here: QRadar Network Settings Management.
  • Administrators with distributed deployments, so they do not have to unmanage their appliances, can use the command-line option to update DNS settings. 
  • Updates to DNS settings are completed on a per appliance basis, and root access is required for each appliance. If your DNS server IP address changes in your network, you need to repeat the procedure on each host that requires a DNS address update.
  • Administrators should only use this option if they are familiar with Linux/Unix and editing files in the command-line interface. If you are unsure of any steps in this procedure, QRadar Support can assist (http://ibm.biz/qradarsupport).
  • You cannot SSH directly to a QRadar managed host. All direct connections to a managed host are blocked by default. Administrators must SSH to the Console appliance, then open an SSH session to connect to a managed host.

Procedure for QRadar 7.3.0 appliances
To change the DNS settings from the command-line for a QRadar 7.3.0 appliance:
  1. Using SSH login to the Console as the root user.
  2. Optional. Open an SSH session to the managed host that needs a DNS update
  3. Type the following command to backup your existing resolv.conf file:
    cp /etc/resolv.conf.masq /root/resolv.conf.masq
  4. To edit the DNS values, type the following command:
    vim /etc/resolv.conf.masq
  5. Update the nameserver fields with the IP address of your primary or secondary DNS server.

    For example:
    nameserver 192.168.2.100 is your primary DNS server IP address.
    nameserver 192.168.2.200 is your secondary DNS server IP address.

  6. Press :wq to save the file and exit vim.
  7. To restart the dnsmasq service, type:
    systemctl restart dnsmasq

    Results
    After the services restart, the change is complete. The administrator can repeat this procedure for any additional managed hosts in the deployment that require a DNS settings update.
For further information about updating DNS settings in QRadar versions 7.3.1, 7.3.2, 7.3.3 see:
Article: 1282288: QRadar: How to change the DNS IP address entries for QRadar 7.3.1, 7.3.2, and 7.3.3


Where do you find more information?

[{"Business Unit":{"code":"BU008","label":"IBM Security"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Component":"Networking","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.0","Edition":""}]

Product Synonym

QRadar SIEM;QRM;QVM

Document Information

Modified date:
23 January 2020

UID

swg21665982