IBM Support

QRadar: Master Console displays no data available for Managed Hosts

Troubleshooting


Problem

When using the Master Console to monitor several deployments, one deployment displays the correct number of managed hosts. When viewing the details for that deployment, all the managed hosts show No Data Available.

Symptom

You use the Master Console to monitor several deployments. One deployment displays the correct number of managed hosts, but when you view the details for that deployment, all the managed hosts show No Data Available. The other deployments display their details correctly on the Master Console. Successful API request messages appear in Log Activity on the deployment's administrative console, so the authorized service appears to be correct.

Resolving The Problem

  1. When was the last time you got data?

    When a deployment is Disconnected, or Connected but not receiving data, click the information icon on the deployment card to see when data was last received. Is this just a temporary outage, or has it been several hours since you last saw data from the Console?

    In most cases, a lack of data indicates an authorized service token issue. To verify that the authorized service token exists, go to the Admin tab > Authorized Services and verify the authorization token. If it exists, it might need to be re-created.

  2. Try running the Ariel query that QRadar runs.

    SELECT DATEFORMAT(startTime,'yyyy-MM-dd hh:mm') as starttime, metric_id, component_type, component_name, element, hostname, deployment_id, DATEFORMAT(devicetime,'yyyy-MM-dd hh:mm') as devicetime, value FROM events WHERE devicetype=368


    This query can help prove that the Master Console is receiving the data. If values such as deployment_id, hostname, or metric_id show N/A, this can indicate a custom property issue or a log source issue.

  3. Is this a time synchronization issue?

    If the time is off, then when the Master Console queries for the events it pulls events from the wrong time period, and the graphs display nothing or only partial data.

  4. Take a look at the Master Console logs.

    The file /var/log/mc/masterconsole.log regularly logs the status of each polling interval. You will see messages like this:

    2016:03:16-14:29:19,158 INFO [Thread-40036:com.qradar.mc.MetricPollerThread] Metric Poll Result: Retrieved: 173, Processed: 173, Failed: 0, Cleaned: 0

    If the Retrieved and Processed values do not match, then there is likely something that support needs to investigate further.

  5. Try making an API call.

    You could also try making an API call to one of the remote Console appliances to confirm connectivity.

    /opt/qradar/bin/api_client --hostname=<Master Console IP> --api=/system/servers --method=GET

    You will then be prompted to enter the authorized service token. If you do not get data back, then this could confirm an authorized service token issue or an API/configuration issue.

  6. On the Console that is not reporting, verify that the Deployment ID custom property is enabled.

    Example: The Custom Event Property (CEP) will be something like this:

    DeploymentID=(\S+)

    If the CEP was not enabled, you would have seen N/A for that host when you ran the advanced search. To verify this, you can add GROUP BY deployment_id to the advanced search. If all of the deployment_id values are populated, then it is likely a mismatch.

  7. If just that one host is not responding to metric requests, the cause can be a deployment_id that does not match what the Master Console database expects.

    This is an issue for support.
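
The check in step 4 can be scripted. The following Python is an added example, not IBM or QRadar code: it parses Metric Poll Result lines in the format quoted in step 4 and flags polls where Retrieved and Processed differ. The second and third sample lines, the function names, and the NO_DATA and Failed > 0 rules are assumptions of this example.

```python
import re
import sys
from datetime import datetime
from pathlib import Path

# Line 1 is the message quoted in step 4; lines 2 and 3 are constructed for this example.
SAMPLE_LOG = """\
2016:03:16-14:29:19,158 INFO [Thread-40036:com.qradar.mc.MetricPollerThread] Metric Poll Result: Retrieved: 173, Processed: 173, Failed: 0, Cleaned: 0
2016:03:16-14:34:19,201 INFO [Thread-40041:com.qradar.mc.MetricPollerThread] Metric Poll Result: Retrieved: 173, Processed: 160, Failed: 13, Cleaned: 0
2016:03:16-14:39:19,175 INFO [Thread-40047:com.qradar.mc.MetricPollerThread] Metric Poll Result: Retrieved: 0, Processed: 0, Failed: 0, Cleaned: 0
"""

POLL_RE = re.compile(
    r"(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d,\d{3}) .*Metric Poll Result: "
    r"Retrieved: (?P<retrieved>\d+), Processed: (?P<processed>\d+), "
    r"Failed: (?P<failed>\d+), Cleaned: (?P<cleaned>\d+)"
)

def parse_polls(text):
    """Return one dict per 'Metric Poll Result' line; unrelated lines are skipped."""
    polls = []
    for m in POLL_RE.finditer(text):
        poll = {k: int(m.group(k)) for k in ("retrieved", "processed", "failed", "cleaned")}
        poll["time"] = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S,%f")
        polls.append(poll)
    return polls

def classify(poll):
    """MISMATCH is the step 4 condition; flagging Failed > 0 and NO_DATA is this example's choice."""
    if poll["retrieved"] != poll["processed"] or poll["failed"] > 0:
        return "MISMATCH"
    if poll["retrieved"] == 0:
        return "NO_DATA"
    return "OK"

def summarize(text):
    """Return (time of the last poll that retrieved data, [(time, status)] for non-OK polls)."""
    polls = parse_polls(text)
    with_data = [p["time"] for p in polls if p["retrieved"] > 0]
    problems = [(p["time"], classify(p)) for p in polls if classify(p) != "OK"]
    return (max(with_data) if with_data else None), problems

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    last_data, problems = summarize(text)
    print("last poll with data:", last_data)
    for when, status in problems:
        print(when, status)
```

Pass the path to masterconsole.log as the only argument; with no argument the script runs on the embedded sample.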


Document Information

Product: IBM Security QRadar SIEM
Component: Admin Console
Platform: Linux
Version: 7.2

Modified date:
16 June 2018

UID

swg21997230