IBM Support

QRadar: Modified /etc/hosts gets overwritten with old entries

Question & Answer


Why is /etc/hosts overwritten with entries that I removed the previous day?


/etc/hosts.default still has old information


There must be both an /etc/hosts and /etc/hosts.default file. Edit both /etc/hosts and
/etc/hosts.default and remove incorrect IP addresses to resolve the issue.

Without a valid /etc/hosts file, the hostcontext service will not start properly.

Also, do not remove the loopback entry; it is required for internal services.

Without it, an error appears in the logs:

ERROR BaseSyslogPortAppender::setSyslogHost::invalid syslog host:localhost
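
The following shell check is an added example, not IBM code or part of the original note. It verifies that both files exist, that each keeps a loopback entry for localhost, and lists entries still present in /etc/hosts.default but no longer in /etc/hosts. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): consistency check for the two files this note names.
# Defaults are the real paths; pass two other paths to run it against copies.

# Print one "address name" pair per line, ignoring comments and blank lines.
hosts_pairs() {
    awk '{ sub(/#.*/, "") } NF >= 2 { for (i = 2; i <= NF; i++) print $1, $i }' "$1"
}

# Succeed if the file maps a loopback address (127.x.x.x or ::1) to "localhost".
has_loopback() {
    hosts_pairs "$1" | grep -Eq '^(127(\.[0-9]+){3}|::1) localhost$'
}

# Print pairs that are in the default file ($2) but not in the live file ($1).
only_in_default() {
    awk '{ sub(/#.*/, "") } NF < 2 { next }
         FNR == NR { for (i = 2; i <= NF; i++) live[$1 " " $i] = 1; next }
         { for (i = 2; i <= NF; i++) if (!(($1 " " $i) in live)) print $1, $i }' "$1" "$2"
}

# Report every problem found; exit status is 0 only when both files are consistent.
# The body runs in a subshell so its variables do not leak into the caller.
check_hosts_files() (
    live=${1:-/etc/hosts}
    def=${2:-/etc/hosts.default}
    rc=0
    for f in "$live" "$def"; do
        if [ ! -s "$f" ]; then
            echo "MISSING OR EMPTY: $f"; rc=1
        elif ! has_loopback "$f"; then
            echo "NO LOOPBACK ENTRY FOR localhost: $f"; rc=1
        fi
    done
    if [ -s "$live" ] && [ -s "$def" ]; then
        stale=$(only_in_default "$live" "$def")
        if [ -n "$stale" ]; then
            echo "STILL IN $def BUT NOT IN $live:"
            echo "$stale" | sed 's/^/  /'
            rc=1
        fi
    fi
    exit "$rc"
)
```

Source the file and call `check_hosts_files` with no arguments to check the real paths, or pass two paths to check copies before editing the live files.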


Document Information

Modified date:
27 October 2022