IBM Support

QRadar: Modified /etc/hosts gets over written with old entries

Question & Answer


Question

Why is /etc/hosts over written with entries that I removed the previous day?

Cause

/etc/hosts.default still has old information

Answer

There must be both an /etc/hosts and /etc/hosts.default file. Edit both /etc/hosts and
/etc/hosts.default and remove incorrect IP addresses to resolve the issue.



Without a valid /etc/hosts file the hostcontext service will not start properly.

Also do not remove the entry for loop back 127.0.0.1, it is required for internal services.



An Error will appear in the logs


ERROR BaseSyslogPortAppender::setSyslogHost::invalid syslog host:localhost



[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2;7.3","Edition":"Enterprise","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
27 October 2022

UID

swg21962427