IBM Support

QRadar: Restarting Hostcontext with the '-q' switch

Question & Answer


Question

What are the considerations of restarting hostcontext using the '-q' switch?

Answer

Restarting hostcontext should never be done unless advised by a QRadar support representative. Many of the underlying services get restarted on the QRadar appliance when you run a hostcontext restart.
 
  1. Impacted services include:
    • reporting_executor
    • accumulator
    • ariel_proxy_server
    • passive_vis.passive
    • qflow (flows)
    • vis (scanners)
    • ecs (event pipeline for event and flow data)  

       
  2. Hostcontext responsbilities:
    • Listening for deploy requests from the Console & reporting deployed status
    • Downloading configurations
    • Replication processes (each minute)
    • Report the status of the host and HA peer (if running in HA).

When you restart the host context, you affect impacted services and host context responsibilities. When you use hostcontext -q, you restart the host context itself, which impacts host context responsibilities.

There are only two reasons that hostcontext (or hostcontext -q) should be run, which is:

  • If you believe the host isn't responding to deploy requests.
  • You believe that there is a configservices issue in which the Console is unable to update the remote host with the latest configuration.

A lot of customers see support restarting hostcontext and think it is a magic bullet for fixing problems, but a support representative should never be using that command without telling you about the impact to your data. The restart is quick, but services are restarted, which impacts data collection and ECS.
 

Administrators with command line access should only restart hostcontext if they understand the root cause of their issue or unless advised by support. Restarting Hostcontext is not a universal solution for correcting issues on managed hosts.

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
14 May 2024

UID

swg21989536