IBM Support

QRadar: Unable to add managed host due to hardware serial missing

Troubleshooting


Problem

When you are adding a managed host to your deployment, the add_host process can fail due to a missing hardware serial number.

Symptom

The following is an example message of the add_host process failing. Notice that the serial field is empty.

[hostcontext.hostcontext] [80248f10-17cb-41b1-8a94-d08054cf8587/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [INFO] [NOT:0000006000][XX.XX.XX.XX.XX/- -] [-/- -]Host XX.XX.XX.XX has a version number:7.3.3, appliance type:software., serial:

[hostcontext.hostcontext] [80248f10-17cb-41b1-8a94-d08054cf8587/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][XX.XX.XX.XX/- -] [-/- -]Unable to add managed host. The ip of the host is: XX.XX.XX.XX

[tomcat.tomcat] [Thread-347198] com.q1labs.configservices.capabilities.CapabilitiesHandler: [ERROR] [NOT:0000003000][1XX.XX.XX.XX/- -] [-/- -]Removing host XX.XX.XX.XX from the deployment model, if present, due to add_host failure.

 

You might also see this message in qradar.log:

 

[hostcontext.hostcontext] [80248f10-17cb-41b1-8a94-d08054cf8587/SequentialEventDispatcher] java.lang.NullPointerException: hardware serial string must not be null.

Cause

This behavior was found on a software installation on a third-party physical appliance. The DMI information doesn't contain the hardware serial information, so the hardwareSerial field is not built into the hostcapabilities.xml file.

Diagnosing The Problem

Verify the hardwareSerial field is populated in hostcapabilities.xml:
# cat /opt/qradar/conf/capabilities/hostcapabilities.xml
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities
        isConsole="true"
        IP="XX.XX.XX.XX"
        applianceType="3199"
        hostName="Test"
        qradarVersion="7.3.2"
        hardwareSerial="VMware-XXXXXXX"
        activationKey="XXXXXXXXXXX"
        managementInterface="ens192"
        xmlns="http://www.q1labs.com/products/qradar"
/>
If the hardwareSerial is empty, run dmidecode -t 1 to verify whether the hardware serial was pulled from the operating system.
# dmidecode -t 1
# dmidecode 3.0
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.
Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: VMware, Inc.
        Product Name: VMware Virtual Platform
        Version: None
        Serial Number: VMware-XXXXXXXX
        UUID: XXXXXXXXX
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family: Not Specified
Note: If the system is running on bare metal or KVM, see Scenario 3 in the Resolving the Problem section.

Resolving The Problem

Based on the output from the Diagnosing the Problem section, use the following information to resolve the issue.
Scenario 1: 
The serial number is in dmidecode -t 1 output
  1. Copy the serial number from the dmidecode -t 1 output.
  2. Make a backup of the current hostcapabilities.xml file:
    1. Create the backup directory: mkdir -p /store/IBM_Support/
    2. Copy the current file into the backup location: cp -p /opt/qradar/conf/capabilities/hostcapabilities.xml /store/IBM_Support/hostcapabilities.xml.<date>
  3. Edit the hostcapabilities.xml file with a text editor: vi /opt/qradar/conf/capabilities/hostcapabilities.xml
  4. Add the hardwareSerial="<serial reported by dmidecode>" between qradarVersion and activationKey:
    • Example:       
      qradarVersion="7.3.2"
      hardwareSerial="VMware-XXXXXXX"
      activationKey="XXXXXXXXXXX"
  5. Save the changes and close the file:  :wq!
Results: The managed host can now be added to the deployment successfully.
 
Scenario 2:
The serial number is missing from dmidecode -t 1
  1. Restore the DMI information. Verify this procedure with the hardware manufacturer as the process changes based on the manufacturer.
  2. Once point 1 is addressed, verify that the serial now exists by using dmidecode -t 1.
  3. If the output is reporting the serial number, go to Scenario 1, and apply the workaround.
If the DMI restore does not work, the following must be performed:
  1. Flatten the OS installation.
  2. Verify dmidecode populates the serial by using dmidecode -t 1.
    • If dmidecode now reports the serial number:
      1. Install QRadar.
      2. Once the installation is complete, verify that hostcapabilities.xml populates the serial number properly. The managed host can now be added properly.
    • If dmidecode doesn't report the serial number at this point, contact Red Hat technical support for further guidance.
Scenario 3:
For bare metal or KVM systems, dmidecode might indicate that the serial is "Not Specified". This behavior is expected. The serial number still gets populated within hostcapabilities.xml by using the UUID of /store/tmp/. If hostcapabilities.xml is populated with this serial (it starts with "VM-"), your managed hosts can be added to the deployment.
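
The diagnosis above can be scripted so that the same two checks always lead to the same scenario. The following is an added example, not IBM tooling: the function names, temporary sample files and placeholder serial values are constructed for illustration.

```bash
#!/bin/bash
# Added example: sample files below are constructed, not taken from a real host.

# Value of hardwareSerial="..." in a hostcapabilities.xml (empty if absent).
xml_serial() {
    sed -n 's/.*hardwareSerial="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Serial Number from saved `dmidecode -t 1` output; "Not Specified" counts as none.
dmi_serial() {
    awk -F': *' '/^[ \t]*Serial Number:/ {
        sub(/[ \t]+$/, "", $2)
        if ($2 != "" && $2 != "Not Specified") print $2
        exit
    }' "$1"
}

# Map the two inputs to the scenarios described on this page.
classify_host() {
    xml=$(xml_serial "$1")
    dmi=$(dmi_serial "$2")
    case "$xml" in
        VM-*) echo "scenario3: UUID-derived serial present, no action needed" ;;
        ?*)   echo "ok: hardwareSerial=$xml" ;;
        *)    if [ -n "$dmi" ]; then
                  echo "scenario1: add hardwareSerial=\"$dmi\" to the XML"
              else
                  echo "scenario2: no serial in DMI, restore DMI data first"
              fi ;;
    esac
}

# Constructed sample inputs.
SAMPLES=$(mktemp -d)
printf '<HostCapabilities\n  qradarVersion="7.3.3"\n  activationKey="XXXX"\n/>\n' > "$SAMPLES/missing.xml"
printf '<HostCapabilities\n  hardwareSerial="VM-XXXXXXXX"\n/>\n' > "$SAMPLES/kvm.xml"
printf 'System Information\n\tSerial Number: VMware-XXXXXXXX\n' > "$SAMPLES/dmi_serial.txt"
printf 'System Information\n\tSerial Number: Not Specified\n' > "$SAMPLES/dmi_none.txt"

classify_host "$SAMPLES/missing.xml" "$SAMPLES/dmi_serial.txt"
classify_host "$SAMPLES/missing.xml" "$SAMPLES/dmi_none.txt"
classify_host "$SAMPLES/kvm.xml"     "$SAMPLES/dmi_none.txt"
```

On a real host, save the output of dmidecode -t 1 to a file and pass it to classify_host together with /opt/qradar/conf/capabilities/hostcapabilities.xml.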

Document Location

Worldwide


Document Information

Modified date:
13 April 2020

UID

ibm16151863