
Verify the appliance type from the QRadar Command Line Interface

How To


Summary

How to verify which appliance type is installed on a Managed Host without using the QRadar GUI.

Objective

The easiest way is to check System & Licences on the Admin tab of the QRadar GUI. However, you might not have access to the QRadar GUI and still need to verify which appliance type is installed on a Managed Host (MH).

Environment

Follow these steps to find out what appliance you have. You will also be able to see what QRadar components were installed on the MH during the installation. 
1. Check the appliance type (the softwareType attribute in the output below) in the hostcapabilities file:

cat /opt/qradar/conf/capabilities/hostcapabilities.xml
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<!-- Annotation added for this walkthrough; not part of the file on disk.
     softwareType is the value that is looked up in deployment_mapping in the next step.
     IP, hostName, hardwareSerial and activationKey are shown masked in this sample;
     mask the same attributes before pasting real output into a ticket or forum post. -->
<HostCapabilities
       isConsole="false"
       IP="xxx.xxx.xxx.xxx"
       hostName="hostname"
       qradarVersion="7.3.3"
       hardwareSerial="VMware-xx xx xx xx xx xx xx xx-xx xx xx "
       activationKey="xxxxx-xxxxx-xxxxxx-xxxxx"
       managementInterface="ens192"
       softwareType="103"
       xmlns="http://www.q1labs.com/products/qradar"

/>
The softwareType is "103" in this case. 
2. Now we have to map it to an appliance XML file: 
grep 103 /opt/qradar/conf/templates/deployments/deployment_mapping
103=1601.xml
We can see that the appliance type is mapped to the file 1601.xml, which is an Event Processor (grep prints every line that contains 103, so use the line that begins with 103=):
cat /opt/qradar/conf/templates/deployments/1601.xml 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Annotation comments in this listing were added for the walkthrough and are not part of the file on disk.
     This is the deployment template that deployment_mapping associates with softwareType 103.
     Every component below carries hostId="1", the id of the single managedHost entry. -->
<Deployment lastComponentId="100" deploymentId="0" lastHostId="1" lastNatId="0" deploymentName="default" xmlns="http://www.q1labs.com/products/qradar">
    <!-- hostName, privateIP and publicIP are empty in the template; presumably they are filled in at deployment (not shown here). -->
    <managedHost hostName="" console="false" offsite="false" changed="false" id="1" privateIP="" publicIP="" natId="0" xmlns="">
        <property name="minPortValue" value="32000"/>
        <property name="maxPortValue" value="65535"/>
    </managedHost> 
    <!-- hostcontext: disk-management thresholds and the management interface. MGMT_INTERFACE is eth0 here,
         while the hostcapabilities sample in the same walkthrough reports ens192, so this value looks like
         a template default rather than the live setting (confirm on the host). -->
    <component changed="false" instanceName="hostcontext0" hostId="1" id="2" type="hostcontext" version="7.3.3" xmlns="">
        <bounds x="320" y="20" width="130" height="90" viewName="HOST_IP"/>
        <property name="DISK_MGMT_WARN_THRESHOLD" value="0.90"/>
        <property name="DISK_MGMT_RECOVERY_THRESHOLD" value="0.92"/>
        <property name="DISK_MGMT_SHUTDOWN_THRESHOLD" value="0.95"/>
        <property name="DISK_MGMT_INTERVAL" value="60000"/>
        <property name="DISK_MGMT_DEFAULT_PARTITIONS" value="/,/store,/transient,/storetmp,/opt,/var/log:p,/var/log/audit:p,/var:p,/tmp:p,/home:p"/>
        <property name="MGMT_INTERFACE" value="eth0"/>
    </component>
        <!-- eventcollectoringress (id 18): EVENTCOLLECTOR points at localhost:32015, the INGRESS_LISTEN_PORT of eventcollector0. -->
        <component hostId="1" changed="false" id="18" instanceName="eventcollectoringress0" type="eventcollectoringress" version="7.3.3" xmlns="">
                <bounds x="180" y="120" width="130" height="90" viewName="semView"/>
                <bounds x="180" y="120" width="130" height="90" viewName="HOST_IP"/>
                <property value="localhost:32015" name="EVENTCOLLECTOR"/>
                <property value="true" name="AUTODETECTION_ENABLED"/>
        </component>
    <!-- eventcollector (id 7): EVENTPROCESSOR points at localhost:32005, the SERVER_LISTEN_PORT of eventprocessor0. -->
    <component hostId="1" changed="false" id="7" instanceName="eventcollector0" type="eventcollector" version="7.3.3" xmlns="">
        <bounds x="180" y="120" width="130" height="90" viewName="semView"/>
        <bounds x="180" y="120" width="130" height="90" viewName="HOST_IP"/>
                <property value="" name="ASSET_PROFILER"/>
        <property value="localhost:32005" name="EVENTPROCESSOR"/>
        <property value="false" name="RECEIVE_FLOW_CONTEXT"/>
        <property value="true" name="AUTODETECTION_ENABLED"/>
        <property value="true" name="AUTODETECTION_GLOBAL_ENABLED"/>
        <property value="32010" name="FLOW_LISTEN_PORT"/>
        <property value="32015" name="INGRESS_LISTEN_PORT"/>
    </component>
    <!-- eventprocessor (id 8): listens on 32005 and sets the Ariel event and payload paths under /store/ariel. -->
    <component hostId="1" changed="false" id="8" instanceName="eventprocessor0" type="eventprocessor" version="7.3.3" xmlns="">
        <bounds x="180" y="220" width="130" height="90" viewName="semView"/>
        <bounds x="180" y="220" width="130" height="90" viewName="HOST_IP"/>
        <property value="32005" name="SERVER_LISTEN_PORT"/>
        <property value="/store/ariel/events" name="ARIEL_EVENT_PATH"/>
        <property value="/store/ariel/payloads" name="ARIEL_PAYLOAD_PATH"/>    
        <property value="8" name="EP_ID"/>
        <property value="10000" name="EVENT_THRESHOLD"/>
        <property value="0" name="FLOW_THRESHOLD"/>
    </component>
    <!-- vis, accumulator and ariel_query_server are also part of this template; IS_CENTRAL_ACCUMULATOR is false
         and the query server listens on 32006. -->
    <component hostId="1" changed="false" instanceName="vis0" id="12" type="vis" version="7.3.3" xmlns="">
        <bounds x="490" y="90" width="126" height="90" viewName="HOST_IP" />
        <property name="REQUEST_DESTINATION" value="VisTopic"/>
    </component>
    <component changed="false" instanceName="accumulator" hostId="1" id="10" type="accumulator" version="7.3.3" xmlns="">
        <bounds x="320" y="120" height="90" width="130" viewName="HOST_IP"/>
        <property value="false" name="IS_CENTRAL_ACCUMULATOR"/>
    </component>
        <component hostId="1" changed="false" id="16" instanceName="ariel" type="ariel_query_server" version="7.3.3" xmlns="">
        <property value="32006" name="SERVER_LISTEN_PORT"/>
    </component>
        <!-- Connections: component 18 to 7 on port 32015, and 7 to 8 on port 32005. Both declare encryption="false"
             and compression="false"; both endpoints are components on hostId 1 that are addressed via localhost above.
             NOTE(review): this template does not show the settings of links to other hosts; check the active
             deployment configuration for those. -->
        <connection compression="false" invertSourceTarget="true" encryption="false" version="7.3.3" type="eventCxn" xmlns="">
                <source port="-1" id="18"/>
                <target port="32015" id="7"/>
        </connection>
    <connection compression="false" invertSourceTarget="true" encryption="false" version="7.3.3" type="eventCxn" xmlns="">
        <source port="-1" id="7"/>
        <target port="32005" id="8"/>
    </connection>
</Deployment>
You can see that the file contains eventcollector and eventprocessor instances. The conclusion is that this MH is installed as an Event Processor.

Document Location

Worldwide


Document Information

Modified date:
01 May 2020

UID

ibm16155523