Question & Answer
Question
Which services are responsible for the application framework functionality, and how can their status be checked?
Answer
In QRadar V7.5.0 and later, the following services are responsible for the functionality of the application framework.
Service | Description | Runs on | Ports | Command |
---|---|---|---|---|
docker-distribution | A docker registry, which holds images and metadata associated with them like versions and size. | Console | 5000 | systemctl status docker-distribution |
docker | Docker creates containers, which are lightweight Unix applications, including all the required dependencies for the application. | Console and App Host | Ephemeral | systemctl status docker |
qradarca-monitor | Manages created certificates for QRadar services based on specification files provided by the services. Certificates are used for mutual authentication. | Console | - | systemctl status qradarca-monitor (Runs hourly only, normal status is "inactive") |
qradarca-monitor.timer | Timer, which manages and starts up the qradarca-monitor service every hour | Console | - | systemctl list-timers -all qradarca-monitor.timer (Verifies whether service is scheduled to run in the future; NEXT & LEFT columns display a future date and time); systemctl status qradarca-monitor.timer (Verifies whether timer service is running) |
conman | The main container manager. Conman uses an API server to accept requests with workloads and services, which define containers to be run on the system. | Console and App Host | Nonencrypted: 9000; Encrypted: 26000 | systemctl status conman |
traefik | Queries the docker engine directly to discover the paths to be published, so no other service to discover infrastructure is required. Allows tomcat to query the containers dynamically created in docker. | Console and App Host | Nonencrypted: 14433; Encrypted: 26001 | systemctl status traefik |
Note: Certain services are designed to work only on the Console, while others run on both or only the App Host. Certain services do not run constantly, such as qradarca-monitor, which is scheduled to start on an hourly basis by qradarca-monitor.timer.
Systemd container services
Conman, which is part of the app framework microservices, also creates systemd units in /etc/systemd/system. Each unit represents a container that can be started or stopped by using the systemctl command. The logs for the container can also be analyzed by using the journalctl command. Administrators can use the recon utility to confirm whether container Systemd units are started on the Console or App Host appliance. Administrators must never attempt to modify a unit file, unless directed by QRadar Support.
To view unit files on a QRadar Console or App Host appliance, type:
conman-support files | grep -i unit
The output returns each unit file and the related application container.
conman-support files | grep -i unit
apps > qapp-1253 > qapp-1253 > Unit File /etc/systemd/system/container@16863995116901164929.service
apps > qapp-1451 > qapp-1451 > Unit File /etc/systemd/system/container@7979499841534027139.service
apps > qapp-1258 > qapp-1258 > Unit File /etc/systemd/system/container@11820484457855077609.service
apps > qapp-1259 > qapp-1259 > Unit File /etc/systemd/system/container@10389100496898690578.service
apps > qapp-1256 > qapp-1256 > Unit File /etc/systemd/system/container@10866594320248106844.service
apps > qapp-1254 > qapp-1254 > Unit File /etc/systemd/system/container@1094987695637129443.service
apps > qapp-1351 > qapp-1351 > Unit File /etc/systemd/system/container@6610898142832491060.service
apps > qapp-1403 > qapp-1403 > Unit File /etc/systemd/system/container@4145209609592718969.service
apps > qapp-1402 > qapp-1402 > Unit File /etc/systemd/system/container@7959304112926050180.service
apps > qapp-1551 > qapp-1551 > Unit File /etc/systemd/system/container@16861894180048127764.service
Administrators can confirm the status of the container service with the systemctl command. In this example, the service is running, as shown by the Active: active (running) line.
systemctl status container@16863995116901164929.service
● container@16863995116901164929.service - Container created and managed by the conman service
Loaded: loaded (/etc/systemd/system/container@.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-05-11 16:45:30 GMT; 54min ago
Process: 9437 ExecStartPre=/usr/bin/bash -c VP=$(if [ -e /etc/conman/dnc ]; then echo http; else echo https; fi); VIP=$(if [ -e /opt/qradar/bin/myver ]; then /opt/qradar/bin/myver -vh; else echo 127.0.0.1; fi); /usr/bin/systemctl set-environment VAULT_ADDR=$VP://$VIP:9393 (code=exited, status=0/SUCCESS)
Main PID: 9720 (conwrap)
CGroup: /system.slice/system-container.slice/container@13719764573200128895.service
├─ 9720 /usr/bin/conwrap -healthCheckPrefix=HEALTH_CHECK_ -portPrefix=PORT -volumePrefix=VOL -envPrefix=ENV -secretPrefix=SECRET
└─27219 /usr/bin/docker -H unix:///var/run/docker.sock inspect -f {{.State.Running}} qapp-1055-xOmXQ2VU
May 11 16:45:07 74apphost.isslab.usga.ibm.com systemd[1]: Starting Container created and managed by the conman service...
May 11 16:45:30 74apphost.isslab.usga.ibm.com systemd[1]: Started Container created and managed by the conman service.
May 11 16:45:30 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2023-05-11T16:45:30Z" level=info msg="conwrap starting" container=qapp-1055-xOmXQ2VU ...55633780
May 11 16:46:18 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2023-05-11T16:46:18Z" level=error msg="inspection interval value not an integer >=1, ... value=0
May 11 16:47:13 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2023-05-11T16:47:13Z" level=info msg="Starting a watch on container."
May 11 16:47:43 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2023-05-11T16:47:43Z" level=error msg="Received error communicating with container: G...refused"
Hint: Some lines were ellipsized, use -l to show in full.
For more information on troubleshooting application services, see "Using the journalctl command to view log entries for application framework services".
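The checks from the service table and the unit-file listing can be combined into one script. The following is an added example, not code from IBM or from this page. It assumes the expected states given in the table (including "inactive" as the normal state of qradarca-monitor), and the script name and the console/apphost role argument are hypothetical.

```shell
# Table rows as name:where:expected `systemctl is-active` state.
# qradarca-monitor is expected to be "inactive" between its hourly runs.
SERVICES='docker-distribution:console:active
docker:both:active
qradarca-monitor:console:inactive
qradarca-monitor.timer:console:active
conman:both:active
traefik:both:active'

# Turn `conman-support files | grep -i unit` lines into "app unit" pairs.
parse_units() {
    awk '/Unit File/ { n = split($NF, p, "/"); print $3, p[n] }'
}

# Compare a unit's state with the expected one; return 1 on mismatch.
check_unit() {  # $1 = unit, $2 = expected state
    state=$(systemctl is-active "$1" 2>/dev/null </dev/null) || true
    [ -n "$state" ] || state=unknown
    if [ "$state" = "$2" ]; then echo "OK   $1 ($state)"; return 0; fi
    echo "FAIL $1 (is $state, expected $2)"; return 1
}

# Check the framework services that apply to this host role.
check_services() {  # $1 = console | apphost
    rc=0
    for entry in $SERVICES; do
        name=${entry%%:*}; rest=${entry#*:}
        where=${rest%%:*}; want=${rest#*:}
        [ "$where" = both ] || [ "$where" = "$1" ] || continue
        check_unit "$name" "$want" || rc=1
    done
    return $rc
}

# Check the container unit of each installed app ("app unit" pairs on stdin).
check_apps() {
    rc=0
    while read -r app unit; do
        out=$(check_unit "$unit" active) || rc=1
        echo "$out [$app]"
    done
    return $rc
}

# Hypothetical usage on the appliance: sh appfw_check.sh console|apphost
if [ "${1:-}" = console ] || [ "${1:-}" = apphost ]; then
    check_services "$1" || status=1
    conman-support files | grep -i unit | parse_units | check_apps || status=1
    exit "${status:-0}"
fi
```

A FAIL line for a container unit identifies the unit whose log entries to review with journalctl.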
Document Information
Modified date: 13 October 2023
UID: ibm16190995