Question & Answer
Question
Which services are responsible for the application framework functionality, and how do you check their status?
Answer
In QRadar V7.3.2 and later, the following services are responsible for the functionality of the application framework:
Service | Description | Runs on | Ports | Command |
---|---|---|---|---|
si-registry | A Docker registry that holds images and their associated metadata, such as versions and size. | Console | 5000 | systemctl status si-registry |
docker | Docker creates containers, which are lightweight Unix applications that include all dependencies required by the application. | Console and App Host | Ephemeral | systemctl status docker |
vault-qrd | Configures Vault to run on the QRadar platform. Vault holds secrets and allows secure access to them for services that have the correct Vault token and privileges. | Console and App Host | 9393 | systemctl status vault-qrd |
qradarca-monitor | Manages created certificates for QRadar services based on specification files provided by the services. Certificates are used for mutual authentication. | Console | - | systemctl status qradarca-monitor (runs hourly only; normal status is "inactive") |
conman | The main container manager. Conman uses an API server to accept requests with workloads and services which define containers to be run on the system. | Console and App Host | 9000 | systemctl status conman |
traefik | Queries the Docker engine directly to discover the paths to be published, so no other service discovery infrastructure is required. Allows Tomcat to query the containers dynamically created in Docker. | Console and App Host | 14433 | systemctl status traefik |
Note: Certain services are designed to run only on the Console, while others run on both the Console and App Host, or only on the App Host. Some services do not run constantly, such as qradarca-monitor, which is started hourly on a schedule.
Systemd container services
In addition to the app framework microservices, conman creates systemd units in /etc/systemd/system. Each unit represents a container that can be started or stopped by using the systemctl command. The logs for the container can be analyzed by using the journalctl command. Administrators can use the recon utility to confirm whether container systemd units are started on the Console or App Host appliance. Administrators must never attempt to modify a unit file unless directed by QRadar Support.
To view unit files on a QRadar Console or App Host appliance, type:
[root@apphost]# conman-support files | grep -i unit
The output returns each unit file and the related application container.
[root@apphost]# conman-support files | grep -i unit
apps > qapp-1253 > qapp-1253 > Unit File /etc/systemd/system/container@16863995116901164929.service
apps > qapp-1451 > qapp-1451 > Unit File /etc/systemd/system/container@7979499841534027139.service
apps > qapp-1258 > qapp-1258 > Unit File /etc/systemd/system/container@11820484457855077609.service
apps > qapp-1259 > qapp-1259 > Unit File /etc/systemd/system/container@10389100496898690578.service
apps > qapp-1256 > qapp-1256 > Unit File /etc/systemd/system/container@10866594320248106844.service
apps > qapp-1254 > qapp-1254 > Unit File /etc/systemd/system/container@1094987695637129443.service
apps > qapp-1351 > qapp-1351 > Unit File /etc/systemd/system/container@6610898142832491060.service
apps > qapp-1403 > qapp-1403 > Unit File /etc/systemd/system/container@4145209609592718969.service
apps > qapp-1402 > qapp-1402 > Unit File /etc/systemd/system/container@7959304112926050180.service
apps > qapp-1551 > qapp-1551 > Unit File /etc/systemd/system/container@16861894180048127764.service
[root@apphost source]#
Administrators can confirm the status of a container service with the systemctl command. In this example, the service is running, as shown by the line Active: active (running).
[root@apphost]# systemctl status container@16863995116901164929.service
● container@16863995116901164929.service - Container created and managed by the conman service
Loaded: loaded (/etc/systemd/system/container@.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-05-11 16:45:30 GMT; 54min ago
Process: 9437 ExecStartPre=/usr/bin/bash -c VP=$(if [ -e /etc/conman/dnc ]; then echo http; else echo https; fi); VIP=$(if [ -e /opt/qradar/bin/myver ]; then /opt/qradar/bin/myver -vh; else echo 127.0.0.1; fi); /usr/bin/systemctl set-environment VAULT_ADDR=$VP://$VIP:9393 (code=exited, status=0/SUCCESS)
Main PID: 9720 (conwrap)
CGroup: /system.slice/system-container.slice/container@13719764573200128895.service
├─ 9720 /usr/bin/conwrap -healthCheckPrefix=HEALTH_CHECK_ -portPrefix=PORT -volumePrefix=VOL -envPrefix=ENV -secretPrefix=SECRET
└─27219 /usr/bin/docker -H unix:///var/run/docker.sock inspect -f {{.State.Running}} qapp-1055-xOmXQ2VU
May 11 16:45:07 74apphost.isslab.usga.ibm.com systemd[1]: Starting Container created and managed by the conman service...
May 11 16:45:30 74apphost.isslab.usga.ibm.com systemd[1]: Started Container created and managed by the conman service.
May 11 16:45:30 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:45:30Z" level=info msg="conwrap starting" container=qapp-1055-xOmXQ2VU ...55633780
May 11 16:46:18 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:46:18Z" level=error msg="inspection interval value not an integer >=1, ... value=0
May 11 16:47:13 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:47:13Z" level=info msg="Starting a watch on container."
May 11 16:47:43 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:47:43Z" level=error msg="Received error communicating with container: G...refused"
Hint: Some lines were ellipsized, use -l to show in full.
For more information on troubleshooting application services, see Using the journalctl command to view log entries for application framework services.
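One way to script the checks above, as an added example rather than IBM tooling: it judges each service's state against the table (treating "inactive" as normal for qradarca-monitor and skipping Console-only services on an App Host) and maps each app to its container unit. The role argument (`console` or `apphost`) and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not IBM code. Role names and function names are assumptions.

# Services from the table: name:hosts (c = Console only, b = Console and App Host)
SERVICES="si-registry:c docker:b vault-qrd:b qradarca-monitor:c conman:b traefik:b"

# verdict SERVICE HOSTS ROLE STATE -> prints OK, FAIL or SKIP
verdict() {
    local svc="$1" hosts="$2" role="$3" state="$4"
    # Console-only services are not expected on an App Host.
    if [ "$hosts" = "c" ] && [ "$role" != "console" ]; then echo SKIP; return; fi
    case "$svc:$state" in
        # qradarca-monitor runs hourly, so "inactive" is its normal state.
        qradarca-monitor:inactive|*:active) echo OK ;;
        *) echo FAIL ;;
    esac
}

# parse_units: reads `conman-support files | grep -i unit` output on stdin and
# prints "app unit" pairs, assuming the line format shown on this page.
parse_units() {
    awk -F' > ' '/Unit File/ { n = split($NF, p, "/"); print $2, p[n] }'
}

# report NAME HOSTS ROLE UNIT: print one line with the live systemd state.
report() {
    local state
    state=$(systemctl is-active "$4" 2>/dev/null || true)
    printf '%-18s %-10s %s\n' "$1" "${state:-unknown}" "$(verdict "$1" "$2" "$3" "$state")"
}

# check_host ROLE: check framework services, then every container unit.
check_host() {
    local role="$1" entry app unit
    for entry in $SERVICES; do
        report "${entry%%:*}" "${entry##*:}" "$role" "${entry%%:*}"
    done
    conman-support files | grep -i unit | parse_units | while read -r app unit; do
        report "$app" b "$role" "$unit"
    done
}

# Run live only where the QRadar tooling exists; elsewhere parse one line
# copied from the output above to show the mapping.
if command -v conman-support >/dev/null 2>&1; then
    check_host "${1:-console}"
else
    echo 'apps > qapp-1253 > qapp-1253 > Unit File /etc/systemd/system/container@16863995116901164929.service' | parse_units
fi
```

A FAIL line is a starting point for journalctl on that unit, not a verdict on the application itself.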
Document Information
Modified date: 28 May 2020
UID: ibm16190995