IBM Support

QRadar: Services responsible for the applications and application framework functionality

Question & Answer


Question

What services are responsible for the application framework functionality, and how can their status be checked?

Answer

In QRadar V7.3.2 and later, the following services provide the application framework. For each service, the appliance it runs on, the port it listens on, and the command that shows its status are listed.

si-registry
  Description: A Docker registry that holds the application images and their metadata, such as version and size.
  Runs on: Console
  Port: 5000
  Command: systemctl status si-registry

docker
  Description: Creates and runs the containers: lightweight Linux containers that package an application together with all of its required dependencies.
  Runs on: Console and App Host
  Port: ephemeral (no fixed port)
  Command: systemctl status docker

vault-qrd
  Description: Configures Vault to run on the QRadar platform. Vault holds secrets and grants access to them only to services that present a valid Vault token with the required privileges.
  Runs on: Console and App Host
  Port: 9393
  Command: systemctl status vault-qrd

qradarca-monitor
  Description: Manages the certificates created for QRadar services, based on specification files that the services provide. The certificates are used for mutual authentication.
  Runs on: Console
  Port: none
  Command: systemctl status qradarca-monitor
  Note: Runs hourly on a schedule, so its normal status is "inactive".

conman
  Description: The main container manager. Conman exposes an API server that accepts requests containing workload and service definitions, which describe the containers to run on the system.
  Runs on: Console and App Host
  Port: 9000
  Command: systemctl status conman

traefik
  Description: Queries the Docker engine directly to discover the paths to publish, so no separate service discovery infrastructure is required. This lets Tomcat reach the containers that Docker creates dynamically.
  Runs on: Console and App Host
  Port: 14433
  Command: systemctl status traefik

Note: Some services run only on the Console, some only on the App Host, and some on both. Some services do not run continuously; qradarca-monitor, for example, is started hourly on a schedule, so an "inactive" status for it is normal.

Systemd container services
In addition to the app framework microservices, conman creates systemd units in /etc/systemd/system. Each unit represents one application container and can be started or stopped with the systemctl command; the container's logs can be viewed with the journalctl command. Administrators can use the recon utility to confirm whether the container systemd units are started on the Console or on the App Host appliance. Administrators must never modify a unit file unless directed to do so by QRadar Support.
To view unit files on a QRadar Console or App Host appliance, type:
[root@apphost]# conman-support files | grep -i unit
The output returns each unit file and the related application container.
[root@apphost]# conman-support files | grep -i unit
apps > qapp-1253 > qapp-1253 > Unit File   /etc/systemd/system/container@16863995116901164929.service
apps > qapp-1451 > qapp-1451 > Unit File   /etc/systemd/system/container@7979499841534027139.service
apps > qapp-1258 > qapp-1258 > Unit File   /etc/systemd/system/container@11820484457855077609.service
apps > qapp-1259 > qapp-1259 > Unit File   /etc/systemd/system/container@10389100496898690578.service
apps > qapp-1256 > qapp-1256 > Unit File   /etc/systemd/system/container@10866594320248106844.service
apps > qapp-1254 > qapp-1254 > Unit File   /etc/systemd/system/container@1094987695637129443.service
apps > qapp-1351 > qapp-1351 > Unit File   /etc/systemd/system/container@6610898142832491060.service
apps > qapp-1403 > qapp-1403 > Unit File   /etc/systemd/system/container@4145209609592718969.service
apps > qapp-1402 > qapp-1402 > Unit File   /etc/systemd/system/container@7959304112926050180.service
apps > qapp-1551 > qapp-1551 > Unit File   /etc/systemd/system/container@16861894180048127764.service
[root@apphost source]#

Administrators can confirm the status of a container unit with the systemctl command. In the following example the container is running, as shown by the line Active: active (running).
[root@apphost]# systemctl status container@16863995116901164929.service
● container@16863995116901164929.service - Container created and managed by the conman service
   Loaded: loaded (/etc/systemd/system/container@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-11 16:45:30 GMT; 54min ago
  Process: 9437 ExecStartPre=/usr/bin/bash -c VP=$(if [ -e /etc/conman/dnc ]; then echo http; else echo https; fi); VIP=$(if [ -e /opt/qradar/bin/myver ]; then /opt/qradar/bin/myver -vh; else echo 127.0.0.1; fi); /usr/bin/systemctl set-environment VAULT_ADDR=$VP://$VIP:9393 (code=exited, status=0/SUCCESS)
 Main PID: 9720 (conwrap)
   CGroup: /system.slice/system-container.slice/container@13719764573200128895.service
           ├─ 9720 /usr/bin/conwrap -healthCheckPrefix=HEALTH_CHECK_ -portPrefix=PORT -volumePrefix=VOL -envPrefix=ENV -secretPrefix=SECRET
           └─27219 /usr/bin/docker -H unix:///var/run/docker.sock inspect -f {{.State.Running}} qapp-1055-xOmXQ2VU

May 11 16:45:07 74apphost.isslab.usga.ibm.com systemd[1]: Starting Container created and managed by the conman service...
May 11 16:45:30 74apphost.isslab.usga.ibm.com systemd[1]: Started Container created and managed by the conman service.
May 11 16:45:30 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:45:30Z" level=info msg="conwrap starting" container=qapp-1055-xOmXQ2VU ...55633780
May 11 16:46:18 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:46:18Z" level=error msg="inspection interval value not an integer >=1, ... value=0
May 11 16:47:13 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:47:13Z" level=info msg="Starting a watch on container."
May 11 16:47:43 74apphost.isslab.usga.ibm.com conwrap[9720]: time="2020-05-11T16:47:43Z" level=error msg="Received error communicating with container: G...refused"
Hint: Some lines were ellipsized, use -l to show in full.
For more information on troubleshooting application services, see Using the journalctl command to view log entries for application framework services.
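The checks above (the per-service systemctl status commands from the table, the "inactive is normal" rule for qradarca-monitor, and the listing of conman-created container units) can be combined into one script. The following is an added example written for this page, not IBM's own tooling. It assumes the service names and ports from the table, that systemctl is-active reports the unit state, and that conman-support files prints lines in the format shown above; the sample conman-support output embedded in the script is constructed so that the script can also be run offline.

```bash
#!/bin/bash
# Added example (not IBM code): health check for the QRadar application framework
# services and the conman-created container units described on this page.
# Assumes the service names/ports from the table above and that qradarca-monitor
# is normally "inactive" because it runs on an hourly schedule.

# name:port  ("-" = no fixed listening port; docker uses ephemeral ports)
FRAMEWORK_SERVICES="si-registry:5000 docker:- vault-qrd:9393 qradarca-monitor:- conman:9000 traefik:14433"

# Map a service and its 'systemctl is-active' result to a verdict.
# qradarca-monitor runs hourly from a schedule, so "inactive" is healthy for it.
classify_state() {
    local svc="$1" state="$2"
    case "$svc:$state" in
        qradarca-monitor:inactive) echo OK ;;
        *:active)                  echo OK ;;
        *:failed)                  echo FAILED ;;
        *)                         echo UNEXPECTED ;;   # inactive, activating, unknown
    esac
}

# Extract "qapp-NNNN container@ID.service" pairs from 'conman-support files' output (stdin).
container_units() {
    grep -i 'unit file' \
      | sed -n 's/^apps > \([^ ]*\) > .*\(container@[0-9]*\.service\).*$/\1 \2/p'
}

# Is a TCP port in LISTEN state? Uses ss(8); returns 1 when ss is unavailable.
port_listening() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

# Live check; run on a Console or App Host (needs systemctl and conman-support).
live_check() {
    local entry svc port state app unit
    for entry in $FRAMEWORK_SERVICES; do
        svc=${entry%%:*}; port=${entry##*:}
        # is-active exits non-zero for inactive units, so keep the loop going.
        state=$(systemctl is-active "$svc" 2>/dev/null || true)
        printf '%-18s %-10s %s' "$svc" "${state:-unknown}" "$(classify_state "$svc" "$state")"
        if [ "$port" != "-" ]; then
            if port_listening "$port"; then
                printf '  port %s listening' "$port"
            else
                printf '  port %s NOT listening' "$port"
            fi
        fi
        printf '\n'
    done
    echo "--- container units created by conman ---"
    conman-support files | container_units | while read -r app unit; do
        state=$(systemctl is-active "$unit" 2>/dev/null || true)
        printf '%-12s %-45s %s\n' "$app" "$unit" "$(classify_state "$app" "${state:-unknown}")"
    done
}

# Constructed sample of 'conman-support files | grep -i unit' output, for offline use.
SAMPLE_CONMAN='apps > qapp-1253 > qapp-1253 > Unit File   /etc/systemd/system/container@16863995116901164929.service
apps > qapp-1451 > qapp-1451 > Unit File   /etc/systemd/system/container@7979499841534027139.service
apps > qapp-1551 > qapp-1551 > Unit File   /etc/systemd/system/container@16861894180048127764.service'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "Offline demo on constructed data (run with --live on a Console or App Host):"
    printf '%s\n' "$SAMPLE_CONMAN" | container_units
    printf 'qradarca-monitor inactive -> %s\n' "$(classify_state qradarca-monitor inactive)"
    printf 'conman inactive           -> %s\n' "$(classify_state conman inactive)"
fi
```

Run the script with --live as root on the appliance to query systemctl, ss and conman-support directly; without arguments it exercises the parsing and the verdict logic on the constructed sample. A container unit that reports "inactive" or "failed" is the one to inspect next with systemctl status and journalctl, as shown above.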

Applies to: IBM Security QRadar SIEM (Linux), versions 7.3.2, 7.3.3 and 7.4.0.

Document Information

Modified date:
28 May 2020

UID

ibm16190995