IBM Support

QRadar on Cloud: Support FAQ and common questions

Question & Answer


How do I work with QRadar® on Cloud (QRoC) and are there common processes I should be aware of?


For readability, the content in this technical note is divided into categories. If you are unsure of a process or need clarification, QRadar on Cloud users can open a support case for more assistance. For more information on support policies, see QRadar Support Assistance 101.

QRadar on Cloud Architecture

  • How QRadar on Cloud ensures business continuity
    QRadar on Cloud appliances vary between bare-metal servers and virtual machines, which leads to two scenarios:
    1. If the appliance is installed on a bare-metal server, then QRadar High Availability (HA) is used.
    2. If the appliance is installed on a virtual machine, then HA runs at the infrastructure level.

    Contact your sales representative to discuss your use cases and entitlement for more information.
  • Is there a limited trial offered for QRadar on Cloud?
    No. IBM no longer offers a 14-day QRadar on Cloud trial. The 14-day QRadar trial is replaced with IBM Security QRadar Community Edition, which is a free, on-premise offering of QRadar V7.3.3.

    For more information, see: QRadar Community Edition.
  • Backup and transmitted data encryption?
    All data in the IBM Cloud is encrypted at rest, and in-transit data uses AES-256 encryption.
  • Disk space and performance degradation alerts

    Check on the support portal to confirm whether a case was created by QRadar on Cloud DevOps team on your behalf. If there is no case, submit a new case at IBM Support.

  • Events are exceeding the threshold too often
    1. Check that you are not exceeding the Data Gateway hardware capabilities. Optionally, administrators can troubleshoot peak EPS rates on your Data Gateway with Advanced Queries (AQL) from your QRadar on Cloud Dashboard.
    2. If you are exceeding the hardware capabilities:
      • Attempt to balance the incoming events across the Data Gateways.
      • Deploy extra Data Gateways to balance the events ingestion.
    3. If you are exceeding your software licensing, contact your sales representative for a license increase.
  • How Disaster recovery is ensured
  • Where is the physical equipment hosted?
    QRadar on Cloud devices are hosted within the IBM Cloud. Locations for these data centers include Canada, US, Brazil, UK, Germany, Australia, Tokyo, and India. The Console, Event Processors and Data Nodes are hosted there as well.
    Data Gateway appliances can be hosted in the cloud or as on-premise appliances at a client's location. 
  • How often do QRadar on Cloud instances get updated?

    QRadar on Cloud does not always install the latest version of QRadar. Instead, the development team tests new upcoming versions to ensure the latest QRadar version is cloud stable and secure. After testing is complete, the QRadar on Cloud DevOps team notifies clients to coordinate and agree on a maintenance window to upgrade your software. 

  • Licensing in QRadar on Cloud

    In a QRadar on Cloud deployment, Events per second (EPS), Flows Per Minute (FPM), and QRadar Vulnerability Manager are hosted on the Console. Contact your sales representative to get additional information about your entitlement or upgrading your license. Refer to the section on contacting your sales representative.


  • QRadar on Cloud active monitoring
    QRadar on Cloud is constantly monitored by automated systems and QRadar on Cloud DevOps personnel. When an incident occurs, IBM takes immediate action and notifies all members of your team through your provided distribution list. The DevOps team contacts the distribution list to inform administrators of issues, both for awareness and to alert teams when intervention is required by DevOps, such as service restarts or configuration changes, to ensure the product functions as expected.

  • Types of incidents for which I receive notifications

    The QRadar on Cloud DevOps team issues notifications or emails for the following issues:

    • System maintenance, patches, or software upgrades.
    • Requests to schedule downtime to correct issues or apply changes that require service restarts.
    • High Availability (HA) fail over notifications.
    • Disk usage warning notices.
  • What action do I need to take once I receive a notification?

    The notifications direct administrators to required actions. If those actions do not resolve the issues, submit a new case at IBM support.

    An example of a notification would be:
    Client Action required: The Console is unable to communicate with your gateway. This indicates a networking problem. You can try rebooting the host to see if the VPN connection re-establishes. If not, you should check the infrastructure to which this host is connected. To see if the gateway has reconnected to the console, you can search for its IP in the Log Activity screen. You should see health metrics flowing in if the connection is functioning.

  • Why did I not receive an email?

    It is possible that your email account was not included in your provided distribution list. Contact your organization's technical representative responsible for your QRadar on Cloud account and request them to add your email to the distribution list. Each QRadar on Cloud instance has a primary technical contact in your organization that coordinates your company's account.

Data Gateway (DG) Administration

  • Installation and network requirements
    1. Administrators need to configure their firewall to allow outgoing and related traffic to the console at <HTTPS IP> and to IBM's VPN server at <VPN IP>, both on port 443.
    2. Your gateway must be behind a NAT firewall. Publicly routable IP addresses cause internal routing issues to the VPN server.
    3. There must be no URL blocking device, IPS, or deep-packet inspection methods blocking traffic to either the Console or IBM's VPN IP addresses.
    4. When you choose an internal IP for your Data Gateway, you cannot use an IP address in the range. If you use this subnet range, routing issues can occur. Supported static IP addresses are:
      CIDR IP address range
      10/8 -
      172.16/12 -
    5. To locate the ISO to install the Data Gateway:
      1. Log in to the Console User Interface.
      2. Click Admin > Hosted QRadar.
      3. Download the ISO.
      4. Go to Fix Central and locate the Fix Pack or Update Package associated with your version of QRadar on Cloud. 
      5. Install the Fix Pack or Update Package on your Data Gateway.
    6. To locate the token for the Data Gateway:
      1. Click Admin > Hosted QRadar.
      2. Copy the token to use with the Data Gateway installation.
    7. You can install more than one Data Gateway, but they need to be done sequentially. After you complete the installation of each Data Gateway, run Deploy Changes from the Admin tab.
    8. When you create a root password, do not use special characters.
    9. Use a root password scheme based on your organization's security policy for each Data Gateway installation.
      Note: You might be prompted to add the root password more than once.
    10. Do not break the installation process at any time, even if an error is displayed. A typical installation might take more than 20 minutes after it connects to the console and begins the add process.
    11. When the installation is complete, the command prompt displays an installation status of success or error. 
    12. If the installation generates an error or installs with errors, open a case with QRadar support.
    13. The guide to getting started with QRadar on Cloud is available from IBM documentation teams. For the QRadar on Cloud documentation, see: Getting started with QRadar on Cloud.
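
A pre-install check for item 4, as an added example that is not IBM code: it classifies each planned Data Gateway address against the two supported ranges listed above and the 192.168.x.x/16 restriction stated later in this note. The function names and the "name address" plan format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not IBM code). The plan format "name address", one Data
# Gateway per line, is an assumption made for this sketch.

# classify_gateway_ip ADDR
# Prints: supported | unsupported-192.168 | unsupported-other | invalid
classify_gateway_ip() {
    printf '%s\n' "$1" | awk -F. '
        function to_int(a, b, c, d) { return a * 16777216 + b * 65536 + c * 256 + d }
        # True when integer address ip lies inside base/prefix.
        function in_cidr(ip, base, prefix,    size) {
            size = 2 ^ (32 - prefix)
            return int(ip / size) == int(base / size)
        }
        {
            verdict = "unsupported-other"
            if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                verdict = "invalid"
            } else {
                for (i = 1; i <= 4; i++)
                    if (length($i) > 3 || $i + 0 > 255) verdict = "invalid"
            }
            if (verdict != "invalid") {
                ip = to_int($1, $2, $3, $4)
                if (in_cidr(ip, to_int(192, 168, 0, 0), 16))
                    verdict = "unsupported-192.168"      # causes routing issues
                else if (in_cidr(ip, to_int(10, 0, 0, 0), 8) ||
                         in_cidr(ip, to_int(172, 16, 0, 0), 12))
                    verdict = "supported"                # 10/8 or 172.16/12
            }
            print verdict
            exit
        }'
}

# check_gateway_plan FILE
# Prints one line per gateway whose address is not in a supported range and
# returns 1 if there is any. Blank lines and # comments are skipped.
check_gateway_plan() (
    bad=0
    while read -r name addr rest; do
        case $name in
            ''|\#*) continue ;;
        esac
        verdict=$(classify_gateway_ip "$addr")
        if [ "$verdict" != supported ]; then
            echo "$name $addr $verdict"
            bad=1
        fi
    done < "$1"
    exit "$bad"
)
```
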

  • How many Data Gateways can be installed?
    By default 10 Data Gateways can be installed. To add more Data Gateway appliances to your QRadar on Cloud deployment, contact your sales team.
  • What hardware resources are required for Data Gateways?
    Administrators who install QRadar Data Gateway appliances must ensure that the hardware specifications meet IBM's documentation. For system requirements on physical or virtual machines (VMs), see QRadar on Cloud: System requirements for Data Gateways.
  • Adding a Data Gateway to a QRadar on Cloud instance
    1. Download the QRadar ISO.
      1. Log in to the QRadar Console.
      2. Click Admin tab > Hosted QRadar.
      3. Download the ISO.
      4. Go to Fix Central and locate the Fix Pack or Update Package associated with your version of QRadar on Cloud. 
      5. Install the Fix Pack or Update Package on your Data Gateway.
    2. To install an Appliance type of 7000, select Appliance install > Event Collector Gateway.
    3. Assign a private IP address.
      Note: The IP address must not be located in a 192.168.x.x/16 subnet.
    4. Configure 1:1 NAT between the private and public egress IP addresses.
    5. Add the Public egress IP to the allow list by using the Self-Serv app.
    6. Generate a token for the Data Gateway by using the Self-Serv app.
    7. Allow communication to the Console and VPN server on port 443, and allow established and related traffic inbound.
    8. If the Console is at a newer version, patch the Data Gateway to match the Console's version so it can be added to the deployment.
      For more information, refer to the QRadar on Cloud documentation.

  • Installation of a Data Gateway on a Cloud Provider

    Data Gateways can be installed on a VM hosted anywhere. QRadar on Cloud has guides on how to install the Data Gateway on most Cloud providers such as Azure, Google Cloud, and AWS. Refer to QRadar documentation on how to install a Data Gateway on supported Cloud providers.

  • Do Data Gateways support high-availability?

    Data Gateways do not support high-availability (HA) clustering currently. Administrators who want resiliency for events can add a load balancer in front of their Data Gateway appliances.

  • Can a Load Balancer be used in front of Data Gateways to distribute events?

    A load balancer can be used for ease of administration and resiliency. The impact is mainly for UDP syslog-based Log Sources that push data. Administrators need to point their event sources to the load balancer IP address instead of the Data Gateway. Log Sources that use protocols that poll for data, such as APIs, JDBC, or the Log File Protocol are not impacted as these protocols establish outbound TCP sessions. 

    Load balancer requirements:

    • The load balancer must be on the same layer 2 network as the data gateway and act as the default gateway for the data gateway.
    • Log Source management requires that the data gateway sees the source IP address of the Log Source. If the load balancer replaces Syslog header or injects new Syslog headers, the event data can appear to be generated by the load balancer and not the correct event source.
  • Can load balancers be used for flow ingestion?
    A load balancer cannot be used for flow ingestion. Since flow data is UDP, minute by minute rollups are tracked by the source IP address in the flow record. A load balancer that only routes at the packet level interrupts the associated process in QFlow.
  • Changing the IP Address of an attached Data Gateway

    Administrators who need to update their network configuration on the Data Gateway appliance, such as changing the IP address, hostname, or DNS server information must open a case with the DevOps team so that we can coordinate these changes with your team. The Data Gateway must first be removed from the QRadar on Cloud deployment before network changes can be made to the host.

    1. Create a QRadar on Cloud support ticket to have IBM remove the managed host from the QRadar on Cloud deployment.
    2. Note: When you open a support case refer to the knowledge center article, QRadar on Cloud support ticket.
    3. Using an Integrated Management Module (IMM) or direct connection to the Data Gateway appliance open a remote session.
    4. Type qchange_netsetup to change the network interface settings.
    5. Verify or update the allowlist from the Self Serve App - Manage access to the Console.
    6. Generate a new token by using the Self Serve App - Generating a new token for a data gateway.
    7. To add the Data Gateway back to the QRadar on Cloud deployment, type the command and enter your new token:
      /opt/qradar/bin/ mh_setup interactive -r
  • Can third-party software be installed on a Data Gateway?

    Third-party software installation is not supported on any Managed hosts including Data Gateways. QRadar has a built-in firewall and allows administration access only through a secure connection that requires encrypted and authenticated access and provides controlled upgrades and updates. QRadar data gateways do not require or support traditional anti-virus or malware agents or support the installation of third-party packages or programs.

    For more information, see: Third-party software on data gateways.

  • How do administrators monitor their environment?
    Administrators can configure the data gateway status notification rule to monitor their data gateways. QRadar on Cloud DevOps also monitors the environment with automated integrated systems. It is not recommended to install the QRadar Deployment Intelligence (QDI) app in QRadar on Cloud or any other Cloud environments where QRadar can be installed, such as Amazon or Google Cloud. The QRadar Deployment Intelligence (QDI) application was designed for on-premise deployments based on hardware appliances.
  • Network bandwidth required between the Data Gateway and a QRadar on Cloud Console connection

    The bandwidth allocation must take the following into consideration:

    • Your license for Events per second and Flows per minute.
    • Your internet dedicated bandwidth connection.
    QRadar on Cloud requires a minimum of 40 Mbps, regardless of the event rate to be forwarded. To allow internal processes to perform as expected, QRadar recommends at least 100 Mbps symmetrical. These bandwidth minimum requirements are intended to minimize issues and ensure the product functions properly when processing data, users run searches, database replication, deploy changes and other QRadar tasks. For more information, see the QRadar on Cloud documentation.
  • Can administrators access my QRadar on Cloud Console by SSH or CLI?

    QRadar Consoles do not allow clients to SSH to the Console appliance as QRadar on Cloud DevOps manages it. Clients can have access to Data Gateways to perform basic actions over any Console utility such as IMM, iLO, iDRAC, KVM, XCC or equivalent.

  • Can a Data Gateway be accessed by using SSH?

    To enable a Data Gateway so it can be accessed by using SSH, administrators need to perform these steps on the Data Gateway.

    1. Back up the file by using the command:
      cp /opt/qradar/conf/iptables.pre /storetmp 
    2. Use an editor and open /opt/qradar/conf/iptables.pre
      vi /opt/qradar/conf/iptables.pre
    3. Add a line to the file to allow an SSH connection to the Data Gateway, where <ipaddress> is the IP address needed to allow an SSH session to the Data Gateway.
       -A INPUT -p tcp -s <ipaddress> --dport 22 -j ACCEPT
    4. Save the changes to the file.
    5. Reload iptables by using the command
    For other examples of using iptables, refer to QRadar on Cloud documentation
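
Steps 1 to 4 above as one repeatable shell function, with an audit helper that lists port 22 rules not tied to a single source host. This is an added example, not IBM code or part of the original note: the function names are hypothetical, the backup gets a dated name in /storetmp, and the reload in step 5 is left out because its command is not shown on this page.

```shell
#!/bin/sh
# Added example (not IBM code). Defaults are the paths given on this page;
# pass a scratch copy as PRE_FILE to rehearse the change first.

# is_ipv4_host ADDR: true only for one dotted-quad host (no CIDR, no name).
is_ipv4_host() (
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) exit 1 ;;      # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    [ "$addr" != 0.0.0.0 ]
)

# add_ssh_allow_rule SOURCE_IP [PRE_FILE] [BACKUP_DIR]
# Prints the backup path when it changes the file and nothing when the rule
# was already present. Exit: 0 ok, 2 bad source, 3 file problem.
add_ssh_allow_rule() (
    src=$1
    pre=${2:-/opt/qradar/conf/iptables.pre}
    bak_dir=${3:-/storetmp}

    if ! is_ipv4_host "$src"; then
        echo "refusing '$src': give exactly one IPv4 host address" >&2
        exit 2
    fi
    if [ ! -f "$pre" ] || [ ! -d "$bak_dir" ]; then
        echo "missing $pre or $bak_dir" >&2
        exit 3
    fi

    rule="-A INPUT -p tcp -s $src --dport 22 -j ACCEPT"
    # Idempotent: if this exact line exists, leave file and backups alone.
    if grep -qxF -e "$rule" "$pre"; then
        exit 0
    fi

    # Step 1: back up under a unique dated name so older backups are kept.
    backup=$(mktemp "$bak_dir/iptables.pre.$(date +%Y%m%d).XXXXXX") || exit 3
    cp -p "$pre" "$backup" || exit 3

    # Steps 2-4: make sure the file ends in a newline, then append the rule.
    if [ -n "$(tail -c 1 "$pre")" ]; then
        echo >> "$pre" || exit 3
    fi
    printf '%s\n' "$rule" >> "$pre" || exit 3
    echo "$backup"
)

# audit_ssh_rules [PRE_FILE]
# Prints every ACCEPT rule for port 22 that has no -s, or a -s with a CIDR
# mask other than /32. Returns 1 if any such rule exists.
audit_ssh_rules() (
    pre=${1:-/opt/qradar/conf/iptables.pre}
    broad=$(awk '
        /^[ \t]*#/ { next }
        /-j ACCEPT/ && /--dport 22( |$)/ {
            src = ""
            for (i = 1; i < NF; i++)
                if ($i == "-s" || $i == "--source") src = $(i + 1)
            if (src == "" || (src ~ /\// && src !~ /\/32$/)) print
        }' "$pre")
    if [ -z "$broad" ]; then
        exit 0
    fi
    printf '%s\n' "$broad"
    exit 1
)
```
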
  • What happens when a Data Gateway loses connectivity?

    The Log Source keeps sending events to the Data Gateway. If the connection is broken, it buffers these events until it reaches its /store partition capacity value. When the connection is restored, the events are forwarded. If the connection does not get restored, the events fill the /store partition causing QRadar to shut down services. Stopping services causes events to be dropped.

    Important: Stopping services causes an interruption in collecting events, reports, searches, and offense investigations. Administrators with strict outage policies are advised to schedule a maintenance window for their organization if services need to be stopped.

  • Adding extra collection interfaces (multi-home) on Data Gateways

    To enable extra interfaces on a Data Gateway for events and flows collection, the administrators must refer to QRadar on Cloud: How to configure extra collection interfaces on Data Gateways.

Self-Serve App

  • What is the Self-Serve App?
    The Self-Serv app allows clients to perform daily actions on their own. These actions include:
    • Generate tokens for Data Gateway appliances
    • Add allowlist IP addresses and subnets to access QRadar on Cloud instances. Subnet masks are supported within /24 to /32.
    • Perform user management, such as adding, editing, or deleting user roles, and other administration functions.
    • Generate service authorized tokens for applications.
    For a full list of features, see the Self-Serv application documentation.

  • Actions that require support cases

    Administrators can open cases for questions or concerns about their QRadar on Cloud deployment. Some administrative actions must be performed by the DevOps team that manages your QRadar on Cloud instance. A list of actions that require a support case or require DevOps to open tickets can be found in the QRadar on Cloud product documentation.

  • How do administrators request a new feature for the Self-Serve App?

    New features can be requested from the IBM Ideas website. All requests for IBM application features can be logged and voted on if you make your request public.

    For more information about IBM Ideas, see the QRadar: Requesting new features on IBM Ideas.

Troubleshooting Authentication and GUI access

  • I cannot reach the QRadar on Cloud Console
    Use the procedure listed to troubleshoot connectivity:
    1. Ensure you have internet access and your DNS servers are resolving hostnames properly.
    2. Open a command terminal.
    3. Use the nslookup command to test your connection to your Console, where:
      <console_number> = The instance number or your QRadar on Cloud service.
      <dns_server_ip> = The internal DNS server IP or a public one such as Google (
      nslookup console-<console_number> <dns_server_ip>
      Note: If the step #3 is successful, proceed to step #4.
    4. Verify that the Public IP address is in the allowlist to access your QRadar on Cloud instance.
    5. Determine whether the IP address in the allowlist is being used by typing the URL in a browser 
    6. To verify that the IP address is being used in the allowlist, check the Self-Serv app. If the IP address is not in the allowlist, add it. Verification of the IP address in the allowlist can take 30 min to 2 hours.

  • I created a user and cannot log in to QRadar on Cloud.

    The user might not have an IBMid. You can create one at Create your IBM® account.

  • The user does have an IBMid but never passes authentication

    If the user is having problems authenticating with IBMid, the user needs to open a ticket with IBMid at the IBM® Account Page under Get Support.

  • I did not receive an email from IBMid?

    Check to see whether the information on your IBMid account email went to Junk or Spam. If the user is still having problems authenticating with their IBMid, they need to open a ticket with the IBMid team.

  • Access is granted, but the GUI keeps loading or is blank

    The cause might be related to the web browser cache. Here are steps to resolve that issue:

    1. Clear the browser cache.
    2. Use the browser's incognito or private mode.
    3. Try a different browser.
  • The user can authenticate to the GUI, but cannot raise support cases

    Refer to our documentation on Administrator and user management.

Applications in QRadar on Cloud

  • Can applications be installed on QRadar on Cloud?
    Yes. For a list of QRadar on Cloud ready applications, see the IBM X-Force Exchange. The application in the description must display the message:

    QRadar Support recommends administrators use the QRadar Assistant application to install and update applications.

  • Does QRadar on Cloud support an App Host?

    QRadar on Cloud does not support App Host appliances. All applications are installed on the Console.

  • Installation errors or resources to install more applications

    QRadar on Cloud applications reside on the Console appliance. Administrators can install applications with the QRadar Assistant app, which can be accessed from the Shield icon (Assistant app icon) on the dashboard. The QRadar Assistant app can be configured to use your X-Force App Exchange account to single-click install or update applications. QRadar Support recommends users install and manage their applications from the QRadar Assistant App, which is included during installation. Optionally, administrators can use the Admin > Extension Management icon to download and manually upload applications. If you experience installation issues with an application or if you require more system resources, you can contact QRadar support to review the issue.

  • The tab or icon does not display or my application is blank

    A blank icon is typically an issue with the web browser cache:

    • Clear the web browser cache.
    • Try to access your QRadar on Cloud interface from an incognito or private tab.
    • Try a different browser.
    • Verify the user has permissions to see the App or section of the App by checking the user roles in the Self-Serv app. If none of the suggestions work, submit a new case to QRadar_support.


How does IBM migrate from QRadar on-premise to QRadar on Cloud?

As part of the service, clients are entitled to schedule an engagement with IBM Security Expert Labs to migrate their data and configuration over to QRadar on Cloud.


Miscellaneous post migration issues

  • My searches are taking too much time to complete since migrating to QRoC
    The slowness on searches can be caused by:
    1. Network
      When you do a search, click Current statistics > More details. The expected result is that all managed hosts show 100% with the smallest time.
      • If a managed host displays zero, it can indicate the Console cannot connect to the Ariel service on the managed host.
      • If the managed host becomes hung, it might indicate higher latency on the link and the appliance system resources.

        Submit a new case to IBM Support to determine the reason and fix it.
    2. Inefficient searches
  • My Rules are not triggering nor firing email notifications

    It is possible that some rules do not match the exact same criteria as they were on premises.
    To resolve this issue make sure to review each rule criteria to match your current related data including building blocks, Regex, log source, email.

  • Reports are not being sent or received via email

    Reports are based on criteria. If one criterion is not met, the report is not triggered, and neither are the functions associated with it, such as email delivery.
    To resolve this issue, verify the criteria are correct for your report.

    If the criteria are correct, it is likely that other constraints, such as report size, format limitations, and others, are the cause. If you are still having issues, submit a case to IBM Support.

  • How do I export my rules, building blocks, or regex expressions?

    A full configuration backup is completed daily through QRadar's configuration backup feature, which is managed by the DevOps team. The tools required to complete a manual content export are only accessible through QRadar's command line. To resolve this issue, submit a case with IBM Support to request a content export from your QRadar on Cloud Console appliance.

    Custom log source configurations
    In QRadar V7.3.3 and later, you can export your custom content that you create in the DSM Editor. Click the Export button in the DSM Editor to export your content from one QRadar deployment to another, or to external media.

API usage

  • Unable to query the API in QRadar on Cloud
    This issue is caused by a network block, by the use of a proxy for that connection, or both. To resolve the issue, use the Self-Serv app to add the public IP address of the proxy or server from which the query originates to the allowlist.
  • How to test the connection to the API in QRadar on Cloud by using a proxy

    This can be tested by using the curl command. An example of a query to the log source API end point would be:

    curl -k -x http://<proxy_server_ip>:80 --proxy-user <proxyuser>:<proxypassword> -X GET -H 'SEC: API TOKEN' -H 'Range: items=0-49' -H 'Version: 11.0' -H 'Accept: application/json' 'https://<>/api/config/event_sources/log_source_management/log_sources' -vvv  

    <proxy_server_ip> is the IP address of your proxy server.
    <> is the URL for your QRadar on Cloud Console.
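
The same log source query, as an added example that is not IBM code: the function writes the token, proxy credentials and headers to a mode 600 curl config file so they stay out of the process list and shell history, and it leaves out -k so the Console certificate is verified. The function name and the QROC_SEC_TOKEN and QROC_PROXY_USER variables are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code). QROC_SEC_TOKEN and QROC_PROXY_USER are
# hypothetical environment variable names chosen for this sketch.

# write_qroc_curl_config OUT_FILE CONSOLE_HOST PROXY_URL
#   QROC_SEC_TOKEN   authorized service token (required)
#   QROC_PROXY_USER  proxy credentials as user:password (optional)
# Exit: 0 ok, 2 bad input, 3 cannot write OUT_FILE.
write_qroc_curl_config() (
    out=$1
    console=$2
    proxy=$3
    token=${QROC_SEC_TOKEN:-}
    proxy_user=${QROC_PROXY_USER:-}

    if [ -z "$token" ]; then
        echo "QROC_SEC_TOKEN is not set" >&2
        exit 2
    fi

    # CONSOLE_HOST must be a bare hostname so the URL is always https://.
    case $console in
        ''|*[!A-Za-z0-9.-]*) echo "console must be a hostname" >&2; exit 2 ;;
    esac
    case $proxy in
        http://*|https://*) ;;
        *) echo "proxy must be an http(s):// URL" >&2; exit 2 ;;
    esac

    # A quote, backslash or line break would end the quoted config value
    # early and let the remainder be read as extra curl options.
    nl='
'
    case $token$proxy$proxy_user in
        *\"*|*\\*|*"$nl"*) echo "unsupported character in a value" >&2; exit 2 ;;
    esac

    rm -f "$out"
    umask 077                         # new file is created as 0600
    {
        echo 'request = "GET"'
        printf 'proxy = "%s"\n' "$proxy"
        if [ -n "$proxy_user" ]; then
            printf 'proxy-user = "%s"\n' "$proxy_user"
        fi
        printf 'header = "SEC: %s"\n' "$token"
        echo 'header = "Range: items=0-49"'
        echo 'header = "Version: 11.0"'
        echo 'header = "Accept: application/json"'
        printf 'url = "https://%s/api/config/event_sources/log_source_management/log_sources"\n' "$console"
    } > "$out" || exit 3
)

# Usage, with placeholders for your own values:
#   cfg=$(mktemp)
#   write_qroc_curl_config "$cfg" "<console_hostname>" "http://<proxy_server_ip>:80"
#   curl --config "$cfg" --silent --show-error --fail
#   rm -f "$cfg"
```
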

  • Without Admin access, how do I create an admin token for API work?

    The generation of admin tokens to be used for API Calls is handled by QRadar on Cloud DevOps. Submit a new case to IBM Support.

  • Can I use Basic Authentication instead of a token for QRadar on Cloud API access?

    The RESTful API overview can be used for testing. For other access, authorized service tokens must be used.

Log source administration in QRadar on Cloud

  • What host should I configure for Target Event Collector

    In most scenarios, the Data Gateway appliance is your Target Event Collector.

    • Passive or Push protocols supply data streams that arrive at QRadar by themselves.
    • Active or Pull protocols create a connection from the Target Event Collector field defined in the log source configuration to obtain data. If you have multiple Data Gateway appliances or move a connection from one Data Gateway to another, you can update the Target Event Collector field using the Log Source Management application. 
  • How do I determine whether a log source is a push or pull type of Protocol

    Review the Protocol Configuration options page from the QRadar DSM Configuration guide for a group list of common examples.

  • I need to install a log source which uses certificates

    Installing a certificate varies based on the protocol. The location for certificates on your Data Gateway appliance is /opt/qradar/conf/trusted-certificates.

    • If the certificate needs to be installed on the Data Gateway, you can use SCP or similar protocol to transfer the certificate to the trusted-certificates directory. 
      Review the section on How can access over SSH be configured on Data Gateways from this FAQ.
    • If the certificate needs to be installed on the Console, you need QRadar on Cloud DevOps to install it for you.
      Submit a new case to IBM Support.

    For more information, see the QRadar DSM Configuration Guide.

  • The log source is configured, but not receiving event data

    Use the Log Source Management (LSM) app testing capability to start the troubleshooting. The Log Source Management (LSM) app has many Protocol tests available to test your installation configuration. The number of tests is increasing with each new QRadar release. If the Log Source with the issue uses a Protocol that includes a test, enable debug options for advanced testing before you click the test button.

  • The Log Source Management app test identified connectivity issues.

    For Syslog, SNMP, or protocols that push data to QRadar, there must be a connection between the log source sender and the Data Gateway. Administrators can review the following steps provided to test the connectivity:

    1. Ensure the log source is forwarding event data.
    2. Use tcpdump to confirm the Data Gateway is receiving the event data.

    For connections that pull data from the remote source, such as APIs, Log File protocol, or JDBC, the connection originates from the QRadar appliance. The connection must be able to connect and authenticate to the remote source. Administrators might be required to update firewalls rules in their networks to ensure that the Data Gateway appliance can establish connections to hosts that contain event data. To test connectivity:

    1. Use the Log Source Management app to test the log source configuration. Most protocols that establish connections from QRadar include tests for connectivity and other configuration parameters.
    2. Verify the device is on the network.
    3. Ensure the remote device does not include an access control list that might prevent a connection. 
    4. Confirm any firewalls or network devices that might block traffic between the Data Gateway appliance and your event source.
    5. Ensure QRadar is sending the request. If you are unsure, open a new case with IBM Support.
  • Troubleshooting advanced errors in the Log Source Management app

    Use the Log Source Management (LSM) app testing capability to start the troubleshooting. The Log Source Management app includes protocol tests that can confirm remote connections, credentials, certificates, file paths, and other configuration parameters. The number of tests is increasing with each new QRadar release. If the log source includes a test button, you can enable debug options before you test your log source configuration.

    To enable debug:

    1. Click the step to Test Protocol Parameters
    2. Click the Gear.
    3. Click Show Debug Messages.
    4. Click Skip Test and Finish.

Contacting your sales representative

  • QRadar Support might not be able to discuss aspects of your QRadar on Cloud deployment that relate to license changes, cost, or subscription changes, or trials as these questions are handled by IBM Sales. If you need to contact IBM Sales, you can select one of the following methods:
  1. Contact IBM for general product inquiries or assistance: contact IBM
  2. Navigate to IBM Security website and click Lets Talk.

Feature requests on IBM Ideas

How do I submit a feature request for QRadar on Cloud?
Submitting feature requests for QRadar on Cloud works the same way as for QRadar on-premise or software installations. To create a request, use the steps provided in the article: QRadar: Feature requests on IBM Ideas.


Document Information

Modified date:
14 December 2023