IBM Support

QRadar: App-framework fails due to an invalid rule in iptables.pre

Troubleshooting


Problem

The docker service will fail if a bad line is added into the /opt/qradar/conf/iptables.pre file. If the apps are running on the console, the containers fail to start, and all apps become inaccessible in the UI. Even if there is an app host deployed, this can cause issues with the app framework and tomcat.

Symptom

This can occur whenever services restart, such as a system reboot, QRadar® version upgrade, or a full deploy. It can also cause severe performance issues in tomcat.
For example, during a patch, the upgrade_application section never completes.

You can identify the errors in the /var/log/setup<version>/patches.log:

    Aug 31 12:56:22 2019: Aug 31 12:56:22 2019:[DEBUG](patchmode) 4 scripts ran for mode post_deploy.
    Aug 31 12:56:22 2019: Aug 31 12:56:22 2019:[DEBUG](patchmode) returning 0; $VAR1 = {
              'count' => 40,
              'patchName' => '2019.14.0.20191006204340-2019140_patchupdate-2019.14.0.20191006204340'
            };
    Aug 31 12:56:22 2019: Aug 31 12:56:22 2019:[DEBUG](patchmode) called post-post deploy scripts.
    Aug 31 12:56:22 2019: Aug 31 12:56:22 2019:[DEBUG](patchmode) Running: "/opt/qradar/bin/after_services_up.sh"
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    ^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M100   266  100   266    0     0   1848
    A dependency job for si-registry.service failed. See 'journalctl -xe' for details.
    Aug 31 12:57:29 2019: Aug 31 12:57:29 2019:[ERROR](patchmode) Failed to run after_services_up.sh.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.0;7.3.1;7.3.2;7.3.3;7.4.0"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
18 May 2021

UID

ibm16324709

Page Feedback