IBM Support

UPDATED: A QRadar deploy changes on 31 December 2020 can impact product functionality

News


Abstract

An update is available that lets administrators run a single-line command on the QRadar Console appliance to resolve this issue. All administrators are encouraged to complete the workaround documented in this technical note, even if they received an updated JAR file from QRadar Support. The all_servers utility allows the QRadar Console to apply this change to all appliances in the deployment. These instructions were recently updated to include a command to apply a license fix to Disconnected Log Collector appliances.

Content

Urgency

IMPORTANT: QRadar development has recently identified a defect in the product licensing function, which may cause the deployment to stop functioning. Our QRadar development team is currently working on an emergency fix to resolve this issue. Administrators who have automatic updates configured to auto restart or automatically deploy changes after a download might experience service issues. The issue is related to the function that validates a license key and is not related to the reported SolarWinds security issue.

When this issue occurs, the following message might be displayed for specific services in /var/log/qradar.log:
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
If you note repeated information messages in the logs or service issues, run the command documented in this technical note to resolve the issue.
 

Affected products

All QRadar versions are affected by this issue.
 
Note: If you upgrade to a QRadar version prior to the release of QRadar 7.3.3 Fix Pack 7 or 7.4.2 Fix Pack 1, you must reapply the workaround documented in this flash notice. For more information, see QRadar: 31 December License and event processing issue report (APAR IJ30161).

How to resolve the issue

QRadar Support is alerting all administrators to complete the provided single-line command workaround on the QRadar Console. If you have received a JAR file from QRadar Support or already received assistance, you must still complete this procedure. After the command is run, administrators can wait for 5 minutes and verify that events are being sent from appliances.

Notice: If you are a QRadar on Cloud user, the DevOps team has already applied this update to your appliances. This procedure is not required if you are a QRadar on Cloud administrator.
Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To update the license file, select one of the following commands. You can double-click the command to highlight and copy the full text from this technical note.
    1. For QRadar Consoles. Note: The all_servers command allows the Console appliance to update all managed hosts.
      /opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
    2. For QRadar Community Edition:
      if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi
  3. Wait 5 minutes for the changes to complete.
    Note: Administrators are not required to restart any services for this change as the file loads automatically.
  4. Log in to the QRadar Console.
  5. Click the Log Activity tab.
  6. Verify that events are received from remote appliances.

    Results
    The procedure is complete. If you upgrade your QRadar version prior to the release of 7.3.3 Fix Pack 7 or 7.4.2 Fix Pack 1 (released 12 January 2021), you must reapply the workaround to the QRadar Console. For more information, see QRadar: 31 December License and event processing issue report (APAR IJ30161). If you experience an issue with this command or continue to see service or license messages in qradar.log, contact QRadar Support for assistance. After you apply the workaround for this issue, you can use QRadar normally and complete standard administrative tasks, such as deploy changes.
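
The check below is an added example, not part of IBM's technical note or of QRadar tooling: after the 5-minute wait, it byte-compares each license file that the command writes against the license line you pass in, and counts recent "Waiting for valid license" messages per service. The function names, the ROOT prefix argument and the 5000-line default are assumptions made for this example.

```shell
# Added example (not IBM code): verify the workaround on one host.
# Paths are the six license files named in the command in this note.
LICENSE_PATHS="
/opt/qradar/ecs/license.txt
/opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt
/usr/eventgnosis/ecs/license.txt
/opt/qradar/conf/templates/ecs_license.txt
"

# check_license_files EXPECTED [ROOT]  (hypothetical helper)
# Byte-compares each existing file with EXPECTED (no trailing newline,
# matching what `echo -n` writes). Returns the number of mismatches.
# ROOT is an assumed prefix so the check can run against a test tree.
check_license_files() {
    local expected="$1" root="${2:-}" bad=0 p
    for p in $LICENSE_PATHS; do
        if [ ! -f "$root$p" ]; then
            echo "ABSENT   $p"   # the workaround also skips absent files
        elif printf '%s' "$expected" | cmp -s - "$root$p"; then
            echo "OK       $p"
        else
            echo "MISMATCH $p"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# waiting_services [LOGFILE] [LINES]  (hypothetical helper)
# Counts "Waiting for valid license" messages per service in the last
# LINES lines of the log, so entries from before the fix drop out.
# The 5000-line default is an arbitrary choice for this example.
waiting_services() {
    local log="${1:-/var/log/qradar.log}" lines="${2:-5000}"
    tail -n "$lines" "$log" 2>/dev/null |
        grep -F 'Waiting for valid license' |
        sed -n 's/.*\[\(ecs-[a-z-]*\)\.ecs-[a-z-]*] \[main].*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}
```

Source the functions as root on the host being checked and pass the license line copied from the command above as the first argument to check_license_files; its return value is the number of files that still differ. An empty result from waiting_services means no service logged the message in the inspected part of qradar.log.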

License update for Disconnected Log Collector (DLC) appliances


Important: Upon further investigation, QRadar Development has determined that the one-line license file update is not required for DLC installations. The procedure in this section is removed from the publication as it is no longer required.

Document Information

Modified date:
09 February 2021

UID

ibm16395080