News
Abstract
A single-line command is available for administrators to run on the QRadar Console appliance to resolve this issue. All administrators are encouraged to complete the workaround documented in this technical note, even if they received an updated JAR file from QRadar Support. The all_servers utility allows the QRadar Console to apply this change to all appliances in the deployment. These instructions were recently updated to include a command to apply a license fix to Disconnected Log Collector appliances.
Content
Change list
- 9 February 2021: Updated the one-line command for administrators with QRadar Community Edition.
- 12 January 2021: The following software releases are available to resolve IJ30161:
- 7 January 2021: Released an issue report and FAQ for IJ30161. For more information, see QRadar: 31 December License and event processing issue report (APAR IJ30161).
- 6 January 2021: APAR IJ30161 is available for users to subscribe to this issue. Upon further code review, Disconnected Log Collectors no longer need to apply the one-line fix. This section was updated to remove the procedure from the flash notice for Disconnected Log Collector installs.
- 4 January 2021: Added a note that administrators who upgrade or patch their appliances must reapply the license fix after the software install is complete.
- 1 January 2021: Administrators have the option to run an auto update to resolve this issue. For more information, see:
- 1 January 2021: Added a new command and updated procedures for Disconnected Log Collector (DLC) appliances.
- 1 January 2021: Updated command for QRadar 7.2.8, 7.3.0, and 7.3.1 Consoles.
IMPORTANT: QRadar development has recently identified a defect in the product licensing function, which may cause the deployment to stop functioning. Our QRadar development team is currently working on an emergency fix to resolve this issue. Administrators who have automatic updates configured to auto restart or automatically deploy changes after a download might experience service issues. The issue is related to the function that validates a license key and is not related to the reported SolarWinds security issue.
When this issue occurs, the following message might be displayed for specific services in /var/log/qradar.log:
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
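The following script is an added example, not part of the original notice and not IBM code. It counts the "Waiting for valid license..." message per service so you can see which ECS components are affected. The function names and the sample lines are constructed for illustration, and the script assumes the service name is the first bracketed field, as in the lines above.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): summarise which ECS services are stuck
# waiting for a license, using the message format quoted in this note.

# waiting_services [LOGFILE]
# Prints "<service> <count>" for each service that logged the message.
waiting_services() {
    local log="${1:-/var/log/qradar.log}"
    awk '
        /Waiting for valid license\.\.\./ {
            # Service name = first bracketed field, e.g. [ecs-ep.ecs-ep]
            if (match($0, /\[[^]]+\]/)) {
                svc = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/\..*/, "", svc)        # ecs-ep.ecs-ep -> ecs-ep
                count[svc]++
            }
        }
        END { for (s in count) print s, count[s] }
    ' "$log" | LC_ALL=C sort
}

# Constructed sample lines in the format shown above (X.X.X.X as on the page).
sample_log() {
    cat <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[other.other] [main] constructed unrelated line
EOF
}

# Demo: run the summary over the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
waiting_services "$tmp"
rm -f "$tmp"
```

On a live appliance, call `waiting_services` with no argument to read /var/log/qradar.log.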
If you note repeated information messages in the logs or service issues, run the command documented in this technical note to resolve the issue.
Affected products
All QRadar versions are affected by this issue.
Note: If you upgrade to a QRadar version prior to the release of QRadar 7.3.3 Fix Pack 7 or 7.4.2 Fix Pack 1, you must reapply the workaround documented in this flash notice. For more information, see QRadar: 31 December License and event processing issue report (APAR IJ30161).
How to resolve the issue
QRadar Support is alerting all administrators to complete the provided single-line command workaround on the QRadar Console. If you have received a JAR file from QRadar Support or have already received assistance, you must still complete this procedure. After the command is run, administrators can wait 5 minutes and then verify that events are being sent from appliances.
Notice: If you are a QRadar on Cloud user, the DevOps team has already applied this update to your appliances. This procedure is not required if you are a QRadar on Cloud administrator.
Procedure
- Use SSH to log in to the QRadar Console as the root user.
- To update the license file, select one of the following commands. You can double-click the command to highlight and copy the full text from this technical note.
- For QRadar Consoles. Note: The all_servers command allows the Console appliance to update all managed hosts.
/opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
- For QRadar Community Edition:
if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi
- Wait 5 minutes for the changes to complete.
Note: Administrators are not required to restart any services for this change as the file loads automatically.
- Log in to the QRadar Console.
- Click the Log Activity tab.
- Verify that events are received from the remote appliances.
Results
The procedure is complete. If you upgrade your QRadar version prior to the release of 7.3.3 Fix Pack 7 or 7.4.2 Fix Pack 1 (released 12 January 2021), you must reapply the workaround to the QRadar Console. For more information, see QRadar: 31 December License and event processing issue report (APAR IJ30161). If you experience an issue with this command or continue to experience services or license messages in qradar.log, contact QRadar Support for assistance. After you apply the workaround for this issue, you can use QRadar normally and complete standard administrative tasks, such as deploy changes.
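The following check is an added example, not part of the original notice and not IBM code. It audits the six license files that the one-line command targets on a single host, which is useful after an upgrade or patch that requires the workaround to be reapplied. The function name and the ROOT prefix parameter are hypothetical, and the demo tree is constructed.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): audit the license files on one host.

# Value the workaround writes, copied from the command in this note.
EXPECTED='QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20'

# The six paths the one-line command tests with [ -f ... ].
LICENSE_FILES='/opt/qradar/ecs/license.txt
/opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt
/opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt
/usr/eventgnosis/ecs/license.txt
/opt/qradar/conf/templates/ecs_license.txt'

# audit_license_files [ROOT]
# ROOT is a hypothetical prefix so a copied tree can be checked; empty = live host.
# Prints "OK|DIFFERS|ABSENT <path>" per file; returns 1 if any file DIFFERS.
audit_license_files() {
    local root="${1:-}" rc=0 f
    while IFS= read -r f; do
        if [ ! -f "$root$f" ]; then
            echo "ABSENT $f"      # the workaround also skips missing files
        elif [ "$(cat "$root$f")" = "$EXPECTED" ]; then
            echo "OK $f"          # $(...) drops a trailing newline, if any
        else
            echo "DIFFERS $f"; rc=1
        fi
    done <<EOF
$LICENSE_FILES
EOF
    return "$rc"
}

# Demo on a constructed tree: one patched file, one overwritten file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/opt/qradar/ecs" "$demo_root/usr/eventgnosis/ecs"
printf '%s' "$EXPECTED" > "$demo_root/opt/qradar/ecs/license.txt"
printf '%s' 'constructed-old-value' > "$demo_root/usr/eventgnosis/ecs/license.txt"
audit_license_files "$demo_root" || echo "At least one file needs the workaround reapplied."
rm -rf "$demo_root"
```

ABSENT lines are expected, because not every path exists on every appliance type; a DIFFERS line on a host where the workaround was applied means the file has since been overwritten.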
License update for Disconnected Log Collector (DLC) appliances
Important: Upon further investigation, QRadar Development has determined that the one-line license file update is not required for DLC installations. The procedure in this section is removed from the publication as it is no longer required.
Document Information
Modified date: 04 December 2023
UID: ibm16395080