IBM Support

QRadar: Auto update now available for the 31 December 2020 "Waiting for license" issue (build 1609491687)

News


Abstract

The QRadar® development team has issued a new auto update for all QRadar Consoles installed with V7.3.0 or later. The latest auto update bundle (build 1609491687) includes the one-line command for the 30 December 2020 "Waiting for license" and runs automatically on the QRadar Console during the auto update installation. Administrators can check for the latest auto update to have the license fix applied. This auto update release allows administrators without Console root access to apply the license fix to appliances with the 'Get New Updates' button in the user interface.

Content

This technical note includes two sets of instructions depending on your QRadar® Console version and your network configuration. Administrators with QRadar 7.3.x or 7.4.x Console versions can complete a weekly auto update to apply the license fix. Administrators at QRadar 7.2.8 can complete the steps in the section "QRadar 7.2.8 Console and air-gappped network instructions".

Select the instructions that apply to your QRadar version:

QRadar 7.3.x and 7.4.x auto update license instructions

Administrators who are on V7.3.0 or later can complete a QRadar auto update to apply the license update to the QRadar Console. A special auto update build was released on 1 January 2021 to the auto update server at https://auto-update.qradar.ibmcloud.com/ as build 1609491687 to resolve the "Waiting for license..." service issue. Administrators must confirm the Auto Deploy option is enabled to ensure that change can be distributed to appliances after the auto update installs.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. In the System Configuration section, click Auto Update.
  4. Click Change Settings.
  5. Verify the Auto Deploy option is selected (checked).
    image 7661
  6. Click Save.
  7. If prompted with an Application Restart Required message, click Yes.
    image 7658
  8. To check for updates, click Get New Updates.
    image 7665
  9. Wait for the auto update to complete.
  10. Click View Log.
  11. Confirm the Last Update Status displays All updates completed successfully.
    Note: The build version that contains the license changes for the QRadar Console is 1609491687.
  12. After the auto update successfully installs, wait 5 minutes for appliances to load the changes.

    Note: If you upgrade (patch) your QRadar appliances, you must reapply the license fix on your Console appliance after the software upgrade is complete for your deployment. For more information on this one-line license fix, see: https://www.ibm.com/support/pages/node/6395080.

    Results
    The update is complete and the license change is deployed from the Console. Administrators can confirm that they are receiving events from appliances in the Log Activity tab. If your QRadar Console is on V7.2.8 or if your Console is in an air-gapped network, you cannot use an auto update to deploy the license change. For more information on updating your 7.2.8 Console with the license update, see the section "QRadar 7.2.8 Consoles and air-gapped network instructions". Administrators with Disconnected Log Collectors (DLC) appliances must update those appliances separately as they are not in the QRadar deployment. For information on updating DLC appliances, see: License update for Disconnected Log Collector appliances.
     

QRadar 7.2.8 Console and air-gappped network instructions

QRadar Consoles that are on V7.2.8 versions or are in air-gapped networks are unable to use a QRadar Auto Update. To update your appliances, you must run a one-line command manually on your QRadar Console.

Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To update the license file, enter the following command on your QRadar Console. You can double-click the command to highlight the full text.
    /opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
    Note: This command runs from the QRadar Console and the change is applied to all appliances by the all_servers utility. Administrators with Disconnected Log Collectors (DLC) appliances must update those appliances separately as they are not in the QRadar deployment. For information on updating DLC appliances, see: License update for Disconnected Log Collector appliances.
  3. Wait 5 minutes for the changes to complete.
    Note: Administrators are not required to restart any services for this change as the file loads automatically.
  4. Log in to the QRadar Console.
  5. Click the Log Activity tab.
  6. Verify events are received from remote appliance.

    Results
    The procedure is complete. If you experience an issue with this command or continue to experience services or license messages in qradar.log, contact QRadar Support for assistance. After you apply the workaround for this issue, you can use QRadar normally and complete standard administrative tasks, such as deploy changes.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtDAAQ","label":"Auto Update"}],"Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
04 January 2021

UID

ibm16395300