IBM Support

QRadar: Unable to re-add managed host due to error "No connection to tomcat".

Troubleshooting


Problem

A managed host cannot be re-added after it was successfully removed while offline or unreachable (UNKNOWN state). The addition process fails when the managed host tries to connect to Tomcat.

Symptom

On the Console WebUI, the addition process will fail with the following error:
[Screenshot: Error01]
The following error appears in /var/log/qradar.log:
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [INFO] [NOT:0000006000][<IP of Console>/- -] [-/- -]Executing presence on host <IP of Managed Host> using console ip <IP of Console>
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][<IP of Console>/- -] [-/- -]Failed to read output from ssh connection on host <IP of Managed Host> 
[hostcontext.hostcontext] [2c3bfc3c-df07-4ea8-a156-cc0a6642c794/SequentialEventDispatcher] com.q1labs.configservices.common.ConfigServicesException: Failed to read output from ssh connection on host <IP of Managed Host>

Cause

This issue occurs when the managed host is removed from the deployment while it is not reachable from the Console.
Because the host is unreachable, a portion of the removal process (scriptToRemoveMH.sh) is not run on the managed host. As a result, the managed host still believes it is part of the deployment.

Diagnosing The Problem

After the add host process fails, the following errors can be seen on the affected managed host:

In /var/log/setup-xxxx-/presence.log:

[presence.pl-18815]: Update CA trust anchor to console host

[presence.pl-18815]: Syncing local time to console host

[presence.pl-18815]: Restarting hostservices to pick up time change

[presence.pl-18815]: Testing tomcat connection ...

[presence.pl-18815]: Tomcat is not connected. ERROR:100024

In /var/log/qradar.log:

[test_tomcat_connection] [main] com.q1labs.core.shared.jsonrpc.RPC: [INFO] [NOT:0000006000][<IP of Managed Host>/- -] [-/- -]The console IP in the connect url is equal to the real console IP. Won't try again. Throw the original error.

[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][<IP of Managed Host>/- -] [-/- -]Exception occured while attempting to communicate with tomcat.

[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO] [NOT:0000006000][<IP of Managed Host>/- -] [-/- -]No connection to tomcat
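
The two log signatures above can be checked together before the managed host is changed. The following shell script is an added example, not IBM code: the function names and the sample log lines are constructed, and 192.0.2.20 stands in for the managed host IP.

```shell
# Added example: match the add-host failure signature quoted on this page.

# Print the ERROR code of the most recent presence.pl tomcat test, or nothing
# if the latest "Testing tomcat connection" attempt logged no failure.
presence_error_code() {
    [ -r "$1" ] || return 0
    awk '
        /: Testing tomcat connection/ { code = "" }   # new attempt: forget older failures
        /: Tomcat is not connected\. ERROR:/ {
            sub(/.*ERROR:/, ""); sub(/[^0-9].*/, ""); code = $0
        }
        END { print code }
    ' "$1"
}

# Count test_tomcat_connection lines reporting "No connection to tomcat".
tomcat_failure_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -F '[test_tomcat_connection]' "$1" | grep -cF 'No connection to tomcat' || true
}

# Return 0 when both logs show the signature from "Diagnosing The Problem".
diagnose_add_host() {
    _code=$(presence_error_code "$1")
    _count=$(tomcat_failure_count "$2")
    if [ "$_code" = "100024" ] && [ "$_count" -gt 0 ]; then
        echo "match: presence.pl ERROR:$_code, $_count 'No connection to tomcat' line(s)"
        return 0
    fi
    echo "no match: presence code='${_code}', tomcat failures=$_count"
    return 1
}

# Constructed sample logs (192.0.2.20 stands in for the managed host IP).
make_sample_logs() {
    cat > "$1/presence.log" <<'EOF'
[presence.pl-18815]: Restarting hostservices to pick up time change
[presence.pl-18815]: Testing tomcat connection ...
[presence.pl-18815]: Tomcat is not connected. ERROR:100024
EOF
    cat > "$1/qradar.log" <<'EOF'
[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][192.0.2.20/- -] [-/- -]Exception occured while attempting to communicate with tomcat.
[test_tomcat_connection] [main] com.q1labs.hostcontext.backup.core.BackupUtils: [INFO] [NOT:0000006000][192.0.2.20/- -] [-/- -]No connection to tomcat
EOF
}

tmp=$(mktemp -d)
make_sample_logs "$tmp"
diagnose_add_host "$tmp/presence.log" "$tmp/qradar.log"
```

On a real managed host, pass the presence.log under /var/log/setup-xxxx-/ and /var/log/qradar.log instead of the sample files.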

Resolving The Problem

  1. Log in to the affected managed host.
  2. Stop the hostcontext service:
    systemctl stop hostcontext
  3. Back up /opt/qradar/conf/nva.conf and overwrite it with the template file.
    1. Create the backup directory:
      mkdir -p /store/IBM_Support/
    2. Take a backup of /opt/qradar/conf/nva.conf:
      cp -av /opt/qradar/conf/nva.conf /store/IBM_Support/nva.conf.orig
    3. Overwrite the file with the template:
      cp -av /opt/qradar/conf/templates/nva.conf /opt/qradar/conf/nva.conf
  4. Retry adding the managed host.

Document Location

Worldwide


Document Information

Modified date:
29 May 2023

UID

ibm16408992