IBM Support

QRadar: Unable to retrieve/generate a Forensics recovery of a host... failed status

Troubleshooting


Problem

You are unable to retrieve or generate a forensics recovery for any host, and the recovery status shows the message "Failed".

Symptom

The Forensics Recovery constantly fails, and no forensics recovery of the hosts can be retrieved or generated.

Cause

This problem can be related to password synchronization between the Network PCAP device and QRadar Incident Forensics.

Diagnosing The Problem

Resolving The Problem

- First, check QRadar APARs 101. The QRadar Support team created the QRadar APARs 101 page to make APARs more searchable for users and administrators.
- If you cannot find anything related to this error on QRadar APARs 101, the problem could be related to password synchronization.
- To confirm a password synchronization issue:
  1. Log in with the Admin user and password on the NPCAP device.
  2. Then, log in with the Admin user and password on QRadar and follow these steps:
     - In the SIEM console UI, click the "Admin" tab.
     - Click "System & License Management".
     - Select QIF 600.
     - Click "Edit Managed Host" > Component Management.
     - You are then prompted for the same admin credentials.
- Click Save to synchronize the credentials.
- Perform a full deployment from the QRadar Admin tab.
- Then, perform a new Forensics recovery. This time you should see a green "Success" status.

Document Location

Worldwide

Document Information

Modified date:
01 January 2024

UID

ibm16589695