Troubleshooting
Problem
QRadar Managed Host services check for the license entitlement when they start. The license values are included in the database copy that is transferred regularly to managed hosts from the Console by the replication process.
When a managed host is not able to retrieve the current values of the database, a mismatch occurs and causes the license check failures, services not starting, and the appliance functions are interrupted.
Symptom
The following symptoms can be seen when the issue occurs:
- The managed host state is shown as unknown in the Console's user interface.
- The system notification about license expired or invalid is received in the notifications menu.
- On the managed host's /var/log/qradar.log, the following error is displayed:
[hostcontext.hostcontext] com.q1labs.hostcontext.processmonitor.ProcessManager: [INFO] [NOT:0150114104][/- -] [-/- -]Invalid or expired license detected, stopping all processes.
Cause
The cause of this problem is a mismatch between the Console's database and the managed host's database local copy.
Diagnosing The Problem
Administrators can obtain the values of the conflicting managed host in the Console's database, and compare them against the managed hosts database local copy.
- Use SSH to log in to the Console as the root user.
- Obtain the conflicting managed host's information in the database.
Output Example:psql -U qradar -c "select id,ip,hostname from serverhost where ip='<Managed Host IP>'"
Make note of the id value. In the previous example, the id is 101.psql -U qradar -c "select id,ip,hostname from serverhost where ip='10.11.12.13'" id | ip | hostname -----+-------------+------------------------------------------- 101 | 10.11.12.13 | qradar-datanode01.test.local - Inspect the license entry associated with the conflicting host.
Output Example:psql -U qradar -c "select id, host_id from license_key"
In the previous example, the last entry in the host_id column matches the conflicting managed host's id 101.psql -U qradar -c "select id, host_id from license_key" id | host_id -----+--------- 55 | 51 54 | 51 53 | 51 52 | 51 102 | 101 (5 rows) - SSH to the conflicting managed host.
- Obtain the conflicting managed host's information in the database.
Output Example:psql -U qradar -c "select id, host_id from license_key"
In the managed host local copy, the conflicting managed host's id 101 entry missing.psql -U qradar -c "select id, host_id from license_key" id | host_id ----+--------- 55 | 51 54 | 51 53 | 51 52 | 51 (4 rows)
Resolving The Problem
To resolve this problem, administrators can force the conflicting managed host to obtain a new copy of the database.
- Log in to the Console as the root user.
- SSH to the conflicting managed host.
- Stop the hostcontext service manually.
systemctl stop hostcontext - Obtain a new copy of the database by running the following script.
Note: The script starts the hostcontext service automatically./opt/qradar/bin/replication.pl -rebuild - Wait 5 minutes after the script finishes.
- Verify the hostcontext service remains up.
systemctl status hostcontext
Result
The managed host database local copy is now synchronized with the Console. If hostcontext does not remain up, administrators can run a configuration deploy manually. If the issue persists, contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.3"}]
Was this topic helpful?
Document Information
Modified date:
26 July 2022
UID
ibm16602519