IBM Support

QRadar: How to force the applications to run on the Console when the App Host is unrecoverable

How To


Summary

When the App Host is unrecoverable or the connectivity to the Console is broken to a point where the App Host cannot be reached again, the system does not allow administrators to remove the App Host.

To remove an App Host from a deployment, the applications must run on the Console.

This article shows administrators how to force the applications to run on the Console so that the applications recover their functions and the broken App Host can be removed from the managed host list.

Environment

QRadar multi-system deployment with App Host unrecoverable.

Steps

Administrators must change the state of the applications directly in the database and restart QRadar core services. Administrators are advised to schedule a maintenance window to run the steps in this article.
IMPORTANT: If you are not comfortable enough to run the commands that modify the tables in the database, contact QRadar Support for assistance.
  1. Log in to the QRadar Console as root user.
  2. Back up the application tables.
    1. Create the backup directory.
      mkdir -p /store/IBM_Support/
    2. To back up all the tables, type the following command:
      for table in installed_application installed_application_instance installed_application_host_type_property ; \
      do pg_dump -U qradar -t $table --inserts -f /store/IBM_Support/$table.sql-bck$(date +%F) ; done
  3. Manually mark all apps as STOPPED in the database.

    For QRadar 7.4 and 7.5 run:
    psql -U qradar -c "update installed_application_instance set status='STOPPED'"
    For QRadar 7.3 run:
    psql -U qradar -c "update installed_application set status='STOPPED'"
  4. Update the application tables to match the Console's managed host ID.
    1. Obtain the Console's ID. The ID is usually 53.
      psql -U qradar -c "select id,isconsole from managedhost where isconsole = 't'"
      Output Example
       id | isconsole
      ----+-----------
       53 | t
      
    2. Update the managed_host_id column to match the Console's managed host ID. The ID is usually 53.
      For QRadar 7.5 run:
      psql -U qradar -c "update installed_application_host_type_property set value = <Console_MH_ID> where application_host_type_id = 1"
      For QRadar 7.4 run:
      psql -U qradar -c "update installed_application_instance set managed_host_id=<Console_MH_ID>"
      For QRadar 7.3 run:
      psql -U qradar -c "update installed_application set managed_host_id=<Console_MH_ID>"
  5. Update the /store/qapp/appdefaultserver.cache file to show the Console's managed host ID that you obtained in step 4. The ID is usually 53, as in this command.
    echo -n 53 > /store/qapp/appdefaultserver.cache 
  6. Restart the Tomcat and Hostcontext services on the Console and wait 5 minutes for the services to load.
    IMPORTANT: Restarting these services causes a service interruption; for example, the QRadar UI is not available to any user. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization. For more information about the overall impact, see QRadar: Core services and the impact of restarting services.

    To restart the services, type:
     
    systemctl stop hostcontext && systemctl restart tomcat && systemctl start hostcontext
  7. Wait 5 minutes, then start the applications.
    For QRadar 7.4 and later, use the qappmanager utility.
    For QRadar 7.3, use the API.
  8. Confirm that the application containers run on the Console.
    docker ps -a --format "{{.ID}} - {{.Names}} - {{.Status}}"
    Output Example
    [root@qradar-console01~]# docker ps -a --format "{{.ID}} - {{.Names}} - {{.Status}}"
    c1054eae860c - qapp-1001-iwGzKF0B - Up 1 min
    3bc8c3e8bdfd - qapp-1051-Y9c9bZHA - Up 1 min
    546b255f65a4 - qapp-1152-6mvvZ4lf - Up 1 min
  9. Clear the browser cache before you log in to QRadar.
  10. Log in to the QRadar Console user interface as an admin user.
  11. Remove the App Host from the deployment.
  12. Optional. Restore the applications data.
    Note: The following procedure requires an application data backup to be available, or the App Host to still be functional enough to extract the applications data. If the App Host is unrecoverable and inaccessible, it is not possible to restore the data, and there is no need to run the steps in this section.
    • If the applications data backup is available on an external source, use app-volume-backup.py to restore the data.
    • If the App Host is somehow still reachable, copy the data from the Console by using the secure copy command.
      scp <App Host IP>:/store/docker/volumes/* /store/docker/volumes/


      Result
      The applications now run on the Console and the App Host is removed. If the administrator continues to experience issues, contact QRadar Support for assistance.
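
The following is an added example, not part of the IBM article or of QRadar: read-only shell helpers that check the outputs of steps 4, 5 and 8 before and after the restart. The function names and the sample input are constructed for illustration; the second docker line is altered to show a stopped container.

```shell
#!/usr/bin/env bash
# Added example: read-only checks for steps 4, 5 and 8. Function names and the
# sample data are constructed for illustration; nothing here modifies QRadar.

# Step 4.1: extract the Console ID from the psql table output.
# Succeeds only when exactly one row has isconsole = t and a numeric id.
console_id_from_psql() {
  awk -F'|' '
    { id = $1; flag = $2; gsub(/[[:space:]]/, "", id); gsub(/[[:space:]]/, "", flag) }
    flag == "t" && id ~ /^[0-9]+$/ { n++; found = id }
    END { if (n == 1) print found; else exit 1 }'
}

# Step 5: the cache file must hold exactly the ID. Step 5 writes it with
# echo -n, so this check (an assumption of the example) rejects a trailing newline.
cache_matches() {  # $1 = cache file path, $2 = expected ID
  [ -f "$1" ] && [ "$(cat "$1"; printf x)" = "${2}x" ]
}

# Step 8: print qapp containers whose status does not start with "Up".
# Input is the output of the docker ps --format command from the page.
qapp_not_up() {
  awk -F' - ' '$2 ~ /^qapp-/ && $3 !~ /^Up/ { print $2 }'
}

# Constructed sample input, modelled on the output examples in the article.
SAMPLE_PSQL=' id | isconsole
----+-----------
 53 | t
(1 row)'
SAMPLE_DOCKER='c1054eae860c - qapp-1001-iwGzKF0B - Up 1 min
3bc8c3e8bdfd - qapp-1051-Y9c9bZHA - Exited (1) 2 minutes ago
546b255f65a4 - qapp-1152-6mvvZ4lf - Up 1 min'

id=$(printf '%s\n' "$SAMPLE_PSQL" | console_id_from_psql) \
  && echo "Console managed host ID: $id"
stopped=$(printf '%s\n' "$SAMPLE_DOCKER" | qapp_not_up)
[ -z "$stopped" ] || echo "Not running: $stopped"
```

On the Console, pipe the article's own commands into these functions instead of the sample variables, for example the psql query from step 4.1 into console_id_from_psql and the docker ps command from step 8 into qapp_not_up.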

Document Location

Worldwide


Document Information

Modified date:
31 August 2022

UID

ibm16611385