IBM Support

QRadar: What services run on each appliance type

Question & Answer


Question

What services need to be running in each QRadar appliance?

Answer

IBM QRadar SIEM has three core services:

Tomcat service

The Tomcat service runs only on the Console and manages the HTTPd service to make the user interface available.

Hostcontext service

Hostcontext runs on each appliance in a deployment. It is responsible for starting, stopping, and verifying the status of each component within a deployment. The following table lists each appliance, its appliance type, and its Hostcontext subservices.

| Appliance | Appliance type | Hostcontext subservices |
| --- | --- | --- |
| Console | 31xx | accumulator, ariel_proxy_server, offline_forwarder, ecs-ec, ecs-ec-ingress, ecs-ep, vis, reporting_executor, report_runner, assetprofiler, arc_builder, qflow, historical_correlation, qvm_processor |
| Event Collector | 15xx | ecs-ec, ecs-ec-ingress, vis |
| Event Processor | 16xx | accumulator, ecs-ep, vis, ariel_query_server, arc_builder, offline_forwarder, ecs-ec, ecs-ec-ingress |
| Flow Collector | 12xx | vis, qflow |
| Flow Processor | 17xx | accumulator, ecs-ep, vis, ariel_query_server, arc_builder, offline_forwarder, ecs-ec, ecs-ec-ingress |
| Event/Flow Processor | 18xx | accumulator, ecs-ep, vis, ariel_query_server, arc_builder, offline_forwarder, ecs-ec, ecs-ec-ingress, qflow |
| Data Node | 14xx | accumulator, ariel_query_server, dataNode, offline_forwarder |
| App Host | 4000 | N/A |
| Data Gateway | 7000 | qvm_scanner, vis, qflow, ecs-ec, ecs-ec-ingress |
| QRadar Risk Manager | 700 | ariel_query_server, tomcat-rm, ziptie-server |
| QRadar Vulnerability Manager Scanner | 610 | qvmscanner, vis |
| QRadar Vulnerability Manager Processor | 600 | vis |
| QRadar Incident Forensics | 6000 | forensicsnode |
| QRadar Network Insights | 6500 | forensics_realtime |

Hostservices service

Hostservices runs on each appliance in a deployment. It is responsible for keeping track of base services such as PostgreSQL. The subservices managed by Hostservices include IMQ, Docker, and PostgreSQL.

| Appliance | Appliance type | Subservices |
| --- | --- | --- |
| Console | 31xx | docker, imq, postgresql-qrd, postgresql-qvm |
| Event Collector | 15xx | imq, postgresql-qrd, postgresql-qvm |
| Event Processor | 16xx | imq, postgresql-qrd, postgresql-qvm |
| Flow Collector | 12xx | imq, postgresql-qrd, postgresql-qvm |
| Flow Processor | 17xx | imq, postgresql-qrd, postgresql-qvm |
| Event/Flow Processor | 18xx | imq, postgresql-qrd, postgresql-qvm |
| Data Node | 14xx | imq, postgresql-qrd, postgresql-qvm |
| App Host | 4000 | docker, imq, postgresql-qrd, postgresql-qvm |
| Data Gateway | 7000 | imq, postgresql-qrd, postgresql-qvm |
| QRadar Risk Manager | 700 | imq, postgresql-qrd, postgresql-qvm, postgresql-rm |
| QRadar Vulnerability Manager Scanner | 610 | imq, postgresql-qrd, postgresql-qvm |
| QRadar Vulnerability Manager Processor | 600 | imq, postgresql-qrd, postgresql-qvm |
| QRadar Incident Forensics | 6000 | imq, postgresql-qrd, postgresql-qvm |
| QRadar Network Insights | 6500 | imq, postgresql-qrd, postgresql-qvm |

For administrators wondering about the impact of restarting services, see "QRadar: Core services and the impact of restarting services".


Document Information

Modified date:
07 November 2022

UID

ibm16620577