IBM Support

QRadar: High Availability cluster creation fails with error "Secondary xxxx is not an HA standby system"

Troubleshooting


Problem

After a failed high-availability (HA) cluster creation attempt, subsequent creation attempts fail with error "Secondary xxxx is not an HA standby system", or "The secondary host is not a High Availability Host".

Symptom

The following error message appears in the HA Wizard after a failed attempt:

The secondary host is not a High Availability Host

Cause

During the HA cluster creation, the /opt/qradar/conf/capabilities/hostcapabilities.xml file gets copied from the primary to the secondary host. If the creation process fails midway, the secondary would get incorrect data introducing the error on consequent attempts.

Diagnosing The Problem

After the failed attempt, connect to the secondary host and review the contents of the /etc/.appliance_name, and /opt/qradar/conf/capabilities/hostcapabilities.xml file and confirm the appliance type is not 500.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. SSH to the secondary host to be added.
  3. Check the appliance name is 500.
    cat /etc/.appliance_name
  4. Review the contents of the /opt/qradar/conf/capabilities/hostcapabilities.xml.
    cat /opt/qradar/conf/capabilities/hostcapabilities.xml
    Output Example:
    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <HostCapabilities
            isConsole="true"
            IP="<Secondary Host IP>"
            applianceType="3178"
            hostName="qradar-sec"
            qradarVersion="7.5.0"
            hardwareSerial="XXXX"
            activationKey="xxxd-4525-xxxxx-5#5o32C"
            managementInterface="eth0"
            xmlns="http://www.q1labs.com/products/qradar"
    />

    Result
    The previous output displays the parameter "applianceType" is 3178 (Console) and not 500 (High Availability host) and the "highAvailability" parameter is missing. This mismatch introduces the error.

Resolving The Problem

Administrators are encouraged to read the QRadar High Availability guide and QRadar: High Availability FAQ documentation to familiarize themselves with High Availability deployments.
To resolve the problem, restore the parameters of the /opt/qradar/conf/capabilities/hostcapabilities.xml in the secondary host. There are 2 methods to achieve it.
  • Restore from backup. Preferred method for most users.
  • Manual editing of the file. Suggested for users comfortable with Linux commands.
Method 1 - Restore from backup file
  1. Use SSH to log in to the QRadar Console as the root user.
  2. SSH to the secondary host to be added.
  3. Back up the current /opt/qradar/conf/capabilities/hostcapabilities.xml file.
    mkdir -p /store/IBM_Support/
    cp -p /opt/qradar/conf/capabilities/hostcapabilities.xml /store/IBM_Support/hostcapabilities.xml-bck$(date +%F)
  4. Extract the /opt/qradar/conf/capabilities/hostcapabilities.xml from the backup.
    cp -p /opt/qradar/ha/capabilities.back.tar.gz /store/IBM_Support/
    cd /store/IBM_Support/
    tar -xzvf capabilities.back.tar.gz
  5. Review the contents of the file.
    cat /store/IBM_Support/hostcapabilities.xml
    • The expected value of the parameter "isConsole" for secondary host for a Console HA Cluster is true.
    • The expected value of the parameter "isConsole" for secondary host for a Managed Host HA Cluster is false.
     
    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <HostCapabilities
            isConsole="true"
            IP="<Secondary Host IP>"
            applianceType="500"
            hostName="qradar-sec"
            qradarVersion="7.5.0"
            hardwareSerial="XXXX"
            activationKey="xxxd-4525-xxxxx-5#5o32C"
            managementInterface="eth0"
            xmlns="http://www.q1labs.com/products/qradar"
    />
  6. Overwrite the /opt/qradar/conf/capabilities/hostcapabilities.xml.
    cp -fv /store/IBM_Support/hostcapabilities.xml /opt/qradar/conf/capabilities/hostcapabilities.xml

    Result
    The /opt/qradar/conf/capabilities/hostcapabilities.xml file is properly restored from a backup, and consequent HA cluster creation attempts don't fail because of this error. If the cluster creation still fails with the same error, contact QRadar Support for assistance.
Method 2 - Edit manually the file
IMPORTANT: Administrators not comfortable with Linux file-editing commands
  1. Use SSH to log in to the QRadar Console as the root user.
  2. SSH to the secondary host to be added.
  3. Back up the current /opt/qradar/conf/capabilities/hostcapabilities.xml file.
  4. By using the vi command, edit the values of the "isConsole", "applianceType", and add the "highAvailability" parameters.
    vim /opt/qradar/conf/capabilities/hostcapabilities.xml
    1. Press i to edit the content.
    2. Modify the "isConsole" parameter.
      isConsole="true/false"
      • The expected value of the parameter "isConsole" for secondary host for a Console HA Cluster is true.
      • The expected value of the parameter "isConsole" for secondary host for a Managed Host HA Cluster is false.
         
    3. Modify the "applianceType" parameter. This value must be set to 500.
      applianceType="500"
    4. Add a line before the "xmlns" parameter and type highAvailability="true".
              highAvailability="true"
              xmlns="http://www.q1labs.com/products/qradar"
      />
    5. Save the changes by pressing ESC, then :wq.
  5. Review the contents of the file.
    cat /opt/qradar/conf/capabilities/hostcapabilities.xml
    Output Example of a Console HA host:
    <?xml version='1.0' encoding='UTF-8' standalone='yes'?>
    <HostCapabilities
            isConsole="true"
            IP="<Secondary Host IP>"
            applianceType="500"
            hostName="qradar-sec"
            qradarVersion="7.5.0"
            hardwareSerial="XXXX"
            activationKey="xxxd-4525-xxxxx-5#5o32C"
            managementInterface="eth0"
            highAvailability="true"
            xmlns="http://www.q1labs.com/products/qradar"
    />
    Result
    The /opt/qradar/conf/capabilities/hostcapabilities.xml file is corrected manually and consequent HA cluster creation attempts don't fail because of this error. If the cluster creation still fails with the same error, contact QRadar Support for assistance.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtXAAQ","label":"High Availability"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
22 November 2022

UID

ibm16839383