Troubleshooting
Problem
After a failed high-availability (HA) cluster creation attempt, subsequent creation attempts fail with the error "Secondary xxxx is not an HA standby system" or "The secondary host is not a High Availability Host".
Cause
During the HA cluster creation, the /opt/qradar/conf/capabilities/hostcapabilities.xml file gets copied from the primary to the secondary host. If the creation process fails midway, the secondary host is left with incorrect data, which causes the error on subsequent attempts.
Diagnosing The Problem
After the failed attempt, connect to the secondary host, review the contents of the /etc/.appliance_name and /opt/qradar/conf/capabilities/hostcapabilities.xml files, and confirm the appliance type is not 500.
- Use SSH to log in to the QRadar Console as the root user.
- SSH to the secondary host to be added.
- Check that the appliance name is 500.
cat /etc/.appliance_name
- Review the contents of the /opt/qradar/conf/capabilities/hostcapabilities.xml.
cat /opt/qradar/conf/capabilities/hostcapabilities.xml
Output Example:
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities isConsole="true" IP="<Secondary Host IP>" applianceType="3178" hostName="qradar-sec" qradarVersion="7.5.0" hardwareSerial="XXXX" activationKey="xxxd-4525-xxxxx-5#5o32C" managementInterface="eth0" xmlns="http://www.q1labs.com/products/qradar" />
Result
The previous output shows that the "applianceType" parameter is 3178 (Console) and not 500 (High Availability host), and that the "highAvailability" parameter is missing. This mismatch introduces the error.
Resolving The Problem
Administrators are encouraged to read the QRadar High Availability guide and QRadar: High Availability FAQ documentation to familiarize themselves with High Availability deployments.
To resolve the problem, restore the parameters of the /opt/qradar/conf/capabilities/hostcapabilities.xml in the secondary host. There are 2 methods to achieve it.
- Restore from backup. Preferred method for most users.
- Manual editing of the file. Suggested for users comfortable with Linux commands.
Method 1 - Restore from backup file
- Use SSH to log in to the QRadar Console as the root user.
- SSH to the secondary host to be added.
- Back up the current /opt/qradar/conf/capabilities/hostcapabilities.xml file.
mkdir -p /store/IBM_Support/
cp -p /opt/qradar/conf/capabilities/hostcapabilities.xml /store/IBM_Support/hostcapabilities.xml-bck$(date +%F)
- Extract the /opt/qradar/conf/capabilities/hostcapabilities.xml from the backup.
cp -p /opt/qradar/ha/capabilities.back.tar.gz /store/IBM_Support/
cd /store/IBM_Support/
tar -xzvf capabilities.back.tar.gz
- Review the contents of the file.
cat /store/IBM_Support/hostcapabilities.xml
- The expected value of the parameter "isConsole" for secondary host for a Console HA Cluster is true.
- The expected value of the parameter "isConsole" for secondary host for a Managed Host HA Cluster is false.
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities isConsole="true" IP="<Secondary Host IP>" applianceType="500" hostName="qradar-sec" qradarVersion="7.5.0" hardwareSerial="XXXX" activationKey="xxxd-4525-xxxxx-5#5o32C" managementInterface="eth0" xmlns="http://www.q1labs.com/products/qradar" />
- Overwrite the /opt/qradar/conf/capabilities/hostcapabilities.xml.
cp -fv /store/IBM_Support/hostcapabilities.xml /opt/qradar/conf/capabilities/hostcapabilities.xml
Result
The /opt/qradar/conf/capabilities/hostcapabilities.xml file is properly restored from a backup, and subsequent HA cluster creation attempts don't fail because of this error. If the cluster creation still fails with the same error, contact QRadar Support for assistance.
Method 2 - Manually edit the file
IMPORTANT: Administrators not comfortable with Linux file-editing commands
- Use SSH to log in to the QRadar Console as the root user.
- SSH to the secondary host to be added.
- Back up the current /opt/qradar/conf/capabilities/hostcapabilities.xml file.
- By using the vi command, edit the values of the "isConsole" and "applianceType" parameters, and add the "highAvailability" parameter.
vim /opt/qradar/conf/capabilities/hostcapabilities.xml
- Press i to edit the content.
- Modify the "isConsole" parameter.
isConsole="true/false"
- The expected value of the parameter "isConsole" for secondary host for a Console HA Cluster is true.
- The expected value of the parameter "isConsole" for secondary host for a Managed Host HA Cluster is false.
- Modify the "applianceType" parameter. This value must be set to 500.
applianceType="500"
- Add a line before the "xmlns" parameter and type highAvailability="true".
highAvailability="true" xmlns="http://www.q1labs.com/products/qradar" />
- Save the changes by pressing ESC, then :wq.
- Review the contents of the file.
cat /opt/qradar/conf/capabilities/hostcapabilities.xml
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities isConsole="true" IP="<Secondary Host IP>" applianceType="500" hostName="qradar-sec" qradarVersion="7.5.0" hardwareSerial="XXXX" activationKey="xxxd-4525-xxxxx-5#5o32C" managementInterface="eth0" highAvailability="true" xmlns="http://www.q1labs.com/products/qradar" />
The /opt/qradar/conf/capabilities/hostcapabilities.xml file is corrected manually, and subsequent HA cluster creation attempts don't fail because of this error. If the cluster creation still fails with the same error, contact QRadar Support for assistance.
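The review steps in "Diagnosing The Problem" and at the end of Method 2 can be scripted. The following is an added example, not part of the original document or of IBM tooling: the function names get_attr and check_ha_secondary and the sample files are hypothetical, and the sample XML is constructed from the outputs shown on this page.

```shell
#!/bin/sh
# Added example, not IBM tooling; function names and sample files are hypothetical.

# Print the value of attribute $1 in file $2 (prints nothing if it is absent).
# Lines are joined first, because Method 2 puts highAvailability on its own line.
get_attr() {
    tr '\n' ' ' < "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# check_ha_secondary FILE EXPECTED_ISCONSOLE
# Returns 0 when FILE carries the HA-secondary values, 1 on a mismatch,
# 2 when FILE cannot be read. Each mismatch is reported on stdout.
check_ha_secondary() {
    file=$1 want_console=$2 rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    atype=$(get_attr applianceType "$file")
    ha=$(get_attr highAvailability "$file")
    console=$(get_attr isConsole "$file")
    if [ "$atype" != "500" ]; then
        echo "applianceType is '$atype', expected 500"; rc=1
    fi
    if [ "$ha" != "true" ]; then
        echo "highAvailability is '${ha:-missing}', expected true"; rc=1
    fi
    if [ "$console" != "$want_console" ]; then
        echo "isConsole is '$console', expected '$want_console'"; rc=1
    fi
    return $rc
}

# Constructed samples: the failed state shown on this page, and a corrected file.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/broken.xml" <<'EOF'
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities isConsole="true" IP="192.0.2.10" applianceType="3178" hostName="qradar-sec" managementInterface="eth0" xmlns="http://www.q1labs.com/products/qradar" />
EOF
cat > "$SAMPLES/fixed.xml" <<'EOF'
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<HostCapabilities isConsole="true" IP="192.0.2.10" applianceType="500" hostName="qradar-sec" managementInterface="eth0"
highAvailability="true"
xmlns="http://www.q1labs.com/products/qradar" />
EOF

for name in broken fixed; do
    if check_ha_secondary "$SAMPLES/$name.xml" true; then
        echo "$name.xml: expected HA values present"
    else
        echo "$name.xml: needs repair"
    fi
done
```

On the secondary host, pass /opt/qradar/conf/capabilities/hostcapabilities.xml as the first argument and true (Console HA cluster) or false (Managed Host HA cluster) as the second.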
Document Location
Worldwide
Document Information
Modified date:
22 November 2022
UID
ibm16839383