IBM Support

QRadar: Managed host shows up in Unknown status in System and License Management tab

Troubleshooting


Problem

The managed host shows up in Unknown status in System and License Management tab.

Symptom

The managed host is listed with the status Unknown in the System and License Management tab.

Cause

There can be various causes for this issue. This article covers the following causes:
  • SSH connection from the Console to the managed host is not password-less.
  • The managed host is not able to SSH to itself.
  • SSH to the host fails with the error "No ECDSA host key is known for <Managed host IP>".
  • Services are restarting or in a failed state.

Environment

QRadar 7.4.2 and later.

Diagnosing The Problem

The following are examples of the error traces that administrators might see when the status of the managed host in the System and License Management tab shows as Unknown.

SSH from Console to Managed host requires password

root@managed_host's password: 
Last failed login: Sun Mar 26 20:00:57 IST 2023 from console on ssh:notty
There was 2531 failed login attempt since the last successful login.
Last login: Sun Mar 26 19:45:27 2023 from console

Failed SSH from Console to Managed host

[root@console ~]# ssh <Managed Host IP>
No ECDSA host key is known for <Managed Host IP> and you have requested strict checking.
Host key verification failed.

Unknown status displayed in qradar.log

[root@managedhost ~]# tailf /var/log/qradar.log | grep -i serverhoststatus
Mar 26 20:03:49 ::ffff:xx.xx.xx.xx [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Sent update status of host <Managed Host IP> to UNKNOWN

Services are down on Managed host

[root@managed_host ~]# systemctl status hostcontext
● hostcontext.service - hostcontext daemon
   Loaded: loaded (/usr/lib/systemd/system/hostcontext.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/hostcontext.service.d
           └─timeout.conf, ulimit.conf
   Active: failed (Result: exit-code) since Sun 2023-03-26 19:47:50 IST; 1hr ago
[root@managed_host ~]# systemctl status hostservices
● hostservices.service - hostservices alias script
   Loaded: loaded (/usr/lib/systemd/system/hostservices.service; enabled; vendor preset: disabled)
   Active: failed (Result: signal) since Sun 2023-03-26 20:15:05 IST; 1hr ago

Resolving The Problem

The Unknown status of a managed host can be resolved by following the steps in the section that matches the cause:

SSH from Console to Managed host requires password

  1. SSH to the Console.
  2. Use the following command on the Console to add the RSA key entry for the affected managed host:
    # ssh-copy-id <Managed Host IP>
  3. SSH from the Console to the managed host asks for the password one last time in order to add it.
  4. Subsequent SSH attempts from the Console to the managed host are now password-less:
    # ssh <Managed Host IP>

Failed SSH from Console to Managed host

  1. SSH to Console.
  2. SSH to the remote host with strict host key checking disabled. This adds the host's entry to the /root/.ssh/known_hosts file.
    Note: This command disables the strict check one time only, to allow the change to the known_hosts file. Future attempts use strict checking.
    # ssh <Managed Host IP> -o StrictHostKeyChecking=no
    Warning: Permanently added '<Remote Host IP>' (ECDSA) to the list of known hosts.
    root@<Managed Host IP>'s password:
  3. SSH to the remote host again; the connection is now established.
    # ssh <Managed Host IP>
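
Because step 2 records whatever key the remote end presents, the new known_hosts entry can be compared with the managed host's own ECDSA public key before it is relied on. The script below is an added example, not part of the IBM article; it assumes a copy of /etc/ssh/ssh_host_ecdsa_key.pub was taken on the managed host over a trusted channel, and the function names and sample key strings are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that the ECDSA key stored in known_hosts by the
# one-time StrictHostKeyChecking=no login is the managed host's real key.
# Assumption: PUBFILE is a copy of /etc/ssh/ssh_host_ecdsa_key.pub taken on
# the managed host itself (for example from its local console).

# Constructed sample lines (not real keys) for trying the helpers offline.
SAMPLE_KNOWN='192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhCONSTRUCTEDKEY1='
SAMPLE_PUB='ecdsa-sha2-nistp256 AAAAE2VjZHNhCONSTRUCTEDKEY1= root@managedhost'

# key_blob LINE: print "<type> <base64>" from a known_hosts entry or .pub line.
# Scanning for the key type skips the host field (plain or hashed) and markers.
key_blob() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ecdsa-sha2-|ssh-ed25519$|ssh-rsa$)/) { print $i, $(i + 1); exit }
  }'
}

# keys_match ENTRY PUBLINE: succeed only if both carry the same non-empty key.
keys_match() {
  a=$(key_blob "$1")
  b=$(key_blob "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_host HOST PUBFILE [KNOWN_HOSTS]: live check, run on the Console.
verify_host() {
  kh=${3:-/root/.ssh/known_hosts}
  entry=$(ssh-keygen -F "$1" -f "$kh" | grep -v '^#' | grep 'ecdsa-sha2-' | head -n 1)
  if keys_match "$entry" "$(cat "$2")"; then
    echo "OK: known_hosts key for $1 matches $2"
  else
    echo "MISMATCH for $1: remove the entry with 'ssh-keygen -R $1 -f $kh'" >&2
    return 1
  fi
}

# Run the live check only when a host and a public key file are supplied.
if [ "$#" -ge 2 ]; then
  verify_host "$@"
fi
```

Saved under a name of your choice, it is run on the Console with the managed host IP and the path to the copied .pub file as arguments.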

Unknown status displayed in qradar.log

  1. SSH to the affected managed host from the Console:
    [root@console ~]# ssh <Managed Host IP>
  2. SSH to the affected managed host from itself:
    [root@Managed_host ~]# ssh <Managed Host IP>
    No ECDSA host key is known for <Managed Host IP> and you have requested strict checking.
    Host key verification failed.
If SSH fails, follow the steps in the second scenario (Failed SSH from Console to Managed host) to resolve the issue.

Services are down on Managed host

Restart the services in the following order:

[root@Managed_host ~]# systemctl stop hostcontext
[root@Managed_host ~]# systemctl stop hostservices

[root@Managed_host ~]# systemctl start hostservices
[root@Managed_host ~]# systemctl start hostcontext

Document Location

Worldwide


Document Information

Modified date:
15 June 2023

UID

ibm16960499