IBM Support

QRadar: How is time synchronized in managed hosts?

Question & Answer


Question

How is time synchronized in QRadar managed hosts with encrypted and nonencrypted environments? How can I test the connection?

Answer

The time on all QRadar appliances other than the console is synchronized by a script named time_sync.sh. A cron job runs this script every 10 minutes, and the script synchronizes the time with the QRadar console.
The time synchronization flow depends on whether the host is encrypted or not.

Time synchronization with an encrypted connection

By default, QRadar comes with all the connections encrypted, which means that QRadar uses SSH tunnels to connect the services in the deployment. This feature makes the time synchronization process easier since it requires fewer connections in the network.

To synchronize the time, a managed host executes the /opt/qradar/bin/time_sync.sh script every 10 minutes. This script connects to localhost by using the port TCP/12500, and the connection reaches the chrony daemon in the console to retrieve the time.

The following image is an overview of the QRadar time synchronization with encrypted connections:
[Image: time sync encrypted overview]

A basic test to determine whether the time synchronization is occurring is to check whether the tunnel is running:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use SSH to log in to the QRadar appliance for the test.
  3. Test the connectivity to localhost:12500
    nc -zv localhost 12500
    Output example:
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to ::1:12500.
    Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
    
    Result
    The administrator has confirmed that the managed host is able to connect to the time synchronization tunnel. If the test fails, contact QRadar Support for assistance.

Time synchronization with a nonencrypted connection

To synchronize the time in a nonencrypted environment, a managed host executes the /opt/qradar/bin/time_sync.sh script every 10 minutes. This script connects to the console's private IPv4 address by using the port UDP/123, and the connection reaches the chrony daemon in the console to retrieve the time.

The following image is an overview of the QRadar time synchronization with nonencrypted connections:
[Image: time sync non-encrypted overview]

A basic test to determine whether the time synchronization is occurring is to check that the managed host is able to connect to the console IPv4 by using port UDP/123:

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use SSH to log in to the QRadar appliance for the test.
  3. Test the connectivity to console_ip:123
    nc -zv -u <console_ip> 123
    Output example:
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to <console_ip>:123.
    Ncat: UDP packet sent successfully
    Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds.
    
    Result
    The administrator has confirmed that the managed host is able to connect to the chrony daemon running in the console. If the test fails, contact QRadar Support for assistance.
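
Because UDP is connectionless, the nc test in step 3 can report success without any reply from the console (the sample output shows 0 bytes received). The following added example, which is not IBM code and not part of time_sync.sh, sends one standard NTP client query to UDP/123 and requires a valid server reply before reporting success. It assumes Python 3 on the managed host and that the console's chrony daemon answers standard NTP client requests on that port; the script name ntp_check.py is hypothetical.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_request(t_send):
    # Byte 0 = 0x23: LI 0, version 4, mode 3 (client); transmit time in last 8 bytes
    sec, frac = int(t_send) + NTP_DELTA, int((t_send % 1) * 2**32)
    return b"\x23" + 39 * b"\x00" + struct.pack("!2I", sec, frac)


def parse_reply(request, data, t_send, t_recv):
    """Return (stratum, offset_seconds); raise ValueError on an unusable reply."""
    if len(data) < 48:
        raise ValueError("short reply: %d bytes" % len(data))
    if data[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode %d)" % (data[0] & 0x07))
    if not 1 <= data[1] <= 15:
        raise ValueError("server not synchronized (stratum %d)" % data[1])
    if data[24:32] != request[40:48]:
        raise ValueError("origin timestamp does not match our request")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", data[32:48])
    t_rx = rx_s - NTP_DELTA + rx_f / 2**32  # server receive time (T2)
    t_tx = tx_s - NTP_DELTA + tx_f / 2**32  # server transmit time (T3)
    # Standard NTP offset: ((T2 - T1) + (T3 - T4)) / 2
    return data[1], ((t_rx - t_send) + (t_tx - t_recv)) / 2


def query(host, port=123, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        request = build_request(t_send)
        s.sendto(request, (host, port))
        data, _ = s.recvfrom(512)  # socket.timeout (an OSError) if nothing answers
        return parse_reply(request, data, t_send, time.time())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ntp_check.py <console_ip>")
    try:
        stratum, offset = query(sys.argv[1])
    except (OSError, ValueError) as exc:
        sys.exit("FAIL: no usable NTP reply from console: %s" % exc)
    print("OK: stratum %d, local clock offset %+.3f s" % (stratum, offset))
```

A timeout here while the nc test still reports success indicates that packets leave the managed host but no NTP answer comes back, for example because of filtering between the hosts.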

Document Information

Modified date:
13 July 2023

UID

ibm17004713