IBM Support

QRadar: Full Deploys hang at In Progress or Initializing phase and eventually times out

Troubleshooting


Problem

In QRadar 7.2, a check was created in to determine if searches were running when a Full Deploy changes was started. The user would be prompted that the deploy will cancel these searches and asked if they want to continue. If the Query Server is too busy, this would cause a hang at the In Progress or Initializing phase while this check is done. Eventually this would lead to a Timeout.

Cause

Ariel Server is too busy to respond to the request to see whether there are any running searches.

Diagnosing The Problem

If you see a full deploy changes in a state where the Managed hosts never completes the In Progress or Initializing state like this one, it could mean a search is running.

Look in /var/log/qradar.log for a message similar to this one


Aug 18 14:54:47 ::ffff:192.168.0.75 [ariel.ariel_proxy_server] [q1labs_worker_1] com.q1labs.ariel.searches.AccessManager: [INFO] [NOT:0000006000][192.168.0.75/- -] [-/- -]+++> Ariel Server is running 32 queries <+++

Resolving The Problem

If this number of queries is large, then it is best to wait till the searches complete. If you need to deploy changes here are some steps to try.
  1. Log in to the QRadar user interface.
  2. Click Log Activity.
  3. Click Search > Manage Search Results.
  4. Click on the search you need to cancel

  5. Make a list with the User associated with the search, the search name, time started and duration. This is so you can contact that user to restart their search or you can restart it when the deploy completes.
  6. Click Cancel on all the searches you need to stop.
  7. Once you have enough searches canceled click Admin tab > Deploy Changes.
  8. Restart all the stopped searches.

Results:

You now have completed the Deploy Changes and have restarted all the searches. Alternately you have the information to notify the user of the search to restart their searches.


Where do you find more information?



[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2.8","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
19 February 2019

UID

swg22007474