IBM Support

QRadar: Time Synchronization to a primary host or Console has failed

Troubleshooting


Problem

The QRadar Dashboard displays repeated System Notification messages:
"Time Synchronization to a primary host or Console has failed".

Symptom

  1. QRadar logs report a chrony error in /var/log/qradar.log.
  2. Administrators see offenses created with an end time that occurs in the future.
  3. Searches return erroneous results, or return no results from the managed host even though you know the event exists.

Cause

Time synchronization on a QRadar managed host fails when the chrony tunnels that are meant to run between the Console and that managed host do not come up. This can happen when leftover parameters in a configuration file disable the chrony tunnels. Possible causes of a time synchronization failure include the following:
  • Erroneous components in a configuration file that disables the chrony tunnels
  • The "chronyd-socat" service is inactive or not running on the Console
  • Other networking issues that impact time synchronization

Diagnosing The Problem

Administrators who receive multiple system notifications related to time synchronization can review the firewall port, or check the managed hosts to determine whether errors are reported in the logs.
 
If the system notification does not list the IP address of the affected managed host, administrators can review /var/log/qradar.log on the managed hosts for error messages. For example:
    HOSTNAME [time_sync]: [ERROR] [NOT:0150003100][IPADDRESS] Time Synchronization to Console has failed - chrony error

To identify managed hosts with time synchronization issues:
  1. Use SSH to log in to the Console as root user.
  2. Type the command:
    /opt/qradar/support/all_servers.sh -k 'grep -i chrony /var/log/qradar.log'
     For example, managed hosts with chrony errors in /var/log/qradar.log return the matching error messages:
    /opt/qradar/support/all_servers.sh -k 'grep -i chrony /var/log/qradar.log'
    (..)
    (..) [time_sync]: [ERROR] (..) Time Synchronization to Console has failed - chrony error
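
One way to turn the grep output from the step above into a per-host failure count, as an added example that is not part of the IBM article. The function names, host names and 192.0.2.x addresses are constructed, and the line layout is assumed to match the error sample shown earlier in this section.

```shell
#!/bin/sh
# Added example: count time_sync chrony failures per managed-host IP.
# Assumed line layout (taken from the sample in this article):
#   HOSTNAME [time_sync]: [ERROR] [NOT:0150003100][IPADDRESS] Time Synchronization ... chrony error

# Reads qradar.log lines on stdin and prints "COUNT IP", highest count first.
summarize_time_sync_failures() {
  awk '
    # Same filter as "grep -i chrony", narrowed to time_sync ERROR lines.
    /\[time_sync\]/ && /\[ERROR\]/ && tolower($0) ~ /chrony/ {
      # The affected host is the bracketed field right after the NOT code.
      if (match($0, /\[NOT:[0-9]+\]\[[^]]+\]/)) {
        ip = substr($0, RSTART, RLENGTH)
        sub(/^\[NOT:[0-9]+\]\[/, "", ip)
        sub(/\]$/, "", ip)
        count[ip]++
      }
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (not real log data). The last line mentions
# chrony but is not a time_sync error, so it must be ignored.
sample_log() {
  cat <<'EOF'
mh-ep01 [time_sync]: [ERROR] [NOT:0150003100][192.0.2.11] Time Synchronization to Console has failed - chrony error
mh-ep01 [time_sync]: [ERROR] [NOT:0150003100][192.0.2.11] Time Synchronization to Console has failed - chrony error
mh-fp02 [time_sync]: [ERROR] [NOT:0150003100][192.0.2.12] Time Synchronization to Console has failed - chrony error
mh-ep01 [hostcontext]: [INFO] chrony tunnel check scheduled
EOF
}

# Demo on the constructed sample. On a live host, feed the real log instead:
#   summarize_time_sync_failures < /var/log/qradar.log
sample_log | summarize_time_sync_failures
```

A host whose count keeps growing between runs is still failing to synchronize, so offense and search timestamps from that host should be treated as unreliable until the steps in the next section are completed.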

Resolving The Problem

Ensure that the chronyd-socat service is running on the Console, and that the chronyd tunnels are running from the console to the managed hosts by doing the following:
 
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Run the following command on the Console:
    systemctl status chronyd-socat
    The expected output shows the service as active and running.
    If the status of chronyd-socat does not show that it is "active (running)", run the following command:
    systemctl restart chronyd-socat
  3. Run the following script from the Console to ensure that the chrony tunnels are enabled across all managed hosts:
    /opt/qradar/chrony/enable-chronyd-tunnels.sh
  4. Perform a restart of hostcontext:
    systemctl restart hostcontext
  5. Deploy Full Configuration from the Admin tab.
    WARNING: Deploys affect event ingestion and might need to be performed during a scheduled maintenance window.
  6. Verify that time synchronization is now working on all hosts by running the following from the Console:
    /opt/qradar/support/all_servers.sh -k "/opt/qradar/bin/time_sync.sh"
    If the time sync is successful, the system clock offset is displayed for each host:
    2020-05-27T15:55:46Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
    2020-05-27T15:55:50Z System clock wrong by -0.005335 seconds (step)
    2020-05-27T15:55:50Z chronyd exiting

Result

Time synchronization now occurs successfully every 10 minutes on the managed hosts, and time synchronization failure alerts no longer appear as notifications on the Console.

If the time synchronization process fails with a different error, contact QRadar Support for assistance.

Document Location

Worldwide

Document Information

Modified date:
21 February 2024

UID

ibm17122483