IBM Support

QRadar: How to change the time zone in QRadar 7.5.0

Troubleshooting


Problem

This technical note outlines the changes made in 7.5.0 to the procedure administrators must use to modify the time zone on QRadar appliances.

Cause

In prior versions, the time zone could be changed with a symbolic link to any time zone within the /usr/share/zoneinfo/ subdirectory. In 7.5.0, eligible time zones are restricted to those returned by the 'timedatectl list-timezones' command.

Resolving The Problem

Important: This process requires a restart of QRadar Core Services, including the Tomcat server. Restarting the Web Server logs out users, cancels event exports, and prevents scheduled reports from running while services restart. It is recommended that you complete this procedure during scheduled maintenance or alert users before you take an action that restarts core services. For more information, see: QRadar: How to clear the Tomcat cache or contact QRadar Support.
 


Before you begin

  • The procedures listed do not apply to HA pairs. The primary HA appliance is responsible for copying the time zone file to the HA secondary. To complete the procedure outlined, you must have root access to the QRadar Console.
  • The procedures listed apply only to QRadar version 7.5.0 and above.

  • Procedure
    In 7.5.0, administrators use the 'timedatectl set-timezone' command to change the time zone on an appliance to an eligible new time zone.
    1. Use SSH to log in to the Console as the root user.
    2. Optional. Open an SSH session to the managed host to make a change on a non-Console appliance.
    3. Type the following to list the eligible new timezones: 
      timedatectl list-timezones
      Use grep to narrow the results.
      Example: 
      [root@csd35 etc]# timedatectl list-timezones | grep -i York
      America/New_York
    4. Set the new time zone with the following command:
      timedatectl set-timezone <new_timezone>
      Example: 
      timedatectl set-timezone America/New_York 
    5. Once the new time zone has been set, type the following to update PostgreSQL:
      /opt/qradar/hooks/timezone.d/sync_timezone.sh && /opt/qradar/hooks/timezone.d/update_postgresql_timezone.sh
      Example: 
       [root@csd35 etc]# /opt/qradar/hooks/timezone.d/sync_timezone.sh && /opt/qradar/hooks/timezone.d/update_postgresql_timezone.sh
       done.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Updating timezone to 'America/New_York' in postgresql conf files
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Processing 'postgresql-qrd' instance of postgresql.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /opt/qradar/db/conf/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /store/postgres/data/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Service postgresql-qrd is running.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Not restarting postgresql-qrd because --restart-if-running flag not passed.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Processing 'postgresql-qvm' instance of postgresql.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /opt/qvm/db/conf/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /store/postgres-qvm/data/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Service postgresql-qvm is running.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Not restarting postgresql-qvm because --restart-if-running flag not passed.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Processing 'postgresql-rm' instance of postgresql.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /opt/qradar/conf/templates/rm-postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /store/postgres-rm/data/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Service postgresql-rm is not running.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Processing 'postgresql-qf' instance of postgresql.
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /opt/qradar/forensics/db/conf/postgresql-qf.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] OK: Set timezone in /store/postgres-qf/data/postgresql.conf to 'America/New_York'
      Thu Feb 22 06:08:24 EST 2024 [update_postgresql_timezone] Service postgresql-qf is not running.
    6. Type the following to ensure the required services are restarted in the correct sequence: 
      /usr/bin/perl -I/opt/qradar/lib/perl -e "use qradar_lib; set_log('/var/log/qradar.log'); restart_services_for_time_change()"
      Example: 
       [root@csd35 etc]# /usr/bin/perl -I/opt/qradar/lib/perl -e "use qradar_lib; set_log('/var/log/qradar.log'); restart_services_for_time_change()"
      Stopping hostcontext service...
      Stopping httpd service...
      Stopping tomcat service...
      Stopping hostservices service...
      Restarting hostservices service...
      Restarting tomcat service...
      Restarting httpd service...
    7. To ensure that changes are applied to the QRadar appliance, type:
      timedatectl
      Example: 
       [root@csd35 etc]#  timedatectl
            Local time: Thu 2024-02-22 06:14:29 EST
        Universal time: Thu 2024-02-22 11:14:29 UTC
              RTC time: Thu 2024-02-22 11:14:29
             Time zone: America/New_York (EST, -0500)
           NTP enabled: yes
      NTP synchronized: Yes
       RTC in local TZ: no
            DST active: no
       Last DST change: DST ended at
                        Sun 2023-11-05 01:59:59 EDT
                        Sun 2023-11-05 01:00:00 EST
       Next DST change: DST begins (the clock jumps one hour forward) at
                        Sun 2024-03-10 01:59:59 EST
                        Sun 2024-03-10 03:00:00 EDT

Results
After services are restarted, the appliance will use the new time zone as defined in Step 4. 
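
The eligibility rule from the Cause section and the checks in steps 5 and 7 can be scripted; the following is an added example, not IBM's code. The function names and the sample input are assumptions constructed from the example output on this page, and every function only reads command output on stdin.

```shell
# Added example: read-only checks for the procedure above. Each function reads
# command output on stdin; nothing here changes the system.

# Exact, case-sensitive match against `timedatectl list-timezones` output.
# A partial name that `grep -i York` would find is rejected here.
tz_is_eligible() { grep -Fxq -- "$1"; }

# Zone name from the "Time zone:" line of `timedatectl` output.
tz_active_zone() {
    awk -F': *' '/^ *Time zone:/ { split($2, f, " "); print f[1]; exit }'
}

# Scan update_postgresql_timezone.sh output: print each conf file set to a
# zone other than $1; fail if any differ or no "OK: Set timezone" line exists.
pg_conf_check() {
    awk -v want="$1" -v q="'" '
        /OK: Set timezone in / {
            seen++; zone = $NF; gsub(q, "", zone)
            if (zone != want) { bad++; print $(NF-2) }
        }
        END { exit (seen == 0 || bad > 0) }'
}

# Constructed sample input, modelled on the example output on this page.
SAMPLE_ZONES='America/New_York
America/North_Dakota/New_Salem
Europe/London'
SAMPLE_STATUS='      Local time: Thu 2024-02-22 06:14:29 EST
       Time zone: America/New_York (EST, -0500)'
SAMPLE_HOOK="[update_postgresql_timezone] OK: Set timezone in /opt/qradar/db/conf/postgresql.conf to 'America/New_York'
[update_postgresql_timezone] OK: Set timezone in /store/postgres/data/postgresql.conf to 'Europe/London'"

# Live use on an appliance (assumed invocation, run as root):
#   timedatectl list-timezones | tz_is_eligible America/New_York || exit 1
#   timedatectl | tz_active_zone
```

Capture the step 5 output to a file and pipe it into `pg_conf_check <zone>`; any path it prints is a postgresql.conf that does not name the zone you set.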


Document Information

Modified date:
29 February 2024

UID

ibm17127803