IBM Support

QRadar: Custom Action Script cannot resolve Host Name when fired from a Managed Host

Troubleshooting


Problem

In QRadar, The Custom Action Script fails when the script references a external host name.

Symptom

The Custom Action Script works correctly when:
•  The Event that triggers the Rule that fires the Custom Action is received on the QRadar Console.
     OR
•  The Script that is being used by the Custom Action is attempting to communicate to an IP address instead of the Host Name.

The Custom Action Script Fails when both of the following are true:
•  The Event that triggers the Rule that fires the Custom Action is received on a QRadar Managed Host.
     AND
•  The Script being used by the Custom Action is attempting to communicate to a Host Name.

 

Cause

Custom Actions are executed by the customactionuser, which runs in a jail shell.

  • The QRadar Console uses /etc/resolv.conf.masq for DNS Lookup. /etc/resolv.conf.masq works for the customactionuser.
  • The QRadar Managed Hosts use /etc/resolv.conf for DNS Lookup, which does not work for the customactionuser
  •  /opt/qradar/bin/ca_jail/etc/resolv.conf must be updated on the Managed Host with DNS servers that can be used to resolve Host Names in the Custom Action Script.


 

Diagnosing The Problem

  1. Modify the Script file and replace the Host Name with the IP Address of the external source.
  2. Re-upload the Script to the Custom Action to replace the old Script that used the Host Name.
  3. Open the Admin settings:   
    1. In IBM Security QRadar V7.3.1, click the navigation menu ☰ , and then click Admin to open the Admin tab.
    2. In IBM Security QRadar V7.3.0 or earlier, click the Admin tab.
  4. Scroll down to Custom Actions > Click  Define Actions
  5. Highlight your Custom Action Script > click Edit.
  6. Browse to the updated Script file > click Open.
  7. Click Save.
  8. Click Deploy Changes.
  9. To verify the script runs successfully, examine the Events received on a Managed Host that triggers the Custom Action rule.


 

Resolving The Problem

If you have verified the Script works when using an IP address instead of a Host Name, modify the /opt/qradar/bin/ca_jail/etc/resolv.conf to match /etc/resolv.conf on the Managed Host and add any additional DNS servers as needed using this procedure.

  1.  Using an SSH Session log in to the Console as root user.
  2. SSH from the Console to the Managed Host that is receiving the Events that are triggering the Custom Action Rule.
  3. Backup the jail shell resolv.conf file: using the command:
        cp /opt/qradar/bin/ca_jail/etc/resolv.conf /root/resolv.conf.bak
  4. Copy the /etc/resolv.conf to the jail shell using the command:
       cp /etc/resolv.conf /opt/qradar/bin/ca_jail/etc/resolv.conf


Results: Custom Action Scripts that are run from the updated Managed Host should be able to resolve Host Names correctly now.


 


Where do you find more information?


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 January 2019

UID

ibm10717175

Page Feedback