IBM Support

QRadar: Tlsdate and forcing time synchronization in QRadar 7.3.0 and 7.3.1

Troubleshooting


Problem

In QRadar 7.2.x versions, rdate was used to synchronize time on QRadar Managed Hosts to the Console. As of 7.3.0 and later, QRadar uses tlsdate to synchronize time instead of rdate. This article explains how to force time synchronization with the Console in these later QRadar versions.

Diagnosing The Problem

If the time or date of a Managed Host somehow changed in QRadar 7.3.x, you can review the error logs (/var/log/qradar.error) of the QRadar managed host appliance and look for synchronization messages like the following:

[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate error

Resolving The Problem

QRadar 7.3.0 uses tlsdate instead of rdate to synchronize time between managed hosts and the Console. tlsdate makes an HTTPS request to Apache on the Console over port 443 and uses the response to set the time. Synchronization between the secondary and the primary is done over SSH (port 22).

Administrators should not normally need to manually synchronize time with the QRadar Console. Synchronization runs every 10 minutes by default as a cron job, time_sync.sh, and a correction was added in QRadar 7.3.1 so that time_sync.sh uses the -w parameter when this utility runs. Time synchronization is critical in QRadar because it defines search parameters. Incorrect time can cause strange data to be displayed in the user interface, for example offenses that are generated with an end time that occurs in the future.

If you see "[ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate error" in the managed host logs, run the following command from any managed host that is encountering the issue.

To force a time synchronization in QRadar 7.3.x:

  • On QRadar version 7.3.1, type the command:
    /usr/bin/tlsdate -P sslv23 -s -V -v -H <console_ip> -w

  • On QRadar version 7.3.0, type the command:
    /usr/bin/tlsdate -P sslv23 -s -V -v -H <console_ip>

There is typically no danger in manually syncing time with the QRadar Console, but if you run the command without the -w flag on QRadar version 7.3.1, ecs-ec-ingress experiences issues starting properly.
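
The following script is an added example, not IBM code. It checks a log for the NOT:0150003100 failure and prints the forced-sync command that matches the QRadar version, so the -w flag is never omitted on 7.3.1. The function names, the sample log file and the address 192.0.2.10 are constructed, and the version string is assumed to be supplied by the operator.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and the sample log are constructed.

# Count tlsdate failure notifications (NOT:0150003100) in a log file; 0 if unreadable.
count_sync_failures() {
    n=$(grep -c 'NOT:0150003100' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print the article's forced-sync command for a QRadar version and console IP.
# 7.3.1 gets -w, 7.3.0 does not; any other version is refused.
build_tlsdate_cmd() {
    # Allow only digits and dots, then require dotted-quad shape, so no shell
    # metacharacters can reach the command line.
    case $2 in ''|*[!0-9.]*) echo "invalid console IP" >&2; return 2 ;; esac
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "invalid console IP" >&2; return 2; }
    case $1 in
        7.3.1*) echo "/usr/bin/tlsdate -P sslv23 -s -V -v -H $2 -w" ;;
        7.3.0*) echo "/usr/bin/tlsdate -P sslv23 -s -V -v -H $2" ;;
        *) echo "unsupported version: $1" >&2; return 3 ;;
    esac
}

# Suggest the command only when the log shows synchronization failures.
suggest_fix() {
    if [ "$(count_sync_failures "$1")" -gt 0 ]; then
        build_tlsdate_cmd "$2" "$3"
    else
        echo "no tlsdate failures logged in $1"
    fi
}

# Constructed sample standing in for /var/log/qradar.error on a managed host.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate error
[hostcontext.hostcontext]: [INFO] constructed unrelated line
[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate error
EOF

suggest_fix "$SAMPLE_LOG" 7.3.1 192.0.2.10
```

The script only prints the command; review it and run it yourself on the affected managed host.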



Document Information

Modified date:
13 November 2019

UID

ibm10725933