As of version 7.3.0, QRadar uses tlsdate to synchronize time. This article gives an overview of how time is synchronized and how to force time synchronization when the console reports the incorrect time.
Diagnosing The Problem
If the time or date of a Managed Host changed unexpectedly, you can review the error logs at /var/log/qradar.error of the QRadar managed host appliance and look for synchronization messages like the following:
[hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate error
Resolving The Problem
How time synchronization works
QRadar uses tlsdate to synchronize time between managed hosts and the console. It makes an HTTPS request to Apache on the console by using port 443 and uses that response to set the time. Syncing between the secondary and the primary is done by using SSH over port 22. This activity occurs every 10 minutes by default as a cron job, time_sync.sh. Time synchronization is critical in QRadar because it defines search parameters.
- SSH into the QRadar console
- Enter the following command to force time synchronization:
/usr/bin/tlsdate -P sslv23 -s -V -v -H <console_ip> -w
Important: If you run the command without a -w flag on QRadar Versions 7.3.1+, it causes ecs-ec-ingress to experience issues starting.
The console displays the correct time. If you continue to experience issues, contact support.
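A read-only way to measure how far a host's clock is from the console before or after forcing a sync, given here as an added example that is not IBM's or this article's own code: it parses the Date header of an HTTPS response, which is the value tlsdate reads in its -w (HTTP) mode, and reports the skew in seconds. The function names, the constructed sample headers, and the reliance on GNU date are assumptions of this example.

```shell
# Added example: clock skew against the Date header of an HTTPS response.
# Constructed sample of console response headers (not captured from a real system).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Wed, 08 Feb 2023 10:15:30 GMT
Server: Apache
Content-Type: text/html'

CR=$(printf '\r')   # HTTP header lines end in CRLF; strip the CR before matching

# console_epoch: read response headers on stdin, print the Date header as epoch seconds.
console_epoch() {
    local line value
    while IFS= read -r line; do
        line=${line%"$CR"}
        [ -z "$line" ] && break              # blank line ends the header block
        case "$line" in
            [Dd][Aa][Tt][Ee]:*)
                value=${line#*:}
                # GNU date parses the RFC 7231 date format; fail if it cannot.
                date -u -d "$value" +%s && return 0
                return 1
                ;;
        esac
    done
    return 1                                 # no Date header present
}

# clock_skew LOCAL_EPOCH: headers on stdin; prints local minus console, in seconds.
clock_skew() {
    local remote
    remote=$(console_epoch) || return 1
    echo $(( $1 - remote ))
}

# skew_status SKEW MAX_SECONDS: prints OK or DRIFT based on the absolute skew.
skew_status() {
    local abs=${1#-}
    if [ "$abs" -le "$2" ]; then echo OK; else echo DRIFT; fi
}

# Live use on a managed host (does not set the clock):
#   curl -sI "https://<console_ip>/" | clock_skew "$(date +%s)"
```

A positive result means the local clock is ahead of the console; the acceptable threshold passed to skew_status is a local policy choice, not a QRadar setting.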
08 February 2023