Troubleshooting
Problem
Administrators who attempt to install the latest version of DNS Analyzer on QRadar 7.3.2 or later might experience an issue where the app fails to install after several minutes. The Extension Management interface displays the DNS Analyzer application with a status of 'Install Failed' and repeated attempts to install the app continue to fail.
Symptom
After several minutes of waiting for the app to install, the following error is displayed in the user interface:
The logs for the QRadar Console or App Host appliance might also provide an error message indicating the number of connection attempts made by the framework to contact the application. For example, administrators can review /var/log/qradar.log for the following error message:
Health check could not reach app 2268 after 20 attempts over 300 seconds.
Health check could not reach app 2268 after 20 attempts over 300 seconds.
Diagnosing The Problem
- Use SSH to log in to the QRadar Console as the root user.
- Type the command:
grep -i HealthCheck /var/log/qradar.error | less - Review the logs for error messages that might indicate a health check failed for the application installation task:
Oct 25 13:54:00 ::ffff:xx.xxx.xx.x [tomcat.tomcat] [pool-1-thread-1] com.q1labs.uiframeworks.application.api.service.builders. shared.AsyncBuildStageTask: [ERROR] [NOT:0000003000][xx.xxx.xx.x/- -] [-/- -]An exception occurred while building app asynchronously. Triggering rollback.
Oct 25 13:54:00 ::ffff:xx.xxx.xx.x [tomcat.tomcat] [pool-1-thread-1] com.q1labs.uiframeworks.application.api. exception.AppHealthCheckException: Health check could not reach app 2403 after 20 attempts over 300 seconds
Oct 25 13:54:00 ::ffff:xx.xxx.xx.x [tomcat.tomcat] [pool-1-thread-1] at com.q1labs.uiframeworks.application.api. service.builders.shared.InstallHealthCheck.performHealthCheck (InstallHealthCheck.java:274)
Resolving The Problem
To help get around these timeouts, we can increase the timeout and retry thresholds in the nva.conf file.
- Use SSH to log in to QRadar as the root user.
IMPORTANT: Administrators must backup your existing nva.conf before attempting to make any changes - Make a directory to backup nva.conf
- Backup your nva.conf file by using the command:
cp -p /opt/qradar/conf/nva.conf /store/IBM_Support/nva.conf - Navigate to /store/configservices/staging/globalconfig/ by using the command:
cd /store/configservices/staging/globalconfig/ - Use an editor to open and change the following parameters in /store/configservices/staging/globalconfig/nva.conf:
APPFW_HEALTH_CHECK_RETRY_LIMIT=20 to APPFW_HEALTH_CHECK_RETRY_LIMIT=40APPS_HEALTH_DEFAULT_FAILURE_THRESHOLD=10 to APPS_HEALTH_DEFAULT_FAILURE_THRESHOLD=20
Note: Do not extend these values beyond two times the original value.DOCKER_UTILS_TASK_TIMEOUT_SECONDS=300 to DOCKER_UTILS_TASK_TIMEOUT_SECONDS=600 - Save the changes to nva.conf.
- Log in to the QRadar Console user interface as an administrator and try to install the app again
- Click the Admin tab.
Important: Deploy Full Configuration results in services being restarted on all appliances. The service restart does not interrupt event collection on appliances, but the data cannot be processed by the event pipeline until all services are running. Searches, vulnerability assessment scan imports, or scheduled reports that are in-progress might need to be manually restarted by users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization. - Click Advanced > Deploy Full Configuration.
- After the Deploy Full Configuration completes, reinstall the DNS Analyzer app.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
05 November 2020
UID
ibm10872588