Question & Answer
Question
Answer
The hostcontext is the primary service that runs on each managed host and controls core QRadar processes. To verify the status of the hostcontext service, type:
systemctl status hostcontext
What is hostcontext
Hostcontext is responsible for listening for deployment requests from the QRadar Console, reporting deployed status, downloading configurations replication processes (every 60 seconds), reporting host status, and High Availability (HA) host status. Administrators should be aware that hostcontext is the manager of other core QRadar services. A restart of hostcontext starts and stops the following services:
- Accumulator
- Ariel_query_server (Managed hosts)
- ECS (event pipeline for event and flow data)
- ECS-EC (Protocols, license Throttling, Routing, DSM Parsing, Traffic analysis, Coalescing, Forwarding)
- ECS-EP (Event Throttling, CRE, Magistrate, Event Storage, Offense Analyzer, Host Profiler, Event Streaming)
- Historical Correlation server
- Ha_manager
- Offline Forwarder
- Scaserver (X-Force URL and IP reputation updates)
- QFlow (Flows / Network Activity data)
- VIS (scanners)
- Reporting executor (Console)
- Asset Profiler (Console)
- Tunnel Services (Console)
- Ariel_proxy_server (Console)
Restarting hostcontext
Hostcontext does NOT restart ecs-ec-ingress. When required, the ecs-ec-ingress service can be restarted independently of hostcontext. Due to these features, administrators can restart hostcontext without impacting event collection. Performing a Deploy Change restarts hostcontext, which can affect the services that are running on appliances. Restarting hostcontext might cause an interruption in the services listed here:
- Accumulator
- Ariel_query_server (Managed hosts)
- Historical Correlation server
- Offline Forwarder
- Scaserver (X-Force URL and IP reputation updates)
- QFlow (Flows / Network Activity data)
- VIS (scanners)
- Reporting executor (Console)
- Asset Profiler (Console)
- Tunnel Services (Console)
- Ariel_proxy_server (Console)
Note: As of 7.4.0 Tunnel Services are managed by tunnel_manager.
You might see IBM Support restarting hostcontext, which is not a magic bullet for fixing problems. The restart is quick, but services are restarted, which impacts Searches, Reports, Tunnel Services, Asset Profiler, and others. These services resume once hostcontext restarts.
Restart hostcontext only if you understand the root cause of the issue or are advised to do so by IBM Support. Restarting hostcontext is not a universal solution for correcting issues on managed hosts.
Restarting hostcontext without interrupting low level (sub) services
IMPORTANT: This procedure is only intended for QRadar managed hosts. Do not complete this procedure on a Console appliance.
- Using SSH, log in to QRadar as the root user.
- Use SSH to log in to the QRadar managed host.
- Type the following command to create a zero-byte "hostcontext.NOSTOPPROCESSES" file:
touch /opt/qradar/conf/hostcontext.NOSTOPPROCESSES
- Restart hostcontext on the managed host:
systemctl restart hostcontext
- Wait for the hostcontext service to restart.
- Required. After hostcontext completes the restart, delete the hostcontext.NOSTOPPROCESSES file, type:
rm /opt/qradar/conf/hostcontext.NOSTOPPROCESSES
- Press Y to delete the file.
Results
Hostcontext is restarted without impacting low level (sub) services. It is critical that administrators delete the hostcontext.NOSTOPPROCESSES file before they close the SSH session to the QRadar managed host. If at any time you require guidance for a command-line issue, you can open a case with the QRadar Support team for assistance.
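The managed-host procedure above, wrapped so that the flag file is removed even if the restart fails or the SSH session drops. This is an added example, not IBM's code; the function name, the --managed-host confirmation argument and the FLAG, SYSTEMCTL, WAIT_SECS and POLL_SECS overrides are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: the managed-host procedure above with guaranteed flag cleanup.
# FLAG, SYSTEMCTL, WAIT_SECS and POLL_SECS are overridable so the logic can be
# dry-run off-box; those override names are assumptions of this sketch.
FLAG="${FLAG:-/opt/qradar/conf/hostcontext.NOSTOPPROCESSES}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
WAIT_SECS="${WAIT_SECS:-300}"   # how long to wait for hostcontext to come back
POLL_SECS="${POLL_SECS:-5}"

# rm -f skips the interactive "Press Y" confirmation from the manual steps.
remove_flag() { rm -f -- "$FLAG"; }

restart_hostcontext_keep_subservices() {
    # The procedure is for managed hosts only, so demand an explicit confirmation.
    if [ "${1:-}" != "--managed-host" ]; then
        echo "refusing: pass --managed-host to confirm this is not a Console" >&2
        return 2
    fi
    # A flag that already exists was left behind earlier; stop and investigate.
    if [ -e "$FLAG" ]; then
        echo "refusing: $FLAG already exists" >&2
        return 3
    fi
    # Ctrl-C, kill, or a dropped SSH session (HUP) must not leave the flag behind.
    trap 'remove_flag; exit 130' INT TERM HUP
    touch -- "$FLAG" || { trap - INT TERM HUP; return 4; }
    rc=0
    if "$SYSTEMCTL" restart hostcontext; then
        waited=0
        until "$SYSTEMCTL" is-active --quiet hostcontext; do
            if [ "$waited" -ge "$WAIT_SECS" ]; then rc=6; break; fi
            sleep "$POLL_SECS"
            waited=$((waited + POLL_SECS))
        done
    else
        rc=5
    fi
    # Required step: delete the flag whether or not the restart succeeded.
    remove_flag
    trap - INT TERM HUP
    [ -e "$FLAG" ] && { echo "WARNING: $FLAG still present" >&2; rc=7; }
    return "$rc"
}

# Run only when invoked with arguments, e.g. ./script.sh --managed-host
if [ "$#" -gt 0 ]; then
    restart_hostcontext_keep_subservices "$@"
fi
```

A non-zero return code identifies the step that failed: 5 for the restart itself, 6 for the service not becoming active within WAIT_SECS, 7 if the flag file could not be removed.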
Document Information
Modified date:
26 April 2023
UID
ibm10960161