IBM Support

QRadar: Hostcontext service and the impact of a service restart

Question & Answer


Question

What is the hostcontext service? What is the impact on QRadar if hostcontext is restarted?

Answer

The hostcontext is the primary service that runs on each managed host and controls core QRadar processes. To verify the status of the hostcontext service, type:

systemctl status hostcontext

What is hostcontext

Hostcontext is responsible for listening for deployment requests from the QRadar Console, reporting deployed status, downloading configurations through replication processes (every 60 seconds), reporting host status, and reporting High Availability (HA) host status. Administrators should be aware that hostcontext is the manager of other core QRadar services. A restart of hostcontext stops and starts the following services:

 
  • Accumulator
  • Ariel_query_server (Managed hosts)
  • ECS (event pipeline for event and flow data)
    • ecs-ec (Protocols, license Throttling, Routing, DSM Parsing, Traffic analysis, Coalescing, Forwarding)
    • ecs-ep (Event Throttling, CRE, Magistrate, Event Storage, Offense Analyzer, Host Profiler, Event Streaming)
       Note: QRadar 7.3.1 added the service ecs-ec-ingress to QRadar to allow event collection outside of service restarts.
 
  • Historical Correlation server
  • Ha_manager
  • Offline Forwarder
  • Scaserver (X-Force URL and IP reputation updates)
  • QFlow (Flows / Network Activity data)
  • VIS (scanners)
  • Reporting executor (Console)
  • Asset Profiler (Console)
  • Tunnel Services (Console)
  • Ariel_proxy_server (Console)

 
 

Restarting hostcontext

Hostcontext does NOT restart ecs-ec-ingress. When required, the ecs-ec-ingress service can be restarted independently of hostcontext. Because of this separation, administrators can restart hostcontext without impacting event collection. Performing a Deploy Change restarts hostcontext, which can affect services running on appliances. Restarting hostcontext might cause an interruption in the services listed here:

  • Accumulator
  • Ariel_query_server (Managed hosts)
  • Historical Correlation server
  • Offline Forwarder
  • Scaserver (X-Force URL and IP reputation updates)
  • QFlow (Flows / Network Activity data)
  • VIS (scanners)
  • Reporting executor (Console)
  • Asset Profiler (Console)
  • Tunnel Services (Console)
  • Ariel_proxy_server (Console)

    Note: As of 7.4.0 Tunnel Services are managed by tunnel_manager.

You might see IBM Support restarting hostcontext, but this is not a magic bullet for fixing problems. The restart is quick, but services are restarted, which impacts Searches, Reports, Tunnel Services, Asset Profiler, and others. These services resume once hostcontext restarts.

Only restart hostcontext if you understand the root cause of the issue or are advised to do so by IBM Support. Restarting hostcontext is not a universal solution for correcting issues on managed hosts.

 

Restarting hostcontext without interrupting lower level (sub) services
 

Administrators with root access can restart hostcontext without impacting subservices. This allows administrators to restart only hostcontext itself in situations where a long-running search is in progress on a managed host or when a scan import is in progress.

IMPORTANT: This procedure is only intended for QRadar managed hosts. Do not complete this procedure on a Console appliance.
  1. Use SSH to log in to QRadar as the root user.
  2. Use SSH to log in to the QRadar managed host.
  3. Type the following command to create a zero-byte "hostcontext.NOSTOPPROCESSES" file:
    touch /opt/qradar/conf/hostcontext.NOSTOPPROCESSES
  4. Restart hostcontext on the managed host:
    systemctl restart hostcontext
  5. Wait for the hostcontext service to restart.
  6. Required. After hostcontext completes the restart, type the following command to delete the hostcontext.NOSTOPPROCESSES file:
    rm /opt/qradar/conf/hostcontext.NOSTOPPROCESSES
  7. Press Y to delete the file.


    Results
    Hostcontext is restarted without impacting lower level (sub) services. It is critical that administrators delete the hostcontext.NOSTOPPROCESSES file before they close the SSH session to the QRadar managed host. If at any time you require guidance for a command line issue, you can open a case with the QRadar Support team for assistance.
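
The procedure above depends on the flag file being deleted afterwards. The following wrapper is an added example, not IBM code: it removes the flag on every exit path and refuses to start if a stale flag already exists. The function names, the environment overrides, and the `systemctl is-active` wait check are assumptions of this example.

```shell
#!/bin/bash
# Added example, not IBM code. Run on a QRadar managed host only (never a
# Console); this script does not detect the appliance type.
# The path and restart command are the ones given in the procedure; each can
# be overridden through the environment for a dry run.
FLAG="${FLAG:-/opt/qradar/conf/hostcontext.NOSTOPPROCESSES}"
RESTART_CMD="${RESTART_CMD:-systemctl restart hostcontext}"
# Assumption: "wait for the restart" is checked with systemctl is-active.
STATUS_CMD="${STATUS_CMD:-systemctl is-active --quiet hostcontext}"
WAIT_SECS="${WAIT_SECS:-300}"

# Poll until hostcontext reports active; return 1 after WAIT_SECS seconds.
wait_for_hostcontext() {
    waited=0
    until $STATUS_CMD; do
        [ "$waited" -ge "$WAIT_SECS" ] && return 1
        sleep 5
        waited=$((waited + 5))
    done
    return 0
}

# Returns 0 on success, 1 if the restart or the wait failed, 2 if a flag file
# from an earlier unfinished run is already present.
restart_hostcontext_keep_subservices() {
    if [ -e "$FLAG" ]; then
        echo "stale $FLAG found; confirm no restart is in progress, then remove it" >&2
        return 2
    fi
    (
        # The flag is removed on every exit path, including Ctrl-C or a
        # dropped SSH session (HUP).
        trap 'rm -f "$FLAG"' EXIT
        trap 'exit 130' INT TERM HUP
        touch "$FLAG" || exit 1
        $RESTART_CMD || exit 1
        wait_for_hostcontext || exit 1
        exit 0
    )
}

# Perform the restart only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    restart_hostcontext_keep_subservices
fi
```

A return code of 2 means an earlier restart left the flag behind, which is the condition the Results section warns about.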


Document Information

Modified date:
05 June 2020

UID

ibm10960161