IBM Support

QRadar: How to monitor the status of deployment changes

Troubleshooting


Problem

This article shows administrators how to monitor the status of deployment changes in QRadar.

Cause

This article provides several ways to determine or monitor the status of a deployment change. There are two types of deploys administrators can complete in the user interface:

  • Admin tab > Deploy Changes - An incremental deploy sends administrative changes to the managed hosts in the QRadar deployment and does not impact core services.

  • Admin tab > Advanced > Deploy Full Configuration - This user interface option rebuilds the full configuration and restarts services on each managed host.

Environment

QRadar version 7.4 and 7.5

Diagnosing The Problem

As administrators make changes to QRadar, the user interface indicates whether the change requires a Deploy Changes (incremental) update or a Deploy Full Configuration. In most cases, you are required to deploy changes within QRadar, but you might be required to issue a Deploy Change or Full Deploy command. As the deployment starts, a window displays the status of the deployment changes for all appliances.

Resolving The Problem

The best method to validate the status of deployment changes is to use the QRadar API. An API endpoint returns details about deployments, such as the user, status, percentage complete, type, and more. QRadar support has a Deploy Changes 101 page that lists common errors around deployment changes.

To verify the status of deployment changes from the QRadar API, follow these steps:
  1. Log in to QRadar Console user interface as an administrator.

  2. On the navigation menu, click Interactive API for Developers.

  3. From the list, select the /staged_config/deploy_status endpoint.

  4. Verify you are on the GET tab.

  5. Click Try it Out.


    Results
    The API is queried for the current deployment changes status. The details are displayed to administrators in the Response Body when the query completes. The following information is available to administrators about the status of the deployment:

  • initiated_by - String - The name of the user who initiated the deployment.
  • initiated_from - String - The hostname from where the deployment was initiated.
  • type - String - The type of deployment: FULL or INCREMENTAL.
  • status - String - The status of the deployment: UNKNOWN, START, DONE.
  • hosts - Map of < String, List of String > - A map of status states and a list of hosts.
  • error_message - String - The deployment error message.
  • has_errors - Boolean - True if the deployment encountered an error.
  • percent_complete - Integer - The percentage of completion of the deployment. (0-100)
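
The same check can be run from a script. The following is an added example, not IBM's code: it reads the endpoint from step 3 and turns the fields listed above into a verdict, including who initiated the deployment and from where. It assumes the endpoint is served under https://<console>/api and that an authorized service token is sent in the SEC header; the sample response, host names, and host state keys are constructed.

```python
import json
import urllib.request

# Constructed sample body using the fields listed above; the names, hosts and
# the state keys inside "hosts" are made up for illustration.
SAMPLE = json.loads("""{
  "initiated_by": "admin", "initiated_from": "console.example.test",
  "type": "INCREMENTAL", "status": "START", "percent_complete": 50,
  "has_errors": false, "error_message": null,
  "hosts": {"SUCCESS": ["console.example.test"], "IN_PROGRESS": ["ep1.example.test"]}
}""")


def fetch_deploy_status(console, token, timeout=10):
    """GET deploy_status. Assumed: /api base path and a token in the SEC header."""
    req = urllib.request.Request(
        f"https://{console}/api/staged_config/deploy_status",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(doc):
    """Return (verdict, detail) for one deploy_status response body."""
    who = (f"{doc.get('type')} deploy by {doc.get('initiated_by')} "
           f"from {doc.get('initiated_from')}")
    hosts = doc.get("hosts") or {}
    per_state = "; ".join(
        f"{state}: {', '.join(sorted(names))}" for state, names in sorted(hosts.items())
    )
    if doc.get("has_errors"):
        # Check has_errors first so an error is reported whatever status says.
        verdict = "failed"
        what = doc.get("error_message") or "no error_message returned"
    else:
        verdict = {"DONE": "done", "START": "running"}.get(doc.get("status"), "unknown")
        what = f"{doc.get('percent_complete')}% complete"
    detail = f"{who}: {what}"
    return verdict, (f"{detail} [{per_state}]" if per_state else detail)


if __name__ == "__main__":
    # Offline demo on the constructed sample; use fetch_deploy_status() for a live console.
    print(summarize(SAMPLE))
```
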

(Optional) Command-line verification

Users who are not QRadar administrators but who have root access to the QRadar Console can watch the status of an ongoing deployment from the QRadar command line.
The watch command can be used to monitor the status files in QRadar to view the status of a deployment.
  1. Using SSH, log in to the QRadar console as the root user. 
  2. To view the status of deployment changes in progress or the status of the deployment, type:
    watch -n2 'grep -i "" /store/tmp/status/deployment.*'

    Results
    The command line displays the status from hosts as they report status.
    Example:
    /store/tmp/status/deployment.X.X.X:Success
    /store/tmp/status/deployment.X.X.X:Success
    This information is also available in the QRadar logs. Users with root access can always review /var/log/qradar.log and /var/log/qradar.error for deployment messages, including messages for a successful deployment, by using the command:
    cat /var/log/qradar.error | grep -i deploy

    Example:
    ::ffff:X.X.X.X [tomcat.tomcat] [configservices@IPADDRESS (3367) /console/JSON-RPC System.setDeploymentStatus] com.q1labs.rpcservices.DeploymentServices: [INFO] [NOT:0000006000][X.X.X.X/- -] [-/- -]Host IPADDRESS sets the deploy status to Initiating Deployment
    ::ffff:X.X.X.X [hostcontext.hostcontext] [9baac345-711d-49b3-9607-145759a828e4/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigChangeObserver: [INFO] [NOT:0000006000][X.X.X.X/- -] [-/- -]Setting deployment status to In Progress
    ::ffff:X.X.X.X [tomcat.tomcat] [[email protected] (7073) /console/JSON-RPC System.setDeploymentStatus] com.q1labs.rpcservices.DeploymentServices: [INFO] [NOT:0000006000][X.X.X.X/- -] [-/- -]Host X.X.X.X sets the deploy status to Success

Document Location

Worldwide


Document Information

Modified date:
05 January 2023

UID

ibm10960878