IBM Support

QRadar: All hosts in your deployment must be at the same version

Troubleshooting


Problem

The QRadar console and all managed hosts in your deployment must be on the same software version to avoid replication issues, deployment issues, and many other negative side effects. You can experience "version mismatch" errors and "Failed to download and process global set" errors when the console deploys.

Symptom

You might find that deployments and replication are failing due to a managed host being at a different software version than the console. If so, similar messages are displayed in the qradar.log file on the QRadar Console, indicating that replication is failing:
hostname-con replication[17372]: Version mismatch.  Console is at version 2021.6.5.20230301133107 and managedhost is at version 2021.6.0.20211220195207.
hostname-con replication[17372]: Not providing dumps for host xxx.xxx.xxx.xxx.
Similar message to the following are displayed in the qradar.log file when the deployment times out:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Failed to download and process global set 
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.hostcontext.exception.HostContextConfigException: Failed to download new configuration set

Cause

The QRadar console is responsible for replicating its database and also pushing deployment configuration (through the Deploy Changes) to the managed hosts in the deployment. When QRadar versions change, there can be configuration template changes and database schema changes. As a result, deployments and database replication fail, due to the various changes between versions.

Diagnosing The Problem

There are a couple of easy ways to verify that all hosts in the deployment are at the same level. The first tool is the deployment_info.sh script. The only pitfall with using the deployment_info.sh script is that if you have many HA hosts in your deployment, it queries the active nodes. If you want to see all the hosts in the deployment, including secondary hosts that are in standby, you can use the all_servers.sh script (use -C to include the console and -k to include all standby systems) with the myver utility.
Using deployment_info.sh
  1. SSH into the QRadar console.
  2. Run the deployment_info.sh script with the -OH flags to get an output showing the Build version.
    /opt/qradar/support/deployment_info.sh -OH
    Result
    Example of the output:
    INFO: Gathering deployment information. This may take a while...
    
    Hostname              IP               HA Status  Appliance   Hardware                 Build                                                                CPUs                                          Disks
    hostname-apphost      xxx.xxx.xxx.xxx  N/A        4000        VMware Virtual Platform  2021.6.5.20230301133107  
    hostname-con-primary  xxx.xxx.xxx.xxx  active     3199        VMware Virtual Platform  2021.6.5.20230301133107  
    hostname-ep-primary   xxx.xxx.xxx.xxx  active     1699        VMware Virtual Platform  2021.6.0.20211220195207  
    Here you can easily see that the console is running version 2021.6.5.20230301133107, while the EP is running 2021.6.0.20211220195207, which is an older 7.5.0 version without any Update Packages installed.
 

Using all_servers.sh

  1. SSH into the QRadar console.
  2. Enter the following command:
    /opt/qradar/support/all_servers.sh -Ck "/opt/qradar/bin/myver -tf"
    Result
    Example of this output:
    xxx.xxx.xxx.xxx -> hostname-con-primary.example.com
    Appliance Type: 3199 Product Version: 2021.6.5.20230301133107
    14:45:52 up 2 days, 15:48,  1 user,  load average: 1.49, 1.13, 1.00
    ------------------------------------------------------------------------
    2021.6.5.20230301133107
    
    xxx.xxx.xxx.xxx -> hostname-con-secondary.example.com
    Appliance Type: 500 Product Version: 2021.6.5.20230301133107
    14:45:52 up 2 days, 15:49,  0 users,  load average: 0.08, 0.18, 0.18
    ------------------------------------------------------------------------
    2021.6.5.20230301133107
    
    xxx.xxx.xxx.xxx -> hostname-apphost.example.com
    Appliance Type: 4000 Product Version: 2021.6.5.20230301133107
    14:45:53 up 1 day,  2:25,  0 users,  load average: 0.52, 0.62, 0.60
    ------------------------------------------------------------------------
    2021.6.5.20230301133107
    
    xxx.xxx.xxx.xxx -> hostname-ep-primary.example.com
    Appliance Type: 1699 Product Version: 2021.6.0.20211220195207
    14:45:53 up 22:31,  0 users,  load average: 1.45, 0.94, 0.60
    ------------------------------------------------------------------------
    2021.6.0.20211220195207
    
    xxx.xxx.xxx.xxx -> hostname-ep-secondary.example.com
    Appliance Type: 500 Product Version: 2021.6.0.20211220195207
    14:45:53 up 23:19,  0 users,  load average: 0.03, 0.10, 0.10
    ------------------------------------------------------------------------
    2021.6.0.20211220195207
    From this output, you can see the first three hosts are on version 2021.6.5.20230301133107 and the last two are on 2021.6.0.20211220195207.

Resolving The Problem

Important: Running mixed software versions in your deployment is unsupported and can have adverse effects to the environment.
You must have all hosts in your deployment at the same software version and patch level. Use the utilities under Diagnosing the Problem to help identify any hosts running a different version, and ensure you get the host patched to the same version as the console.
  • See the Upgrade documentation for instructions on how to manually upgrade a host.
  • See the Auto Update documentation for instructions on how to manually install an Auto Update file to a host.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Deployment","Platform":[{"code":"PF043","label":"Red Hat"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
21 March 2023

UID

ibm10960936