Troubleshooting
Problem
A QRadar App Host is a managed host that is dedicated to running apps. As any other managed host in the deployment, QRadar App Hosts require connectivity to the required services and ports running on the Console.
When a connection to a required port is needed by an application, and the connection fails, it can affect the application load.
Symptom
The administrator can verify whether an app is not working in the user interface (showing 404 page not found).
Cause
Certain applications require connection to service port such as ariel queries (port 32006). When the App Host is not encrypted, it requires the firewall to allow all the required ports needed by all the applications. If a required connection is not allowed in the firewall, the application traffic never connects to wanted service port.
Environment
QRadar deployments with App Host.
Diagnosing The Problem
To identify this issue, administrators can check the /var/log/qradar.log and search for "Connection aborted" error message.
- Log in to the QRadar Console as the root user.
- Run the grep command and search for the error message in /var/log/qradar.log.
grep 'Connection Aborted' /var/log/qradar.log
[APP_ID/1203][INFO] Error in getting Ariel Port:('Connection aborted.', error(111, 'Connection refused'))
Alternatively, administrators can check whether the App Host connection is encrypted in the user interface.
- Log in to the QRadar Console user interface as an administrator user.
- Click the Admin tab.
- Click the System and license Management.
- On the System and license Management window, select the App Host and then click Deployment actions.
- Verify the App Host has the "Encryption Host Connections" checkbox not selected.
Resolving The Problem
To resolve this issue, administrators can encrypt the App Host so that the connections are tunneled by using SSH.
- Log in to the QRadar Console user interface as the administrator user.
- Click the Admin tab.
- Click the System and license Management.
- On the System and license Management window, select the App Host and then click Deployment Actions.
- Click Edit Host and select Encrypt Host Connections checkbox.
- Click Save.
- Click the Admin tab and deploy the configuration changes.
- Clear the browser cache.
Note: Refer to the browser product documentation for the procedure.
Results
The applications now load successfully. If the applications still don't load after the steps in this technote are run, contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
01 July 2022
UID
ibm16596143