The QRadar® development team has issued a new auto update for all QRadar Consoles installed with V7.3.0 or later. The latest auto update bundle (build 1609491687) includes the one-line command for the 30 December 2020 "Waiting for license" and runs automatically on the QRadar Console during the auto update installation. Administrators can check for the latest auto update to have the license fix applied. This auto update release allows administrators without Console root access to apply the license fix to appliances with the 'Get New Updates' button in the user interface.
This technical note includes two sets of instructions depending on your QRadar® Console version and your network configuration. Administrators with QRadar 7.3.x or 7.4.x Console versions can complete a weekly auto update to apply the license fix. Administrators at QRadar 7.2.8 can complete the steps in the section "QRadar 7.2.8 Console and air-gappped network instructions".
Select the instructions that apply to your QRadar version:
QRadar 7.3.x and 7.4.x auto update license instructions
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- In the System Configuration section, click Auto Update.
- Click Change Settings.
- Verify the Auto Deploy option is selected (checked).
- Click Save.
- If prompted with an Application Restart Required message, click Yes.
- To check for updates, click Get New Updates.
- Wait for the auto update to complete.
- Click View Log.
- Confirm the Last Update Status displays All updates completed successfully.
Note: The build version that contains the license changes for the QRadar Console is 1609491687.
- After the auto update successfully installs, wait 5 minutes for appliances to load the changes.
Note: If you upgrade (patch) your QRadar appliances, you must reapply the license fix on your Console appliance after the software upgrade is complete for your deployment. For more information on this one-line license fix, see: https://www.ibm.com/support/pages/node/6395080.
The update is complete and the license change is deployed from the Console. Administrators can confirm that they are receiving events from appliances in the Log Activity tab. If your QRadar Console is on V7.2.8 or if your Console is in an air-gapped network, you cannot use an auto update to deploy the license change. For more information on updating your 7.2.8 Console with the license update, see the section "QRadar 7.2.8 Consoles and air-gapped network instructions". Administrators with Disconnected Log Collectors (DLC) appliances must update those appliances separately as they are not in the QRadar deployment. For information on updating DLC appliances, see: License update for Disconnected Log Collector appliances.
QRadar 7.2.8 Console and air-gappped network instructions
QRadar Consoles that are on V7.2.8 versions or are in air-gapped networks are unable to use a QRadar Auto Update. To update your appliances, you must run a one-line command manually on your QRadar Console.Procedure
- Use SSH to log in to the QRadar Console as the root user.
- To update the license file, enter the following command on your QRadar Console. You can double-click the command to highlight the full text.
/opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
- Wait 5 minutes for the changes to complete.
Note: Administrators are not required to restart any services for this change as the file loads automatically.
- Log in to the QRadar Console.
- Click the Log Activity tab.
- Verify events are received from remote appliance.
The procedure is complete. If you experience an issue with this command or continue to experience services or license messages in qradar.log, contact QRadar Support for assistance. After you apply the workaround for this issue, you can use QRadar normally and complete standard administrative tasks, such as deploy changes.
04 January 2021