Question & Answer
Question
How can you configure NTP settings for your QRadar appliance?
Cause
NTP stands for Network Time Protocol, an Internet protocol that is used to synchronize the clocks of computers to a time reference. When configured with NTP, the QRadar Console gets the most current time from the time reference source and then pushes updates hourly to all the Managed Hosts in the Deployment.
Answer
Before you begin: Administrators should complete these procedures during scheduled maintenance. Updating the time server setting in QRadar restarts services. This will log off users and interrupt event and flow collection until services restart.
Results: Time is now synchronized between the QRadar Console and the managed hosts.
For QRadar 7.3.0 and up
- Log in to the QRadar User Interface
- Click Admin tab > System and License Management
- Click Display Systems > click Appliance Type Console > click View and Manage System
- Click System Time tab
- Click NTP servers > Add More
- Enter the NTP servers
- Click Save
For QRadar 7.2.6 to 7.2.8
Important: Administrators should complete these procedures during scheduled maintenance. Updating the time server setting in QRadar restarts services. This will log off users and interrupt event and flow collection until services restart.
- Using SSH, log in to the QRadar Console as the root user.
- To edit the ntp.conf file, type the following command:
vi /etc/ntp.conf
- In the server section of the ntp.conf file, leave the existing server entries or replace them with your own internal Network Time Protocol (NTP) server.
Server entries in the ntp.conf file begin with server.
You can use public NTP servers from the NTP project. A list of public NTP servers is displayed here:
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
If you use public NTP servers, check that your firewall allows outbound NTP requests.
- Save the changes and close the file.
- Enable the ntpd service to run level 3.
chkconfig --level 3 ntpd on
- Verify that the ntpd service is enabled to run at restart.
chkconfig --list ntpd
Verify that 3:on displays in the output:
ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
- To prevent data collection errors when you change the system time, stop QRadar services.
service hostcontext stop
service tomcat stop
service hostservices stop
- Synchronize the time with your NTP server.
ntpdate ntp.server.ipaddress
- Start the ntpd service.
service ntpd start
- Restart QRadar services
service hostservices start
service tomcat start
service hostcontext start
- Synchronize the time on all managed hosts with your QRadar Console:
/opt/qradar/support/all_servers.sh /opt/qradar/bin/time_sync.sh
- On the Admin tab, click Advanced > Deploy Full Configuration to restart services on all QRadar managed hosts.
Results: Time is now synchronized between the QRadar Console and the managed hosts.
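The following shell script is an added example, not part of the original technote or of QRadar. It checks the two things the 7.2.6 to 7.2.8 procedure asks you to verify by eye before services are stopped: that ntp.conf contains at least one active server entry, and that chkconfig reports ntpd as 3:on. The function names are hypothetical and the sample ntp.conf and chkconfig line are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ntp.conf procedure above.
# On a Console, pass the real /etc/ntp.conf and the real output of
# `chkconfig --list ntpd` instead of the constructed samples below.

# Print the host of every active "server" entry (comments and blank lines skipped).
ntp_servers() {
    awk '{ sub(/#.*/, "") } $1 == "server" && NF >= 2 { print $2 }' "$1"
}

# Succeed only if the chkconfig line on stdin shows ntpd enabled at run level 3.
ntpd_on_at_runlevel3() {
    awk '$1 == "ntpd" { for (i = 2; i <= NF; i++) if ($i == "3:on") ok = 1 }
         END { exit !ok }'
}

# Run both checks; print one line per finding, return non-zero on any failure.
preflight() {
    conf=$1; chk=$2; rc=0
    count=$(ntp_servers "$conf" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no server entries in $conf"; rc=1
    else
        echo "OK: $count server entries in $conf"
    fi
    if printf '%s\n' "$chk" | ntpd_on_at_runlevel3; then
        echo "OK: ntpd enabled at run level 3"
    else
        echo "FAIL: ntpd not enabled at run level 3"; rc=1
    fi
    return $rc
}

# Constructed sample data (not taken from a real system).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# server old.example.invalid   (commented out, must be ignored)
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
EOF
SAMPLE_CHK='ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off'

preflight "$SAMPLE_CONF" "$SAMPLE_CHK"
```
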
Document Information
Modified date: 28 January 2021
UID: swg21690779