IBM Support

QRadar: Configuring NTP settings for a QRadar appliance

Question & Answer


Question

How can you configure NTP settings for your QRadar appliance?

Cause

NTP stands for Network Time Protocol, an Internet protocol used to synchronize the clocks of computers to a time reference. When the QRadar Console is configured with NTP, it gets the current time from the time reference source and then pushes updates hourly to all the Managed Hosts in the Deployment.

Answer

Before you begin: Administrators should complete these procedures during scheduled maintenance. Updating the time server setting in QRadar restarts services. This will log off users and interrupt event and flow collection until services restart.

For QRadar 7.3.0 and up

  1. Log in to the QRadar User Interface
  2. Click Admin tab > System and License Management
  3. Click Display Systems > click Appliance Type Console > click View and Manage System
  4. Click System Time tab
  5. Click NTP servers > Add More
  6. Enter the NTP servers
  7. Click Save

 

For QRadar 7.2.6 to 7.2.8

Important: Administrators should complete these procedures during scheduled maintenance. Updating the time server setting in QRadar restarts services. This will log off users and interrupt event and flow collection until services restart.
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To edit the ntp.conf file, type the following command: vi /etc/ntp.conf
  3. In the server section of the ntp.conf file, leave the existing server entries or replace them with your own internal Network Time Protocol (NTP) server.
    Server entries in the ntp.conf file begin with the keyword server.
    You can use public NTP servers from the NTP project.
    A list of public NTP servers is displayed here:
    server 0.rhel.pool.ntp.org iburst
    server 1.rhel.pool.ntp.org iburst
    server 2.rhel.pool.ntp.org iburst
    server 3.rhel.pool.ntp.org iburst

    If you use public NTP servers, check that your firewall allows outbound NTP requests.
  4. Save the changes and close the file.
  5. Enable the ntpd service at run level 3.
    chkconfig --level 3 ntpd on
  6. Verify that the ntpd service is enabled to run at restart.
    chkconfig --list ntpd
    Verify that 3:on displays in the output:
    ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
  7. To prevent data collection errors when you change the system time, stop QRadar services.
    service hostcontext stop
    service tomcat stop
    service hostservices stop
  8. Synchronize the time with your NTP server.
    ntpdate ntp.server.ipaddress
  9. Start the ntpd service.
    service ntpd start
  10. Restart QRadar services
    service hostservices start
    service tomcat start
    service hostcontext start
  11. Synchronize the time on all managed hosts with your QRadar Console:
    /opt/qradar/support/all_servers.sh /opt/qradar/bin/time_sync.sh
  12. On the Admin tab, click Advanced > Deploy Full Configuration to restart services on all QRadar managed hosts.


Results: Time is now synchronized between the QRadar Console and the managed hosts.
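
The checks in steps 3, 6 and 9 can be scripted so that the result is confirmed rather than assumed. The following is an added example, not IBM code: it parses ntp.conf server entries, `chkconfig --list ntpd` output and `ntpq -pn` output. The ntpq utility is not mentioned above and is assumed to be installed with ntpd; the sample inputs are constructed and the 128 ms limit is an assumed threshold.

```shell
#!/bin/sh
# Added example: checks for steps 3, 6 and 9 above. All sample input is constructed.

# Print the host of every active "server" entry in ntp.conf text on stdin.
ntp_servers() {
    awk '$1 == "server" && NF >= 2 { print $2 }'
}

# Succeed only if "chkconfig --list ntpd" output on stdin shows 3:on.
ntpd_on_at_runlevel3() {
    awk '$1 == "ntpd" { for (i = 2; i <= NF; i++) if ($i == "3:on") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# From "ntpq -pn" output on stdin, print the offset (ms) of the peer that
# ntpd selected (tally code "*"); fail if no peer has been selected yet.
selected_peer_offset() {
    awk '/^\*/ { print $9; found = 1 } END { exit found ? 0 : 1 }'
}

# Succeed if the absolute value of offset $1 (ms) is at most limit $2 (ms).
offset_within() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

SAMPLE_NTP_CONF='# constructed ntp.conf fragment
server 0.rhel.pool.ntp.org iburst
#server retired.example.internal
server 1.rhel.pool.ntp.org iburst'

SAMPLE_CHKCONFIG='ntpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off'

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412   -1.207   0.098
+192.0.2.11      192.0.2.10       2 u   41   64  377    0.655    0.310   0.121'

LIMIT_MS=128   # assumed alert threshold for this example, not a QRadar setting

echo "servers: $(printf '%s\n' "$SAMPLE_NTP_CONF" | ntp_servers | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_CHKCONFIG" | ntpd_on_at_runlevel3 \
    && echo "ntpd enabled at run level 3" || echo "ntpd NOT enabled at run level 3"
if off=$(printf '%s\n' "$SAMPLE_NTPQ" | selected_peer_offset); then
    offset_within "$off" "$LIMIT_MS" && echo "offset ${off} ms: ok" \
        || echo "offset ${off} ms exceeds ${LIMIT_MS} ms"
else
    echo "ntpd has not selected a time source"
fi
```

On an appliance, replace the sample variables with the real sources, for example `ntp_servers < /etc/ntp.conf` and `ntpq -pn | selected_peer_offset`.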




Document Information

Modified date:
28 January 2021

UID

swg21690779