IBM Support

QRadar Core Services and the Impact when Restarted

Question & Answer


What is the impact of restarting certain services from the command line interface (CLI) on QRadar SIEM?


Note: This guide is a reference to the impact when services are restarted. Restarting a service can have significant consequences for the rest of the deployment. Do not restart a service unless requested to by support.
Each entry lists the service, its purpose, the appliances it runs on, and the impact while it is restarting.

Service: accumulator
Purpose: Responsible for counting. To generate the time series graphs in the QRadar UI in a reasonable time, the accumulator creates by-minute, by-hour and by-day counts of data within the system so that these graphs can be populated quickly.
Runs on: Managed Hosts
Impact: Aggregated data, reports and searches.

Service: arc_builder
Purpose: Aggregates flows and events into bundles based on a set of known CIDR ranges and service ports.
Runs on: QVM (related)

Service: ariel_proxy_server
Purpose: Proxies search requests from different processes to the various ariel query servers. Once the results are returned from the query servers, ariel proxy can transform and aggregate the data into various orderings and store it in server-side cursors for later processing and retrieval.
Runs on: Console only
Impact: All requests to managed hosts for search data stop until this service has restarted.

Service: ariel_query_server
Purpose: Reads the Ariel database on the managed hosts and sends the data matching the request back to the proxy server for further processing.
Runs on: Managed Hosts
Impact: All searches of the Ariel database on the managed hosts stop.

Service: asset_profiler
Purpose: Responsible for persisting the asset and identity models into the database.
Runs on: Console
Impact: Assets are not added or updated until this service comes back online.

Service: ecs-ec-ingress
Purpose: Event Correlation Service - Event Collector Ingress: collects events in a buffer while ecs-ec and ecs-ep are being restarted, then spools the data back to ecs-ec and ecs-ep.
Runs on: Console, Managed Hosts
Impact: While this service is stopped, events are not collected in a buffer and spooled to the other ecs services.

Service: ecs-ec
Purpose: Event Correlation Service - Event Collector: parses, normalizes and coalesces events.
Runs on: Managed Hosts
Impact: Parsing and normalizing of events and flows stops.

Service: ecs-ep
Purpose: Event Correlation Service - Event Processor: correlates events (Custom Rule Engine), stores events in the Ariel database and forwards events matching CRE rules to the Magistrate component.
Runs on: Console, Managed Hosts
Impact: Correlation, parsing and event storage.

Service: historical_correlation_server
Purpose: Provides the ability to create offenses based on historical data, e.g. bulk loading of data, one-time rule testing.
Runs on: Console, Managed Hosts
Impact: Historical searches on offense data.

Service: hostcontext
Purpose: Runs on each appliance in a deployment. Runs the "ProcessManager" component that is responsible for starting, stopping and verifying the status of each component within the deployment. Responsible for packaging (Console) and downloading/applying (Managed Hosts) the database replication bundles. Responsible for requesting, downloading, unpacking, and notifying other components on the appliance of updated configuration files. Responsible for monitoring PostgreSQL transactions and restarting any process that exceeds the predetermined time limit; this portion is referred to as "TxSentry". Responsible for the disk maintenance routines that perform disk cleanup. Also responsible for starting tunnels, ecs, accumulator, ariel_proxy, ariel_query, qflow, reporting and asset_profiler.
Runs on: Console, Managed Hosts
Impact: hostcontext is the manager for all other services except ecs-ec-ingress. All services controlled by hostcontext are inactive until they are restarted.

Service: hostservices
Purpose: Runs as an ongoing daemon. It keeps track of two other running processes: the message queue (IMQ), which opens the communication ports between QRadar components, and PostgreSQL.
Runs on: Managed Hosts
Impact: The database and IMQ stop working. This also impacts hostcontext and Tomcat.

Service: qflow
Purpose: Collects and creates flow information from multiple sources.
Runs on: Managed Hosts
Impact: Flow data is not available until the service is restarted.

Service: reporting_executor
Purpose: Runs the scheduler for reporting.
Runs on: Console
Impact: All running reports are cancelled and must be restarted. New scheduled reports do not run until this service starts.

Service: tomcat
Purpose: Web container that hosts the UI and the web services/RPC calls.
Runs on: Console
Impact: The UI is not available.

Service: vis
Purpose: The engine that drives the scanner modules.
Runs on: Managed Hosts
Impact: Scans do not work, and any scan that was running must be restarted.
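The table states two management relationships that make a restart cascade: hostservices underpins PostgreSQL, IMQ, hostcontext and Tomcat, and hostcontext manages most of the remaining services. The script below is an added example, not IBM code, that turns those statements into a pre-restart impact check: given a service and the role of the host you are logged on to, it follows the relationships transitively and reports which of the services listed above stop working on that host, and whether the service even runs there. Everything it encodes comes from the table, with three labelled assumptions: the placeholder names postgresql, imq and tunnels for things the table mentions but does not list as services; hostservices treated as running on the Console as well as Managed Hosts (the table lists only Managed Hosts for it, but its impact statement names Tomcat, which is Console-only); and, for the optional live check, that the host uses systemd and the unit names match the service names in the table.

```python
"""Pre-restart impact check for QRadar services.

Added example built from the service table on this page; it is not IBM
code. The relationships below are only those the table states.
"""
import subprocess
import sys

# Host roles each service runs on, as stated in the table.
# Assumption: hostservices is listed for Console too, because the table
# says stopping it impacts Tomcat, and Tomcat is Console-only.
RUNS_ON = {
    "accumulator": {"managed_host"},
    "arc_builder": {"qvm"},
    "ariel_proxy_server": {"console"},
    "ariel_query_server": {"managed_host"},
    "asset_profiler": {"console"},
    "ecs-ec-ingress": {"console", "managed_host"},
    "ecs-ec": {"managed_host"},
    "ecs-ep": {"console", "managed_host"},
    "historical_correlation_server": {"console", "managed_host"},
    "hostcontext": {"console", "managed_host"},
    "hostservices": {"console", "managed_host"},
    "qflow": {"managed_host"},
    "reporting_executor": {"console"},
    "tomcat": {"console"},
    "vis": {"managed_host"},
}

# What each manager brings down with it, per the table. "postgresql",
# "imq" and "tunnels" are placeholder names chosen here; "ecs" in the
# hostcontext entry is taken to mean ecs-ec and ecs-ep, since the table
# says hostcontext manages everything except ecs-ec-ingress.
BRINGS_DOWN = {
    "hostservices": {"postgresql", "imq", "hostcontext", "tomcat"},
    "hostcontext": {
        "tunnels", "ecs-ec", "ecs-ep", "accumulator",
        "ariel_proxy_server", "ariel_query_server", "qflow",
        "reporting_executor", "asset_profiler",
    },
}


def impacted(service, host_role):
    """Services on this host role that stop when `service` is restarted.

    Walks BRINGS_DOWN transitively (hostservices -> hostcontext -> ...),
    skipping anything the table says does not run on `host_role`.
    The restarted service itself is not included.
    """
    seen = set()
    stack = [service]
    while stack:
        current = stack.pop()
        for child in BRINGS_DOWN.get(current, ()):
            if child in seen:
                continue
            # Placeholders (postgresql, imq, tunnels) have no role entry
            # and are assumed present on every appliance.
            if child in RUNS_ON and host_role not in RUNS_ON[child]:
                continue
            seen.add(child)
            stack.append(child)
    return seen


def restart_plan(service, host_role):
    """Summarise the consequences of restarting `service` on `host_role`."""
    if service not in RUNS_ON:
        raise ValueError(f"unknown service: {service}")
    hit = impacted(service, host_role)
    return {
        "service": service,
        "host_role": host_role,
        "runs_here": host_role in RUNS_ON[service],
        "impacted": sorted(hit),
        # A cascade means other listed services go down, not just this one.
        "cascades": bool(hit),
    }


def live_state(service):
    """Ask systemd for the unit state, or None when systemctl is absent.

    Assumption: the unit is named exactly as in the table. Kept separate
    so the planner itself works offline.
    """
    try:
        result = subprocess.run(["systemctl", "is-active", service],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Usage: python restart_plan.py <service> <console|managed_host>
    svc = sys.argv[1] if len(sys.argv) > 1 else "hostservices"
    role = sys.argv[2] if len(sys.argv) > 2 else "console"
    plan = restart_plan(svc, role)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print(f"current state: {live_state(svc)}")
```

Run it before touching a service: `restart_plan("hostservices", "console")` shows that the restart cascades through hostcontext to Tomcat, ecs-ep, the ariel proxy, reporting and the asset profiler, while the same restart on a managed host takes down ecs-ec, ecs-ep, the ariel query server, qflow and the accumulator instead. A plan with `runs_here` false means you are about to restart a service the table says is not on this appliance type at all.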


Product: IBM QRadar SIEM (Security Software); Platform: Red Hat; Version: 7.3.1

Document Information

Modified date:
18 March 2019