Troubleshooting
Problem
The QRadar server does not restart correctly after an upgrade. This technical note covers one of the reasons this issue might occur: a customized fstab configuration.
Symptom
After the QRadar software is upgraded to a newer version, the server restarts but displays a "Login Error" message on the console window. Administrators are unable to log in to the QRadar server.
Cause
The QRadar server is unable to restart correctly due to modifications saved to the fstab. As per the QRadar: Software update checklist for administrators page, all external storage that is not /store/ariel or /store must be unmounted during the upgrade procedure.
Resolving The Problem
Administrators are advised to follow the QRadar: Software update checklist for administrators before starting the upgrade process.
Administrators should pay attention to the step "Unmount all external storage, which is not /store/ariel or /store".
To resolve this issue, administrators must access the fstab on the operating system, comment out the custom entries, and restart the QRadar server. To accomplish this, the server must be restarted with the 'Factory re-install' option.
- Restart the QRadar server.
- At the first GRUB menu, press the down arrow key to stop the 5 second timer and highlight the option, Factory re-install.
Normal System Factory re-install [QRadar 7.5.0 GA (Build 20211220195207)]
- Press the 'e' key to edit the entry.
- Scroll down to find the line that starts with "linux (loop)/isolinux/vmlinuz".
linux (loop)/isolinux/vmlinuz ks-hd:UUID b-7fd28281c800:202160/ks.cfg action=reinstall root1vm=
- Edit the line and insert the string “rd.break” between “vmlinuz” and “ks=”.
linux (loop)/isolinux/vmlinuz rd.break ks=...
linux (loop)/isolinux/vmlinuz rd.break ks-hd:UUID b-7fd28281c800:202160/ks.cfg action=reinstall root1vm=
- Press CTRL-x to reboot the server.
- When the server restarts, you are dropped at a command prompt.
Entering emergency mode. Exit the shell to continue.
Type "journalctl" to view system logs.
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot
after mounting them and attach it to a bug report.
switch_root:/#
- From the switch_root prompt, run the following command to scan for physical volume groups.
lvm vgscan
switch_root:/# lvm vgscan
Reading all physical volumes. This may take a while...
Found volume group "rootrhel" using metadata type lvm2
Found volume group "storerhel" using metadata type lvm2
switch_root:/#
- When the physical volumes are found, run the following command to activate the volume groups.
lvm vgchange -ay
switch_root:/# lvm vgchange -ay
8 logical volume(s) in volume group "rootrhel" now active
2 logical volume(s) in volume group "storerhel" now active
switch_root:/#
- Verify that the LVM volumes are visible in the /dev/mapper/ directory.
ls /dev/mapper/
switch_root:/# ls /dev/mapper/
control    rootrhel-home  rootrhel-storetmp  rootrhel-varlog       storerhel-transient
live-base  rootrhel-opt   rootrhel-tmp       rootrhel-varlogaudit
live-rw    rootrhel-root  rootrhel-var       storerhel-store
switch_root:/#
- Create a temporary directory.
mkdir -pv /tmp/root
switch_root:/# mkdir -pv /tmp/root
mkdir: created directory '/tmp/root'
switch_root:/#
- Mount the operating system's root partition to the newly created temporary directory.
mount /dev/mapper/rootrhel-root /tmp/root
switch_root:/# mount /dev/mapper/rootrhel-root /tmp/root/
[ 685.419247] XFS (dm-2): Mounting V5 Filesystem
[ 685.562542] XFS (dm-2): Ending clean mount
switch_root:/#
- Change into the /tmp/root/etc directory.
cd /tmp/root/etc
switch_root:/# cd /tmp/root/etc/
switch_root:/tmp/root/etc#
- Edit the fstab.
vi fstab
- Change into Insert Mode by pressing 'i'. Place a '#' at the start of any customised or any customer added entries.
For this example, I added a line.
# Test Line
#
# /etc/fstab
# Created by anaconda on Tue Jan 4 17:38:47 2022
# Test Line
#
- To save your changes to the fstab, press Esc to enter command mode, then type the following command to save and exit.
:wq
- Reboot the QRadar Server.
reboot
Let the server restart with the normal procedure.
Results
The server restarts correctly. You can log in with your root userid and the associated password.
Confirm that the changes were applied to the fstab file by viewing the file.
cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Tue Jan 4 17:38:47 2022
# Test Line
#
Note: The 'rd.break' entry that was added earlier to the line that starts with "linux (loop)/isolinux/vmlinuz" is automatically removed upon the restart of the server.
Note: When the QRadar server is restarting correctly, all custom entries in the /etc/fstab file should be mounted one at a time.
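The checklist step "Unmount all external storage, which is not /store/ariel or /store" can be checked against the fstab before an upgrade. The following is an added example, not IBM code: it lists, or comments out in a copy, active fstab entries that look like external storage. Treating the types nfs, nfs4 and cifs or the _netdev option as "external" is an assumption, as are the function names and the sample host names.

```shell
#!/bin/sh
# Added example: audit an fstab for external-storage entries before an upgrade.
# Assumption: "external" means type nfs/nfs4/cifs or the _netdev mount option.
# Mount points /store and /store/ariel are exempt, as the checklist states.

fstab_custom() {  # $1 = list|comment, $2 = path to an fstab file
    awk -v mode="$1" '
        # Comments and blank lines: pass through when rewriting, skip when listing.
        /^[ \t]*#/ || /^[ \t]*$/ { if (mode == "comment") print; next }
        {
            ext  = ($3 ~ /^(nfs|nfs4|cifs)$/) || (("," $4 ",") ~ /,_netdev,/)
            keep = ($2 == "/store" || $2 == "/store/ariel")
            if (ext && !keep) {
                if (mode == "list") printf "%d:%s\n", NR, $2   # line:mountpoint
                else print "#" $0                              # disable entry
            } else if (mode == "comment") print
        }
    ' "$2"
}

# Print "line:mountpoint" for each entry that should be unmounted first.
list_custom_fstab_entries() { fstab_custom list "$1"; }

# Print the fstab with those entries commented out; the file is not modified.
comment_custom_fstab_entries() { fstab_custom comment "$1"; }

# Constructed sample fstab (hosts and shares are made up for illustration).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/rootrhel-root / xfs defaults 0 0
/dev/mapper/storerhel-store /store xfs defaults 0 0
nas01.example.test:/ariel /store/ariel nfs4 rw,_netdev 0 0
nas01.example.test:/backup /store/backup nfs4 rw,_netdev 0 0
//files.example.test/share /mnt/share cifs credentials=/root/.cred 0 0
EOF
}

# Optional: pass an fstab path as the first argument to list its custom entries.
if [ -n "${1:-}" ]; then list_custom_fstab_entries "$1"; fi
```

comment_custom_fstab_entries writes to standard output only; review the result before replacing /etc/fstab with it.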
Document Location
Worldwide
Document Information
Modified date:
08 June 2023
UID
ibm16959589