IBM Support

QRadar: Using the systemctl command in QRadar

Troubleshooting


Problem

This article discusses the systemctl command and some common uses in a QRadar environment.

Cause

The systemctl command is used in QRadar versions 7.5 and later for many functions. It is the central management tool for controlling the init system (systemd). An init system is the process that starts, stops, and schedules all other tasks in the operating system.

Resolving The Problem

systemctl is one of the most frequently used commands in QRadar. The following are some examples of common uses.

Controlling services

To control services, type:
systemctl start|stop|restart|status <service name>
For example, the following command displays the status of the hostcontext service:
systemctl status hostcontext
Output:
● hostcontext.service - hostcontext daemon
   Loaded: loaded (/usr/lib/systemd/system/hostcontext.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/hostcontext.service.d
           └─timeout.conf, ulimit.conf
   Active: active (running) since Fri 2019-11-01 09:04:32 EDT; 6h ago
 Main PID: 13484 (java)
    Tasks: 226
   Memory: 2.1G
   CGroup: /system.slice/hostcontext.service
           ├─ 7764 /bin/sh /opt/qradar/bin/check_sar.sh 5 /store/tmp/sar_report.1572635155264
           ├─ 7768 sar -S -d -p -r -u -q -I SUM -n DEV -n EDEV 5 1
           ├─ 7769 grep -v drbd
           ├─ 7770 grep -E -v ^([0-9]{2}:[0-9]{2}:[0-9]{2})\s+(AM|PM)\s+(rhel|rootrhel|storerhel|docker)
           ├─ 7771 iostat -p -m -x -y 5 1
           ├─ 7772 grep -v -E ^dm-
           ├─ 7774 sadc 5 2 -z -S 768
           ├─ 7840 /bin/sh /opt/qradar/bin/check_sar.sh 5 /store/tmp/sar_report.1572635155264
           ├─ 7841 /usr/bin/python /usr/sbin/iotop -b -k -n 1
           └─13484 /bin/java -Dapplication.name=hostcontext -Dapp_id=hostcontext -Djava.library.path=/opt/qradar/lib -Dapplication.baseURL=file:///opt/qradar/conf/ -D...
Nov 01 15:01:48 QRadar732Base.ibm.com replication[15000]: Preparing incremental database dump as transaction 0000000000000047935
Nov 01 15:01:51 QRadar732Base.ibm.com replication[15000]: Replication incremental transaction for 3 relations, 0 JMS messages: Duration: 2777 ms
Common QRadar services that you might control this way include tomcat, hostservices, hostcontext, ecs-ep, ecs-ec, and ecs-ec-ingress.

Listing services

Using the systemctl command, you can list services to determine whether they are enabled or disabled. To see the state of every unit file, enter: systemctl list-unit-files. To refine the list to a specific service or state, enter:
systemctl list-unit-files | grep <state | service name>
Example:
systemctl list-unit-files | grep enabled
Output:
tomcat.service                             enabled
hostcontext.service                        enabled
hostservices.service                       enabled
napatech3.service                          enabled
syslog.service                             enabled
Another variation lists all systemd units of type service:
systemctl list-units --type=service
Output:
UNIT                                         LOAD   ACTIVE     SUB           DESCRIPTION
abrt-ccpp.service                            loaded active     exited        Install ABRT coredump hook
abrt-oops.service                            loaded active     running       ABRT kernel log watcher
abrtd.service                                loaded active     running       ABRT Automated Bug Reporting Tool
auditd.service                               loaded active     running       Security Auditing Service
blk-availability.service                     loaded active     exited        Availability of block devices
chronyd.service                              loaded active     running       NTP client/server
hostcontext.service                          loaded active     running       hostcontext daemon
hostservices.service                         loaded active     exited        hostservices alias script

Enabling or disabling services

Enabling a service means that it starts automatically when the system starts. Some services are enabled when you install QRadar, such as tomcat, hostcontext, or hostservices. Others are enabled when you configure the appliance or a feature. For example, the ha_manager service is enabled when you add high availability to a host. Some services are left disabled because they are used only in special cases, such as iSCSI or NFS storage attached to the QRadar appliance. In these cases, you must enable the service yourself. Services in this category are iscsi, iscsi-mount, and rpcbind.

Example:
systemctl enable iscsi

Verifying that the service is enabled

To verify that a service is enabled, use the following command:
systemctl is-enabled iscsi
Output:
enabled
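As an added example that is not part of this article, the following POSIX shell script combines the status check from "Controlling services" with the is-enabled check above into a health report for the services the article names. The service list and the SYSTEMCTL override variable are assumptions, not QRadar conventions.

```shell
#!/bin/sh
# Added example, not from the IBM article: report the enablement and run
# state of the QRadar services the article names and flag mismatches.
# SYSTEMCTL may be overridden (for example with a stub function); it
# defaults to the real systemctl binary.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Services the article lists as commonly relevant (assumed expected set).
QRADAR_SERVICES="tomcat hostcontext hostservices ecs-ep ecs-ec ecs-ec-ingress"

# Print "<service> <enabled-state> <active-state>" for one service.
# is-enabled and is-active print the state on stdout and exit non-zero for
# anything other than enabled/active, so keep stdout and ignore the status.
service_state() {
    svc="$1"
    enabled=$("$SYSTEMCTL" is-enabled "$svc" 2>/dev/null || true)
    active=$("$SYSTEMCTL" is-active "$svc" 2>/dev/null || true)
    printf '%s %s %s\n' "$svc" "${enabled:-unknown}" "${active:-unknown}"
}

# Classify one "<service> <enabled> <active>" triple. Enabled but not active
# is an outage; active but not enabled is drift: something started the unit
# outside the boot configuration, and it will not come back after a reboot.
classify() {
    case "$2/$3" in
        enabled/active) echo "OK" ;;
        enabled/*)      echo "ALERT: enabled but $3" ;;
        */active)       echo "WARN: running but $2" ;;
        *)              echo "INFO: $2, $3" ;;
    esac
}

# Check every expected service; return 1 if any is enabled but not active.
check_services() {
    rc=0
    for svc in $QRADAR_SERVICES; do
        set -- $(service_state "$svc")   # split into $1 $2 $3
        verdict=$(classify "$1" "$2" "$3")
        printf '%-16s %s\n' "$1" "$verdict"
        case "$verdict" in ALERT*) rc=1 ;; esac
    done
    return $rc
}

# Run the report only when a systemctl is available, so the functions can
# also be sourced and exercised on a host without systemd.
if command -v "$SYSTEMCTL" >/dev/null 2>&1; then
    check_services
fi
```

Run it on a QRadar host after a patch or reboot; a non-zero exit status means at least one service that should have started did not.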



Document Information

Modified date:
20 March 2023

UID

ibm11102161