Question & Answer
Question
What are the considerations of restarting hostcontext using the '-q' switch?
Answer
Restarting hostcontext should never be done unless advised by a QRadar support representative. Many of the underlying services get restarted on the QRadar appliance when you run a hostcontext restart.
A lot of customers see support restarting hostcontext and think it is a magic bullet for fixing problems, but a support representative should never be using that command without telling you about the impact to your data. The restart is quick, but services are restarted which impact data collection and ECS.
Where do you find more information?
- Impacted services include:
- reporting_executor
- accumulator
- ariel_proxy_server
- passive_vis.passive
- qflow (flows)
- vis (scanners)
- ecs (event pipeline for event and flow data)
- Hostcontext responsbilities:
- Listening for deploy requests from the Console & reporting deployed status
- Downloading configurations
- Replication processes (each minute)
- Report the status of the host and HA peer (if running in HA).
When you restart hostcontext, you will affect impacted services and hostcontext responsibilities. When you use hostcontext -q, you are restarting hostcontext itself, which impacts hostcontext responsibilities.
There are only two reasons that hostcontext (or hostcontext -q) should be run, which is:
- If you believe the host isn't responding to deploy requests.
- You believe that there is a configservices issue where the Console is not able to update the remote host with the latest configuration.
A lot of customers see support restarting hostcontext and think it is a magic bullet for fixing problems, but a support representative should never be using that command without telling you about the impact to your data. The restart is quick, but services are restarted which impact data collection and ECS.
Administrators with command line access should only restart hostcontext if you understand the root cause of your issue or unless advised by support. Restarting Hostcontext is not a universal solution for correcting issues on managed hosts.
Where do you find more information?
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
09 April 2019
UID
swg21989536