Most of QRadar administrators are familiar with the command issued in the backend, which restarts services (systemctl restart hostcontext). You should know what kind of services are available and responsible for in the system.

If you are not familiar, then please read this article first https://www.robertrojek.pl/2015/10/22/qradar-services/

In this short article, I would like to mention about one technique (manual.sh), which can be useful if you need to stop service for longer. Normally, the hostcontext service is trying to have all the services running, therefore as long as hostcontext lives, the other services, which are managed by the hostcontext, will be restarted. If nothing is corrupted in the system, then shortly after stopping any hostcontext dependent service, it will be running again due to the hostcontext nature. It does not apply to ecs-ec-ingress or tomcat, though. Ingress is not dependent on hostcontext because when we do a full deploy logs collection would be interrupted (it was like this in the pre-ingress era). Ingress is restarting itself, after stopping it with systemctl stop command.

So, how to stop the service for good? For this purpose you can use the script included in QRadar installation in folder /opt/qradar/systemd/bin/ called manual.sh

Use the following syntax, if you would like to stop the service for the good and avoid accidentally running any of them during some serious changes in the system.

/opt/qradar/systemd/bin/manual.sh hostcontext enable

systemctl stop hostcontext

/opt/qradar/systemd/bin/manual.sh hostcontext disable

systemctl start hostcontext

I believe that this kind of tasks which need a manual stop of services will be conducted only with support, so I don’t advise you to do it yourself for anything else than testing. On other hand, sometimes, when you see that after each attempt restart of service, it is going down again and again then it is worth to check for manual script token.

/store/tmp/${APP_NAME}.${APP_ID}.manually_stopped

After enabling manual.sh script it generates the token with the syntax as above. Disabling manual.sh script should remove the mentioned token, but it happens sometimes that it stays there. Having this file in the system interfere with proper running of the service. If you find it there and you want restart the service, then simply remove the token from the location in storetmp and at the next time restart of service should be successful.

Leave a Reply

Your email address will not be published. Required fields are marked *