qchange_netsetup

There is a common problem with how to add new DNS servers to QRadar if you need to change them. Normally, you should run the qchange_netsetup script, which is looking after this change. Nevertheless, the problem appears when there is more than one appliance in the deployment. In order to run the qchange_netsetup script, you would need to remove each of Managed Host from the deployment, then change DNS servers and finally re-add it. It can be a serious problem in the distributed deployments, where you have more than one or two hosts. It was confirmed that there is a quick method to change these details without running the mentioned script. Using SSH, log in to your Console as the root user. If you need to use sudo then run sudo -i (but never just sudo su)

From the Console, you can quickly ssh to the Managed Host, which needs a DNS change. Go to /etc/sysconfig/network-scripts/ location and using any text editor amend the management interface configuration file for DNS servers details. The management interface configuration file name starts with ifcfg-<Management_interface>. Please note, that if there would be DNS3= line in that file, you can safely remove or leave it empty, because QRadar is using only DNS1= and DNS2= lines.

As you can see below, in the comments section, Adam (thanks for the hint!) is suggesting checking the management interface first to avoid any confusion.

3 thoughts on “Add new DNS servers to QRadar”
  1. You could update the article to tell reader how to determine which network interface on the machine is the management interface is. The following command will output what the management interface is:
    # cat /etc/management_interface

  2. Hi,
    First of all I would like to thank you for your incredible work, which has on many occasions helped me to address issues with the platform.
    I was wondering if you can dedicate some time to talk about QRadar Data Store which can be utilised as a mechanism to reduce customer’s expenses, as events will be parsed and will be available to be queried from the log activity, but will not contributing to the offence generation, hence not impacting the EPS license.
    Unfortunately, QRadar has minimum documentation about it and some Jose Bravo videos on youtube describe it on a very high level.
    If you have previous experience with it that you can share it would be highly appreciated.
    I’ve wrapped up some of my questions / unknown aspects below:
    – How many events can be sent to the Data Store; Is there a limit?
    – Where does the segregation between events going to Data Store vs those contributing to the EPS takes place? Is it on the EC or the EP?
    – What happens if events are being queued? Are they handle by the same buffer? And is that the EC or the EP buffer?
    – Can you forward events which are saved in the Data Store?
    – Is there some kind of event retention for the Data Store events?
    Regardless on whether you are able to conduct and compose such a deep dived article, the work that you’ve been sharing is amazing and I hope you keep it up!
    Kind Regards

    1. Hey Niko,

      Thank you for your nice words. Personally, I have never dig any subject related to Data Store. I can try to answer your question only based on the common knowledge I have. I don’t think there is any limit because I don’t know how it could be implemented, if you have configured some routing for the event then there is no way that it can be stopped by the system as long as you don’t do this yourself. So, the sky is the only limit or your Data Store disk space 🙂 Segregation must be done in the ecs-ec module for sure as this will bypass correlation therefore the whole ecs-ep module. In the case of events being queued before the segregation occurs, then I believe the events will be dropped randomly regardless of destination. I am not sure about the last two questions but I believe if the Data Store is part of QRadar deployment thus retention should be configurable for this device in the same way as for the other appliances in the QRadar family. Not sure about forwarding events though. If these are kept in /store/ariel then there should not be an issue with this process.

Leave a Reply

Your email address will not be published. Required fields are marked *