Please note, it's very important to follow the correct order of steps and stop hostcontext and tomcat first, before you restart hostservices. If you are restarting services on ANYTHING OTHER than the console, you can skip “tomcat” (since tomcat runs only on the console).
- systemctl stop hostcontext
- systemctl stop tomcat
- systemctl stop hostservices
- systemctl start hostservices
- systemctl start tomcat
- systemctl start hostcontext
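The same sequence as a script, for anyone who wants the order enforced rather than remembered. This is an added example, not part of the original post or of QRadar itself; the function names, the role argument ("console" or "managed") and the DRY_RUN variable are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: ordered QRadar service restart, following the list above.
# Assumption: the operator passes the host role, "console" or "managed".

# Print the systemctl commands, one per line, in the required order.
# tomcat is included only for the console, where it actually runs.
restart_plan() {
    case "$1" in
        console) has_tomcat=1 ;;
        managed) has_tomcat=0 ;;
        *) echo "role must be 'console' or 'managed'" >&2; return 2 ;;
    esac
    echo "systemctl stop hostcontext"
    if [ "$has_tomcat" -eq 1 ]; then echo "systemctl stop tomcat"; fi
    echo "systemctl stop hostservices"
    echo "systemctl start hostservices"
    if [ "$has_tomcat" -eq 1 ]; then echo "systemctl start tomcat"; fi
    echo "systemctl start hostcontext"
}

# Walk the plan. DRY_RUN defaults to 1 and only prints the commands;
# set DRY_RUN=0 to execute them. Execution stops at the first failure so
# that no service is started on top of one that did not come up.
run_restart() {
    plan=$(restart_plan "$1") || return 2
    echo "$plan" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            echo "[run] $cmd"
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Stand-alone use: ./restart.sh console   (prints the plan unless DRY_RUN=0)
if [ "$#" -gt 0 ]; then
    run_restart "$1"
fi
```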
The hostcontext process is the first process you restart. It is the primary process that runs on the console and on each managed host, and controls all the core QRadar processes.
If you can’t deploy changes to one of the components, check whether hostcontext is running on it. You can use the following command to check hostcontext on every component at once:
- /opt/qradar/support/all_servers.sh -C "systemctl status hostcontext"
Restarting hostcontext also restarts all the other services that depend on it:
- Event Correlation Service
- ecs-ec (Event Correlation Service – Event Collector)
- ecs-ep (Event Correlation Service – Event Processor)
- Accumulator
- Accumulator_rollup
- Ariel Database
- ariel_proxy_server (running only on Console, and not on EP)
- ariel_query_server (running only on Managed Hosts, and not on Console)
- reporting_executor
- report_runner
- arc_builder (QVM only)
- Historical Correlation Processor
- QFlow
- VIS (Vulnerability Integration Services)
- Asset Profiler
- Offline Forwarder
- Tunnels
Depending on your configuration and the number of Managed Hosts, each deployment can have a different set of hostcontext component processes running. You can list them with this command:
- grep COMPONENT /opt/qradar/conf/nva.hostcontext.conf
The tomcat process is the next one in the sequence when you restart QRadar services. It is responsible for running the graphical user interface (GUI). These specifications are developed under the Java Community Process. Tomcat serves up our JSP web pages, as well as RPC and API calls. Restarting Tomcat also restarts the httpd service, but in many cases restarting httpd alone can be enough to resolve issues.
The hostservices process is a Java process that runs as an ongoing daemon. It keeps track of 2 other running processes, IMQ and PostgreSQL. The PostgreSQL database stores the configuration and reference data about log sources, the deployment, assets, offense data and more.