No events are seen in the event viewer on the log activity tab even though all services are running properly.
When this issue occurs, the following message might be displayed for specific services in
/var/log/qradar.log:
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
Development has recently identified a defect in the product licensing function, which may cause the deployment to stop functioning. Our Juniper Secure Analytics (JSA) development team is currently working on an emergency fix to resolve this issue. Administrators who have automatic updates configured to auto restart or automatically deploy changes after a download might experience service issues. The issue is related to the function that validates a license key.
All JSA appliance versions are affected by this issue. Please complete the following steps to fix the issue:
- Use SSH to log in to the console as the root user.
- To update the license file, enter the following command on your console. Note: You can double-click the command to highlight the full text.
/opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
Note: This command runs from the console and the change is applied to all appliances by the all_servers utility.
- Wait 5 minutes for the changes to complete.
Note: Administrators are not required to restart any services for this change as the file loads automatically.
- Log in to the console.
- Click the Log Activity tab.
- Verify events are received from remote appliance.
Results
The procedure is complete. If you upgrade (patch) your JSA appliances, you must reapply the license fix on your console appliance after the software upgrade is complete for your deployment. If you experience an issue with this command or continue to experience services or license messages in qradar.log, open a case with Juniper Support for assistance. After you apply the workaround for this issue, you can use JSA normally and complete standard administrative tasks, such as deploy changes. This fix will be included in autoupdates soon.