Admin Architecture

How to change a forgotten password in QRadar

QRadar has multiple ways to authenticate users. Apart from the default System Authentication based on data kept in the Postgres database, you can configure external Authentication using RADIUS, TACACS, LDAP or SAML methods.

In the screenshot above you can also see Active Directory option, which has been recently removed from the allowed methods of authentication (in QRadar 7.4.1 fix pack 1 and later or QRadar 7.3.3 fix pack 5 and later). Active Directory library component is no longer supported so whoever was using that method need to transition to the Lightweight Directory Access Protocol (LDAP) to authenticate to QRadar.

All these methods allow Administrators to save passwords for fall back use in case their primary source of Authentication fails. Should an administrator have issues with login there is a way to change a forgotten password in QRadar.

Simply using an SSH session login to the Console as the root user. From the command line type the following command with the chosen option. List of options is available after choosing -h option (as for help)

forgotten password in qradar
/opt/qradar/support/ -option

Type the above command with the option -a to change the Admin password. The -u  option is to change an administrator or user password and you will be prompted to enter user, password and confirm.

3 replies on “How to change a forgotten password in QRadar”

Hey Robert,

Thanks a lot for this great content that you published, I have a question related to change passwords, I want to change the password for the data collectors but I don’t know how to do it, could you give an explanation for that? that would be great for me!

Thanks a lot and take care…

Hi Eduardo,
Thank you for nice words. If you are trying to login directly to the Collector using SSH and password – don’t do this. By default this option is blocked. You need to login to the console and then you can transfer your session to the collector without any password, because QRadar has generated public-private keypair, when you added your collector to the deployment. If you are talking about any collector which is detached from deployment then you need to reset root password on that appliance with collector following the steps described for example here recover a root password. After that you can add the collector to your deployment.

Thanks a lot for your answer Robert, it helped me a lot!
Keep up this excellent work that you do…

Leave a Reply

Your email address will not be published. Required fields are marked *