Support Tools 101 is intended for administrators and IT Professionals who are responsible for troubleshooting and working with QRadar Support to maintain their QRadar environment. This page contains scripts and commands used to gather information on appliances, troubleshoot specific features, and assist in technical resolutions.
We advise administrators to not use tools if you are unfamiliar with their functionality or with a documented option flag. If you have a question regarding functionality, how-to questions, or if the tool does not work as designed, submit the question in our forums using the link at the top of the page. Support cases for these scripts are out of scope.
| Category | Name | Description and Examples |
|---|---|---|
| System | myver | The script provides the current version, patch, and other system information for a QRadar system. /opt/qradar/bin/myver -v |
| System | deployment_info.sh | This tool collects all information about all systems in the deployment, including disk space used, hardware, appliance type, and serial number within a CSV file.
/opt/qradar/support/deployment_info.sh -OS |
| Services | validate_ecs_services.sh | This tool can be used to check the connections to all managed hosts and verify the versions of ECS and ECS-Ingress services after an upgrade. /opt/qradar/support/validate_ecs_services.sh |
| Services | wait_for_start.sh | The script monitors and displays the status of the hostcontext processes, whether they are running or stopped on a QRadar system. /opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh |
| Troubleshooting | all_servers.sh | The all_servers.sh command is a powerful tool that can issue commands to all QRadar appliances within your deployment. /opt/qradar/support/all_servers.sh -h |
| Administration | changePasswd.sh | The change password tools allows you to change the admin account password using the CLI in an incorrect password recovery scenario./opt/qradar/support/changePasswd.sh -a |
| Health | cliniq | Cliniq is a tool that runs health checks before major events, such as upgrades, to determine whether any issues need to be addressed first. You can also run Cliniq
routinely to
monitor the health of your system. /opt/qradar/support/cliniq -h |
| Reports | collectGvStats.sh | The collectGvStats.sh tool allows you to troubleshoot accumulator issues. Accumulated Data is an aggregate data view used to draw a Time Series graphs or run
Scheduled
Reports,
when you create a search that groups by one or more properties./opt/qradar/support/collectGvStats.sh -s |
| High Availability (HA) | cstate | This tool displays the HA cluster status and roles to assist with troubleshooting. /opt/qradar/ha/bin/ha help |
| Troubleshooting | defect-inspector | The Defect Inspector is a script that leverages a set of fingerprints to detect defects in a log file and display the APAR or defect name. This script helps in
quickly
checking
whether a QRadar system is experiencing an already known issue./opt/qradar/support/defect-inspector -h |
| Performance | findExpensiveCustomRules.sh | If it is not tuned properly, custom rules can cause performance issues. This tool allows you to troubleshoot if a rule causes performance issues. /opt/qradar/support/findExpensiveCustomRules.sh -d /root |
| Logs | get_logs.sh | Collect QRadar logs from a system via the command line interface with the get_logs script. /opt/qradar/support/get_logs.sh -h |
| Logs | scrub.pl | Do not use. The scrub.pl script is deprecated from QRadar. See log_scrubber.py script for sanitizing logs. |
| Application framework | qapp_utils_730.py | Do not use. The qapp_utils_730.py script is deprecated from QRadar. See recon for app container management. |
| Network | qchange_netsetup | The qchange_netsetup command will assist you in changing the IP address, hostname or DNS server in a Qradar system. qchange_netsetup |
| High Availability (HA) | qradar_nettune.pl | This script will assist you in testing the HA crossover connection. /opt/qradar/ha/bin/qradar_nettune.pl crossover |
| Application framework | recon | Recon is a tool designed to aid the troubleshooting of containers and container management on the QRadar Console or App Host. It can allow you to access the command
line of your
installed applications by using the app container ID. /opt/qradar/support/recon ps |
| Troubleshooting | replicationVerify.pl | This tool allows to validate if the QRadar configuration database is synchronized across the environment and if is the same on all the managed hosts./opt/qradar/support/replicationVerify.pl -h |
| Logs | log_scrubber.py | To sanitize logs before opening a support case, use the log_scrubber.py utility. This script allows customers to sanitize IP addresses, usernames, hostnames, and
domains from
logs due to security concerns. The log_scrubber.py script replaces the scrub.pl tool, which is deprecated by support. Updates to log_scrubber.py script are delivered
through QRadar
automatic updates in the Supportability Tools RPM file. /opt/qradar/support/log_scrubber.py -h |
| Performance | threadTop.sh | The ThreadTop script can detemine which QRadar process is consuming the most resources. This tool monitors QRadar processes and can give an indication of
performance
issues.
/opt/qradar/support/threadTop.sh |
| Administration | yum | Yum is a software package install manager. Yum can be used in QRadar to manually install RPM files and view detailed version information for installed files, such
as
DSM,
protocols, scanners, and more.yum info DSM-Cisco* yum -y install package_filename.rpm |
| Services | journalctl | journalctl is a logging service similar to a syslog. The command journalctl can be used to display failures or errors from specific services.journalctl -u hostcontext |
| Network | tcpdump | tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a
network.tcpdump -nnAs0 -i eth0 port 514 -c 4 tcpdump -s 0 -A host 192.168.1.1 and udp port 514 |
| Disk space & partitions | df | df is a standard Unix command used to display the amount of available disk space for file systems.df -hT |
| Network | telnet | The telnet command is used for interactive communication with another host using the TELNET protocol.telnet 192.168.1.1 22 |
| Network | ifconfig | ifconfig is a system administration utility for network interfaces configuration.ifconfig -a |
| Administration | rpm | Do not use. RPM commands are deprecated from QRadar for installation purposes. See yum for package management and version information. |
| Health | systemctl | The systemctl is one of the most used commands in QRadar. See the linked tech note for more examples. systemctl start|stop|restart|status |
| Administration | wget | Do not use wget to download files from Fix Central because files can arrive corrupted if network speeds are not suitable. For direct downloads, use SFTP
instead. |
| Administration | sftp | Use SFTP to download update packages (SFS), installation files (ISO), and auto updates from Fix Central directly to your devices without using an intermediary
host.sftp -o StrictHostKeyChecking=no USER_ID@SFTP_SERVER |
| Logs | mod_log4j.pl | mod_log4j.pl is a CLI and menu driven script that assists users in enabling and disabling debug loggers in /opt/qradar/conf/log4j.xml./opt/qradar/support/mod_log4j.pl -h |
| High Availability (HA) | ha_diagnosis | ha_diagnosis is a summary utility that completes a series of tests to output a summary of high availability appliance checks to the administrator./opt/qradar/ha/bin/ha_diagnosis -h |
| Troubleshooting | iteam_support.sh | iteam_support.sh is a script that can assist users in general troubleshooting. It can confirm hashes of downloaded DSMs and protocols, troubleshoot performance
degradation in the
event pipeline, and identify what log source type generated an event based on a QID./opt/qradar/support/iteam_support.sh |
| Health | WinCollectHealthCheck.sh | WinCollectHealthCheck.sh runs through a series of tests and automated checks to help validate managed WinCollect deployments./opt/qradar/support/WinCollectHealthCheck.sh -h |
| Health | validate_deployment.sh | The validate_deployment.sh script reports when the deployment configuration of the environment is inconsistent, typically meaning the deployment.xml and databases
do
not have the
same entries./opt/qradar/support/validate_deployment.sh -h |
Explore QRadar 101
Return to the QRadar 101 homepage
Learn about QRadar apps
Learn about deploying changes to QRadar
Learn about managing QRadar disk space
Browse a directory of our technical notes
Download software for QRadar
Read our support policies
Learn about WinCollect 7 and 10
Learn about installing and upgrading QRadar
See current and fixed issues with QRadar