page-brochureware.php

Support Tools 101


QRadar Support tools and commands for use in the administration and troubleshooting of a QRadar system.


About

Support Tools 101 is intended for administrators and IT Professionals who are responsible for troubleshooting and working with QRadar Support to maintain their QRadar environment. This page contains scripts and commands used to gather information on appliances, troubleshoot specific features, and assist in technical resolutions.

Important

Most of the tools listed here are non-descrtructive, but we advise administrators to not use tools if you are unfamiliar with their functionality or with a documented option flag. If you have a question regarding functionality, how-to questions, or if the tool does not work as designed, submit the question in our forums using the link at the top of the page.


Category Name Description and Examples
System myver The script provides the current version, patch, and other system information for a QRadar system.

/opt/qradar/bin/myver -v
System deployment_info.sh This tool collects all information about all systems in the deployment, including disk space used, hardware, appliance type, and serial number within a CSV file.

/opt/qradar/support/deployment_info.sh -OS
Services validate_ecs_services.sh This tool can be used to check the connections to all managed hosts and verify the versions of ECS and ECS-Ingress services after an upgrade.

/opt/qradar/support/validate_ecs_services.sh
Services wait_for_start.sh The script monitors and displays the status of the hostcontext processes, whether they are running or stopped on a QRadar system.

/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
High Availability (HA) ha_diagnosis.sh The script script can be a useful tool for understanding the current HA state and identifying potential issues causing the HA failure.

/opt/qradar/support/ha_diagnosis.sh
Disk space & partitions partitionDiagnostic The partitionDiagnostic utility has been released to assist with space issues in the /opt partition.

/opt/qradar/support/partitionDiagnostic -n
Troubleshooting all_servers.sh The all_servers.sh command is a powerful tool that can issue commands to all QRadar appliances within your deployment.

/opt/qradar/support/all_servers.sh -h
Administration changePasswd.sh The change password tools allows you to change the admin account password using the CLI in an incorrect password recovery scenario.

/opt/qradar/support/changePasswd.sh -a
Health cliniq Cliniq is a tool that runs health checks before major events, such as upgrades, to determine whether any issues need to be addressed first. You can also run Cliniq routinely to monitor the health of your system.

/opt/qradar/support/cliniq -h
Reports collectGvStats.sh The collectGvStats.sh tool allows you to troubleshoot accumulator issues. Accumulated Data is an aggregate data view used to draw a Time Series graphs or run Scheduled Reports, when you create a search that groups by one or more properties.

/opt/qradar/support/collectGvStats.sh -s
High Availability (HA) cstate This tool displays the HA cluster status and roles to assist with troubleshooting.

/opt/qradar/ha/bin/ha help
Troubleshooting defect-inspector The Defect Inspector is a script that leverages a set of fingerprints to detect defects in a log file and display the APAR or defect name. This script helps in quickly checking whether a QRadar system is experiencing an already known issue.

/opt/qradar/support/defect-inspector
Performance findExpensiveCustomRules.sh If it is not tuned properly, custom rules can cause performance issues. This tool allows you to troubleshoot if a rule causes performance issues.

/opt/qradar/support/findExpensiveCustomRules.sh -d /root
Logs get_logs.sh Collect QRadar logs from a system via the command line interface with the get_logs script.

/opt/qradar/support/get_logs.sh -h
Application framework qapp_utils_730.py This script allows you to access the command line of your installed applications by using the app container ID.

/opt/qradar/support/qapp_utils_730.py ps
Network qchange_netsetup The qchange_netsetup command will assist you in changing the IP address, hostname or DNS server in a Qradar system.

qchange_netsetup
High Availability (HA) qradar_nettune.pl This script will assist you in testing the HA crossover connection.

/opt/qradar/ha/bin/qradar_nettune.pl crossover
Application framework recon Recon is a tool designed to aid the troubleshooting of containers and container management on the QRadar Console or App Host.

/opt/qradar/support/recon ps
Troubleshooting replicationVerify.pl This tool allows to validate if the QRadar configuration database is synchronized across the environment and if is the same on all the managed hosts.

/opt/qradar/support/replicationVerify.pl
Logs scrub.pl To sanitize logs before opening a support ticket, use the scrub.pl script. This script is an option for customers who cannot run and submit get_logs.sh output due to security concerns.

/opt/qradar/bin/scrub.pl /var/log/qradar.error /tmp/scrubbedqradar.log
Performance threadTop.sh The ThreadTop script can detemine which QRadar process is consuming the most resources. This tool monitors QRadar processes and can give an indication of performance issues.

/opt/qradar/support/threadTop.sh
Administration Yum is a software package install manager. Yum can be used in QRadar to manually install RPM files and view detailed version information for installed files, such as DSM, protocols, scanners, and more.

yum info DSM-Cisco*

yum -y install package_filename.rpm
Services journalctl journalctl is a logging service similar to a syslog. The command journalctl can be used to display failures or errors from specific services.

journalctl -u hostcontext
Network tcpdump tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network.

tcpdump -nnAs0 -i eth0 port 514 -c 4

tcpdump -s 0 -A host 192.168.1.1 and udp port 514
Disk space & partitions df df is a standard Unix command used to display the amount of available disk space for file systems.

df -hT
Network telnet The telnet command is used for interactive communication with another host using the TELNET protocol.

telnet 192.168.1.1 22
Network ifconfig ifconfig is a system administration utility for network interfaces configuration.

ifconfig -a
Administration Do not use. RPM commands are deprecated from QRadar for installation purposes. See yum for package management and version information.

Legend (table icons description):

  • The describes a QRadar tool. A “support tool” or a “tool” is a script located in /opt/qradar/support or some another directory. Most tools support the -h (help) option and it was designed for general use to accomplish a specific task.

  • The describes a command. A command, is a Linux command that is used in these examples to accomplish a specific QRadar task. We recommend to review the Linux man pages before using a command.

  • The describes a deprecated command. Administrators should avoid using deprecated commands as they can cause issues in QRadar systems.

Explore some of our other 101 pages. For a complete list, navigate from the top “101 Pages” menu.

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.