Viewing the QRadar Risk Manager log file

Audit logs, which are stored in plain text, are archived and compressed when the audit log file reaches a size of 200 MB.

About this task

The current log file is named audit.log. If the audit log file reaches a size of 200 MB a second time, the file is compressed and the old audit log is renamed as audit.1.gz. The file number increments each time a log file is archived. IBM QRadar Risk Manager can store up to 50 archived log files.

The maximum size of any audit message (not including date, time, and hostname) is 1024 characters.

Each entry in the log file uses the following format:
<date_time> <host name> <user>@<IP address>
(thread ID) [<category>] [<sub-category>]
[<action>] <payload>

The following table describes the parameters that are used in the log file.

Table 1. Viewing audit log file information
Parameter Description
<date_time> The date and time of the activity in the format: Month Date HH:MM:SS.
<host name> The hostname of the Console where this activity was logged.
<user> The name of the user that completed the action.
<IP address> The IP address of the user that completed the action.
(thread ID) The identifier of the Java™ thread that logged this activity.
<category> The high-level category of this activity.
<sub-category> The low-level category of this activity.
<action> The activity that occurred.
<payload> The complete record that changed, if any.
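As an added example (not IBM's code), the following Python parser splits audit.log entries laid out as documented above into their fields and counts actions per user and source IP, which is the usual starting point for reviewing who changed what on the appliance. It assumes the hostname, user and IP address contain no whitespace, the thread ID contains no closing parenthesis, and the caller supplies the year because the timestamp has none.

```python
import re
from collections import Counter
from datetime import datetime

# Added example, not IBM code. Parses entries in the layout this page documents:
#   <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
# Assumes hostname, user and IP contain no whitespace and the thread ID contains no ')'.
ENTRY_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<user>[^@\s]+)@(?P<ip>\S+) '
    r'\((?P<thread>[^)]*)\) \[(?P<category>[^\]]*)\] \[(?P<subcategory>[^\]]*)\] '
    r'\[(?P<action>[^\]]*)\] ?(?P<payload>.*)$'
)
MAX_MESSAGE_LEN = 1024  # documented cap, excluding date, time and hostname


def parse_entry(line, year):
    """Return the entry's fields as a dict, or None if the line is not an audit entry.
    The timestamp has no year, so the caller supplies one (e.g. the file's mtime year)."""
    line = line.rstrip('\n')
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    when = datetime.strptime(f"{f['month']} {f['day']} {f['time']} {year}", '%b %d %H:%M:%S %Y')
    message = line[m.end('host') + 1:]  # everything after the hostname
    return {
        'timestamp': when, 'host': f['host'], 'user': f['user'], 'ip': f['ip'],
        'thread': f['thread'], 'category': f['category'], 'subcategory': f['subcategory'],
        'action': f['action'], 'payload': f['payload'],
        # A message at the documented cap may have been cut off; flag it for review.
        'at_size_cap': len(message) >= MAX_MESSAGE_LEN,
    }


def actions_by_user(lines, year):
    """Count (user, ip, category, action) tuples; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        e = parse_entry(line, year)
        if e is not None:
            counts[(e['user'], e['ip'], e['category'], e['action'])] += 1
    return counts


# Constructed sample entries in the documented layout (not real QRadar output).
SAMPLE = [
    'Mar  3 09:15:42 qrm-host admin@192.0.2.10 (Thread-17) [Login] [Session] [UserLogin] ',
    'Mar  3 09:16:05 qrm-host admin@192.0.2.10 (Thread-17) [Configuration] [Policy] [PolicyUpdated] policy_id=12 name="CIS baseline"',
    'Mar  3 09:17:30 qrm-host admin@192.0.2.10 (Thread-17) [Configuration] [Policy] [PolicyUpdated] policy_id=13 name="Firewall rules"',
    'this line is not an audit entry and is skipped',
]
```

To review an archived file, open it with gzip.open(path, 'rt') and pass its lines to actions_by_user with the year taken from the archive's modification time.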

Procedure

  1. Using SSH, log in to your IBM QRadar SIEM Console as the root user.
  2. Using SSH from the IBM QRadar SIEM Console, log in to the QRadar Risk Manager appliance as a root user.
  3. Go to the following directory: /var/log/audit.
  4. Open your audit log file.