Changing QRadar EDR logging levels

To get more detailed information on how IBM® Security QRadar® EDR is working, change the logging levels on the various components on the system. IBM Support might request this information to help them diagnose potential issues.

Before you begin

Install the command-line interface (CLI) cpctl utility from the cp-serviceability pod. For more information, see Installing the cpctl utility to access support actions.

QRadar EDR comprises different components, and depending on the underlying implementation that is used in the components, getting and setting logging levels might be handled differently.

Getting logging levels

You can fetch logging levels for specific deployments and then set them with specific values.

About this task

Get the logging levels for the following deployments:

  • reaqta-hive-claudio
  • reaqta-hive-graph-similarity
  • reaqta-hive-graph-similarity-gui
  • reaqta-hive-maia
  • reaqta-hive-policycompiler
  • reaqta-hive-yogi

Procedure

  1. To fetch the current logging levels for all deployments, run the following command.
    cpctl -n <qradar_edr_namespace> diagnostics get_logging_levels --token="$(oc whoami -t)" --application=reaqta-hive

    The following message is an example of the output.

    Executing playbook get_logging_levels.yaml
    
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    [Login] Validate...
    [Login] Token...
      localhost done | stdout:
    [INFO] Logging in via token...
    prepare...
      localhost ok
    datalake logging...
    datalake logging completed...
    check soar logging level...
    soar logging completed...
    xdrcc logging...
    datalake logging completed...
    reaqta logging...
    reaqta logging completed...
    cp4s deployment log levels for the group...
      localhost done | stdout: Get log levels for CP4S deployments:
    reaqta-hive-claudio: level=info
    reaqta-hive-event-hive: level=info
    reaqta-hive-event-hive-feeds-api: level=info
    reaqta-hive-graph-similarity: level=info
    reaqta-hive-graph-similarity-gui: level=info
    reaqta-hive-maia: level=info
    reaqta-hive-policycompiler: level=info
    reaqta-hive-yogi: level=info
    cp4s deployment log levels for the deployment...
    
    - Play recap -
      localhost                  : ok=4    changed=2    unreachable=0    failed=0    rescued=0    ignored=0
    
  2. To fetch logging levels for specific deployments, run the following command, and replace <DEPLOYMENT NAME> with the deployment name, such as reaqta-hive-maia.
    cpctl -n <qradar_edr_namespace> diagnostics get_logging_levels --token="$(oc whoami -t)" --application=reaqta-hive --deployment=<DEPLOYMENT NAME>

    The following message is an example of the output.

    Executing playbook get_logging_levels.yaml
    
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    [Login] Validate...
    [Login] Token...
      localhost done | stdout:
    [INFO] Logging in via token...
    prepare...
      localhost ok
    datalake logging...
    datalake logging completed...
    check soar logging level...
    soar logging completed...
    xdrcc logging...
    datalake logging completed...
    reaqta logging...
    reaqta logging completed...
    cp4s deployment log levels for the group...
    cp4s deployment log levels for the deployment...
      localhost done | stdout: Get log levels for CP4S deployments:
    reaqta-hive-maia: level=info
    
    - Play recap -
      localhost                  : ok=4    changed=2    unreachable=0    failed=0    rescued=0    ignored=0
    
  3. To get logging levels for the reaqta-hive-event-hive component, run the following command.
    Note: QRadar EDR deploys the reaqta-hive-event-hive component that runs in a Java™ virtual machine (JVM). Logging levels can be set at the class and package levels.
    cpctl -n <qradar_edr_namespace> diagnostics get_logging_levels --token="$(oc whoami -t)" --application=reaqta

    The following message is an example of the output.

    Executing playbook get_logging_levels.yaml
    
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    [Login] Validate...
    [Login] Token...
      localhost done | stdout:
    [INFO] Logging in via token...
    prepare...
      localhost ok
    datalake logging...
    datalake logging completed...
    check soar logging level...
    soar logging completed...
    xdrcc logging...
    datalake logging completed...
    reaqta logging...
      localhost ok
    DataLake logging...
    Xdrcc logging...
    ReaQta logging...
      localhost ok
    included: /etc/ansible/roles/common/get_logging_levels/tasks/reaqta.yml for localhost
    set_fact...
      localhost ok
    Look up all services that support logging...
      localhost ok
    Output Results...
    Deployment Name:  reaqta-hive-event-hive-config
    Namespace:        cp4s
    PACKAGES                                        LOGGING LEVELS
    com.reaqta                                      ${env:LOG_LEVEL_REAQTA:-INFO}
    akka                                            ${env:LOG_LEVEL_AKKA:-INFO}
    akka.http                                       ${env:LOG_LEVEL_AKKA_HTTP:-INFO}
    kamon                                           INFO
    
      localhost ok
    reaqta logging completed...
      localhost ok
    cp4s deployment log levels for the group...
    cp4s deployment log levels for the deployment...
    
    - Play recap -
      localhost                  : ok=8    changed=1    unreachable=0    failed=0    rescued=0    ignored=0
    

Setting logging levels

You can set logging levels to ERROR, WARN, INFO, or DEBUG.

About this task

Set logging levels for specific deployments, such as:

  • reaqta-hive-claudio
  • reaqta-hive-graph-similarity
  • reaqta-hive-graph-similarity-gui
  • reaqta-hive-maia
  • reaqta-hive-policycompiler
  • reaqta-hive-yogi

Procedure

  1. To set the logging level for a service, run the following command and replace the deployment and level arguments with the relevant values.
    cpctl -n <qradar_edr_namespace> diagnostics set_logging_levels --token="$(oc whoami -t)" --application=reaqta-hive --deployment=<DEPLOYMENT NAME> --level=<LEVEL>
    Replace <LEVEL> with one of the following values:
    • error
    • warn
    • info
    • debug
    Important: Running this command causes the component to restart.
    For example, the following command sets the logging level of the reaqta-hive-maia component to warn:
    cpctl -n <qradar_edr_namespace> diagnostics set_logging_levels --token="$(oc whoami -t)" --application=reaqta-hive --deployment=reaqta-hive-maia --level=warn
    The following message is an example of the output.
    Executing playbook set_logging_levels.yaml
     
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    assert...
      localhost ok: {
        "changed": false,
        "msg": "Log level validation passed"
    }
    [Login] Validate...
    [Login] Token...
      localhost done | stdout: 
    [INFO] Logging in via token...
    prepare...
      localhost ok
    datalake logging...
    completed check for datalake logging...
    set soar logging level...
    completed check for soar logging...
    set logging for given deployment...
      localhost done | stdout: Update CP4S log levels:
    Updating reaqta-hive-maia
    configmap/reaqta-hive-maia patched
    deployment.apps/reaqta-hive-maia patched
    set logging for given deployment...
     
    - Play recap -
      localhost                  : ok=5    changed=2    unreachable=0    failed=0    rescued=0    ignored=0   
    
  2. Optional: To set the logging level for a specific class or package of the reaqta-hive-event-hive service, run the following command and replace the package and level arguments with the relevant values.
    CAUTION:
    This option requires internal knowledge of the software; follow this step only if advised by IBM Support.
    cpctl -n <qradar_edr_namespace> diagnostics set_logging_levels --application=reaqta --package=<PACKAGE OR CLASS NAME> --level=<LEVEL> --token="$(oc whoami -t)"
    Replace <LEVEL> with one of the following values:
    • error
    • warn
    • info
    • debug
    The following command is an example that sets the com.reaqta.eventhive.Routes class to the debug level.
    cpctl -n <qradar_edr_namespace> diagnostics set_logging_levels --application=reaqta --package=com.reaqta.eventhive.Routes --level=DEBUG --token="$(oc whoami -t)"

    The following message is an example of the output.

    Executing playbook set_logging_levels.yaml
    
    - localhost on hosts: localhost -
    Gathering Facts...
      localhost ok
    assert...
      localhost ok: {
        "changed": false,
        "msg": "Log level validation passed"
    }
    [Login] Validate...
    [Login] Token...
      localhost done | stdout:
    [INFO] Logging in via token...
    prepare...
      localhost ok
    datalake logging...
    completed check for datalake logging...
    reaqta logging...
      localhost ok
    DataLake logging...
    XDRCC logging...
    ReaQta logging...
      localhost ok
    included: /etc/ansible/roles/common/set_logging_levels/tasks/reaqta.yml for localhost
    set_fact...
      localhost ok
    Look up loggers in configmap reaqta-hive-event-hive-config...
      localhost ok
    Update Resource Data...
    Setting deployment: reaqta-hive-event-hive-config in namespace: cp4s with group: com.reaqta.eventhive.Routes to: DEBUG
      localhost done
    Apply new logging config...
      localhost done | item: reaqta-hive-event-hive-config, cp4s
      localhost done
    completed check for reaqta logging...
      localhost ok
    set soar logging level...
    completed check for soar logging...
    datalake logging...
    completed check for datalake logging...
    set logging for given deployment...
    set logging for given deployment...
    
    - Play recap -
      localhost                  : ok=10   changed=3    unreachable=0    failed=0    rescued=0    ignored=0
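The following shell helpers are an added example, not part of the IBM documentation or the cpctl utility. They wrap the get_logging_levels and set_logging_levels commands from both procedures above: the get output is reduced to "deployment level" pairs, a requested level is checked against the four accepted values before set_logging_levels (which restarts the component) is run, and the previous level is recorded so it can be restored once IBM Support has the diagnostics. The function set_level_with_record assumes cpctl and oc are on PATH and that you are logged in; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the IBM page or cpctl). Helpers around the
# get_logging_levels / set_logging_levels commands documented above.

# Keep only lines of the form "<deployment>: level=<level>" from the
# get_logging_levels output; the Ansible task chatter and play recap are dropped.
# (The reaqta-hive-event-hive PACKAGES table uses a different format and is not parsed here.)
parse_log_levels() {
    sed -n 's/^[[:space:]]*\([a-z0-9-]*\): level=\([a-z]*\)[[:space:]]*$/\1 \2/p'
}

# Accept only the levels the page lists for --level (case-insensitive).
validate_level() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        error|warn|info|debug) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the level of one deployment from parsed "name level" lines on stdin;
# exit non-zero if the deployment is absent.
current_level() {  # $1 = deployment name
    awk -v d="$1" '$1 == d { print $2; found = 1 } END { exit !found }'
}

# Constructed sample of the stdout section shown in step 1 of "Getting logging levels".
SAMPLE_OUTPUT='datalake logging completed...
  localhost done | stdout: Get log levels for CP4S deployments:
reaqta-hive-claudio: level=info
reaqta-hive-maia: level=info
reaqta-hive-yogi: level=debug
cp4s deployment log levels for the deployment...'

# Validate the level, record the deployment's current level in $4, then apply
# the change. set_logging_levels restarts the component, so schedule accordingly.
set_level_with_record() {  # $1 = namespace, $2 = deployment, $3 = level, $4 = record file
    validate_level "$3" || { echo "invalid level: $3 (use error|warn|info|debug)" >&2; return 2; }
    prev=$(cpctl -n "$1" diagnostics get_logging_levels --token="$(oc whoami -t)" \
        --application=reaqta-hive --deployment="$2" | parse_log_levels | current_level "$2") \
        || { echo "could not read current level of $2" >&2; return 3; }
    printf '%s %s\n' "$2" "$prev" >> "$4"   # e.g. "reaqta-hive-maia info", for reverting later
    cpctl -n "$1" diagnostics set_logging_levels --token="$(oc whoami -t)" \
        --application=reaqta-hive --deployment="$2" --level="$3"
}
```

To revert after diagnostics, read the recorded "deployment level" line back and pass it to set_level_with_record (or the plain set_logging_levels command) with the saved level.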