IBM Support

QRadar: Using the journalctl command to view logs of QRadar services

Troubleshooting


Problem

journalctl is the command used to query the systemd journal, a logging service similar to syslog. It can be used to display failures or errors from specific QRadar services.

Resolving The Problem

Logs collected by systemd can be viewed by using journalctl. The journal is implemented with the journald daemon and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes it easy to review. The log records in the journal are structured and indexed. As a result, journalctl is able to present your log information in various useful formats.
 
journalctl commands:
  • To view boot messages: journalctl -b
  • To view the logs of a service: journalctl -u <service>
  • To view logs within a date range: journalctl --since "2019-10-29 14:10:10" --until "2019-10-30 14:10:10"
  • To view the logs of a service within a date range: journalctl -u <service> --since "2019-10-29 14:10:10" --until "2019-10-30 14:10:10"

Example of viewing a service log with journalctl -u <service name>:
journalctl -u hostcontext
Jun 16 17:50:13 QRadar-primary.example replication[25653]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
Jun 16 17:50:13 QRadar-primary.example replication[25653]: Could not open replication storage directory:
Jun 16 17:50:13 QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
Jun 16 17:50:13 QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Using 10.x.x.x as our local IP.
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Could not open replication storage directory:
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:643)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.start0(HostContext.java:735)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.access$700(HostContext.java:97)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext$5.run(HostContext.java:912)
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
Jun 16 17:50:18 QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service failed.


Note: If you run journalctl -u <service name> soon after a restart, the service you are monitoring might show as failed. Allow several minutes for the service to fully start before treating the failed state as a problem.
Using journalctl in this way lets you look at the logs of specific QRadar services or events, which simplifies searching for issues and isolating problems.
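The following POSIX shell script is an added example and is not part of the IBM document or of QRadar itself. It wraps the journalctl -u / --since / --until commands listed above in a small triage helper that pulls out the three things a support engineer looks for first in output like the hostcontext example: the exit status systemd recorded for the main process, the Java exception classes that started any stack trace, and whether the unit entered the failed state. The sample journal text embedded in the script is constructed from the page's example so the parsing functions can be exercised off-box; the function names (collect_journal, exit_status, exceptions, entered_failed_state, triage) are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page): triage a QRadar service's journal output.

# Constructed sample, modelled on the hostcontext journal shown on the page.
SAMPLE_JOURNAL='Jun 16 17:50:13 QRadar-primary.example replication[25653]: Could not open replication storage directory:
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
Jun 16 17:50:18 QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.'

# collect_journal SERVICE [SINCE] [UNTIL]
# Runs "journalctl -u SERVICE" with the optional date range from the page's command list.
# Falls back to the constructed sample when journalctl is not installed (running off-box).
collect_journal() {
  svc=$1; since=$2; until_=$3
  if command -v journalctl >/dev/null 2>&1; then
    set -- -u "$svc" --no-pager
    [ -n "$since" ] && set -- "$@" --since "$since"
    [ -n "$until_" ] && set -- "$@" --until "$until_"
    journalctl "$@"
  else
    printf '%s\n' "$SAMPLE_JOURNAL"
  fi
}

# exit_status JOURNAL_TEXT
# Prints the status systemd recorded for the most recent main-process exit,
# e.g. "1/FAILURE" from "code=exited, status=1/FAILURE"; prints nothing if absent.
exit_status() {
  printf '%s\n' "$1" | sed -n 's/.*code=exited, status=\([^ ]*\).*/\1/p' | tail -n 1
}

# exceptions JOURNAL_TEXT
# Prints the distinct Java exception class names that head each stack trace.
exceptions() {
  printf '%s\n' "$1" | grep -o '[A-Za-z_.$]*Exception' | sort -u
}

# entered_failed_state JOURNAL_TEXT SERVICE
# Returns 0 when systemd reported "Unit SERVICE.service entered failed state".
entered_failed_state() {
  printf '%s\n' "$1" | grep -q "Unit $2.service entered failed state"
}

# triage SERVICE [SINCE] [UNTIL]: one-screen summary of the three indicators.
# Per the page's note, a unit checked right after a restart may still show as
# failed; re-run after a few minutes before acting on a failed state.
triage() {
  out=$(collect_journal "$1" "$2" "$3")
  printf 'Service %s: last main-process exit status: %s\n' "$1" "$(exit_status "$out")"
  printf 'Exceptions seen: %s\n' "$(exceptions "$out" | tr '\n' ' ')"
  if entered_failed_state "$out" "$1"; then
    printf 'systemd reports %s.service entered failed state\n' "$1"
  fi
}

# Usage on a QRadar host: sh triage.sh hostcontext "2019-10-29 14:10:10" "2019-10-30 14:10:10"
[ $# -eq 0 ] || triage "$@"
```

Run with no arguments the script defines the functions and exits; with a service name (and optionally the --since/--until timestamps) it queries the live journal. Off a QRadar host, where journalctl is absent, collect_journal returns the constructed sample so the parsing logic can still be checked.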


Document Information

Modified date:
07 January 2021

UID

ibm11075089