Troubleshooting
Problem
journalctl is the command-line tool for the systemd journal, a logging service similar to syslog. The journalctl command can be used to display failures or errors from specific services.
Resolving The Problem
Logs collected by systemd can be viewed by using journalctl. The journal is implemented with the journald daemon, which retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. The log records in the journal are structured and indexed. As a result, journalctl is able to present your log information in various useful formats.
journalctl commands:
- To view boot messages:
journalctl -b
- To view service logs:
journalctl -u <service>
- To view logs with a date range:
journalctl --since "2019-10-29 14:10:10" --until "2019-10-30 14:10:10"
- You can view logs by service within a date range:
journalctl -u <service> --since "2019-10-29 14:10:10" --until "2019-10-30 14:10:10"
- To view a journalctl service log, use the command:
journalctl -u <service name>
Example:
journalctl -u hostcontext
Jun 16 17:50:13 QRadar-primary.example replication[25653]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
Jun 16 17:50:13 QRadar-primary.example replication[25653]: Could not open replication storage directory:
Jun 16 17:50:13 QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
Jun 16 17:50:13 QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Using 10.x.x.x as our local IP.
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Could not open replication storage directory:
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:643)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.start0(HostContext.java:735)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.access$700(HostContext.java:97)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext$5.run(HostContext.java:912)
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
Jun 16 17:50:18 QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service failed.
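The failure pattern in the output above (a Java exception from the service, followed by systemd reporting that the main process exited) can be pulled out of a long journal automatically. The following is an added example, not IBM's or QRadar's own tooling: the function names triage_journal and sample_journal are hypothetical, the sample lines are constructed from the output above, and the default short journalctl output format is assumed.

```shell
#!/usr/bin/env bash
# Added example: summarise service failures in short-format journalctl output.
# On a live host (assumed invocation):
#   journalctl -u hostcontext -b --no-pager | triage_journal

# Constructed sample, modelled on the hostcontext output shown above.
sample_journal() {
cat <<'EOF'
Jun 16 17:50:14 QRadar-primary.example replication[25850]: Using 10.x.x.x as our local IP.
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
Jun 16 17:50:16 QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.start0(HostContext.java:735)
Jun 16 17:50:18 QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
Jun 16 17:50:18 QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.
EOF
}

# Reads journal lines on stdin. For every "main process exited" record from
# systemd, prints one line:
#   <timestamp>|<unit>|<exit status>|<last exception logged by that service>
triage_journal() {
  awk '
    # Field 5 is "ident[pid]:"; the message starts at field 6.
    { ident = $5; sub(/\[[0-9]+\]:$/, "", ident) }

    # Remember the most recent exception class logged by each service.
    $6 ~ /^[A-Za-z0-9_.$]+(Exception|Error):?$/ {
      exc[ident] = $6; sub(/:$/, "", exc[ident]); next
    }

    # systemd reports the exit; older releases print "main", newer "Main".
    ident == "systemd" && /[Mm]ain process exited/ {
      unit = $6; sub(/:$/, "", unit)
      svc = unit; sub(/\.service$/, "", svc)
      status = "unknown"
      for (i = 7; i <= NF; i++) if ($i ~ /^status=/) status = substr($i, 8)
      cause = (svc in exc) ? exc[svc] : "none"
      printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, unit, status, cause
      delete exc[svc]   # do not attribute an old exception to a later exit
    }
  '
}
```

Running `sample_journal | triage_journal` prints a single record for hostcontext.service. An exception is only matched to a unit when the service's syslog identifier equals the unit name without the `.service` suffix, as it does for hostcontext here.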
Note: If you run the journalctl -u <service name> command soon after a restart, the service you are monitoring might show as failed. Allow several minutes for the service to fully start.
The result of using journalctl is that you can look at logs of specific QRadar services or events. This can simplify searching for issues and isolating problems.
Document Location
Worldwide
Document Information
Modified date: 07 January 2021
UID: ibm11075089