IBM Support

QRadar: How to use Recon to troubleshoot QRadar applications

Troubleshooting


Problem

How do you use Recon to view logs for QRadar applications?

Environment

In QRadar V7.3.2 and V7.3.3, the support tool for application troubleshooting is named recon. Recon replaces the QRadar V7.3.1 and earlier troubleshooting application named qapp_utils730.py. 

Resolving The Problem

Recon is a tool designed to aid the troubleshooting of containers and container management on the QRadar Console or App Host, and it provides multiple commands for this purpose. Similar to ps and docker ps, recon ps shows an overview of the containers currently running on the system and the properties available for each. Recon integrates with the DrQ tool to diagnose problems that can occur and displays a brief chart of the results; the command also lists possible remediation for each potential error found. Because of API limitations, Recon does not know which managed host it is being run on: it lists the apps that should exist according to the QRadar API and, separately, the containers that are currently running on the current host, and these might not be the same set. When given an app ID, or a combination of workload, service, and container, recon connect lets you run a specific command inside a specific container.

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
    Note: Run the following commands on the host where the apps are running. If you use an App Host, SSH to the App Host to run the commands.
     
  2. To locate the application ID for your app, type: /opt/qradar/support/recon ps
    A list of installed applications and their App-ID values is output to the screen. The App-ID is a unique numeric value. Administrators use the numeric App-ID value to connect to the container for a specific application.

    If no issues are detected, the recon command output might look like the following example:
     
    /opt/qradar/support/recon ps
    
    App-ID  Name              Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
    1001    QRadar Assistant  53               apps         qapp-1001     ++  qapp-1001       +++++  5000  ++++
    
    Legend:
    
    Symbols:
    n - Not Applicable
    - - Failure
    * - Warning
    + - Success
    
    Checks:
    Service:
    A - Service exists in the workload file
    B - Service is set to started
    
    Container:
    C - Container is in ConMan workload file
    D - Container environment file exists
    E - Container image is in si-registry
    G - Container Systemd Units are started
    H - Container exists and is running in Docker
    
    Port:
    I - Container IP are in firewall main filter rules
    J - Container IP and port is in iptables NAT filter rules
    K - Container port has routes through Traefik
    L - Container port is responsive on debug path

    If a failure is detected, remediation steps are displayed.

  3. To connect to the app container, type: /opt/qradar/support/recon connect 1005
    A shell is opened inside the application's container. Administrators can browse the container's file system to review files, logs, or configurations for the application.
     
  4. To review app.log for connection errors, type: less /store/docker/volumes/qapp-<appID>/log/app.log
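The recon ps table and its legend lend themselves to a quick automated check. The following shell script is an added example, not IBM's code: it parses recon ps output (a constructed sample is embedded) and prints each check marked failure or warning together with its legend text, so an administrator can see which remediation to read before connecting to a container. It assumes the column layout shown above.

```shell
#!/bin/sh
# Added example (not IBM's code): read `recon ps` output and list every check
# column marked '-' (failure) or '*' (warning) with the legend text for that
# check. The sample below is constructed; on a real host you would instead run:
#   /opt/qradar/support/recon ps | recon_failed_checks
# Constructed sample: app 1001 is healthy; app 1005 has a failed Systemd
# check (G) and a Traefik routing warning (K).
sample_recon_ps() {
cat <<'EOF'
App-ID  Name              Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
1001    QRadar Assistant  53               apps         qapp-1001     ++  qapp-1001       +++++  5000  ++++
1005    Example App       53               apps         qapp-1005     ++  qapp-1005       +++-+  5001  ++*+
Legend:
EOF
}

# Reads recon ps output on stdin and prints one line per non-success check:
#   <App-ID> <FAILURE|WARNING> <letter> <legend text>
# Check columns are located by the header's fixed-width offsets, so app
# names that contain spaces (e.g. "QRadar Assistant") do not break parsing.
recon_failed_checks() {
    awk '
    BEGIN {
        grp[1] = "AB"; grp[2] = "CDEGH"; grp[3] = "IJKL"
        desc["A"] = "Service exists in the workload file"
        desc["B"] = "Service is set to started"
        desc["C"] = "Container is in ConMan workload file"
        desc["D"] = "Container environment file exists"
        desc["E"] = "Container image is in si-registry"
        desc["G"] = "Container Systemd Units are started"
        desc["H"] = "Container exists and is running in Docker"
        desc["I"] = "Container IP are in firewall main filter rules"
        desc["J"] = "Container IP and port is in iptables NAT filter rules"
        desc["K"] = "Container port has routes through Traefik"
        desc["L"] = "Container port is responsive on debug path"
    }
    $1 == "App-ID" { for (i = 1; i <= 3; i++) off[i] = index($0, grp[i]); seen = 1; next }
    $1 == "Legend:" { exit }          # the table ends where the legend begins
    seen && NF > 0 {
        for (i = 1; i <= 3; i++) {
            sym = substr($0, off[i], length(grp[i]))
            for (j = 1; j <= length(sym); j++) {
                s = substr(sym, j, 1); l = substr(grp[i], j, 1)
                if (s == "-") print $1, "FAILURE", l, desc[l]
                if (s == "*") print $1, "WARNING", l, desc[l]
            }
        }
    }'
}

# Number of non-success checks in the constructed sample (expected: 2).
sample_issue_count() { sample_recon_ps | recon_failed_checks | wc -l | tr -d ' '; }
```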


Document Information

Modified date:
29 July 2020

UID

ibm11079655