IBM Support

QRadar: How to use the defect inspector to identify reported issues?

Troubleshooting


Problem

How can administrators review the logs for reported issues in their QRadar version?

Environment

NOTE: The Defect Inspector uses stack traces to assist with the identification of potential known issues on a QRadar appliance. It does not automatically diagnose and resolve the current issues. Administrators can use this tool to identify a reported issue associated with an APAR and work with QRadar Support on a resolution or workaround. For example, the tool might report an APAR related to an app or service not loading as expected. A support case would be required in most circumstances to resolve the app or service issue. Issues identified by the Defect Inspector do not indicate that your QRadar system is not operating correctly, as the issue might be attributed to features or configurations not enabled in your deployment.

Resolving The Problem

The Defect Inspector is a support utility that leverages stack traces from error logs to detect known issues by the APAR or issue name. This script helps administrators quickly identify whether a QRadar system is experiencing a previously reported issue. Logs are scanned and matched by the script against a database of known problems. If the logs contain messages characteristic of a defect from the database, the issue is reported to the user.
The simplest way to use the Defect Inspector is to run /opt/qradar/support/defect-inspector. By default, the Defect Inspector searches through the /var/log/qradar.error file, displaying the APAR number and the defect name.
Note: To scan a log other than qradar.error, add it at the end of the command. The log file can be .log, .error, .txt, .gzip, .bzip2, .tar, or an uncompressed folder that contains these types of files. To scan multiple logs, separate them with a space or ":", for example "A B C" or "A:B:C".
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To run the defect inspector, type: /opt/qradar/support/defect-inspector
  3. Review any associated APARs to determine if a workaround is available or if support assistance is required.
    For example:
    Figure 1: After the script completes, any known issues are displayed on screen and an output.txt file is written to the working directory.

 
How to use the Defect Inspector in Verbose Mode
The Defect Inspector can be run with a verbose option that posts the exception stack trace from the logs on the defects found.
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To run the defect inspector in verbose mode, type: /opt/qradar/support/defect-inspector -verbose
  3. Review any associated APARs to determine if a workaround is available or if support assistance is required.
    For example:
    Figure 2: The verbose mode displays any known issues on screen, the matching stack trace, and writes an output.txt file to the working directory.
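
The following wrapper is an added example, not IBM code: it joins several log paths with the ":" separator described in the note above and runs the verbose scan from a per-run directory, so the output.txt written to the working directory is kept with that run. It assumes -verbose can be combined with log paths appended at the end of the command; the function names, the result directory layout and the sample paths are hypothetical.

```shell
# Added example (not IBM code). Only the tool path, the -verbose option, the
# ":" log separator and output.txt in the working directory come from the page.
INSPECTOR=/opt/qradar/support/defect-inspector

# Join the given log paths into one ":"-separated argument.
# Paths are made absolute because run_inspector changes directory.
join_logs() {
    local p abs joined=""
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        abs="$(cd "$(dirname "$p")" && pwd)/$(basename "$p")"
        case "$abs" in
            # space and ":" are the list separators, so such paths cannot be passed
            *:*|*" "*) echo "separator character in path: $abs" >&2; return 1 ;;
        esac
        joined="${joined:+$joined:}$abs"
    done
    printf '%s' "$joined"
}

# run_inspector RESULT_DIR [LOG...]
# Runs a verbose scan from a fresh per-run directory under RESULT_DIR
# (hypothetical layout) so each run keeps its own output.txt.
# With no LOG arguments the tool scans its default, /var/log/qradar.error.
run_inspector() {
    local root=$1 logs run
    shift
    logs=$(join_logs "$@") || return 1
    [ -x "$INSPECTOR" ] || { echo "$INSPECTOR not found" >&2; return 3; }
    run="$root/defect-inspector-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$run" || return 1
    ( cd "$run" && "$INSPECTOR" -verbose ${logs:+"$logs"} ) || return $?
    echo "results: $run/output.txt"
}

# Usage on the Console, as root (log paths here are constructed examples):
#   run_inspector /root/cases /var/log/qradar.error /var/log/qradar.log
```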

 

Document Location

Worldwide


Document Information

Modified date:
07 January 2021

UID

ibm11085481