IBM Support

Getting Help: What information should be submitted with a QRadar service request?

Question & Answer


Question

What basic information should be collected when logging a Service Request with IBM Security QRadar Support?

Answer


1. What information should I submit to QRadar support for software issues?

The following information should be submitted with customer service requests when reporting software issues in QRadar.

  • A detailed description of the issue, including the steps taken or changes made before the issue occurred.
  • Screen captures showing the issue or the on-screen error message.
  • The steps taken by the user or administrator to try to resolve the problem.
  • A log file collection from QRadar (Collect Log Files in the user interface, or get_logs.sh from the command line; see 1a and 1b).
  • Product version and build number. This information is available from the user interface. To view your QRadar version, from the Dashboard tab, select Help > About.

     
1a. How to collect log files for QRadar support from the user interface
 
Procedure
  1. Click the Admin tab.
  2. Click the System & License Management icon.
  3. Select the QRadar appliances that you want to collect logs from in the user interface.
    Note: You can use Shift + click or Ctrl + click to get logs from multiple appliances. If you do not select any appliance, the default action is to collect logs from the QRadar Console.
  4. Select Actions > Collect Log Files.
  5. In most cases, unless you are experiencing application or extension issues, the default options can be used.


    Advanced Options
    • Unless advised by QRadar Support, there is no need to enable the Include Debug Logs check box.
    • If you are having issues with a QRadar extension or installing an application, select the Include Application Extension Logs check box.
    • If you recently upgraded your appliance, installed software updates, or are having issues with managed hosts, select the Include Setup Logs (Current Version) check box.
    • Most administrators can leave the Collect Logs for this Many Days field blank. However, if you are collecting logs from multiple hosts, choose a known timeframe to limit the size of the archive and the time it takes to collect the log files.
    • Encryption of log files prompts for a user-defined password. If this option is selected, the password must be provided to IBM Support so that the log files can be decrypted.
  6. Click Collect Log Files.

    The log collection process starts and the status bar updates when log collection is complete.
  7. Click Download and save the file.
  8. Attach the log to your support ticket.
Results
Support will contact you using your preferred method of communication. If you have issues downloading the file from the user interface, you can copy the log archive from the /var/log directory on the Console with WinSCP or another secure copy (SCP/SFTP) utility. Root access to the appliance is required to run the get_logs.sh utility described in 1b.

1b. How to collect log files for QRadar from the command-line interface (get_logs.sh)

To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and can be run on each appliance individually to collect logs. If you are having user interface issues, use this utility as a backup method to collect and submit logs for your appliance when the QRadar Console user interface cannot be used.
Procedure
  1. Using SSH, log in to the Console appliance as the root user.
  2. Type the following command: /opt/qradar/support/get_logs.sh
    The script informs you that the log was created and provides the name and the location, which is always the /var/log/ directory. For administrators having application or extension issues, use the -a option to collect application logs with your Console log information. For a list of commands that can be run, type: /opt/qradar/support/get_logs.sh -h
  3. Copy the tar.bz2 file to a system that has access to an external network to upload your log file.
  4. Open a case with QRadar Support (sign-in required).
  5. Fill in the product and describe your issue.
  6. Attach the log file and provide an explanation of your issue.
Results
Support will contact you using your preferred method of contact.
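The command-line procedure above, as an added example (not IBM's script): a small POSIX shell wrapper that runs get_logs.sh as root, locates the newest archive it wrote to /var/log, and prints the archive's size and SHA-256 so the values can be noted in the case and compared after the upload. It assumes, as stated above, that get_logs.sh lives in /opt/qradar/support and writes a .tar.bz2 archive into /var/log; both paths can be overridden with the GET_LOGS and LOG_DIR variables.

```shell
#!/bin/sh
# Added example (not IBM's script): wrap get_logs.sh on a QRadar appliance,
# find the archive it writes to /var/log, and record its size and SHA-256 so
# the values can be noted in the case and checked after upload.
# Assumptions: get_logs.sh lives at /opt/qradar/support (as the article states)
# and writes a .tar.bz2 archive into /var/log. Both paths can be overridden.

GET_LOGS=${GET_LOGS:-/opt/qradar/support/get_logs.sh}
LOG_DIR=${LOG_DIR:-/var/log}

# Newest file in DIR matching PATTERN (default *.tar.bz2); prints its path and
# returns 1 when nothing matches. ls -t sorts by modification time, newest first.
latest_archive() {
    dir=$1
    pattern="${2:-*.tar.bz2}"
    f=$(ls -1t "$dir"/$pattern 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    printf '%s\n' "$f"
}

# SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run get_logs.sh (any arguments, e.g. -a for application logs, are passed
# through), then report the archive it produced.
collect_logs() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "get_logs.sh must be run as root" >&2
        return 1
    fi
    if [ ! -x "$GET_LOGS" ]; then
        echo "$GET_LOGS not found or not executable; is this a QRadar appliance?" >&2
        return 1
    fi
    "$GET_LOGS" "$@" || return 1
    archive=$(latest_archive "$LOG_DIR") || { echo "no .tar.bz2 archive in $LOG_DIR" >&2; return 1; }
    printf 'archive: %s\nsize:    %s bytes\nsha256:  %s\n' \
        "$archive" "$(wc -c < "$archive" | tr -d ' ')" "$(file_sha256 "$archive")"
}

# Usage on the Console (as root), saved as qradar_logs.sh:
#   QRADAR_LOGS_RUN=1 sh qradar_logs.sh        # default collection
#   QRADAR_LOGS_RUN=1 sh qradar_logs.sh -a     # include application/extension logs
# The guard keeps the script from running when it is only sourced for its functions.
if [ "${QRADAR_LOGS_RUN:-0}" = 1 ]; then
    collect_logs "$@"
fi
```

Record the printed sha256 in the case description; if the value Support computes on the uploaded file differs, the upload was truncated or altered in transit and should be repeated.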

2. What information should I submit for DSM parsing issues?

To receive support for DSM parsing issues, we typically request that customers submit the following information:

  • The name of the appliance or software that generated the unknown, stored, or incorrectly categorized event.
  • A screen capture of the log source configuration. Double-click the log source to open the edit screen and take a screen capture.
  • A screen capture of the incorrect event. Double-click an event in the Log Activity tab to view the Event Summary and submit a screen capture.
  • The version of the software that is generating the events. If multiple appliance versions are in your network, list all versions.
  • The DSM version installed on the QRadar Console (see 2a).
  • A Full XML export from the Log Activity tab on the Console (see 2b).

2a. How to verify which DSM version is installed

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To find the installed version, type: rpm -qa | grep -i nameofDSM
    Replace nameofDSM with part of the DSM name, for example: rpm -qa | grep -i windows
    The installed package name printed by rpm -qa includes the version and build number of the DSM.
  3. This version information can be compared to what is posted on IBM Fix Central, but include it in your support request either way.

2b. How to export events for review by support

Procedure
  1. Click the Log Activity tab.
  2. Click Add Filter.
  3. Select Log Source > Equals > Name of the log source with the parsing issue.
    Note: If your log source is not assigned to a group yet, select Other, which displays all ungrouped log sources.
  4. Click Add Filter
    You are returned to the Log Activity tab, which displays events filtered by the log source you selected.
  5. Click the View drop-down and select a time interval. For example, 7 hours.
  6. Review the filtered events to ensure that it contains your issue or concern.
  7. From the navigation menu, select Actions > Export to XML > Full Export (All Columns).
    Note: XML is the preferred format for event reviews.
Results
Attach the XML event export and provide an explanation of the events that appear to be parsing incorrectly in the description of your service request.

3. What information should I submit to QRadar support for hardware issues?

3a. How to determine if an appliance is IBM xSeries or Dell?

Some administrators have a mix of appliance types in their network. When hardware issues occur, it is helpful to know which type of appliance you are working with, because only xSeries hardware requires a DSA file for QRadar Support (sections 3b to 3d); Dell appliances use iDRAC reports instead (section 3e) and might not produce a DSA result.

To verify your hardware manufacturer:
  1. Using SSH, or from the local terminal of the appliance, log in as the root user.
  2. To determine the hardware manufacturer, type the following command: dmidecode -t system
  3. Review the output on screen for the manufacturer information.

    Sample output:
    # dmidecode 2.12
    # SMBIOS entry point at 0x7f6be000
    SMBIOS 2.5 present.

    Handle 0x0030, DMI type 1, 27 bytes
    System Information
    Manufacturer: IBM
    Product Name: System x3650 M3 -[7945AC1]-
    Version: 00
    Serial Number: KQ35RWH
    UUID: 09E10B2B-16C9-3B91-888B-73C34F82FC1D
    Wake-up Type: Other
    SKU Number:
    Family: System x
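The manufacturer check above, as an added example (not IBM's code): a POSIX shell script that parses the output of dmidecode -t system, classifies the vendor, and prints which report to attach to the case (a DSA report for IBM xSeries, an iDRAC system report for Dell). It also pulls the machine type out of the bracketed Product Name, because DSA names its report after the machine type and serial number (see 3b). The IBM sample is the article's own output above; the Dell sample, including its serial number, is constructed for illustration. The vendor strings matched (IBM, LENOVO, Dell Inc.) are an assumption based on what these appliances normally report.

```shell
#!/bin/sh
# Added example (not IBM's code): classify "dmidecode -t system" output to
# decide which hardware report a QRadar case needs: a DSA report for IBM
# xSeries (section 3b) or an iDRAC system report for Dell (section 3e).
# Assumption: the Manufacturer field reads "IBM" (or "LENOVO" on later
# xSeries hardware) and "Dell Inc." on Dell appliances.

# Output taken from the article's IBM xSeries sample (abridged).
SAMPLE_IBM='System Information
    Manufacturer: IBM
    Product Name: System x3650 M3 -[7945AC1]-
    Version: 00
    Serial Number: KQ35RWH
    Family: System x'

# Constructed Dell sample for illustration; the serial number is made up.
SAMPLE_DELL='System Information
    Manufacturer: Dell Inc.
    Product Name: PowerEdge R740
    Serial Number: ABC1234'

# Print the value of "<Key>: <value>" from dmidecode text on stdin (first match).
dmi_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Machine type from Product Name, which xSeries reports as "... -[7945AC1]-";
# DSA names its report <machine type>_<serial>_<date>.xml.gz. Empty if absent.
machine_type() {
    dmi_field 'Product Name' | sed -n 's/.*-\[\([^]]*\)]-.*/\1/p'
}

# Vendor class from the Manufacturer field: xseries, dell, or unknown.
hw_vendor() {
    case "$(dmi_field Manufacturer)" in
        IBM*|LENOVO*|Lenovo*) echo xseries ;;
        Dell*)                echo dell ;;
        *)                    echo unknown ;;
    esac
}

# Which report to attach to the case for a given vendor class.
report_for_vendor() {
    case "$1" in
        xseries) echo 'run DSA (3b) and attach /var/log/IBM_Support/<type>_<serial>_<date>.xml.gz' ;;
        dell)    echo 'generate a system report from the iDRAC (3e)' ;;
        *)       echo 'unknown manufacturer; include the dmidecode output in the case' ;;
    esac
}

# Read dmidecode text on stdin and print a short summary for the case notes.
hw_summary() {
    text=$(cat)
    vendor=$(printf '%s\n' "$text" | hw_vendor)
    printf 'vendor: %s\nmodel:  %s\ntype:   %s\nserial: %s\naction: %s\n' \
        "$vendor" \
        "$(printf '%s\n' "$text" | dmi_field 'Product Name')" \
        "$(printf '%s\n' "$text" | machine_type)" \
        "$(printf '%s\n' "$text" | dmi_field 'Serial Number')" \
        "$(report_for_vendor "$vendor")"
}

# On an appliance (as root), saved as hwcheck.sh:  dmidecode -t system | sh hwcheck.sh --live
# Without --live the script runs on the embedded samples.
if [ "${1:-}" = --live ]; then
    hw_summary
else
    printf '%s\n' "$SAMPLE_IBM" | hw_summary
    echo
    printf '%s\n' "$SAMPLE_DELL" | hw_summary
fi
```

Paste the summary into the case description: the machine type and serial number let Support match the DSA or iDRAC report to the appliance, and the vendor line tells them immediately which section of this procedure applies.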

3b. IBM xSeries appliances: How to run a Dynamic System Analysis (DSA) report
Administrators who experience hardware issues on xSeries appliances should run the DSA utility and submit a report with the hardware support request.


Before you begin: The QRadar Appliance ships with the DSA utility installed. If you see a message "This system is not supported by this version of DSA" an updated build of the DSA might be required for your appliance. Refer to this link for the correct update of the DSA utility for your Appliance.

Versions of the DSA utility required for my QRadar Appliance
 
Procedure
  1. Using SSH, log in to the remote QRadar appliance that is experiencing the hardware error.
    Note: You must first SSH to the Console, then open another SSH session to a managed host in the deployment.
  2. To change directory to the support folder, type: cd /opt/qradar/support
  3. To verify the permissions on the DSA utility, type: ls -l *dsa*
    If the permissions are -rw-r--r-- (no execute bit set), you must change the permissions to be able to run the DSA utility.
  4. To change permissions, type: chmod 755 <DSA_build>_x86-64.bin
  5. To run a DSA report for your appliance, type: ./<DSA_build>_x86-64.bin
  6. The DSA utility creates a .xml.gz file in /var/log/IBM_Support, named with the machine type, serial number, and date.
    For example: /var/log/IBM_Support/7944AC1_KQ97NYC_20150927-163515.xml.gz
  7. Copy this file from the remote host.
  8. Click the following URL to open a service request: https://ibm.com/mysupport.
  9. Click New service request and sign in to your IBM ID, if required.
  10. Select I am having a problem with Software.
    Note: The QRadar software team reviews all requests, including hardware-related issues, as a verification step. All QRadar tickets should be opened as software issues.
  11. Attach the DSA report and provide an explanation of your issue.
  12. Support will contact you using your preferred method of communication.
Note: If your system will not boot, follow the instructions in the next section (3c) for non-booting appliances.

3c. How to run a Dynamic System Analysis (DSA) report for a non-booting appliance


Administrators who experience hardware issues on xSeries appliances should run the DSA utility and submit a report with the hardware support request. The following procedure outlines how an administrator can collect a hardware report for an appliance that does not boot properly. This hardware report is required and must be submitted with the service request. This procedure can be followed for appliances that are suspended or frozen due to a hardware or software issue.
 
Procedure
  1. Restart the QRadar Appliance.
  2. Select F2 to enter diagnostics.
  3. Hit ESC to stop memory test if it starts.
  4. After a menu appears, arrow over to Quit, then select Quit to DSA.
  5. Choose command-line option: CMD.
  6. Insert a FAT32-formatted USB flash drive. The output file is typically under 1 MB.
  7. Choose to collect DSA with no other options needed. Choose option 1 to collect DSA diagnostics.
  8. After 2 passes complete, exit back to the previous menu.
  9. Choose the option copy to local media.
  10. If USB flash drive is not seen, reseat and try again. If the USB flash drive is still not seen, try a different USB device.
Note: The DSA can sometimes take a long time to start and run, which might appear to administrators that the DSA program is not functioning. However, do not interrupt this process as it can take up to 5 minutes between steps to collect the information and complete the report before writing this to the USB flash drive.

Results
After the data is collected on the appliance, the files are saved to the USB flash device. The process of writing the files to the USB drive takes a few seconds.



3d. IBM xSeries appliances: How to download service data from the IMM

Administrators who experience hardware issues other than hard disk failures on xSeries appliances should also use the Download Service Data option of the Integrated Management Module (IMM) and submit that service data with the hardware support request, in addition to the DSA report. For this procedure, refer to the following Lenovo link: Download service data option.


3e. Dell appliances: How to open a Dell Hardware Case and Generate logs by using the iDRAC.

Administrators who experience hardware issues on Dell appliances use the integrated Dell Remote Access Controller (iDRAC) card to generate a system report. The administrator can submit the system report to QRadar Support for review. The following content is required in your case for QRadar Support to review a Dell hardware issue.
  1. A description of the hardware issue.
  2. A screen capture or the text of the error message.
A support representative will contact you using your preferred method of contact. If you are not available when you open your ticket, the support representative will leave a message or you can include a secondary contact in your case description. If we require logs or additional information, your ticket will be updated to include further details and the status will change to *Awaiting your Feedback*. If you have questions about this procedure, you can always ask in our forums: ibm.biz/qradarforums.
To generate logs by using the integrated Dell Remote Access Controller (iDRAC) refer to these Dell links:

4. What information should I submit for WinCollect agent issues?

Administrators who experience issues with WinCollect agents should submit the following information with the support ticket.
 
Providing a problem description
  1. A description of the issue, the Windows operating systems involved, and any hostnames or IP addresses that are affected.

    For example:
  • I'm having an issue collecting events from 4 Hyper-V computers with Windows Server 2008 R2. The WinCollect agent name is _____ and the hostnames I'm trying to collect events from are hostA (198.51.100.1), hostB (198.51.100.2), hostC (198.51.100.3), and hostD (198.51.100.4). These Windows systems are in our DMZ.
  • I added 250 log sources by using the log source bulk add feature with WinCollect, and they recently stopped sending events. The last event time is _____. The WinCollect agent name is ____ and the log sources that I want investigated are hostA (198.51.100.1), hostB (198.51.100.2), hostC (198.51.100.3), and hostD (198.51.100.4). Here is a screen capture of the log source configuration.
  • I installed a new WinCollect agent on hostnameX with the command prompt installer, but it did not work. I tried several more times, but the WinCollect agent does not automatically create my log source. Attached is a text file with the installation command I used, see WC_install.txt.
  2. A .zip file that contains the config and logs directories of the WinCollect agent (see the following procedure).
Procedure
  1. Log in to the Windows operating system that hosts the WinCollect agent.
  2. Click Start > All Programs > Administrative tools > Services.
  3. Select the WinCollect service.
  4. Click Stop.
  5. Click Start > All Programs > Accessories > Windows Explorer.
  6. Navigate to the WinCollect installation directory. The default path is C:\Program Files\IBM\WinCollect
  7. To select multiple folders, press Ctrl and select the config and logs folders.
  8. Right-click on one of the selected folders and select Send to > Compressed (zipped) folder.
  9. Click the following URL to open a service request: https://ibm.com/mysupport.
  10. Click New service request and sign in to your IBM ID, if required.
  11. Select I am having a problem with Software.
    Note: The QRadar software team reviews all requests, including hardware-related issues, as a verification step. All QRadar tickets should be opened as software issues.
  12. Attach the log files and provide an explanation of your issue.
  13. Support will contact you using your preferred method of communication.

5. What information should I submit for event pipeline issues?

Run both of the following scripts on the QRadar Console as the root user:

  /opt/qradar/support/findExpensiveCustomProperties.sh
  /opt/qradar/support/findExpensiveCustomRules.sh

The output is written to the directory you ran the scripts from, in the format Custom(Properties|Rules)-{date}-(..).tar.gz. Upload both archives to the case together with the log file collection from section 1.


Document Information

Modified date:
09 March 2021

UID

swg21626887