IBM Support

QRadar: How to run a Dynamic System Analysis (DSA) report on a PCAP Appliance



The DSA utility is not installed natively on QRadar® PCAP appliances, so PCAP Administrators who experience hardware issues on their PCAP Lenovo Hardware appliances need to download and install the DSA utility in order to gather the DSA logs and submit a report with the hardware support request.


  • For QRadar M4 and M5 appliances, the Lenovo DSA 10.5 utility can be used to collect DSA logs.
  • For QRadar M6 and newer appliances the Lenovo OneCLI utility can be used to collect DSA logs.

Resolving The Problem

  1. Download the software based on your appliance version.
  2. Using PuTTY or equivalent tool, open an SSH session to the PCAP appliance on port 4477.
  3. Run the command:
    mkdir -p /opt/qradar/support
  4. Using WinSCP or equivalent tool and by using port 4477, upload the utility to the PCAP appliance.
    • The DSA bin you downloaded must be uploaded to /opt/qradar/support.
    • The OneCLI rpm file can be uploaded to /tmp.
  5. For M4 or M5 appliances, to install and run the DSA utility:
    • To change to the upload directory, type:
      cd /opt/qradar/support
    • To set permissions on the file, type:
      chmod 755 lnvgy_utl_dsa_dsala7k-10.5_portable_rhel7_x86-64.bin
    • To collect the DSA logs, type:
    • The utility creates a file in /var/log/Lenovo_Support with the machine type, example 7944AC1, Serial Number, and date.xml.gz. For example,  7944AC1_KQ6X8X8_20120927-163515.xml.gz
  6. Install and run the OneCLI utility on an M6 or newer:
    • To install OneCLI, type:
      yum -y install /tmp/lnvgy_utl_lxcer_onecli-<version>_rhel_x86-64.rpm  
      Where <version> is the version number of the OneCLI utility you downloaded.
    • To collect the DSA logs, type:
    • The utility creates a file in /var/log/Lenovo_Support with the machine type, serial number, and a timestamp as an XML file. For example,
  7. Using WinSCP or equivalent tool move the collected log file to your desktop.
  8. Attach the hardware report to your QRadar Support case.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMU35","label":"IBM QRadar Network Packet Capture Software"},"ARM Category":[{"code":"a8m0z000000cwtcAAA","label":"Hardware"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.0;and future releases"}]

Document Information

Modified date:
31 August 2022