IBM Support

QRadar: Sanitizing logs before opening a support ticket with scrub.pl script

Question & Answer


Question

We protect our IP addresses and are concerned about submitting QRadar logs. Can I sanitize QRadar logs before submitting them for review to IBM?

Answer

Yes, QRadar has a script that administrators can run to help sanitize some information from their log files. Scrub.pl is an option for customers who cannot run and submit get_logs.sh output due to security concerns.

If an administrator cannot run get_logs.sh, then QRadar Support will request that they scrub and submit the following files for troubleshooting purposes:

  • /var/log/qradar.log
  • /var/log/qradar.error
  • /var/log/messages
  • /var/log/qradar-sql.log
 

What information can be scrubbed from log submissions?

The scrub.pl script is located in the /opt/qradar/bin/ directory and is capable of removing the following information from QRadar log files:

  • Usernames
  • IP addresses
  • Domain names
  • Group names
 

How do I use scrub.pl?

To scrub logs of sensitive information, administrators run the script and then review the output file before attaching it to their support ticket, to confirm that the information has actually been removed from the log files.

Procedure

  1. Using SSH, log in to the Console as the root user.
  2. Optional. If the issue is related to a managed host, you should SSH to that appliance from the Console.
  3. Navigate to the /opt/qradar/bin directory.
  4. To scrub a QRadar log file, type the following command:
     ./scrub.pl /var/log/qradar.error /tmp/scrubbedqradar.log

    Where the first path is the file to be scrubbed and the second path is the name of the output file, which has been scrubbed to remove usernames, IP addresses, domain names, and group names.

    When the file has been scrubbed, the following message is displayed: The log file was successfully scrubbed - /tmp/scrubbedqradar.log.
     
  5. Repeat step 4 for the other log files listed above (qradar.log, messages, qradar-sql.log), providing a new output file name for each.
  6. Open a web browser, create a ticket, and attach the scrubbed logs to it: https://ibm.biz/qradarsupport
     
  7. A QRadar support representative will contact you about your support ticket.
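The following shell script runs steps 4 and 5 above for all four files and then performs the review the page asks for before anything is attached to a ticket. It is an added example, not code from the IBM page or from scrub.pl itself; SCRUB, OUT_DIR, TERMS and the output file naming are assumptions, and the review only checks for residual IPv4 addresses and an admin-supplied list of sensitive strings, because usernames and group names have no generic pattern.

```shell
#!/bin/sh
# Added example, not from the IBM page: run scrub.pl over the four files QRadar
# Support asks for, then check each output for residual IPv4 addresses and for an
# admin-supplied list of sensitive strings before it is attached to a ticket.
# SCRUB, OUT_DIR and TERMS are assumed names; scrub.pl's arguments follow the page.
SCRUB="${SCRUB:-/opt/qradar/bin/scrub.pl}"
OUT_DIR="${OUT_DIR:-/tmp/scrubbed}"
TERMS="${TERMS:-}"   # optional file: one domain, user or group name per line

# residual_ips FILE: returns 1 (and reports) if any line still holds a dotted quad.
residual_ips() {
    n=$(grep -Ec '(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9.]|$)' "$1") || n=0
    [ "$n" -eq 0 ] && return 0
    echo "$1: $n line(s) still contain an IPv4 address"
    return 1
}

# residual_terms FILE TERMS: returns 1 if any string listed in TERMS still appears
# (case-insensitive, fixed strings). An empty or missing TERMS file passes.
residual_terms() {
    [ -s "$2" ] || return 0
    n=$(grep -F -c -i -f "$2" "$1") || n=0
    [ "$n" -eq 0 ] && return 0
    echo "$1: $n line(s) still contain a listed sensitive string"
    return 1
}

# scrub_all: steps 4 and 5 of the procedure for every file, one output per input.
# Returns non-zero if any scrub failed or any output still needs manual review.
scrub_all() {
    mkdir -p "$OUT_DIR"; status=0
    for f in /var/log/qradar.log /var/log/qradar.error /var/log/messages /var/log/qradar-sql.log; do
        [ -r "$f" ] || { echo "skipping $f (not readable)"; continue; }
        out="$OUT_DIR/scrubbed-$(basename "$f")"
        "$SCRUB" "$f" "$out" || { echo "scrub.pl failed on $f"; status=1; continue; }
        residual_ips "$out" && residual_terms "$out" "$TERMS" || status=1
    done
    return "$status"
}

# Only run the scrub when invoked as: sh scrub-and-check.sh run
if [ "${1:-}" = "run" ]; then scrub_all; fi
```

A non-zero exit means at least one output file must be inspected by hand (or the term list extended) before it is attached to the ticket.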
Document Information

Modified date: 08 October 2019
UID: swg21676850