Question & Answer
If an administrator cannot run get_logs.sh, QRadar Support will ask them to scrub and submit individual log files (for example /var/log/qradar.error, error.log, messages, and qradar-sql.log) for troubleshooting purposes.
What information can be scrubbed from log submissions?
The scrub.pl script is located in the /opt/qradar/bin/ directory and is capable of removing the following information from QRadar log files:
- Usernames
- IP addresses
- Domain names
- Group names
How do I use scrub.pl?
To scrub logs of sensitive information, administrators run the script against each log file and then review the scrubbed output before attaching it to their support ticket, to confirm that the information has actually been removed.
1. Using SSH, log in to the Console as the root user.
2. Optional. If the issue is related to a managed host, SSH from the Console to that appliance.
3. Navigate to the /opt/qradar/bin directory.
4. To scrub a QRadar log file, type the following command, where the first path is the file to be scrubbed and the second path is the name of the output file with usernames, IP addresses, domain names, and group names removed:
   ./scrub.pl /var/log/qradar.error /tmp/scrubbedqradar.log
   When the file has been scrubbed, the following message is displayed: The log file was successfully scrubbed - /tmp/scrubbedqradar.log.
5. Repeat step 4 for the other log files (error.log, messages, qradar-sql.log), providing a new output file name for each.
6. After reviewing the scrubbed files, open a web browser, open a ticket at https://ibm.biz/qradarsupport, and attach the scrubbed logs to your ticket.
7. A QRadar Support representative will contact you about your support ticket.
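The review in step 4 is easy to skip when several files are involved. The script below is an added example (not from this technote or from IBM) that wraps the procedure: it runs scrub.pl over the files you name, writes each result under /tmp/scrubbed, and then greps the output for anything that still looks like an IPv4 address or matches a list of known-sensitive strings (your internal domain, privileged account names) supplied in the SCRUB_TERMS environment variable. The `<input> <output>` calling convention of scrub.pl is taken from the technote; the output directory, the SCRUB_TERMS variable, and the two check functions are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not part of the IBM technote. Assumes /opt/qradar/bin/scrub.pl
# takes "<input> <output>" as shown in the procedure; the output directory,
# SCRUB_TERMS and the two check functions are this script's own additions.

SCRUB=/opt/qradar/bin/scrub.pl
OUTDIR=/tmp/scrubbed

# Return 0 when no IPv4-looking token remains in the file, 1 otherwise (the
# first hits are printed). The pattern is deliberately broad, so dotted
# version strings will be flagged as well: review the hits, do not just count.
check_no_ipv4() {
  local file="$1"
  local pattern='([0-9]{1,3}\.){3}[0-9]{1,3}'
  if grep -Eq "$pattern" "$file"; then
    grep -En "$pattern" "$file" | head -n 5
    return 1
  fi
  return 0
}

# Return 0 when none of the given fixed strings (internal domain, admin
# account names, ...) remain in the file, matched case-insensitively; 1 otherwise.
check_no_terms() {
  local file="$1"; shift
  local term found=0
  for term in "$@"; do
    if grep -Fiq -- "$term" "$file"; then
      echo "still present in $file: $term"
      grep -Fin -- "$term" "$file" | head -n 3
      found=1
    fi
  done
  return "$found"
}

# Scrub one file into OUTDIR and run both checks on the result.
scrub_and_check() {
  local src="$1"; shift
  local dst="$OUTDIR/$(basename "$src").scrubbed"
  "$SCRUB" "$src" "$dst" || { echo "scrub.pl failed on $src" >&2; return 1; }
  check_no_ipv4 "$dst" && check_no_terms "$dst" "$@"
}

# Usage: SCRUB_TERMS="example.internal admin" ./scrub_logs.sh run /var/log/qradar.error ...
# Only runs when invoked with "run", so the functions can be sourced on their own.
if [ "${1:-}" = "run" ]; then
  shift
  mkdir -p "$OUTDIR"
  status=0
  for src in "$@"; do
    [ -r "$src" ] || { echo "skipping $src (not readable)" >&2; continue; }
    # SCRUB_TERMS is intentionally unquoted: each whitespace-separated word is one term.
    scrub_and_check "$src" $SCRUB_TERMS || status=1
  done
  exit "$status"
fi
```

A non-zero exit means at least one output file still needs attention before it is attached to the ticket. The IPv4 check is a safety net, not a second scrubber: it does not cover IPv6 addresses or hostnames, so put your own domain and account names into SCRUB_TERMS and still read through the files, as the procedure asks.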
08 October 2019