IBM Support

QRadar: Collecting get_logs from the command line interface (get_logs.sh)

Question & Answer


Question

How can you collect logs from the command line interface (get_logs.sh)?

Answer

To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and is provided on every QRadar appliance. If you are having issues with a managed host, this utility should be used as a backup when the QRadar user interface is not available.

Steps for generating and collecting get_logs:

  1. Using SSH, log in to the Console appliance (or All-in-One) as the root user.
     
  2. Type the following command:

    /opt/qradar/support/get_logs.sh

    Notes: The script informs you that the log was created and provides the name and the location, which is always the /store/LOGS/ directory.



    For administrators having application or extension issues, use the -a option to collect application logs with your Console log information. For a list of commands that can be run, type:

    /opt/qradar/support/get_logs.sh -h
     
  3. Copy the tar.bz2 file to a system that has access to an external network to upload your log file.
     
  4. Log in to the support portal to make a service request - IBM Security QRadar SIEM.
     
  5. Click Open a new service request - sign in.
     
  6. Attach the get_logs file to the service request ticket for review.
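Added example, not part of the IBM document: a shell helper for step 3 that picks the newest tar.bz2 in /store/LOGS/, checks that the archive is complete, and writes a SHA-256 file so the copy can be verified on the system used for the upload. The function names and the .sha256 sidecar file are assumptions of this example.

```shell
# Added example: check a get_logs archive before and after copying it.
# /store/LOGS is the location stated on the page; function names and the
# ".sha256" sidecar file are assumptions of this example.

# Print the path of the most recently modified *.tar.bz2 in a directory.
newest_bundle() {
    local dir="${1:-/store/LOGS}" newest="" f
    for f in "$dir"/*.tar.bz2; do
        [ -f "$f" ] || continue            # unmatched glob or not a file
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] || return 1           # no archive found
    printf '%s\n' "$newest"
}

# Verify the archive is intact, then write <bundle>.sha256 beside it.
prepare_bundle() {
    local bundle="$1" name
    name=$(basename "$bundle")
    # bzip2 -t fails on a truncated or corrupt compressed stream.
    bzip2 -t "$bundle" 2>/dev/null || { echo "corrupt archive: $bundle" >&2; return 2; }
    # Listing members catches a valid bzip2 stream that is not a tar file.
    tar -tjf "$bundle" >/dev/null 2>&1 || { echo "unreadable tar: $bundle" >&2; return 3; }
    # Record the bare file name so the check works in any directory.
    ( cd "$(dirname "$bundle")" && sha256sum "$name" > "$name.sha256" )
}

# On the destination system: compare the copied bundle with its sidecar.
verify_copy() {
    local bundle="$1" name
    name=$(basename "$bundle")
    ( cd "$(dirname "$bundle")" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1
}
```

On the Console, run `prepare_bundle "$(newest_bundle)"`, copy the archive together with its .sha256 file, and run `verify_copy` on the copied archive before attaching it to the service request.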


 



 


Document Information

Modified date:
13 November 2018

UID

swg21990777