IBM Support

QRadar: What information should be submitted with an application issue service request

Question & Answer


Question

 What information is needed when logging a Service Request for an application issue with IBM Security QRadar® Support?

Answer

For QRadar® Support to troubleshoot an app issue, submit an initial set of logs and information with your case:
  1. A detailed description of the issue, including a screen capture or any error messages displayed.
  2. A summary of the actions that led to the error message. QRadar Support uses these steps to attempt to recreate the scenario that generated the issue. For example:
    • After an upgrade from QRadar 7.3.2 to 7.4.0, the application will not start.
    • Moved all applications from the Console to a newly installed App Host appliance.
    • Restored a configuration backup and all applications do not function as expected.
  3. Any troubleshooting steps taken by the administrator to resolve the problem. For example:
    • Restarted the application in the QRadar Assistant App and continue to experience issues.
    • Checked the status of all application services and all report active (running).
    • Rebooted the App Host appliance and applications do not display as expected.
  4. Attach the Docker container status output, captured with the command:
      docker ps > docker_output.txt
    For additional information on this command, see How to verify the app docker images are installed and running.
  5. Attach logs from the Console and from the App Host system. For more information, see: user interface instructions or command line interface instructions.

Collect logs from the user interface (UI) for your support case

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the System & License Management icon.
  4. Select all QRadar® appliances that require log collection for your support case. For application cases, select the App Host and the Console as these are the only appliances that run applications.

  5. Select Actions > Collect Log Files.
  6. Select the Include Application Extension Logs check box and the number of days that would cover the issue.
  7. Click Collect Log Files.
  8. Wait for the Console to collect log files from the selected appliances. It might take several minutes for logs to be collected from appliances.
  9. Download the logs from the QRadar Console.
  10. Attach the log file to your support case.

Collect logs from the command line (CLI) for your support case

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Optional. If the problem exists with a managed host, open an SSH session to the non-Console appliance.
  3. To collect logs, type:
      /opt/qradar/support/get_logs.sh -a
    Note: Administrators can use the -h flag to display a help screen with more options.
  4. After the log file is generated, the path and name of the log file are displayed. For example:
      The file /store/LOGS/logs_hostname_date_bc609784.tar.gz (64M) has been created to send to support
  5. Download the file from the QRadar appliance.
  6. Repeat this procedure for other appliances that need logs collected.
  7. Attach the log file from the appliance to your QRadar Support Case.
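
The CLI procedure above, together with the `docker ps` capture from the first list, can be scripted as follows. This is an added example, not IBM's code: the function names and the `case_artifacts.sha256` file are hypothetical, and it assumes `get_logs.sh` writes its completion line to standard output in the format shown in step 4.

```shell
#!/bin/sh
# Added example: scripts the CLI procedure above. Function and file names
# (extract_log_path, collect_case_artifacts, case_artifacts.sha256) are hypothetical.

# Read get_logs.sh output on stdin and print the archive path from the
# completion line, assumed to look like the example in step 4:
#   The file <path>.tar.gz (<size>) has been created to send to support
extract_log_path() {
    sed -n 's|^.*The file \(/[^ ]*\.tar\.gz\) (.*) has been created to send to support.*$|\1|p' |
        tail -n 1
}

# Collect the Docker status and the log archive on the current appliance,
# then record SHA-256 checksums so the files can be verified after download.
collect_case_artifacts() {
    outdir=${1:-.}
    docker ps > "$outdir/docker_output.txt" || return 1
    # tee echoes the script's output to the terminal while it is parsed.
    archive=$(/opt/qradar/support/get_logs.sh -a | tee /dev/stderr | extract_log_path)
    if [ -z "$archive" ] || [ ! -f "$archive" ]; then
        echo "get_logs.sh did not report a readable archive path" >&2
        return 1
    fi
    sha256sum "$archive" "$outdir/docker_output.txt" > "$outdir/case_artifacts.sha256"
    printf '%s\n' "$archive"
}

# Run the collection only when asked to, e.g.: sh collect_case.sh --collect /root
if [ "${1:-}" = "--collect" ]; then
    collect_case_artifacts "${2:-.}"
fi
```

Run it as root on each appliance that needs logs collected. After downloading the files, recompute the SHA-256 values and compare them with `case_artifacts.sha256` before attaching the files to the case.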
     


Document Information

Modified date:
29 May 2020

UID

ibm16190905