IBM Support

QRadar: Verify whether an application is installed and the application framework docker container state

Question & Answer


Question

QRadar: How to verify the application framework docker images are installed and running?

Cause

The QRadar® applications live in docker containers, and one of the first troubleshooting steps is to determine whether the docker image is installed and what its status is.

Answer

If the applications are running on the Console, you see both the installed application containers and the app framework containers. In QRadar 7.4.x, 7.3.3 or 7.3.2, the framework containers are si-registry or centos-base. More framework containers are listed for QRadar 7.3.1 and earlier versions, such as qoauth, mesos-consul, and nginx-consul.
If you have an App Host in the deployment, run the commands on both hosts: on the Console to get the status of the application framework containers, and on the App Host to get the status of the installed application containers.

To see the installed docker images

Example 7.4.x (Console):
 
# docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED             SIZE
registry                                   2.6.2               d1fd7d86a825        2 years ago         33.3MB
console.localdeployment:5000/centos-base   6.9.10              0cde497470ba        9 months ago        326MB

Note: If there is no App Host in the deployment, you see all containers (apps and framework) on the Console.

Example 7.4.x (App Host):
 
# docker images
REPOSITORY                               TAG                    IMAGE ID            CREATED             SIZE
console.localdeployment:5000/qapp/1054   2.1.2-20200404154856   0c2ae57ee761        3 weeks ago         473MB
console.localdeployment:5000/qapp/1251   5.0.1-20200404154351   02391967b258        3 weeks ago         395MB
console.localdeployment:5000/qapp/1302   2.2.1-20200404154058   a14464adbfb0        3 weeks ago         551MB
console.localdeployment:5000/qapp/1055   1.1.2-20200404151957   14a1f92759e1        3 weeks ago         401MB

To see the containers status

Example 7.4.x (Console):
 
# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
957a95f2af78        registry:2.6.2      "/entrypoint.sh /con…"   3 weeks ago         Up 3 weeks                              si-registry

Example 7.4.x (App Host):
 
# docker ps
CONTAINER ID        IMAGE                                                         COMMAND                  CREATED             STATUS              PORTS                     NAMES
d53fca478ec0        console.localdeployment:5000/qapp/1055:1.1.2-20200404151957   "sh /start_container…"   2 weeks ago         Up 2 weeks          0.0.0.0:32782->5000/tcp   qapp-1055-wcttZ599
4f19574aa3d8        console.localdeployment:5000/qapp/1302:2.2.1-20200404154058   "sh /start_container…"   3 weeks ago         Up 3 weeks          0.0.0.0:32780->5000/tcp   qapp-1302-FodNmXW1
3a8f7dbc8001        console.localdeployment:5000/qapp/1055:1.1.2-20200404151957   "sh /start_container…"   3 weeks ago         Up 3 weeks          0.0.0.0:32775->5000/tcp   qapp-1055-J46bN0Gw
16bb4abfd25c        console.localdeployment:5000/qapp/1251:5.0.1-20200404154351   "sh /start_container…"   3 weeks ago         Up 3 weeks          0.0.0.0:32772->5000/tcp   qapp-1251-i2TSuM8H
a96c72998be9        console.localdeployment:5000/qapp/1054:2.1.2-20200404154856   "sh /start_container…"   3 weeks ago         Up 3 weeks          0.0.0.0:32770->5000/tcp   qapp-1054-i7HQA9QY
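
The status check above can be scripted. The following shell functions are an added example, not IBM code and not part of the original document: they read the name and status columns of docker ps -a and report stopped containers, running instances per application ID, and whether a framework container such as si-registry is up. The function names and the sample data (including the Exited line) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Input is what this command prints on a live host:
#   docker ps -a --format '{{.Names}}\t{{.Status}}'
# that is: container name, a tab, then the status text.

# Constructed sample. Names follow the pattern shown on this page; the
# "Exited" line is invented to represent a stopped application container.
SAMPLE="$(printf '%s\t%s\n' \
    si-registry        'Up 3 weeks' \
    qapp-1055-wcttZ599 'Up 2 weeks' \
    qapp-1055-J46bN0Gw 'Exited (137) 2 days ago' \
    qapp-1302-FodNmXW1 'Up 3 weeks')"

# Print the name of every container whose status does not start with "Up".
not_running() {
    awk -F '\t' '$2 !~ /^Up/ { print $1 }'
}

# Print "<app id> <running count>" for each application ID, where the ID is
# the NNNN in qapp-NNNN-suffix. Apps with no running container show 0.
running_per_app() {
    awk -F '\t' '
        $1 ~ /^qapp-[0-9]+-/ {
            split($1, p, "-"); seen[p[2]] += 0
            if ($2 ~ /^Up/) seen[p[2]]++
        }
        END { for (id in seen) print id, seen[id] }' | sort -n
}

# Succeed only if the named framework container is listed and Up.
framework_up() {
    awk -F '\t' -v n="$1" '$1 == n && $2 ~ /^Up/ { ok = 1 } END { exit !ok }'
}

# Demo on the constructed sample. On a live host, pipe the docker ps
# command from the header comment into the same functions instead.
printf '%s\n' "$SAMPLE" | not_running
```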

To manage the state of a container

In certain situations, you might want to stop, start or restart just one container. To restart a container, you must know the name of the container, which is found by using the docker ps command. To change the status of a container, use the docker command. For example, docker [stop|start|restart] <container_name>.
Procedure
  1. Use SSH to log in to the QRadar Console as the root user.
  2. If your apps run on an App Host appliance, open an SSH session to the App Host.
  3. Run the command to stop, start, or restart the container:

    # docker stop qapp-1055-wcttZ599
    qapp-1055-wcttZ599

    # docker start qapp-1055-wcttZ599
    qapp-1055-wcttZ599

    # docker restart qapp-1055-wcttZ599
    qapp-1055-wcttZ599
  4. To display the running processes of a container:
     
    # docker top si-registry
    UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
    root                5420                5363                0                   18:31               ?                   00:00:00            registry serve /config/config.yaml

To troubleshoot an application container, see this document: QRadar: How to use recon to troubleshoot QRadar applications.

Document Information

Modified date:
03 November 2021

UID

ibm16191187