IBM Support

QRadar: Verify whether an application is installed and the application framework docker container state

Question & Answer


QRadar: How to verify the application framework docker images are installed and running?


The QRadar® applications live in docker containers, and one of the first troubleshooting steps is to determine whether the docker image is installed and its status. 


If the applications are running on the Console, you can see the installed applications containers and the app framework containers in QRadar 7.5.x. 
If you have an App Host in the deployment and that is where the apps are running, run the commands on the App Host to get the installed applications container status.

To see the installed docker images

Example 7.5.x (Console):
# docker images
REPOSITORY                                      TAG                     IMAGE ID            CREATED             SIZ
console.localdeployment:5000/qradar-app-base   2.1.8                   7376168d463b        20 months ago       369MB
Note: If there is no App Host in the deployment, you see on the Console all containers (apps and framework).
Example 7.5.x (App Host):
# docker images
REPOSITORY                               TAG                    IMAGE ID            CREATED             SIZE
console.localdeployment:5000/qapp/1054   2.1.2-20200404154856   0c2ae57ee761        3 weeks ago         473MB
console.localdeployment:5000/qapp/1251   5.0.1-20200404154351   02391967b258        3 weeks ago         395MB
console.localdeployment:5000/qapp/1302   2.2.1-20200404154058   a14464adbfb0        3 weeks ago         551MB
console.localdeployment:5000/qapp/1055   1.1.2-20200404151957   14a1f92759e1        3 weeks ago         401MB

To see the containers status

Example 7.5.x (Console):

# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
c98f591f5ab8        console.localdeployment:5000/qapp/3053:1.3.0-20240123053643    "sh /opt/app-root/bi…"   10 minutes ago      Up 10 minutes>5000/tcp   qapp-3053-qardFrNy

Example 7.5.x (App Host):
# docker ps
CONTAINER ID        IMAGE                                                         COMMAND                  CREATED             STATUS              PORTS                     NAMES

6d0dc553f54b   console.localdeployment:5000/qapp/5101:4.1.14-20231207103959   "sh /opt/app-root/bi…"   About an hour ago   Up About an hour>5000/tcp, :::49155->5000/tcp   qapp-5305-yB2r1ynG
fb61d865b518   console.localdeployment:5000/qapp/5102:4.1.14-20231207105036   "sh /opt/app-root/bi…"   About an hour ago   Up About an hour>5000/tcp, :::49154->5000/tcp   qapp-5154-RvzLQ6mN
e79c22b7e20a   console.localdeployment:5000/qapp/5151:2.0.0-20231027075949    "sh /opt/app-root/bi…"   About an hour ago   Up About an hour>5000/tcp, :::49153->5000/tcp   qapp-5201-UEkR5POK

To further troubleshoot with Recon, see this document: QRadar: How to use recon to troubleshoot QRadar applications.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
11 March 2024