IBM Support

QRadar®: How to enable Debug logging for WinCollect on the QRadar managed host

How To


Summary

Enabling debug logging on QRadar for WinCollect.

Objective

This document helps you troubleshoot WinCollect issues by enabling more granular DEBUG logging on your QRadar managed host. Debug logging is useful for issues with:
  • Agent registration
  • Log source creation (during the installation of the agent)
  • Agent configuration
  • Log source updating
  • Agent upgrading (Managed mode)

Steps

  1. Log in to your QRadar Console.
  2. Optional: SSH to the managed host you defined as the configurationServer for the WinCollect agent.
  3. Three classpaths need to be set to DEBUG logging. These classpaths normally exist on any QRadar host; if the WinCollect version on QRadar is an old version, you have to add these classpaths manually (see step 6).
    • com.q1labs.aleremotemanagement
    • com.q1labs.sem.semsources.wincollectconfigserver
    • com.q1labs.core.ui.servlet.WinCollect
  4. The script to enable DEBUG logging for any classpath is: /opt/qradar/support/mod_log4j.pl
    If you are not familiar with all the attributes (-h for help), you can run this command, and it shows you whether the classpaths are already available or not:
    /opt/qradar/support/mod_log4j.pl -l | egrep "com.q1labs.aleremotemanagement|com.q1labs.sem.semsources.wincollectconfigserver|com.q1labs.core.ui.servlet.WinCollect"
    Sample output:
    10   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.aleremotemanagement
    17   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.core.ui.servlet.WinCollect
    28   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.sem.semsources.wincollectconfigserver
  5. To change "INFO" to "DEBUG", use the -ml (modify logger) attribute. Note the number at the beginning of each line in the output above; that logger ID is used in the next command and differs between hosts. The last value (3) is the level value for DEBUG. To limit how long debug logging stays enabled, use the -duration attribute.
    This command changes the first classpath from "INFO" to "DEBUG":
    /opt/qradar/support/mod_log4j.pl -who yourName -ml 10 3 -duration 30min
    To change all three classpaths at once, you can chain these commands:
    /opt/qradar/support/mod_log4j.pl -who yourName -ml 10 3 -duration 30min;/opt/qradar/support/mod_log4j.pl -who yourName -ml 17 3 -duration 30min;/opt/qradar/support/mod_log4j.pl -who yourName -ml 28 3 -duration 30min
  6. OPTIONAL: If you have an old version of WinCollect (for example 7.2.7 and older) and the three classpaths don't exist, you can add them like this:
    /opt/qradar/support/mod_log4j.pl -who yourName -al com.q1labs.aleremotemanagement; /opt/qradar/support/mod_log4j.pl -who yourName -al com.q1labs.core.ui.servlet.WinCollect; /opt/qradar/support/mod_log4j.pl -who yourName -al com.q1labs.sem.semsources.wincollectconfigserver
  7. Reload the config server protocol once:
     touch /opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_WinCollectConfigServerProtocol.jar
  8. The debug output is in /var/log/qradar.java.debug.
  9. To manually revert logging to default:
    /opt/qradar/support/mod_log4j.pl -who yourName -r
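The procedure above as one script, added here as an example and not IBM's own tooling: it reads the logger IDs from the mod_log4j.pl -l listing instead of assuming 10, 17 and 28 (they vary between hosts), adds a classpath that is missing, sets the existing ones to DEBUG for a limited duration, and touches the config server jar once. The embedded listing is a constructed sample used when the script is not present; DRY_RUN, WHO and DURATION are variables of this example, not mod_log4j.pl options.

```shell
#!/bin/sh
# Added example, not IBM's script: resolve the log4j logger IDs of the three
# WinCollect classpaths from `mod_log4j.pl -l` output instead of hardcoding
# 10/17/28 (IDs differ per host), then set each to DEBUG (level 3) for a limited time.
MOD_LOG4J=/opt/qradar/support/mod_log4j.pl
WHO=${WHO:-yourName}
DURATION=${DURATION:-30min}
CLASSPATHS="com.q1labs.aleremotemanagement com.q1labs.sem.semsources.wincollectconfigserver com.q1labs.core.ui.servlet.WinCollect"
CONFIG_JAR=/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_WinCollectConfigServerProtocol.jar

# Constructed sample of `mod_log4j.pl -l` output; used when the script is absent.
SAMPLE_LIST='10   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.aleremotemanagement
17   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.core.ui.servlet.WinCollect
28   INFO      SyslogPortAppender,SyslogPortAppenderNotification  com.q1labs.sem.semsources.wincollectconfigserver'

# logger_id LIST CLASSPATH: numeric id of the exact classpath match, empty if absent.
# Matching the whole last field avoids substring hits that an egrep pattern can give.
logger_id() {
    printf '%s\n' "$1" | awk -v cp="$2" '$NF == cp { print $1; exit }'
}

# run ARGS...: invoke mod_log4j.pl, or only print the command when DRY_RUN=1 or the script is absent.
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$MOD_LOG4J" ]; then
        echo "+ $MOD_LOG4J $*"
    else
        "$MOD_LOG4J" "$@"
    fi
}

# Steps 4-7: add a missing classpath (old WinCollect; re-run afterwards so its new
# id is set to DEBUG), set the others to DEBUG, then touch the config server jar once.
enable_wincollect_debug() {
    if [ -x "$MOD_LOG4J" ]; then list=$("$MOD_LOG4J" -l); else list=$SAMPLE_LIST; fi
    for cp in $CLASSPATHS; do
        id=$(logger_id "$list" "$cp")
        if [ -z "$id" ]; then
            run -who "$WHO" -al "$cp"
        else
            run -who "$WHO" -ml "$id" 3 -duration "$DURATION"
        fi
    done
    if [ -f "$CONFIG_JAR" ]; then touch "$CONFIG_JAR"; fi
}

# Step 9: revert all loggers to their defaults.
revert_wincollect_debug() { run -who "$WHO" -r; }
```

Run with DRY_RUN=1 first to see the exact mod_log4j.pl commands it would issue, then without it on the managed host.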


Document Information

Modified date:
06 May 2021

UID

ibm16426883