Question & Answer
Question
What information does IBM Support require to effectively diagnose app issues in QRadar?
Answer
IBM QRadar support requires the following information to investigate QRadar apps-related issues. The information required depends on whether your system is installed with or without an AppHost.
If you do not have an AppHost installed, follow only the instructions in the section named '1. No AppHost'.
If you have an AppHost installed, follow only the instructions in the section named '2. AppHost Installed'.
1. NO APPHOST
Run the following command on the CONSOLE and attach the generated archive to this case.
/opt/qradar/support/get_logs.sh -a -s -q 5
Also, run the following commands on the CONSOLE and save the output in text file(s) and send to IBM Support for review:
/opt/qradar/support/qappmanager
curl https://console.localdeployment:5000/v2/_catalog --key /etc/docker/tls/registry/docker-client-registry.key --cert /etc/docker/tls/registry/docker-client-registry.cert
conman-support files |grep -i "config"
/opt/qradar/support/recon ps
openssl x509 -in /etc/httpd/conf/certs/cert.cert -text -noout
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
systemctl status docker
systemctl status conman
2. APPHOST INSTALLED
Use the following command to collect get_logs from the QRadar Console:
/opt/qradar/support/get_logs.sh -a -s -q 5
a. Run the following commands on the CONSOLE, save the output in text file(s), and send them to IBM Support for review:
clear; echo '===============================';date; hostname -s; hostname -i; /opt/qradar/bin/myver; echo '===============================';docker images; echo ''; docker ps; echo '';
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
systemctl status docker
systemctl status conman
b. Run the following commands on the AppHost and send the generated output as a text file named 'apphost-output.txt'.
clear; echo '===============================';date; hostname -s; hostname -i; /opt/qradar/bin/myver; echo '===============================';docker images; echo ''; docker ps; echo '';
conman-support files |grep -i "config"
/opt/qradar/support/recon ps
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
systemctl status conman
systemctl status docker
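One way to carry out step b so that error output and exit codes end up in 'apphost-output.txt' as well, written as an added example and not IBM's own script. The function names run_and_log, collect and apphost_commands are hypothetical; the commands themselves are copied from the page.

```shell
#!/bin/sh
# Added example (not IBM code): run each AppHost diagnostic command from step b
# and record its stdout, stderr and exit status in one text file.

# run_and_log OUTFILE COMMAND: append a header, the command's combined output
# and its exit status to OUTFILE. A failing command never stops the collection.
run_and_log() {
    local out="$1" cmd="$2" rc=0
    printf '===== %s =====\n' "$cmd" >>"$out"
    sh -c "$cmd" >>"$out" 2>&1 </dev/null || rc=$?
    printf 'exit status: %d\n\n' "$rc" >>"$out"
}

# collect OUTFILE: read one command per line from stdin and log each in order.
# A newly created OUTFILE is readable by its owner only, because the output
# lists host names, IP addresses, container images and certificate paths.
collect() {
    local out="$1" cmd
    ( umask 077; : >"$out" ) || return 1
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        run_and_log "$out" "$cmd"
    done
}

# The commands of step b as given on the page. 'clear' and the separator echoes
# are left out: they add only terminal control codes and rulers to a file.
apphost_commands() {
    cat <<'EOF'
date; hostname -s; hostname -i; /opt/qradar/bin/myver
docker images; echo ''; docker ps
conman-support files |grep -i "config"
/opt/qradar/support/recon ps
for i in $(/opt/qradar/ca/bin/si-qradarca list -print | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
systemctl status conman
systemctl status docker
EOF
}

# Collect only on a host that has the QRadar tooling installed.
if [ -x /opt/qradar/bin/myver ]; then
    apphost_commands | collect apphost-output.txt
    echo "wrote apphost-output.txt"
fi
```

The commands from step a can be fed to `collect` on the Console in the same way, one command per line on stdin.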
Document Information
Modified date: 08 June 2023
UID: ibm16618687