QRadar: Enabling debug logging on a Disconnected Log Collector

How to enable debug logging on a Disconnected Log Collector (DLC).


More granular log messages are often helpful while troubleshooting. This guide shows how to enable debug logging output, which is useful if you need to raise a support case with IBM.


Before you begin
Note: debug logging writes more messages to the dlc.log file. Therefore, we recommend that you check partition space, as a full disk might cause the DLC service to stop. Also, we don't recommend leaving debug logging enabled for more than 10 - 15 minutes unless the system is being actively monitored.
  1. Log in on your DLC with ssh.
  2. Take a backup of /opt/ibm/si/services/dlc/conf/log4j2.xml.
    cp -vp /opt/ibm/si/services/dlc/conf/log4j2.xml /opt/ibm/si/services/dlc/conf/log4j2.xml.BAK
    ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’ -> ‘/opt/ibm/si/services/dlc/conf/log4j2.xml.BAK’
    -v is for verbose: output is displayed on the screen showing what is happening.
    -p is for preserve: it preserves the mode, ownership and timestamps.
    The backup file has the same ownership, permissions and timestamp as the original file.
    -rw-r-----. 1 root dlc  4409 Mar 28 15:33 log4j2.xml
    -rw-r-----. 1 root dlc  4409 Mar 28 15:33 log4j2.xml.BAK
  3. Edit the file /opt/ibm/si/services/dlc/conf/log4j2.xml.
    vim /opt/ibm/si/services/dlc/conf/log4j2.xml
  4. Find this snippet in the file:
    <RollingFile name="InfoFileAppender" fileName="${APP_LOG_ROOT}/dlc.log" filePattern="${APP_LOG_ROOT}/archive/dlc-%d{MM-dd-yyyy}-%i.log.gz">
               <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
               <RegexFilter regex=".* Health Agent .*" onMatch="DENY" onMismatch="ACCEPT"/>
  5. Change level="INFO" to level="DEBUG".
  6. Also, find this section in the same file:
    <logger name="" level="INFO" additivity="false">
           <AppenderRef ref="InfoFileAppender" />
           <AppenderRef ref="ErrorFileAppender" />
  7. Change level="INFO" to level="DEBUG".
  8. Save the changes and exit the editor.
    Press escape (Esc) followed by :x to save the file.
  9. Restart the DLC service.
    systemctl restart dlc
To revert to the original level of logging:
  1. Copy the backup file over the current file.
    cp -vp /opt/ibm/si/services/dlc/conf/log4j2.xml.BAK /opt/ibm/si/services/dlc/conf/log4j2.xml
    cp: overwrite ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’? y
    ‘/opt/ibm/si/services/dlc/conf/log4j2.xml.BAK’ -> ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’
    You will be prompted to answer Yes to confirm that you want to overwrite the file. Type Y and press Enter.
  2. Restart the DLC service again and verify.
    systemctl restart dlc
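
The two edits in steps 4 to 7 can also be applied and verified without an interactive editor. The following is an added example, not IBM code: the function names set_dlc_log_level and make_sample are hypothetical, and the sample file is constructed from the two snippets above plus assumed closing tags and an assumed ErrorFileAppender body, so it runs without touching a real DLC.

```shell
# Added example, not IBM code. Function names and the sample file are constructed.
# set_dlc_log_level FILE LEVEL  (LEVEL: INFO or DEBUG), i.e. steps 4 to 7 above.
set_dlc_log_level() {
    f=$1 lvl=$2
    case $lvl in INFO|DEBUG) ;; *) echo "unsupported level: $lvl" >&2; return 2 ;; esac
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Change only InfoFileAppender's ThresholdFilter and the logger with name="".
    sed -e '/<RollingFile name="InfoFileAppender"/,/<\/RollingFile>/ s/\(<ThresholdFilter level="\)[A-Z]*"/\1'"$lvl"'"/' \
        -e 's/\(<logger name="" level="\)[A-Z]*"/\1'"$lvl"'"/' "$f" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its mode and ownership are kept.
    cat "$tmp" > "$f" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Verify both edits landed; a non-zero status means the file needs a manual look.
    grep -q "<logger name=\"\" level=\"$lvl\"" "$f" &&
        sed -n '/<RollingFile name="InfoFileAppender"/,/<\/RollingFile>/p' "$f" |
        grep -q "<ThresholdFilter level=\"$lvl\""
}
# Constructed sample: the page's two snippets; closing tags and the
# ErrorFileAppender body are assumptions made for this example.
make_sample() {
    s=$(mktemp) || return 1
    cat > "$s" <<'EOF'
<Configuration>
  <Appenders>
    <RollingFile name="InfoFileAppender" fileName="${APP_LOG_ROOT}/dlc.log" filePattern="${APP_LOG_ROOT}/archive/dlc-%d{MM-dd-yyyy}-%i.log.gz">
      <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="DENY"/>
      <RegexFilter regex=".* Health Agent .*" onMatch="DENY" onMismatch="ACCEPT"/>
    </RollingFile>
    <RollingFile name="ErrorFileAppender" fileName="constructed-error.log" filePattern="constructed-%i.log.gz">
      <ThresholdFilter level="ERROR" onMatch="ACCEPT" onMismatch="DENY"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <logger name="" level="INFO" additivity="false">
      <AppenderRef ref="InfoFileAppender" />
      <AppenderRef ref="ErrorFileAppender" />
    </logger>
  </Loggers>
</Configuration>
EOF
    echo "$s"
}
sample=$(make_sample)
set_dlc_log_level "$sample" DEBUG && grep -n 'level=' "$sample"
rm -f "$sample"
```

On a DLC, the backup in step 2 and the service restart in step 9 still apply around a call to this function.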

