IBM Support

QRadar: Collect thread status before restarting services

How To


Summary

Users can use the following commands to quickly record the status of service threads before restarting them.

Objective

When users encounter errors in their system, they can restart services such as ecs-ec-ingress or ecs-ec to try to resolve the problem, but the restart resets the thread counts of these services and deletes information that can be useful for support. If users cannot wait to contact support or run get_logs.sh, they can use threadTop.sh to quickly record the thread information to share with support later.

Steps

Use threadTop.sh to record thread information to a series of files.
  1. SSH into your QRadar console.
  2. (Optional) SSH into the EC or EP you intend to restart.
  3. Run the command for each service you intend to restart:
    1. For ecs-ec-ingress:
      MYDATE=$(date +'%Y%m%d_%H%M'); for i in {1..20}; do 
      /opt/qradar/support/threadTop.sh -p 7787 --full >> /root/ecs-ec-ingress_threads.$MYDATE; 
      done
    2. For ecs-ec statistics:
      MYDATE=$(date +'%Y%m%d_%H%M'); for i in {1..20}; do 
      /opt/qradar/support/threadTop.sh -p 7777 --full >> /root/ecs-ec_threads.$MYDATE; 
      done
    3. For ecs-ep:
      MYDATE=$(date +'%Y%m%d_%H%M'); for i in {1..20}; do 
      /opt/qradar/support/threadTop.sh -p 7799 --full >> /root/ecs-ep_threads.$MYDATE; 
      done
      
    4. For Ariel query or proxy thread information:
      MYDATE=$(date +'%Y%m%d_%H%M'); for i in {1..20}; do 
      /opt/qradar/support/threadTop.sh -p 7782 --full >> /root/ariel_threads.$MYDATE; 
      done
      
  4. Use ls to confirm the files were created. Example output:
    [root@XXX ~]# ls /root
    ecs-ec-ingress_threads.20220928_1544
    ecs-ec-ingress_threads.20220928_1545
    ecs-ec-ingress_threads.20220928_1546
    ecs-ec-ingress_threads.20220928_1547
    ecs-ec-ingress_threads.20220928_1548
    ecs-ec-ingress_threads.20220928_1549
    

Result

Restart the services with systemctl restart. These files are not intended to be analyzed by administrators, but to be shared with support. Remember to move or delete these files when they are no longer needed.
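The per-service loops from the steps, wrapped as one function that also refuses to report success when the capture file is missing or empty, so a failed capture is noticed before the restart wipes the thread state. This is an added example, not IBM's script: the function names and the THREADTOP, OUTDIR and SAMPLES variables are assumptions, while the ports and the `-p PORT --full` invocation are the ones given in the steps.

```shell
#!/bin/sh
# Added example (not part of the IBM article).
# Assumed, overridable settings; defaults mirror the article's commands.
THREADTOP="${THREADTOP:-/opt/qradar/support/threadTop.sh}"
OUTDIR="${OUTDIR:-/root}"
SAMPLES="${SAMPLES:-20}"

# Map the labels used in the article's file names to the ports it lists.
service_port() {
    case "$1" in
        ecs-ec-ingress) echo 7787 ;;
        ecs-ec)         echo 7777 ;;
        ecs-ep)         echo 7799 ;;
        ariel)          echo 7782 ;;   # Ariel query or proxy threads
        *)              return 1 ;;
    esac
}

# collect_threads LABEL -> prints the capture file path on success.
collect_threads() {
    svc="$1"
    port=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 2; }
    [ -x "$THREADTOP" ] || { echo "not executable: $THREADTOP" >&2; return 3; }
    out="$OUTDIR/${svc}_threads.$(date +'%Y%m%d_%H%M')"
    (
        umask 077   # capture file readable and writable by its owner only
        i=0
        while [ "$i" -lt "$SAMPLES" ]; do
            "$THREADTOP" -p "$port" --full >> "$out" \
                || echo "sample $i failed for $svc" >&2
            i=$((i + 1))
        done
    )
    # A missing or empty file means nothing was recorded: do not restart yet.
    [ -s "$out" ] || { echo "capture is empty: $out" >&2; return 4; }
    echo "$out"
}

# Usage, as root on the host being restarted:
#   f=$(collect_threads ecs-ec-ingress) && systemctl restart ecs-ec-ingress
```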

Document Location

Worldwide


Document Information

Modified date:
30 September 2022

UID

ibm16824899