How To
Summary
iteam_support.sh is a script that can assist users in general troubleshooting. You can confirm hashes of downloaded DSMs and protocols, troubleshoot performance degradation in the event pipeline, and identify what log source type generated an event based on a QID.
Steps
- SSH into your QRadar console.
- Optional. SSH into the managed host you want to troubleshoot.
- Run the iteam_support.sh utility:
/opt/qradar/support/iteam_support.sh
- Observe the menu.
Result
Select the option you want to run.
Example Uses
The following are some example use cases for the utility.
Check whether managed hosts have a copy of DSMs and protocols
If the Log Source Management app does not display a DSM or protocol, it might be because the Event Processor or Event Collector does not have a copy of the DSM or protocol, because its copy differs from the one on the console, or because the copy is saved in the wrong directory.
- Open the iteam_support.sh utility on the QRadar console.
- Get the detailed information. For DSMs, select option 2, 2, then 2. For protocols, select option 2, 3, then 2. Enter the DSM or protocol name.
Example output. Observe the Release, and the hash and file location on the last line:
Enter DSM RPM Name: DSM-EMCVMWare
Name        : DSM-EMCVMWare
Version     : 7.5
Release     : 20220825173409
Architecture: noarch
Install Date: Wed 09 Nov 2022 03:27:05 PM EST
Group       : Development/Tools
Size        : 4681450
License     : Proprietary.
Signature   : RSA/SHA256, Fri 26 Aug 2022 12:44:03 AM EDT, Key ID f5de79167c677b19
Source RPM  : DSM-EMCVMWare-7.5-20220825173409.src.rpm
Build Date  : Fri 26 Aug 2022 12:44:01 AM EDT
Build Host  : 8c000fe812fa
Relocations : (not relocatable)
Summary     : DSM EMC VMWare Install
Description : This program installs a EMC VMWare DSM plugin.
e7e0062e525632b4fcb7b5478743393e33bb5499 /opt/qradar/jars/plugins/q1labs_sem_dsm_vmware.jar
- Next, view the detailed information from a single managed host. For DSMs, select option 2, 2, then 3. For protocols, select option 2, 3, then 3. Enter the DSM or protocol name, the IP address of the managed host, and the password for that host.
Result
Compare the detailed information. The release must be the same, and so must the hash and file location recorded on the last line. If the release versions differ, update the out-of-date item (the one with the lower number) with yum. If the hash or file location differs, contact support.
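The comparison rule above, as an added example that is not part of iteam_support.sh or any IBM code: two captures of the detail output (constructed here in the same layout as the page's sample, with the managed host deliberately carrying an older release) are reduced to their Release field and their final hash/location line, and the function names release_of, hash_line_of and compare_dsm are this example's own. The 40-hex-digit digest is treated as an opaque string, so the decision only depends on whether it matches.

```shell
#!/bin/sh
# Added example (not IBM's iteam_support.sh): apply the page's rule for comparing
# "Show DSM Detail Information" output from the console with the same output
# captured from a managed host. Release must match, and the last line
# (hash and file location) must match.

# Constructed sample: console copy of the DSM, trimmed to the relevant fields.
CONSOLE_OUT='Name        : DSM-EMCVMWare
Version     : 7.5
Release     : 20220825173409
Architecture: noarch
Summary     : DSM EMC VMWare Install
e7e0062e525632b4fcb7b5478743393e33bb5499 /opt/qradar/jars/plugins/q1labs_sem_dsm_vmware.jar'

# Constructed sample: the managed host still runs an older build of the DSM.
HOST_OUT='Name        : DSM-EMCVMWare
Version     : 7.5
Release     : 20220601120000
Architecture: noarch
Summary     : DSM EMC VMWare Install
0123456789abcdef0123456789abcdef01234567 /opt/qradar/jars/plugins/q1labs_sem_dsm_vmware.jar'

# Print the value of the "Release :" field from one capture.
release_of() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /^Release/ { print $2; exit }'
}

# Print the last line of a capture: the hash followed by the file location.
hash_line_of() {
    printf '%s\n' "$1" | tail -n 1
}

# Decide what the operator should do next. Prints one of:
#   MATCH           release and hash/location agree on both hosts
#   UPDATE_HOST     host release is lower: update the host with yum
#   UPDATE_CONSOLE  console release is lower: update the console with yum
#   CONTACT_SUPPORT same release but the hash or file location differs
#   PARSE_ERROR     a capture has no Release field
compare_dsm() {
    c_rel=$(release_of "$1"); h_rel=$(release_of "$2")
    c_hash=$(hash_line_of "$1"); h_hash=$(hash_line_of "$2")
    if [ -z "$c_rel" ] || [ -z "$h_rel" ]; then
        echo PARSE_ERROR; return 1
    fi
    # Release values are 14-digit timestamps, so a lower number is out of date.
    if [ "$c_rel" != "$h_rel" ]; then
        if [ "$h_rel" -lt "$c_rel" ]; then echo UPDATE_HOST; else echo UPDATE_CONSOLE; fi
    elif [ "$c_hash" != "$h_hash" ]; then
        echo CONTACT_SUPPORT
    else
        echo MATCH
    fi
}

compare_dsm "$CONSOLE_OUT" "$HOST_OUT"
```

Run as-is it prints UPDATE_HOST for the constructed samples; in practice you would paste the two captures from the utility into CONSOLE_OUT and HOST_OUT.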
Troubleshoot performance degradation in the event pipeline
A parsing queue that is full produces a warning like the following:
[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 7159998 event(s) directly to storage. 108482 event(s) have been sent in the last 60 seconds. Queue is at 100 percent capacity.
Use the Collect DSM Performance Data option in the iteam_support.sh menu. The script generates the ecs-mbeans.tgz file in the current directory, with information on events parsed, events unrecognized, and so on listed in dsm.txt. This file can be provided in a support case so that support can identify whether a particular DSM is reducing overall performance.
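The warning above carries two numbers worth watching: the queue fill level and the count of events bypassing parsing in the last 60 seconds. The following added example (not part of iteam_support.sh or any IBM tool) extracts both from log lines; the three lines in SAMPLE_LOG are constructed from the page's warning, with a second, lower-load warning and an unrelated line added, and the function names parse_queue_warnings, queue_saturated and max_queue_percent are this example's own.

```shell
#!/bin/sh
# Added example (not IBM code): pull the parsing-queue fill level and the
# events-sent-directly-to-storage count out of DSMFilter warnings so the
# warning can be triaged before collecting ecs-mbeans.tgz for support.

# Constructed sample log: the page's warning, a milder one, and an unrelated line.
SAMPLE_LOG='[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 7159998 event(s) directly to storage. 108482 event(s) have been sent in the last 60 seconds. Queue is at 100 percent capacity.
[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 7160500 event(s) directly to storage. 502 event(s) have been sent in the last 60 seconds. Queue is at 35 percent capacity.
[ecs-ec.ecs-ec] some unrelated INFO line'

# Print one "<queue_percent> <events_last_60s>" record per DSMFilter queue warning.
# Only lines that are both a DSMFilter WARN and mention queue capacity match.
parse_queue_warnings() {
    printf '%s\n' "$1" | awk '
        /DSMFilter: \[WARN\]/ && /Queue is at [0-9]+ percent capacity/ {
            n = split($0, w, " ")
            for (i = 1; i <= n; i++) {
                # "... at 100 percent capacity." -> the word before "percent"
                if (w[i] == "percent" && w[i+1] ~ /^capacity/) pct = w[i-1]
                # "108482 event(s) have been sent ..." -> the word before "event(s)"
                if (w[i] == "event(s)" && w[i+1] == "have") last60 = w[i-1]
            }
            print pct, last60
        }'
}

# Exit 0 if any warning reports the queue at or above the threshold (default 100).
queue_saturated() {
    threshold=${2:-100}
    parse_queue_warnings "$1" |
        awk -v t="$threshold" '$1 >= t { found = 1 } END { exit found ? 0 : 1 }'
}

# Highest queue fill level seen across all warnings; 0 when there are none.
max_queue_percent() {
    parse_queue_warnings "$1" | awk 'NR == 1 || $1 > m { m = $1 } END { print m + 0 }'
}

parse_queue_warnings "$SAMPLE_LOG"
if queue_saturated "$SAMPLE_LOG"; then
    echo "parsing queue reached $(max_queue_percent "$SAMPLE_LOG") percent: collect DSM performance data"
fi
```

On a real system the same functions can be fed the output of grep over the QRadar log rather than the constructed SAMPLE_LOG; a sustained 100 percent reading with a large last-60-seconds count is the case the page's collection step is meant for.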
Identify what log source type generates an event based on a QID
After you open the iteam_support.sh utility, select option 2, 1, then 1 and provide the QID. The script returns the event and source device information for the event.
All menu options
This list contains all the script's functions, organized as they appear in the menu.
- 1) QidMap Menu
  - 1) Search An Event Based On QID
  - 2) Find An Event Based On EventID
  - 3) Search An Event From A Single Managed Host Based On QID
  - 4) Find An Event From All Managed Hosts Based On QID
  - 5) Search An Event From A Single Managed Host Based On EventID
  - 6) Find An Event From All Managed Hosts Based On EventID
- 2) DSM Menu
  - 1) Search DSM
  - 2) Show DSM Detail Information
  - 3) View DSM Detail Information From A Single Managed Host
  - 4) Show DSM Detail Information From All Hosts
- 3) Protocol Menu
  - 1) Search Protocol
  - 2) Show PROTOCOL Detail Information
  - 3) View PROTOCOL Detail Information From A Single Managed Host
  - 4) Show PROTOCOL Detail Information From All Managed Hosts
- 4) Scanner Menu
  - 1) Search Scanner
  - 2) Show Scanner Detail Information
- 1) Search A Log Source
- 2) Log Source Status
- 3) Log Source Protocol Status
- 4) Log Source Protocol Status From A Single Managed Host
- 1) Collect DSM Performance Data
- 2) Collect Getlog Data
- 3) Enable/Disable Debug
- 6) Quit
Document Location
Worldwide
Document Information
Modified date:
14 November 2022
UID
ibm16828839