IBM Support

QRadar: Why qradar.error log file spans a short period of time?

How To


If a qradar.error log file has a life span less than 24 hours it could be a strong indication, that one of the QRadar components is generating enormous number of errors. Resulting in a logrotate issue or an inability to collect the system logs for a longer time period. Extremely severe conditions are when the qradar.error time span covers only a few minutes. Many QRadar administrators are not aware that a persistent issue might be running on their system, concurrently with other problems that they are currently investigating.


To validate the length of the qradar.error time span.


  1. SSH onto the QRadar Console as the root user.
  2. From the command line on the QRadar Console, SSH to the managed host where you want to compute the qradar.error log file time span.
  3. Calculate the qradar.error time span by running the following command.
    QE=/var/log/qradar.error;startDate=$(head -n 1 $QE | awk '{print $1,$2,$3}');epochStart=$(date -d "${startDate}" +"%s");endDate=$(tail -n 1 $QE | awk '{print $1,$2,$3}');epochEnd=$(date -d "${endDate}" +"%s");timeRange=$(echo $startDate '-' $endDate);time_diff=$((epochEnd-epochStart));one_day=86400;year=31556926;if [[ $time_diff -lt 0 ]];then time_diff=${time_diff#-};time_diff=$((year-time_diff));fi
  4. Run the following command to print the result.
    clear;printf "\n";printf "%-40s | %-60s |\n" '     qradar.error time span:' $(date --date="${startDate}" +%B-%d--%H:%M:%S)\ ' : '\ $(date --date="${endDate}" +%B-%d--%H:%M:%S);printf "%-40s | %-60s |\n" ' ' $(($time_diff / 86400 ))\ days\ $((($time_diff % 86400)/3600))\ hours\ $((($time_diff % 3600) / 60))\ minutes\ $(($time_diff % 60))\ seconds;printf "\n\n\n"
  5. The result is presented as follows:
         qradar.error time span:             | November-04--20:01:48  :  February-23--07:00:16                    |
                                             | 110 days 17 hours 47 minutes 14 seconds                            |
    [root@tysm-qr750-3199-27238 ~]#
    If a time span is less than 24 hours, administrators can investigate the contents of the qradar.error log file to determine which component is generating the highest number of errors.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.3.0;7.4.0;7.5.0"}]

Document Information

Modified date:
03 April 2023