IBM Support

QRadar: How to use IMM to run a preboot Dynamic System Analysis for non-booting appliances (Updated)

Troubleshooting


Problem

My QRadar appliance does not boot. Can I use the IMM to run the Dynamic System Analysis (DSA) utility during the boot phase to collect hardware information for my QRadar appliance?

Cause

A non-booting appliance may be the result of a hardware failure or firmware issue. The Dynamic System Analysis (DSA) utility can create a report for QRadar support to help identify the root cause of the appliance issue. This article includes instructions for both QRadar on-premise appliances and remote appliances.

Environment

 

Resolving The Problem

IBM/Lenovo System X appliances include a built-in system analysis utility that can collect data on the state of the hardware, even if the QRadar system is not able to boot. This feature is known as preboot DSA. To be able to access the preboot DSA feature, you need to be able to interact with your appliance while it is booting. This either requires physical access to the system or if IMM or IMM2 has been configured on the appliance and remote access is available, then a preboot DSA report can be collected from the remote appliance. For more information on configuring IMM, see Technote 1974628: QRadar: Managing QRadar Appliances with IMM.


Procedure
Administrators can use these instructions by physically attaching a crash cart to your appliance or by accessing the remote appliance using an IMM Remote Control session.

  1. Restart the QRadar appliance.
  2. Select F2 to enter diagnostics.
  3. Press ESC to stop memory test if it starts.
  4. After a menu appears, use the arrow keys to select Quit to DSA.
  5. Choose command line option: CMD
  6. Use the relevant option below to attach removable media to the appliance for an output file that is typically under 1MB. The flash drive should be formatted as fat32.
    • Physical Appliance Access: Insert a Fat 32 formatted USB flash drive into a USB port on the appliance.
    • IMM Remote Control: When working from a remote location, the steps below will enable to use Virtual Media feature to mount a USB attached to your own work station:
      1. Insert USB flash drive to your own work station.
      2. In the IMM remote control session, open the Virtual Media settings.
      3. Select the mount option based on your IMM version:

        - For IMM: Select Tools > Launch Virtual Media > Click on the Map check box for the Removable Disk, then click Mount Selected

        - For IMM2: Select Tools > Active > Select Devices to Mount > Click on the Mapped check box for Removable Disk, then click Mount Selected.
      4. Choose Data collection with no other options needed.
      5. Choose NO when prompted to run DSA diagnostics.
      6. After 2 passes complete, exit back to the previous menu.

        Note: The DSA report can sometimes take a long time to start and run, which might appear to administrators that the DSA program is not functioning. However, do not interrupt this process as it can take up to 5 minutes between steps to collect the information and complete the report before writing this to the USB flash drive.
      7. Choose the option copy to local media.
      8. If USB flash drive is not seen, reinsert the USB drive and try again. If the USB flash drive is still not seen by the appliance, try a different USB device.

        Results
        An analysis file for the non-booting appliance is saved to the USB flash device as a {fiename}.xml.gz file. The process of writing the analysis file to the USB drive might take several minutes to complete. The administrator can open a QRadar Support Case to have the preboot log file reviewed. You must attach the analysis file to your case. The preboot analysis file is typically between 500KB and 1MB in size. If your appliance is non-functioning (down), make sure to indicate that your case is opened as Severity 1 or System Down which routes your ticket to the appropriate response team.


 

 

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Hardware","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
19 March 2021

UID

swg21975380

Page Feedback