IBM Support

QRadar: Collecting get_logs and other information that is required to resolve application issues.

Question & Answer


Question

QRadar support cases often require logs to investigate and resolve issues. This technical note explains how users can collect and submit information for IBM support cases for applications.

Answer

 

Note: for general QRadar cases (not dealing with QRadar application issues), reference the following guide:

Getting Help: What information should be submitted with a QRadar service request?

How to collect log files from the user interface?

Procedure:
  1. Log in to your QRadar console as an admin.
  2. Click the Admin tab.
  3. Click System and license Management.
  4. Select the QRadar Console and App host appliances to collect logs from the user interface.
    Note: You can use Shift + click or Ctrl + click to get logs from multiple appliances. 
  5. Select Actions > Collect log files


  6. Open the Advanced Options and select the Include Application Extension Logs, Include Debug Logs, Include Setup Logs (Current Version) checkbox, and set Collect Logs for this Many Days to 5. 


  7. Copy the tar.gz file, which is stored in the /store/LOGS/ directory, to a system that has access to an external network so that you can upload your log file.

 

How to collect log files from the command line interface (get_logs.sh)?

To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and can be run on each appliance individually to collect logs. If you are having user interface issues, use this utility as a backup to the QRadar Console for submitting logs for your appliance.

Procedure
  1. SSH to the Console appliance as the root user.
  2. Type the following command:

    /opt/qradar/support/get_logs.sh -Das -q 5

    The script informs you that the log was created and provides the name and the location, which is always the /store/LOGS/ directory. 

    INFO: Gathering install information...
    INFO: Collecting DrQ output...
    INFO: Collecting system files...
    INFO: Collecting old files...
    INFO: Collecting Cert metadata...
    INFO: Collecting thread dumps from running java processes...
    INFO: Collecting database information...
    ...
    INFO: Compressing collected files...
    The file /store/LOGS/logs_apphost_20230713_d290fd0a.tar.gz (16M) has been created to send to support

    For a list of options that can be run, enter the following command. 

    /opt/qradar/support/get_logs.sh -h
  3. Copy the tar.gz file to a system that has access to an external network to upload your log file.
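As an added example, not part of get_logs.sh or any IBM tooling, the following shell functions read the get_logs.sh output shown above, pick out the archive path it reports, and stage a copy together with a SHA-256 manifest so that the file attached to the case can be checked against the one that left the appliance. The /tmp paths in the comments are assumptions.

```shell
#!/bin/bash
# Added example; not part of get_logs.sh or any IBM tooling.
# Reads get_logs.sh output, extracts the archive it reports, and stages a copy
# with a SHA-256 manifest for upload to the support case.

# Print the archive path named in the final "The file ... has been created" line
# of get_logs.sh output read from stdin (nothing is printed if no such line exists).
archive_path_from_output() {
  sed -n 's/^The file \(\/store\/LOGS\/[^ ]*\.tar\.gz\) .*has been created.*/\1/p' | tail -n 1
}

# Verify the archive exists, copy it into a staging directory, and write a
# "<sha256>  <filename>" manifest beside the copy. Prints the manifest line;
# returns 1 if the archive is missing or cannot be copied.
stage_archive() {
  local archive="$1" stage_dir="$2" name
  [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
  name=$(basename "$archive")
  mkdir -p "$stage_dir" && cp -- "$archive" "$stage_dir/$name" || return 1
  (cd "$stage_dir" && sha256sum "$name" | tee "$name.sha256")
}

# Typical use on the Console as root (assumed file names):
#   /opt/qradar/support/get_logs.sh -Das -q 5 | tee /tmp/get_logs.out
#   stage_archive "$(archive_path_from_output < /tmp/get_logs.out)" /tmp/support-case
```

Record the manifest line in the case description; support can then confirm that the uploaded archive is the same file the appliance produced.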

 
How to collect the additional required CLI commands output?
 

ALL-IN-ONE ENVIRONMENT

Enter the following commands on your Console and save the output to a text file.

  1. qappmanager output 
    • Enter the following command on your Console and save the output to a text file.

      /opt/qradar/support/qappmanager

      Note:

      • This command places you in a menu. To exit the qappmanager menu and return to the normal command prompt, enter 0.
      • This command includes a menu output that is not necessary to send to support. Ensure that you include all information listed in the APP DEFINITIONS and the APP INSTANCES sections:

        APP DEFINITIONS (SIO=Single Instance Only, MTS=Multi-tenancy Safe):
         ID   | Name                         | Version | Status    | Installed        | Memory | Instances | SIO | MTS | Errors
        ------------------------------------------------------------------------------------------------------------------------
         1102 | QRadar Assistant             | 3.5.2   | COMPLETED | 2023-04-27 16:38 |    600 |         1 | t   | t   |
         1103 | QRadar Use Case Manager      | 3.7.0   | COMPLETED | 2023-04-27 16:50 |    500 |         1 | f   | f   |
         1151 | QRadar Log Source Management | 7.0.7   | COMPLETED | 2023-05-15 11:56 |    100 |         1 | t   | t   |
        APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
         IID  | DID  | Name                         | Status   | Task Status | Installed        | MHN                     | AHT   | Memory | SP | Errors
        -------------------------------------------------------------------------------------------------------------------------------------------------
         1102 | 1102 | QRadar Assistant             | RUNNING  | COMPLETED   | 2023-04-27 16:38 | qradar-qr750-3199-29271 | LOCAL |    600 |    |
         1103 | 1103 | QRadar Use Case Manager      | RUNNING  | COMPLETED   | 2023-04-27 16:50 | qradar-qr750-3199-29271 | LOCAL |    500 |    |
         1151 | 1151 | QRadar Log Source Management | RUNNING  | COMPLETED   | 2023-05-15 11:56 | qradar-qr750-3199-29271 | LOCAL |    100 |    |
        Total memory used by LOCAL app instances: 1200MB
        
  2. Registry catalog output
    • For QRadar 7.4.2+, run the following command on the Console. 

      curl https://console.localdeployment:5000/v2/_catalog --key /etc/docker/tls/registry/docker-client-registry.key --cert /etc/docker/tls/registry/docker-client-registry.cert
    • For QRadar 7.5.0 UP8+, run the following command on the Console. 

      curl -v https://console.localdeployment:5000/v2/_catalog --key /etc/podman/tls/registry/podman-client-registry.key --cert /etc/podman/tls/registry/podman-client-registry.cert
  3. Certificate verification output.
    • For QRadar 7.4.2+, run the following command on the Console. 

      for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/httpd-qif/tls//httpd-qif.cert | grep -v  /etc/ziptie-server/tls/certs/ziptie-server.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
    • For QRadar 7.5.0 UP8+, run the following command on the Console. 

      for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | grep -v /etc/httpd-qrm/tls/cert.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
  4. Certificate keystore verification output.
    • Enter the following command on your Console and save the output to a text file. 

      /opt/qradar/support/app_keystore_cert_validator.sh 
      
 

APPHOST ENVIRONMENT

Enter the following commands on your Console and save the output to a text file.

  1. qappmanager output 
    • Enter the following command on your Console and save the output to a text file.

      /opt/qradar/support/qappmanager

      Note:

      • This command places you in a menu. To exit the qappmanager menu and return to the normal command prompt, enter 0.
      • This command includes a menu output that is not necessary to send to support. Ensure that you include all information listed in the APP DEFINITIONS and the APP INSTANCES sections:

        APP DEFINITIONS (SIO=Single Instance Only, MTS=Multi-tenancy Safe):
         ID   | Name                         | Version | Status    | Installed        | Memory | Instances | SIO | MTS | Errors
        ------------------------------------------------------------------------------------------------------------------------
         1102 | QRadar Assistant             | 3.5.2   | COMPLETED | 2023-04-27 16:38 |    600 |         1 | t   | t   |
         1103 | QRadar Use Case Manager      | 3.7.0   | COMPLETED | 2023-04-27 16:50 |    500 |         1 | f   | f   |
         1151 | QRadar Log Source Management | 7.0.7   | COMPLETED | 2023-05-15 11:56 |    100 |         1 | t   | t   |
        APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
         IID  | DID  | Name                         | Status   | Task Status | Installed        | MHN                     | AHT   | Memory | SP | Errors
        -------------------------------------------------------------------------------------------------------------------------------------------------
         1102 | 1102 | QRadar Assistant             | RUNNING  | COMPLETED   | 2023-04-27 16:38 | qradar-qr750-3199-29271 | LOCAL |    600 |    |
         1103 | 1103 | QRadar Use Case Manager      | RUNNING  | COMPLETED   | 2023-04-27 16:50 | qradar-qr750-3199-29271 | LOCAL |    500 |    |
         1151 | 1151 | QRadar Log Source Management | RUNNING  | COMPLETED   | 2023-05-15 11:56 | qradar-qr750-3199-29271 | LOCAL |    100 |    |
        Total memory used by LOCAL app instances: 1200MB
        
  2. Registry catalog output
    • For QRadar 7.4.2+, run the following command on the Console. 

      curl https://console.localdeployment:5000/v2/_catalog --key /etc/docker/tls/registry/docker-client-registry.key --cert /etc/docker/tls/registry/docker-client-registry.cert
    • For QRadar 7.5.0 UP8+, run the following command on the Console. 

      curl -v https://console.localdeployment:5000/v2/_catalog --key /etc/podman/tls/registry/podman-client-registry.key --cert /etc/podman/tls/registry/podman-client-registry.cert
  3. Certificate verification output.
    • For QRadar 7.4.2+, run the following command on the Console. 

      for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/httpd-qif/tls//httpd-qif.cert | grep -v  /etc/ziptie-server/tls/certs/ziptie-server.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
    • For QRadar 7.5.0 UP8+, run the following command on the Console. 

      for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | grep -v /etc/httpd-qrm/tls/cert.cert | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
  4. Certificate keystore verification output.
    • Enter the following command on your Console and save the output to a text file. 

      /opt/qradar/support/app_keystore_cert_validator.sh 
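As an added example, not part of qappmanager or any IBM tooling, the following script reads a saved qappmanager output file of the shape shown in the ALL-IN-ONE and APPHOST sections above, flags app instances whose Status is not RUNNING, whose Task Status is not COMPLETED, or that carry an Errors value, and sums the instance Memory column so it can be compared with the "Total memory used" line. The file name qappmanager.txt is an assumption.

```shell
#!/bin/bash
# Added example; not part of qappmanager or any IBM tooling.
# Summarises a saved qappmanager output file (APP DEFINITIONS / APP INSTANCES
# tables, pipe-separated, Errors column last) so unhealthy instances stand out.

# Print one line per APP INSTANCES row that is not RUNNING, whose task is not
# COMPLETED, or that has text in its Errors column:
#   "<IID> <Name> <Status> <Task Status> <Errors or ->"
# Nothing is printed when every instance is healthy.
unhealthy_instances() {
  awk -F'|' '
    /APP INSTANCES/   { in_inst = 1; next }
    /APP DEFINITIONS/ { in_inst = 0 }
    # Data rows have 11 pipe-separated fields; skip the header row and separators.
    in_inst && NF >= 11 && $1 !~ /IID/ {
      for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($4 != "RUNNING" || $5 != "COMPLETED" || $11 != "")
        print $1, $3, $4, $5, ($11 == "" ? "-" : $11)
    }' "$1"
}

# Sum the Memory column (MB) of the APP INSTANCES table. Compare the result with
# the "Total memory used by LOCAL app instances" line and with the memory
# allocated to apps on the host.
instance_memory_mb() {
  awk -F'|' '
    /APP INSTANCES/ { in_inst = 1; next }
    in_inst && NF >= 11 && $1 !~ /IID/ { total += $9 }
    END { print total + 0 }' "$1"
}

# Typical use after saving the qappmanager screen (assumed file name):
#   unhealthy_instances /tmp/qappmanager.txt
#   instance_memory_mb  /tmp/qappmanager.txt
```

Include the flagged lines in the case description: an instance that is RUNNING but whose task is not COMPLETED, or that shows text in Errors, is usually the one support asks about first.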
      

 

Enter the following commands on your app host and save the output to a text file.

  1. Registry catalog output
    • For QRadar 7.4.2+, run the following command on the app host. 

      curl https://console.localdeployment:5000/v2/_catalog --key /etc/docker/tls/registry/docker-client-registry.key --cert /etc/docker/tls/registry/docker-client-registry.cert
    • For QRadar 7.5.0 UP8+, run the following command on the app host. 

      curl -v https://console.localdeployment:5000/v2/_catalog --key /etc/podman/tls/registry/podman-client-registry.key --cert /etc/podman/tls/registry/podman-client-registry.cert
  2. Certificate verification output
    • For QRadar 7.4.2+, run the following command on the app host. 

      for i in $(find /etc/conman/tls /etc/traefik/tls /etc/docker/tls /etc/httpd/conf/certs /etc/pki/ca-trust/source/anchors -type f \( -name "*.cert" -o -name "*.pem" -o -name "*.crt" ! -name si-registry_ca.crt \));do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
    • For QRadar 7.5.0 UP8+, run the following command on the app host. 

      for i in $(/opt/qradar/ca/bin/si-qradarca list -print | grep -v /etc/ziptie-server/tls/certs/ziptie-server.cert | grep -v /etc/httpd-qrm/tls/cert.cert | grep -v /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML.crt | grep -v /opt/qradar/conf/SAMLAuthentication/SP/QRadarSAML_ca.crt | awk -F, '{print $4}' | sort | uniq); do echo $i; openssl verify -CAfile /etc/pki/tls/cert.pem $i; done
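The certificate verification loops in the Console and app host sections above all do the same thing: take the certificate path from the fourth comma-separated field of the si-qradarca listing, drop a few known exceptions, and run openssl verify against /etc/pki/tls/cert.pem. The following added example (not an IBM script) generalises that loop into a report that also flags certificates expiring within a configurable window, which is a common root cause of app registry and keystore errors. It assumes the listing has been saved to a file, that the certificate path is in field 4 as in the page's awk expression, and that the CA bundle is /etc/pki/tls/cert.pem unless CA_BUNDLE is set.

```shell
#!/bin/bash
# Added example; not an IBM script. Generalises the page's
# "for i in $(si-qradarca list -print | ... | awk -F, '{print $4}')" loop into a
# report with chain verification and an expiry check for each certificate.
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/cert.pem}"   # same bundle the page uses
WARN_DAYS="${WARN_DAYS:-30}"                       # assumed warning window

# Unique certificate paths from a comma-separated listing file (field 4), minus
# any paths given as further arguments (the equivalent of the page's grep -v).
cert_paths() {
  local listing="$1"; shift
  local path skip
  awk -F, 'NF >= 4 {print $4}' "$listing" | sort -u | while IFS= read -r path; do
    for skip in "$@"; do [ "$path" = "$skip" ] && continue 2; done
    printf '%s\n' "$path"
  done
}

# Verify one certificate against CA_BUNDLE and check whether it expires within
# WARN_DAYS. Prints "<path> <OK|FAIL> <valid-beyond-Nd|expires-within-Nd>";
# returns 1 when chain verification fails.
check_cert() {
  local cert="$1" status expiry
  if openssl verify -CAfile "$CA_BUNDLE" "$cert" >/dev/null 2>&1; then
    status=OK
  else
    status=FAIL
  fi
  if openssl x509 -in "$cert" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
    expiry="valid-beyond-${WARN_DAYS}d"
  else
    expiry="expires-within-${WARN_DAYS}d"
  fi
  printf '%s %s %s\n' "$cert" "$status" "$expiry"
  [ "$status" = OK ]
}

# Report on every certificate in the listing; returns non-zero if any fails to
# verify. Word-splitting on $(...) matches the page's own loop and assumes the
# certificate paths contain no spaces.
cert_report() {
  local listing="$1"; shift
  local rc=0 path
  for path in $(cert_paths "$listing" "$@"); do
    check_cert "$path" || rc=1
  done
  return $rc
}

# Typical use on the Console as root (assumed file name):
#   /opt/qradar/ca/bin/si-qradarca list -print > /tmp/certs.csv
#   cert_report /tmp/certs.csv /etc/ziptie-server/tls/certs/ziptie-server.cert \
#               /etc/httpd-qrm/tls/cert.cert | tee /tmp/cert-report.txt
```

Attach the report to the case alongside the raw openssl verify output the page asks for; a FAIL or an expires-within line narrows the investigation before support has to read the full get_logs bundle.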

 

Contact support to open a case. In the case, include a description of the issue (what is happening and when it started). Attach the get_logs file and the text files that contain the command outputs for docker/podman and qappmanager to the case for review.

Results: You successfully created a support case with IBM QRadar Support, populated the case with the relevant details and provided a copy of the most recent log files.

 


Document Information

Modified date:
08 September 2023

UID

ibm10740335