IBM Support

QRadar: Collecting get_logs and other information required to resolve a QRadar app case

Question & Answer


Question

What information needs to be submitted specifically with a QRadar app case?

Answer

To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and is provided on every QRadar appliance. A further utility, qappmanager, provides additional information specific to the apps installed in the environment.

Steps for generating and collecting the logs:

  1. Use SSH to log in to the Console appliance (or All-in-One) as the root user.
  2. Enter the following command to generate a get_logs file:
    /opt/qradar/support/get_logs.sh -a

    Notes:
    • For administrators having application or extension issues, use the -a option to collect application logs on your Console and App Host (if one exists). The logs from both hosts are saved under the Console's get_logs output, so only the Console's get_logs output file needs to be uploaded.
    • For a list of options that can be run, enter: /opt/qradar/support/get_logs.sh -h
    • The script informs you that the log was created and provides the name and the location, which is always the /store/LOGS/ directory.

    Example output: (screenshot not reproduced here)
  3. Copy the tar.gz file to a system that has access to an external network to upload your log file.
  4. Enter the following command on your App Host and save the output to a text file:
    docker ps

    Note: If there is not an App Host installed, enter the command on your Console.

    Example output: (screenshot not reproduced here)
  5. Enter the following command on your Console and save the output to a text file:

    /opt/qradar/support/qappmanager

    Notes:
    • This command places you in a menu. To exit the qappmanager menu and return to the normal command prompt, enter 0.
    • This command includes menu output that is not necessary to send to support. Ensure that you include all of the app information that is highlighted by the red box in the example output (screenshot not reproduced here).
  6. Contact support to open a case.
  7. In the case, include a description of the issue (what is happening, when it started, and so on). Attach the get_logs file and the text files containing the docker and qappmanager command outputs to the case for review.
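The following script is an added example and is not an IBM utility: it runs steps 2, 4 and 5 above on a QRadar Console as root and gathers the three artifacts into one directory ready to attach to the case. It assumes the paths named in this article (/opt/qradar/support/get_logs.sh, /opt/qradar/support/qappmanager and /store/LOGS); these can be overridden with environment variables of the same name. It also assumes that feeding "0" on standard input is enough to make qappmanager print its menu and exit, which is an assumption based on the note above rather than documented behaviour; if the menu requires a terminal, run qappmanager by hand and save its output as qappmanager.txt in the bundle directory instead.

```shell
#!/bin/sh
# Added example, not IBM's code. Collect the get_logs archive, docker ps output
# and qappmanager output into one directory for a QRadar app case.
GET_LOGS="${GET_LOGS:-/opt/qradar/support/get_logs.sh}"
QAPPMANAGER="${QAPPMANAGER:-/opt/qradar/support/qappmanager}"
LOGS_DIR="${LOGS_DIR:-/store/LOGS}"

# Print the newest .tar.gz in a directory (get_logs.sh always writes to
# /store/LOGS). Prints nothing and returns 1 when no archive exists.
newest_get_logs() {
    dir="$1"
    newest=$(ls -t "$dir"/*.tar.gz 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Run a command, save its combined output to a text file and append the
# exit status so that a failed command is visible in the attachment.
capture_output() {
    outfile="$1"
    shift
    "$@" > "$outfile" 2>&1
    status=$?
    printf '\n[exit status: %s]\n' "$status" >> "$outfile"
    return "$status"
}

# Assumption: entering 0 exits the qappmanager menu (per the article), so
# feeding "0" on stdin captures the menu output non-interactively.
capture_qappmanager() {
    outfile="$1"
    printf '0\n' | "$QAPPMANAGER" > "$outfile" 2>&1
}

# Verify that a bundle directory holds all three artifacts the case needs.
bundle_complete() {
    dir="$1"
    [ -f "$dir/docker_ps.txt" ] || { echo "missing docker ps output"; return 1; }
    [ -f "$dir/qappmanager.txt" ] || { echo "missing qappmanager output"; return 1; }
    newest_get_logs "$dir" > /dev/null || { echo "missing get_logs archive"; return 1; }
    echo "bundle complete: $dir"
}

# Steps 2, 4 and 5 of the article, run on this host.
collect_case_bundle() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    # Step 2: -a also pulls App Host logs into the Console's archive.
    "$GET_LOGS" -a || return 1
    archive=$(newest_get_logs "$LOGS_DIR") || return 1
    cp "$archive" "$outdir/" || return 1
    # Step 4: docker ps (run on the App Host if one exists, else the Console).
    capture_output "$outdir/docker_ps.txt" docker ps
    # Step 5: qappmanager output from the Console.
    capture_qappmanager "$outdir/qappmanager.txt"
    bundle_complete "$outdir"
}

# Only collect when explicitly asked, e.g.: sh collect_case.sh --run /store/LOGS/case-bundle
if [ "${1:-}" = "--run" ]; then
    collect_case_bundle "${2:-/store/LOGS/case-bundle}"
fi
```

Run it with `--run` and a target directory on the Console; it refuses to report success unless the archive and both text files are present, which is the checklist support asks for in step 7. Copy the resulting directory off the appliance as in step 3.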


Document Information

Modified date:
15 November 2022

UID

ibm10740335