IBM Support

QRadar: Basic App Troubleshooting Before Opening a QRadar Support Ticket

Troubleshooting


Problem

The procedure in this document outline how administrators can verify the application ID to delete the application from the QRadar API, then reinstall the application in QRadar. These steps are useful when applications cannot be installed or are installed in an error state.

Resolving The Problem


This page outlines important information about the how to Restart, Delete and Reinstall Applications

 

Part 1: How to restart QRadar applications

  1. Log in to QRadar.
  2. From the menu, click Interactive API for developers. The interactive API is displayed. QRadar ships with several API versions, with the latest version being indicated by the highest version number. QRadar Support always recommends using the most recent API vesion  (highest number).
  3. Select the /gui_app_framework endpoint.
  4. Click /applications:
    image-20180710121147-2
  5. Scroll to bottom, click the Try It Out button. The GET command returns the application_id for the application. Optionally, you can use the command line and /opt/qradar/support/qapp_utils730.py to retrieve the application ID.
    image-20180710122002-1
  6. Click /{application_id} that is located under /applications:
    image-20180710133248-4
  7. Click the POST tab.
  8. In the application_id field, type the application id number.
  9. To stop or start your application, type one of the following options:
    1. STOPPED - this value stops the application after you click the Try it Out button.
    2. RUNNING - this value starts the application after you click the Try it Out button.
  10. Verify the response field returned for the command displays 200 (OK).  The response code returned allows you to verify that the command was successfully sent to the QRadar API. This status can be confirmed using the /opt/qradar/support/qapp_utils730.py utility.

    Results
    If you continue to have issues attempting to stop and restart a specific application, you can delete and reinstall the application to determine if this resolves your issue.

 

Part 2. How to delete and reinstall QRadar applications

  1. Log in to QRadar.
  2. From the menu, click Interactive API for developers. The interactive API is displayed. QRadar ships with several API versions, with the latest version being indicated by the highest version number. QRadar Support always recommends using the most recent API vesion  (highest number).
  3. Select the /gui_app_framework endpoint.
  4. Click /applications:
    image-20180710122756-3
  5. Scroll to bottom, click Try It Out! and get the application_id:
    image-20180710122958-5
  6. Click /{application_id} that is located under /applications:
    image-20180710123911-1
  7. Use the DELETE endpoint to delete the app, enter the application_id you retrieved in step 4 and click on try it now.
  8. Go to Admin > Extensions Management on your QRadar UI and delete the APP if it is still there.
  9. Using SSH, log in to your QRadar Console and verify the the /store/qapp directory exists.
  10. If the directory does not exist, create the directory by running the following commands:
          To create the directory, type: mkdir /store/qapp
  11. To set the proper permissions on the directory, type: chown nobody:nobody /store/qapp/
  12. Reinstall the latest version of the application using the Admin tab > Extension Management.
  13. Clear your browser cache and cookies. Attempt to open the application.
    WARNING: The next step outlines the procedure to complete a full deploy, which restart services on all hosts in the QRadar deployment and cause an outage in event and flow collections until services restart. Administrators should consider completing the next step during a scheduled maintenance window.
  14. If the application does not start, administrators can restart services Admin tab > Advanced > Deploy Full Configuration.

 

Results
If the issue wasn't resolved by restarting services, administrators can open a support ticket with IBM QRadar Support. IBM QRadar Support troubleshoots and resolves issues related to the QRadar application framework and issues related to IBM developed applications. For non-IBM applications, see the X-Force App Exchange website to identify the support representative for your specific application. Administrators can also ask questions using the QRadar Customer forums at: https://ibm.biz/qradarforums.

[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
10 July 2018

UID

ibm10716891