QRadar: Collecting get_logs from the command line interface (

Question & Answer


How can you collect logs from the command line interface (


To collect logs from the command line, root access is required. The utility is available on every version of QRadar and is provided on every QRadar appliance. If you are having issues with a managed host, this utility should be used as a backup when the QRadar user interface is not available.

Steps for generating and collecting get_logs:

  1. Using SSH, log in to the Console appliance (or All-in-One) as the root user.
  2. Type the following command:


    Notes: The script informs you that the log was created and provides the name and the location, which is always the /store/LOGS/ directory.

    For administrators having application or extension issues, use the -a option to collect application logs with your Console log information. For a list of commands that can be run, type:

    /opt/qradar/support/ -h
  3. Copy the tar.bz2 file to a system that has access to an external network to upload your log file.
  4. Log in to the support portal to make a service request - IBM Security QRadar SIEM.
  5. Click Open a new service request - sign in.
  6. Attach the get_log file to the service request ticket for review.



Modified date:
13 November 2018