IBM Support

QRadar: How to enable the debug log for the QRadar Protocols

How To


Summary

This technote explains how to enable debug logging for QRadar protocols using the script:

/opt/qradar/support/mod_log4j.pl

The script allows support teams to enable debug mode for a specific Java class or logger, collect additional troubleshooting information, and automatically disable debugging after the configured duration.

Debug output is commonly written to:

/var/log/qradar.java.debug

Objective

Debug logging in QRadar provides detailed diagnostic information about log source protocol operations. This enhanced logging captures internal processing details, connection states, data parsing activities, and error conditions that are not visible in standard logs.
 

Steps

Pre-Debug Verification

Before enabling debug logging, it's important to check if a debug file already exists and manage it appropriately.

Step 1: Check for Existing Debug File

SSH to the QRadar system where the log source is configured and check if the debug file exists:

ls -lh /var/log/qradar.java.debug

Expected Output (if file exists):

-rw-r--r-- 1 root root 245M May 07 14:23 /var/log/qradar.java.debug

Expected Output (if file does not exist):

ls: cannot access /var/log/qradar.java.debug: No such file or directory

 

Step 2: Clear the Debug File

Clear the existing debug file to ensure you're capturing only new debug information:

echo " " > /var/log/qradar.java.debug

Verify the file is cleared:

ls -lh /var/log/qradar.java.debug

Expected Output:

-rw-r--r-- 1 root root 2 May 07 14:26 /var/log/qradar.java.debug

 


Enable Debug Steps

1. Identify the logger class

Before enabling debug, confirm the Java class or logger that needs to be debugged.

Example for HTTP Receiver:

 
com.q1labs.semsources.sources.httpreceiver
 
 

List of Logging Classes for Debug

| LOG SOURCE PROTOCOL | CLASS | SECONDARY CLASS |
|---|---|---|
| Akamai Kona RESTAPI | com.q1labs.semsources.sources.akamaikonarestapi | |
| Alibaba Cloud Object Storage Service | com.q1labs.semsources.sources.alibabacos | |
| Alibaba Simple Log Service | com.q1labs.semsources.sources.alibabasls | |
| Amazon AWS REST API | com.q1labs.semsources.sources.amazonawsrest | |
| Amazon Web Services Protocol | com.q1labs.semsources.sources.amazonwebservices | |
| Apache Kafka | com.q1labs.semsources.sources.apachekafka | |
| Ariel REST API | com.q1labs.semsources.sources.arielrestapi | |
| Blue Coat Web Security Service REST API | com.q1labs.semsources.sources.bluecoatwssrestapi | |
| Box REST API | com.q1labs.semsources.sources.boxrestapi | |
| Centrify RedRock RESTAPI Configuration | com.q1labs.semsources.sources.centrifyredrockrestapi | |
| Cisco Duo | com.q1labs.semsources.sources.ciscoduo | |
| Cisco NSEL | com.q1labs.semsources.sources.nsel | |
| Common | com.q1labs.semsources.sources.utils | com.q1labs.semsources.sources.build |
| EMCVMWare | com.q1labs.semsources.sources.vmware | |
| Estreamer | com.q1labs.semsources.sources.estreamer | |
| Google Common | com.q1labs.semsources.sources.googlebase | |
| Google Cloud Pub / Sub | com.q1labs.semsources.sources.google.cloud.pubsub | |
| Google GSuite Activity Reports REST API | com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi | |
| HTTP Receiver | com.q1labs.semsources.sources.httpreceiver | |
| IBM BigFix EDR REST API | com.q1labs.semsources.sources.ibmbigfixedrrestapi | |
| IBM Cloud Object Storage | com.q1labs.semsources.sources.ibmcos.IBMCloudObjectStorageSource | |
| IBM Fiberlink REST API (MaaS360) | com.q1labs.semsources.sources.ibmfiberlinkrestapi | |
| IBM Security Identity Manager (ISIM) | com.q1labs.semsources.sources.ibmsimjdbc | |
| IBM Security ReaQta RESTAPI | com.q1labs.semsources.sources.ibmsecurityreaqtarestapi | |
| IBM Security Verify (old: Cloud Identity) | com.q1labs.semsources.sources.ibmcloudidentityeventservice | |
| IBM SmartCloud Orchestrator | com.q1labs.semsources.sources.ibmsmartcloudorchestratorrestapi | |
| IBM Tivoli Endpoint Manager (Big Fix) | com.q1labs.semsources.sources.temsoap | |
| JDBC | com.q1labs.semsources.sources.jdbc | |
| JDBC Sophos | com.q1labs.semsources.sources.jdbcsophos | |
| JDBC Observe IT | com.q1labs.semsources.sources.observeitjdbc | |
| JDBC Ahnlab Policy Center | com.q1labs.semsources.sources.ahnlabpolicycenterjdbc | |
| JuniperBinary | com.q1labs.semsources.sources.juniperbinary | |
| JuniperNSM | com.q1labs.semsources.sources.JuniperNSM | |
| Logfile Protocol (LFP) | com.q1labs.semsources.sources.hptandem | com.q1labs.semsources.sources.remote |
| Microsoft Azure Event Hubs | com.q1labs.semsources.sources.microsoftazureeventhubs | |
| Microsoft Graphs API | com.q1labs.semsources.sources.microsoftgraphsecurityapi | |
| Microsoft DHCP | com.q1labs.semsources.sources.windowsdhcp | |
| Microsoft IIS | com.q1labs.semsources.sources.windowsiis | |
| MQ JMS | com.q1labs.semsources.sources.mqjms | |
| MSRPC | com.q1labs.semsources.sources.windowseventrpc | |
| Netskope Active Rest API | com.q1labs.semsources.sources.netskopeactiverestapi | |
| Office 365 Message Trace REST API | com.q1labs.semsources.sources.office365messagetracerestapi | |
| Office 365 REST API | com.q1labs.semsources.sources.office365restapi | |
| Okta REST API | com.q1labs.semsources.sources.oktarestapi | |
| OPSEC LEA - Check Point Firewall | com.q1labs.semsources.sources.LEA | |
| Oracle DB Listener | com.q1labs.semsources.sources.oracle | |
| PCAP | com.q1labs.semsources.sources.pcapsyslog | |
| RabbitMQ | com.q1labs.semsources.sources.rabbitmq | |
| Salesforce REST API | com.q1labs.semsources.sources.salesforcerestapi | |
| SAP ETD Alert API | com.q1labs.semsources.sources.sapetdalertapi | |
| SDEE Protocol | com.q1labs.semsources.sources.SDEE | |
| Seculert Protection REST API | com.q1labs.semsources.sources.seculertprotectionrestapi | |
| SMB Tail | com.q1labs.semsources.sources.smbtail | |
| SNMP | com.q1labs.semsources.sources.SNMP | |
| Syslog Redirect | com.q1labs.semsources.sources.SyslogRedirect | |
| TCP Multiline | com.q1labs.semsources.sources.tcpmultilinesyslog | |
| TCP Syslog | com.q1labs.semsources.sources.tcpsyslog | |
| TLS Syslog | com.q1labs.semsources.sources.tlssyslog | |
| UDP Multiline | com.q1labs.semsources.sources.udpmultilinesyslog | |
| VMwarevCloud | com.q1labs.semsources.sources.vcloud | |
| Microsoft Defender for Endpoint (old: Windows Defender ATP RESTAPI) | com.q1labs.semsources.sources.windowsdefenderatprestapi | |
| WindowsEventLog | com.q1labs.semsources.sources.windowseventlog | com.q1labs.semsources.sources.windowsbase |
| WindowsExchange | com.q1labs.semsources.sources.windowsexchange2007 | |
| Windows Event RPC (Windows MSRPC) | com.q1labs.semsources.sources.windowseventrpc | |
| Universal Cloud Rest API | com.q1labs.semsources.sources.universalcloudrestapi | |
 

2. Disable the affected Log Source

Before enabling debug logging, disable the log source from the QRadar Admin Console:

  1. Log in to the QRadar Console
  2. Navigate to Admin > Data Sources > Log Sources
  3. Locate the affected log source
  4. Click the Actions menu (three dots) → Disable
  5. Confirm the action

Why disable first? Disabling the log source ensures that when you re-enable it after activating debug mode, all new activity will be captured with debug logging enabled. This provides a clean start for troubleshooting.


3. Enable debug logging using mod_log4j.pl

SSH to the QRadar appliance and run the mod_log4j.pl command with the appropriate class name:

Syntax:

/opt/qradar/support/mod_log4j.pl -al <class_name> -w <workspace_name>


Example for HTTP Receiver:

/opt/qradar/support/mod_log4j.pl -al com.q1labs.semsources.sources.httpreceiver -w support
 

4. Validate that the debug file is generated

Go to /var/log and check whether the debug file was created or updated:

cd /var/log
ls -l qradar.java.debug
 

You can monitor the file using:

tail -f /var/log/qradar.java.debug

5. Enable the Log Source again and run the test.

Return to the QRadar Admin Console and re-enable the log source:

  1. Navigate to Admin > Data Sources > Log Sources
  2. Locate the disabled log source
  3. Click the Actions menu → Enable
  4. Confirm the action
  5. Run the test

The log source will now start processing events with debug logging enabled.



After collecting sufficient debug information, follow these steps to disable debug logging and preserve the data.

6. Disable debug logging after collecting data

After the required logs are collected, remove the debug configuration:

/opt/qradar/support/mod_log4j.pl -w L2_support -r
 

This removes the temporary debug logger configuration.

Note: It is suggested to disable the debug logging to avoid filling the partition. 
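
The steps above mention preserving the collected data and avoiding a full partition but show no command for either. The following shell helpers are an added example, not IBM-supplied code: the function names, the 80% default threshold, and the destination directory are assumptions. They check partition usage and save a compressed, owner-only copy of the debug file, since the file is created world-readable (-rw-r--r--) and debug output includes connection details.

```shell
#!/bin/sh
# Added example (not part of the technote). Names and thresholds are assumptions.

# Return 0 if the filesystem holding $1 is below $2 percent used (default 80).
partition_has_room() {
    phr_limit=${2:-80}
    # df -P keeps each filesystem on one line; column 5 is the "Capacity" percentage.
    phr_used=$(df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
    [ -n "$phr_used" ] && [ "$phr_used" -lt "$phr_limit" ]
}

# Compress $1 into directory $2 as a timestamped copy readable only by its
# owner, and print the path of the copy. Fails if the source is missing or empty.
preserve_debug_log() {
    pdl_src=$1
    pdl_dir=$2
    [ -s "$pdl_src" ] || { echo "nothing to preserve: $pdl_src" >&2; return 1; }
    [ -d "$pdl_dir" ] || { echo "no such directory: $pdl_dir" >&2; return 1; }
    pdl_out="$pdl_dir/$(basename "$pdl_src").$(date +%Y%m%d-%H%M%S).gz"
    (
        # umask 077 makes the copy 0600 instead of inheriting the source's 0644.
        umask 077
        gzip -c "$pdl_src" > "$pdl_out" || exit 1
        # Record a digest so the copy attached to a support case can be verified.
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$pdl_out" > "$pdl_out.sha256"
        fi
    ) || return 1
    printf '%s\n' "$pdl_out"
}

# Typical use around the steps above (the destination is a placeholder):
#   partition_has_room /var/log || echo "partition is at or above 80% used" >&2
#   preserve_debug_log /var/log/qradar.java.debug /path/to/case-directory
```

Run `partition_has_room` before enabling debug and again while the debug window is open; run `preserve_debug_log` after the debug configuration has been removed so the copy is complete.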

Result:
If you experience issues enabling/disabling the debug logging, please contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
25 May 2026

UID

ibm17272384