IBM Support

QRadar: Review logs for applications errors

Troubleshooting


Problem

The following instructions provide steps to review app logs. Also, you might be asked to provide specific logs to IBM QRadar Support.
Note: When searching a log for an event or issue, there are a few things you can do to help find what you are looking for:
  1. Know the date and time an incident happened. You can search the timestamps in the logs.
  2. Search the pop-up error message if one was provided. For example, the application response codes and their possible causes:

     Response code | Response message                                  | Possible cause
     200, 201      | Success                                           | Your application was created, retrieved, or updated successfully.
     204           | Success                                           | Your application was deleted successfully. A successful application delete returns response code 204 and no content.
     404           | NOT_FOUND - Could not find the resource requested | The application does not exist or was deleted. The application ID might be incorrect.
     500           | SERVER_ERROR - Unexpected internal server error   | The application cannot be installed or updated. The application is stopped but cannot be removed.

     To troubleshoot a 500 SERVER_ERROR:

     • Check that the container is running.
     • Check that your application has all the necessary files and that they are valid.
     • Check that the application runs successfully when you use the SDK.

  3. Search a log by keywords such as warning, failed, error, ERROR, a service name, a hostname, an IP address, or app_framework.

Resolving The Problem

QRadar apps run in Docker containers. Each app has its own set of logs, which can be accessed in two ways:
  1. Connect to the Docker container by using an existing QRadar support script called recon. The following link provides detailed information about recon.

    1. Using SSH, log in to the QRadar Console as the root user.
      Note: The following commands run on the host where the apps are running. If you are running an App Host, you need to SSH to it to run the commands.
    2. List all running apps and their four-digit app IDs (run from the Console or the App Host, if installed).
      # /opt/qradar/support/recon ps
    3. Connect to the app's Docker container.
      # /opt/qradar/support/recon connect <app_id>
    4. Navigate to the logs directory inside the container.
      # cd store/log/
      sh-4.1# ls
      app.log  app.log.1  celery.log  celerybeat.log  gunicorn.log  startup.log  supervisord.log

  2. Access the app log's mount point on the Console or App Host (if installed) directly.

    1. Using SSH, log in to the QRadar Console as the root user.
      Note: The following commands run on the host where the apps are running. If you are running an App Host, you need to SSH to it to run the commands.
    2. List all running apps and their four-digit app IDs (run from the Console or the App Host, if installed).
      # /opt/qradar/support/recon ps
    3. Navigate to the app log's mounted directory.
      # cd /store/docker/volumes/qapp-<app_id>

App logs differ from app to app, depending on the app's functionality and which services (packages) it uses; however, the following common logs can be found in most apps:

app.log
Contains entries written while users perform actions in the app's UI or interact with the running app. Use it to debug UI problems, such as a button that fails when clicked.
# less /store/docker/volumes/qapp-<app_id>/log/app.log
startup.log
Log of the app start-up. It shows errors if RPMs or Python modules failed to install.
# tail /store/docker/volumes/qapp-<app_id>/log/startup.log
poll.log
Log for background processes; useful when background processes have issues.
# more /store/docker/volumes/qapp-<app_id>/log/poll.log
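As an added example (not from this IBM page), the following POSIX shell helper applies the two search tips from the Problem section, a time window and a keyword match, to an app log. The log location, the "YYYY-MM-DD HH:MM:SS,ms" timestamp format and the sample lines are constructed assumptions, not output from a real QRadar app.

```shell
#!/bin/sh
# Added example: filter a QRadar app log by time window and keyword.
# On a real system the file would be something like
#   /store/docker/volumes/qapp-<app_id>/log/app.log
# Here we use a constructed sample so the script runs offline.

# Constructed sample app.log lines (assumed python-style timestamps).
SAMPLE_LOG='2020-05-18 10:14:58,123 INFO app_framework: starting
2020-05-18 10:15:01,456 ERROR app.views: failed to fetch offense 1234: HTTPError 404
2020-05-18 10:15:02,001 WARNING app.poll: retrying in 30s
2020-05-18 10:16:30,777 INFO app.views: request /index 200
2020-05-18 10:17:05,900 ERROR app_framework: service qapp-1005 not responding
2020-05-18 11:02:00,000 INFO app.views: request /index 200'

# search_log FILE START END PATTERN
# Prints lines whose timestamp (date + HH:MM:SS, ignoring milliseconds)
# falls within [START, END] and that match PATTERN (case-insensitive ERE).
# Timestamps compare correctly as strings because of the fixed format.
search_log() {
    file=$1; start=$2; end=$3; pattern=$4
    awk -v s="$start" -v e="$end" '
        { ts = $1 " " substr($2, 1, 8) }   # "YYYY-MM-DD HH:MM:SS"
        ts >= s && ts <= e { print }
    ' "$file" | grep -E -i -- "$pattern"
}

# count_matches FILE START END PATTERN
# Number of lines search_log would print (0 when nothing matches).
count_matches() {
    search_log "$@" | wc -l | tr -d ' '
}

# Materialise the sample so the helpers can be run as-is.
# The temp file is deliberately left in place for follow-up searches.
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

# Incident window around 10:15, keywords from the search tips above.
search_log "$LOGFILE" "2020-05-18 10:15:00" "2020-05-18 10:20:00" \
    'error|failed|app_framework'
```

Replace the constructed file with the real app log path and adjust the window to the incident time; the same keyword list (error, failed, app_framework) is a sensible first pass before narrowing to a service name or hostname.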

Document Location

Worldwide


Document Information

Modified date:
18 May 2020

UID

ibm16189903