IBM Support

QRadar Support: Recommended commands to inspect compressed log files for errors

Troubleshooting


Problem

When investigating log files, decompressing rotated logs in QRadar® might result in the logs consuming significant disk space. In this article, we discuss how to use the command line utilities installed in QRadar® to investigate logs for errors without decompressing them.

Resolving The Problem

When viewing compressed log files, it is best to examine the logs without decompressing them. The result is saved disk space and a reduced chance of logs becoming corrupted if logrotate attempts to compress them while you are viewing the decompressed log. The following command line utilities are installed in QRadar® to view compressed logs:
  • zless
  • zgrep
  • zcat
  • zdiff
  • zmore
Using a command with the z prefix is similar to using the same command without the z prefix. For example, searching a log with zless is similar to searching it with the less command. Examples of how to use these command line utilities are provided below.
Note
You need to use SSH and log in to the appliance as the root user to view logs.
zless
Zless is a filter that allows examination of compressed or plain text files one screen at a time. Unlike less, zless does not work with compressed files that are piped to it.
 
  1. Use SSH to log in to the appliance.
  2. Navigate to the directory where logs require inspection or use the full file path with the command.
  3. Type:  zless <compressed_file>
    # zless qradar.log.1.gz
    May  5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] 
    com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotification
    Listener:[INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: 
    Last 60 seconds:1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names: 
    1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
    May  5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] 
    com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000]
    [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
    
    
zgrep
The zgrep command is used to search for patterns in a given file even if it is compressed or gzipped. All options that are used with grep apply to zgrep. This command works best when piped to the more or less command so one page can be viewed at a time. For grep options to use with zgrep, at the command prompt type: man grep
  1. Use SSH to log in to the appliance.
  2. Navigate to the directory where logs require inspection or use the full file path with the command.
  3. Type: zgrep <grep_option> <pattern> <compressed_file> | less
    # zgrep -i ERROR qradar.log.1.gz | less
    May  5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113)
     /console/logon.jsp] org.apache.jsp.logon_jsp: [ERROR] [NOT:0000003000][192.168.0.95
    /- -] [-/- -]An error occurred in the _jspService method for org.apache.jsp.logon_jsp: 
    getAttribute: Session already invalidated
    May  5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113) 
    /console/logon.jsp]    at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke
    (ErrorReportValve.java:47)
    May  5 11:38:12 ::ffff:192.168.0.95 [tomcat.tomcat] [admin@192.168.0.161 (835) /console
    /login] com.q1labs.uiframeworks.auth.LoginEndpoint: [ERROR] [NOT:0000003000][192.168.0.95
    /- -] [-/- -]Problem in LoginEndpoint
    
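As an added example (not part of the IBM article), the shell script below uses zgrep to count and attribute [ERROR] lines across several rotated qradar.log.N.gz files without ever writing a decompressed copy to disk. The log lines and files it creates under a temporary directory are constructed samples that only mirror the format shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example: inspect rotated, compressed qradar logs with zgrep only.
# The sample log lines below are constructed for this example and are not
# taken from a real appliance.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Create two constructed rotated logs, qradar.log.1.gz and qradar.log.2.gz.
make_sample_logs() {
    cat > "$WORKDIR/qradar.log.1" <<'EOF'
May  5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] AssetCache: [INFO] [NOT:0000006000] cache updated
May  5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113) /console/logon.jsp] org.apache.jsp.logon_jsp: [ERROR] [NOT:0000003000] Session already invalidated
May  5 11:38:12 ::ffff:192.168.0.95 [tomcat.tomcat] [admin@192.168.0.161 (835) /console/login] com.q1labs.uiframeworks.auth.LoginEndpoint: [ERROR] [NOT:0000003000] Problem in LoginEndpoint
EOF
    cat > "$WORKDIR/qradar.log.2" <<'EOF'
May  4 09:01:02 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514)] TcpSyslogProvider: [INFO] [NOT:0000006000] read failed, connection reset
May  4 09:05:10 ::ffff:192.168.0.95 [hostcontext.hostcontext] [main] DiskMonitor: [ERROR] [NOT:0000003000] disk usage above threshold
EOF
    gzip -f "$WORKDIR/qradar.log.1" "$WORKDIR/qradar.log.2"
}

# count_errors FILE: number of [ERROR] lines in one compressed log.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps set -e quiet.
count_errors() {
    zgrep -c '\[ERROR\]' "$1" || true
}

# error_components FILE: distinct component tags (the first [...] field,
# e.g. tomcat.tomcat) that logged at ERROR level in one compressed log.
error_components() {
    zgrep '\[ERROR\]' "$1" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p' | sort -u
}

# summarize_errors DIR: one "file count" line per rotated log in DIR, so the
# noisiest rotation can then be opened with zless or zgrep'd in more detail.
summarize_errors() {
    for f in "$1"/qradar.log.*.gz; do
        printf '%s %s\n' "$(basename "$f")" "$(count_errors "$f")"
    done
}

# Stand-alone run: build the samples and print the per-file summary.
make_sample_logs
summarize_errors "$WORKDIR"
```

On an appliance you would point summarize_errors at /var/log (or wherever the rotated logs live) instead of the constructed temporary directory.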
zcat
The zcat command is used for viewing the contents of a compressed file without decompressing it. It expands the compressed file to standard output, allowing the contents to be viewed. This command works best when piped to the more or less command so one page can be viewed at a time.
  1. Use SSH to log in to the appliance.
  2. Navigate to the directory where logs require inspection or use the full file path with the command.
  3. Type: zcat <compressed_file> | less -i
    # zcat qradar.log.1.gz | less -i
    May  5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer]
    com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotification
    Listener: [INFO][NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: 
    Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names:
    1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
    May  5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1]
    com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000]
    [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
    
zdiff
The zdiff command is used to compare the differences between one compressed file and another. All options that are used with diff apply to zdiff. This command works best when piped to the more or less command so one page can be viewed at a time. For diff options to use with zdiff, at the command prompt type: man diff
  1. Use SSH to log in to the appliance.
  2. Navigate to the directory where logs require inspection or use the full file path with the command.
  3. Type: zdiff <zdiff_options> <compressed_file 1> <compressed_file 2> | less
    # zdiff qradar.log.1.gz qradar.log.2.gz | less
    1,208350d0
    < May  5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer]
     com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotification
    Listener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: 
    Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names:
    1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
    < May  5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1]
    com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000]
    [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
    < May  5 11:30:37 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514)
     Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] 
      com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.168.0.95
    /- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.168.0.95
zmore
The zmore utility allows you to view a compressed file, similar to the more command.
  1. Use SSH to log in to the appliance.
  2. Navigate to the directory where logs require inspection or use the full file path with the command.
  3. Type: zmore <compressed_file>
    # zmore qradar.log.1.gz
    ------> qradar.log.1.gz <------
    May  5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] 
    com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdate
    NotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI 
    Cache Listener: Last  60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, 
    Updated IPs/Asset names: 1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events 
    processed since startup ).
    May  5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] com.
    q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000]
    [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
    May  5 11:30:37 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514)
     Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.
    TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO]
     [NOT:0000006000][192.168.0.95/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection 
    reset from 192.168.0.95
    

Document Location

Worldwide


Document Information

Modified date:
27 May 2020

UID

ibm16204037