Troubleshooting
Problem
When investigating log files, decompressing rotated logs in QRadar® can consume disk space the appliance needs. This article describes how to use the command line utilities installed with QRadar® to investigate compressed logs for errors without decompressing them.
Resolving The Problem
When viewing compressed log files, it is best to examine the logs without decompressing them. This saves disk space and avoids the log becoming corrupted if logrotate attempts to compress it again while you are viewing the decompressed copy. The following command line utilities for viewing compressed logs are installed in QRadar®:
- zless
- zgrep
- zcat
- zdiff
- zmore
Using a command with the z prefix is similar to using the same command without the z prefix. For example, viewing a log with zless is similar to viewing it with the less command. Examples of how to use each of these command line utilities are provided below.
Note
You need to use SSH and log in to the appliance as the root user to view logs.
zless
zless is a filter that allows examination of compressed or plain text files one screen at a time. Unlike less, zless does not work with compressed files that are piped to it.
- Use SSH to log in to the appliance.
- Navigate to the directory where logs require inspection or use the full file path with the command.
- Type: zless <compressed_file>
Example:
# zless qradar.log.1.gz
May 5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names: 1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
May 5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000] [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
zgrep
The zgrep command is used to search for patterns in a given file even if it is compressed (gzipped). All options that are used with grep apply to zgrep. This command works best when piped to the more or less command so that one page can be viewed at a time. For the grep options that can be used with zgrep, at the command prompt type: man grep
- Use SSH to log in to the appliance.
- Navigate to the directory where logs require inspection or use the full file path with the command.
- Type: zgrep <grep_option> <pattern> <compressed_file> | less
Example:
# zgrep -i ERROR qradar.log.1.gz | less
May 5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113) /console/logon.jsp] org.apache.jsp.logon_jsp: [ERROR] [NOT:0000003000][192.168.0.95/- -] [-/- -]An error occurred in the _jspService method for org.apache.jsp.logon_jsp: getAttribute: Session already invalidated
May 5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113) /console/logon.jsp] at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke (ErrorReportValve.java:47)
May 5 11:38:12 ::ffff:192.168.0.95 [tomcat.tomcat] [admin@192.168.0.161 (835) /console/login] com.q1labs.uiframeworks.auth.LoginEndpoint: [ERROR] [NOT:0000003000][192.168.0.95/- -] [-/- -]Problem in LoginEndpoint
zcat
The zcat command is used to view the contents of a compressed file without decompressing it on disk. It expands the compressed file to standard output so that the contents can be viewed. This command works best when piped to the more or less command so that one page can be viewed at a time.
- Use SSH to log in to the appliance.
- Navigate to the directory where logs require inspection or use the full file path with the command.
- Type: zcat <compressed_file> | less -i
Example:
# zcat qradar.log.1.gz | less -i
May 5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names: 1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
May 5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000] [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
zdiff
The zdiff command is used to compare one compressed file to another. All options that are used with diff apply to zdiff. This command works best when piped to the more or less command so that one page can be viewed at a time. For the diff options that can be used with zdiff, at the command prompt type: man diff
- Use SSH to log in to the appliance.
- Navigate to the directory where logs require inspection or use the full file path with the command.
- Type: zdiff <zdiff_options> <compressed_file 1> <compressed_file 2> | less
Example:
# zdiff qradar.log.1.gz qradar.log.2.gz | less
1,208350d0
< May 5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names: 1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
< May 5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000] [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
< May 5 11:30:37 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.168.0.95
zmore
The zmore utility allows you to view a compressed file in the same way as the more command.
- Use SSH to log in to the appliance.
- Navigate to the directory where logs require inspection or use the full file path with the command.
- Type: zmore <compressed_file>
Example:
# zmore qradar.log.1.gz
------> qradar.log.1.gz <------
May 5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] com.q1labs.assetprofile.changelistener.impl.assetnotifications.AssetCacheUpdateNotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: Last 60 seconds: 1 Update messages sent ( New IPs/Asset Names: 0, Updated IPs/Asset names: 1, Deleted IPs/Asset Names: 0 ( 4 IP/Asset Name events processed since startup ).
May 5 11:30:37 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [pool-4-thread-1] com.q1labs.assetprofile.qvm.erule.QvmScanCompleteHandler: [INFO] [NOT:0000006000] [192.168.0.95/- -] [-/- -]QVM Scan Complete Handler scheduled command run
May 5 11:30:37 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514) Protocol Provider Thread: class com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider0] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.168.0.95
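The zgrep procedure above searches one rotated log for a pattern. The following script, added here as an example and not part of the IBM article, builds a small constructed gzipped log in the QRadar format shown above and uses zgrep to count and summarise entries by log level and component without ever writing a decompressed copy to disk. The log lines, the working directory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: triage a rotated QRadar-style log with zgrep only.
# The sample log below is constructed for this example.
set -e

WORKDIR="${TMPDIR:-/tmp}/zgrep_demo.$$"
trap 'rm -rf "$WORKDIR"' EXIT

# Write the constructed sample directly as a gzipped file, so the log only ever
# exists in compressed form, like a rotated qradar.log.N.gz on the appliance.
make_sample_log() {
    mkdir -p "$WORKDIR"
    cat <<'EOF' | gzip -c > "$WORKDIR/qradar.log.1.gz"
May 5 11:30:36 ::ffff:192.168.0.95 [assetprofiler.assetprofiler] [AssetProfilerLogTimer] com.q1labs.assetprofile.AssetCacheUpdateNotificationListener: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]Asset Name UI Cache Listener: 1 Update messages sent
May 5 11:34:28 ::ffff:192.168.0.95 [tomcat.tomcat] [SYSTEM@192.168.0.161 (3113) /console/logon.jsp] org.apache.jsp.logon_jsp: [ERROR] [NOT:0000003000][192.168.0.95/- -] [-/- -]getAttribute: Session already invalidated
May 5 11:38:12 ::ffff:192.168.0.95 [tomcat.tomcat] [admin@192.168.0.161 (835) /console/login] com.q1labs.uiframeworks.auth.LoginEndpoint: [ERROR] [NOT:0000003000][192.168.0.95/- -] [-/- -]Problem in LoginEndpoint
May 5 11:40:01 ::ffff:192.168.0.95 [ecs-ec-ingress.ecs-ec-ingress] [TcpSyslog(0.0.0.0/514)] com.q1labs.semsources.sources.tcpsyslog.TcpSyslogProvider: [INFO] [NOT:0000006000][192.168.0.95/- -] [-/- -]TcpSyslog(0.0.0.0/514) read failed, connection reset from 192.168.0.95
EOF
}

# Count entries at one level ([ERROR], [INFO], ...) in a compressed log.
# zgrep -c prints the count; it exits 1 when the count is 0, which is not an
# error for our purposes, so that status is ignored.
count_level() {   # $1 = level, $2 = compressed log
    zgrep -c "\[$1\]" "$2" || :
}

# List the components (first bracketed field, e.g. tomcat.tomcat) that logged
# at the given level, deduplicated, so an admin sees which service is failing.
components_at_level() {   # $1 = level, $2 = compressed log
    zgrep "\[$1\]" "$2" | sed -n 's/^[^[]*\[\([^]]*\)\].*/\1/p' | sort -u
}

make_sample_log
LOG="$WORKDIR/qradar.log.1.gz"
echo "ERROR entries: $(count_level ERROR "$LOG")"
echo "Components with errors:"
components_at_level ERROR "$LOG"
```

On an appliance, point LOG at /var/log/qradar.log.1.gz (or loop over qradar.log.*.gz) instead of the constructed file.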
Document Information
Modified date:
27 May 2020
UID
ibm16204037