Running the recon tool

Use the recon tool to help find and fix IBM® QRadar® app issues, ranging from deployment problems to container environment and networking issues. Because the tool can potentially modify your system, it requires root access to run.

Restrictions:

The recon tool is not available for IBM QRadar on Cloud.

The recon tool is available in QRadar V7.4.0 and later.

Before you begin

You need the latest auto updates bundle to run the recon tool. If auto updates are not enabled, follow these steps:
  1. Download the latest auto updates bundle from Fix Central (https://www.ibm.com/support/fixcentral/).
  2. Install the auto updates bundle by following the instructions in QRadar: How to Manually Install the QRadar Weekly Auto Update Bundle (https://www.ibm.com/support/docview.wss?uid=swg22003034).

About this task

Run the recon tool on the computer where your apps are running, either on the QRadar Console or App Host.

Procedure

To run the recon tool, type the following command:
/opt/qradar/support/recon ps
If no issues are detected, the recon command output might look like the following example:
App-ID  Name              Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
1001    QRadar Assistant  53               apps         qapp-1001     ++  qapp-1001       +++++  5000  ++++

Legend:

Symbols:
n - Not Applicable
- - Failure
* - Warning
+ - Success

Checks:
Service:
A - Service exists in the workload file
B - Service is set to started

Container:
C - Container is in ConMan workload file
D - Container environment file exists
E - Container image is in si-registry
G - Container Systemd Units are started
H - Container exists and is running in Docker

Port:
I - Container IP are in firewall main filter rules
J - Container IP and port is in iptables NAT filter rules
K - Container port has routes through Traefik
L - Container port is responsive on debug path

If a failure is detected, remediation steps are displayed.
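
The following added example (not part of the recon tool or of IBM's documentation) shows how to read the symbol columns: each letter in a column header such as CDEGH lines up with one symbol in the row. It assumes columns are separated by two or more spaces, as in the sample output above; the function names parse_recon_ps and problems are hypothetical, and the row for app 1002 is constructed.

```python
import re

# Check letters and descriptions, copied from the legend on this page.
CHECKS = {
    "A": "Service exists in the workload file",
    "B": "Service is set to started",
    "C": "Container is in ConMan workload file",
    "D": "Container environment file exists",
    "E": "Container image is in si-registry",
    "G": "Container Systemd Units are started",
    "H": "Container exists and is running in Docker",
    "I": "Container IP are in firewall main filter rules",
    "J": "Container IP and port is in iptables NAT filter rules",
    "K": "Container port has routes through Traefik",
    "L": "Container port is responsive on debug path",
}
SYMBOLS = {"+": "success", "-": "failure", "*": "warning", "n": "not applicable"}

# Constructed sample: header and first row from this page; app 1002 is made up.
SAMPLE = """\
App-ID  Name              Managed Host ID  Workload ID  Service Name  AB  Container Name  CDEGH  Port  IJKL
1001    QRadar Assistant  53               apps         qapp-1001     ++  qapp-1001       +++++  5000  ++++
1002    Example App       53               apps         qapp-1002     +-  qapp-1002       +++-*  5000  nnnn
"""

def parse_recon_ps(text):
    """Return {app name: {check letter: status}} from `recon ps` table text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip()) if lines else []
    # A column whose header is made only of check letters holds one symbol per letter.
    groups = [i for i, h in enumerate(header) if set(h) <= set(CHECKS)]
    apps = {}
    for line in lines[1:]:
        cells = re.split(r"\s{2,}", line.strip())
        if len(cells) != len(header) or not cells[0].isdigit():
            continue  # legend or other non-table text
        result = apps.setdefault(cells[header.index("Name")], {})
        for i in groups:
            if len(cells[i]) != len(header[i]):
                raise ValueError(f"column {header[i]}: unexpected value {cells[i]!r}")
            for letter, symbol in zip(header[i], cells[i]):
                result[letter] = SYMBOLS.get(symbol, "unknown")
    return apps

def problems(apps):
    """List (app, check letter, status, description) for failures and warnings."""
    return [(app, letter, status, CHECKS[letter]) for app, result in apps.items()
            for letter, status in result.items() if status in ("failure", "warning")]
```

Calling problems(parse_recon_ps(SAMPLE)) reports checks B, G and H for the constructed app and nothing for QRadar Assistant.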

Results

If the results of the recon command show that an app is not started, you must ensure that the app is set to RUNNING in the API.

You can use the qappmanager support utility. For more information, see https://www.ibm.com/support/pages/qradar-about-qappmanager-support-utility.