Troubleshooting
Problem
journalctl is the command-line tool for querying the systemd journal, a logging service similar to syslog. The journalctl command can be used to display failures or errors from specific services.
Resolving The Problem
Logs collected by systemd can be viewed by using journalctl. The journal is implemented with the journald daemon and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes it easy to review. The log records in the journal are structured and indexed. As a result, journalctl is able to present your log information in various useful formats.
journalctl commands:
- To view boot messages:
journalctl -b
- To view services logs:
journalctl -u <service>
- To view logs with a date range:
journalctl --since "2022-10-29 14:10:10" --until "2022-10-30 14:10:10"
- You can view logs by service within a date range:
journalctl -u <service> --since "2022-10-29 14:10:10" --until "2022-10-30 14:10:10"
- To view a journalctl service log, use the command:
journalctl -u <service name>
Example:
- SSH to the QRadar console and log in as the root user.
- Run the following command:
journalctl -u hostcontext
Example output:
QRadar-primary.example replication[25653]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
QRadar-primary.example replication[25653]: Could not open replication storage directory:
QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
QRadar-primary.example replication[25850]: Using 10.x.x.x as our local IP.
QRadar-primary.example replication[25850]: Parameter 'nva_conf.rep_rpc_call_timeout' is invalid or not set. Using default value: 3600 sec.
QRadar-primary.example replication[25850]: Could not open replication storage directory:
QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:643)
QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.start0(HostContext.java:735)
QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext.access$700(HostContext.java:97)
QRadar-primary.example hostcontext[23142]: at com.q1labs.hostcontext.HostContext$5.run(HostContext.java:912)
QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.
QRadar-primary.example systemd[1]: hostcontext.service failed.
Note: If you run journalctl -u <service name> soon after a restart, the service you are monitoring might show as failed. Allow several minutes for the service to fully start.
The result of using journalctl is that you can look at logs of specific QRadar services or events. This process can simplify searching for issues and isolating problems.
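To triage output like the example above, the following added script (not part of the original IBM document) pairs each unit that systemd reports as failed with the first Java exception logged by the process of the same name. The function names summarize_failures and sample_log are hypothetical, and the sample lines are copied from the example output shown earlier.

```shell
#!/bin/sh
# Added example: summarize journalctl text output.
# Assumes the line shape shown on this page: "<host> <ident>[<pid>]: <message>"
# and the systemd wording "Unit <name>.service entered failed state."

# Sample input, copied from the example output on this page.
sample_log() {
cat <<'EOF'
QRadar-primary.example replication[25850]: Using 10.x.x.x as our local IP.
QRadar-primary.example bandwidthManager.pl[25859]: [WARN] No configuration files found
QRadar-primary.example hostcontext[23142]: java.lang.NumberFormatException: null
QRadar-primary.example hostcontext[23142]: at java.lang.Long.parseLong(Long.java:564)
QRadar-primary.example systemd[1]: hostcontext.service: main process exited, code=exited, status=1/FAILURE
QRadar-primary.example systemd[1]: Unit hostcontext.service entered failed state.
QRadar-primary.example systemd[1]: hostcontext.service failed.
EOF
}

# Reads journal lines on stdin, prints "<unit><TAB><first exception or note>".
summarize_failures() {
  awk '
    {
      # Locate "<ident>[<pid>]: " anywhere, so a timestamp prefix is tolerated.
      if (match($0, /[A-Za-z0-9_.-]+\[[0-9]+\]: /) == 0) next
      ident = substr($0, RSTART, RLENGTH)
      msg = substr($0, RSTART + RLENGTH)
      sub(/\[.*/, "", ident)
    }
    # Keep the first message that starts with a Java exception class name.
    ident != "systemd" && msg ~ /^[A-Za-z0-9_.$]+(Exception|Error)/ && !(ident in exc) {
      exc[ident] = msg
    }
    # systemd reports the unit as failed: emit the unit and what was seen.
    ident == "systemd" && msg ~ /^Unit .*\.service entered failed state\.$/ {
      unit = msg
      sub(/^Unit /, "", unit)
      sub(/\.service entered failed state\.$/, "", unit)
      printf "%s\t%s\n", unit, ((unit in exc) ? exc[unit] : "no exception logged")
    }
  '
}

# Run against the embedded sample. On a live host, pipe real output instead:
#   journalctl -u hostcontext --no-pager | summarize_failures
sample_log | summarize_failures
```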
Document Location
Worldwide
Document Information
Modified date:
13 July 2023
UID
ibm11075089