How To
Summary
How to retrieve logs and enable debug logging on IBM SOAR QRadar plug-in
Steps
To troubleshoot IBM QRadar SOAR and IBM QRadar integration issues, IBM Support requires the logs generated by the IBM SOAR QRadar plug-in. The plug-in runs within a Docker container on the IBM QRadar instance.
Enable debug logging in the IBM SOAR QRadar plug-in
Enabling debug requires a number of steps, depending on the version of the plug-in installed. Versions other than 5 require more steps to enable debug, while with 5.x debug can be enabled, and the logs downloaded, from within the plug-in UI.
Versions 3.x and 4.x
- Determine the app ID
- Enter the container
- Enable debug
- Restart the plug-in
- Reproduce the problem
Determining the app ID
There are a few ways to determine the app ID.
- Use the qappmanager support utility (/opt/qradar/support/qappmanager)
- Use the recon support utility (/opt/qradar/support/recon ps)
- Open the SOAR app from the IBM QRadar console - Admin page and take note of the app ID in the URL
Entering the container
Once you know where the plug-in is installed and you have the app ID, you can enter the container.
1. Log on to the IBM QRadar appliance as root by using SSH.
2. Use the recon utility:
/opt/qradar/support/recon connect <app-ID>
Version 3.x and 4.x differ: app.config and run_circuits.py are at different paths, so the steps to enable debug differ slightly depending on the version installed. In both cases you:
- Change the app.config
- Restart the plug-in
If app.config is at /store/app.config:
- Edit the file /store/app.config
vi /store/app.config
- Change
loglevel=INFO
to
loglevel=DEBUG
- Save and close
:wq
- Restart the plug-in
pkill -9 -f "python run_circuits.py"
If app.config is at /opt/app-root/store/app.config:
- Edit the file /opt/app-root/store/app.config
vi /opt/app-root/store/app.config
- Change
loglevel=INFO
to
loglevel=DEBUG
- Save and close
:wq
- Restart the plug-in
pkill -9 -f "python /opt/app-root/container/conf/run_circuits.py"
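The same change as a small POSIX shell helper, added here as an example and not part of the IBM technote: it locates app.config in whichever of the two documented layouts is present, rewrites the loglevel key (keeping a .bak copy so DEBUG can be reverted once the logs are collected), and restarts the plug-in. The function names and the single pkill pattern covering both documented command lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM technote): set the plug-in log level in
# app.config from inside the container, whichever of the two documented
# layouts is present. Paths, the loglevel key and run_circuits.py come from
# the page; the function names and the pkill pattern are this example's own.

# Candidate app.config locations documented for the 3.x/4.x containers.
APP_CONFIG_CANDIDATES="/store/app.config /opt/app-root/store/app.config"

# Print the first candidate that exists; fail if neither is present.
find_app_config() {
    for f in $APP_CONFIG_CANDIDATES; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# get_loglevel FILE: print the configured level (empty if the key is absent).
get_loglevel() {
    sed -n 's/^loglevel=//p' "$1" | tail -n 1
}

# set_loglevel FILE LEVEL: rewrite loglevel=... in place (append if missing).
# A FILE.bak copy is kept so DEBUG can be reverted once the logs are gathered;
# writing through cat keeps the file's owner and mode inside the container.
set_loglevel() {
    file=$1; level=$2
    case "$level" in
        DEBUG|INFO) ;;   # the two values the technote documents
        *) echo "unsupported loglevel: $level" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if grep -q '^loglevel=' "$file"; then
        tmp=$(mktemp) || return 1
        sed "s/^loglevel=.*/loglevel=$level/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'loglevel=%s\n' "$level" >> "$file"
    fi
}

# restart_plugin: the page's restart step is pkill -9 of run_circuits.py; one
# pattern on the script name covers both documented command lines (assumption).
restart_plugin() {
    pkill -9 -f 'run_circuits.py'
}

# Typical use inside the container: enable DEBUG, then restart.
# cfg=$(find_app_config) && set_loglevel "$cfg" DEBUG && restart_plugin
```

Run `set_loglevel "$cfg" INFO` (or restore the .bak copy) after the logs are gathered, since DEBUG rotates circuits.log quickly.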
Version 5.x
- In the plug-in UI, check "Enable loglevel DEBUG." See Configuring the QRadar SOAR Plug-in app for further information.
With DEBUG enabled, circuits.log is rotated quickly. Reproduce the problem and gather the logs promptly.
Retrieve logs from IBM SOAR QRadar plug-in
There are various ways to get the logs.
- Download the logs from System and License Management available in the console
- Request a log bundle for your QRadar on Cloud instance
- Collect log files for QRadar from the command-line interface (get_logs.sh)
- Tar the files from the OS
- Downloading IBM QRadar SOAR Plug-in app log and configuration files for v5
Download the logs from System and License Management available in the console
If you choose to use this method, ensure you click Advanced Options and select the check box Include Application Extension Logs.
Request a log bundle for your QRadar on Cloud instance
To include application extension logs in the log bundle, select the Include App Logs checkbox.
Collect log files for QRadar from the command-line interface (get_logs.sh)
/opt/qradar/support/get_logs.sh -a -S -q 10
Tar the files from the OS
Use the app ID to run a command from the console or App Host, depending on where it is installed.
tar -zcvf /tmp/plug-in_logs.tar.gz /store/docker/volumes/qapp-<app-id>/log/*
Replace <app-id> with the actual four-digit ID.
Downloading IBM QRadar SOAR Plug-in app log and configuration files for v5
Related Information
Getting Help: What information should be submitted with a QRadar service reque…
How to collect log files for QRadar support from the user interface
Requesting a log bundle for your QRadar on Cloud instance
How to collect log files for QRadar from the command-line interface (get_logs.s…
QRadar: About the qappmanager support utility
QRadar: How to use Recon to troubleshoot QRadar applications
Document Information
Modified date:
17 April 2023
UID
ibm11160758