IBM Support

MustGather: How to retrieve logs and enable debug logging on IBM SOAR QRadar plug-in

How To


Summary

How to retrieve logs and enable debug logging on IBM SOAR QRadar plug-in

Steps

To troubleshoot IBM QRadar SOAR and IBM QRadar integration issues, IBM Support requires the logs generated by the IBM SOAR QRadar plug-in. The plug-in runs within a Docker container on the IBM QRadar instance.

Enable debug logging in the IBM SOAR QRadar plug-in

The steps needed to enable debug logging depend on the version of the plug-in installed. Versions 3.x and 4.x require several manual steps inside the container, while in 5.x debug logging can be enabled, and the logs downloaded, from within the plug-in UI.

Versions 3.x and 4.x

  1. Determine the app ID
  2. Enter the container
  3. Enable debug
  4. Restart the plug-in
  5. Reproduce the problem

Determining the app ID

There are a few ways to determine the app ID.

  1. Use the qappmanager support utility (/opt/qradar/support/qappmanager)
  2. Use the recon support utility (/opt/qradar/support/recon ps)
  3. Open the SOAR app from the IBM QRadar console - Admin page and take note of the app ID in the URL

Entering the container

Once you know where the plug-in is installed and you have the app ID, you can enter the container.

  1. Log on to the IBM QRadar appliance as root by using SSH.
  2. Use the recon utility.
    /opt/qradar/support/recon connect <app-ID>

Enabling debug

Versions 3.x and 4.x use different paths inside the container, so the steps to enable debug differ slightly depending on the version installed.

  1. Change the app.config
  2. Restart the plug-in

Version 3.x

  1. Edit the file /store/app.config
    vi /store/app.config
  2. Change
    loglevel=INFO
    To
    loglevel=DEBUG
  3. Save and close
    :wq
  4. Restart the plug-in
    pkill -9 -f "python run_circuits.py"

Version 4.x

  1. Edit the file /opt/app-root/store/app.config
    vi /opt/app-root/store/app.config
  2. Change
    loglevel=INFO
    To
    loglevel=DEBUG
  3. Save and close
    :wq
  4. Restart the plug-in
    pkill -9 -f "python /opt/app-root/container/conf/run_circuits.py"

Version 5.x

  1. In the plug-in, check "Enable loglevel DEBUG." See Configuring the QRadar SOAR Plug-in app for further information.

With DEBUG enabled, circuits.log rotates quickly. Reproduce the problem and gather the logs promptly, before the relevant entries are rotated out.

Retrieve logs from IBM SOAR QRadar plug-in

There are various ways to get the logs.

  1. Download the logs from System and License Management available in the console
  2. Request a log bundle for your QRadar on Cloud instance
  3. Collect log files for QRadar from the command-line interface (get_logs.sh)
  4. Tar the files from the OS
  5. Downloading IBM QRadar SOAR Plug-in app log and configuration files for v5

Download the logs from System and License Management available in the console

If you choose to use this method, ensure that you click Advanced Options and select the Include Application Extension Logs check box.

Request a log bundle for your QRadar on Cloud instance

To include application extension logs in the log bundle, select the Include App Logs checkbox.

Collect log files for QRadar from the command-line interface (get_logs.sh)

/opt/qradar/support/get_logs.sh -a -S -q 10

Tar the files from the OS

Use the app ID to run a command from the console or App Host, depending on where it is installed.

tar -zcvf /tmp/plug-in_logs.tar.gz /store/docker/volumes/qapp-<app-id>/log/*

Replace <app-id> with the actual four-digit ID.
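The following script is an added example and not part of the IBM page: it carries the 3.x/4.x debug-enabling steps (edit app.config, restart the plug-in) and the tar step above into reusable shell functions, with the four-digit app ID and the log volume checked before anything is archived. The config paths, process names and log volume path are the ones the page lists; the function names and the optional override arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the IBM page: set loglevel in the 3.x/4.x
# plug-in app.config, restart the plug-in, and bundle the log volume.
# Paths and process names are the ones the page lists; function names
# and override arguments are assumptions.
set -eu
# app.config path and run_circuits.py command line per major version.
config_path() {
    case "$1" in
        3) echo /store/app.config ;;
        4) echo /opt/app-root/store/app.config ;;
        *) echo "unsupported plug-in version: $1" >&2; return 1 ;;
    esac
}
runner_pattern() {
    case "$1" in
        3) echo 'python run_circuits.py' ;;
        4) echo 'python /opt/app-root/container/conf/run_circuits.py' ;;
        *) return 1 ;;
    esac
}

# Set loglevel=<LEVEL>, keeping a .bak copy so INFO can be restored once
# the logs are gathered (DEBUG rotates circuits.log quickly). Replaces
# the existing loglevel line or appends one; prints the resulting line.
set_loglevel() {
    cfg="$1"; level="$2"
    cp "$cfg" "$cfg.bak"
    if grep -q '^loglevel=' "$cfg"; then
        sed -i "s/^loglevel=.*/loglevel=$level/" "$cfg"
    else
        printf 'loglevel=%s\n' "$level" >> "$cfg"
    fi
    grep '^loglevel=' "$cfg"
}

# Inside the container (recon connect <app-ID>): enable DEBUG and restart.
enable_debug() {
    set_loglevel "$(config_path "$1")" DEBUG
    pkill -9 -f "$(runner_pattern "$1")"
}

# On the console or App Host: check the four-digit app ID and that the
# log volume exists, then tar it. Args 2/3 override root and output path.
collect_logs() {
    id="$1"; root="${2:-/store/docker/volumes}"; out="${3:-/tmp/plug-in_logs.tar.gz}"
    case "$id" in [0-9][0-9][0-9][0-9]) ;; *) echo "app ID must be four digits: $id" >&2; return 1 ;; esac
    [ -d "$root/qapp-$id/log" ] || { echo "no log volume for app $id" >&2; return 1; }
    tar -zcf "$out" -C "$root/qapp-$id" log
    echo "$out"
}
```

Run `enable_debug 4` inside the container and `collect_logs 1234` on the host; restore INFO afterwards with `set_loglevel <path> INFO` or by putting back the .bak copy.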

Downloading IBM QRadar SOAR Plug-in app log and configuration files for v5

  1. On the navigation menu, click Admin.
  2. In the IBM QRadar SOAR Plug-in section, click Configuration.
  3. On the Status tab, under Download Logs and Config Files, click Download. The download starts automatically.
  4. The compressed file (Logs_and_Config_files_<date_time>.zip) is available in the download location on your computer.

The v5 plug-in logs can also be retrieved by using any of the other approaches. Downloading from the plug-in itself is likely to be the most convenient, but it does not include the QRadar server logs such as qradar.log.

Document Location

Worldwide


Document Information

Modified date:
17 April 2023

UID

ibm11160758