MustGather: Collecting logs for IBM Security QRadar SOAR Disaster Recovery (DR)

Troubleshooting


Problem

Use this document to collect logs for IBM Security QRadar SOAR Disaster Recovery (DR).

Resolving The Problem

You can collect all the log files that the support team needs to troubleshoot problems with IBM Security SOAR DR by following MustGather: Collecting logs for IBM Security SOAR and then gathering the additional information listed below.
Collect the following files and run the following commands:
  • Run sudo resPackageLogs to gather the Resilient logs.
  • The FQHN of both the master and receiver servers.
  • The IP address of both the master and receiver servers.
  • Decrypt the following files:
    • /usr/share/resilient-dr/ansible/files/ssl_certs_vault_a.yml
    • /usr/share/resilient-dr/ansible/files/ssl_certs_vault_b.yml
    • /usr/share/resilient-dr/ansible/group_vars/all/vault
  • Gather the following files from both the master and receiver:
    • /usr/share/resilient-dr/ansible/files/ssh_vault.yml
    • /usr/share/resilient-dr/ansible/files/ssl_certs_vault_a.yml
    • /usr/share/resilient-dr/ansible/files/ssl_certs_vault_b.yml
    • /usr/share/resilient-dr/ansible/group_vars/all/vault
    • /usr/share/resilient-dr/ansible/inventories/resilient_hosts_master_a.yml
    • /usr/share/resilient-dr/ansible/inventories/resilient_hosts_master_b.yml
  • Postgres logs:
    • /var/lib/pgsql/9.6/data/pg_log/postgresql-XXX.log if running v42 or older
    • /var/lib/pgsql/12/data/log/postgresql-XXX.log if running v43 to v50
    • /var/lib/pgsql/14/data/log/postgresql-XXX.log if running v51 or newer
  • Gather the following file from the server on which you initiated the playbook:
    • /usr/share/resilient-dr/ansible/files/logs/resilient-dr-ansible.log
The file names can differ depending on the choices you made during the configuration process.
When gathering the files, place the files from each server in a separate directory, or add "master" or "receiver" to their names, so that it is clear which server each file came from.
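As an added example (not an IBM script), the following POSIX shell function collects the files listed above from one server into a directory named after its role (master or receiver), selects the Postgres log directory from the SOAR version, and writes a SHA-256 manifest so support can confirm the copies are intact. The install and Postgres paths are those given in this document; the DR_ANSIBLE_DIR and PG_BASE_DIR overrides, the manifest file, and the gather_dr_files name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM's script: collect the SOAR DR support files from one
# node into DEST/ROLE so master and receiver material stays clearly separated.
# Paths default to the locations in the document; override them if needed.
DR_ANSIBLE_DIR="${DR_ANSIBLE_DIR:-/usr/share/resilient-dr/ansible}"
PG_BASE_DIR="${PG_BASE_DIR:-/var/lib/pgsql}"

# Map a SOAR major version to the Postgres log directory named in the document.
pg_log_dir() {
    if [ "$1" -le 42 ]; then echo "$PG_BASE_DIR/9.6/data/pg_log"
    elif [ "$1" -le 50 ]; then echo "$PG_BASE_DIR/12/data/log"
    else echo "$PG_BASE_DIR/14/data/log"
    fi
}

# gather_dr_files ROLE DEST SOAR_MAJOR_VERSION
# Copies each file that exists, records its SHA-256 in manifest.txt, and prints
# the number of files collected. Vault files are copied still encrypted;
# produce the decrypted copies separately with ansible-vault.
gather_dr_files() {
    role=$1; dest=$2/$1; ver=$3
    mkdir -p "$dest"
    : > "$dest/manifest.txt"
    n=0
    for f in \
        "$DR_ANSIBLE_DIR/files/ssh_vault.yml" \
        "$DR_ANSIBLE_DIR/files/ssl_certs_vault_a.yml" \
        "$DR_ANSIBLE_DIR/files/ssl_certs_vault_b.yml" \
        "$DR_ANSIBLE_DIR/group_vars/all/vault" \
        "$DR_ANSIBLE_DIR/inventories/resilient_hosts_master_a.yml" \
        "$DR_ANSIBLE_DIR/inventories/resilient_hosts_master_b.yml" \
        "$DR_ANSIBLE_DIR/files/logs/resilient-dr-ansible.log" \
        "$(pg_log_dir "$ver")"/postgresql-*.log
    do
        [ -f "$f" ] || continue   # names vary with configuration choices; skip absent ones
        cp -p "$f" "$dest/"
        sha256sum "$f" >> "$dest/manifest.txt"
        n=$((n + 1))
    done
    # Record the FQHN requested above; tolerate hosts where it cannot be resolved.
    hostname -f >> "$dest/manifest.txt" 2>/dev/null || true
    echo "$n"
}

# Usage: sh gather_dr.sh master /tmp/soar-dr-support 51
if [ "$#" -ge 3 ]; then gather_dr_files "$1" "$2" "$3"; fi
```

Run it once on the master and once on the receiver, then send the whole DEST directory (or a tarball of it) to support.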
Debug
You can enable debug output by appending "-vvv" to any of the playbook commands you run, for example: ansible-playbook -i inventories/<resilient_hosts_master_machine_a.yml> enable_dr.yml -vvv
If one particular Ansible task is causing a problem, you can enable debug output for that task alone. For example, consider this task:
TASK [fs_receiver : load ssh keys from vault] **************************************************************************
ok: [resilient-secondary.domain.com]
For the "load ssh keys from vault" task, comment out the "no_log" line of that task in /usr/share/resilient-dr/ansible/roles/fs_receiver/tasks/main.yml and run the playbook again. The debug output is written to /usr/share/resilient-dr/ansible/files/logs/resilient-dr-ansible.log.
Because no_log is disabled, passwords might be written to the log in clear text.
The IBM support team might require additional information depending on the problem.
Ensure that the files on both servers are the same, and that DNS is populated or the hosts file is set correctly, so that host names resolve as expected.

Document Location

Worldwide


Document Information

Modified date:
10 April 2024

UID

ibm16090970