How To
Summary
How to enable debug logging on a Disconnected Log Collector (DLC).
Objective
More granular log messages are often helpful while troubleshooting. This guide helps you enable debug logging output, which is helpful in case you need to raise a support case with IBM.
Steps
Before you begin
Note: debug logging produces more messages into the dlc.log file. Therefore, we recommend that you check partition space, as a full disk might cause the DLC service to stop. Also, we don't recommend leaving debug logging enabled for more than 10 - 15 minutes, unless the system is being actively monitored.
Steps:
- Log in on your DLC with ssh.
- Take a backup of /opt/ibm/si/services/dlc/conf/log4j2.xml.
cp -vp /opt/ibm/si/services/dlc/conf/log4j2.xml /opt/ibm/si/services/dlc/conf/log4j2.xml.BAK ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’ -> ‘/opt/ibm/si/services/dlc/conf/log4j2.xml.BAK’
v is for Verbose, an output is displayed on the screen showing what is happening.
p is for Preserve, this preserves the mode, ownership and timestamps.
The backup file will have the same ownership, permissions and timestamp as the original file.
Example:-rw-r-----. 1 root dlc 4409 Mar 28 15:33 log4j2.xml -rw-r-----. 1 root dlc 4409 Mar 28 15:33 log4j2.xml.BAK
- Edit the file /opt/ibm/si/services/dlc/conf/log4j2.xml.
vim /opt/ibm/si/services/dlc/conf/log4j2.xml
- Find this snippet in the code:
<RollingFile name="InfoFileAppender" fileName="${APP_LOG_ROOT}/dlc.log" filePattern="${APP_LOG_ROOT}/archive/dlc-%d{MM-dd-yyyy}-%i.log.gz"> <Filters> <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="DENY"/> <RegexFilter regex=".* Health Agent .*" onMatch="DENY" onMismatch="ACCEPT"/> </Filters>
- Change level="INFO" to level="DEBUG".
- Also, find this section in the same file:
<logger name="com.ibm.si" level="INFO" additivity="false"> <AppenderRef ref="InfoFileAppender" /> <AppenderRef ref="ErrorFileAppender" /> </logger>
- Change level="INFO" to level="DEBUG".
- Save the changes and exit the editor.
Press escape (Esc) followed by :x to save the file.
- Restart the DLC service.
systemctl restart dlc
To revert to original level of logging:
- Copy the backup file overwriting the current file.
cp -vp /opt/ibm/si/services/dlc/conf/log4j2.xml.BAK /opt/ibm/si/services/dlc/conf/log4j2.xml cp: overwrite ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’? y ‘/opt/ibm/si/services/dlc/conf/log4j2.xml.BAK’ -> ‘/opt/ibm/si/services/dlc/conf/log4j2.xml’
You will be prompted to answer Yes to confirm that you want to overwrite the file. Type Y and press Enter. - Restart the DLC service again and verify.
systemctl restart dlc
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt9AAA","label":"DLC"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
27 October 2022
UID
ibm16619379