IBM Support

QRadar: In my case, do I need to submit logs from multiple hosts when an error occurs?

Question & Answer


Question

By default, Console logs are required for most cases; however, users can select multiple hosts in the user interface to get logs from multiple hosts. As each managed host has unique logs, it helps support representatives troubleshoot issues when they have the Console logs, plus the managed host logs. This technical note describes scenarios where administrators need to provide logs from multiple hosts for software issues or errors.

Answer

Issues in QRadar are not always confined to one host (Console or managed host), and support representatives might request logs from multiple hosts in the deployment for certain issues. This technical note covers common situations where logs from multiple hosts in the deployment are required.

Events or flows

When you experience issues receiving events or flows and you have multiple Event Processors and Event Collectors, you might need to submit logs from both appliance types.

Are you not receiving any events or flows on an appliance or is the issue related to a specific log source?

  • If you are not receiving any events at all on an appliance, then you need to submit logs from the Console, your Event Processor or Flow Processor, and any Event Collectors or Flow Collectors.
  • If you are seeing some events and flows, then you need to determine which log sources and flow sources are not receiving data. For log sources, do the affected events all belong to the same Event Collector? If yes, then you can submit logs from that Event Collector and the Event Processor that processes its event data, along with the Console logs.

Apps

As applications are hosted on one of two appliance types, logs are required from either the Console or an App Host. Do you have an App Host in your QRadar deployment?

  • If yes, then you need to submit logs from both the Console and the App Host. Do not forget to go to advanced options and check the box for Application Extension Logs when you collect logs from the user interface.
  • If no, then only Console logs are required to troubleshoot the application error. Do not forget to go to advanced options and check the box for Application Extension Logs. It is often helpful to include information on what you attempted and whether all applications are down or only a specific application is experiencing issues.

Host status issues in System and License Management

When a host displays a status of 'Unknown' in the System and License Management interface, support requires logs from the Console and whichever host is in the unknown state. Console logs are collected from the user interface. If you want to use the command line, you can use the get_logs utility to create a log bundle for the host.

For more information, see QRadar: Managed hosts intermittently display a status of Unknown.

Deploy Changes errors

When a deploy fails on an individual host, logs are typically required from both the Console and the host on which the deploy failed to properly troubleshoot the issue.

High Availability

If a fail-over occurred and the issue requires an investigation by QRadar Support, administrators need to submit logs from both the primary and the secondary appliances, if possible.

Upgrades

If you are upgrading your systems and the patch fails on a host other than the Console, you need to send in logs from both the Console and the host that failed to upgrade. If you experience a "Failed to install" message, or your host does not function as expected after a "Success with errors" message during the upgrade, you might need to submit logs from multiple hosts.

Data Nodes

If you believe that there might be a problem with rebalancing, you need to provide logs from the Data Node appliance and the Event Processor (16xx), Combination Event and Flow Processor (18xx), or Console (31xx) appliance to which it is assigned. Every Data Node appliance must be assigned to another appliance that has an ecs-ep service. For more information, see Data Nodes and data storage.
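The scenarios above form one decision procedure: given what failed and how the deployment is laid out, which hosts does support need logs from, and must the Application Extension Logs option be selected? The following is an added example, not IBM code, that encodes those rules as a Python helper so an administrator can produce the checklist before opening a case. The Deployment structure, the scenario keywords, the hostnames in the sample topology, and the path /opt/qradar/support/get_logs.sh used for the command-line variant of the get_logs utility are all assumptions made for this example.

```python
"""Checklist helper for the QRadar multi-host log guidance above (added example).

Encodes the note's rules: which hosts to collect logs from for a given
scenario, and whether "Application Extension Logs" must be selected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Deployment:
    # Hypothetical topology description; field names are assumptions.
    console: str
    event_processors: List[str] = field(default_factory=list)
    event_collectors: List[str] = field(default_factory=list)
    flow_processors: List[str] = field(default_factory=list)
    flow_collectors: List[str] = field(default_factory=list)
    app_host: Optional[str] = None
    # Event Collector -> Event Processor that processes its events
    collector_to_processor: Dict[str, str] = field(default_factory=dict)
    # Data Node -> appliance (16xx/18xx/31xx) that runs its ecs-ep service
    data_node_to_processor: Dict[str, str] = field(default_factory=dict)
    # HA primary -> HA secondary
    ha_pairs: Dict[str, str] = field(default_factory=dict)


def required_log_hosts(scenario: str, d: Deployment,
                       host: Optional[str] = None,
                       collector: Optional[str] = None) -> Tuple[List[str], bool]:
    """Return (sorted host list, application_extension_logs_needed).

    `host` names the affected managed host (unknown status, failed deploy or
    upgrade, HA primary, Data Node); `collector` names the Event Collector
    that owns the failing log source.
    """
    hosts = {d.console}          # Console logs are the default for most cases
    app_ext = False
    if scenario == "no_events_or_flows":
        hosts.update(d.event_processors, d.flow_processors,
                     d.event_collectors, d.flow_collectors)
    elif scenario == "specific_log_source":
        if collector is None:
            raise ValueError("name the Event Collector that owns the log source")
        hosts.add(collector)
        hosts.add(d.collector_to_processor[collector])
    elif scenario == "app":
        app_ext = True               # tick Application Extension Logs
        if d.app_host:
            hosts.add(d.app_host)    # App Host plus Console; otherwise Console only
    elif scenario in ("host_unknown", "deploy_failed", "upgrade_failed"):
        if host is None:
            raise ValueError("name the affected managed host")
        hosts.add(host)
    elif scenario == "ha_failover":
        if host not in d.ha_pairs:
            raise ValueError("name the HA primary")
        hosts = {host, d.ha_pairs[host]}   # primary and secondary only
    elif scenario == "data_node_rebalance":
        if host not in d.data_node_to_processor:
            raise ValueError("name the Data Node")
        hosts = {host, d.data_node_to_processor[host]}
    else:
        raise ValueError("unknown scenario: " + scenario)
    return sorted(hosts), app_ext


def get_logs_commands(hosts: List[str]) -> List[str]:
    """Command-line alternative to the UI collection; the script path is assumed."""
    return ["ssh %s /opt/qradar/support/get_logs.sh" % h for h in hosts]


def sample_deployment() -> Deployment:
    """Constructed sample topology used for the demonstration below."""
    return Deployment(
        console="console.example",
        event_processors=["ep1.example"],
        event_collectors=["ec1.example", "ec2.example"],
        flow_processors=["fp1.example"],
        app_host="apphost.example",
        collector_to_processor={"ec1.example": "ep1.example",
                                "ec2.example": "ep1.example"},
        data_node_to_processor={"dn1.example": "ep1.example"},
        ha_pairs={"console.example": "console-ha.example"},
    )


if __name__ == "__main__":
    d = sample_deployment()
    hosts, app_ext = required_log_hosts("specific_log_source", d, collector="ec2.example")
    print("collect from:", hosts, "| app extension logs:", app_ext)
    for cmd in get_logs_commands(hosts):
        print(cmd)
```

Run the block directly to print the checklist for the "specific log source" case; the function raises a ValueError rather than guessing when the scenario needs a host or collector name that was not supplied.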


Document Information

Modified date: 14 December 2022

UID: ibm16838557