IBM Support

QRadar: Collecting get_logs and other information required to resolve a QRadar app case

Question & Answer


Question

What information needs to be submitted specifically with a QRadar application case?

Answer

To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and on every QRadar appliance. A further utility, qappmanager, provides additional information specific to the apps installed in the environment.

Note: For general QRadar cases (not related to QRadar application issues), refer to the following guide:

Getting Help: What information should be submitted with a QRadar service request?
 

Steps for generating and collecting the logs:

  1. Use SSH to log in to the Console appliance (or All-in-One) as the root user.
  2. Enter the following command to generate a get_logs file:
    /opt/qradar/support/get_logs.sh -a
    Note:
    • For administrators who have application or extension issues, use the -a option to collect application logs on your Console and App Host (if one exists). The logs from both hosts are saved under the Console's get_logs output, so only the Console's get_logs output file needs to be uploaded.
    • For a list of options that can be run, enter the following command.
      /opt/qradar/support/get_logs.sh -h
    • The script informs you that the log was created and provides the name and the location, which is always the /store/LOGS/ directory.

    Example output

    /opt/qradar/support/get_logs.sh -a
    --------------------------------------------------------------------------------------
    get_logs.sh v6.4 - qradar-qr750-3199-29271.cslab.iss.local
    --------------------------------------------------------------------------------------
    INFO: Gathering install information...
    INFO: Collecting DrQ output...
    INFO: Collecting system files...
    INFO: Collecting old files...
    INFO: Collecting Cert metadata...
    INFO: Collecting accumulator information with collectGvStats.sh v1.8...
    INFO: Collecting deployment info with deployment_info.sh v0.7...
    INFO: Collecting thread dumps from running java processes...
    INFO: Collecting database information...
    INFO: Collecting rpm version information...
    INFO: Collecting QVM files...
    INFO: Fetching Salesforce information...
    INFO: Collecting additional qflow information...
    INFO: Collecting app-framework logs and configuration...
    INFO: Fetching app logs...
    INFO: Running get_logs.sh -a on app host to pull all app logs...
    INFO: Running: /opt/qradar/support/all_servers.sh -a '40 %' /opt/qradar/support/get_logs.sh -a u d290fd0a
        .12 -> bravo-apphost.
    Appliance Type: 4000    Product Version: 2022.6.4.20220829221022
    12:26:45 up 22 days, 21:21, 0 users, load average: 1.04, 0.55, 0.44
    --------------------------------------------------------------------------------------
    
    --------------------------------------------------------------------------------------
    get_logs.sh v6.4 apphost.
    --------------------------------------------------------------------------------------
    INFO: Gathering install information...
    INFO: Collecting DrQ output...
    INFO: Collecting system files...
    INFO: Collecting old files...
    INFO: Collecting Cert metadata...
    INFO: Collecting thread dumps from running java processes...
    INFO: Collecting database information...
    INFO: Collecting QVM files...
    INFO: Fetching Salesforce information...
    Can't open connection to service service: jmx:rmi:///jndi/rmi://localhost:7782/jmxrmi: Failed to retrieve RMIServer stub: javax.naming. Service Unavailable Exception [Root exception is java.rmi.ConnectException: Connection refused to host: localhost; nested exception is:
        java.net.ConnectException: Connection refused (Connection refused)]
    INFO: Collecting additional qflow information...
    INFO: Collecting app-framework logs and configuration...
    INFO: Fetching app logs...
    INFO: Cannot capture recon ps. We are not on the console
    INFO: running extractRules.py...
    INFO: Gathering extract rules and adding to get_logs...
    INFO: Compressing collected files...
    
    The file /store/LOGS/logs_apphost_20230713_d290fd0a.tar.gz (16M) has been created to send to support
    
    INFO: Fetching logs from App Host...
    INFO: Copying file back to the console...                                    100% 16MB 87.0MB/s 00:00
    logs_apphost_20230713_d290fd0a.tar.gz
    INFO: running extractRules.py...
    INFO: Gathering extract rules and adding to get_logs...
    INFO: Compressing collected files...
    The file /store/LOGS/logs_qradar-qr750-3199-29271.cslab.iss.local_20230713_d290fd0a.tar.gz (51M) has been created to send to support
  3. Copy the tar.gz file to a system that has access to an external network to upload your log file.
  4. Enter the following command on your App Host and save the output to a text file.
    docker ps
    Note: If no App Host is installed, run the same command on your Console instead.

    Example output

    CONTAINER ID   IMAGE                                                         COMMAND                  CREATED         STATUS         PORTS                                         NAMES
    e99ebdca106c   console.localdeployment:5000/qapp/1151:7.0.7-20230623153041   "sh /opt/app-root/bi…"   6 hours ago     Up 6 hours     0.0.0.0:49155->5000/tcp, :::49155->5000/tcp   qapp-1151-BYpt9S0C
    57dbf3eff783   console.localdeployment:5000/qapp/1102:3.5.2-20230623153444   "sh /opt/app-root/bi…"   6 hours ago     Up 6 hours     0.0.0.0:49154->5000/tcp, :::49154->5000/tcp   qapp-1102-6CaNPtHx
    fdf131098eac   console.localdeployment:5000/qapp/1103:3.7.0-20230623153840   "sh /opt/app-root/bi…"   6 hours ago     Up 6 hours     0.0.0.0:49153->5000/tcp, :::49153->5000/tcp   qapp-1103-OOiOneaG
    
  5. Enter the following command on your Console and save the output to a text file.
    /opt/qradar/support/qappmanager
    Note:
    • This command places you in a menu. To exit the qappmanager menu and return to the normal command prompt, enter 0.
    • The output also includes the OPTIONS menu, which does not need to be sent to support. Ensure that you include all information listed in the APP DEFINITIONS and APP INSTANCES sections:
      APP DEFINITIONS (SIO=Single Instance Only, MTS=Multi-tenancy Safe):
       ID   | Name                         | Version | Status    | Installed        | Memory | Instances | SIO | MTS | Errors
      ------------------------------------------------------------------------------------------------------------------------
       1102 | QRadar Assistant             | 3.5.2   | COMPLETED | 2023-04-27 16:38 |    600 |         1 | t   | t   |
       1103 | QRadar Use Case Manager      | 3.7.0   | COMPLETED | 2023-04-27 16:50 |    500 |         1 | f   | f   |
       1151 | QRadar Log Source Management | 7.0.7   | COMPLETED | 2023-05-15 11:56 |    100 |         1 | t   | t   |
      
      APP INSTANCES (IID=Instance ID, DID=Definition ID, MHN=Managed Host Name, AHT=Application Host Type, SP=Security Profile):
       IID  | DID  | Name                         | Status   | Task Status | Installed        | MHN                     | AHT   | Memory | SP | Errors
      -------------------------------------------------------------------------------------------------------------------------------------------------
       1102 | 1102 | QRadar Assistant             | RUNNING  | COMPLETED   | 2023-04-27 16:38 | qradar-qr750-3199-29271 | LOCAL |    600 |    |
       1103 | 1103 | QRadar Use Case Manager      | RUNNING  | COMPLETED   | 2023-04-27 16:50 | qradar-qr750-3199-29271 | LOCAL |    500 |    |
       1151 | 1151 | QRadar Log Source Management | RUNNING  | COMPLETED   | 2023-05-15 11:56 | qradar-qr750-3199-29271 | LOCAL |    100 |    |
      
      Total memory used by LOCAL app instances: 1200MB
      
      OPTIONS:
       0) Quit
       1) Help
      10) App definition - list all
      11) App definition - list authorized
      12) App definition - show manifest
      13) App definition - cancel install
      14) App definition - delete
      20) App instance - list all
      21) App instance - list authorized
      22) App instance - create
      23) App instance - start
      24) App instance - stop
      25) App instance - authorize
      26) App instance - change authorized user
      27) App instance - change security profile
      28) App instance - change memory allocation
      29) App instance - cancel install
      30) App instance - delete
      40) Augmented security profiles - list
      41) Admin user - add augmented security profile
      42) Admin user - remove augmented security profile
      50) App containers - list
      Choose option:
      
  6. Contact support to open a case.
  7. In the case, include a description of the issue (what is happening, when did it start, and so on). Attach the get_logs file and the text files that contain the command outputs for docker and qappmanager to the case for review.
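The steps above leave three artifacts to gather by hand: the Console's get_logs archive, the docker ps output and the qappmanager output. The following helper functions are an added example (not IBM's get_logs.sh or qappmanager) that pick the Console archive out of the get_logs.sh -a output, check that the saved qappmanager text still contains the two required sections, and stage everything in one directory ready for step 3; the /store/LOGS path and the section headings come from the page, the file names are assumptions.

```shell
#!/bin/bash
# Added example, not IBM's own tooling: helpers for bundling a QRadar app case.
# /store/LOGS and the qappmanager section headings are as shown on the page;
# the input file names are assumptions.

# Print the path of the LAST archive that get_logs.sh reports. With -a the
# Console output also echoes the App Host archive that was copied back, but
# only the final (Console) archive has to be uploaded.
get_logs_archive_path() {
    sed -n 's|^[[:space:]]*The file \(/store/LOGS/[^ ]*\.tar\.gz\) (.*) has been created.*|\1|p' "$1" \
        | tail -n 1
}

# Return 0 only if the saved qappmanager output still contains both sections
# support asks for (the OPTIONS menu itself may be trimmed away).
qappmanager_output_complete() {
    grep -q '^[[:space:]]*APP DEFINITIONS' "$1" && grep -q '^[[:space:]]*APP INSTANCES' "$1"
}

# Stage the archive and the two text files into one directory, ready to copy
# off the appliance (step 3). Prints the staged file names; non-zero on any gap.
# Usage: stage_case_bundle <archive.tar.gz> <docker_ps.txt> <qappmanager.txt> <dest_dir>
stage_case_bundle() {
    local archive="$1" docker_ps="$2" qapp="$3" dest="$4"
    [ -s "$archive" ]   || { echo "archive missing or empty: $archive" >&2; return 1; }
    [ -s "$docker_ps" ] || { echo "docker ps output missing: $docker_ps" >&2; return 1; }
    qappmanager_output_complete "$qapp" \
        || { echo "qappmanager output lacks APP DEFINITIONS/APP INSTANCES: $qapp" >&2; return 1; }
    mkdir -p "$dest" && cp "$archive" "$docker_ps" "$qapp" "$dest"/ && ls "$dest"
}
```

On an appliance you would capture `/opt/qradar/support/get_logs.sh -a | tee get_logs_output.txt`, then pass `"$(get_logs_archive_path get_logs_output.txt)"` as the first argument to stage_case_bundle.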

Results

You successfully created a support case with IBM QRadar Support, populated the case with the relevant details and provided a copy of the most recent log files.


Document Information

Modified date:
08 September 2023

UID

ibm10740335