IBM Support

QRadar: How to Collect System Dumps for cases where components are running out of memory

How To


Summary

How to collect the System dump files for QRadar components that are running out of memory, when requested by IBM Support.

Objective

In some IBM Support cases involving a QRadar component running out of memory, IBM Support might request you provide a copy of the *.dmp (dump) files for the component that is failing. If IBM Support requests these files, the following steps act as a guide on the location of these dump files and provide some tips on collection.

Steps

  1. Use SSH to connect to the affected host, such as the Console or a Manager Host.
  2. Use cd /store/jheap to navigate to the jheap folder where the dumps are stored.
  3. (Optional) Use df -h * to view the size of each folder in human readable format.
  4. Navigate to the folder of the component that is running out of memory. For example, for ecs-ec use the cd ecs-ec.ecs-ec command.
  5. There should be two files, named <Component>.<Component>-system.dmp and <Component>.<Component>-javacore.dmp. Check that they were created relatively recently by using the ls -l command. If they are old, they can be safely deleted and are regenerated the next time the component crashes.
  6. (Recommended) To save space when transferring the files, compress the <Component>.<Component>-system.dmp file by using gzip or similar. Despite its large size, it compresses heavily, often to 10-20% of its original size.
  7. Use the SCP command or similar to transfer the files from the host to your own jump host or personal machine.
  8. Transfer the files from where you saved them to the case by using any of the methods outlined here: Enhanced Customer Data Repository (ECuRep) - Send data
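The steps above as one added shell example (not from the IBM page): it stages a component's dump pair for upload, flags files older than a cutoff as stale rather than touching them, and gzips a fresh system dump. The folder and file names follow the step list; JHEAP_ROOT, MAX_AGE_DAYS and the stage_dump function are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not QRadar's own tooling. Assumes the <Component>.<Component>
# folder layout under /store/jheap and the *-system.dmp / *-javacore.dmp names
# described in the steps. JHEAP_ROOT is overridable so the function can be
# exercised against a constructed directory tree.
JHEAP_ROOT="${JHEAP_ROOT:-/store/jheap}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"   # dumps older than this are reported STALE

# stage_dump <component>
# Prints one line per dump file: "FRESH|STALE|MISSING <path>".
# A fresh system dump is compressed to <path>.gz (original kept, as gzip -c
# works on older gzip versions without -k). Returns 0 only if both files are
# fresh, 1 if any file is stale or missing, 2 if the component folder is absent.
stage_dump() {
    comp="$1"
    dir="$JHEAP_ROOT/$comp.$comp"
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    rc=0
    for kind in system javacore; do
        f="$dir/$comp.$comp-$kind.dmp"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        # find -mtime +N matches files last modified more than N days ago
        if [ -n "$(find "$f" -mtime +"$MAX_AGE_DAYS" 2>/dev/null)" ]; then
            echo "STALE $f"; rc=1; continue
        fi
        echo "FRESH $f"
        if [ "$kind" = system ] && [ ! -f "$f.gz" ]; then
            gzip -c "$f" > "$f.gz"
            echo "GZIP $f.gz $(wc -c < "$f") -> $(wc -c < "$f.gz") bytes"
        fi
    done
    return $rc
}

# Usage: sh stage_dump.sh ecs-ec
if [ -n "${1:-}" ]; then
    stage_dump "$1"
fi
```

Run it on the host before step 7 so only the compressed system dump and a fresh javacore are copied off; STALE lines mean step 5 applies first.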

Additional Information

The <Component>.<Component>-system.dmp file is the file typically needed by IBM Support unless explicitly stated otherwise. The files are large, often several gigabytes in size; however, they compress to a far smaller size, which makes transfer easier.
For example, accumulator.accumulator-system.dmp with a size of 4GiB can compress to 250MiB using
gzip accumulator.accumulator-system.dmp
Note: The files in the <Component>.<Component> folder could be old. It might be best to delete older files and allow the component to crash again so that a new, relevant version of the dump file is generated.

Document Location

Worldwide


Document Information

Modified date:
14 May 2020

UID

ibm12979081