
QRadar: How to use iteam_support.sh for general troubleshooting

How To


Summary

iteam_support.sh is a script that can assist users in general troubleshooting. You can confirm hashes of downloaded DSMs and protocols, troubleshoot performance degradation in the event pipeline, and identify what log source type generated an event based on a QID.

Steps

Access the iteam_support.sh menu.
  1. SSH into your QRadar console.
  2. Optional. SSH into the managed host you want to troubleshoot.
  3. Run the iteam_support.sh utility
    /opt/qradar/support/iteam_support.sh
  4. Observe the menu.
    [Screenshot: the iteam_support.sh menu]

    Result
    Select the option you want to run.

Example Uses

The following are some example use-cases for the utility.
 

Check whether managed hosts have a copy of DSMs and protocols

If the Log Source Management app does not display a DSM or protocol, it might be because the Event Processor or Event Collector does not have a copy of the DSM or protocol, because the copies differ, or because the copy is saved in the incorrect directory.

  1. Open the iteam_support.sh utility on the QRadar console.
  2. Get the detailed information. For DSMs, select option 2, 2, then 2. For protocols, select option 2, 3, then 2. Enter the DSM or protocol name.
    Example output. Observe the Release, and the hash and file location on the last line:
    Enter DSM RPM Name: DSM-EMCVMWare
    Name        : DSM-EMCVMWare
    Version     : 7.5
    Release     : 20220825173409
    Architecture: noarch
    Install Date: Wed 09 Nov 2022 03:27:05 PM EST
    Group       : Development/Tools
    Size        : 4681450
    License     : Proprietary.
    Signature   : RSA/SHA256, Fri 26 Aug 2022 12:44:03 AM EDT, Key ID f5de79167c677b19
    Source RPM  : DSM-EMCVMWare-7.5-20220825173409.src.rpm
    Build Date  : Fri 26 Aug 2022 12:44:01 AM EDT
    Build Host  : 8c000fe812fa
    Relocations : (not relocatable)
    Summary     : DSM EMC VMWare Install
    Description :
    This program installs a EMC VMWare DSM plugin.
    
    e7e0062e525632b4fcb7b5478743393e33bb5499  /opt/qradar/jars/plugins/q1labs_sem_dsm_vmware.jar
  3. Next, view the detailed information from a single managed host. For DSMs, select option 2, 2, then 3. For Protocols, select option 2, 3, then 3. Enter the DSM or protocol name, the IP of the managed host, and the password for that host.

    Result
    Compare the detailed information. The release must be the same, as well as the hash and file location recorded on the last line. If the release version is different, update the out-of-date item (the one with a lower number) with yum. If the hash or file locations are different, contact support.
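The comparison in the Result above is mechanical enough to script. The following is an added example, not part of the IBM page or of iteam_support.sh itself: it parses two copies of the detail output (the `Key : Value` block followed by the `<hash>  <path>` line) and applies the page's rule, flagging a release difference as a yum update and a hash or file-location difference at the same release as a case for support. The console sample is shortened from the output shown above; the two managed-host samples are constructed, with placeholder digests, to exercise each branch.

```python
import re

# Trailing line of the detail output: a 40-hex-digit digest, whitespace, file path.
HASH_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")

# Console output, shortened from the DSM-EMCVMWare example shown on this page.
CONSOLE_OUTPUT = """\
Name        : DSM-EMCVMWare
Version     : 7.5
Release     : 20220825173409
Architecture: noarch
Summary     : DSM EMC VMWare Install
Description :
This program installs a EMC VMWare DSM plugin.

e7e0062e525632b4fcb7b5478743393e33bb5499  /opt/qradar/jars/plugins/q1labs_sem_dsm_vmware.jar
"""

# Constructed managed-host outputs (not real QRadar output): one with an older
# release and a placeholder digest, one with the same release but a different digest.
HOST_OLDER_RELEASE = CONSOLE_OUTPUT.replace("20220825173409", "20220601000000").replace(
    "e7e0062e525632b4fcb7b5478743393e33bb5499", "0" * 40)
HOST_WRONG_HASH = CONSOLE_OUTPUT.replace(
    "e7e0062e525632b4fcb7b5478743393e33bb5499", "f" * 40)


def parse_detail(text):
    """Parse the 'Key : Value' block plus the trailing '<hash>  <path>' line.

    Returns a dict of the rpm fields, with the digest under 'Hash' and the
    jar location under 'File'. Lines without a colon (the description body)
    are ignored; only the first colon splits key from value.
    """
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            info["Hash"], info["File"] = m.group(1), m.group(2)
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def _release_key(release):
    # Releases on the page are 14-digit build timestamps; compare numerically
    # when the value is all digits, otherwise fall back to string order.
    return int(release) if release.isdigit() else release


def compare_detail(console_text, host_text):
    """Apply the page's decision rule to one console / managed-host pair.

    Returns (verdict, reason) with verdict one of:
      'ok'               - release, hash and file location all match
      'update_required'  - release differs; reason names the side to update
      'contact_support'  - same release but hash or file location differs,
                           or a required line is missing from one side
    """
    c, h = parse_detail(console_text), parse_detail(host_text)
    for side, info in (("console", c), ("managed host", h)):
        if "Release" not in info or "Hash" not in info:
            return "contact_support", f"{side} output is missing the Release or hash line"
    if c["Release"] != h["Release"]:
        older = "managed host" if _release_key(h["Release"]) < _release_key(c["Release"]) else "console"
        return "update_required", (f"release differs ({c['Release']} vs {h['Release']}); "
                                   f"run yum update on the {older}")
    if c["Hash"] != h["Hash"] or c["File"] != h["File"]:
        return "contact_support", (f"same release but hash/file differ: console {c['Hash']} {c['File']} "
                                   f"vs host {h['Hash']} {h['File']}")
    return "ok", "release, hash and file location match"


if __name__ == "__main__":
    for label, host in (("older release", HOST_OLDER_RELEASE), ("wrong hash", HOST_WRONG_HASH)):
        print(f"{label}: {compare_detail(CONSOLE_OUTPUT, host)}")
```

Release is checked before the hash on purpose: a different release ships a different jar, so a hash mismatch is expected there and the page's remedy is yum, not a support case. Only a hash or path mismatch at an identical release is treated as the anomaly worth escalating.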

Troubleshoot performance degradation in the event pipeline

If you see a "Queue is at 100 percent capacity" error in the logs similar to the following, you can collect DSM performance information and provide it in a support case to identify whether a specific DSM is causing the issue.
[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] com.q1labs.semsources.filters.normalize.DSMFilter: [WARN]
[NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 7159998 event(s) directly to storage. 108482 event(s) have been sent in the last 60 seconds.  Queue is at 100 percent capacity.
After you open the iteam_support.sh utility, select option 4, then 1.

The script generates the ecs-mbeans.tgz file in the current directory, with information on events parsed, events unrecognized, and so on listed in dsm.txt. This file can be provided in a support case to allow support to identify whether a particular DSM is reducing overall performance.
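Rather than waiting to notice the warning by hand, the DSMFilter line can be watched for and its counters pulled out so that queue saturation on the parsing stage is flagged as soon as it appears. The following is an added example, not part of the IBM page or of iteam_support.sh: it parses the warning shown above (the two wrapped lines joined back into one) plus one constructed line for a queue below capacity, extracts the parent component and the three counters, and returns the records whose queue percentage meets a threshold. The field names and the threshold default are this example's own choices.

```python
import re

# The DSMFilter warning as it appears on this page (two wrapped lines joined into
# one), followed by a constructed line of the same shape for a non-saturated queue
# and an unrelated line that the parser must ignore.
SAMPLE_LOG = [
    "[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor]"
    "[parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] "
    "com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] "
    "[NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 7159998 event(s) "
    "directly to storage. 108482 event(s) have been sent in the last 60 seconds.  "
    "Queue is at 100 percent capacity.",
    # constructed: same shape, lower counters, queue well below capacity
    "[ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor]"
    "[parent=emsp02.xxx.com:ecs-ec/EC/Parsing/DSM_Normalize]] "
    "com.q1labs.semsources.filters.normalize.DSMFilter: [WARN] "
    "[NOT:0080004101][x.x.x.x/- -] [-/- -]Device Parsing has sent a total of 1200 event(s) "
    "directly to storage. 15 event(s) have been sent in the last 60 seconds.  "
    "Queue is at 40 percent capacity.",
    "[ecs-ec.ecs-ec] some unrelated INFO line",  # constructed noise
]

# Pipeline component that emitted the warning, e.g. .../EC/Parsing/DSM_Normalize
PARENT = re.compile(r"\[parent=([^\]]+)\]")
# The three counters in the warning text; the separating whitespace varies, so \s+.
QUEUE = re.compile(
    r"Device Parsing has sent a total of (\d+) event\(s\) directly to storage\. "
    r"(\d+) event\(s\) have been sent in the last 60 seconds\.\s+"
    r"Queue is at (\d+) percent capacity\."
)


def parse_queue_warning(line):
    """Return a dict for a DSMFilter queue warning, or None for any other line."""
    m = QUEUE.search(line)
    if not m:
        return None
    p = PARENT.search(line)
    return {
        "parent": p.group(1) if p else None,
        "total_to_storage": int(m.group(1)),  # events bypassing parsing so far
        "last_60s": int(m.group(2)),          # events bypassed in the last minute
        "queue_pct": int(m.group(3)),         # parsing queue fill level
    }


def find_saturated_queues(lines, threshold=100):
    """Keep only the warnings whose queue percentage is at or above threshold."""
    hits = []
    for line in lines:
        rec = parse_queue_warning(line)
        if rec and rec["queue_pct"] >= threshold:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_saturated_queues(SAMPLE_LOG):
        print(f"{rec['parent']}: queue {rec['queue_pct']}%, "
              f"{rec['last_60s']} events to storage in last 60s")
```

The `last_60s` counter is the useful trend figure: a queue that reports 100 percent once and then recovers is a burst, whereas a rising per-minute count across consecutive warnings is the sustained case where collecting the DSM performance data with option 4, 1 is worthwhile.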

Identify what log source type generates an event based on a QID

After you open the iteam_support.sh utility, select option 2, 1, then 1 and provide the QID. The script returns the event and source device information for the event.

All menu options

This list contains all the script's functions, organized as they appear in the menu.

1) Find Managed Host Information
2) QidMap / DSM / Protocol / Scanner Menu
  • 1) QidMap Menu
    • 1) Search An Event Based On QID
    • 2) Find An Event Based On EventID
    • 3) Search An Event From A Single Managed Host Based On QID
    • 4) Find An Event From All Managed Hosts Based On QID
    • 5) Search An Event From A Single Managed Host Based On EventID
    • 6) Find An Event From All Managed Hosts Based On EventID
  • 2) DSM Menu
    • 1) Search DSM
    • 2) Show DSM Detail Information
    • 3) View DSM Detail Information From A Single Managed Host
    • 4) Show DSM Detail information From All Hosts
  • 3) Protocol Menu
    • 1) Search Protocol
    • 2) Show PROTOCOL Detail Information
    • 3) View PROTOCOL Detail Information From A Single Managed Host
    • 4) Show PROTOCOL Detail Information From All Managed Hosts
  • 4) Scanner Menu
    • 1) Search Scanner
    • 2) Show Scanner Detail Information
3) Log Source Menu
  • 1) Search A Log Source
  • 2) Log Source Status
  • 3) Log Source Protocol Status
  • 4) Log Source Protocol Status From A Single Managed Host
4) Advanced Menu
  • 1) Collect DSM Performance Data
  • 2) Collect Getlog Data
  • 3) Enable/Disable Debug
5) Clear Screen
6) Quit

Document Location

Worldwide


Document Information

Modified date:
14 November 2022

UID

ibm16828839