IBM Support

Getting Help: What information should be submitted with a QRadar service request?

Question & Answer


Question

What basic information should be collected when logging a Service Request with IBM Security QRadar Support?

Cause


Quick links

  1. What information should I submit to QRadar support for software issues?
  2. What information should I submit for event parsing issues?
  3. What information should I submit to QRadar support for hardware issues?
  4. What information should I submit for WinCollect agent issues?

Answer


1. What information should I submit to QRadar support for software issues?


The following information should be submitted with customer service requests when reporting software issues in QRadar.

  • 1a. How to collect log files for QRadar support from the user interface for QRadar 7.2.5 and later

    • A detailed description of the issue, including the steps taken or changes made before the issue occurred.
    • Screen captures showing the issue or the on-screen error message.
    • The steps taken by the user or administrator to try to resolve the problem.
    • An export from get logs in QRadar.
    • Product version and build number. This information is available from the user interface. To view your QRadar version, from the Dashboard tab, select Help > About.


      Depending on your QRadar version, there are two methods of collecting logs from QRadar.



    • Collect Log Files was added to the System and License Management user interface in QRadar 7.2.5. If you are not on QRadar 7.2.5 or later, or you are having user interface issues, you can use the command-line version of this utility, get_logs.sh. The video referenced here demonstrates how to collect log files when preparing to open a service request with QRadar Support.
      (YouTube video: Collect get_logs from QRadar 7.2.5 and later, 00:02:20)
      • Procedure
        1. Click the Admin tab.
        2. Click the System & License Management icon.
        3. Select the QRadar appliances that you want to collect logs from in the user interface.

          Note: You can use Shift + click or Ctrl + click to get logs from multiple appliances. If you do not select any appliance, the default action is to collect logs from the QRadar Console.
           
        4. Select Actions > Collect Log Files.
        5. In most cases, unless customers are experiencing application/extension issues, the default options can be used.


          Advanced Options
          - Unless advised by QRadar Support, there is no need to enable the Include Debug Logs check box.
          - If you are having issues with a QRadar extension or installing an application, select the Include Application Extension Logs check box.
          - If you have recently upgraded your appliance, installed software updates, or are having issues with managed hosts, select the Include Setup Logs (Current Version) check box.
          - Most administrators can leave the Collect Logs for this Many Days field blank. However, if you are collecting logs from multiple hosts, choosing a known time frame limits the size of the collection and the time it takes to collect the log files.
           
        6. Click Collect Log Files.

          The log collection process starts and the status bar will update when log collection is complete.
        7. Click Download and save the file.
        8. Attach the log to your support ticket.

          Results
          Support will contact you using your preferred method of communication. If you have issues downloading the file from the user interface, you can use WinSCP or another secure copy utility to copy the log file from the /var/log directory on the appliance. Root access to the appliance is required to use the get_logs.sh utility.
           

      1b. How to collect log files for QRadar from the command line interface (get_logs.sh) for QRadar 7.2.4 and earlier


      To collect logs from the command line, root access is required. The get_logs.sh utility is available on every version of QRadar and is provided on every QRadar appliance. This utility should be used as a fallback when the QRadar user interface is not available.

      • Procedure
        1. Using SSH, log in to the Console appliance (or All-in-One) as the root user.
        2. Type the following command: /opt/qradar/support/get_logs.sh
          The script informs you that the log was created and provides the name and the location, which is always the /var/log/ directory. For administrators having application or extension issues, use the -a option to collect application logs with your Console log information. For a list of commands that can be run, type: /opt/qradar/support/get_logs.sh -h
        3. Copy the tar.bz2 file to a system that has access to an external network to upload your log file.
        4. Click the following URL to open a service request: http://ibm.biz/qradarsupport .
        5. Click New service request and sign in to your IBM ID, if required.
        6. Select I am having a problem with Software.
        7. Attach the log file and provide an explanation of your issue in your ticket.

          Results
          Support will contact you using your preferred method of contact.


2. What information should I submit for DSM parsing issues?


To receive support for DSM parsing issues, we typically request that customers submit the following information:


  • 2a. How to verify which DSM version is installed

    • The name of the appliance or software that generated the unknown event, stored event, or incorrectly categorized event.
    • A screen capture of the log source configuration. Double-click the log source to open the edit screen and take a screen capture.
    • A screen capture of the incorrect event. Double-click an event in the Log Activity tab to view the Event Summary and submit a screen capture.
    • The version of the software that is generating the events. If multiple appliance versions are in your network, list all versions.
    • The DSM version installed on the customer's QRadar Console (see instructions below).
    • A Full XML export from the Log Activity tab on the Console (see instructions below).
    • Procedure
      1. Using SSH, log in to the QRadar Console as the root user.
      2. To find the installed version, type: rpm -qa | grep -i nameofDSM
        For example:
      3. This version information can be compared to what is posted on IBM Fix Central, but should also be included in your support request.
         

      2b. How to export events for review by support

      Procedure
      1. Click the Log Activity tab.
      2. Click Add Filter.
      3. Select Log Source > Equals > Name of the log source with the parsing issue.
        Note: If your log source is not assigned to a group yet, select Other, which will display all ungrouped log sources.
      4. Click Add Filter.
        You are returned to the Log Activity tab, which displays events filtered by the log source you selected.
      5. Click the View drop-down and select a time interval. For example, 7 hours.
      6. Review the filtered events to ensure that they contain your issue or concern.
      7. From the navigation menu, select Actions > Export to XML > Full Export (All Columns).
        Note: XML is the preferred format for event reviews.

        Results
        Attach the XML event export and provide an explanation of the events that appear to be parsing incorrectly in the description of your service request.


3. What information should I submit to QRadar support for hardware issues?


3a. How to determine if an appliance is IBM X-Series or Dell?


  • Some administrators have a mix of appliance types in their network. When hardware issues occur, it is helpful to understand what type of appliance you are working with to determine if you need to provide QRadar Support with a DSA file (X-Series hardware).  Dell hardware may not display a result.

    To verify your hardware manufacturer:
    1. Using SSH or the appliance terminal, log in as the root user.
    2. To determine the hardware manufacturer, type the following command: dmidecode -t system
    3. Review the output on screen for the manufacturer information.

      Sample output:
      # dmidecode 2.12
      # SMBIOS entry point at 0x7f6be000
      SMBIOS 2.5 present.

      Handle 0x0030, DMI type 1, 27 bytes
      System Information

      Manufacturer: IBM
      Product Name: System x3650 M3 -[7945AC1]-
      Version: 00
      Serial Number: KQ35RWH
      UUID: 09E10B2B-16C9-3B91-888B-73C34F82FC1D
      Wake-up Type: Other
      SKU Number:
      Family: System x
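The manufacturer check above is something an administrator typically repeats across a mixed deployment. The following shell script, added here as an example and not part of the IBM article, parses the System Information block of `dmidecode -t system` and maps the manufacturer to the hardware report the article asks for (DSA report for IBM X-Series, iDRAC report for Dell). The embedded SAMPLE_DMIDECODE text is the sample output shown above so the script runs offline; the function names and the Lenovo mapping (System x hardware sold after the Lenovo acquisition reports Lenovo as manufacturer) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code: classify a QRadar appliance's hardware vendor
# from `dmidecode -t system` output, so the administrator knows whether a DSA
# report (IBM X-Series) or an iDRAC report (Dell) belongs on the hardware ticket.

# Sample output copied from the article, embedded so the script runs without
# root access or the dmidecode binary.
SAMPLE_DMIDECODE='# dmidecode 2.12
# SMBIOS entry point at 0x7f6be000
SMBIOS 2.5 present.

Handle 0x0030, DMI type 1, 27 bytes
System Information
        Manufacturer: IBM
        Product Name: System x3650 M3 -[7945AC1]-
        Version: 00
        Serial Number: KQ35RWH
        UUID: 09E10B2B-16C9-3B91-888B-73C34F82FC1D
        Wake-up Type: Other
        SKU Number:
        Family: System x'

# manufacturer_from_dmidecode: read dmidecode output on stdin and print the
# value of the first "Manufacturer:" field, or "unknown" if there is none
# (the article notes that Dell hardware may not display a result).
manufacturer_from_dmidecode() {
  awk -F': *' '
    /^[[:space:]]*Manufacturer:/ { print $2; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# hardware_report_needed VENDOR: print which report to attach to the ticket.
# "Lenovo" is an assumption of this example (later System x hardware), not
# something the article states.
hardware_report_needed() {
  case "$1" in
    IBM*|Lenovo*) echo "dsa" ;;     # X-Series: run the DSA utility (section 3b)
    Dell*)        echo "idrac" ;;   # Dell: generate the report from iDRAC (section 3e)
    *)            echo "unknown" ;; # ask QRadar Support which report to provide
  esac
}

# check_appliance: use the live dmidecode output when run as root on a host
# that has it, otherwise fall back to the embedded sample. Prints "VENDOR REPORT".
check_appliance() {
  if command -v dmidecode >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    vendor=$(dmidecode -t system 2>/dev/null | manufacturer_from_dmidecode)
  else
    vendor=$(printf '%s\n' "$SAMPLE_DMIDECODE" | manufacturer_from_dmidecode)
  fi
  echo "$vendor $(hardware_report_needed "$vendor")"
}

check_appliance
```

Run the script as root on the appliance to classify the live hardware; on any other machine it reports "IBM dsa" from the embedded sample.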

3b. IBM xSeries appliances: How to run a Dynamic System Analysis (DSA) report
 

  • Administrators who experience hardware issues on xSeries appliances should run the DSA utility and submit a report with the hardware support request.

    Before you begin: The QRadar Appliance ships with the DSA utility installed. Should you see a message "This system is not supported by this version of DSA" an updated build of the DSA may be required for your appliance. Refer to this link for the correct update of the DSA utility for your Appliance.

    Versions of the DSA utility required for my QRadar Appliance
     
    • Procedure
        1. Using SSH, log in to the remote QRadar appliance that is experiencing the hardware error.
          Note: You must first SSH to the Console, then open another SSH session to a managed host in the deployment.
        2. To change directory to the support folder, type: cd /opt/qradar/support
        3. To verify the permissions on the DSA utility, type: ls -l *dsa*
          If the permissions are "rw-r--r--", then you must change the permissions to be able to run the DSA utility.
        4. To change permissions, type: chmod 755 <DSA_build>_x86-64.bin
        5. To run a DSA report for your appliance, type: ./<DSA_build>_x86-64.bin
        6. The DSA utility creates a .xml.gz file in /var/log/IBM_Support whose name contains the machine type, serial number, and date.
          For example: /var/log/IBM_Support/7944AC1_KQ97NYC_20150927-163515.xml.gz
        7. Copy this file from the remote host.
        8. Click the following URL to open a service request: http://ibm.biz/qradarsupport .
        9. Click New service request and sign in to your IBM ID, if required.
        10. Select I am having a problem with Software.
          NOTE: QRadar software team reviews all requests, even hardware related issues as verification. All QRadar tickets should be opened as software issues.
        11. Attach the log file and provide an explanation of your issue.
        12. Support will contact you using your preferred method of communication.

      • Note: If your system will not boot, follow the instructions in the next section for non-booting appliances.



    3c. How to run a Dynamic System Analysis (DSA) report for a non-booting appliance


    Administrators who experience hardware issues on xSeries appliances should run the DSA utility and submit a report with the hardware support request. The procedure below outlines how an administrator can collect a hardware report for an appliance that does not boot properly. This hardware report is required and must be submitted with the service request. This procedure can be followed for appliances that are suspended or frozen due to a hardware or software issue.
     
    • Procedure
      1. Restart the QRadar Appliance.
      2. Press F2 to enter diagnostics.
      3. Press ESC to stop the memory test if it starts.
      4. After a menu appears, arrow over to Quit, then select Quit to DSA.
      5. Choose the command line option: CMD.
      6. Insert a FAT32-formatted USB flash drive. The output file is typically under 1 MB.
      7. Choose to collect DSA with no other options needed. Choose option 1 to collect DSA diagnostics.
      8. After 2 passes complete, exit back to the previous menu.
      9. Choose the option copy to local media.
      10. If USB flash drive is not seen, reseat and try again. If the USB flash drive is still not seen, try a different USB device.
         
      Note: The DSA can sometimes take a long time to start and run, which might make it appear to administrators that the DSA program is not functioning. Do not interrupt this process; it can take up to 5 minutes between steps to collect the information and complete the report before writing it to the USB flash drive.

      Results
      After the data is collected on the appliance, the files are saved to the USB flash device. The process of writing the files to the USB drive only takes a few seconds.



3d. IBM xSeries appliances: How to collect a report from the IMM DSA utility for non-hard-drive hardware issues


Administrators who experience non-hard-drive hardware issues on xSeries appliances should run the Download Service option from the IMM DSA utility and submit that report with the hardware support request, in addition to the DSA report. For the procedure, refer to the Lenovo link below.



3e. Dell appliances: How to open a Dell Hardware Case and Generate logs by using the iDRAC.

  • Administrators who experience hardware issues on Dell appliances should use the integrated Dell Remote Access Controller (iDRAC) card to generate a system report. The administrator can submit the system report to QRadar Support for review. The following content is required in your case for QRadar Support to review a Dell hardware issue.
    1. A description of the hardware issue.
    2. A screen capture or the text of the error message.

    A support representative will contact you using your preferred method of contact. If you are not available when you open your ticket, the support representative will leave a message or you can include a secondary contact in your case description. If we require logs or additional information, your ticket will be updated to include further details and the status will change to *Awaiting your Feedback*. If you have questions about this procedure, you can always ask in our forums: ibm.biz/qradarforums .

    To generate logs by using the integrated Dell Remote Access Controller (iDRAC) refer to these Dell links:


4. What information should I submit for WinCollect agent issues?

  • Administrators who experience issues with WinCollect agents should submit the following information with the support ticket.
    Providing a problem description
    1. A description of the issue, Windows operating systems, and any hostnames or IP addresses that are affected.

      For example:
      • I'm having an issue collecting events from 4 Hyper-V computers with Windows Server 2008 R2. The WinCollect agent name is _____ and the hostnames I'm trying to collect events from are hostA (1.1.1.1), hostB (1.1.1.2), hostC (1.1.1.3), and hostD (1.1.1.4). These Windows systems are in our DMZ.
      • I added 250 log sources using the log source bulk add feature with WinCollect, and they recently stopped sending events. The last event time is _____. The WinCollect agent name is ____ and the log sources that I want investigated are hostA (1.1.1.1), hostB (1.1.1.2), hostC (1.1.1.3), and hostD (1.1.1.4). Here is a screen capture of the log source configuration.
      • I installed a new WinCollect agent on hostnameX using the command-line installer, but it did not work. I tried several more times, but the WinCollect agent does not automatically create my log source. I've attached a text file with the installation command I used, see WC_install.txt.
    2. A zip file that contains the /config and /logs directory for the WinCollect agent.

      Procedure
        1. Log in to the Windows operating system that hosts the WinCollect agent.
        2. Click Start > All Programs > Administrative tools > Services.
        3. Select the WinCollect service.
        4. Click Stop.
        5. Click Start > All Programs > Accessories > Windows Explorer.
        6. Navigate to the WinCollect installation directory. The default path is C:\Program Files\IBM\WinCollect
        7. To select multiple folders, press Ctrl and select the config and logs folders.
        8. Right-click on one of the selected folders and select Send to > Compressed (zipped) folder.

        9. Click the following URL to open a service request: http://ibm.biz/qradarsupport .
        10. Click New service request and sign in to your IBM ID, if required.
        11. Select I am having a problem with Software.
          NOTE: QRadar software team reviews all requests, even hardware related issues as verification. All QRadar tickets should be opened as software issues.
        12. Attach the log files and provide an explanation of your issue.
        13. Support will contact you using your preferred method of communication.
           


-----


Cross reference information
Product: IBM QRadar Log Manager

Document information

More support for: IBM QRadar SIEM

Component: General Information

Software version: 7.2, 7.3

Operating system(s): Linux, Windows

Software edition: All Editions

Reference #: 1626887

Modified date: 16 August 2019