Fetching Logs for a QRadar App

Facing issues with a QRadar app?

Did you know that you can fetch the application logs? This will allow you to investigate and see if there were any errors encountered while running the application.

The steps to fetch the application logs are as follows:

SSH into the QRadar server

ssh root@<qradar-server-ip-address>

List the app containers on the server

The command to do this is docker ps
This will return a list of app containers that are running:

CONTAINER ID        IMAGE                                                         COMMAND                  CREATED             STATUS              PORTS                     NAMES
f6159fb680e5        console.localdeployment:5000/qapp/1002:2.5.2-20200923134217   "sh /start_container…"   27 minutes ago      Up 27 minutes       0.0.0.0:32771->5000/tcp   qapp-1052-PmbKpt5j
37b9eead2f62        console.localdeployment:5000/qapp/1001:5.0.1-20200923133744   "sh /start_container…"   27 minutes ago      Up 27 minutes       0.0.0.0:32770->5000/tcp   qapp-1051-JI5Q6yyn
dd23c96237d2        console.localdeployment:5000/qapp/1005:2.0.0-20200923135340   "sh /start_container…"   27 minutes ago      Up 27 minutes       0.0.0.0:32769->5000/tcp   qapp-1055-meawtxWa

Find the application ID of your app

If you already know the application id of your application, you can skip this step. If you do not know it, click on the QRadar sidebar on the left, then click on Interactive API for Developers.
Once there, click on gui_app_framework, then applications, and finally, the Try it out button towards the bottom.

View logs in the container

Find the container ID corresponding to your app id. Use the following command to log in to the Docker container:
docker exec -it <container_id> /bin/bash

Once inside the container, the logs are available in /store/log. You can view them with a command like less /store/log/startup.log.

Make a note of all the log files created by the application.

Copy logs to the QRadar server

If you want to send the app logs to the app developer, you will have to copy them to the QRadar server. To do this,

  1. Log out of the app container if you are inside it.
  2. From the QRadar server, copy the logs from the container with the command
    docker cp <container_id>:/store/log/<logfilename> ./
  3. Once you have all the logs on your QRadar server, you can scp them to your local machine.

There you have it. These steps should have been able to help you troubleshoot your application. However, if you or your team is still running into issues, feel free to contact us at connect@metronlabs.com. Our team may be able to help.