QRadar is IBM's premier enterprise security information and event management (SIEM) product. As a network security management platform, it collects data from your network devices, host activities, operating systems (OS), integrated applications, and more. It primarily serves to provide situation awareness within your ecosystem and provide compliance support and vulnerability assessment.

In the post below, we detail two different methods of extracting your log files from the platform.

First Method: How to Fetch QRadar logs from the user interface (UI)

The simplest and most user-friendly way of fetching your log files is to do so through the platform's robust UI.

To begin:

1) Click on the Admin tab and then Select the System & Licence Management Icon.

2) Select the QRadar installation that you want to fetch your logs from. If you have multiple applications be sure to double-check that it is the correct installation.

Note: You can retrieve logs from multiple applications if you so choose. You can do this by using Shift + click or Ctrl + click. The default, if no apps are selected, is to pull them from the QRadar console.

3) Next, go to the Actions drop-down and select the option for "Collect Log Files".

4) In the prompt, you can then click the "Collect Log Files" button.

Note: If you are experiencing issues with your application, you can select some of the options here. These can include the Debug Logs and the Setup Logs, among other options. Normally, doing so is only necessary when advised by the QRadar support team when you are in the midst of troubleshooting.

5) After the application is done collecting your log files, the message will change, giving you the prompt to download them. Click on the "click here to download file" hyperlink to complete the process.

Second Method: How to collect your QRadar logs from the command line interface

Your logs can also be collected through the command line access. However, root access is required. In any event, the command line access should be considered a backup method for fetching your logs when the UI is not available or if you are experiencing issues with it.

To begin:

1) Log into the Console application as the root user using SSH.

2) Enter the following command:

/opt/qradar/support/get_logs.sh

Note: After you enter the command above, you will be notified that the log was created along with its name and location - with the location always being in the /store/LOGS/ directory.

3) Copy the tar.bz2 file to any system that has external network access in order to upload your log file where it is needed.

Metron has experience integrating QRadar with multiple security platforms. If you are considering any custom solution, please send a note to connect@metronlabs.com.