IBM QRadar SOAR (formerly known as Resilient) is IBM's security orchestration, automation and response platform. The steps below describe how to collect its logs for troubleshooting.
Resilient
To collect log files for troubleshooting, for example at the request of the IBM support team, run the following command on the SOAR appliance:
resPackageLogs
This general-purpose script gathers the relevant logs and packages them into a single archive that you can hand to support.
By default, logs are pulled and stored in a single file in:
/root/res-logs-<date>_<time>.tar.gz
The script accepts several optional arguments.
Note: some options are not available in earlier versions of IBM Resilient. Run sudo resPackageLogs -h on the appliance to see the full list of options supported by your version.
App host
Logs from CLI
Log in to the App Host with ssh appadmin@<AppHost IP Address>
Navigate to the log folder by using command cd /var/log/
Check the container folder by using the command ls
To collect the integration logs, change into the containers folder with the command
cd containers/
The files that do not carry a descriptive name are the application (integration) logs, as highlighted in the image below.
Logs from UI
App-specific logs can also be downloaded from the app's configuration page, which is reached from the list of installed apps. The image below highlights the option to download the app logs.
Logs for Performance Issues
Resilient
When your team experiences performance issues with the IBM Security QRadar SOAR app, you can use the following option to capture thread dumps while the slow action is running:
sudo resPackageLogs -n 6 -d 5
This command takes 6 thread dumps, each 5 seconds apart (25 seconds in total). If the slow action takes longer than that window, increase the number of dumps with -n #, where # is the larger value desired.
For instance, -n 10 would take 45 seconds to complete.
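As an added example (not the page's or IBM's own code) that covers both the resPackageLogs collection step above and the thread-dump option just described: a POSIX shell wrapper that works out how many dumps -n must take to span a slow action, runs the collection, and verifies the resulting bundle before it is sent to support. It assumes only the -n and -d flags and the /root/res-logs-<date>_<time>.tar.gz location stated on the page; the helper names, the sample bundle name and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's tooling: wrap resPackageLogs so the thread-dump window
# covers a slow action, then verify the resulting bundle before it goes to support.
# Assumes only what the page states: -n (dump count), -d (seconds between dumps),
# and a bundle written to /root/res-logs-<date>_<time>.tar.gz.

# Thread dumps (-n) needed so that dumps taken INTERVAL seconds apart span at
# least WINDOW seconds. The first dump is taken at t=0, so N dumps cover
# (N-1)*INTERVAL seconds and N = ceil(WINDOW/INTERVAL) + 1.
# 25 s at 5 s apart gives 6, the page's default; 45 s gives 10.
dumps_for_window() {
    window=$1
    interval=$2
    echo $(( (window + interval - 1) / interval + 1 ))
}

# Newest res-logs bundle in DIR (default /root); prints nothing if there is none.
newest_bundle() {
    dir=${1:-/root}
    ls -t "$dir"/res-logs-*.tar.gz 2>/dev/null | head -n 1
}

# Confirm the bundle is a readable, non-empty gzip tar and print "<entries> <sha256>".
# Send the hash with the file so support can detect a truncated or corrupted upload.
verify_bundle() {
    bundle=$1
    [ -s "$bundle" ] || { echo "missing or empty bundle: $bundle" >&2; return 1; }
    entries=$(tar -tzf "$bundle" 2>/dev/null | wc -l | tr -d ' ')
    [ "$entries" -gt 0 ] || { echo "not a valid tar.gz: $bundle" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha=$(sha256sum "$bundle" | cut -d' ' -f1)
    else
        sha=$(shasum -a 256 "$bundle" | cut -d' ' -f1)   # macOS fallback
    fi
    echo "$entries $sha"
}

# Usage on the SOAR appliance: sh collect_soar_logs.sh <seconds the slow action takes>
# Runs only where resPackageLogs exists, so the functions can be sourced elsewhere.
if command -v resPackageLogs >/dev/null 2>&1; then
    interval=5
    count=$(dumps_for_window "${1:-25}" "$interval")
    echo "taking $count thread dumps, $interval s apart"
    sudo resPackageLogs -n "$count" -d "$interval"
    bundle=$(newest_bundle /root)
    verify_bundle "$bundle"
fi
```

Reproduce the slow action while the script is running so the dumps capture it; paste the printed entry count and SHA-256 into the support ticket alongside the archive, so a truncated upload is noticed before anyone spends time analysing it.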
Metron has experience integrating QRadar with multiple security platforms. If you are considering any custom solution, please send a note to friends@metronlabs.com.