How to Fetch Logs in Your IBM Security QRadar SOAR Platform

IBM QRadar SOAR (formerly known as Resilient) is IBM's primary security response and orchestration platform. The steps below outline how to retrieve its logs when you need them for troubleshooting.

Resilient

To collect log files to help with troubleshooting at the request of the support team, you can rely on the following command:

resPackageLogs

This is a general-purpose script that gathers the relevant log files and packages them into a single archive for your troubleshooting efforts.

By default, logs are pulled and stored in a single file in:

/root/res-logs-<date>_<time>.tar.gz

When running the script, you can make use of several arguments which are entirely optional:

Option                       Result
-n, --num-thread-dumps       The number of thread dumps pulled.
-d, --thread-dump-delay      The number of seconds between each dump being created.
-s, --stats                  Gather stats. You can also run rstats.sh to gather more database info.
-l, --num-daily-logs         How many of the most recently archived daily log files are retrieved.
-r, --restart-service        Restarts the app after the collection process is completed.
-v, --verbose                Shows progress of the collection process.
-t, --target-directory       The target directory where files will be saved. If the directory does not exist, it will be created. If omitted, the default is the home directory.

Note: Some of these options are not supported by earlier versions of IBM Resilient. On Linux, run sudo resPackageLogs -h to view the full list of options available on your version.

App host

Logs from CLI

Log in to the App Host by using: ssh appadmin@<<AppHost IP Address>>

Navigate to the log folder by using the command: cd /var/log/

Check the container folder by using the command: ls

To collect the integration log, navigate to the containers folder by using the command:

cd containers/

The files without an app-specific file name are the application logs, as highlighted in the image below.
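The article does not say how to bundle the App Host container logs once you have located them, so here is an added example (not from the original article and not an IBM tool) that mirrors what resPackageLogs does on the SOAR host: it packages a log directory into a timestamped tar.gz in a target directory (created if missing) and writes a SHA-256 manifest so whoever receives the archive can confirm it was not altered in transit. The log and target directory paths are parameters; /var/log/containers is only the page's path used in the usage comment.

```shell
#!/bin/sh
# Added example: package App Host container logs with an integrity manifest.
# Usage on the App Host (paths assumed from the article):
#   package_apphost_logs /var/log/containers /home/appadmin/support
# Prints the path of the archive it created.
package_apphost_logs() {
    log_dir="$1"
    target_dir="$2"
    [ -d "$log_dir" ] || { echo "log directory not found: $log_dir" >&2; return 1; }
    mkdir -p "$target_dir" || return 1
    stamp=$(date +%Y%m%d_%H%M%S)
    archive="$target_dir/apphost-logs-${stamp}.tar.gz"
    manifest="$target_dir/apphost-logs-${stamp}.sha256"
    # Hash every regular file before archiving so the manifest describes
    # exactly what went into the tarball (paths are relative to log_dir).
    ( cd "$log_dir" && find . -type f | sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$manifest" || return 1
    tar -czf "$archive" -C "$log_dir" . || return 1
    echo "$archive"
}

# Receiving side: extract into a scratch directory and check every hash
# in the manifest. Returns non-zero if any file is missing or modified.
#   verify_apphost_logs <archive.tar.gz> <manifest.sha256>
verify_apphost_logs() {
    archive="$1"
    manifest="$2"
    work=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    ( cd "$work" && sha256sum -c --quiet "$manifest" )
    status=$?
    rm -rf "$work"
    return $status
}
```

The manifest is written beside the archive rather than inside it, so a tampered tarball cannot carry its own "correct" hashes; send both files to support and keep a copy of the manifest locally.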

Logs from UI

The app-specific logs can be fetched from the app configuration page. This page can be accessed from the app list for the installed apps. The image below highlights the option to download the app logs.

Logs for Performance Issues

Resilient

When your team experiences performance issues with the IBM Security QRadar SOAR app, you can use these options to gather more details:

sudo resPackageLogs -n 6 -d 5

This command pulls 6 thread dumps, each 5 seconds apart (25 seconds in total). If an action takes more than 35 seconds to complete, lengthen the capture window by increasing the number of dumps with -n #, where # is the larger value desired.

For instance, adjusting to -n 10 would take 45 seconds to complete.

Metron has experience integrating QRadar with multiple security platforms. If you are considering any custom solution, please send a note to connect@metronlabs.com.