IBM Security QRadar

 View Only

QRadar App Management - support utilities, CLI, API - need-to-know

By Ralph Belfiore posted Mon December 28, 2020 08:18 PM

  

During the course of my troubleshooting experience i had to be aware of some “utility changes” regarding to app extension management and monitoring.
According to the applied Release of QRadar and deployment scenario (AiO / Apphost as a managed host), you’ll have to keep in mind some improvements/changes of available “support utilities” or CLI commands.

For those who haven’t yet found a summary list or have been updated already their bookmarks with helpful links regarding to this subject, here an offer of consolidated information, helpful support links, commands and “utility changes” just in case..

In case of investigation a status of an app, starting/stopping an app, updating an app there a some details to consider. For example, in Release 7.3.x you needed to remember the following psql command with many options in CLI to display app id, name, status, version and more context of the applied apps running on the CONSOLE:

psql command to show status and context of applied apps

Starting with the Qradar Assistant App Release 3.0 (current release is 3.2.1) as an admin you can use also the assistant app to comfortable handle and maintain apps over the UI using the "Manage" Button:

Overview - how to manage apps with assistant app


Further information about the assistant app will be found here:
Assistant App Features

To investigate the status of apps on an APPHOST with Release 7.3.x you could use so far the following cli command to get the following output displayed:

- /opt/qradar/support/recon ps

recon ps disapeared with 7.4.1FP2

The recon ps command disappeared for example with 7.4.1FP2! At the latest from this release you’ll have to be aware about the qappmanager support utility (details stated below). Similar context will be called for example in Release 7.4.1FP2 by the following commands:

- docker images
- docker ps

docker ps and docker images context information

The qappmanager utility was introduced with QRadar Release 7.4.0. The current status and helpful context of applied apps now can be shown with the new support tool.
It has to be executed from the CONSOLE and provides many options to maintain, start, stop, delete or create new instances of apps:

- /opt/qradar/support/qappmanager

qappmanager utility introduced with Release 7.4.0

Further support information about the qappmanager support utility will be found here:
qappmanager utility

Finaly in rare cases, in cases of scripting or integration with other systems you can use the API as well. It's well documented and for example straight forward to start or stop an app using the API:

RUNNING or STOPPED App using API

Using the "Try Button":

Try it out button


So concluding for me, it’s exiting to chase the continuous enhancements of QRadar and specifically the app management stuff. The support utilities to manage apps are more and more easily operated supporting app extension management.



#Highlights
#Highlights-home
#QRadar
0 comments
1778 views

Permalink