IBM Security QRadar

  • 1.  Logs not visible in Qradar Community Edition

    Posted Tue January 05, 2021 08:29 AM
    Hi Everyone,

    I have installed QRadar Community Edition V7.3.3 and am not able to see any logs in the Log Activity tab. I am not even able to see QRadar internal logs, and when I generate sample logs through logrun.pl, it runs in the CLI but I am not able to see anything in the Log Activity tab. Kindly advise.

    Thanks,
    Panendar Rao.C

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------


  • 2.  RE: Logs not visible in Qradar Community Edition

    Posted Wed January 06, 2021 09:03 AM
    Hi,
    Have you applied the command in the flash notice? Action Required: QRadar Community Edition administrators must apply the command documented in this flash notice.
    (https://www.ibm.com/support/pages/node/6395080)
    Regards.
    Sree

    ------------------------------
    SREE ANANTHASAYANAM
    ------------------------------



  • 3.  RE: Logs not visible in Qradar Community Edition

    Posted Wed January 06, 2021 10:39 PM
    Hi,

    Yesterday, I installed QRadar V7.4.2 in my testing lab, then I started generating sample logs using logrun.pl. I am not getting any real-time logs in Log Activity. Moreover, if I query for the last 5 minutes or 1 hour, I get the error below. Please help me.


    Thanks,
    Panendar Rao.C


    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------



  • 4.  RE: Logs not visible in Qradar Community Edition

    IBM Champion
    Posted Thu January 07, 2021 05:19 AM
    PHANENDRA,
    Looks like your backend CMS is not working. Troubleshooting steps 101:
    • restart ecs process from admin GUI
    • restart webserver from admin GUI
    • systemctl status hostcontext - should be active
    • systemctl restart hostcontext - check again for error message
    • tail -f /var/log/qradar.log while running logrun.pl in 2nd shell - check for error messages
    • tail -f /var/log/qradar.error while running logrun.pl in 2nd shell - check for error messages
    • reboot (yes - sometimes it can help)
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
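The `tail -f` steps above surface errors one line at a time; when the same message repeats, a per-component count is quicker to read. The following is an added example, not part of the original posts. It assumes each log line carries a bracketed component tag and a bracketed `[ERROR]` severity tag, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count ERROR lines per component in a
# QRadar log file instead of reading `tail -f` output by eye.
# Assumption: each line has a bracketed component tag (e.g. [ecs-ec.ecs-ec])
# before a bracketed severity tag such as [ERROR].

summarize_errors() {
    # $1 = log file; prints "<count> <component>", highest count first
    awk '
        /\[ERROR\]/ {
            # the first bracketed token on the line is taken as the component
            if (match($0, /\[[A-Za-z0-9_.-]+\]/)) {
                comp = substr($0, RSTART + 1, RLENGTH - 2)
                count[comp]++
            }
        }
        END { for (c in count) print count[c], c }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines: class names and messages are made up.
make_sample_log() {
    cat <<'EOF'
Jan 26 13:40:01 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [main] com.example.Collector: [ERROR] constructed: connection refused
Jan 26 13:40:02 ::ffff:127.0.0.1 [tomcat.tomcat] [worker-1] com.example.Ui: [INFO] constructed: request served
Jan 26 13:40:06 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [main] com.example.Collector: [ERROR] constructed: connection refused
Jan 26 13:40:09 ::ffff:127.0.0.1 [hostcontext.hostcontext] [Thread-7] com.example.Host: [ERROR] constructed: handshake failed
Jan 26 13:40:11 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [main] com.example.Collector: [ERROR] constructed: connection refused
EOF
}

# Use the real log when it is readable, otherwise fall back to the sample.
log="${1:-/var/log/qradar.error}"
if [ -r "$log" ]; then
    summarize_errors "$log"
else
    tmp=$(mktemp)
    make_sample_log > "$tmp"
    summarize_errors "$tmp"
    rm -f "$tmp"
fi
```

Running it before and after a `hostcontext` restart shows whether the dominant error source changed.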



  • 5.  RE: Logs not visible in Qradar Community Edition

    Posted Mon January 25, 2021 09:58 AM
    Hi,

    I have the same problem as the original poster.

    I've downloaded and installed QRadar CE 7.3.3 (ref. https://www.ibm.com/community/qradar/ce/) by following the instructions shown in the video from Jose Bravo (ref. https://www.youtube.com/watch?v=_fltNyDIkq4).
    When the installation is finished, I don't see any logs (including the internal ones) on the "Log Activity" tab of the web console.
    I've already rebooted the server and the problem is still there.
    I've applied the command in the flash notice and the problem is still there.

    I've downloaded the QRADAR_CORE_SW_7.4.2HELML.iso file and installed an "all-in-one" VM.
    And I don't see any internal logs either after the installation is finished.

    Is there a parameter or a configuration that I need to modify, after a fresh new installation, to be able to view the internal logs?

    Regards,

    Ngoc-Thong Nguyen

    ------------------------------
    Ngoc-Thong Nguyen
    ------------------------------



  • 6.  RE: Logs not visible in Qradar Community Edition

    IBM Champion
    Posted Mon January 25, 2021 10:43 AM
    Hi,
    There is no silver bullet to be able to view internal logs. If you can't see them, there is something wrong inside your QRadar setup. Most probably a microservice is missing or in error, or communication is broken between components because of SSL key exchange issues.

    Before you install any sfs or iso files on top of your CE installation, please run through the troubleshooting steps I have outlined above. If your CE 7.3.3 install was in error it will stay there, whatever sfs patch level you install. Whether the 7.4.2 SW image helps I don't know, but my guess is it won't.

    So once again, please make sure your basic install works and has the license fix applied. However, there are 100s of errors that might occur in your basic CE install. So please make sure that CE works before applying SW images.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 7.  RE: Logs not visible in Qradar Community Edition

    Posted Tue January 26, 2021 01:42 PM
    I have already gone through the troubleshooting steps without success.
    The hostcontext process is active.
    My QRadar CE deployment seems to be OK (see attached image).


    In the qradar.error log, I have a bunch of these messages that are repeating:



    ------------------------------
    Ngoc-Thong Nguyen
    ------------------------------



  • 8.  RE: Logs not visible in Qradar Community Edition

    Posted Tue January 26, 2021 02:43 PM
    OK. I've re-applied the patch from https://www.ibm.com/support/pages/node/6395080


    Now, I can see the internal logs from the "Log Activity" tab.
    However, I don't see the "Pulse" tab anymore. I have to uninstall and re-install the Pulse app.

    ------------------------------
    Ngoc-Thong Nguyen
    ------------------------------