IBM Security QRadar

Hi,

We have integrated SentinelOne recently but it is not reporting to QRadar, so the team asking few log details but I am not able find the exact directory of the file and logs.

Please help me to get those details.

Thanks

Need the below log details

Application Log File Details

supervisord.log

• startup.log

• app.log

• connector-main.log

• connector.log

5. Run docker exec -it <CONTAINER ID> bash to connect to the container. The container stores the log files.

6. Change directories to: /opt/app-root/store/log.

7. Read the log files in real time or the current version.

tail -f <logname>.log

cat <logname>.log

8. Copy the files to the host: docker cp <CONTAINER ID>:<src-path> <local-dest-path>

Run the `recon ps` command found on the following technote to get the SentinelOne App ID.

https://www.ibm.com/support/pages/node/6189903

Example, Let's assume your SentinelOne App ID is 1204.

Then, verify if you see all the logs by listing out the log directory. (On console or on apphost you have one)

You should see all the longs in the above directory. Go ahead and create a tarball out of it.

something like that. Hope it helps.

Hi Mprabir,

Thanks for the assistance.

I am getting the below remediation for all the app IDs.

"Confirm the host ID for this app is the same as the host ID for this host. If it is, do a deploy."

Deploy also done, but getting the same error. What is the issue and how to resolve this?

Thanks

Hi,

I could not find the below files in the apphost for the specific sentinelone container folder.

connector-main.log

connector.log

Any idea about this?

Thanks