AppHost Utilities

#ibm #working #troubleshooting #siem #apphost

Determining the app ID

There are a few ways to determine the app ID.

  1. Use the qappmanager support utility (/opt/qradar/support/qappmanager)
  2. Use the recon support utility (/opt/qradar/support/recon ps)
  3. Open the SOAR app from the IBM QRadar console - Admin page and take note of the app ID in the URL

Entering the container

Once you know where the plug-in is installed and you have the app ID you can enter the container.

  1. Log on to the IBM QRadar appliance as root by using SSH.
  2. Use the recon utility
 /opt/qradar/support/recon connect <app-ID>

Enabling debug

Version 3.x and 4.x are different. The steps to enable debug differ slightly depending on the version installed.

  1. Change the app.config
  2. Restart the plug-in

Version 3.x

  1. Edit the file /store/app.config
    vi /store/app.config

  1. Change

    loglevel=INFO

    to

    loglevel=DEBUG

  2. Save and close

    :wq

  3. Restart the plug-in

    pkill -9 -f "python run_circuits.py"

Version 4.x

  1. Edit the file /store/app.config

    vi /opt/app-root/store/app.config

  2. Change

    loglevel=INFO

    To

    loglevel=DEBUG

  3. Save and close

    :wq

  4. Restart the plug-in

    pkill -9 -f "python /opt/app-root/container/conf/run_circuits.py"

Version 5.x

  1. In the plug-in, check "Enable loglevel DEBUG." See Configuring the QRadar SOAR Plug-in app for further information.

With DEBUG enabled, circuits.log are rotated quickly. Reproduce the problem and gather the logs quickly.