
Carbon Black Cloud: How to fetch logs for CBC Qradar app 2.0


Environment

  • Carbon Black Cloud Web Console: All Versions
  • IBM QRadar: 7.3.3 patch level 6 and later
  • VMware Carbon Black Cloud App for IBM QRadar: 2.x

Objective

Retrieve the app's own logs in QRadar while troubleshooting an issue with the VMware Carbon Black Cloud App for IBM QRadar.

Resolution

The CBC QRadar app runs in a Docker container and keeps its own logs there, separate from the QRadar logs. To collect them:
  1. Identify the correct app container
    1. Access the QRadar appliance via SSH
    2. Run the command:
      /opt/qradar/support/recon ps
    3. A list of installed apps will appear. Find the row whose "Name" is "VMware Carbon Black Cloud" and note its App-ID (ex: qapp-1101)
    4. Run the command:
      docker ps
    5. Find the line whose "Names" field contains the App-ID from step 3 (ex: qapp-1101-asdfghjk); the container ID is the alphanumeric value at the beginning of that line
  2. Gather all logs from /opt/app-root/store/log inside the container
    1. Run the command to enter the container:
      docker exec -it <container_id> /bin/bash
    2. Browse to this location:
      cd /opt/app-root/store/log
    3. Download all logs and provide them to Support
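The two steps above can be scripted so the container lookup and the log hand-off are repeatable. The following is an added example, not part of this article or of the Carbon Black app: it assumes it runs on the QRadar console as a user who can call `docker`, parses `docker ps` output to find the container whose NAMES column starts with the App-ID, and uses `docker cp` (a standard Docker command) to pull `/opt/app-root/store/log` out of the container into a tarball instead of browsing it interactively. The `docker ps` text embedded below is constructed sample output for demonstration.

```shell
#!/bin/sh
# Added example, not from the KB article: find the CBC app container by its
# App-ID and bundle its log directory for Support.

# Read `docker ps` output on stdin and print the CONTAINER ID (first column)
# of the row whose NAMES column (last column) is exactly the App-ID or the
# App-ID followed by "-<suffix>", e.g. qapp-1101 -> qapp-1101-asdfghjk.
# Anchoring on "-" avoids matching qapp-110 against qapp-1101.
find_cbc_container() {
    app_id="$1"
    awk -v id="$app_id" 'NR > 1 && $NF ~ ("^" id "(-|$)") { print $1; exit }'
}

# Constructed sample of `docker ps` output (container IDs and names are made up).
SAMPLE_DOCKER_PS='CONTAINER ID   IMAGE              COMMAND              CREATED      STATUS      PORTS   NAMES
3f2a9c1b7d4e   qapp-1101:latest   "/bin/sh -c start"   2 days ago   Up 2 days           qapp-1101-asdfghjk
8b1c4d5e6f70   qapp-1090:latest   "/bin/sh -c start"   5 days ago   Up 5 days           qapp-1090-zxcvbnml'

# Copy the app log directory out of the container and compress it.
# Prints the path of the resulting tarball; returns non-zero on any failure.
# Assumes a writable output directory (default /store/tmp) on the console.
collect_cbc_logs() {
    container_id="$1"
    outdir="${2:-/store/tmp}"
    stamp=$(date +%Y%m%d-%H%M%S)
    workdir="$outdir/cbc-logs-$stamp"
    mkdir -p "$workdir" || return 1
    # Trailing "/." copies the directory contents rather than the directory itself.
    docker cp "$container_id:/opt/app-root/store/log/." "$workdir/" || return 1
    tar -C "$outdir" -czf "$workdir.tgz" "cbc-logs-$stamp" || return 1
    rm -rf "$workdir"
    echo "$workdir.tgz"
}

# Usage on a real console (run as: sh collect-cbc-logs.sh qapp-1101):
#   cid=$(docker ps | find_cbc_container "$1")
#   [ -n "$cid" ] && collect_cbc_logs "$cid"
# Offline demonstration against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DOCKER_PS" | find_cbc_container qapp-1101
fi
```

Hand the printed tarball to Support; nothing is changed inside the container, which is why `docker cp` is preferable to installing tools or editing files from an interactive shell.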

Additional Notes

This article is for general reference purposes.
If any difficulties arise while gathering QRadar logs, please contact IBM QRadar support for additional assistance.

Article Information
Creation Date: 12-03-2021