This page gives an overview of ways to troubleshoot your app if it is not working as expected.

Review the App Logs


The apps run in Docker containers and have their own logs, separate from the QRadar logs. The QRadar logs only contain messages and errors about the container infrastructure, for example when you cannot install or cannot run the apps. For app-specific issues (can’t connect, a specific app is broken, etc.), you can log into the shell of each app container and look at its logs. Most of the apps have very decent logging that should give more insight into what is wrong and what to do next:

/opt/qradar/support/qapp_utils.py ls
Get the app_id
/opt/qradar/support/qapp_utils.py connect <app_id>
 
Once in the container, the logs are in /store/log/
/store/log/app.log is the main log for the app, which mostly logs 'live' 
calls (so when you open the UI, post a config etc)
/store/log/poll.log is the log for the poll, or background process which many apps 
contain to run searches/API calls etc in the background like a cron job.
  
You can also enable DEBUG level logs for apps once in the container.
  
For the main app UI (app.log), you can enable debug logs as follows.
This is for issues when clicking things in the UI and interacting with the app:
vi /run.py
Edit the app.run parameters to have:  debug=True
After this, the Flask web server needs to restart:
ps aux | grep run.py
kill -9 the pid for that run.py process
After this, the Flask server should automatically come back up.
If not, you can log out of the shell (exit) and run 'service qdocker restart' to 
restart all the app containers (and therefore the Flask web server)
  
For the background process (poll.log) there is a different procedure to enable debug logs. 
Use this if, for example, the app has no data or doesn't appear to be running its 
collection in the background:
vi /src_deps/init/poll.sh
Edit the line:
nohup python /app/core/poll.py -l INFO > /store/log/poll.log 2>&1
and change it to:
nohup python /app/core/poll.py -l DEBUG > /store/log/poll.log 2>&1
  
MAKE SURE TO DISABLE DEBUG LOGS AFTER YOU GET WHAT YOU NEED; THEY CAN BE VERY 
VERBOSE (they print every API call response, etc.)
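
An added example, not part of the original page or of any app's own tooling: a check to run inside the container after troubleshooting, confirming that both debug settings described above have been reverted. Flask's debug=True also turns on the Werkzeug interactive debugger, which is a further reason not to leave it set. The function names and the sample file contents are hypothetical; the default paths and the strings searched for are the ones this page says to edit.

```shell
#!/bin/sh
# Added example: report debug settings left enabled in an app container.
# Function names are hypothetical; default paths and search strings are the
# ones this page tells you to edit.

# Regex prefix: match only if the line is not a whole-line '#' comment.
NOT_COMMENT='^[[:space:]]*([^#[:space:]].*)?'

# True if the Flask entry point still passes debug=True.
flask_debug_on() {
    [ -f "$1" ] && grep -Eq "${NOT_COMMENT}debug[[:space:]]*=[[:space:]]*True" "$1"
}

# True if poll.sh still starts poll.py with "-l DEBUG".
poll_debug_on() {
    [ -f "$1" ] && grep -Eq "${NOT_COMMENT}poll\.py[[:space:]].*-l[[:space:]]+DEBUG" "$1"
}

# Print one DEBUG-ON line per setting still enabled; always returns 0.
debug_findings() {
    run_py=${1:-/run.py}
    poll_sh=${2:-/src_deps/init/poll.sh}
    if flask_debug_on "$run_py"; then
        echo "DEBUG-ON flask $run_py"
    fi
    if poll_debug_on "$poll_sh"; then
        echo "DEBUG-ON poll $poll_sh"
    fi
    return 0
}

# Write constructed sample files (not real app code) into directory $1:
# $2 = value for debug= in run.py, $3 = log level passed to poll.py.
make_sample() {
    printf 'app.run(debug=%s)\n' "$2" > "$1/run.py"
    printf '# nohup python /app/core/poll.py -l DEBUG (commented out)\n' > "$1/poll.sh"
    printf 'nohup python /app/core/poll.py -l %s > /store/log/poll.log 2>&1\n' "$3" >> "$1/poll.sh"
}

# Run inside the container with no arguments to check the real paths.
debug_findings "$@"
```

No output means neither setting was found enabled; a file that does not exist is treated as having nothing to report.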

Default Troubleshooting (can’t install, app doesn’t work etc)


These steps are useful when apps appear to be installed in an error state, do not appear at all, or cannot be created/installed.

  1. Use the api_doc endpoint and the GET on gui_app_framework to get the app_id, and see if any others are running.
  2. Have the user log into https://consoleIP, then go to https://consoleIP/api_doc
  3. Open 5.1, find /gui_app_framework, click on it, then click on /applications
  4. Scroll to the bottom and click on try it now. Get the app’s ID#
  5. Click on /{application_id}
  6. Use the DELETE endpoint to delete the app: enter the app ID# and click on try it now
  7. Check and see if there are any entries still in installed_application in psql: psql -U qradar -c "select * from installed_application;"
  8. Check for the app in the Extension Management window and, if it is there, delete it from there (just using the UI)
  9. Check and see if /store/qapp exists. If it does not, create the directory and set chown nobody:nobody on it
  10. Run: service qdocker restart
  11. Install the application again through the Extension Management window.
  12. Clear the browser cache.
  13. Now try to open/use the app

Tools


/opt/qradar/support/qapp_utils.py

Support tool for troubleshooting app extensions. You can use it to troubleshoot the Docker containers, navigate around inside a container, and execute bash commands.

qapp_utils.py <ps/ls/connect/run> <app id> <arguments>
Commands:
    ps | ls                  ::    List all active applications and appIDs.
    connect <appID>          ::    Connect to bash shell of given appID. 'exit' to quit shell.
    run <appID> <command>    ::    Run command in container shell for given appID.

 

/opt/qradar/support/get_logs.sh -a

The new “-a” parameter collects all app-framework related logs. Use it when delivering a full diagnostic to QRadar support.