Carbon Black Cloud: How to fetch logs for CBC Qradar app 2.0
Article ID: 291928
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Retrieve app logs in QRadar while troubleshooting an issue with VMware Carbon Black Cloud App for IBM Qradar
Environment
- Carbon Black Cloud Web Console: All Versions
- IBM QRadar: 7.3.3 patch level 6 and later
- VMware Carbon Black Cloud App for IBM QRadar: 2.x
Resolution
For logs specific to the CBC Qradar app, the app lives in a docker container and has its own logs separate from the QRadar logs
- Identify the correct app container
- Access the Qradar appliance via SSH
- Run the command:
/opt/qradar/support/recon ps
- A list of installed apps will appear. Locate the App-ID for the plug-in "Name" for "VMware Carbon Black Cloud" (ex: qapp-1101)
- Run the command:
docker ps
- Locate the container ID (alphanumeric value) at the beginning of the line that has the "Names" field that contains the "App-ID" from step 3 (ex: qapp-1101-asdfghjk)
- Gather all logs in the docker container: /opt/app-root/store/log
- Run the command to enter the container:
docker exec -it <container_id> /bin/bash
- Browse to this location:
cd /opt/app-root/store/log
- Download all logs and provide to Support
- Run the command to enter the container:
Additional Information
This article is for general reference purposes
If any difficulties arise while gathering QRadar logs, please contact IBM QRadar for additional support
If any difficulties arise while gathering QRadar logs, please contact IBM QRadar for additional support
Feedback
Yes
No
Powered by
