Troubleshooting QRadar Pulse

 

To isolate and resolve problems with QRadar Pulse, use the troubleshooting and support information.

Recovering from a Failed QRadar Pulse Upgrade

After you, as an administrator, upgrade to the latest version of QRadar Pulse, the Pulse tab might show the error message "The database version is incompatible with the application version." If it does, back up the data of both Pulse apps, uninstall and reinstall the extension, and then restore the data. QRadar Pulse is an extension that contains two apps (Pulse - Dashboard and Pulse - Threat Globe). Each app keeps its data in its own persistent storage directory under /store/docker/volumes, and each app gets a new app_id when the extension is reinstalled, which is why the backup and the restore are done per app.

  1. Use SSH to log in to your QRadar Console or the QRadar app host as the root user.
  2. To back up the Pulse - Dashboard app, follow these steps:
    1. Identify the app_id of the Pulse - Dashboard app by typing the following command:

      psql -U qradar -c "select id, name from installed_application where name ilike '%pulse.full_name%'"

    2. To create a backup of the persistent storage directory of the Pulse - Dashboard app, in the following command, replace <pulse_dashboard_app_id> with the app_id from the previous step. Ensure that you include the dot (.) at the end of the command: it makes tar store the contents of the directory relative to it, so that they extract straight into the new app's directory during the restore.

      tar -cvzf pulse-dashboard-backup-$(date +%s).tar.gz -C /store/docker/volumes/qapp-<pulse_dashboard_app_id> .

      The command creates a pulse-dashboard-backup-<epoch_timestamp>.tar.gz file in the current directory. The <epoch_timestamp> section of the name is a time stamp in epoch format.

  3. To back up the Pulse - Threat Globe app, follow these steps:
    1. Identify the app_id of the Pulse - Threat Globe app by typing the following command:

      psql -U qradar -c "select id, name from installed_application where name ilike '%Pulse - Threat Globe%'"

    2. To create a backup of the persistent storage directory of the Pulse - Threat Globe app, in the following command, replace <pulse_threat_globe_app_id> with the app_id from the previous step. Ensure that you include the dot (.) at the end of the command.

      tar -cvzf pulse-threat-globe-backup-$(date +%s).tar.gz -C /store/docker/volumes/qapp-<pulse_threat_globe_app_id> .

      The command creates a pulse-threat-globe-backup-<epoch_timestamp>.tar.gz file in the current directory. The <epoch_timestamp> section of the name is a time stamp in epoch format.

  4. Keep your SSH session open.
  5. In a web browser, log in to QRadar as an administrator.
  6. Go to Admin > Extensions Management, uninstall QRadar Pulse, and then reinstall the version that you tried to upgrade to.
  7. To restore the backup of the Pulse - Dashboard app, follow these steps:
    1. In the SSH session, type the following command to identify the new app_id of the Pulse - Dashboard app.

      psql -U qradar -c "select id, name from installed_application where name ilike '%pulse.full_name%'"

      The app_id changes when the app is uninstalled and reinstalled.

    2. Confirm that the ./pulse-dashboard-backup-<epoch_timestamp>.tar.gz file is the name of the backup file that you created in Step 2 (b).

    3. Replace <epoch_timestamp> with the time stamp in the file name and replace <new_pulse_dashboard_app_id> with the new app_id that you identified in Step 7 (a), and then run the command:

      tar -xvzf ./pulse-dashboard-backup-<epoch_timestamp>.tar.gz -C /store/docker/volumes/qapp-<new_pulse_dashboard_app_id>

    4. Replace <new_pulse_dashboard_app_id> with the app_id from Step 7 (a), and then identify the docker container_id of the Pulse - Dashboard app by running the following command:

      docker ps -a --format "{{.ID}},{{.Image}}" | grep 'qapp/<new_pulse_dashboard_app_id>:' | cut -d , -f1

    5. Restart the Pulse - Dashboard app server by replacing <pulse_dashboard_container_id> with the container_id that you identified in Step 7 (d) in the following command:

      docker exec <pulse_dashboard_container_id> bash -c 'supervisorctl restart nodejs'

  8. Restore the backup of the Pulse - Threat Globe app by following these steps.
    1. Identify the new app_id of the Pulse - Threat Globe by running the following command.

      psql -U qradar -c "select id, name from installed_application where name ilike '%Pulse - Threat Globe%'"

      The app_id changes when the app is uninstalled and reinstalled.

    2. Confirm that the ./pulse-threat-globe-backup-<epoch_timestamp>.tar.gz file is the name of the backup file that you created in Step 3 (b).

    3. Replace <epoch_timestamp> with the time stamp in the file name and replace <new_pulse_threat_globe_app_id> with the new app_id that you identified in Step 8 (a), and then run the following command:

      tar -xvzf ./pulse-threat-globe-backup-<epoch_timestamp>.tar.gz -C /store/docker/volumes/qapp-<new_pulse_threat_globe_app_id>

    4. Replace <new_pulse_threat_globe_app_id> with the app_id that you identified in Step 8 (a), and then identify the docker container_id of the Pulse - Threat Globe app by running the following command:

      docker ps -a --format "{{.ID}},{{.Image}}" | grep 'qapp/<new_pulse_threat_globe_app_id>:' | cut -d , -f1

    5. Stop the docker container for Pulse - Threat Globe by replacing <pulse_threat_globe_container_id> with the container_id that you identified in Step 8 (d) in the following command:

      docker stop <pulse_threat_globe_container_id>

      A new docker container is created automatically.

  9. Go back to QRadar, refresh the page, and verify that QRadar Pulse is working.

The following shows an example SSH session. The commands are the ones from the procedure, run with the app_ids and container_ids that the session returned (1103 and 1104 before the reinstall, 1105 and 1106 after it); the time stamps in the backup file names are shown as <epoch_timestamp>.

  [root@hostname]# psql -U qradar -c "select id, name from installed_application where name ilike '%pulse.full_name%'"
    id  |      name
  ------+-----------------
   1103 | pulse.full_name
  (1 row)

  [root@hostname]# tar -cvzf pulse-dashboard-backup-$(date +%s).tar.gz -C /store/docker/volumes/qapp-1103 .
  ./
  ./log/
  ./log/startup.log
  ./log/supervisord.log
  ./log/error.log
  ./log/access.log
  ./log/apiserver.log
  ./log/dbMigrations.log
  ./log/nginx_error.log
  ./app.db
  ./search.db
  ./appConfig.json
  ./results.db

  [root@hostname]# psql -U qradar -c "select id, name from installed_application where name ilike '%Pulse - Threat Globe%'"
    id  |         name
  ------+----------------------
   1104 | Pulse - Threat Globe
  (1 row)

  [root@hostname]# tar -cvzf pulse-threat-globe-backup-$(date +%s).tar.gz -C /store/docker/volumes/qapp-1104 .
  ./
  ./log/
  ./log/startup.log
  ./log/supervisord.log
  ./log/app.log
  ./config.p
  ./GeoLite2-City.mmdb

  [root@hostname]# ls    # UNINSTALL AND RE-INSTALL PULSE AT THIS POINT

  [root@hostname]# psql -U qradar -c "select id, name from installed_application where name ilike '%pulse.full_name%'"
    id  |      name
  ------+-----------------
   1105 | pulse.full_name
  (1 row)

  [root@hostname]# tar -xvzf ./pulse-dashboard-backup-<epoch_timestamp>.tar.gz -C /store/docker/volumes/qapp-1105
  ./
  ./log/
  ./log/startup.log
  ./log/supervisord.log
  ./log/error.log
  ./log/access.log
  ./log/apiserver.log
  ./log/dbMigrations.log
  ./log/nginx_error.log
  ./app.db
  ./search.db
  ./appConfig.json
  ./results.db

  [root@hostname]# docker ps -a --format "{{.ID}},{{.Image}}" | grep 'qapp/1105:' | cut -d , -f1
  9f182e798d7d

  [root@hostname]# docker exec 9f182e798d7d bash -c 'supervisorctl restart nodejs'
  nodejs: stopped
  nodejs: started

  [root@hostname]# psql -U qradar -c "select id, name from installed_application where name ilike '%Pulse - Threat Globe%'"
    id  |         name
  ------+----------------------
   1106 | Pulse - Threat Globe
  (1 row)

  [root@hostname]# tar -xvzf ./pulse-threat-globe-backup-<epoch_timestamp>.tar.gz -C /store/docker/volumes/qapp-1106
  ./
  ./log/
  ./log/startup.log
  ./log/supervisord.log
  ./log/app.log
  ./config.p
  ./GeoLite2-City.mmdb

  [root@hostname]# docker ps -a --format "{{.ID}},{{.Image}}" | grep 'qapp/1106:' | cut -d , -f1
  08f054b05295

  [root@hostname]# docker stop 08f054b05295
  08f054b05295
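The procedure above as one script, with the checks an operator wants around it. This is an added example, not part of the IBM documentation or of the QRadar Pulse app: it assumes the same psql query and /store/docker/volumes/qapp-<app_id> layout the procedure uses, and the two variables VOLUME_ROOT and BACKUP_DIR are the script's own assumptions, present only so it can be rehearsed against a scratch directory before it is run as root on the Console or App Host.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure: the backup and restore steps as
# one script with the checks an operator wants before touching /store.
# Assumptions: the same psql query and /store/docker/volumes/qapp-<app_id>
# layout the procedure uses. VOLUME_ROOT and BACKUP_DIR exist only so the
# script can be rehearsed against a scratch directory before it is run as root
# on the Console or App Host.
set -eu

VOLUME_ROOT="${VOLUME_ROOT:-/store/docker/volumes}"
BACKUP_DIR="${BACKUP_DIR:-.}"

# Read ids on stdin (one per line, as "psql -At" prints them) and echo exactly
# one. Zero or several matches abort, so a loose name pattern can never select
# another app's volume for backup or, worse, for restore.
single_id() {
    ids=$(grep -E '^[0-9]+$' || true)
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one app id, got $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# App id of a Pulse app, by the same case-insensitive name pattern the
# procedure uses ('pulse.full_name' for the dashboard, 'Pulse - Threat Globe').
pulse_app_id() {
    psql -U qradar -At -c \
        "select id from installed_application where name ilike '%$1%'" | single_id
}

# Archive the app's persistent volume as <prefix>-backup-<epoch>.tar.gz (the
# trailing "." stores paths relative to the volume, as in the procedure) and
# read the archive back before reporting its name, so a truncated or
# unreadable backup is caught while the original data still exists.
backup_app_volume() {
    app_id=$1; prefix=$2
    src="$VOLUME_ROOT/qapp-$app_id"
    [ -d "$src" ] || { echo "no app volume at $src" >&2; return 1; }
    out="$BACKUP_DIR/$prefix-backup-$(date +%s).tar.gz"
    tar -czf "$out" -C "$src" .
    tar -tzf "$out" >/dev/null
    printf '%s\n' "$out"
}

# Unpack an archive into the volume of the reinstalled app, whose id differs
# from the one that was backed up. Refuses a missing destination rather than
# creating it, which is what a mistyped id or an unfinished reinstall looks like.
restore_app_volume() {
    archive=$1; new_app_id=$2
    dst="$VOLUME_ROOT/qapp-$new_app_id"
    [ -f "$archive" ] || { echo "no archive at $archive" >&2; return 1; }
    [ -d "$dst" ] || { echo "no app volume at $dst" >&2; return 1; }
    tar -xzf "$archive" -C "$dst"
}

# Container id of a QRadar app, matched on its image name qapp/<app_id>:<tag>.
app_container_id() {
    docker ps -a --format '{{.ID}},{{.Image}}' | grep "qapp/$1:" | cut -d , -f1
}

# Usage (as root): "backup" before the uninstall; after the reinstall,
# "restore-dashboard <archive> <new_app_id>" and "restore-globe <archive> <new_app_id>".
case "${1:-}" in
    backup)
        backup_app_volume "$(pulse_app_id 'pulse.full_name')" pulse-dashboard
        backup_app_volume "$(pulse_app_id 'Pulse - Threat Globe')" pulse-threat-globe
        ;;
    restore-dashboard)
        restore_app_volume "$2" "$3"
        docker exec "$(app_container_id "$3")" bash -c 'supervisorctl restart nodejs'
        ;;
    restore-globe)
        restore_app_volume "$2" "$3"
        docker stop "$(app_container_id "$3")"   # QRadar recreates the container
        ;;
esac
```

Run backup before the uninstall in Step 6, keep the two archive names it prints, and after the reinstall run restore-dashboard and restore-globe with the new app_ids from Steps 7 (a) and 8 (a). The exactly-one-match check matters because the name patterns are ILIKE substrings: a pattern that matched two rows would otherwise silently pick whichever id psql printed first. Reading each archive back with tar -t is the cheapest proof that a backup is usable, and it is the last moment that proof is cheap, because the restore targets a fresh volume under a new app_id.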

How do I Get the Log Files to Analyze?

Specific diagnostic logs are stored in the log directory of the app's persistent storage volume, /store/docker/volumes/qapp-<app_id>/log, where <app_id> is the id of the app in the installed_application table (the psql query in the upgrade-recovery procedure returns it). The Pulse - Dashboard app writes the following files there; the Pulse - Threat Globe app keeps its own startup.log, supervisord.log and app.log in the same layout.

  Log file          Description
  ----------------  ---------------------------------------------------------------------------
  access.log        Logs all API calls and their return status.
  apiserver.log     The main log file for information and error messages.
  nginx_error.log   Error log of the Nginx server for QRadar Pulse.
  startup.log       Messages from the deployment script (install/upgrade) of the app, including the configuration settings.
  supervisord.log   Messages from the supervisor that tracks the QRadar Pulse processes.
  dbMigrations.log  Present only if you upgraded from a QRadar Pulse version older than V2.1.3; records the upgrade of the database from the previous version to the installed version.

To collect these log files through the QRadar user interface, follow these steps:

  1. On the Admin tab, click System and License Management.
  2. Select Systems from the Display list, and then select the relevant QRadar Console or App Host.
  3. Click Actions > Collect Log Files.
  4. On the Log File Collection page, click Advanced Options, and then select the Include Application Extension Logs check box.
  5. Choose the number of days to collect the logs, and click Collect Log Files.
  6. Download the log files when they're ready by clicking the link in the message that displays in the System and License Management page.

Can't See Data in Dashboard Items

Depending on the type of chart, you can try several options to troubleshoot the problem.

  1. To troubleshoot items that use AQL as the data source, try the following suggestions:
    1. Make sure that your AQL statements work properly.

    2. Dashboard items on the Event and flow metrics dashboard use parameters that must contain values to properly display data. Add values to the parameters or replace the placeholders for IP addresses for the console and managed host.

    3. The Ariel server might be temporarily unavailable or offline. Wait for it to come back online and run the AQL queries again.

    4. Go to the Log Activity or Network Activity tab and run the AQL search there first, where you get auto-completion and error messages. If you're satisfied with the results, copy and paste the statement into the Query section in QRadar Pulse.

    5. Make sure you're using the current version of the templates. For information about how to download templates, see Installing the QRadar Pulse App.

    6. If your AQL query contains a string comparison similar to the following example, the dashboard item returns no data, because QRadar Pulse converts the AQL string to lowercase before it runs the query, and a case-sensitive comparison with a mixed-case log source name no longer matches.

      select logsourceid, logsourcename(logsourceid), category, categoryname(category) from events where logsourcename(logsourceid) = '<a log source on your system>' last 15 minutes

      As a workaround, use the case-insensitive ILIKE operator instead of =. Another workaround is to edit the AQL query in the Log Activity or Network Activity tab.

  2. To troubleshoot items that use offenses as the data source, go to the Offenses tab and make sure that QRadar is receiving offenses from your network.

DNS Analyzer Dashboard Doesn't Appear in QRadar Pulse

To see the QRadar DNS Analyzer dashboard displayed in QRadar Pulse, both apps must be installed on the same Console. Update your QRadar Pulse templates so that the QRadar DNS Analyzer dashboard template appears.

  1. From the dashboard, expand the dashboard list and click New Dashboard > Templates.
  2. On the Browse Templates page, click Update for the QRadar DNS Analyzer dashboard template.
  3. Click Back to Dashboard and refresh the browser.

Can't See External IPs on the Threat Globe Dashboard

You can't see external IPs on the Threat Globe dashboard, but you can see events that are sourced from the default location defined within the QRadar Pulse app.

Internal IPs are displayed at the default location defined in the Threat Globe Configuration page. If you can’t see events sourced from external IPs, you must decompress the MaxMind city database before you upload it to the QRadar Pulse app. Decompress the tar.gz file, and then browse to its location to upload the *.mmdb file to QRadar Pulse. The database maps IP addresses to geographic locations.

For more information, see Configuring the Threat Globe dashboard.

Offenses Don't Appear on the Threat Globe Dashboard

By default, there is a 10-minute (600 seconds) delay from when QRadar collects an offense to when it is displayed in the Threat Globe dashboard.

The Threat Globe dashboard's filtering is not based on whether an offense is active or inactive. Instead, it shows open offenses with events that fall within an approximate 15-minute time frame after a real-time delay of approximately 10 minutes. You can customize the length of time of the real-time activity on the Threat Globe Configuration page. For more information, see Configuring the Threat Globe dashboard.