[JSA/STRM] Logs to collect before opening a support case with JTAC


Article ID: KB14166 KB Last Updated: 17 Aug 2021 Version: 13.0
Summary:

This article provides information about the logs that are recommended to be collected before opening a JSA/STRM case with Juniper Technical Assistance Center (JTAC).

Symptoms:

What information is needed to troubleshoot JSA/STRM issues?

Solution:
 

A. Collecting log files from the CLI of JSA console

Depending on the current working directory and the version running, there are three ways to execute the script: 

  1. # /opt/qradar/support/get_logs.sh
  2. # sh /opt/qradar/support/get_logs.sh  
  3. # cd /opt/qradar/support/ and execute the script ./get_logs

If you get any errors after running the script, you can download the 6.1 version of the script and run it with the full path from any directory on any supported version of JSA. Place the tar file in /opt/qradar/support, and then follow the instructions below to decompress and run the script.

# tar zxvf get_log.tgz
# /opt/qradar/support/get_logs.sh

The get_logs.sh script gathers all the logs and data needed for review and saves a log file in one of these locations depending on the current version running:

/var/log/logs_<hostname>_<YYYYMMDD>.tar.bz2 or /store/LOGS/logs_<hostname>_<YYYYMMDD>_random-number.tar.bz2

To encrypt this log file, run the script with the "-e" option:

Example:

/opt/qradar/support/get_logs.sh -e

This saves the log file in encrypted format: /store/LOGS/logs_jsa_20190915_b7ae85e4.tar.bz2.enc

To decrypt this file, copy it to a Linux host and run:

# openssl enc -d -blowfish -in filename -out logs.tgz -pass pass:[file_date]

Example:

# openssl enc -d -blowfish -in /store/LOGS/logs_jsa_20190915_b7ae85e4.tar.bz2.enc -out logs.tgz -pass pass:20190915

Provide the tar.bz2.enc file when opening a JTAC case.
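
The decryption step above as a reusable helper, added here as an example and not part of Juniper's article or tooling: it takes the passphrase from the date in the file name, as the article's example does, and checks the result with bzip2 -t. The function names and the OPENSSL_EXTRA variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Juniper's code): decrypt a "get_logs.sh -e" archive.
# Function names and OPENSSL_EXTRA are hypothetical names chosen here.

# Shape check only: does $1 look like YYYYMMDD?
_is_yyyymmdd() {
    case "$1" in
        [12][0-9][0-9][0-9][01][0-9][0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the date field of logs_<hostname>_<YYYYMMDD>[_<random>].tar.bz2[.enc].
jsa_log_date() {
    name=${1##*/}
    case "$name" in
        logs_*_*.tar.bz2|logs_*_*.tar.bz2.enc) ;;
        *) return 1 ;;
    esac
    stem=${name%%.tar.bz2*}
    last=${stem##*_}            # random suffix, or the date when there is none
    rest=${stem%_*}
    prev=${rest##*_}            # the date when a random suffix is present
    if _is_yyyymmdd "$prev"; then printf '%s\n' "$prev"
    elif _is_yyyymmdd "$last"; then printf '%s\n' "$last"
    else return 1
    fi
}

# Decrypt $1 to $2 (default logs.tar.bz2) and verify the bzip2 stream.
decrypt_jsa_logs() {
    src=$1; dst=${2:-logs.tar.bz2}
    pass=$(jsa_log_date "$src") || { echo "no date in file name: $src" >&2; return 2; }
    # OpenSSL 1.1.0 changed the enc default digest from MD5 to SHA-256, so try
    # the local default first and then MD5. On OpenSSL 3.x Blowfish needs
    # OPENSSL_EXTRA="-provider legacy -provider default".
    for md in "" "-md md5"; do
        # $md and OPENSSL_EXTRA are left unquoted on purpose (word splitting).
        if openssl enc -d -blowfish $md ${OPENSSL_EXTRA:-} -in "$src" -out "$dst" \
               -pass "pass:$pass" 2>/dev/null && bzip2 -t "$dst" 2>/dev/null; then
            echo "decrypted $src -> $dst"; return 0
        fi
    done
    rm -f "$dst"
    echo "decryption failed: $src" >&2
    return 1
}

if [ "$#" -gt 0 ]; then decrypt_jsa_logs "$@"; fi
```

Because the passphrase is the date already visible in the file name, the -e archive from section A should be stored and transferred with the same care as the unencrypted one.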

 

B. Collecting logs from the JSA web page:

Starting from JSA 7.2.8 and later, you can collect troubleshooting logs from the JSA web page:

  1. Navigate to Admin. In the System Configuration section, click System and License Management. In the Display list, select Systems.

  2. If you have an HA-setup, click the HA host Actions > Collect Log Files.

  3. Click Advanced Options and select the options for the log file collection.

  4. Encrypted log file collections can be decrypted only by Support. If you want access to the log file collection, do not encrypt the file.

  5. Click Collect Log Files.

  6. Under System Support Activities Messages, a message indicates the status of the collection process. 

  7. To download the log file collection, wait for the "Log file collection completed successfully" notification, and click Click here to download files.


In addition to the get_logs script log file, provide the following information as well, depending on the issue:

  • For HA issues:

/opt/qradar/ha/ha.log
/opt/qradar/ha/ha.conf

  • For WebUI/Tomcat issues:

/opt/imq/var/instances/imqbroker/log/log.txt
/var/log/qradar-sql.log
/opt/tomcat5/logs/catalina.out
/opt/tomcat6/logs/catalina.out
/var/log/tomcat.log

  • For Setup issues, add the -s flag to the get_logs command:

/opt/qradar/support/get_logs.sh -s

  • For Flow issues:

/var/log/qflow.debug (for qflow related issue)

  • For DSM/VIS issue:

# rpm -qa | egrep -i dsm (if related to a DSM/Event issue) & XML export of the events in question (KB21646)
# rpm -qa | egrep -i vis (if related to a scanner issue)

  • For Hardware issues:

/var/log/messages/
tar of /store/LOGS folder

Output from the following:

# dmesg
# dmidecode

  • For License issues:

/opt/qradar/conf/license.key

  • For User Permission issues:

/opt/qradar/conf/user*.conf

Modification History:

2021: Included additional information about running the script depending on the current working directory and the version running, and what to do if there are errors 

2019-09-20: Removed commands that were applicable to older (EOL/EOS) versions of STRM

2019-07-06: Added method to collect logs from JSA webpage for versions 7.2.8 and later
