IBM QRadar FAQ

Updated 1 day ago by Elvis Hovor

This document explains how to manually install the TruSTAR App for IBM QRadar, update the app, or uninstall it. The document also covers troubleshooting and known issues. 

Manually Installing the TruSTAR App

To download the latest version (v1.0.1) of the TruSTAR App for QRadar, use this link.

  1. Navigate to the QRadar Admin tab.
  2. Click Extension Management.
  3. Click Add and select the TruSTAR App bundle from the location you downloaded it to. 
  4. Click Install Immediately, then click OK to begin the installation. 

You now see the TruSTAR App settings on the QRadar Admin page and GUI buttons for TruSTAR actions you can take.  

Updating the TruSTAR App 

After downloading the new app bundle:

  1. Navigate to the QRadar Admin tab.
  2. Click Extension Management.
  3. Click Add and select the new TruSTAR App bundle.
  4. Click Install Immediately.
  5. Click OK.

Uninstalling the TruSTAR App

To uninstall the TruSTAR App, follow these steps:

  1. Go to the QRadar Admin page.
  2. Click Extension Management.
  3. Select the TruSTAR App for QRadar application.
  4. Click Uninstall.

Troubleshooting

Q. Why don’t I see an offense in TruSTAR reporting?

A. There are two reasons why you may not see an offense:

  • If you configured the Offense Exclusion Filter with specific values and the offense matches one of those values, then that offense will not be submitted to TruSTAR. 
  • If you configured the Event Exclusion Filter and all the events associated with that offense match one of those filters, then the offense will not be submitted to TruSTAR.

Q. Why is the submitted offense missing some events in TruSTAR?

A. If you configured the Event Exclusion Filter and some of the events associated with that offense match one of those filters, then those events will not be submitted to TruSTAR.

Q. Why are some events not being submitted to TruSTAR?

A. If you configured the Event Exclusion Filter and an event matches one of those filters, that event will not be submitted to TruSTAR.

Q. Can I check the event submission logs? 

A. You can check event submission logs from the QRadar console. In the Log Activity tab, enter a Quick Filter in this format:

APP_ID/<app_id>

where <app_id> is the application ID that QRadar assigned to the TruSTAR app. In the graphic below, the APP_ID is 1051.

You can then read through the matching log events to check whether the event was submitted.

Q. I’m getting the following error message. What should I do now?

A. Work with a QRadar Admin user to execute the following procedure on the QRadar instance where the error occurred.

Note: Rebuilding the configuration file sets stops all processes that collect and process QRadar data, so this may affect other applications installed on the affected QRadar instance.

  1. Go to Admin->Advanced.
  2. Click Deploy Full Configuration. This sends a request to rebuild all configuration file sets; each QRadar host rebuilds its own configuration files and then restarts its services so that the new configuration is loaded.

Q. How do I locate my TruSTAR log files and configuration files?

A. The TruSTAR App for QRadar runs in a Docker container that is created when the app is installed and stays up afterwards. (QRadar automatically launches this container every time the QRadar main application is restarted.) Your log files and config file are located inside that container in the /store/ directory. However, since the host may be running several Docker containers (other installed apps run in containers of their own), you will need to find the TruSTAR container by listing all the Docker containers and then searching each container individually.

Listing the Docker Containers

  1. SSH into the QRadar host (your Linux user account needs sudo permission).
  2. List the running containers using this command:

sudo docker ps

Searching the Docker Containers

You must search each container to find the one with the TruSTAR files.

  1. Open a shell in the first container using this command:

sudo docker exec -it [container ID] /bin/bash

  2. Navigate to that container's /store/log/ directory and look for files that contain "trustar" in their filenames.
  3. If the container doesn't have any "trustar" files, exit that container and return to the list of containers.
  4. Choose the next container on the list, then repeat the search in that container.
  5. Continue until you locate the container with the TruSTAR files.

Make a note of the name of the Docker container that holds the TruSTAR files for future reference.
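The container search above, scripted so that it does not have to be repeated by hand. This is an added example and is not part of the TruSTAR app or its documentation. It assumes the docker CLI is on the QRadar host's PATH and usable through sudo, as in the manual steps, and that /store/log/ inside each container is where the log files live, as the FAQ states; it uses docker inspect only to recover the container name that the last step asks you to record.

```shell
#!/bin/sh
# Added example (not TruSTAR's own code): automate the manual search of the
# running Docker containers for the one that holds the TruSTAR files.
# Assumes the docker CLI is on PATH and may be run with sudo. Override
# DOCKER to run it differently, e.g. DOCKER=docker when already root.
DOCKER="${DOCKER:-sudo docker}"

# Returns 0 if container $1 has a file whose name contains "trustar"
# under /store/log/ (the location the FAQ gives), 1 otherwise.
container_has_trustar_logs() {
  # $DOCKER is deliberately unquoted so "sudo docker" splits into two words.
  $DOCKER exec "$1" sh -c 'ls /store/log/ 2>/dev/null | grep -qi trustar'
}

# Prints "<container id> <container name>" for the first running container
# that holds TruSTAR files and returns 0; prints nothing and returns 1 if
# none of the running containers has them.
find_trustar_container() {
  for id in $($DOCKER ps -q); do
    if container_has_trustar_logs "$id"; then
      # docker inspect reports the name with a leading slash; strip it.
      name=$($DOCKER inspect --format '{{.Name}}' "$id" | sed 's#^/##')
      echo "$id $name"
      return 0
    fi
  done
  return 1
}

# Run the search only when executed directly with "run" as the argument,
# so the file can also be sourced without side effects:
#   sh ./find_trustar_container.sh run
if [ "${1:-}" = "run" ]; then
  find_trustar_container || {
    echo "no running container has TruSTAR files under /store/log/" >&2
    exit 1
  }
fi
```

The script stops at the first matching container; if you have more than one TruSTAR-related app installed, drop the `return 0` to list them all.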

Q. My issue isn’t listed here. How do I collect data to work with TruSTAR support?

A. To begin the process of filing a support issue with TruSTAR, first download the workflow app logs using this procedure:

  1. Click System and License Management in the QRadar Admin panel.
  2. Select the host on which the TruSTAR workflow app is installed.
  3. Click Actions in the top panel and select Collect Log Files. This opens the Log File Collection popup window.
  4. Click Advanced Options.
  5. Select these checkboxes:
  • Include Debug Logs
  • Include Application Extension Logs
  • Include Setup Logs (Current Version)
  6. Specify the number of days in the Collect Logs for This Many Days field.
  7. Click Collect Log Files.
  8. Click "Click here to download files". This downloads all the log files as a single zip to your local machine.

You can then contact TruSTAR support to create a support case. 

Known Issues

If an event contains certain special characters, it may not be submitted to TruSTAR. Check the event submission log (see Troubleshooting above) to confirm whether a given event was submitted.

