Health check IBM QRadar v7.5

This cheat sheet provides a reference for performing health checks on IBM QRadar SIEM version 7.5. It covers when and why to run checks (e.g. before upgrades or when issues arise) and outlines the node scope (Console, App Host, Event Processors, etc.), noting any unspecified IPs.

All health checks

Run all health checks on the current host (Console or App Host) using the drq command:

drq

The command output provides failures and suggests remediation actions.

Run a comprehensive config/validate on all appliances using:

/opt/qradar/support/all_servers.sh -CV

• -C -> run command on all hosts
• -V -> validate configuration

This checks all nodes and prints availability + load + version.

You can also execute drq on all nodes in the deployment:

/opt/qradar/support/all_servers.sh -C drq

Service problems

QRadar uses Tomcat as the UI server. Check status and restart if needed:

systemctl status tomcat
systemctl restart tomcat

There are also important services like hostcontext, hostservices, qflow, podman, ecs-ec-ingress, ecs-ec, ecs-ep. All of them should be active. Check status:

systemctl status hostcontext hostservices ecs-ec-ingress ecs-ec ecs-ep qflow podman --no-pager

Logs check

Use /opt/qradar/support/defect-inspector.sh to scan log files for known issues, APARs, or defects. By default it scans /var/log/qradar.error.

Applications problem

Show the status of installed applications:

psql -U qradar -c "select id,name,status,task_status from installed_application_instance;"

Disk space and CPU issues

Use:

free -h
df -h
top

Deployment validation

Validate the deployment:

/opt/qradar/support/validate_deployment

WinCollect health is also matter!

IBM provides ready to use script to validate WinCollect health.

/opt/qradar/support/WinCollectHealthCheck

Common problems

1. /var partition is full.

   find /var -xdev -type f -size +100M | ls -lh
   df -h / /store /var/log

2. HA problems.

   /opt/qradar/support/ha_diagnosis.sh

3. UI problems.

   /opt/qradar/support/all_servers.sh -CVA
   systemctl restart tomcat
   systemctl restart traefik
   systemctl restart hostcontext
   systemctl restart hostservices

4. Applications issues.

   /opt/qradar/support/qappmanager

Suggested troubleshooting flow

1. Run drq to identify issues.
2. Check services status.
3. Verify disk and memory usage.
4. Validate deployment.
5. Investigate logs.

Logs locations

• QRadar system logs: /var/log/qradar.log, /var/log/qradar.error
• Tomcat logs: /var/log/tomcat/ (e.g. catalina.out, qradar.log under webapps)
• Setup/installation logs: /var/log/setup/ (fix pack or ISO install logs)
• Deployment config: /opt/qradar/conf/deployment.xml
• UI files: /opt/tomcat/webapps/console directory and console.war

Summary

🧾 Commands Summary