IBM QRadar: Main Commands and Files

Revision as of 18:13, 25 March 2025 by Ebasso

Main files

The default installation lives in the following directory:

/opt/qradar/
|- bin/
|  |- ariel_query                     -> Run an Ariel query from the command line.
|  |- apply_appliance_tunings.pl      -> Apply appliance tuning settings
|  |- logrun.pl                       -> Send logs to QRadar
|  |- qchange_netsetup                -> Change the IP address, DNS, ...
|- conf/
|  |- nva.conf                        -> One of QRadar's main configuration files
|- support/
|  |- deployment_info.sh -FO          -> Identify your firmware version
|  |- get_logs.sh -S                  -> Get application logs. Add -S to get setup logs
|  |- qappmanager                     -> Verify the status of all apps
|  |- recon                           -> Connect to the container running an application: "recon connect <id>"
|  |- threadTop.sh                    -> Thread-level, top-like command for QRadar applications
|  |- validate_deployment.sh          -> Pretests/review before you start a QRadar software update
|- upgrade/
|  |- util/
|  |  |- setup/
|  |  |  |- upgrades/
|  |  |  |  |- do_deploy.pl           -> deploy events for
/store                                -> Used as the directory for the DB, config and deployment files, and all stored event and flow data.

Commands

Run a command on all QRadar servers

/opt/qradar/support/all_servers.sh -k df -h /root /var/log | tee diskcheck.txt 

ariel_query

Run an AQL query directly from the command line

ariel_query --no-verify -u admin --output table --query "select QIDNAME(QID) from EVENTS limit 10"

System Notifications

  • 38750033 / 38750035 - Unable to execute a backup request notifications
  • 38750055 / 38750004 - Memory notifications
  • 38750056 - TX Sentry long transaction notifications
  • 38750058 / 38750043 - Process stopped notifications
  • 38750060 / 38750061 - Performance or event pipeline degradation notifications
  • 38750080 / 38750081 - HA active or HA standby failure system notifications
  • 38750085 - Data replication experiencing difficulty notifications
  • 38750092 - Disk Sentry notices for unavailable storage partitions
  • 38750098 - Backup notifications
  • 38750110 / 38750111 - Disk failure system notifications
  • 38750129 - Time synchronization system notifications
  • 38750140 - RAID controller misconfiguration notifications

See also