Note: All the commands below require access to QRadar through SSH (PuTTY), a directly attached screen and keyboard, or KVM.
- How to capture all traffic/complete communications on a particular interface of QRadar. The main interface of QRadar is almost always named eth0, and you can change it if required (this is discussed later)
tcpdump -i eth0
- How to capture data arriving at QRadar on a particular interface, filtered by port number, e.g. syslog port 514, so that all other traffic is excluded and only what arrives on 514 is dumped
- How to capture data arriving at QRadar from a specific IP address
tcpdump -n src host x.x.x.x
- How to capture data arriving at QRadar filtered by a particular IP and port at the same time
tcpdump -A -s 0 -i eth0 -n port 514 and host x.x.x.x
- How to get a verbose capture of traffic going to or coming from a specified host IP
tcpdump -n -A -s 0 src host x.x.x.x
- How to capture everything coming to QRadar from a particular host on a particular interface (I use this mostly before adding a log source to QRadar: I run the command and start working on the log source until I get results from this command)
tcpdump -npi eth0 src host x.x.x.x
- How to get the EPS of your box from the command line
log in to QRadar and
cd /var/log
tail -f qradar.log | grep 'Events per second'
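Added example, not from the original post: a small set of shell helpers that reduce the output of the grep above to the EPS numbers themselves, so the peak and the number of samples above a licensed EPS limit can be read off directly. The sample log lines and the `Events per second: N` field layout are constructed for the demo; real qradar.log lines differ, so the sed pattern is an assumption to adjust.

```shell
#!/bin/sh
# Added example, not from the original post: reduce the `grep 'Events per
# second'` output to the EPS numbers and compare them with a licensed limit.
# The sample lines and the "Events per second: N" field layout are CONSTRUCTED
# for this demo; real qradar.log lines differ, so adjust the sed pattern.

SAMPLE_LOG='Jan 10 10:00:01 ::ffff:10.0.0.5 [ecs-ec-ingress] Events per second: 2300
Jan 10 10:00:31 ::ffff:10.0.0.5 [ecs-ec-ingress] Events per second: 4800
Jan 10 10:00:32 ::ffff:10.0.0.5 [hostcontext] Disk space check OK
Jan 10 10:01:01 ::ffff:10.0.0.5 [ecs-ec-ingress] Events per second: 5200'

# eps_values: one EPS number per matching line read from stdin.
eps_values() {
    grep 'Events per second' \
        | sed 's/.*Events per second:[[:space:]]*\([0-9][0-9]*\).*/\1/'
}

# eps_peak: the highest EPS seen on stdin.
eps_peak() {
    eps_values | sort -n | tail -n 1
}

# eps_over_limit LIMIT: how many samples exceeded LIMIT (e.g. the licensed EPS).
eps_over_limit() {
    eps_values | awk -v limit="$1" '$1 > limit { n++ } END { print n + 0 }'
}

# On a console the live equivalent is:  tail -f /var/log/qradar.log | eps_values
# Demo on the constructed sample: peak EPS, then samples above 5000.
printf '%s\n' "$SAMPLE_LOG" | eps_peak
printf '%s\n' "$SAMPLE_LOG" | eps_over_limit 5000
```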
- How to generate a report on the dropped events/flows in the pipeline
log in to QRadar
cd /opt/qradar/bin
./dumpMBeanSummary.sh
- How to get real-time errors from QRadar
tail -f /var/log/qradar.error
- How to change your QRadar IP/gateway/DNS/email server IP, etc. settings
this cannot be done through SSH
connect a screen and keyboard directly to your box
log in with root credentials
/opt/qradar/bin/qchange_netsetup
- How to examine the current license of your box
cat /opt/qradar/conf/license
- How to display the serial number of the system
/opt/qradar/bin/getserial OR dmidecode | grep -i serial
- How to get all the info about your QRadar, e.g. appliance type, core version of the system, patch number, whether QRM is enabled, the IP address, whether the appliance you ran this command on is a console, the kernel architecture, information about the CPU and operating system, and whether this is an HA host or not.
/opt/qradar/bin/myver -v
- How to monitor/check disk usage on QRadar and save the result to a text file, especially in a distributed deployment with multiple managed hosts
df -h
if it has other managed hosts use
/opt/qradar/support/all_servers.sh 'df -h' > /root/disksize.txt
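Added example, not from the original post: a shell helper that reads the `df -h` text the command above collects into /root/disksize.txt and lists every filesystem at or above a usage threshold, tagged with the host it belongs to. The `host:` banner line and the df output are constructed for the demo; the real per-host banner printed by all_servers.sh is an assumption to adjust.

```shell
#!/bin/sh
# Added example, not from the original post: read the `df -h` text that the
# all_servers.sh command above collects into /root/disksize.txt and list every
# filesystem at or above a usage threshold, tagged with its host. The "host:"
# banner and the df lines below are CONSTRUCTED; all_servers.sh's real per-host
# banner may differ, so adjust the /^host: / match to whatever it prints.

SAMPLE_DF='host: console.example.internal
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        40G   12G   26G  32% /
/dev/sda5       2.0T  1.8T  120G  94% /store
host: ep1.example.internal
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        40G   30G  8.0G  79% /
/dev/sda5       2.0T  1.1T  850G  57% /store'

# disk_alerts THRESHOLD: print "host mountpoint use%" for each data line on
# stdin whose Use% is >= THRESHOLD. Header lines never match because their
# fifth field is "Use%", not a number. (Collect with `df -hP` so long device
# names do not wrap onto a second line and shift the fields.)
disk_alerts() {
    awk -v limit="$1" '
        /^host: /         { host = $2; next }
        $5 ~ /^[0-9]+%$/  { use = $5; sub(/%/, "", use)
                            if (use + 0 >= limit) print host, $6, $5 }
    '
}

# Demo: anything at 90% or more on the constructed sample.
printf '%s\n' "$SAMPLE_DF" | disk_alerts 90
```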
How to restart QRadar services
This is the most important, and also the most ignored, aspect of QRadar operations: the right order. In the real world I have seen a whole bunch of horrible things happen when the right order or sequence for starting/stopping services is not used. In the worst case those bad things have even led to rebuilding the entire system.
So for the console the order is
service tomcat stop
service hostcontext stop
service hostservices stop
To start (in reverse)
service hostservices start
service hostcontext start
service tomcat start
Brief description of these services:
- Host Context - monitors all QRadar components to ensure that each component is operating as expected.
- Tomcat - front-end web server responsible for all UI interactions.
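Added example, not from the original post: a shell wrapper around the stop/start sequence above that derives the start order by reversing the stop order and aborts at the first failing step, so a half-stopped console is noticed instead of being followed by a blind start. The service names are the page's own; the optional runner argument (defaulting to `service`) is a constructed convenience so the sequence can be rehearsed with `echo` before it is run for real.

```shell
#!/bin/sh
# Added example, not from the original post: stop and start the QRadar console
# services in the order given above, aborting at the first failed step.
# The runner argument is a constructed convenience: pass `echo` to rehearse,
# omit it to really call `service <name> <action>`.

STOP_ORDER="tomcat hostcontext hostservices"   # the page's stop order

# service_order stop|start: the stop order as written, or its reverse for start.
service_order() {
    case "$1" in
        stop)
            printf '%s\n' "$STOP_ORDER" ;;
        start)
            rev=""
            for s in $STOP_ORDER; do rev="$s${rev:+ $rev}"; done
            printf '%s\n' "$rev" ;;
        *)
            echo "usage: service_order stop|start" >&2
            return 2 ;;
    esac
}

# run_sequence stop|start [runner]: apply the action to each service in turn.
# Returns non-zero at the first step whose runner fails, leaving the rest untouched.
run_sequence() {
    action="$1"
    runner="${2:-service}"
    list=$(service_order "$action") || return $?
    for s in $list; do
        if ! "$runner" "$s" "$action"; then
            echo "$action of $s failed; stopping the sequence here" >&2
            return 1
        fi
    done
}

# restart_console [runner]: full stop, then start in reverse; a failed stop
# means no start is attempted.
restart_console() {
    run_sequence stop "$1" && run_sequence start "$1"
}

# Rehearsal: prints the six commands instead of executing them.
restart_console echo
```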
Wow, this is great info, thanks!
Thank you, and great information for people who use/manage QRadar day to day.
Thank you very much for sharing this pretty useful info!!
:D
qchange_netsetup can be done using SSH if you put -y at the end of it; it becomes
qchange_netsetup -y
This is great info, thanks...
Very helpful
Thank you for this simplified info...
Just want to check how to transfer the config backup to SFTP
Good stuff!
Bookmarked... very helpful
Thanks for the wiki....
/opt/qradar/support/all_servers.sh 'df -h' > /root/disksize.txt doesn't work. Output shows df-h command not found... on all managed hosts
Data node is generating mail traffic on port 25 to remote IPs, what could be the root of this?
Check the sendmail or postfix service; if it is running, stop it.
Hi,
I'm looking for instructions on how to wipe all the data from a Data Node remotely. Currently the Data Node I'm trying to wipe the data from is switched off. I cannot SSH into it. What are the steps I need to perform to achieve this task? I have already found this article but it's not very clear to me. https://www.ibm.com/support/pages/qradar-decomissioning-qradar-appliance
SIEM security develops a safe and secure environment for the information logs in the system and ensures that they are managed and kept secure from the multiple attacks that occur within the system.