How to DO QRadar!


Note: All the commands below require access to QRadar through SSH (e.g. PuTTY), or directly via a screen and keyboard, or a KVM.


  • How to capture the complete traffic passing through a particular interface of QRadar. The main interface of QRadar is almost always named eth0; you can change it if required (this will be discussed later).

tcpdump -i eth0


  • How to capture data arriving at QRadar on a particular interface, filtered by port number, e.g. the syslog port 514, so that all other traffic is excluded and only what comes in on 514 is dumped

tcpdump -i eth0 port 514


  • How to capture data arriving at the QRadar box from a specific IP address

tcpdump -n src host x.x.x.x


  • How to combine the above: capture data arriving at QRadar from a particular IP and on a particular port at the same time

tcpdump -A -s 0 -i eth0 -n port 514 and host x.x.x.x


  • How to get a verbose capture of the traffic going to or coming from a specified host IP

tcpdump -n -A -s 0 src host x.x.x.x


  • How to capture everything coming to QRadar from a particular host on a particular interface (I use this mostly before adding a log source to QRadar: I run the command and start working on the log source until I see results from this command)

tcpdump -npi eth0 src host x.x.x.x
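The tcpdump one-liners above all run until interrupted and print to the terminal, which is fine for a quick look but awkward when you want to keep evidence that a new log source really is sending to port 514. The wrapper below is an added example, not from the original post: it validates the source IP before it reaches the filter, caps the capture with `-c` so the command terminates on its own, and can write a pcap file for later analysis. The interface name, port, host and output path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around the
# tcpdump forms listed above. Interface, port, host and file are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    # Shape check first: four decimal groups separated by dots.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Range check on each octet.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the tcpdump command line for "everything from HOST on PORT via IFACE".
# Usage: build_capture_cmd IFACE PORT HOST [COUNT] [OUTFILE]
build_capture_cmd() {
    iface=$1; port=$2; host=$3; count=${4:-200}; outfile=${5:-}
    is_ipv4 "$host" || { echo "build_capture_cmd: bad IPv4 address '$host'" >&2; return 1; }
    # -n: no DNS lookups (keeps the capture quiet and fast)
    # -p: do not put the interface into promiscuous mode
    # -s 0: full snaplen, so syslog payloads are not truncated
    # -c: stop after COUNT packets instead of running forever
    cmd="tcpdump -npi $iface -s 0 -c $count"
    if [ -n "$outfile" ]; then
        cmd="$cmd -w $outfile"   # write raw packets for later analysis (Wireshark etc.)
    else
        cmd="$cmd -A"            # otherwise print payloads as ASCII on the terminal
    fi
    echo "$cmd port $port and src host $host"
}

# Run the capture. Set DRY_RUN=1 to only print what would be executed.
capture_from_host() {
    cmd=$(build_capture_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        # Word-splitting of $cmd is intended here: it holds the full argv.
        $cmd
    fi
}

# Example call with placeholder values: 100 syslog packets from 10.0.0.5 on eth0,
# saved to a file. Remove DRY_RUN=1 to actually capture (needs root).
# DRY_RUN=1 capture_from_host eth0 514 10.0.0.5 100 /root/ls-10.0.0.5.pcap
```

Run it with `DRY_RUN=1` first to see the exact filter it will apply; the `src host` filter only shows packets from the log source, so a reply-less stream is expected when checking a UDP syslog sender.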


  • How to get the EPS of your box from the command line

Log in to QRadar and run:
cd /var/log
tail -f qradar.log | grep 'Events per second'


  • How to generate a report on the dropped events/flows in the pipeline

Log in to QRadar and run:
cd /opt/qradar/bin
./dumpMBeanSummary.sh


  • How to get real-time errors from QRadar

tail -f /var/log/qradar.error


  • How to change your QRadar IP/gateway/DNS/email server IP and similar settings

This cannot be done through SSH.
Connect a screen and keyboard directly to your box,
log in with root credentials and run:
/opt/qradar/bin/qchange_netsetup


  • How to view the current license of your box

cat /opt/qradar/conf/license


  • How to display the serial number of the system

/opt/qradar/bin/getserial
or
dmidecode | grep -i serial


  • How to get all the information about your QRadar system, e.g. the appliance type, core version, patch number, whether QRM is enabled, the IP address, whether the appliance you ran the command on is a console, the kernel architecture, CPU and operating system details, and whether this is an HA host

/opt/qradar/bin/myver -v


  • How to monitor/check the disk usage of QRadar and write the result to a text file, especially in a distributed deployment with several managed hosts

If it is a standalone deployment you may use
df -h
If it has other managed hosts use
/opt/qradar/support/all_servers.sh 'df -h' > /root/disksize.txt
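Collecting `df -h` from every managed host into one file is only half the job; on a busy deployment nobody reads that file until /store is already full. The script below is an added example, not part of the original post: it parses POSIX-format `df -P` output (which is easier to parse reliably than `df -h`) and prints every filesystem at or above a threshold, so the collected file can be checked by a cron job rather than by eye. The sample df rows are constructed for the example and are not real appliance output; the regex checks also skip the host banners that all_servers.sh mixes into its output, which is an assumption about that output's shape.

```shell
#!/bin/sh
# Added example (not part of the original post): turn collected df output into
# an alert list. Reads "df -P" style output from stdin.

# Usage: df_over_threshold PERCENT < df_output
# Prints "<mount> <use%>" for each filesystem at or above PERCENT.
df_over_threshold() {
    threshold=${1:-85}
    # In df -P output $5 is "Capacity" (e.g. 91%) and $6 is the mount point.
    # Only lines that look like a df row are considered, so the header line
    # and any per-host banner lines from all_servers.sh are ignored.
    awk -v limit="$threshold" '
        $5 ~ /^[0-9]+%$/ && $6 ~ /^\// {
            pct = substr($5, 1, length($5) - 1) + 0
            if (pct >= limit) print $6, $5
        }'
}

# Return 0 (healthy) when nothing is over the threshold, 1 otherwise,
# printing the offending filesystems so the caller can mail or log them.
df_check() {
    hits=$(df_over_threshold "$1")
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}

# Constructed sample in the shape "df -P" prints (not real appliance output).
SAMPLE_DF='Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda2         51475068  19087412  29750168      40% /
/dev/sda5        412540280 385111684  27428596      94% /store
/dev/sda6         20511356  18560120   1951236      91% /store/transient
/dev/sda1           487652    121212    336236      27% /boot'

# Example run against the constructed sample (flags /store and /store/transient):
# printf '%s\n' "$SAMPLE_DF" | df_over_threshold 85
#
# Against a real deployment, collect with -P and pipe the file through the check:
# /opt/qradar/support/all_servers.sh 'df -P' > /root/disksize.txt
# df_check 85 < /root/disksize.txt
```

Keep the threshold below the point at which QRadar's own disk-sentry starts stopping services, so the check warns before the appliance protects itself.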

How to restart QRadar services

This is the most important, and most ignored, aspect of QRadar operations: the right order. In the real world I have seen a whole bunch of horrible things happen when the right order or sequence for starting/stopping services is not used. In the worst case those bad things have even led to rebuilding the entire system.

So for a console the order to stop is:
service tomcat stop
service hostcontext stop
service hostservices stop

To start (in reverse):
service hostservices start
service hostcontext start
service tomcat start

Brief description of these services:
  1. Host Context - Monitors all QRadar components to ensure that each component is operating as expected.
  2. Tomcat - frontend web-server responsible for all UI interactions.
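Typing the six `service` lines by hand is exactly where the ordering mistakes described above creep in, usually when someone starts the next service before the previous one has finished stopping. The helper below is an added example, not part of the original post: it encodes the console stop order and its reverse, waits for each service to report the expected state before moving on, and aborts the sequence instead of starting the next service on top of a failed one. It assumes `service NAME status` exits 0 when the service is running, and it only covers the console order given on this page, not managed hosts.

```shell
#!/bin/sh
# Added example (not part of the original post): restart the console services
# in the order given above, verifying each step before the next.

# Order to stop on a console: UI first, then the context, then the base services.
STOP_ORDER="tomcat hostcontext hostservices"
# Start is the exact reverse.
START_ORDER="hostservices hostcontext tomcat"

# Wait up to $2 seconds for "service $1 status" to report the wanted state ($3 is
# "up" or "down"). Assumes status exits 0 when running. Returns 1 on timeout.
wait_for_state() {
    svc=$1; timeout=${2:-120}; want=$3; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if service "$svc" status >/dev/null 2>&1; then state=up; else state=down; fi
        [ "$state" = "$want" ] && return 0
        sleep 2; elapsed=$((elapsed + 2))
    done
    echo "timeout waiting for $svc to be $want" >&2
    return 1
}

# Stop in order; a service that will not stop aborts the sequence so the
# remaining ones are left running rather than half torn down.
stop_console_services() {
    for svc in $STOP_ORDER; do
        echo "stopping $svc"
        service "$svc" stop || return 1
        wait_for_state "$svc" 120 down || return 1
    done
}

# Start in reverse order; do not start the next service on top of a broken one.
start_console_services() {
    for svc in $START_ORDER; do
        echo "starting $svc"
        service "$svc" start || return 1
        wait_for_state "$svc" 300 up || return 1
    done
}

restart_console_services() {
    stop_console_services && start_console_services
}

# Usage (as root on the console):
# restart_console_services
```

The timeouts are generous on purpose: hostcontext can take a while to flush on a loaded console, and a restart script that gives up early is worse than one that waits.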

16 comments:

  1. wow this is great info, thanks!

  2. Thank you, and great information for people who use/manage QRadar day to day.

  3. thank you very much for sharing this pretty useful info!!

    :D

  4. qchange_netsetup can be done using SSH if you put -y at the end of it; it becomes

    qchange_netsetup -y

  5. this is great info thanks...

  6. Thank you for this simplified info...

  7. Just want to check how to transfer the config backup via SFTP

  8. /opt/qradar/support/all_servers.sh 'df -h' > /root/disksize.txt doesn't work. Output shows "df-h command not found" on all managed hosts

  9. Data node is generating mail traffic on port 25 to remote IPs; what could be the root of this?

    Replies
    1. Check the sendmail or postfix service; if it is running, stop it.

  10. Hi,

    I'm looking for instructions on how to wipe all the data from a Data Node remotely. Currently the Data Node I'm trying to wipe the data from is switched off. I cannot SSH into it. What are the steps I need to perform to achieve this task? I have already found this article but it's not very clear to me. https://www.ibm.com/support/pages/qradar-decomissioning-qradar-appliance

  11. SIEM security develops a safe and secure environment for the information logged in the system and ensures that it is managed and that it is secure and safe from the multiple attacks that occur within the system.
