- Deploy changes – /opt/qradar/upgrade/util/setup/upgrades/do_deploy.pl
- See if there is a deploy running – watch -n2 'grep -i "" /store/tmp/status/deployment.*'
- Check the persistent queue – du -h /store/persistent_queue/
- Check the spillover queue – du -h /store/transient/spillover/
- Check size and usage of all file systems – df -Th
- View all custom rules – /opt/qradar/bin/contentManagement.pl --action search --content-type 3 --id all --regex "\w"
- Import rules – /opt/qradar/bin/contentManagement.pl --action import --file MyExport.zip
- View all installed applications – psql -U qradar -c "select id, name, status from installed_application;" | less
- View All Hosts – cat /etc/hosts
- View specific host – grep -i NAME /etc/hosts | awk '{print $1}'
- View live events – tcpdump -nnAs0 -i any host <HOST> and port <PORT>
- Connect to specific app – /opt/qradar/support/recon connect
- Toggle Root Login – /opt/qradar/sudoers/bin/toggle_root_login.sh
- Add Sudo User – /opt/qradar/sudoers/bin/add_sudo_user.sh
- Run AQL inside the console – /opt/qradar/bin/ariel_query --ask_login --output table --query "AQL_HERE"
- Check if events are being streamed to the EP – tcpdump -nnAs0 -i any port 514
- Copy File From Docker Container – docker cp <containerID>:<path> <destinationPath>
- Check Event Rate (via event processor) – watch -n 1 "/opt/qradar/support/jmx.sh -p 7777 -b 'com.q1labs.sem:application=ecs-ec.ecs-ec,type=sources,name=Source Monitor'"
- Test connection to auto-updates server – /opt/qradar/bin/UpdateConfs.pl -testConnect 1 0
- Validate certificates in QRadar – /opt/qradar/support/validate_cert.sh
- Find expensive global views – /opt/qradar/support/collectGvStats.sh -s | less
- What search is affected from expensive GV? – /opt/qradar/support/collectGvStats.sh -m
- Check status of services – /opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
- WinCollect Agent Review – /opt/qradar/support/WinCollectHealthCheck.sh
- Check Deployment for issues – /opt/qradar/support/validate_deployment.sh
- Locate Known Issues – /opt/qradar/support/defect-inspector -verbose
- Clear tomcat cache – rm -rf /opt/tomcat/work/Catalina/localhost/console/org/apache/jsp/ (stop tomcat first, run command, start tomcat)
- Delete a rule from the console – psql -U qradar -c "delete from custom_rule where id=XXX;"