Useful Commands

  • Deploy changes – /opt/qradar/upgrade/util/setup/upgrades/do_deploy.pl
  • See if there is a deploy running – watch -n2 'grep -i "" /store/tmp/status/deployment.*'
  • Check the persistent queue – du -h /store/persistent_queue/
  • Check the spillover queue – du -h /store/transient/spillover/
  • Check All Folders Size – df -Th
  • View all custom rules – /opt/qradar/bin/contentManagement.pl --action search --content-type 3 --id all --regex "\w"
  • Import rules – /opt/qradar/bin/contentManagement.pl --action import --file MyExport.zip
  • View all installed applications – psql -U qradar -c "select id, name, status from installed_application;" | less
  • View All Hosts – cat /etc/hosts
  • View specific host – grep -i NAME /etc/hosts | awk '{print $1}'
  • View live events – tcpdump -nnAs0 -i any host <HOST> and port <PORT>
  • Connect to specific app – /opt/qradar/support/recon connect
  • Toggle Root Login – /opt/qradar/sudoers/bin/toggle_root_login.sh
  • Add Sudo User – /opt/qradar/sudoers/bin/add_sudo_user.sh
  • Run AQL inside the console – /opt/qradar/bin/ariel_query --ask_login --output table --query "AQL_HERE"
  • Check if events are being streamed to the EP – tcpdump -nnAs0 -i any port 514
  • Copy File From Docker Container – docker cp <containerID>:<path> <destinationPath>
  • Check Event Rate (via event processor) – watch -n 1 "/opt/qradar/support/jmx.sh -p 7777 -b 'com.q1labs.sem:application=ecs-ec.ecs-ec,type=sources,name=Source Monitor'"
  • Test connection to auto-updates server – /opt/qradar/bin/UpdateConfs.pl -testConnect 1 0
  • Validate certificates in QRadar – /opt/qradar/support/validate_cert.sh
  • Find expensive global views – /opt/qradar/support/collectGvStats.sh -s | less
  • What search is affected from expensive GV? – /opt/qradar/support/collectGvStats.sh -m
  • Check status of services – /opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
  • WinCollect Agent Review – /opt/qradar/support/WinCollectHealthCheck.sh
  • Check Deployment for issues – /opt/qradar/support/validate_deployment.sh
  • Locate Known Issues – /opt/qradar/support/defect-inspector -verbose
  • Clear tomcat cache – rm -rf /opt/tomcat/work/Catalina/localhost/console/org/apache/jsp/ (stop tomcat first, run command, start tomcat)
  • Delete a rule from the console – psql -U qradar -c "delete from custom_rule where id=XXX;" (replace XXX with the rule id)