Commands
Monitor the QUEUE
/opt/qradar/support/queueMonitor.sh
Monitor expensive rules
/opt/qradar/support/findExpensiveCustomRules.sh
Monitor the number of TCP syslog sockets used for collection (may be something else)
netstat -a | grep ESTABLISHED | grep PYAF23.inetpsa.co:shell | wc -l
Large files
df -h
all hosts at once:
/opt/qradar/support/all_servers.sh -C "df -Th"
1-level folders by size
du -Pshx /* 2>/dev/null
List the largest files
find /partition/with_space_issues/ -xdev -type f -ls | sort -k 7 -r -n | head -20
Offending file
3 GB /opt/qradar/conf/iptables.d/nat.post/appfw_nat
Resolution: purge the file
zgrep -i "not currently accessible" /var/log/qradar.old/qradar.log.*
When /opt gets too full, all services stop. IMQ as well (and it creates a lock file).
Once space has been freed, delete /opt/openmq/mq/var/instances/imqbroker/lock
Log sources over TCP or UDP?
netstat -a | grep -i -P '<EP_HOSTNAME>\S+[\t\s]+\d+' | awk -F ' ' '{print $1 ":" $5 ":" $6}' | awk -F ':' '{print $1 "\t" $2 "\t" $3 "\t" $4}' > /root/dump-collect.csv
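An added example (not part of these notes) for reading that netstat dump without a per-host grep. It assumes the usual Linux `netstat -a` column layout and uses constructed hostnames. Two things worth knowing when counting collection sockets: without `-n`, netstat resolves ports through /etc/services, where 514/tcp is listed as "shell" (rsh) and 514/udp as "syslog", which is why the TCP syslog count above greps for "<host>:shell"; and UDP senders never show up as peers (there is no connection state), so a source that delivers events but is absent from this list is most likely sending over UDP.

```shell
#!/bin/sh
# Added example, not from the original notes. Summarise which hosts are sending
# syslog over TCP, from `netstat -a` output. All hostnames below are constructed.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:shell           0.0.0.0:*               LISTEN
tcp        0      0 ep01.example.net:shell  fw-a.example.net:51322  ESTABLISHED
tcp        0      0 ep01.example.net:shell  fw-a.example.net:51340  ESTABLISHED
tcp        0      0 ep01.example.net:shell  srv-b.example.net:40011 ESTABLISHED
tcp        0      0 ep01.example.net:ssh    admin.example.net:50200 ESTABLISHED
tcp        0      0 ep01.example.net:shell  srv-c.example.net:40500 TIME_WAIT
udp        0      0 0.0.0.0:syslog          0.0.0.0:*
udp        0      0 ep01.example.net:snmp   0.0.0.0:*'

# Read netstat output on stdin; print "<count>\t<remote host>" for every peer
# holding an ESTABLISHED TCP connection to local port 514, busiest first.
# Matches the port whether netstat printed it as "shell" (no -n) or "514" (-n),
# and strips only the last ":port" so IPv6-style peers keep their colons.
tcp_syslog_senders() {
    awk '$1 ~ /^tcp/ && $4 ~ /:(shell|514)$/ && $6 == "ESTABLISHED" {
             sub(/:[^:]*$/, "", $5)   # "host:port" -> host
             count[$5]++
         }
         END { for (h in count) printf "%d\t%s\n", count[h], h }' \
    | sort -rn
}

# Total number of established TCP syslog sockets: the same figure the
# `grep ESTABLISHED | grep <host>:shell | wc -l` line in the notes produces.
tcp_syslog_socket_total() {
    tcp_syslog_senders | awk -F '\t' '{ total += $1 } END { print total + 0 }'
}

# Against the constructed sample:   printf '%s\n' "$SAMPLE_NETSTAT" | tcp_syslog_senders
# On a live event processor:        netstat -a | tcp_syslog_senders
```

Hosts that appear here with a count are TCP senders; anything known to be delivering events but missing from the list is, by elimination, arriving over UDP.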
Number of physical (network) interfaces
ls -l /sys/class/net/ | grep -v virtual
Thread Timings
/opt/qradar/support/threadTop.sh -p 7777
DSM Version
rpm -qa | grep DSM | grep -i <Ex: Linux>
Start a command when line is seen in logs
( tail -f -n0 /var/log/qradar.error & ) | grep -q "to storage"
/opt/qradar/support/findExpensiveCustomRules.sh
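The `( tail -f & ) | grep -q` trick above has one side effect worth knowing: grep exits on the first match, but the backgrounded tail only dies when its next write to the closed pipe fails, so it can linger on the box. The function below is an added example (not from these notes) that does the same job by polling the file's byte offset once a second and leaves nothing running behind it; the paths in the usage comment are the ones from the notes, not a tested setup.

```shell
#!/bin/sh
# Added example, not from the original notes. Wait for PATTERN in lines
# appended to FILE after the call (the equivalent of tail's -n0), then return
# so the caller can run its follow-up command. No background process remains.
#
# Usage: wait_for_line FILE PATTERN [TIMEOUT_SECONDS]
#   returns 0 as soon as PATTERN matches newly appended data,
#   returns 1 if TIMEOUT_SECONDS (default 60) elapse without a match.
wait_for_line() {
    file=$1
    pattern=$2
    limit=${3:-60}
    # Byte offset at call time: everything before it is old content and ignored.
    # If the log is rotated or truncated meanwhile, the offset is past the end,
    # tail prints nothing, and the function keeps waiting until the file regrows.
    start=$(wc -c < "$file")
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        # tail -c +N prints from byte N (1-based): only data appended since start.
        if tail -c +$((start + 1)) "$file" | grep -q -- "$pattern"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Example use with the paths from the notes: run the expensive-rules report when
# the storage message shows up in qradar.error within the next 10 minutes.
# wait_for_line /var/log/qradar.error "to storage" 600 && /opt/qradar/support/findExpensiveCustomRules.sh
```

The trade-off against the one-liner is up to one second of latency per poll; in exchange the timeout bounds how long a forgotten session keeps a reader open on the log.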
List admin actions
zcat /var/log/audit/audit.log.* | grep "coalesceEvents"
List files size
find /transient -xdev -type f -size +100M -exec ls -lh {} \;
Add a debug point to Java Class (reports here)
Maybe try enabling report debugging using:
/opt/qradar/support/mod_log4j.sh -who IBML2 -r
/opt/qradar/support/mod_log4j.sh -who IBML2 -al com.q1labs.reporting
Run the report (or try)
Check the contents of the newly created/written file:
/var/log/qradar.java.debug
Check Accumulator issues (EP)
/opt/qradar/support/collectGvStats.sh -s | less
/opt/qradar/support/collectGvStats.sh -m <GV_ID>
Investigate in logs
TMPSRCH="<search term>"
TMPGREPWIDE=3   # lines of context before and after each hit
TMPNAME="$( printf '%s' "$TMPSRCH" | tr -c 'a-zA-Z0-9_\-' '-' )"   # filename-safe form of the term (printf, not echo, so no trailing "-" from the newline)
NOW=$(date +"%d%m%Y")
OUT=/root/$NOW-export-$HOSTNAME-$TMPNAME.log
echo "$NOW - $HOSTNAME - Looking for: $TMPSRCH" >> "$OUT"
zgrep -i -A $TMPGREPWIDE -B $TMPGREPWIDE "$TMPSRCH" /var/log/qradar.old/qradar.* >> "$OUT"
grep -li "$TMPSRCH" /var/log/qradar.error >> "$OUT"
grep -i -A $TMPGREPWIDE -B $TMPGREPWIDE "$TMPSRCH" /var/log/qradar.error >> "$OUT"
echo "Export file: $OUT"
Autodiscover log sources DSM
/opt/qradar/support/autodetection_config.py -a
Check avg event payload / record size
/opt/qradar/support/jmx.sh -p 7799 -b "com.q1labs.ariel:application=ecs-ep.ecs-ep,type=Database writer,a1=events-2"
Check CRE Queue
/opt/qradar/support/jmx.sh -p 7799 -b com.q1labs.sem:application=ecs-ep.ecs-ep,type=filters,name=CRE
Check Apps on AppHost/AppNode
/opt/qradar/support/qapp_utils_730.py ps