Skip to main content

LINUX- Qradar EPS Report by Log Source BASH Script by and Log Source Groups

______________________________________________________________________________________________________

Script examples written by Travis Hutchings

thutch901@gmail.com

971.226.6732

_______________________________________________________

Bash shell script examples for eps by log source as csv:


#Version: 1.5

#Owner: TravisH Corporation

#Document Purpose: EPS storage metric script

clientName="TravisH"

emailFrom="qradar.activ@travishcorp.com"

emailTo="Travis.H@travishcorp.com"

listFile="/store/scripts/eps_storage_raw.csv"

bodyFile="/store/scripts/eps_storage.csv

cd /store/scripts/results/

/opt/qradar/support/deployment_info.sh -A

echo "" >> $listFile

echo "" >> $listFile

echo "Log Source:" >> $listFile

psql -A -F"," -U qradar -c "select sensordevice.hostname as LogSource, peakeps60s as EPS, to_timestamp(round(sensordevice.creationdate/1000)) as created, to_timestamp(sensordevice.timestamp_last_seen/1000)as LastReportdate, managedhost.hostname as QradarServer from sensordevice, deployed_component, managedhost where deployed_component.id = sensordevice.eccomponentid and deployed_component.managed_host_id = managedhost.id and deviceenabled='t' and to_timestamp(round(sensordevice.creationdate/1000)) > now() - interval '52 week' order by QradarServer" >> /store/scripts/results/csvlistFile.txt

psql -A -F"," -U qradar -c "select sensordevicetype.devicetypedescription as DeviceDescription, count(*) from sensordevicetype, sensordevice where sensordevice.deviceenabled = 't' and sensordevicetype.id = sensordevice.devicetypeid group by sensordevicetype.devicetypedescription order by count(*) desc" >> $listFile

echo -n "" >> $listFile

echo -n "EPS Report Version 1.5" >> $listFile

echo -n "" >> $listFile


date >> $bodyFile

cat qradar_deployment_info-*.csv >>$bodyFile

cat /store/scripts/results/csvlistFile.txt >>$bodyFile

cat  $listFile >> $bodyFile


/bin/mail -s " EPS Log Source-CSV" -r "$emailFrom" -a "$bodyFile" $emailTo < /store/scripts/eps_.csv

rm /store/scripts/eps_storage_raw.csv

rm /store/scripts/eps_storage.csv

rm /store/scripts/results/csvlistFile.txt

rm /store/scripts/results/qradar_deployment_info-*.csv



Comments

Post a Comment

Popular posts from this blog

Qradar Scripts and Results Part 1. Disk Space and Qradar Persistent Queue

______________________________________________________________________________________________________ Script examples written by Travis Hutchings thutch901@gmail.com 971.226.6732 _______________________________________________________ Disk Space and Alerting Results specific to Qradar servers and environments. General Linux script concepts can also be applied to system administration concepts. This disk space script utilizes a few Qradar support functions. 1. Disk Space Alerting and results in /store volume List disk space for all Qradar servers: df- h /opt/qradar/support/all_servers.sh -a '15%' 'df -h /store' >> $listFile List the top of the directory to see file dates and times to determine if Persistent Queue is processing: /opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | head -6' >> $listFile Bottom of the Persistent Queue and seeing if results are processing: /opt/qradar/suppor...
Post a Comment
Read more

Qradar- PSQL Report Development for EPS by log source result

EPS by logsource with QRADAR PSQL query tests and research By Travis Hutchings thutch901@gmail.com 971.226.6732  psql -A -F"," -U qradar -c "select sensordevice.id, sensordevice.hostname, sensordevice.devicename, sensordevicetype.devicetypename, to_timestamp(sensordevice.timestamp_last_seen/1000) from sensordevice, sensordevicetype where sensordevice.devicetypeid = sensordevicetype.id and sensordevice.deviceenabled = 't' and sensordevice.devicename not ilike '%wincollect%' and to_timestamp(sensordevice.timestamp_last_seen/1000) > now() - interval '30 days' order by to_timestamp(timestamp_last_seen/1000) desc" psql -A -F"," -U qradar -c "select sensordevice.id, sensordevice.hostname, sensordevice.devicename, sensordevicetype.devicetypename, to_timestamp(sensordevice.timestamp_last_seen/1000), to_timestamp(round(sensordevice.creationdate/1000) from sensordevice, sensordevicetype where sensordevice.devicetypeid = sensordevicety...
Post a Comment
Read more

Splunk Log Forwarding Configuration Steps

Splunk Log Forwarding Configuration Steps: There are multiple ways to send linux logs to splunk like using splunk linux app, splunk universal forwarder or syslog. Best and performance reliable way is to install splunk universal forwarder on linux machines for which you wish to forward data.Splunk universal forwarder will act as agent for log collection.It will collect logs and will forward to indexer.We can  also use syslog for log collection and then install splunk forwarder on it and then forward data from syslog server to splunk indexer.Below we have provided steps for most reliable method to add linux logs to splunk For syslog installation and configuration follow steps give at below link: Refer below steps to add linux logs to splunk Step 1: On Splunk server (receiver) Download/install Splunk TA for Unix and Linux to the Splunk server (receiver) and enabled it by going to Manager|Apps|Enable Step 2: On host you want to collect data from (sender) Download and install the Splu...
Post a Comment
Read more