
LINUX - Qradar EPS Report by Log Source and Log Source Groups (Bash Script)

______________________________________________________________________________________________________

Script examples written by Travis Hutchings

thutch901@gmail.com

865.405.8830

_______________________________________________________

Bash shell script example that reports EPS by log source and emails the result as CSV:


#!/bin/bash
#Version: 1.5
#Owner: TravisH Corporation
#Document Purpose: EPS storage metric script

clientName="TravisH"
emailFrom="qradar.activ@travishcorp.com"
emailTo="Travis.H@travishcorp.com"
listFile="/store/scripts/eps_storage_raw.csv"
bodyFile="/store/scripts/eps_storage.csv"
resultsDir="/store/scripts/results"
csvListFile="$resultsDir/csvlistFile.txt"

# deployment_info.sh writes qradar_deployment_info-*.csv into the current directory
cd "$resultsDir" || exit 1
/opt/qradar/support/deployment_info.sh -A

echo "" >> "$listFile"
echo "" >> "$listFile"
echo "Log Source:" >> "$listFile"

# Enabled log sources created in the last 52 weeks, with peak EPS, creation date,
# last report date and the managed host they report to
psql -A -F"," -U qradar -c "select sensordevice.hostname as LogSource, peakeps60s as EPS, to_timestamp(round(sensordevice.creationdate/1000)) as created, to_timestamp(sensordevice.timestamp_last_seen/1000) as LastReportdate, managedhost.hostname as QradarServer from sensordevice, deployed_component, managedhost where deployed_component.id = sensordevice.eccomponentid and deployed_component.managed_host_id = managedhost.id and deviceenabled='t' and to_timestamp(round(sensordevice.creationdate/1000)) > now() - interval '52 week' order by QradarServer" >> "$csvListFile"

# Count of enabled log sources per device type
psql -A -F"," -U qradar -c "select sensordevicetype.devicetypedescription as DeviceDescription, count(*) from sensordevicetype, sensordevice where sensordevice.deviceenabled = 't' and sensordevicetype.id = sensordevice.devicetypeid group by sensordevicetype.devicetypedescription order by count(*) desc" >> "$listFile"

echo "" >> "$listFile"
echo "EPS Report Version 1.5" >> "$listFile"
echo "" >> "$listFile"

# Assemble the report: run date, deployment inventory, log source EPS list, device type counts
date >> "$bodyFile"
cat qradar_deployment_info-*.csv >> "$bodyFile"
cat "$csvListFile" >> "$bodyFile"
cat "$listFile" >> "$bodyFile"

# Mail the report as an attachment; the same file is used as the message body
/bin/mail -s "EPS Log Source-CSV" -r "$emailFrom" -a "$bodyFile" "$emailTo" < "$bodyFile"

# Clean up so the next run starts from empty files
rm -f "$listFile" "$bodyFile" "$csvListFile" "$resultsDir"/qradar_deployment_info-*.csv
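Added post-processing example, not part of the original post: it parses the unaligned psql output of the first query above (lowercase column aliases, comma-separated rows, psql's "(N rows)" footer), totals peak EPS per managed host, and lists enabled log sources that have not reported within a threshold, since a silent log source is a gap in detection coverage. The sample rows and the report time are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what the report's first psql -A -F"," query prints:
# lowercase column aliases, one row per enabled log source, psql's "(N rows)" footer.
SAMPLE_PSQL_OUTPUT = """\
logsource,eps,created,lastreportdate,qradarserver
fw-edge-01,120,2024-01-10 08:00:00+00,2024-06-01 09:15:00+00,qradar-console
dc-auth-02,45,2024-02-03 12:30:00+00,2024-05-02 16:40:00+00,qradar-ep01
proxy-03,300,2024-03-15 07:00:00+00,2024-06-01 09:10:00+00,qradar-ep01
vpn-04,0,2024-04-20 10:00:00+00,2024-04-21 10:00:00+00,qradar-console
(4 rows)
"""
# Constructed report time so the staleness check is reproducible;
# a real run would pass datetime.now(timezone.utc) instead.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_psql_csv(text):
    """Turn unaligned psql output into dicts keyed by column alias, dropping the footer."""
    lines = [ln for ln in text.splitlines() if ln and not re.match(r"^\(\d+ rows?\)$", ln)]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def parse_ts(value):
    """to_timestamp() prints offsets like '+00'; pad to '+00:00' for fromisoformat()."""
    if re.search(r"[+-]\d\d$", value):
        value += ":00"
    return datetime.fromisoformat(value)


def eps_per_server(rows):
    """Sum peak EPS per managed host, the figure storage and licence sizing rest on."""
    totals = {}
    for r in rows:
        totals[r["qradarserver"]] = totals.get(r["qradarserver"], 0) + int(r["eps"])
    return totals


def stale_sources(rows, now=SAMPLE_NOW, max_age_days=7):
    """Enabled log sources silent for more than max_age_days: each is a monitoring gap."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(r["logsource"] for r in rows if parse_ts(r["lastreportdate"]) < cutoff)


if __name__ == "__main__":
    rows = parse_psql_csv(SAMPLE_PSQL_OUTPUT)
    for host, eps in sorted(eps_per_server(rows).items()):
        print(f"{host},{eps}")
    print("stale:", ", ".join(stale_sources(rows)))
```

In practice, feed it the csvlistFile.txt the script produces and alert on a non-empty stale list rather than only emailing the totals.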


