Qradar Scripts and Results Part 1. Disk Space and Qradar Persistent Queue

______________________________________________________________________________________________________

Script examples written by Travis Hutchings

thutch901@gmail.com

971.226.6732

_______________________________________________________

Disk space and alerting results specific to Qradar servers and environments.
The general Linux scripting concepts also apply to everyday system administration. This disk space script uses a few Qradar support functions (the all_servers.sh helper in /opt/qradar/support runs a command on every managed host).

1. Disk Space Alerting and results in /store volume

List disk space for all Qradar servers (df -h checks the local host; all_servers.sh runs the same command on every managed host and appends the output to the list file defined in the script in section 2):

df -h

/opt/qradar/support/all_servers.sh -a '15%' 'df -h /store' >> $listFile

List the top of the directory to see file dates and times and determine whether the Persistent Queue is processing (the oldest segments sit at the top; if their timestamps are hours old, the queue is not draining):

/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | head -6' >> $listFile

Bottom of the Persistent Queue, to see whether results are still being written (the newest segments and the .cfg file sit at the bottom):

/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | tail -6' >> $listFile

Here is an example of the /store/persistent_queue output:

ls -l | head -4
total 447209637
-rw-r--r-- 1 root root 104857079 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47406.dat
-rw-r--r-- 1 root root 104856825 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47407.dat
-rw-r--r-- 1 root root 104856754 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47408.dat

ls -l | tail -4
-rw-r--r-- 1 root root 104857276 May 3 22:00 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51776.dat
-rw-r--r-- 1 root root 104857459 May 3 22:00 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51777.dat
-rw-r--r-- 1 root root 104857600 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51778.dat
-rw-r--r-- 1 root root     4096 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse.cfg


2. BASH Script: Persistent Queue Length along with disk space of /store volume. Example of the header and footer I typically use for cron automated jobs.

#!/bin/bash
#Version: 1.2
#Document Purpose: Report the ecs-ec-ingress persistent queue length (and /store disk space) on all Qradar servers and email the listing to the appropriate recipients

clientName="Your Company"
emailFrom="qradar.as@yourco.com"
emailTo="systemadmins@yourco.com"
listFile="/store/scripts/activestore_length.csv"
bodyFile="/store/scripts/activestore_length.txt"

# Start each cron run with empty output files so the report shows only the current state
: > "$listFile"
: > "$bodyFile"

echo "Persistent Queue Length Status" >> "$listFile"
# Oldest queue segments: stale dates here mean the queue is not draining
/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | head -6' >> "$listFile"

# Newest queue segments: shows whether events are still being written
/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | tail -6' >> "$listFile"

cat "$listFile" >> "$bodyFile"

# Send the listing as the mail body and attach the csv copy
/bin/mail -s "Qradar Store DiskSpace and Persistent Queue Length" -r "$emailFrom" -a "$listFile" "$emailTo" < "$bodyFile"
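The head and tail listings in sections 1 and 2 show whether the queue is moving, but not how big the backlog is. The following added example (my own code, not from the original post) turns an ls -l listing of the persistent queue directory into a segment count and byte total, and parses the Use% column of df -h /store; the thresholds, sample listing and sample df output are constructed assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): quantify the ecs-ec-ingress
# persistent queue from an "ls -l" listing and flag a backlog, plus a /store
# usage check from "df -h" output. Thresholds are assumptions.

# stdin: ls -l listing. Prints "<segments> <bytes> <first_id> <last_id>" for
# the *.dat segments; the id is the numeric suffix in each file name.
pq_summary() {
  awk '
    $NF ~ /_[0-9]+\.dat$/ {
      n++; bytes += $5
      id = $NF; sub(/\.dat$/, "", id); sub(/.*_/, "", id)
      if (first == "" || id + 0 < first) first = id + 0
      if (id + 0 > last) last = id + 0
    }
    END { printf "%d %d %d %d\n", n, bytes, first, last }'
}

# stdin: ls -l listing. Exit 0 within the threshold, 1 when backlogged.
# Each segment in the listing is ~100 MiB, so 500 segments is ~50 GiB of unparsed events.
pq_check() {
  local threshold="${1:-500}" segs
  segs=$(pq_summary | cut -d' ' -f1)
  [ "$segs" -le "$threshold" ]
}

# stdin: "df -h /store" output. Prints the Use% column without the % sign.
df_use_pct() {
  awk 'NR > 1 { sub(/%/, "", $5); print $5; exit }'
}

# Exit 0 while /store usage is under the percentage threshold (default 85), 1 otherwise.
df_check() {
  [ "$1" -lt "${2:-85}" ]
}

# Constructed sample data, modelled on the listing shown earlier in the post.
SAMPLE_LS='total 447209637
-rw-r--r-- 1 root root 104857079 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47406.dat
-rw-r--r-- 1 root root 104857600 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47407.dat
-rw-r--r-- 1 root root      4096 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse.cfg'
SAMPLE_DF='Filesystem         Size  Used Avail Use% Mounted on
/dev/mapper/store  5.0T  4.4T  600G  89% /store'

printf '%s\n' "$SAMPLE_LS" | pq_summary       # 2 209714679 47406 47407
printf '%s\n' "$SAMPLE_DF" | df_use_pct       # 89
```

In a cron job the same functions can be fed the real output of ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress and df -h /store, and the mail step only fires when pq_check or df_check returns non-zero.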
