
Qradar Scripts and Results Part 1. Disk Space and Qradar Persistent Queue


Script examples written by Travis Hutchings

thutch901@gmail.com

865.405.8830

Disk space checks and alerting results specific to Qradar servers and environments.
The general Linux script concepts also apply to everyday system administration. This disk space script relies on a few Qradar support utilities (under /opt/qradar/support).

1. Disk Space Alerting and results in /store volume

List disk space for all Qradar servers. The plain command on one host is df -h; the all_servers.sh support script runs it on every managed host and the output is appended to $listFile, the report file defined in the script in section 2:
df -h

/opt/qradar/support/all_servers.sh -a '15%' 'df -h /store' >> $listFile

List the top of the directory (the lowest-numbered, oldest queue segments) to see file dates and times and determine whether the Persistent Queue is being processed:

/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | head -6' >> $listFile

List the bottom of the Persistent Queue (the newest segments) to see whether results are still being written and processed:

/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | tail -6' >> $listFile

Here is an example of the /store/persistent_queue output (each .dat segment is about 100 MB):

ls -l | head -4
total 447209637
-rw-r--r-- 1 root root 104857079 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47406.dat
-rw-r--r-- 1 root root 104856825 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47407.dat
-rw-r--r-- 1 root root 104856754 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47408.dat

ls -l | tail -4
-rw-r--r-- 1 root root 104857276 May 3 22:00 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51776.dat
-rw-r--r-- 1 root root 104857459 May 3 22:00 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51777.dat
-rw-r--r-- 1 root root 104857600 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51778.dat
-rw-r--r-- 1 root root     4096 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse.cfg


2. BASH script: Persistent Queue length along with disk space of the /store volume. Example of the header and footer I typically use for cron automated jobs.

#!/bin/bash
#Version: 1.2
#Document Purpose: Report the ecs-ec-ingress persistent queue length (and /store disk space) on all servers and email the result to the appropriate recipients

clientName="Your Company"
emailFrom="qradar.as@yourco.com"
emailTo="systemadmins@yourco.com"
listFile="/store/scripts/activestore_length.csv"
bodyFile="/store/scripts/activestore_length.txt"

# Start each cron run with empty report files, otherwise every mail carries the history of all earlier runs
: > "$listFile"
: > "$bodyFile"

echo "Persistent Queue Length Status" >> "$listFile"
/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | head -6' >> "$listFile"

/opt/qradar/support/all_servers.sh -a '15%' 'ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress | tail -6' >> "$listFile"

cat "$listFile" >> "$bodyFile"

# mail(1) as shipped on Qradar (RHEL mailx): -s subject, -r sender address, -a attach a file; the message body is read from stdin
/bin/mail -s "Qradar Store DiskSpace and Persistent Queue Length" -r "$emailFrom" -a "$listFile" "$emailTo" < "$bodyFile"
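The two manual checks from sections 1 and 2 (df -h /store and ls -l of the persistent queue) turned into pass/fail shell functions, as an added example that is not part of the original post. The df and ls samples are constructed, the usage-percent and segment-count thresholds are assumed values to tune per environment, and in a cron job each function would be fed the per-host output of the all_servers.sh calls above.

```shell
#!/bin/bash
# Added example (not the post's script): parse df/ls output and decide whether to alert.

# Constructed sample of `df -h /store` on one host (not real host data).
SAMPLE_DF='Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1       3.6T  3.1T  512G  86% /store'

# Constructed sample of `ls -l /store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress`.
SAMPLE_LS='total 447209637
-rw-r--r-- 1 root root 104857079 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47406.dat
-rw-r--r-- 1 root root 104856825 May 3 14:42 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_47407.dat
-rw-r--r-- 1 root root 104857600 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse_51778.dat
-rw-r--r-- 1 root root     4096 May 3 22:01 ecs-ec-ingress_EC_Ingress_TCP_TO_ECParse.cfg'

# store_use_pct DF_OUTPUT: print the Use% of the /store line without the '%' sign.
store_use_pct() {
    printf '%s\n' "$1" | awk '$NF == "/store" { sub("%", "", $(NF-1)); print $(NF-1) }'
}

# queue_stats LS_OUTPUT: print "<segments> <bytes> <oldest_seq> <newest_seq>" for the
# numbered .dat segments only (the "total" and .cfg lines are skipped). Low-numbered
# segments still on disk next to much newer ones mean the queue fills faster than it drains.
queue_stats() {
    printf '%s\n' "$1" | awk '
        $NF ~ /_[0-9]+\.dat$/ {
            n++; bytes += $5
            seq = $NF; sub(/\.dat$/, "", seq); sub(/.*_/, "", seq); seq += 0
            if (min == "" || seq < min) min = seq
            if (seq > max) max = seq
        }
        END { printf "%d %d %d %d\n", n, bytes, min, max }'
}

# check_store DF_OUTPUT LS_OUTPUT PCT_LIMIT SEGMENT_LIMIT: return 0 when both
# thresholds (assumed values) are within limits, otherwise print the violations and return 1.
check_store() {
    df_out=$1; ls_out=$2; pct_limit=$3; seg_limit=$4; rc=0
    pct=$(store_use_pct "$df_out")
    set -- $(queue_stats "$ls_out")     # $1=segments $2=bytes $3=oldest seq $4=newest seq
    if [ "$pct" -ge "$pct_limit" ]; then
        echo "ALERT /store at ${pct}% used (limit ${pct_limit}%)"; rc=1
    fi
    if [ "$1" -ge "$seg_limit" ]; then
        echo "ALERT persistent queue has $1 segments ($2 bytes), seq $3..$4"; rc=1
    fi
    return $rc
}

check_store "$SAMPLE_DF" "$SAMPLE_LS" 80 2 || echo "thresholds exceeded: send the mail"
```

In the cron script, a non-zero return from check_store is the point at which to send the mail instead of reporting unconditionally.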
