IBM Support

QRadar: Using the all_servers.sh command

Question & Answer


Question

What is the all_servers.sh utility in /opt/qradar/support and how do administrators use it?

Answer

Warning: Using all_servers.sh as a file manipulation tool can be destructive and can have serious consequences. Use extra caution when you use this tool for file manipulation. When in doubt, contact Customer Support for guidance.

The all_servers.sh command is a powerful tool that can issue commands to all QRadar appliances within your deployment.
  • To display all help options for the all_servers.sh script, enter:
    /opt/qradar/support/all_servers.sh -h
  • To move a file to the /storetmp directory on all appliances in the deployment, enter:
    /opt/qradar/support/all_servers.sh -p <file>
    With the -r option, you can choose an alternative remote directory.
    /opt/qradar/support/all_servers.sh -p <file> -r <remote_directory>
    NOTE: The -p option provides a file check for disk space. If the available space is over 85% on a Console or 95% on a Managed Host, an error is returned. If disk space is unavailable, the copy function is halted before the file transfer begins. If a file cannot be copied to a specific host due to space issues, use scp to transfer the file to any hosts where all_servers.sh provides an error message.
  • To copy a remote file from all appliances, enter the following command. This option can be used for getting copies of files or logs from all appliances.
    /opt/qradar/support/all_servers.sh -g 
  • To check disk space and redirect the output to a file called DiskSpace.txt, enter:
    /opt/qradar/support/all_servers.sh -C "df -h" > DiskSpace.txt
    Example DiskSpace.txt:
    	x.x.x.x -> QRadar728.ibm.com
    
    	Appliance Type: 3100 Product Version: 7.2.8.20171213225424
    	13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
    	------------------------------------------------------------------------
    	Filesystem    Size   Used   Avail  Use%   Mounted on
    	/dev/sda7     20G    16G    3.2G   83%    /
    	tmpfs         31G    0      31G    0%     /dev/shm
    	/dev/sda1     93M    47M    42M    54%    /boot
    	/dev/sda8     145G   20G    126G   14%    /store
    	/dev/sda6     9.7G   1.5G   7.8G   16%    /store/tmp
    	/dev/sda9     38G    36M    38G    1%     /store/transient
    	/dev/sda5     9.8G   1.3G   8.0G   14%    /var/log
    	/dev/sda3     6.0G   3.5G   2.2G   62%    /recovery
    
  • To locate a specific string within the /var/log/qradar.log file on all QRadar appliances, a command like the following can be used. In this example, we are searching for the word deploy:
    /opt/qradar/support/all_servers.sh -C 'grep -i "deploy" /var/log/qradar.log | tail -n 10'
    This command returns the last 10 matching entries from the /var/log/qradar.log file on all appliances, which shows the logged deploy changes.
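
The following is an added example, not part of the original IBM document: a shell function that reads the saved output of the df -h check and lists, per host, every filesystem at or above a chosen usage percentage. It assumes each host's block begins with an "<ip> -> <hostname>" line as in the sample DiskSpace.txt; the function names and the second host in the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes each host block in the saved output
# starts with "<ip> -> <hostname>", as in the sample DiskSpace.txt.

# flag_full_filesystems LIMIT [FILE...]
# Prints "<hostname> <mount> <use%>" for every filesystem with Use% >= LIMIT.
# Reads standard input when no FILE is given.
flag_full_filesystems() {
    limit=$1
    shift
    awk -v limit="$limit" '
        # Host header, e.g. "x.x.x.x -> QRadar728.ibm.com"
        $2 == "->" { host = $3; next }
        # df data row: Use% is the second-to-last field and the mount point
        # is the last, which also holds when df wraps a long device name
        # onto its own line.
        NF >= 5 && $(NF - 1) ~ /^[0-9]+%$/ {
            pct = $(NF - 1)
            sub(/%/, "", pct)
            if (pct + 0 >= limit + 0) print host, $NF, $(NF - 1)
        }
    ' "$@"
}

# Constructed sample: the first host is taken from the page's example, the
# second host (name, devices, sizes) is invented to show a wrapped df row.
sample_output() {
    cat <<'EOF'
x.x.x.x -> QRadar728.ibm.com

Appliance Type: 3100 Product Version: 7.2.8.20171213225424
13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
------------------------------------------------------------------------
Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    16G    3.2G   83%    /
/dev/sda8     145G   20G    126G   14%    /store
x.x.x.x -> mh01.example.test

Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    18G    1.8G   91%    /
/dev/mapper/storerhel-store
              145G   139G   6.0G   96%    /store
EOF
}

# Demo: list filesystems at or above 85% in the constructed sample.
sample_output | flag_full_filesystems 85
```

To run it against a real capture, pass the file name after the limit, for example flag_full_filesystems 85 DiskSpace.txt.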

     


Document Information

Modified date:
14 November 2022

UID

swg21978283