Updating content by using the content management script

Use the update action to update existing IBM QRadar content or add new content to the system.

Before you begin

If you want to update content with content that was exported from another QRadar system, ensure that the exported file is on the target system. For more information about exporting content, see Content type identifiers for exporting custom content.

When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.

You can export content from an earlier version of QRadar and import into a later version. However, you cannot import content from a later version into an earlier version.

You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports will fail due to conflicts with shared resources.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. To update content, type the following command: 
    /opt/qradar/bin/contentManagement.pl -a update -f [source_file]
    Parameters:
    Table 1. contentManagement.pl script parameters for updating custom content
    Parameter Description
    -f [source_file]

    or

    --file [source_file]

    		 Specifies the file that contains the content items to update.

    Valid file types are zip, targz, and xml.

    The filename and path are case-sensitive.

    -u [user]

    or

    --user [user]

    		 Specifies the user that replaces the current owner when you import user-specific data.

    The user must exist on the target system before you import the content.
    Example:
    • To update based on the content in the fgroup-ContentExport-20120418163707.zip file, type the following command:
      /opt/qradar/bin/contentManagement.pl --action update 
-f fgroup-ContentExport-20120418163707.zip