IBM Support

QRadar: Directory Structure for /store/ariel on QRadar appliances

Question & Answer


Question

What are the directories in /store/ariel on my QRadar appliance and what is the purpose of each directory?

Answer

The purpose of this article is to provide a list and brief description of each directory contained within /store/ariel/.

Note: In the tree structure, <YEAR-xxxN> stands for a four-digit number giving the year in which the ariel entries were generated. Similarly, <MONTH-n> is a one- or two-digit number for the month the ariel entries were generated, <DAY-n> is a one- or two-digit number for the day field of the date, and <HOUR-n> is the hour field.


+-- cv = contains accumulated data
+-- events = events top-level directory
|   +-- md = created when encryption is enabled and contains hash values
|   +-- payloads = contains event payloads
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   |   |   |   +-- <HOUR-2>
|   |   |   |   |   +-- ...
|   |   |   |   |   +-- <HOUR-24>
|   |   |   |   +-- <DAY-2>
|   |   |   |   +-- ...
|   |   |   |   +-- <DAY-31>
|   |   |   +-- <MONTH-2>
|   |   |   +-- ...
|   |   |   +-- <MONTH-12>
|   |   +-- ...
|   |   +-- <YEAR-xxxN>
|   +-- records = contains event records
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- ...
|   |   +-- <YEAR-xxxN>
|   +-- uncompressedCache = pointers to compressed files
+-- flows = flows top-level directory
|   +-- payloads = contains flow payloads
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- ...
|   |   +-- <YEAR-xxxN>
|   +-- records = contains flow records
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- ...
|   |   +-- <YEAR-xxxN>
|   +-- uncompressedCache = pointers to compressed files
+-- gv = global views top-level directory
|   +-- definitions = global view definitions
|   +-- records = global view records
+-- hprof = host profiles top-level directory
|   +-- uncompressedCache = cursors for searches
+-- persistent_data = pointer to compressed files
|   +-- ariel.ariel_proxy_server = saved search results and searches done in the last 24 hours
+-- simarc = QRadar Risk Manager connection data
+-- simevent = QRadar Risk Manager event data
+-- statistics = statistics
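As an added example (not IBM's code, and not something the article itself provides), the script below parses the YEAR/MONTH/DAY/HOUR hierarchy under events/ and flows/ described in the tree, sums bytes per day, and reports hour directories that are absent, which is a quick way to spot retention or collection gaps in ariel storage. It assumes hour directories are numbered 0 through 23 and uses a constructed listing rather than output from a real appliance.

```python
import re
from collections import defaultdict

# Hourly leaf directories beneath /store/ariel/{events,flows}/{records,payloads}
# follow the YEAR/MONTH/DAY/HOUR layout shown in the tree above.
ARIEL_HOUR_RE = re.compile(
    r"^/store/ariel/(?P<kind>events|flows)/(?P<part>records|payloads)/"
    r"(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})/(?P<hour>\d{1,2})/?$"
)


def parse_ariel_hour_dir(path):
    """Return (kind, part, 'YYYY-MM-DD', hour) for an hourly ariel directory, else None."""
    m = ARIEL_HOUR_RE.match(path)
    if not m:
        return None
    date = "%04d-%02d-%02d" % (int(m["year"]), int(m["month"]), int(m["day"]))
    return m["kind"], m["part"], date, int(m["hour"])


def coverage_report(entries, expected_hours=range(24)):
    """entries: iterable of (path, bytes_used). Returns a dict keyed by
    (kind, part, date) with total bytes and the hours that have no directory.
    The 0-23 hour numbering is an assumption of this example, not the article."""
    seen = defaultdict(set)
    total = defaultdict(int)
    for path, size in entries:
        parsed = parse_ariel_hour_dir(path)
        if parsed is None:          # cv/, gv/, md/, uncompressedCache/ and so on
            continue
        kind, part, date, hour = parsed
        seen[(kind, part, date)].add(hour)
        total[(kind, part, date)] += size
    return {
        key: {"bytes": total[key],
              "missing_hours": sorted(set(expected_hours) - hours)}
        for key, hours in seen.items()
    }


# Constructed sample listing (not from a real appliance): one day of event
# records with hours 0-2 present and hour 3 absent, plus directories to ignore.
SAMPLE = [
    ("/store/ariel/events/records/2022/10/28/0", 120_000),
    ("/store/ariel/events/records/2022/10/28/1", 130_000),
    ("/store/ariel/events/records/2022/10/28/2", 125_000),
    ("/store/ariel/events/payloads/2022/10/28/0", 900_000),
    ("/store/ariel/events/uncompressedCache", 4_096),
    ("/store/ariel/cv", 8_192),
]

if __name__ == "__main__":
    for key, info in sorted(coverage_report(SAMPLE, range(4)).items()):
        print(key, info)
```

On an appliance, the SAMPLE list would be replaced by a walk of /store/ariel that yields each hour directory and its size (for example from du output).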



Historical Number

94070;499;000

Document Information

Modified date:
28 October 2022

UID

swg21685751