IBM Support

QRadar: How to use zgrep to search the contents of compressed log files without uncompressing them

Question & Answer


Question

zgrep is a Linux command that searches the contents of a gzip-compressed file without first uncompressing it. It accepts the same options as grep, and its file arguments can be shell wildcards, so a whole directory of rotated logs can be searched with one command.

Answer

zgrep works exactly like grep, but it reads compressed logs directly, so there is no need to decompress each one with gunzip first. It also accepts uncompressed files, so a wildcard that matches both the current log and its rotated .gz copies works.
Command syntax:
zgrep -i '<search criteria>' <file path>/<file.gz> | less

zgrep accepts the same options as grep. A shell wildcard can stand in for the file name, so all the logs in a directory can be searched at once, and the administrator can work through /var/log/, /var/log/qradar.old and /var/log/audit in the same session. When more than one file is searched, each output line is prefixed with the file it came from; when the wildcard matches only one file, add -H to keep that prefix.

To search more efficiently, follow these steps.
  1. SSH to the QRadar Console.
  2. Determine which files contain the string by adding the -c switch, which prints the number of matching lines in each file (a file with no matches is listed with a count of 0).
    cd /var/log
    zgrep -ci '<search string>' qradar.error.*.gz
    cd /var/log/qradar.old
    zgrep -ci '<search string>' qradar.log.*.gz
    cd /var/log/audit
    zgrep -ci '<search string>' *.gz
    As an example, to search for occurrences of the user "example_user" and see how many entries each audit file holds (the wildcard audit* also picks up the uncompressed current logs, which zgrep reads as-is):
    [root@qr_example tmp]# cd /var/log/audit
    [root@qr_example audit]# zgrep -ci 'example_user' audit*
    audit-healthconsole.log:0
    audit-healthconsole.log.1.gz:0
    audit.log:1
    audit.log.1.gz:44
    audit.log.2.gz:0
    audit.log.3.gz:0
    audit.log.4.gz:52
  3. Using the counts from the -c switch, decide how to view the entries. The administrator can either:
    • For a limited number of entries (up to about 100), remove the -c switch and pipe the output to less:
      cd /var/log
      zgrep -i 'example_user' *.gz | less

    • If the count runs to several thousand entries, view one file at a time:
      zgrep -i '<search string>' <full path to file> | less
    • To save the entries to a file for later review or to attach to a support ticket:
      zgrep -i 'example_user' /var/log/*.gz > /tmp/example_user.txt

      Result
      The administrator can now review compressed log entries without decompressing them.
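The count-then-collect procedure above, as an added shell example that is not part of the IBM page: it builds a set of rotated audit logs in a temporary directory, counts hits per file with zgrep -c, lists only the files that contain the string (-l), and writes every matching line to a file for a support ticket. Shell wildcards replace any $(ls | grep ...) construction, and -H keeps the file-name prefix even when a wildcard matches a single file. The directory, file names and log lines are constructed for the example; GNU zgrep and gzip, as shipped on a QRadar Console, are assumed.

```shell
#!/bin/sh
# Added example, not from the IBM page. Demonstrates the count-then-collect
# workflow over rotated logs (plain and .gz) with zgrep. All log data below is
# constructed; real paths such as /var/log/audit are only assumed.

# Step 2: per-file hit counts. zgrep decompresses .gz files on the fly and
# passes plain files through unchanged, so one wildcard covers both.
# -H keeps the "file:" prefix even when the wildcard matches a single file.
count_matches() {
    local dir=$1 glob=$2 needle=$3
    (
        cd "$dir" || exit 1
        # $glob is deliberately unquoted so the shell expands the wildcard.
        zgrep -ciH -e "$needle" $glob || true   # grep exits 1 on zero hits
    )
}

# Step 2, shorter form: only the names of files that contain the string.
files_with_hits() {
    local dir=$1 glob=$2 needle=$3
    ( cd "$dir" && zgrep -li -e "$needle" $glob ) || true
}

# Step 3: save every matching line, prefixed with its file, for later review
# or a support ticket. Prints the number of lines written.
collect_matches() {
    local dir=$1 glob=$2 needle=$3 out=$4
    ( cd "$dir" && zgrep -iH -e "$needle" $glob ) > "$out" || true
    grep -c '' "$out"
}

# Build a throw-away log directory: one live log plus two gzip rotations.
# These lines are constructed sample data, not real QRadar audit output.
make_sample_logs() {
    local d
    d=$(mktemp -d)
    printf '%s\n' \
        'Feb 10 10:00:01 qr_example Login: example_user logged in' \
        'Feb 10 10:00:05 qr_example Login: other_user logged in' > "$d/audit.log"
    printf '%s\n' \
        'Feb 09 09:00:01 qr_example Login: Example_User logged in' \
        'Feb 09 09:00:02 qr_example Logout: example_user logged out' > "$d/audit.log.1"
    printf '%s\n' \
        'Feb 08 08:00:01 qr_example Login: other_user logged in' > "$d/audit.log.2"
    gzip "$d/audit.log.1" "$d/audit.log.2"   # -> audit.log.1.gz, audit.log.2.gz
    printf '%s\n' "$d"
}

demo_dir=$(make_sample_logs)
trap 'rm -rf "$demo_dir"' EXIT

echo "== hit counts per file =="
count_matches "$demo_dir" 'audit*' example_user
echo "== files with at least one hit =="
files_with_hits "$demo_dir" 'audit*' example_user
echo "== lines saved to $demo_dir/example_user.txt =="
collect_matches "$demo_dir" 'audit*' example_user "$demo_dir/example_user.txt"
```

On a real Console, call the same functions with the log directory and wildcard from the steps above, for example count_matches /var/log/audit 'audit*' example_user; the -i flag makes the search case-insensitive, which is why Example_User in the rotated log is counted.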

Product: IBM QRadar SIEM
Component: General Information
Platform: Linux
Version: Version Independent
Line of Business: Security Software

Document Information

Modified date:
01 December 2022

UID

swg21996814