IBM Support

QRadar: Audit users initiating Deploy Changes or Deploy Full Configuration actions

Question & Answer


Question

How do you find out who performed deploy actions in QRadar, and when they did so?

Cause

Deploy actions are initiated by a user, and QRadar records each Deploy Changes or Deploy Full Configuration action as an audit event, so the user and time can be recovered from the audit data.

Answer

There are two methods to determine whether a deploy has been performed and who initiated it.

From the QRadar UI

  1. Click the Log Activity tab.
  2. Create a Log Activity search using filters as follows:
     1. For Deploy Changes: QID Equals 28250146 and Log Source Equals Sim Audit-2
     2. For Deploy Full Configuration: QID Equals 28250147 and Log Source Equals Sim Audit-2
  3. Adjust the Time Range as appropriate to see who performed a deploy action on a specific day.

From the Console command line:
  Connect to the Console by using an SSH session, then run one of the following commands. Replace <date> with the date you want to search for, written as it appears in the audit log timestamps.
  1. For Deploy Changes:
     grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployChanges | grep -v grep | grep '<date>'
  2. For Deploy Full Configuration:
     grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployFullConfiguration | grep -v grep | grep '<date>'

Result: You can now audit deploy activities and the users who initiated them.
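The command-line method above is a one-off grep. As an added example (not part of the IBM article, and not QRadar's own tooling), the following POSIX shell script wraps the same search in functions that count deploy events and list the distinct users who initiated them, which is the shape an auditor usually wants. The audit lines it reads are constructed for this example; the assumed layout "timestamp host [user@ip (thread N) user] action" is a guess at the audit.log format and should be checked against a real file before the user-extraction pattern is trusted. The "grep -v grep" from the article is omitted because a grep over a file (unlike over a process listing) never matches itself.

```shell
#!/bin/sh
# Added example: audit QRadar deploy actions from a copy of audit.log.
# Assumed line layout (constructed, not guaranteed to match a real audit.log):
#   "<Mon DD HH:MM:SS> <host> [<user>@<ip> (thread N) user] <action>"

# Constructed sample audit lines (not real QRadar output).
SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
Jun 15 09:12:01 127.0.0.1 [admin@10.0.0.5 (thread 0) user] QRadar.scheduleDeployment(DeployChanges)
Jun 15 11:40:22 127.0.0.1 [analyst@10.0.0.7 (thread 0) user] QRadar.scheduleDeployment(DeployFullConfiguration)
Jun 16 08:05:13 127.0.0.1 [admin@10.0.0.5 (thread 0) user] QRadar.scheduleDeployment(DeployChanges)
Jun 16 08:05:14 127.0.0.1 [admin@10.0.0.5 (thread 0) user] QRadar.login
EOF

# deploy_audit FILE TYPE DATE
#   TYPE is DeployChanges or DeployFullConfiguration.
#   DATE is the syslog-style day prefix, e.g. "Jun 16".
# Prints every scheduleDeployment line of that type on that day.
deploy_audit() {
    grep 'QRadar.scheduleDeployment' "$1" | grep "$2" | grep "^$3 "
}

# count_deploys FILE TYPE DATE
# Prints the number of matching deploy events (0 when there are none).
count_deploys() {
    deploy_audit "$1" "$2" "$3" | wc -l | tr -d ' '
}

# deploy_users FILE TYPE DATE
# Prints the distinct user names that initiated the matching deploys,
# taken from the "[user@" field of the assumed layout.
deploy_users() {
    deploy_audit "$1" "$2" "$3" | sed -n 's/.*\[\([^@]*\)@.*/\1/p' | sort -u
}

# Usage against the constructed sample (on a Console the file would be
# /var/log/audit/audit.log, as in the article):
#   count_deploys "$SAMPLE_AUDIT" DeployChanges "Jun 16"
#   deploy_users  "$SAMPLE_AUDIT" DeployFullConfiguration "Jun 15"
```

The functions deliberately filter on the day prefix anchored at the start of the line, so a date string that happens to appear elsewhere in a line (for example inside a user-supplied value) does not produce a false match; the unanchored grep '<date>' in the article does not have that protection.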



Document Information

Modified date:
16 June 2018

UID

swg21991404