IBM Support

QRadar: Audit users initiating Deploy Changes or Deploy Full Configuration actions

Question & Answer


How do you find out when and who performed deploy actions in QRadar?


This can be caused by a user deploying changes.


There are two methods to locate if a deploy has been performed and who initiated it.

From the QRadar UI

  1. Click the Log Activity tab
  2. Create a Log Activity search using filters as follows:
    1. For Deploy changes:
      QID Equals 28250146 Log Source Equals Sim Audit-2

    2. For Deploy Full Configuration:
      QID Equals 28250147 Log Source Equals Sim Audit-2

  3. Adjust the Time Range as appropriate to see who performed a deploy action on a specific day.

From Console command line:
    Connect to the Console by using an SSH session.
    1. For Deploy changes:
      grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployChanges | grep -v grep | grep '<date>'

    2. For Deploy Full Configuration:
      grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployFullConfiguration | grep -v grep | grep '<date>'

Result: You now can audit deploy activities and users who initiated them.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018