IBM Support

QRadar: User Management: Users who have not logged in to QRadar within a specified period.

Question & Answer


Question

How do you generate a report on all users who have not logged in to the QRadar® console within a specified period?

Cause

In User Management, selecting a user shows that user's Last Login. However, there is no reporting function that lists users who have not logged in within a specified period.

Answer

You can compile such a report from the QRadar® CLI by running a psql query against the 'login_attempts' table.
Procedure:
  1. SSH to the QRadar® console's CLI.
  2. Run the following command to set the DAYS variable to the required number of days:
    DAYS=<number_of_days>
  3. Run the following command, which produces an output file detailing all users who have not logged in to the QRadar® console within the specified period, along with their last login attempt:
    psql -U qradar -c "select distinct on (user_id) login_attempts.*, users.username from login_attempts inner join users on login_attempts.user_id=users.id where user_id not in (select user_id from login_attempts where attempt_time > 'now'::date - '$DAYS days'::interval) order by user_id, attempt_time desc;" > /tmp/users_not_logged_in_within_"$DAYS"_days.out
  4. The output file can be found at:
    /tmp/users_not_logged_in_within_<number_of_days>_days.out
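
The command in step 3 interpolates $DAYS directly into the SQL text, so an unset or malformed value alters the statement psql receives. The wrapper below is an added example, not IBM's code: it validates the day count before building the same query and creates the output file owner-only. The function names and the umask are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around the query from step 3 of the procedure.
# Function names and the umask choice are assumptions of this example.

# Accept only a positive integer (no leading zero, at most 5 digits),
# so nothing but digits is ever interpolated into the SQL text.
valid_days() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ]
}

# Print the page's query with the validated day count substituted.
build_query() {
    valid_days "$1" || { echo "DAYS must be a positive integer" >&2; return 1; }
    printf '%s' "select distinct on (user_id) login_attempts.*, users.username from login_attempts inner join users on login_attempts.user_id=users.id where user_id not in (select user_id from login_attempts where attempt_time > 'now'::date - '$1 days'::interval) order by user_id, attempt_time desc;"
}

# Output path from step 4 of the procedure.
report_path() {
    printf '/tmp/users_not_logged_in_within_%s_days.out' "$1"
}

# Run the report. The output lists usernames, so create it owner-only.
run_report() {
    query=$(build_query "$1") || return 1
    out=$(report_path "$1")
    ( umask 077 && psql -U qradar -c "$query" > "$out" ) || return 1
    echo "Report written to $out"
}

# Runs only when a day count is passed, e.g.: sh inactive_users.sh 90
if [ "$#" -gt 0 ]; then
    run_report "$1"
fi
```

Because the query inner-joins login_attempts, accounts with no rows in that table do not appear in the report.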


Document Information

Modified date:
14 December 2020

UID

ibm16380756