Question & Answer
Question
How do you generate a report on all users who have not logged in to the QRadar® console within a specified period?
Cause
In User Management, you can view the Last Login for each user when selected. However, there is no reporting function to satisfy this requirement.
Answer
You can compile such a report by using the QRadar® CLI and running a PSQL query on the 'login_attempts' table.
Procedure:
- SSH to the QRadar® console's CLI.
- Run the following command to set the required specified period in the days variable:
DAYS=<number_of_days>
- Run the following command, which produces an output file detailing all users who have not logged in to the QRadar® console within the specified period, along with their last login attempt:
psql -U qradar -c "select distinct on (user_id) login_attempts.*, users.username from login_attempts inner join users on login_attempts.user_id=users.id where user_id not in (select user_id from login_attempts where attempt_time > 'now'::date - '$DAYS days'::interval) order by user_id, attempt_time desc;" > /tmp/users_not_logged_in_within_"$DAYS"_days.out
- The output file can be found at:
/tmp/users_not_logged_in_within_<number_of_days>_days.out
Related Information
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS004434766","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
14 December 2020
UID
ibm16380756