Some customers configure QRadar to generate offenses frequently, while other installations are highly tuned and might generate only a few offenses per day. This technical note discusses methods to quickly confirm that the system is healthy and is actively updating offenses with new event or flow information. Offense processing involves three parts:
- Offense rules - Generate offenses for events based on the rules defined within QRadar
- Offense Management - Updates existing offenses as new events arrive that match previously created offenses
- Offense Storage - Stores the offenses within the Postgres offense table
How to confirm that offenses are updating in the user interface
- Click the Offenses tab.
- Click the Last Event/Flow column to sort offenses by the latest update.
- Newly added events or flows indicate that the system is healthy and updating active offenses.
How to use the command line to confirm offense updates
- Log in to the QRadar Console as the root user.
- Navigate to the /var/log directory.
- Run one of the following commands to view information about recently processed or scheduled offenses:
grep MPC qradar.log | grep Processed | tail -n1
grep MPC qradar.log | grep Scheduling | tail -n1
If offenses are actively being generated, messages are written to qradar.log every minute with details from the MPC about offenses that were processed or scheduled to be created. Be aware that the output can display nonzero results for an offense: the values are updated as the offense receives more information from events or flows, so the counts on a single line are a snapshot, and the timestamp of the most recent MPC message is the better indicator that the system is still processing.
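The following bash script is an added example and is not part of the IBM technical note. It wraps the same grep pipeline as the commands above in a small health check: it pulls the newest MPC "Processed" or "Scheduling" line, extracts the count that follows the keyword, and flags the system as stale if the newest "Processed" message is older than a chosen number of seconds, since a healthy Console writes one every minute. The log lines are constructed to resemble qradar.log syslog entries; the exact wording of the MPC messages, the `[ecs-ep.ecs-ep]` tag and the address are assumptions. Set `LOGFILE=/var/log/qradar.log` to run it against a real Console instead of the sample.

```shell
#!/bin/bash
# Added example: health check for MPC offense-processing messages in qradar.log.
# SAMPLE_LOG is CONSTRUCTED; message wording, tags and address are assumptions.
SAMPLE_LOG='Mar 31 09:58:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [MPC] Scheduling 3 offenses for creation
Mar 31 09:58:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [MPC] Processed 5 offense updates
Mar 31 09:59:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [MPC] Scheduling 0 offenses for creation
Mar 31 09:59:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [MPC] Processed 2 offense updates
Mar 31 10:00:02 ::ffff:192.0.2.10 [ecs-ep.ecs-ep] [MPC] Processed 0 offense updates'

# Source of log lines: the real file when LOGFILE is set, else the constructed sample.
log_lines() {
  if [ -n "${LOGFILE:-}" ]; then cat "$LOGFILE"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# The note's pipeline, wrapped: newest MPC line containing $1 (Processed or Scheduling).
last_mpc_line() {
  log_lines | grep MPC | grep "$1" | tail -n1
}

# Number printed right after the keyword on the newest matching line; 0 if no line.
last_mpc_count() {
  local line
  line=$(last_mpc_line "$1")
  [ -n "$line" ] || { echo 0; return; }
  printf '%s\n' "$line" | sed -n "s/.*$1 \([0-9][0-9]*\).*/\1/p"
}

# HH:MM:SS of the newest matching line converted to seconds since midnight; -1 if none.
# (Field 3 of a syslog-style line is the time; the year is not on the line.)
last_mpc_time() {
  local line
  line=$(last_mpc_line "$1")
  [ -n "$line" ] || { printf '%s\n' -1; return; }
  printf '%s\n' "$line" | awk '{ split($3, t, ":"); print t[1]*3600 + t[2]*60 + t[3] }'
}

# Verdict: "ok" when a Processed line exists and is at most $2 seconds (default 300)
# older than the reference time $1 (seconds since midnight), otherwise "stale".
# A count of 0 on a quiet system is normal; a missing or old message is not.
mpc_status() {
  local now="$1" max_age="${2:-300}" ts
  ts=$(last_mpc_time Processed)
  if [ "$ts" -lt 0 ] || [ $((now - ts)) -gt "$max_age" ]; then
    echo stale
  else
    echo ok
  fi
}

# Stand-alone run against the sample, pretending the clock reads 10:05:00 (36300 s).
echo "last Processed count: $(last_mpc_count Processed)"
echo "last Scheduling count: $(last_mpc_count Scheduling)"
echo "status: $(mpc_status 36300 300)"
```

On a live Console the reference time would come from `date +%s` reduced to seconds since midnight, or, more simply, the newest line's full timestamp compared with `date`; the sample keeps a fixed reference so the result is reproducible. Note that the count on the newest "Processed" line is 0 even though the system is healthy, which is exactly why the check keys on message freshness rather than on the number.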
31 March 2022