IBM Support

QRadar: Directory structure of /store/ariel on a QRadar appliance

Question & Answer


Question

Which directories exist under /store/ariel/ on a QRadar appliance, and what is each directory used for?

Answer

The purpose of this technical note is to list the directories contained in /store/ariel/ and give a short description of each.

Note: In the tree below, <YEAR-xxxN> stands for the four-digit number of the year field of the date on which the ariel entry was generated. Likewise, <MONTH-n> is the one- or two-digit number of the month in which the entry was generated, <DAY-n> is the one- or two-digit day-of-month field, and <HOUR-n> is the hour field. Because the month, day and hour directory names are one or two digits, they are not zero-padded: March is the directory 3, not 03.


+-- cv = contains accumulated data
+-- events = Events top-level directory
|   +-- md = created when encryption is enabled and contains hash values
|   +-- payloads = contains event payloads
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   |   |   |   +-- <HOUR-2>
|   |   |   |   |   +-- .
|   |   |   |   |   +-- <HOUR-24>
|   |   |   |   +-- <DAY-2>
|   |   |   |   +-- .
|   |   |   |   +-- <DAY-31>
|   |   |   +-- <MONTH-2>
|   |   |   +-- .
|   |   |   +-- <MONTH-12>
|   |   +-- .
|   |   +-- <YEAR-xxxN>
|   +-- records = contains event records
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- .
|   |   +-- .
|   |   +-- <YEAR-xxxN>
|   +-- uncompressedCache = pointers to compressed files
+-- flows = Flows top-level directory
|   +-- payloads = contains flow payloads
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- .
|   |   +-- .
|   |   +-- <YEAR-xxxN>
|   +-- records = contains flow records
|   |   +-- <YEAR-xxx1>
|   |   |   +-- <MONTH-1>
|   |   |   |   +-- <DAY-1>
|   |   |   |   |   +-- <HOUR-1>
|   |   +-- .
|   |   +-- .
|   |   +-- <YEAR-xxxN>
|   +-- uncompressedCache = pointers to compressed files
+-- gv = global views top-level directory
|   +-- definitions = global view definitions
|   +-- records = global view records
+-- hprof = host profiles top-level directory
|   +-- uncompressedCache = cursors for searches
+-- persistent_data = pointer to compressed files
|   +-- ariel.ariel_proxy_server = saved search results and searches done in the last 24 hours
+-- simarc = QRadar Risk Manager connection data
+-- simevent = QRadar Risk Manager event data
+-- statistics = statistics
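The following script is an added example and is not part of this IBM document or of QRadar's own tooling. It turns the <YEAR>/<MONTH>/<DAY>/<HOUR> layout described above into two practical helpers: one that builds the hourly bucket path for a given timestamp (assuming, as the note states, unpadded month/day/hour names, and assuming the hour field is the 0-23 clock hour of the timestamp), and one that walks an events or flows subtree and totals bytes per day while flagging any file or directory that does not fit the time-bucket scheme. The sample tree it builds in a temporary directory is constructed for the example; on a real appliance you would point `bytes_per_day` at /store/ariel instead.

```python
"""Summarise a QRadar-style /store/ariel tree per day (added example, not IBM code).

Assumed layout, following the note above:
    <root>/<events|flows>/<payloads|records>/<YEAR>/<MONTH>/<DAY>/<HOUR>/
YEAR is four digits; MONTH, DAY and HOUR are unpadded one- or two-digit numbers.
The hour field is assumed to be the 0-23 clock hour of the timestamp.
"""
import os
import re
import tempfile
from datetime import datetime

# Name patterns for the four time-bucket levels (assumption: no zero padding).
_LEVEL_PATTERNS = (
    re.compile(r"^\d{4}$"),   # YEAR
    re.compile(r"^\d{1,2}$"), # MONTH
    re.compile(r"^\d{1,2}$"), # DAY
    re.compile(r"^\d{1,2}$"), # HOUR
)


def ariel_dir(root, data_type, subdir, when):
    """Return the hourly bucket directory holding data generated at `when`."""
    if data_type not in ("events", "flows"):
        raise ValueError("data_type must be 'events' or 'flows'")
    if subdir not in ("payloads", "records"):
        raise ValueError("subdir must be 'payloads' or 'records'")
    return os.path.join(root, data_type, subdir,
                        str(when.year), str(when.month), str(when.day), str(when.hour))


def bytes_per_day(root, data_type, subdir):
    """Return ({'YYYY-M-D': total_bytes}, [unexpected paths]) for one subtree.

    Files sitting above the hour level, and directories whose names do not
    match the YEAR/MONTH/DAY/HOUR scheme, are reported separately instead of
    being silently added to a day's total.
    """
    base = os.path.join(root, data_type, subdir)
    totals = {}
    unexpected = []
    for dirpath, dirnames, filenames in os.walk(base):
        rel = os.path.relpath(dirpath, base)
        parts = [] if rel == "." else rel.split(os.sep)
        # Validate every bucket level that is present on this path.
        if any(not pat.match(name) for pat, name in zip(_LEVEL_PATTERNS, parts)):
            unexpected.append(rel)
            dirnames[:] = []  # do not descend into a directory that is not a time bucket
            continue
        if len(parts) < 4:
            # Above the hour level only directories are expected; files here are stray.
            unexpected.extend(os.path.join(rel, f) for f in filenames)
            continue
        year, month, day = parts[:3]
        key = f"{year}-{month}-{day}"
        size = sum(os.path.getsize(os.path.join(dirpath, f)) for f in filenames)
        totals[key] = totals.get(key, 0) + size
    return totals, unexpected


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its root (example data only)."""
    root = tempfile.mkdtemp(prefix="ariel-example-")
    samples = [  # (timestamp, file name, size in bytes)
        (datetime(2024, 3, 7, 9), "payload.0", 1000),
        (datetime(2024, 3, 7, 10), "payload.0", 500),
        (datetime(2024, 3, 8, 0), "payload.0", 250),
    ]
    for when, name, size in samples:
        bucket = ariel_dir(root, "events", "payloads", when)
        os.makedirs(bucket, exist_ok=True)
        with open(os.path.join(bucket, name), "wb") as fh:
            fh.write(b"\0" * size)
    # Two things that do not belong: a file above the hour level and a non-bucket directory.
    month_dir = os.path.join(root, "events", "payloads", "2024", "3")
    with open(os.path.join(month_dir, "README"), "w") as fh:
        fh.write("stray\n")
    os.makedirs(os.path.join(month_dir, "tmp"))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    totals, unexpected = bytes_per_day(sample_root, "events", "payloads")
    for day, size in sorted(totals.items()):
        print(f"{day}: {size} bytes")
    for path in unexpected:
        print(f"unexpected: {path}")
```

On an appliance, running `bytes_per_day("/store/ariel", "events", "records")` gives a per-day picture of where retention is actually consuming space, and the `unexpected` list is a quick check that nothing has been dropped into the ariel tree by hand.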


Historical Number

94070;499;000

Document Information

Modified date:
27 December 2022

UID

ibm16840899