This article is a step-by-step guide to reviewing all custom event properties on the system, for all log source types, from the command line. The process is useful when an administrator wants to check, or even export, the Custom Event Property (CEP) information held in the QRadar database.
- SSH to the QRadar console as a root user.
- Run the following command to create the path and folder where to save the information:
mkdir -p /store/IBM_Support/
- Run the next command to copy the Event Property information to a file:
psql -U qradar -c "\COPY (select propertyname Property_Name,regex Regex,devicetypedescription Log_Source_Type, CASE WHEN enabled ='t' THEN 'Enabled' ELSE 'Disabled' END as Enabled from ariel_property_view) TO '/store/IBM_Support/Property_Export-$(date +%F).csv' WITH DELIMITER '|' CSV HEADER;"
- psql -U qradar -c: runs a PostgreSQL query from outside the database by using the command line.
- \COPY: invokes COPY FROM STDIN or COPY TO STDOUT and then fetches or stores the data in a file accessible to the user running the command.
- TO '/store/IBM_Support/Property_Export-$(date +%F).csv': sends the output to a file called Property_Export-<date>.csv located in the path /store/IBM_Support/.
- WITH DELIMITER '|' CSV HEADER: establishes that the output file is a CSV file with a header row, where every column is delimited with pipes.
- Check the output file stored in /store/IBM_Support/. The file has pipe-separated fields: the first is the property name, the second is the regex used by the property, the third is the log source type, and the fourth shows whether the property is enabled:
Result: Administrators now have a list of the custom event properties that are running on the system. The file can be downloaded and parsed with any text editor or spreadsheet program.
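The export can also be parsed programmatically, which is the practical way to review it at scale: a CEP regex runs against every event of its log source type, so an administrator usually wants to know which properties are enabled per log source type and which regexes are malformed or extract nothing. The following script is an added example, not part of the IBM article: it parses the pipe-delimited CSV that the \COPY command above writes, summarizes enabled and disabled properties per log source type, and flags regexes that do not compile or have no capture group. The sample export embedded in the script is constructed, and the column order follows the query (property name, regex, log source type, enabled). Python's re module is used only as a sanity check; QRadar evaluates the patterns with Java's regex engine, so a pattern that compiles here is not guaranteed to behave identically on the console.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the format the psql \COPY command produces: pipe-delimited CSV
# with a header row. The CSV writer double-quotes any field that itself contains '|'.
# In practice, read the real file from /store/IBM_Support/Property_Export-<date>.csv.
SAMPLE_EXPORT = r'''property_name|regex|log_source_type|enabled
Username|user=(\S+)|Linux OS|Enabled
Source Port|sport=(\d+)|Cisco ASA|Disabled
Process ID|"(?:sshd|login)\[(\d+)\]"|Linux OS|Enabled
Broken|user=(\S+|Linux OS|Enabled
No Group|Accepted password|Linux OS|Enabled
'''


def parse_export(text):
    """Parse the export into a list of dicts; column order matches the SELECT in the query."""
    reader = csv.reader(io.StringIO(text), delimiter="|", quotechar='"')
    next(reader, None)  # skip the header row written by CSV HEADER
    rows = []
    for fields in reader:
        if len(fields) != 4:
            continue  # blank or malformed line
        name, regex, ls_type, enabled = fields
        rows.append({
            "name": name,
            "regex": regex,
            "log_source_type": ls_type,
            "enabled": enabled == "Enabled",
        })
    return rows


def summarize(rows):
    """Count enabled and disabled properties per log source type."""
    summary = defaultdict(lambda: {"enabled": 0, "disabled": 0})
    for row in rows:
        key = "enabled" if row["enabled"] else "disabled"
        summary[row["log_source_type"]][key] += 1
    return dict(summary)


def audit_regexes(rows):
    """Flag regexes that fail to compile and regexes with no capture group to extract from.

    Python's re is a proxy for QRadar's Java regex engine: treat results as a first pass.
    """
    findings = {"invalid_regex": [], "no_capture_group": []}
    for row in rows:
        try:
            pattern = re.compile(row["regex"])
        except re.error:
            findings["invalid_regex"].append(row["name"])
            continue
        if pattern.groups == 0:
            findings["no_capture_group"].append(row["name"])
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with open(path).read() to review a real export.
    props = parse_export(SAMPLE_EXPORT)
    for ls_type, counts in sorted(summarize(props).items()):
        print(f"{ls_type}: {counts['enabled']} enabled, {counts['disabled']} disabled")
    for kind, names in audit_regexes(props).items():
        if names:
            print(f"{kind}: {', '.join(names)}")
```

Because the regex column can contain the pipe character, the script relies on the csv module's quote handling rather than splitting on '|'; a naive split would break alternations such as the "Process ID" pattern in the sample.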
11 May 2023