IBM Support

QRadar: How to check enabled or disabled properties by using the CLI

How To


Summary

This article explains, step by step, how to review all properties on the system for all log source types by using the command line. This process is useful if the administrator wants to check or even export the Custom Event Property (CEP) information from QRadar.

Steps

  1. SSH to the QRadar console as a root user.
  2. Run the following command to create the directory where the information is saved:
    mkdir -p /store/IBM_Support/
  3. Run the next command to copy the Event Property information to a file:
    psql -U qradar -c "\COPY (select propertyname Property_Name,regex Regex,devicetypedescription Log_Source_Type, CASE WHEN enabled ='t' THEN 'Enabled' ELSE 'Disabled' END as Enabled from ariel_property_view) TO '/store/IBM_Support/Property_Export-$(date +%F).csv' WITH DELIMITER '|' CSV HEADER;"
    • psql -U qradar -c: This section runs a Postgres query from outside of the database by using the command line.
    • \COPY: This section invokes COPY FROM STDIN or COPY TO STDOUT, and then fetches or stores the data in a file accessible to the user who runs the command.
    • TO '/store/IBM_Support/Property_Export-$(date +%F).csv': This section sends the output to a file called Property_Export-<date>.csv located in the path /store/IBM_Support/.
    • WITH DELIMITER '|' CSV HEADER: This section establishes that the output file is a CSV file where every column is delimited with pipes.
  4. Check the output file stored in /store/IBM_Support/. The file has pipe-separated fields: the first value is the property name, the second is the regex that is used by the property, the third is the log source type, and the fourth shows whether the property is enabled.

    Result
    Administrators have a list of properties that are running on the system. The file can be downloaded and parsed with any text editor or spreadsheet program.
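
The following Python script is an added example, not part of the original IBM article, that parses the export and counts enabled and disabled properties per log source type. It uses a CSV parser instead of splitting on "|" because property regexes often contain pipes, which PostgreSQL writes as quoted fields; the sample data and property names are constructed, and the lowercase header names are an assumption based on PostgreSQL folding unquoted column aliases to lowercase.

```python
import csv
import io
import sys
from collections import Counter, defaultdict

# Constructed sample in the format written by the \COPY command above
# (pipe delimiter, CSV quoting, header row). Not real QRadar data.
SAMPLE_EXPORT = r'''property_name|regex|log_source_type|enabled
Example_User|user=(\S+)|Linux OS|Enabled
Example_Action|"action=(allow|deny)"|Example Firewall|Disabled
Example_Quoted|"msg=""([^""]+)"""|Example Firewall|Enabled
Example_Old||Linux OS|Disabled
'''

def parse_export(text):
    """Parse the export; quoted regexes that contain '|' or '"' stay intact."""
    reader = csv.DictReader(io.StringIO(text, newline=""),
                            delimiter="|", quotechar='"')
    rows = []
    for row in reader:
        if None in row or None in row.values():
            # Wrong number of columns: file was edited or is not CSV-quoted.
            raise ValueError(f"malformed row near line {reader.line_num}")
        # Header case is normalized so the lookups below do not depend on it.
        rows.append({key.lower(): value for key, value in row.items()})
    return rows

def summarize(rows):
    """Return {log source type: {'Enabled': n, 'Disabled': m}}."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row["log_source_type"]][row["enabled"]] += 1
    return {source: dict(states) for source, states in counts.items()}

def disabled_properties(rows):
    """Return sorted (log source type, property name) pairs that are disabled."""
    return sorted((row["log_source_type"], row["property_name"])
                  for row in rows if row["enabled"] == "Disabled")

if __name__ == "__main__":
    # Usage: script.py /store/IBM_Support/Property_Export-<date>.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as handle:
            data = handle.read()
    else:
        data = SAMPLE_EXPORT
    parsed = parse_export(data)
    for source, states in sorted(summarize(parsed).items()):
        print(source, states)
    for source, name in disabled_properties(parsed):
        print("DISABLED:", source, name)
```
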

Document Location

Worldwide

Document Information

Modified date:
11 May 2023

UID

ibm16987839