Question & Answer
Question
How do you find out when and who performed deploy actions in QRadar?
Cause
This can be caused by a user deploying changes.
Answer
There are two methods to determine whether a deploy has been performed and who initiated it.
From the QRadar UI
- Click the Log Activity tab
- Create a Log Activity search using filters as follows:
- For Deploy changes:
QID Equals 28250146
Log Source Equals Sim Audit-2
- For Deploy Full Configuration:
QID Equals 28250147
Log Source Equals Sim Audit-2
- Adjust the Time Range as appropriate to see who performed a deploy action on a specific day.
From Console command line:
- Connect to the Console by using an SSH session.
- For Deploy changes:
grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployChanges | grep -v grep | grep '<date>'
- For Deploy Full Configuration:
grep 'QRadar.scheduleDeployment' /var/log/audit/audit.log | grep DeployFullConfiguration | grep -v grep | grep '<date>'
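The two command-line searches above combined into a single pass that labels each entry by deploy type, as an added example that is not part of the IBM technote. The function name deploy_audit and the sample log lines are constructed for illustration; the layout of real audit.log entries is not shown on this page and is assumed here.

```shell
#!/bin/sh
# Added example, not IBM's code. One pass over the audit log that labels each
# QRadar.scheduleDeployment entry as CHANGES or FULL, optionally limited to DATE.
# DATE is matched as a fixed string, exactly as it is written in the log.

# deploy_audit LOGFILE [DATE]  -> prints "TYPE<TAB>original line"
deploy_audit() {
    awk -v day="${2:-}" '
        index($0, "QRadar.scheduleDeployment") == 0 { next }   # not a deploy entry
        day != "" && index($0, day) == 0            { next }   # outside requested date
        index($0, "DeployFullConfiguration") { print "FULL\t" $0; next }
        index($0, "DeployChanges")           { print "CHANGES\t" $0 }
    ' "$1"
}

# Constructed sample lines. The field layout, user names and the
# "Example.otherAction" entry are assumptions; real entries carry more fields.
sample_log() {
    cat <<'EOF'
Jun 15 22:01:10 alice@198.51.100.7 QRadar.scheduleDeployment [DeployChanges]
Jun 16 09:14:02 bob@198.51.100.9 QRadar.scheduleDeployment [DeployFullConfiguration]
Jun 16 09:20:45 alice@198.51.100.7 Example.otherAction [Other]
Jun 16 17:30:00 alice@198.51.100.7 QRadar.scheduleDeployment [DeployChanges]
EOF
}

# Demo on the constructed sample: both deploy types for one day.
tmp=$(mktemp)
sample_log > "$tmp"
deploy_audit "$tmp" 'Jun 16'
rm -f "$tmp"

# On a Console: deploy_audit /var/log/audit/audit.log '<date>'
```

Omitting the date argument lists every deploy entry in the file, which helps when the exact day of the change is not yet known.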
Where do you find more information?
Document Information
Modified date:
16 June 2018
UID
swg21991404