IBM Support

QRadar: Using the all_servers.sh command

Question & Answer


Question

What is the all_servers.sh utility in /opt/qradar/support and how do administrators use it?

Answer

Warning: Using all_servers.sh as a file manipulation tool can be destructive and could have consequential results. Use extra caution when using this tool for file manipulation. When in doubt, contact Customer Support for guidance.

The all_servers.sh command is a powerful tool that can issue commands to all QRadar appliances within your deployment.
  • To display all help options for the all_servers.sh script, type: /opt/qradar/support/all_servers.sh -h
     
  • To move a file to all appliances in the deployment, type: /opt/qradar/support/all_servers.sh -p <file>

    NOTE: This option copies files to /tmp in QRadar 7.2.8. In QRadar 7.3 versions, all_servers.sh copies the file to /storetmp. In QRadar 7.3, the -p option also performs a disk space check. If the available space is over 85% on a Console or 95% on a Managed Host, an error is returned. If disk space is unavailable, the copy function is halted before the file transfer begins. If a file cannot be copied to a specific host due to space issues, use scp to transfer the file to any hosts where all_servers.sh provides an error message.
     
  • When used with the -p option in QRadar 7.3 versions, the -r option allows you to choose an alternative remote directory.
    Example: /opt/qradar/support/all_servers.sh -p <file> -r <remote_directory>
    Note: This feature is only available in QRadar 7.3.x script versions.
     
  • The command /opt/qradar/support/all_servers.sh -g will copy a remote file from all appliances. This option can be used for getting copies of files or logs from all appliances.
     
  • To check disk space and redirect the output to a file, use the following command:
    /opt/qradar/support/all_servers.sh -C "df -h" > DiskSpace.txt
     
    	192.168.0.75 -> QRadar728.ibm.com
    
    	Appliance Type: 3100 Product Version: 7.2.8.20171213225424
    	13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
    	------------------------------------------------------------------------
    	Filesystem    Size   Used   Avail  Use%   Mounted on
    	/dev/sda7     20G    16G    3.2G   83%    /
    	tmpfs         31G    0      31G    0%     /dev/shm
    	/dev/sda1     93M    47M    42M    54%    /boot
    	/dev/sda8     145G   20G    126G   14%    /store
    	/dev/sda6     9.7G   1.5G   7.8G   16%    /store/tmp
    	/dev/sda9     38G    36M    38G    1%     /store/transient
    	/dev/sda5     9.8G   1.3G   8.0G   14%    /var/log
    	/dev/sda3     6.0G   3.5G   2.2G   62%    /recovery
    
    
  • To locate a specific string within the /var/log/qradar.log file on all QRadar appliances, a command like the following can be used. In this example, we are searching for the word deploy:

    /opt/qradar/support/all_servers.sh -C 'grep -i "deploy" /var/log/qradar.log | tail -n 10'

    The command above returns the last 10 matching entries in the /var/log/qradar.log file on each appliance, showing logged deploy changes.
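
The following added example (not part of the IBM document and not IBM code) parses the DiskSpace.txt file saved by the df -h command above and lists each filesystem at or above a usage threshold, so that nearly full hosts can be found before a -p copy is attempted. It assumes the output layout shown on this page; the function names, the second host and its device name in the sample data are constructed, and the default threshold of 85 follows the Console figure in the note above (pass 95 for the Managed Host figure).

```shell
#!/bin/sh
# Added example (not IBM code): list filesystems at or above a usage
# threshold in saved `all_servers.sh -C "df -h"` output.

# flag_full_filesystems FILE [THRESHOLD]   (THRESHOLD defaults to 85)
# Prints "host mountpoint use%" for every filesystem with Use% >= THRESHOLD.
flag_full_filesystems() {
    awk -v limit="${2:-85}" '
        # Host header, e.g. "192.168.0.75 -> QRadar728.ibm.com"
        $2 == "->" { host = $3; next }
        # df data row: second-to-last field is NN%, last is the mount point.
        # This also matches rows that df wrapped after a long device name.
        NF >= 2 && $(NF-1) ~ /^[0-9]+%$/ {
            use = $(NF-1); sub(/%/, "", use)
            if (use + 0 >= limit + 0) print host, $NF, $(NF-1)
        }
    ' "$1"
}

# write_sample FILE: constructed sample input. The first host reuses rows
# from the output shown above; the second host is invented for the example.
write_sample() {
    cat > "$1" <<'EOF'
192.168.0.75 -> QRadar728.ibm.com

Appliance Type: 3100 Product Version: 7.2.8.20171213225424
13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
------------------------------------------------------------------------
Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    16G    3.2G   83%    /
/dev/sda6     9.7G   1.5G   7.8G   16%    /store/tmp
192.0.2.10 -> mh01.example.com

Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    19G    0.8G   96%    /
/dev/mapper/storerhel-storetmp
              9.7G   8.5G   1.2G   88%    /store/tmp
EOF
}

# Usage: sh this_script.sh DiskSpace.txt [threshold]
if [ "$#" -gt 0 ]; then
    flag_full_filesystems "$@"
fi
```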



Document Information

Modified date:
02 April 2021

UID

swg21978283