QRadar: Using the command

What is the utility in /opt/qradar/support and how do administrators use it?


Warning: Using this utility as a file manipulation tool can be destructive and have far-reaching consequences. Use extra caution when using this tool for file manipulation. When in doubt, contact Customer Support for guidance.

The command is a powerful tool that can issue commands to all QRadar appliances within your deployment.
  • To display all help options for the script, type: /opt/qradar/support/ -h
  • To move a file to all appliances in the deployment, type: /opt/qradar/support/ -p <file>

    NOTE: In QRadar 7.2.8 this option copies files to /tmp. In QRadar 7.3 versions it copies the file to /storetmp. In QRadar 7.3 the -p option also checks disk space before copying: if disk use is over 85% on a Console or 95% on a Managed Host, an error is returned and the copy is halted before the file transfer begins. If a file cannot be copied to a specific host because of space issues, use scp to transfer the file to any host for which the script returns an error message.
  • When used with the -p option in QRadar 7.3 versions, the -r option allows you to choose an alternative remote directory.
    Example: /opt/qradar/support/ -p <file> -r <remote_directory>
    Note: This feature is only available in QRadar 7.3.x script versions.
  • The command /opt/qradar/support/ -g will copy a remote file from all appliances. This option can be used for getting copies of files or logs from all appliances.
  • To check disk space and have the output that is redirected to a file, use the following command:
    /opt/qradar/support/ -C "df -h" > DiskSpace.txt
    	Appliance Type: 3100 Product Version:
    	13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
    	Filesystem    Size   Used   Avail  Use%   Mounted on
    	/dev/sda7     20G    16G    3.2G   83%    /
    	tmpfs         31G    0      31G    0%     /dev/shm
    	/dev/sda1     93M    47M    42M    54%    /boot
    	/dev/sda8     145G   20G    126G   14%    /store
    	/dev/sda6     9.7G   1.5G   7.8G   16%    /store/tmp
    	/dev/sda9     38G    36M    38G    1%     /store/transient
    	/dev/sda5     9.8G   1.3G   8.0G   14%    /var/log
    	/dev/sda3     6.0G   3.5G   2.2G   62%    /recovery
  • To locate a specific string within the /var/log/qradar.log file on all QRadar appliances, a command like the following can be used. In this example, we are searching for the word deploy:

    /opt/qradar/support/ -C 'grep -i "deploy" /var/log/qradar.log | tail -n 10'

    The command above returns the last 10 matching entries from the /var/log/qradar.log file on every appliance, showing the logged deploy changes.
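The -C "df -h" output above concatenates one block per appliance, which is tedious to read in a large deployment. The following shell function is an added example, not part of the IBM article or the script itself: it parses a DiskSpace.txt file in the format shown and lists every filesystem at or above a usage threshold, defaulting to the 85% Console limit the note on -p mentions. The sample input is constructed from the page's output plus a second, hypothetical 1600 appliance block.

```bash
#!/bin/bash
# Constructed sample of the file produced by redirecting the -C "df -h" output
# (DiskSpace.txt). The second appliance block (type 1600) is hypothetical and
# only there to show that blocks from several appliances are handled.
SAMPLE_DISKSPACE='Appliance Type: 3100 Product Version:
13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    16G    3.2G   83%    /
/dev/sda8     145G   20G    126G   14%    /store
/dev/sda5     9.8G   1.3G   8.0G   14%    /var/log
Appliance Type: 1600 Product Version:
09:12:44 up 40 days, 2 users, load average: 0.40, 0.38, 0.31
Filesystem    Size   Used   Avail  Use%   Mounted on
/dev/sda7     20G    19G    1.0G   96%    /
/dev/sda8     145G   20G    126G   14%    /store'

# Read the DiskSpace.txt format on stdin and print
#   "<appliance type> <filesystem> <mount point> <use%>"
# for each filesystem whose Use% is at or above $1 (default 85, the Console
# threshold mentioned for the -p disk space check).
report_full_filesystems() {
  threshold="${1:-85}"
  awk -v limit="$threshold" '
    # Each "Appliance Type:" header starts a new appliance block; remember its type.
    /^Appliance Type:/ { appliance = $3; next }
    # Skip the df column header.
    /^Filesystem/ { next }
    # A df data row has the Use% value in column 5; the uptime line does not.
    $5 ~ /%$/ {
      pct = substr($5, 1, length($5) - 1) + 0
      if (pct >= limit) print appliance, $1, $6, pct "%"
    }
  '
}

# Usage against the constructed sample (in practice: report_full_filesystems 85 < DiskSpace.txt)
printf '%s\n' "$SAMPLE_DISKSPACE" | report_full_filesystems 85
```

Lower the threshold (for example 80) to include the 83% root filesystem from the page's own output.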

02 April 2021