The zgrep command accepts the same options as grep. Zgrep can be combined with grep, and wildcards can be substituted for the file name, so all of the logs in a directory can be searched at once. For example, the administrator can simultaneously search /var/log/, /var/log/audit and /var/log/qradar.old for content.
To search more efficiently, follow these steps.
SSH to the QRadar Console.
Determine which files contain the string you are looking for by including the -c switch, which gives the count of occurrences of the string in each file. zgrep reads plain and gzip-compressed files alike, so a wildcard covers the current log and its rotated copies in one pass:
cd /var/log
zgrep -ci '<search string>' qradar.error*
cd /var/log/qradar.old
zgrep -ci '<search string>' qradar.log*
cd /var/log/audit
zgrep -ci '<search string>' audit*
As an example, to search for occurrences of the user "example_user" and see how many entries exist per file:
[root@qr_example tmp]# cd /var/log/audit
[root@qr_example audit]# zgrep -ci 'example_user' $(ls /var/log/audit/ | grep "audit\.*\..*\gz")
audit-healthconsole.log:0
audit-healthconsole.log.1.gz:0
audit.log:1
audit.log.1.gz:44
audit.log.2.gz:0
audit.log.3.gz:0
audit.log.4.gz:52
The administrator can review the per-file counts returned by the -c switch to decide how to view those entries. The administrator can either:
For a limited number of entries (around 100), remove the -c switch and pipe the output to less:
cd /var/log
zgrep -i 'example_user' *.gz | less
If the count returns several thousand entries, the administrator can view them one file at a time:
zgrep -i '<search string>' <full path to file> | less
To save the entries to a file to review later or attach to a support ticket, run the following:
zgrep -i 'example_user' /var/log/*.gz > /tmp/example_user.txt
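The count-then-extract workflow above, packaged as a small POSIX shell helper. This is an added example, not code from the IBM page: it reports per-file match counts across plain and gzip-compressed logs (omitting files with no hits), sums them so the administrator can choose between paging everything and going file by file, and writes a combined extract for a ticket. Directory, pattern and glob are hypothetical parameters; the sample log files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: count-then-extract workflow with zgrep over a log directory.
# zgrep reads plain and .gz files alike, so one glob covers the current log
# and its rotated, compressed copies.

# count_matches DIR PATTERN GLOB
# Prints "file:count" for each file under DIR matching GLOB that contains
# PATTERN (case-insensitive). Files with zero hits are skipped so only the
# files worth opening are listed. GLOB is deliberately left unquoted so the
# shell expands it inside DIR.
count_matches() {
    dir=$1; pattern=$2; glob=$3
    ( cd "$dir" || exit 1
      for f in $glob; do
          [ -f "$f" ] || continue
          n=$(zgrep -ci -e "$pattern" "$f")
          if [ "${n:-0}" -gt 0 ]; then
              printf '%s:%s\n' "$f" "$n"
          fi
      done
      true )
}

# total_matches DIR PATTERN GLOB
# Sums the per-file counts: a few hundred can be paged through less at once,
# several thousand are better reviewed one file at a time.
total_matches() {
    count_matches "$1" "$2" "$3" | awk -F: '{ s += $NF } END { print s + 0 }'
}

# extract_matches DIR PATTERN GLOB OUTFILE
# Writes every matching line, prefixed with its file name (-H), to OUTFILE
# for later review or a support ticket, and prints the number of lines saved.
extract_matches() {
    dir=$1; pattern=$2; glob=$3; out=$4
    ( cd "$dir" || exit 1
      zgrep -iH -e "$pattern" $glob ) > "$out"
    wc -l < "$out" | tr -d ' '
}
```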
Result
The administrator can now easily review compressed log entries without decompressing them.