QRadar: How to use the zgrep to search logs contents of a compressed file without uncompressing it

link之家

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

帅呆的小马驹 · 最新披露！“唐山烧烤店打人案”保护伞马爱军获 ...· 1 周前 ·

私奔的炒饭 · 亚盛医药「奥雷巴替尼」治疗SDH缺陷型GIS ...· 2 月前 ·

豪爽的生菜 · 苹果手机和Windows之间互传文件 - ...· 2 月前 ·

重情义的蟠桃 · 汉、唐“冠军版”来了，价格定了！比亚迪官宣： ...· 1 年前 ·

旅途中的柿子 · 《再见，我的灵魂伴侣》解析2：为什么男友跟闺 ...· 1 年前 ·

To return expected results, you can:

Reduce the number of search terms. Each term you use focuses the search further.

Check your spelling. A single misspelled or incorrectly typed term can change your result.

Try substituting synonyms for your original terms. For example, instead of searching for "java classes", try "java training"

Did you search for an IBM acquired or sold product ? If so, follow the appropriate link below to find the content you need.

The zgrep command allows to use the same options as grep . Zgrep can be combined with grep and substitute wildcards for the file name. All of the logs can be searched in a directory at once. For example, the administrator can simultaneously search on /var/log/ , / var/log/audit and /var/log/qradar.old for content at the same time.
To search more efficiently, follow these steps.

SSH to the QRadar Console.

Determine which files contain the string the admin is looking for by including the -c switch. The -c switch gives the count of occurrences of the string.


    cd /var/log
zgrep -ci '<search string>' $(ls /var/log/ | grep "qradar\.error\..*\gz")


    cd /var/log/qradar.old
zgrep -ci '<search string>' $(ls /var/log/qradar.old/ | grep "qradar\.log\..*\gz")


    cd /var/log/audit
zgrep -ci '<search string>' $(ls /var/log/audit/ | grep ".*\.*\..*\gz")

As an example to search for occurrences of the user "example_user" and how many entries per file:


    [root@qr_example tmp]# cd /var/log/audit
[root@qr_example audit]# zgrep -ci 'example_user' $(ls /var/log/audit/ | grep "audit\.*\..*\gz")
audit-healthconsole.log:0
audit-healthconsole.log.1.gz:0
audit.log:1
audit.log.1.gz:44
audit.log.2.gz:0
audit.log.3.gz:0
audit.log.4.gz:52

The administrator can review the file counts from using the -c switch to determine how to view those entries. The administrator can either:

For limited number of entries (100 entries), remove the -c switch and add | less at the end:


    cd /var/log
zgrep -i 'example_user' $(ls /var/log/ | grep ".*\.*\..*\gz") | less


    If the count returns several thousand entries, The administrator can view them on one file at a time:
    
     zgrep -i ‘<search string>' <full path to file> | less


    To add the entries to a file to review later or add to a support ticket, do the following:
    
     zgrep -i 'example_user' $(ls /var/log/ | grep ".*\.*\..*\gz") > /tmp/example_user.txt
    
    
     Result
    
    
     The administrator can now easily review compressed log entries without decompressing it
    
    [{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]