On QRadar you may need, or simply prefer, to back up only the log sources rather than the entire configuration. In that case the table below can be used: take the value from the Text identifier column and put it into the --content-type argument of the command below (the part marked in red in the original post), and the tool exports only that content type.
./contentManagement.pl --action export --content-type sensordevice --id all
Custom content type             | Text identifier        | Numeric identifier
Dashboards                      | dashboard              | 4
Reports                         | report                 | 10
Saved searches                  | search                 | 1
FGroups                         | fgroup                 | 12
FGroup types                    | fgrouptype             | 13
Custom rules                    | customrule             | 3
Custom properties               | customproperty         | 6
Log sources                     | sensordevice           | 17
Log source types                | sensordevicetype       | 24
Log source categories           | sensordevicecategory   | 18
Log source extensions           | deviceextension        | 16
Reference data collections      | referencedata          | 28
Custom QID map entries          | qidmap                 | 27
Historical correlation profiles | historicalsearch       | 25
Custom functions                | custom_function        | 77
Custom actions                  | custom_action          | 78
Applications                    | installed_application  | 100
DSM event mapping               | dsmevent               | 41
[root@host ~]# cd /opt/qradar/bin/
[root@host bin]# ./contentManagement.pl --action export --content-type sensordevice --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 19:48:59
[INFO] Starting export process
[INFO] Processing Export: content-type sensordevice id all
[INFO] Exporting content of type [sensordevice] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensordevicetype - [35]
[INFO] - sensorprotocolconfigparameters - [466]
[INFO] - sensorprotocolconfig - [22]
[INFO] - sensorprotocol - [7]
[INFO] - sensordeviceprotocols - [75]
[INFO] - sensordevicecategory - [5]
[INFO] - sensordevice - [201]
[INFO] - device_ext - [1]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/sensordevice-ContentExport-20181218194900.zip
[root@host bin]# ./contentManagement.pl --action export --content-type sensordevicetype --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 19:50:33
[INFO] Starting export process
[INFO] Processing Export: content-type sensordevicetype id all
[INFO] Exporting content of type [sensordevicetype] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [18]
[INFO] - sensordevicetype - [356]
[INFO] - sensorprotocolconfigparameters - [715]
[INFO] - sensorprotocolconfig - [41]
[INFO] - sensorprotocol - [64]
[INFO] - sensordeviceprotocols - [1039]
[INFO] - sensordevicecategory - [6]
[INFO] - sensordevice - [201]
[INFO] - device_ext - [1]
[INFO] - ariel_property_expression - [581]
[INFO] - ariel_regex_property - [273]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/sensordevicetype-ContentExport-20181218195034.zip
[root@host bin]# ./contentManagement.pl --action export --content-type customrule --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 20:01:15
[INFO] Starting export process
[INFO] Processing Export: content-type customrule id all
[INFO] Exporting content of type [custom_rule] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [6]
[INFO] - ade_custom_rule_view - [1]
[INFO] - qidmap - [304]
[INFO] - reference_data_rules - [97]
[INFO] - sensordevicetype - [50]
[INFO] - sensorprotocolconfigparameters - [206]
[INFO] - sensorprotocolconfig - [10]
[INFO] - sensorprotocol - [4]
[INFO] - sensordeviceprotocols - [68]
[INFO] - sensordevicecategory - [4]
[INFO] - sensordevice - [16]
[INFO] - device_ext - [1]
[INFO] - fgroup_type - [1]
[INFO] - fgroup - [4]
[INFO] - fgroup_link - [196]
[INFO] - ariel_property_expression - [79]
[INFO] - ariel_regex_property - [22]
[INFO] - reference_data - [77]
[INFO] - offense_type - [13]
[INFO] - custom_rule - [740]
[INFO] - customviewparams - [1]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/custom_rule-ContentExport-20181218200115.zip
[root@host bin]# ./contentManagement.pl --action import -f sensordevice-ContentExport-20181218194900.xml
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 20:18:11
[INFO] Starting import process
[INFO] Summary of content found in bundle:
[INFO] Content Type - [Number of items]
[INFO] - sensordevice - [201]
[INFO] - sensordeviceprotocols - [75]
[INFO] - sensorprotocolconfigparameters - [466]
[INFO] - sensorprotocolconfig - [22]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensorprotocol - [7]
[INFO] - sensordevicetype - [35]
[INFO] - device_ext - [1]
[INFO] Summary of import/update operation:
[INFO] Content Type - [Number of items]
[INFO] Imported/Updated Content Summary -
[INFO] - sensorprotocolconfigparameters - [32]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensordevice - [3]
[INFO] - sensorprotocolconfig - [3]
[INFO] Skipped Content Summary -
[INFO] - sensorprotocolconfigparameters - [419]
[INFO] - sensorprotocol - [7]
[INFO] - sensordevicetype - [35]
[INFO] - sensordevice - [197]
[INFO] - device_ext - [1]
[INFO] - sensorprotocolconfig - [18]
[INFO] - sensordeviceprotocols - [75]
[INFO] Failed Content Summary -
[INFO] - sensorprotocolconfigparameters - [15]
[INFO] - sensordevice - [1]
[INFO] - sensorprotocolconfig - [1]
[INFO] Reloading sytem components, please wait
[INFO] Sending component reload notification
[INFO] FINISHED: The import process is completed. Please check the summary for status and allow several minutes for components to finish reloading.
[root@host bin]#
Updating all content
To update content that was imported earlier, or content that already exists on the system, the update action is used with the exported bundle:
[root@host bin]# ./contentManagement.pl --action update -f all-ContentExport-20181219194014.zip
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-19 21:02:42
[INFO] Starting update process
[INFO] Compression Type: Zip
[INFO] Extracting compressed archive [/opt/qradar/bin/all-ContentExport-20181219194014.zip] to:[/store/tmp/cmt/out/all-ContentExport-20181219194014]
[INFO] Summary of content found in bundle:
[INFO] Content Type - [Number of items]
[INFO] - dsmevent - [14]
[INFO] - installed_application - [11]
[INFO] - custom_function - [3]
[INFO] - historical_search - [1]
[INFO] - fgroup_link - [1196]
[INFO] - dashboard - [52]
[INFO] - accumulator_references - [160]
[INFO] - reference_data_rules - [97]
[INFO] - retention - [22]
[INFO] - ade_custom_rule_view - [1]
[INFO] - customviewparams - [163]
[INFO] - assetpropertytype - [34]
[INFO] - saved_search - [9]
[INFO] - custom_rule - [740]
[INFO] - fgroup - [78]
[INFO] - dsm_version - [354]
[INFO] - ariel_property_expression - [596]
[INFO] - sensordevice - [201]
[INFO] - sensordeviceprotocols - [1039]
[INFO] - sourcepayloadclassmapping - [61]
[INFO] - sensorprotocolconfigparameters - [716]
[INFO] - sensorprotocolconfig - [42]
[INFO] - sensorprotocolstatus - [21]
[INFO] - sensorprotocol - [65]
[INFO] - fgroup_type - [13]
[INFO] - reference_data - [93]
[INFO] - offense_type - [28]
[INFO] - ariel_calculated_property - [1]
[INFO] - ariel_regex_property - [288]
[INFO] - qidmap - [584]
[INFO] - sensordevicetype - [356]
[INFO] - device_ext - [1]
[INFO] - application_zip - [10]
[INFO] - report - [128]
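The export command at the top of the post and the import/update runs above together make a backup procedure. The script below, an added example that is not from the original post, wraps that procedure for unattended use and adds the check a practitioner wants: the import output above ends with FINISHED even though 17 items (15 sensorprotocolconfigparameters, 1 sensordevice, 1 sensorprotocolconfig) are listed under Failed Content Summary, so a job that only looks at the tool's exit status would report a successful restore. The script assumes the tool path /opt/qradar/bin/contentManagement.pl shown in the post and that it runs as root on the console; the log sample inside it is constructed to mirror the import output above, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper around
# contentManagement.pl for scheduled exports, plus a check that fails the job
# when an import/update log lists items under "Failed Content Summary".
# The tool still prints FINISHED in that case, so its exit status alone is
# not a reliable signal. Tool path is the one used in the post (assumed).
CMT="${CMT:-/opt/qradar/bin/contentManagement.pl}"

# Text identifiers from the table above (a subset; add more as needed).
CMT_TYPES="sensordevice sensordevicetype customrule customproperty referencedata qidmap"

# Print the export command line for one text identifier (review it or pipe to sh).
cmt_export_cmd() {
    printf '%s --action export --content-type %s --id all\n' "$CMT" "$1"
}

# Export each type in CMT_TYPES into its own bundle, one log file per type.
# Returns 2 when the tool is absent (e.g. run off-box), 1 on the first failure.
cmt_backup_all() {
    logdir="$1"
    [ -x "$CMT" ] || { echo "contentManagement.pl not found at $CMT" >&2; return 2; }
    for t in $CMT_TYPES; do
        # The post runs the tool from /opt/qradar/bin and the bundles land there.
        (cd "$(dirname "$CMT")" && "$CMT" --action export --content-type "$t" --id all) \
            >"$logdir/export-$t.log" 2>&1 || return 1
    done
}

# Sum the item counts under "Failed Content Summary" in an import/update log.
# The section ends at the first line that is not an "[INFO] - <type> - [N]" entry.
cmt_failed_count() {
    awk '
        /Failed Content Summary/            { infail = 1; next }
        infail && !/^\[INFO\] - /           { infail = 0 }
        infail && match($0, /\[[0-9]+\]$/)  { total += substr($0, RSTART + 1, RLENGTH - 2) }
        END                                 { print total + 0 }
    ' "$1"
}

# Return 0 when the log reports no failed items, 1 otherwise (for cron/CI use).
cmt_check_import() {
    n=$(cmt_failed_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n item(s) failed to import; inspect the log before trusting the restore" >&2
        return 1
    fi
    echo "$1: import clean"
}

# Constructed sample that mirrors the import output in the post (not a real capture).
sample_import_log() {
    cat <<'EOF'
[INFO] Summary of import/update operation:
[INFO] Content Type - [Number of items]
[INFO] Imported/Updated Content Summary -
[INFO] - sensorprotocolconfigparameters - [32]
[INFO] - sensordevice - [3]
[INFO] Skipped Content Summary -
[INFO] - sensordevice - [197]
[INFO] Failed Content Summary -
[INFO] - sensorprotocolconfigparameters - [15]
[INFO] - sensordevice - [1]
[INFO] - sensorprotocolconfig - [1]
[INFO] Reloading sytem components, please wait
[INFO] FINISHED: The import process is completed.
EOF
}

# Usage:  sh cmt_backup.sh export /var/log/cmt     (run the exports)
#         sh cmt_backup.sh check  import.log       (gate on the import result)
case "${1:-}" in
    export) cmt_backup_all "${2:-.}" ;;
    check)  cmt_check_import "$2" ;;
esac
```

Run the check against the log captured from the import or update step before treating the restore as done; with the sample above it reports 17 failed items and exits non-zero, which is what a cron job or pipeline should see.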