On QRadar you may need, or simply want, to back up only the log sources instead of the whole configuration. In that case we can use the table below. It is enough to put the identifier from the Text identifier column of the table into the part of the command below that I marked in red (the value given to --content-type).

./contentManagement.pl --action export --content-type sensordevice --id all

 

| Custom content type | Text identifier | Numeric identifier |
|---|---|---|
| Dashboards | dashboard | 4 |
| Reports | report | 10 |
| Saved searches | search | 1 |
| FGroups | fgroup | 12 |
| FGroup types | fgrouptype | 13 |
| Custom rules | customrule | 3 |
| Custom properties | customproperty | 6 |
| Log sources | sensordevice | 17 |
| Log source types | sensordevicetype | 24 |
| Log source categories | sensordevicecategory | 18 |
| Log source extensions | deviceextension | 16 |
| Reference data collections | referencedata | 28 |
| Custom QID map entries | qidmap | 27 |
| Historical correlation profiles | historicalsearch | 25 |
| Custom functions | custom_function | 77 |
| Custom actions | custom_action | 78 |
| Applications | installed_application | 100 |
| DSM event mapping | dsmevent | 41 |

 

[root@qradar ~]# cd /opt/qradar/bin/
[root@qradar bin]# ./contentManagement.pl --action export --content-type sensordevice --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 19:48:59
[INFO] Starting export process
[INFO] Processing Export: content-type sensordevice id all
[INFO] Exporting content of type [sensordevice] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensordevicetype - [35]
[INFO] - sensorprotocolconfigparameters - [466]
[INFO] - sensorprotocolconfig - [22]
[INFO] - sensorprotocol - [7]
[INFO] - sensordeviceprotocols - [75]
[INFO] - sensordevicecategory - [5]
[INFO] - sensordevice - [201]
[INFO] - device_ext - [1]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/sensordevice-ContentExport-20181218194900.zip

 

[root@qradar bin]# ./contentManagement.pl --action export --content-type sensordevicetype --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 19:50:33
[INFO] Starting export process
[INFO] Processing Export: content-type sensordevicetype id all
[INFO] Exporting content of type [sensordevicetype] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [18]
[INFO] - sensordevicetype - [356]
[INFO] - sensorprotocolconfigparameters - [715]
[INFO] - sensorprotocolconfig - [41]
[INFO] - sensorprotocol - [64]
[INFO] - sensordeviceprotocols - [1039]
[INFO] - sensordevicecategory - [6]
[INFO] - sensordevice - [201]
[INFO] - device_ext - [1]
[INFO] - ariel_property_expression - [581]
[INFO] - ariel_regex_property - [273]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/sensordevicetype-ContentExport-20181218195034.zip

 

[root@qradar bin]# ./contentManagement.pl --action export --content-type customrule --id all
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 20:01:15
[INFO] Starting export process
[INFO] Processing Export: content-type customrule id all
[INFO] Exporting content of type [custom_rule] with id [all]
[INFO] Export Summary:
[INFO] Content Type - [Number of items exported]
[INFO] - sensorprotocolstatus - [6]
[INFO] - ade_custom_rule_view - [1]
[INFO] - qidmap - [304]
[INFO] - reference_data_rules - [97]
[INFO] - sensordevicetype - [50]
[INFO] - sensorprotocolconfigparameters - [206]
[INFO] - sensorprotocolconfig - [10]
[INFO] - sensorprotocol - [4]
[INFO] - sensordeviceprotocols - [68]
[INFO] - sensordevicecategory - [4]
[INFO] - sensordevice - [16]
[INFO] - device_ext - [1]
[INFO] - fgroup_type - [1]
[INFO] - fgroup - [4]
[INFO] - fgroup_link - [196]
[INFO] - ariel_property_expression - [79]
[INFO] - ariel_regex_property - [22]
[INFO] - reference_data - [77]
[INFO] - offense_type - [13]
[INFO] - custom_rule - [740]
[INFO] - customviewparams - [1]
[INFO] SUCCESS: Compressed exported bundle can be found here /opt/qradar/bin/custom_rule-ContentExport-20181218200115.zip

 

 

[root@qradar bin]# ./contentManagement.pl --action import -f sensordevice-ContentExport-20181218194900.xml
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-18 20:18:11
[INFO] Starting import process
[INFO] Summary of content found in bundle:
[INFO] Content Type - [Number of items]
[INFO] - sensordevice - [201]
[INFO] - sensordeviceprotocols - [75]
[INFO] - sensorprotocolconfigparameters - [466]
[INFO] - sensorprotocolconfig - [22]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensorprotocol - [7]
[INFO] - sensordevicetype - [35]
[INFO] - device_ext - [1]
[INFO] Summary of import/update operation:
[INFO] Content Type - [Number of items]
[INFO] Imported/Updated Content Summary -
[INFO] - sensorprotocolconfigparameters - [32]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensordevice - [3]
[INFO] - sensorprotocolconfig - [3]
[INFO] Skipped Content Summary -
[INFO] - sensorprotocolconfigparameters - [419]
[INFO] - sensorprotocol - [7]
[INFO] - sensordevicetype - [35]
[INFO] - sensordevice - [197]
[INFO] - device_ext - [1]
[INFO] - sensorprotocolconfig - [18]
[INFO] - sensordeviceprotocols - [75]
[INFO] Failed Content Summary -
[INFO] - sensorprotocolconfigparameters - [15]
[INFO] - sensordevice - [1]
[INFO] - sensorprotocolconfig - [1]
[INFO] Reloading sytem components, please wait
[INFO] Sending component reload notification
[INFO] FINISHED: The import process is completed. Please check the summary for status and allow several minutes for components to finish reloading.
[root@qradar bin]#
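As an added example (not code from the original post or from IBM), the following POSIX shell wrapper ties the two halves of the procedure together: it exports a list of content types from the table with the export command shown at the top, and it parses the Imported/Skipped/Failed sections of an import summary like the one just above, so that a scripted restore stops when items fail (the import above reports 17 failed items, which are easy to overlook in a long log). The tool path /opt/qradar/bin/contentManagement.pl comes from the post; the function names, the CMT variable and the sample log are my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: a small wrapper
# around contentManagement.pl that exports several content types in one go
# and checks an import log for failed items. It assumes the tool lives at
# /opt/qradar/bin/contentManagement.pl (the path used in the post) and that
# the summary lines look like the ones shown on the page, e.g.
#   [INFO] - sensordevice - [3]

CMT="${CMT:-/opt/qradar/bin/contentManagement.pl}"

# Export every content type named on the command line with
# "--action export --content-type <text identifier> --id all".
# Runs from the tool's directory, where the post shows the zip bundle landing.
export_types() {
    for ctype in "$@"; do
        ( cd "$(dirname "$CMT")" && "$CMT" --action export \
              --content-type "$ctype" --id all ) || return 1
    done
}

# Sum the item counts under one section of an import/update summary.
# $1 is a word from the section header: Imported, Skipped or Failed.
# The log is read from stdin.
count_section() {
    awk -v sec="$1" '
        # A "... Content Summary" header opens a section; remember whether it
        # is the one we were asked for.
        /Content Summary/ { cur = (index($0, sec) > 0); next }
        # Item lines end in "- [<count>]"; add the count while in our section.
        cur && /- \[[0-9]+\][ \t]*$/ {
            n = $NF; gsub(/[^0-9]/, "", n); total += n; next
        }
        # Anything else (e.g. "Reloading ... components") closes the section.
        { cur = 0 }
        END { print total + 0 }
    '
}

# Return non-zero when the import log in $1 lists any failed items, so a
# scripted restore does not silently report success after a partial import.
check_import() {
    failed=$(count_section Failed < "$1")
    echo "imported=$(count_section Imported < "$1") skipped=$(count_section Skipped < "$1") failed=$failed"
    [ "$failed" -eq 0 ]
}

# Constructed sample log (shortened from the sensordevice import on the page).
sample_import_log() {
    cat <<'EOF'
[INFO] Summary of import/update operation:
[INFO] Content Type - [Number of items]
[INFO] Imported/Updated Content Summary -
[INFO] - sensorprotocolconfigparameters - [32]
[INFO] - sensorprotocolstatus - [5]
[INFO] - sensordevice - [3]
[INFO] - sensorprotocolconfig - [3]
[INFO] Skipped Content Summary -
[INFO] - sensorprotocolconfigparameters - [419]
[INFO] - sensordevice - [197]
[INFO] Failed Content Summary -
[INFO] - sensorprotocolconfigparameters - [15]
[INFO] - sensordevice - [1]
[INFO] - sensorprotocolconfig - [1]
[INFO] Reloading sytem components, please wait
EOF
}

# Usage on a real system (constructed invocation):
#   export_types sensordevice sensordevicetype customrule
#   ./contentManagement.pl --action import -f <bundle> > import.log && check_import import.log
```

The parser keys only on the section headers and the trailing "[<count>]" of each item line, so it keeps working when new content types appear in the summary; a non-zero exit from check_import is the signal to inspect the failed items before trusting the restored log source configuration.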

 

 

Updating all content

To update content that we imported earlier, or content that already exists, the following command is used.

 

[root@qradar bin]# ./contentManagement.pl --action update -f all-ContentExport-20190319194014.zip
[INFO] Initializing Content Management Tool...
[INFO] (ContentManagementCLI) Start Time: 2018-12-19 21:02:42
[INFO] Starting update process
[INFO] Compression Type: Zip
[INFO] Extracting compressed archive [/opt/qradar/bin/all-ContentExport-20181219194014.zip] to:[/store/tmp/cmt/out/all-ContentExport-20181219194014]
[INFO] Summary of content found in bundle:
[INFO] Content Type - [Number of items]
[INFO] - dsmevent - [14]
[INFO] - installed_application - [11]
[INFO] - custom_function - [3]
[INFO] - historical_search - [1]
[INFO] - fgroup_link - [1196]
[INFO] - dashboard - [52]
[INFO] - accumulator_references - [160]
[INFO] - reference_data_rules - [97]
[INFO] - retention - [22]
[INFO] - ade_custom_rule_view - [1]
[INFO] - customviewparams - [163]
[INFO] - assetpropertytype - [34]
[INFO] - saved_search - [9]
[INFO] - custom_rule - [740]
[INFO] - fgroup - [78]
[INFO] - dsm_version - [354]
[INFO] - ariel_property_expression - [596]
[INFO] - sensordevice - [201]
[INFO] - sensordeviceprotocols - [1039]
[INFO] - sourcepayloadclassmapping - [61]
[INFO] - sensorprotocolconfigparameters - [716]
[INFO] - sensorprotocolconfig - [42]
[INFO] - sensorprotocolstatus - [21]
[INFO] - sensorprotocol - [65]
[INFO] - fgroup_type - [13]
[INFO] - reference_data - [93]
[INFO] - offense_type - [28]
[INFO] - ariel_calculated_property - [1]
[INFO] - ariel_regex_property - [288]
[INFO] - qidmap - [584]
[INFO] - sensordevicetype - [356]
[INFO] - device_ext - [1]
[INFO] - application_zip - [10]
[INFO] - report - [128]