IBM QRadar

  • 1.  Query on Raw log retrieval

    Posted Sat February 24, 2024 02:33 AM
    Edited by Cyber SOC Engineering Sat February 24, 2024 02:33 AM

    Dear All,

    Hope you are doing good !!

    We have complex queries raised by our customer in the QRadar Multi-tenant Model. Request your help and assistance.

    Query 1: We are managing Customer A, Customer B, Customer C in QRadar Multitenant; the default online storage is configured as 3 months and 9 months offline storage. Due to some reason, Customer B wants to move from QRadar. Is it possible to offboard and hand over only Customer B raw logs (3+9) months from QRadar?

    Query 2: Same customer count as above with the (3+9) log retention period. For some audit purpose Customer C wants to extract and showcase the raw log only for the 5th month. Is it possible?





  • 2.  RE: Query on Raw log retrieval

    Posted Mon February 26, 2024 02:24 AM

    Hi,

    Yes, this is possible; data is stored per tenant in QRadar in the following structure:

    • Events: /store/ariel/events/records/aux/tenantID#/Year/Month/Day/Hour/Minute
    • Flows: /store/ariel/flows/records/aux/tenantID#/Year/Month/Day/Hour/Minute

    The following link outlines the folder structure for the Ariel data:

    https://www.ibm.com/support/pages/qradar-tenant-data-event-retention-or-flow-retention-faq

    Thanks



    ------------------------------
    John Dawson
    QRadar Support Architect
    IBM
    ------------------------------
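As an added example (not from this thread and not IBM code), a small Python script that applies the per-tenant layout quoted above to the audit case in the question: it walks a constructed copy of the tree, keeps only the minute directories of one tenant that fall inside one calendar month, and skips any directory name that is not a valid timestamp path. The `records_root` argument, the sample tenant IDs and the dates are assumptions.

```python
from datetime import datetime
from pathlib import Path
import tempfile


def month_window(year, month):
    """Half-open [start, end) window covering one calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def tenant_minute_dirs(records_root, tenant_id, start, end):
    """Minute-level directories of one tenant with start <= t < end, as POSIX paths
    relative to records_root (the '.../records/aux' directory), sorted by time.
    Below the tenant directory the layout is Year/Month/Day/Hour/Minute."""
    root = Path(records_root)
    tenant_root = root / str(tenant_id)
    if not tenant_root.is_dir():
        return []
    selected = []
    for path in tenant_root.glob("*/*/*/*/*"):
        try:  # every component must be numeric and form a real timestamp
            y, mo, d, h, mi = (int(p) for p in path.relative_to(tenant_root).parts)
            stamp = datetime(y, mo, d, h, mi)
        except ValueError:
            continue  # malformed directory name: skip rather than misfile it
        if path.is_dir() and start <= stamp < end:
            selected.append((stamp, path.relative_to(root).as_posix()))
    return [rel for _, rel in sorted(selected)]


def build_sample_tree():
    """Constructed sample tree (not real QRadar data) under a temp directory."""
    root = Path(tempfile.mkdtemp()) / "store" / "ariel" / "events" / "records" / "aux"
    samples = {
        "1": ["2023/09/30/23/59", "2023/10/01/00/00", "2023/10/15/12/30", "2023/11/01/00/00"],
        "2": ["2023/10/02/08/15", "2023/10/junk/00/00"],
    }
    for tenant, rel_dirs in samples.items():
        for rel in rel_dirs:
            (root / tenant / rel).mkdir(parents=True, exist_ok=True)
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    start, end = month_window(2023, 10)  # the single month the auditor asked for
    for rel in tenant_minute_dirs(root, 1, start, end):
        print(rel)
```

The returned list is the manifest of directories to copy or feed to an Ariel-based export; neighbouring tenants and out-of-window minutes never appear in it.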



  • 3.  RE: Query on Raw log retrieval

    Posted Mon February 26, 2024 03:21 AM

    This is true, but it doesn't really help answer the original question, which is about the extraction of Raw Logs.

    To extract Raw Log data (i.e. the original event payloads etc), you need to use ariel in some way to process the files indicated by John.

    I suggest you engage your local IBM Expert Labs team to help you understand how to approach this, as the solution will vary depending on a number of factors.

    • volume of data (for large customers, this can take a long time - months possibly)
    • information required (Raw Events on their own are pretty useless, you will need _some_ meta data)
    • target format/structure/location
    • processing environment
    • data security requirements (e.g. PII)
    • timeframes and availability of the original QRadar system

    Paul



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 4.  RE: Query on Raw log retrieval

    Posted Wed February 28, 2024 04:21 AM

    Hi, the only problem for your queries is to make sure that your data cover the 5 months you are looking for. A tenant can be separately queried; that's the whole idea of tenant support, right?

    You just export the query raw data or normalized, which is much better for a CSV-based export that can be used by any app including MS Excel. Don't forget to add payload data.



    ------------------------------
    [Karl] [Jaeger] [#ibmchampion]
    [QRadar Specialist]
    [cnag]
    [Siegen] [Germany]
    ------------------------------