IBM Security QRadar

  • 1.  How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)

    Posted Tue May 28, 2019 09:31 AM

    Hi Team,

        We had an incident last year, so we want to check last year's logs. We identified the log path (/store/ariel/events/payloads/2018/5/20/18/payload_events~0_0~32599595cf0d4434~b5d1528c14e484b3~0) but we cannot read the file.

        Can anyone help solve the issue?

    ------------------------------
    Muruga Selvam B
    ------------------------------


  • 2.  RE: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)

    Posted Wed May 29, 2019 11:44 AM
    Hi, Muruga - 

    It looks like you are trying to access data directly from Ariel storage.  Are you able to search for the relevant event data through the GUI?   Has it been retained?  Is something preventing a search?

    Thank you,
    Shannon

    ------------------------------
    Shannon Tompkins
    ------------------------------



  • 3.  RE: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)

    Posted Thu May 30, 2019 02:40 AM
    Hi Sir,

          Thanks for your support, sir.
          Actually we are new to QRadar; now we have seen the old event data in the GUI using the search option.

          We have doubts, sir:
                               1.  Is there any way to read the Ariel database event logs in the backend?
                               2.  What are coalesced logs in QRadar?
                                     Is the EPS count calculated based on coalesced logs or raw logs?

          Thank You
          Murugaselvam

    ------------------------------
    Muruga Selvam B
    ------------------------------



  • 4.  RE: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)

    Posted Fri May 31, 2019 09:02 AM
    Look at the following command:

    /opt/qradar/bin/ariel_query

    It invokes the API from the command line to perform searches.

    e.g.
    /opt/qradar/bin/ariel_query -f /root/token -q "select CATEGORYNAME(category), QIDNAME(QID), LogSourceName(logSourceId), eventCount, DATEFORMAT(starttime, 'YYYY-MM-DD HH:mm:ss'), sourceip, sourceport, destinationip, destinationport from events WHERE ((destinationip = 'x.x.x.x') and (eventdirection = 'R2L')) START '2018-03-14 17:30' STOP '2018-03-14 19:30'" > /store/case12345

    ------------------------------
    Scott Searls
    ------------------------------
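    As an added illustration (not from this thread, from IBM, or from the ariel_query script itself), the following Python shows the same search done against the Ariel REST endpoint that ariel_query wraps: the AQL is built from parameters with single quotes escaped, so a value copied from a ticket cannot break out of the string literal and change the query, then the search is submitted, polled until it completes, and the rows are fetched. The host name, the token value and the search endpoint paths under /api/ariel/searches are assumptions about the deployment, and the poll interval and timeout are arbitrary.

```python
"""Run an AQL search through the QRadar Ariel REST API.

Hypothetical example: QRADAR_HOST and QRADAR_TOKEN are placeholders,
and the endpoint paths follow the /api/ariel/searches layout assumed here.
"""
import json
import re
import ssl
import time
import urllib.parse
import urllib.request

# AQL START/STOP values as used in the thread: 'YYYY-MM-DD HH:mm'
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")


def aql_literal(value: str) -> str:
    """Quote a caller-supplied value as an AQL string literal.

    A single quote inside the value is doubled, so a value such as
    10.0.0.5' OR 1=1 -- cannot terminate the literal and alter the query.
    """
    return "'" + value.replace("'", "''") + "'"


def build_query(dest_ip: str, start: str, stop: str, direction: str = "R2L") -> str:
    """Assemble the same SELECT the thread runs, with validated time bounds."""
    if not (_TS_RE.match(start) and _TS_RE.match(stop)):
        raise ValueError("START/STOP must look like 'YYYY-MM-DD HH:mm'")
    return (
        "SELECT CATEGORYNAME(category), QIDNAME(qid), LOGSOURCENAME(logsourceid), "
        "eventcount, DATEFORMAT(starttime, 'YYYY-MM-DD HH:mm:ss'), "
        "sourceip, sourceport, destinationip, destinationport "
        "FROM events WHERE destinationip = " + aql_literal(dest_ip)
        + " AND eventdirection = " + aql_literal(direction)
        + " START " + aql_literal(start)
        + " STOP " + aql_literal(stop)
    )


class ArielClient:
    """Minimal client: submit a search, wait for it, return the rows."""

    def __init__(self, host: str, token: str):
        self.base = f"https://{host}/api/ariel/searches"
        # QRadar authorised-service tokens are sent in the SEC header.
        self.headers = {"SEC": token, "Accept": "application/json"}
        # Default context: the console certificate must be trusted by this host.
        self.ctx = ssl.create_default_context()

    def _request(self, method: str, url: str) -> dict:
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def run(self, aql: str, poll_seconds: float = 2.0, timeout: float = 600.0) -> list:
        url = self.base + "?" + urllib.parse.urlencode({"query_expression": aql})
        search = self._request("POST", url)
        search_id = search["search_id"]
        deadline = time.monotonic() + timeout
        while search["status"] not in ("COMPLETED", "ERROR", "CANCELED"):
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {search_id} still {search['status']}")
            time.sleep(poll_seconds)
            search = self._request("GET", f"{self.base}/{search_id}")
        if search["status"] != "COMPLETED":
            raise RuntimeError(f"search {search_id} ended with status {search['status']}")
        # For a query over the events table the rows come back under "events".
        return self._request("GET", f"{self.base}/{search_id}/results")["events"]


if __name__ == "__main__":
    # Placeholders: replace with the console host and a token file's contents.
    QRADAR_HOST = "qradar.example.invalid"
    QRADAR_TOKEN = open("/root/token").read().strip()
    query = build_query("x.x.x.x", "2018-03-14 17:30", "2018-03-14 19:30")
    for row in ArielClient(QRADAR_HOST, QRADAR_TOKEN).run(query):
        print(json.dumps(row))
```

    The search runs server-side over the same Ariel data the GUI searches, so it respects retention and the token's permissions; nothing in this path reads the payload files under /store/ariel directly.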



  • 5.  RE: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)

    Posted Fri May 31, 2019 09:03 AM
    1. Is there any way to read the Ariel database event logs in the backend?
    No, no way. This is a Java compiled file and you can't extract the full payload from the content.

    2. What are coalesced logs in QRadar?
    Is the EPS count calculated based on coalesced logs or raw logs?

    Coalescing is a process designed to save resources (but you can always disable it for any log source). Coalescing merges incoming similar events into one single event (but after the license counter). Once at least a few events are coalesced into one and the event counter is added to it, there is again no way to split them back, because all similar events are saved as one event in the binary file.

    ------------------------------
    ROBERT ROJEK
    ------------------------------
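    As an added illustration of the coalescing answer above (my own simulation, not QRadar code and not from this thread), the Python below runs a constructed batch of events through a toy coalescer: every event is counted against the license before coalescing, the first few identical events in a window are stored individually, and the rest are folded into one record whose eventcount grows. The grouping key (log source, QID, source IP, destination IP, destination port, username), the 10 second window and the threshold of 3 individual events are assumptions chosen for the demonstration, not documented QRadar values.

```python
"""Toy model of event coalescing and its effect on EPS and stored records.

Assumptions (not QRadar internals): identical events share
(logsource, qid, sourceip, destip, destport, username); within a WINDOW
the first THRESHOLD copies are stored as-is and later copies are merged.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10.0   # assumed coalescing window
THRESHOLD = 3           # assumed number of copies stored before merging starts


@dataclass
class RawEvent:
    ts: float          # arrival time, seconds
    logsource: str
    qid: int
    sourceip: str
    destip: str
    destport: int
    username: str
    payload: str


@dataclass
class StoredRecord:
    first: RawEvent    # only the first payload of a merged group survives
    eventcount: int = 1


def _key(e: RawEvent) -> tuple:
    return (e.logsource, e.qid, e.sourceip, e.destip, e.destport, e.username)


def coalesce(events: List[RawEvent]) -> Tuple[List[StoredRecord], int]:
    """Return (stored records, events counted against the license)."""
    licensed = 0
    stored: List[StoredRecord] = []
    windows: Dict[tuple, dict] = {}
    for e in sorted(events, key=lambda x: x.ts):
        licensed += 1                       # license counter runs before coalescing
        k = _key(e)
        w = windows.get(k)
        if w is None or e.ts - w["start"] >= WINDOW_SECONDS:
            w = {"start": e.ts, "seen": 0, "open": None}
            windows[k] = w
        w["seen"] += 1
        if w["seen"] <= THRESHOLD:
            stored.append(StoredRecord(e))  # stored individually
        elif w["open"] is None:
            rec = StoredRecord(e)           # first merged copy opens the group
            stored.append(rec)
            w["open"] = rec
        else:
            w["open"].eventcount += 1       # later copies only bump the counter
    return stored, licensed


def summary(events: List[RawEvent], duration_s: float) -> dict:
    stored, licensed = coalesce(events)
    return {
        "raw_events": licensed,
        "stored_records": len(stored),
        "sum_eventcount": sum(r.eventcount for r in stored),
        "largest_group": max(r.eventcount for r in stored),
        "license_eps": licensed / duration_s,
        "stored_eps": len(stored) / duration_s,
    }


# Constructed sample: 10 identical failed logins in 10 s plus 2 unrelated events.
SAMPLE = [
    RawEvent(1000 + i, "sshd@host1", 4001, "10.1.1.9", "10.1.1.20", 22, "root",
             f"Failed password for root from 10.1.1.9 port {40000 + i}")
    for i in range(10)
] + [
    RawEvent(1003, "sshd@host1", 4002, "10.1.1.7", "10.1.1.20", 22, "alice",
             "Accepted password for alice from 10.1.1.7"),
    RawEvent(1005, "fw@edge", 7001, "203.0.113.5", "10.1.1.20", 443, "",
             "Deny TCP 203.0.113.5 -> 10.1.1.20:443"),
]

if __name__ == "__main__":
    print(summary(SAMPLE, WINDOW_SECONDS))
```

    The totals show why the answer says EPS follows the raw stream: the license counter sees all 12 events, while Ariel keeps 6 records whose eventcount values sum back to 12. The merged record keeps only its first payload, which is why individual payloads cannot be recovered from a coalesced group afterwards.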