Look at the following command:
/opt/qradar/bin/ariel_query
It invokes the API from the command line to perform searches.
e.g.
/opt/qradar/bin/ariel_query -f /root/token -q "select CATEGORYNAME(category), QIDNAME(QID), LogSourceName(logSourceId), eventCount, DATEFORMAT(starttime, 'YYYY-MM-DD HH:mm:ss'), sourceip, sourceport, destinationip, destinationport from events WHERE ((destinationip = 'x.x.x.x') and (eventdirection = 'R2L')) START '2018-03-14 17:30' STOP '2018-03-14 19:30'" > /store/case12345
------------------------------
Scott Searls
------------------------------
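The same search can be run from any host that can reach the console's REST API, which is what ariel_query wraps. The following is an added example, not code from the thread or from IBM: it builds the AQL statement above from validated parameters (so an IP or timestamp pasted from a ticket cannot change the shape of the query), submits it to the documented Ariel endpoints (POST /api/ariel/searches, GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results) using the authorized-service token in the SEC header, polls until the search reaches a final state, and returns the events. The field names search_id, status and events and the status values WAIT/EXECUTE/SORTING/COMPLETED/CANCELED/ERROR are taken from the QRadar API documentation; the base URL, token and transport hook are assumptions for this example.

```python
"""Submit an Ariel (AQL) search through the QRadar REST API and collect results.

Added example (not from the thread). Assumes the documented Ariel endpoints and
a SEC-header authorized-service token; the transport is injectable so the
client can be exercised offline.
"""
import ipaddress
import json
import ssl
import time
from datetime import datetime
from urllib.parse import quote
from urllib.request import Request, urlopen

ARIEL = "/api/ariel/searches"
FINAL_STATES = {"COMPLETED", "CANCELED", "ERROR"}
DIRECTIONS = {"R2L", "L2R", "L2L", "R2R"}


def build_query(dest_ip, start, stop, direction="R2L"):
    """Return the thread's AQL statement with validated parameters.

    Each value is checked before it is interpolated, so only a real IP
    address, real timestamps and a known direction can reach the query text.
    """
    ipaddress.ip_address(dest_ip)                 # ValueError on anything not an IP
    for ts in (start, stop):
        datetime.strptime(ts, "%Y-%m-%d %H:%M")   # ValueError on a malformed time
    if direction not in DIRECTIONS:
        raise ValueError("unknown eventdirection: %r" % direction)
    return (
        "select CATEGORYNAME(category), QIDNAME(QID), LogSourceName(logSourceId), "
        "eventCount, DATEFORMAT(starttime, 'YYYY-MM-DD HH:mm:ss'), "
        "sourceip, sourceport, destinationip, destinationport from events "
        "WHERE ((destinationip = '%s') and (eventdirection = '%s')) "
        "START '%s' STOP '%s'" % (dest_ip, direction, start, stop)
    )


def urllib_transport(method, url, headers):
    """Default HTTP transport: (status code, parsed JSON body)."""
    req = Request(url, method=method, headers=headers)
    with urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, json.loads(resp.read().decode())


class ArielClient:
    def __init__(self, base_url, token, transport=urllib_transport, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        # SEC carries the authorized-service token, the same value the thread's
        # -f /root/token file holds for ariel_query.
        self.headers = {"SEC": token, "Accept": "application/json"}
        self.transport = transport
        self.sleep = sleep

    def _call(self, method, path):
        status, body = self.transport(method, self.base_url + path, self.headers)
        if status >= 400:
            raise RuntimeError("QRadar API %s %s -> %d: %s" % (method, path, status, body))
        return body

    def run_search(self, aql, poll_interval=2, max_polls=30):
        """Submit the AQL, poll until a final state, and return the event list."""
        search = self._call("POST", "%s?query_expression=%s" % (ARIEL, quote(aql, safe="")))
        search_id = search["search_id"]
        for _ in range(max_polls):
            if search["status"] in FINAL_STATES:
                break
            self.sleep(poll_interval)
            search = self._call("GET", "%s/%s" % (ARIEL, search_id))
        if search["status"] != "COMPLETED":
            raise RuntimeError("search %s did not complete: %s" % (search_id, search["status"]))
        return self._call("GET", "%s/%s/results" % (ARIEL, search_id))["events"]


if __name__ == "__main__":
    # Offline demonstration: only the query text is built and shown here.
    print(build_query("192.0.2.10", "2018-03-14 17:30", "2018-03-14 19:30"))
```

To run it for real, construct `ArielClient("https://<console>", open("/root/token").read().strip())` and pass `build_query(...)` to `run_search`; the default transport verifies the console's TLS certificate, so a self-signed console certificate must be added to the trust store rather than bypassed.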
Original Message:
Sent: Thu May 30, 2019 02:39 AM
From: Muruga Selvam B
Subject: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)
Hi Sir,
Thanks for your support, sir.
Actually we are new to QRadar; now we have seen the old event data in the GUI using the search option.
We have a doubt, sir:
1. Is there any way to read the Ariel database event logs in the backend?
2. What are coalesced logs in QRadar?
Is the EPS count calculated based on coalesced logs or raw logs?
Thank You
Murugaselvam
------------------------------
Muruga Selvam B
Original Message:
Sent: Wed May 29, 2019 11:44 AM
From: SHANNON TOMPKINS
Subject: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)
Hi, Muruga -
It looks like you are trying to access data directly from Ariel storage. Are you able to search for the relevant event data through the GUI? Has it been retained? Is something preventing a search?
Thank you,
Shannon
------------------------------
Shannon Tompkins
Original Message:
Sent: Mon May 27, 2019 08:14 AM
From: Muruga Selvam B
Subject: How read Binary Logs in Qradar SIEM (/store/ariel/events/payloads/....)
Hi Team,
We had an incident last year, so we want to check last year's logs. We identified the log path (/store/ariel/events/payloads/2018/5/20/18/payload_events~0_0~32599595cf0d4434~b5d1528c14e484b3~0) but we cannot read the file.
Can anyone help to solve the issue?
------------------------------
Muruga Selvam B
------------------------------