Typically, support will recommend that you use the QRadar API, instead of the UI at minimum, but the most user friendly method of getting data out of QRadar is to use the Event and Flow Exporter app.
- Best - Event and Flow Exporter app.
This app does essentially the same thing as the CLI article I linked, but it allows you to create a schedule or email the results or convert the data to different types more easily than using the CLI.
- Next best - API and get data directly.
We have a support technical note on this process, which I'll link to below.
- 3rd best - User interface.
As the QRadar user interface Export functions are single-threaded, they are significantly slower than using the API. The UI is easy and good for exporting small sets of data, but is not the best option for bulk exporting of data.
Links for App (best option)
Links (API, next best option)
Hope this helps, if you have follow-up questions let us know. I'd start with the Event/Flow Exporter app and try out the functionality.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
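To make the "API, next best option" concrete, here is an added example (not code from IBM, from the Event and Flow Exporter app, or from anyone in this thread) of the Ariel search workflow the REST API exposes: submit an AQL query, poll the search until it completes, then page through the results with a Range header so no single response has to hold six months of events. The `/api/ariel/searches` endpoints, the `SEC`/`Version` headers and the `COMPLETED`/`CANCELED`/`ERROR` statuses are real QRadar API behaviour; the console hostname, the token, the API version number, the `FakeQRadar` stand-in and its synthetic syslog payloads are assumptions and constructed test data so the script runs offline. Against a live console you would pass a `requests.Session()` as `session` instead of the fake.

```python
"""Bulk-export QRadar events via the Ariel REST API (added example).

Flow against a real console:
  1. POST /api/ariel/searches?query_expression=<AQL>        -> search_id
  2. GET  /api/ariel/searches/<id> until a terminal status  -> record_count
  3. GET  /api/ariel/searches/<id>/results, Range: items=a-b, page by page
"""
import io
import json
import time
import urllib.parse
from typing import Callable, Dict, Iterator, Optional

API_VERSION = "19.0"   # assumption: set to the version your console advertises
TERMINAL = {"COMPLETED", "CANCELED", "ERROR"}

# Raw payloads for a six-month window; UTF8(payload) returns the original log line.
AQL = ("SELECT starttime, UTF8(payload) AS payload FROM events "
       "START '2023-05-16 00:00' STOP '2023-11-16 00:00'")


def _headers(token: str, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    h = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
    h.update(extra or {})
    return h


def start_search(session, base_url: str, token: str, aql: str) -> str:
    """Submit the AQL query; QRadar answers at once with a search_id, not results."""
    url = f"{base_url}/api/ariel/searches?" + urllib.parse.urlencode({"query_expression": aql})
    r = session.post(url, headers=_headers(token))
    r.raise_for_status()
    return r.json()["search_id"]


def wait_for_search(session, base_url: str, token: str, search_id: str,
                    poll_seconds: float = 5.0, sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until the search is terminal; return record_count or raise on CANCELED/ERROR."""
    while True:
        r = session.get(f"{base_url}/api/ariel/searches/{search_id}", headers=_headers(token))
        r.raise_for_status()
        body = r.json()
        if body["status"] in TERMINAL:
            break
        sleep(poll_seconds)
    if body["status"] != "COMPLETED":
        raise RuntimeError(f"search {search_id} ended with status {body['status']}")
    return int(body["record_count"])


def iter_results(session, base_url: str, token: str, search_id: str,
                 record_count: int, page_size: int = 10000) -> Iterator[dict]:
    """Fetch results in Range-bounded pages; Ariel keys rows as 'events' or 'flows'."""
    for first in range(0, record_count, page_size):
        last = min(first + page_size, record_count) - 1
        r = session.get(f"{base_url}/api/ariel/searches/{search_id}/results",
                        headers=_headers(token, {"Range": f"items={first}-{last}"}))
        r.raise_for_status()
        body = r.json()
        yield from (body.get("events") or body.get("flows") or [])


def export_events(session, base_url: str, token: str, aql: str, out,
                  page_size: int = 10000, sleep: Callable[[float], None] = time.sleep) -> int:
    """Run the whole export, writing one JSON object per line; return rows written."""
    sid = start_search(session, base_url, token, aql)
    total = wait_for_search(session, base_url, token, sid, sleep=sleep)
    written = 0
    for row in iter_results(session, base_url, token, sid, total, page_size):
        out.write(json.dumps(row, separators=(",", ":")) + "\n")
        written += 1
    return written


class _Resp:
    """Minimal response object with the requests-style methods used above."""
    def __init__(self, body: dict, status: int = 200):
        self._body, self.status_code = body, status

    def json(self) -> dict:
        return self._body

    def raise_for_status(self) -> None:
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")


class FakeQRadar:
    """Constructed stand-in for a console: synthetic rows, completes on the 3rd poll."""
    def __init__(self, n: int = 2500):
        self.rows = [{"starttime": 1700000000000 + i,
                      "payload": f"<14>Nov 16 12:00:{i % 60:02d} host sshd[1]: synthetic event {i}"}
                     for i in range(n)]
        self.polls, self.ranges = 0, []

    def post(self, url: str, headers: dict) -> _Resp:
        if "query_expression=" not in url:
            return _Resp({"message": "missing query_expression"}, 422)
        return _Resp({"search_id": "abc123", "status": "WAIT"})

    def get(self, url: str, headers: dict) -> _Resp:
        if url.endswith("/results"):
            first, last = map(int, headers["Range"].split("=")[1].split("-"))
            self.ranges.append((first, last))
            return _Resp({"events": self.rows[first:last + 1]})
        self.polls += 1
        status = "COMPLETED" if self.polls >= 3 else "EXECUTE"
        return _Resp({"status": status, "record_count": len(self.rows)})


def demo(page_size: int = 1000):
    """Offline run against FakeQRadar; returns (rows written, fake, JSONL text)."""
    fake, buf = FakeQRadar(), io.StringIO()
    n = export_events(fake, "https://qradar.example.internal", "dummy-token", AQL,
                      buf, page_size=page_size, sleep=lambda s: None)
    return n, fake, buf.getvalue()


if __name__ == "__main__":
    count, _, text = demo()
    print(count, "rows;", "first:", text.splitlines()[0])
```

For a real export, create an authorized service token with only the Ariel read permissions it needs and pass `requests.Session()` (with `verify=` pointing at your console's CA bundle) as `session`. At 3K EPS a six-month window is tens of billions of rows, so in practice you would loop this over one-day START/STOP slices and write each slice to its own file rather than issue one search; the paging above keeps each HTTP response bounded either way.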
Original Message:
Sent: Thu November 16, 2023 11:49 AM
From: Davide Salardi
Subject: Export Customer Event Logs in Readable Format
Hello,
We want to export the full database of event logs saved on an event processor to make them available to our customer outside QRadar.
Exporting them as XML or CSV files from the Log Search tab would be quite painful, since we need to export 6 months of logs for a customer who is generating on average 3K EPS, sometimes even more; this would result in a file too large to be handled easily.
Is there another way to make them available, for example by forwarding them to an external log server? This should also work for data that has already been written to disk; the customer has asked us for the logs from the last 6 months in raw format.
Best regards,
Davide
------------------------------
Davide Salardi
------------------------------