Distributed Scripting

Easy way to copy a file to all managed hosts

Hi guys, today I’d like to present another very useful command which you can use on a daily basis. Sometimes you need to copy a file to all your managed hosts. There is a very easy way to do this:

/opt/qradar/support/all_servers.sh -p file

… this will copy the “file” to the /tmp directory of all appliances.

After the file transfer, you can use the tips in this post to run commands across your environment on the new files.

One example of using this command is transferring your security policies to the whole environment and afterwards deploying the configuration using the all_servers script.
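A check that fits between the copy and the deploy step, as an added example that is not part of the original post or of QRadar: compare the SHA-256 of each copy in /tmp against the hash of the file on the console. The function names, the file name policy.conf and the report layout (one standard sha256sum line per host) are assumptions.

```shell
#!/bin/sh
# Added example. On the console the report would be produced with:
#   /opt/qradar/support/all_servers.sh "sha256sum /tmp/FILE" > /root/hashes.txt
# Assumption: the report holds one standard sha256sum line per host
# ("<64 hex chars>  /tmp/FILE"); banners and other lines are ignored.

# Constructed values for the sample below, not real hashes.
SAMPLE_HASH=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
OTHER_HASH=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

# Constructed sample report: three hosts, the third holds a different file.
sample_report() {
    cat <<EOF
host-a (constructed banner)
$SAMPLE_HASH  /tmp/policy.conf
host-b (constructed banner)
$SAMPLE_HASH  /tmp/policy.conf
host-c (constructed banner)
$OTHER_HASH  /tmp/policy.conf
EOF
}

# count_hashes REPORT REMOTE_PATH EXPECTED_HASH
# Prints "<matching> <differing>" over the sha256sum lines naming REMOTE_PATH.
count_hashes() {
    awk -v path="$2" -v want="$3" '
        length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 == path {
            if ($1 == want) ok++; else bad++
        }
        END { printf "%d %d\n", ok, bad }' "$1"
}

# verify_copies REPORT REMOTE_PATH EXPECTED_HASH HOST_COUNT
# Returns 0 only when no copy differs and HOST_COUNT hosts reported a match;
# 1 = at least one differing copy, 2 = some hosts did not report the file.
verify_copies() {
    vc_counts=$(count_hashes "$1" "$2" "$3")
    vc_ok=${vc_counts% *}
    vc_bad=${vc_counts#* }
    if [ "$vc_bad" -gt 0 ]; then
        echo "FAIL: $vc_bad host(s) hold a different file at $2" >&2
        return 1
    fi
    if [ "$vc_ok" -ne "$4" ]; then
        echo "FAIL: $vc_ok of $4 hosts reported $2" >&2
        return 2
    fi
    echo "OK: $vc_ok of $4 hosts match"
}
```

The expected hash is the first field of `sha256sum file` run on the console before the copy; a host where the file is missing produces no matching line, so it shows up as a short count.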

Do you have any use cases for this feature? Drop us a line in the comments!

Running commands across the environment – Part 2

Continuing the post about running commands across the environment, today we’d like to present another very useful and powerful command. Gathering information about the appliances and servers can be a painful task, but QRadar provides some good scripts to make this task easy and automated. For example, if you execute on your QRadar Console:

 [root@MY_RADAR]# /opt/qradar/bin/myver -v

…you’ll get a lot of information about your appliance, such as:

  • Appliance type,
  • Core version of the system,
  • Patch number,
  • Whether QRM is enabled,
  • Whether the appliance you ran this command on is a console,
  • What the IP address is,
  • What the kernel architecture is,
  • Information about the CPU, the operating system and whether this is an HA host or not.

And here’s the tricky part: to get this information from all your QRadar servers and appliances, you can combine it with the “/opt/qradar/support/all_servers.sh” command, presented in another post, and gather this valuable information from all your managed hosts. For example, we can run this command across all the servers and write the result to a text file:

[root@MY_RADAR]# /opt/qradar/support/all_servers.sh "/opt/qradar/bin/myver -v" > /root/info.txt

As you can see, with just one line we can gather information from all our servers and generate a raw report of our QRadar environment. Simple, isn’t it?

Running commands across the environment

Daily maintenance across a small environment can be an easy job, but when our environment grows to a point where we have several appliances it can be a tough job. For example, if we need to monitor the disk space in an environment of just one appliance, we can simply connect through SSH to the QRadar and run a Linux command such as 'df -h', but in a large environment with several appliances this practice would take a lot of time.

In QRadar distributed environments, the console acts as a central management console for all the other appliances. In our example of monitoring disk space, wouldn’t it be easier if we could run a command on the main console to get information about the whole environment? That’s exactly what the script 'all_servers.sh' does. The script is located at:
/opt/qradar/support/all_servers.sh

To run the command, you can use the following syntax:
[root@MY_RADAR]# /opt/qradar/support/all_servers.sh 'COMMAND'
(Where COMMAND is what you want to run on the appliances)

In our example of monitoring the disk size, we could use:
[root@MY_RADAR]# /opt/qradar/support/all_servers.sh 'df -h' > /root/drive_space.txt
This writes the output of the command from all the servers to the following file: /root/drive_space.txt

The script can be used for several different purposes: monitoring disk space, monitoring CPU, viewing network configurations, checking logs, etc. Can you imagine how it could help in your environment?! Have good ideas on how to integrate it with your monitoring systems?! Let us know in the comments!

 

— This post was suggested and written by our new collaborator, Tomasz Stankiewicz.