Importing content by using the content management script

You can import custom content that you exported from another IBM® QRadar® system.

Before you begin

If you want to import content from another QRadar system, you must first export the content and copy it to the target system. For more information about exporting content, see Content type identifiers for exporting custom content.

When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.

Restriction:

If the log sources have passwords configured, the passwords are not decrypted and are cleared on the target deployment.

Note: If the content contains overridden system rules, use the update action instead of the import action to ensure that the rules are imported correctly.

You can export content from an earlier version of QRadar and import into a later version. However, you cannot import content from a later version into an earlier version.

You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports fail due to conflicts with shared resources.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. Go to the directory where the export content file is located.
  3. Type this command to import the content: 
    /opt/qradar/bin/contentManagement.pl -a import -f [source_file] -u [user]
    Parameters:
    Table 1. contentManagement.pl script parameters for importing custom content
    Parameter Description
    -f [source_file]

    or

    --file [source_file]

    		 Specifies the file that contains the content items to import.

    Valid file types are zip, targz, and xml.

    The file name and path are case-sensitive.
    -u [user]

    or

    --user [user]

    		 Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content.
    Examples:
    • To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory, type the following command:
      /opt/qradar/bin/contentManagement.pl --action import 
-f fgroup-ContentExport-20120418163707.tar.gz
    • To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory and make the admin user the owner of all sensitive data in the import, type the following command:
      /opt/qradar/bin/contentManagement.pl --action import 
--file fgroup-ContentExport-20120418163707.tar.gz --user admin
    The import script displays the following message when reference data is actively collected while it is being exported: Foreign key constraint violation. To avoid this issue, run the export process when no reference data is being collected.