You can import custom content that you exported from another IBM®
QRadar® system.
Before you begin
If you want to import content from another QRadar system, you must first
export the content and copy it to the target system. For more information about exporting content,
see Content type identifiers for exporting custom content.
When you import content that has log sources, confirm that DSM and protocol RPMs are installed
and current on the target system.
Restriction:
If the log sources have passwords configured, the passwords are not decrypted and are cleared on
the target deployment.
Note: If the content contains overridden system rules, use the update action instead of the import action to ensure that the rules are imported correctly.
You can export content from an earlier version of QRadar and import into a later
version. However, you cannot import content from a later version into an earlier version.
You do not have to export content in a specific order. However, do not start multiple imports on
the same system at the same time. The imports fail due to conflicts with shared resources.
Procedure
- Use SSH to log in to QRadar as the root user.
- Go to the directory where the export content file is located.
- Type this command to import the content:
  /opt/qradar/bin/contentManagement.pl -a import -f [source_file] -u [user]
Parameters:
Table 1. contentManagement.pl script parameters for importing custom content

| Parameter | Description |
| --- | --- |
| -f [source_file] or --file [source_file] | Specifies the file that contains the content items to import. Valid file types are zip, targz, and xml. The file name and path are case-sensitive. |
| -u [user] or --user [user] | Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content. |
Examples:
- To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory, type the following command:
  /opt/qradar/bin/contentManagement.pl --action import -f fgroup-ContentExport-20120418163707.tar.gz
- To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory and make the admin user the owner of all sensitive data in the import, type the following command:
  /opt/qradar/bin/contentManagement.pl --action import --file fgroup-ContentExport-20120418163707.tar.gz --user admin
The import script displays the following message when reference data is actively
collected while it is being exported: Foreign key constraint violation. To avoid this
issue, run the export process when no reference data is being collected.
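
The following wrapper is an added example, not part of the IBM documentation or product: it checks the file type and readability before calling the import command and refuses to start a second import while one is running. The function names and the lock directory are hypothetical, the lock only covers imports started through this wrapper, and the script assumes the zip, targz, and xml types correspond to the .zip, .tar.gz, and .xml extensions.

```bash
#!/bin/sh
# Added example: pre-flight wrapper around the import command on this page.
# Function names and LOCKDIR are hypothetical; only -a, -f and -u are used.
CM=${CM:-/opt/qradar/bin/contentManagement.pl}
LOCKDIR=${LOCKDIR:-/tmp/qradar-content-import.lock}

# Succeeds only for the documented file types (zip, targz, xml), assuming
# they correspond to the .zip, .tar.gz and .xml extensions.
valid_type() {
  case "$1" in
    *.zip|*.tar.gz|*.xml) return 0 ;;
    *) return 1 ;;
  esac
}

# Validates the export file; prints the reason and returns 2-4 on failure.
preflight() {
  [ -n "$1" ] || { echo "usage: safe_import <file> [user]"; return 2; }
  valid_type "$1" || { echo "unsupported file type: $1"; return 3; }
  [ -r "$1" ] || { echo "not readable (name and path are case-sensitive): $1"; return 4; }
}

# mkdir is atomic, so only one wrapper instance can hold the lock at a time.
# A lock left behind by a killed run must be removed by hand.
acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }
release_lock() { rmdir "$LOCKDIR" 2>/dev/null; }

# Runs one import; returns 5 if another wrapped import holds the lock,
# otherwise the exit status of contentManagement.pl.
safe_import() {
  preflight "$1" || return $?
  acquire_lock || { echo "another import is already running"; return 5; }
  if [ -n "$2" ]; then
    "$CM" -a import -f "$1" -u "$2"
  else
    "$CM" -a import -f "$1"
  fi
  import_rc=$?
  release_lock
  return "$import_rc"
}

# Run directly: ./safe_import.sh <file> [user]
if [ "$#" -gt 0 ]; then
  safe_import "$@"
  exit $?
fi
```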