Troubleshooting
Problem
How do you determine which changes were made after a deployment change has been run?
Environment
QRadar versions 7.4 and 7.5
Resolving The Problem
Important: This procedure works with text files only.
This procedure helps you determine the changes made to a configuration file within the QRadar Console. In this article, the nva.conf file is used for demonstration purposes only. For example, you might have a remote.conf or xforce_feed.txt file whose changes you want to review. This procedure does not work with every file that is deployed. Some files, including .rpm files, do not work with this procedure.
Before you begin
Make sure you have the latest configuration backup in place before committing any deployment change.
- Log in to the QRadar UI.
- Click the Admin tab.
- Expand the undeployed changes window by clicking View Details.
- Expand the drop-down menu to see the directory of any files to be updated during the deployment change.
- Review the components that need to be changed. You should find this information in the (yellow) warning message.
Note: In this example, the file being changed is nva.conf.
Note: Most of the original files before a deployment are located in /opt/qradar/conf
- Use an SSH session to log in to the QRadar Console by using the root account.
- Type the command locate <File Name> | grep /opt/qradar/conf
locate nva.conf | grep /opt/qradar/conf
/opt/qradar/conf/nva.conf
/opt/qradar/conf/nva.conf.bak
/opt/qradar/conf/nva.configservices.conf
/opt/qradar/conf/templates/db_update_7264.nva.confrepl.sql
/opt/qradar/conf/templates/nva.conf
/opt/qradar/conf/templates/nva.configservices.conf
/opt/qradar/patches/backups/7.2.5/opt/qradar/conf/nva.conf.orig
/opt/qradar/patches/backups/7.2.5/opt/qradar/conf/templates/nva.configservices.conf
/store/backup/tmp/opt/qradar/conf/nva.configservices.conf
- Create a backup directory by using:
mkdir -p /store/IBMSupport/
- Copy the noted files from /opt/qradar/conf/<File> to /store/IBMSupport/
cp -p /opt/qradar/conf/nva.conf /store/IBMSupport/
- Click Deploy Changes.
- Wait for the deployment to complete. Files that are updated by the deployment appear with the latest timestamp under the directory /store/configservices/staging/globalconfig/
- Compare the files by using the diff command:
diff /store/configservices/staging/globalconfig/nva.conf /store/IBMSupport/nva.conf
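The snapshot and compare steps above, wrapped as two shell functions so that several files can be checked in one pass. This is an added example, not IBM-provided code; the function names and the CONF_DIR, SNAP_DIR and STAGING_DIR override variables are assumptions, with defaults taken from the paths in this article.

```shell
#!/bin/bash
# Added example, not IBM code. Defaults are the directories named in this article;
# the environment-variable overrides are an assumption added for testing.
CONF_DIR="${CONF_DIR:-/opt/qradar/conf}"
SNAP_DIR="${SNAP_DIR:-/store/IBMSupport}"
STAGING_DIR="${STAGING_DIR:-/store/configservices/staging/globalconfig}"

# Run BEFORE clicking Deploy Changes.
# Copies each named file with cp -p so mode and timestamps are preserved.
# Returns 0 if every file was copied, 2 if any was missing or failed to copy.
snapshot_conf() {
    local f rc
    rc=0
    mkdir -p "$SNAP_DIR" || return 2
    for f in "$@"; do
        if [ -f "$CONF_DIR/$f" ]; then
            cp -p "$CONF_DIR/$f" "$SNAP_DIR/" || rc=2
        else
            echo "snapshot: $CONF_DIR/$f not found" >&2
            rc=2
        fi
    done
    return "$rc"
}

# Run AFTER the deployment completes.
# Prints a unified diff per file with the snapshot first, so "-" lines are the
# pre-deployment content and "+" lines are what the deployment wrote.
# Returns 0 if nothing changed, 1 if any file differs, 2 if a copy is missing.
compare_conf() {
    local f rc drc
    rc=0
    for f in "$@"; do
        if [ ! -f "$SNAP_DIR/$f" ] || [ ! -f "$STAGING_DIR/$f" ]; then
            echo "compare: no snapshot or staged copy for $f" >&2
            rc=2
            continue
        fi
        drc=0
        diff -u "$SNAP_DIR/$f" "$STAGING_DIR/$f" || drc=$?
        if [ "$drc" -gt "$rc" ]; then rc=$drc; fi
    done
    return "$rc"
}
```

Call `snapshot_conf nva.conf remote.conf` before the deployment and `compare_conf nva.conf remote.conf` after it; a return value of 1 means at least one file changed.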
Results
The diff command provides the difference between the two files, showing what was changed.
Document Location
Worldwide
Document Information
Modified date:
03 January 2023
UID
ibm10886691