QRadar App Management - Highlights
by Ralph Belfiore
Support utilities, CLI, API - need-to-know
During the course of my troubleshooting experience I had to be aware of some “utility changes” regarding app extension management and monitoring.
Depending on the QRadar release applied and the deployment scenario (AiO / Apphost as a managed host), you’ll have to keep in mind some improvements and changes to the available “support utilities” or CLI commands.
For those who haven’t yet found a summary list or updated their bookmarks with helpful links on this subject, here is a consolidated set of information, helpful support links, commands and “utility changes”, just in case.
When investigating the status of an app, starting or stopping an app, or updating an app, there are some details to consider. For example, in Release 7.3.x you needed to remember the following psql command with many options in the CLI to display the app id, name, status, version and more context of the apps running on the CONSOLE.
Starting with QRadar Assistant App Release 3.0 (current release is 3.2.1), as an admin you can also use the Assistant app to comfortably handle and maintain apps through the UI using the "Manage" button.
Further information about the Assistant app can be found here:
Assistant App Features
QRadar 7.3.x - recon ps
To investigate the status of apps on an APPHOST with Release 7.3.x, you could until now use the following CLI command to display the output:
- /opt/qradar/support/recon ps
The recon ps command disappeared, for example, with 7.4.1FP2! From this release at the latest, you’ll need to know the qappmanager support utility (details below).
QRadar 7.4.1FP2 - recon ps disappeared
Similar information can be retrieved, for example in Release 7.4.1FP2, with the following commands:
- docker images
- docker ps
The qappmanager utility was introduced with QRadar Release 7.4.0. The current status and helpful context of the installed apps can now be shown with this new support tool.
Introduced with QRadar 7.4.0 - qappmanager utility
It has to be executed from the CONSOLE and provides many options to maintain, start, stop, delete or create new instances of apps:
Further support information about the qappmanager support utility can be found here:
QRadar API - App Framework
Finally, in rare cases, such as scripting or integration with other systems, you can use the API as well.
QRadar API - try it out!
It's well documented, and it is straightforward to, for example, start or stop an app through the API using the "Try Button".
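For the scripting case, the following is an added example, not code from the original post or from IBM: it summarizes app id, name, version and status from an app-list response and builds (without sending) the request that starts or stops one app. The endpoint `/api/gui_app_framework/applications`, the `status` query parameter, the `SEC` token header and the JSON field names are assumptions to verify in the interactive API documentation of your release; the sample response, host name and token are constructed.

```python
import json
import urllib.request

# Constructed sample of a GET /api/gui_app_framework/applications response.
# Field names are an assumption; verify them in your release's API docs.
SAMPLE_RESPONSE = json.dumps([
    {"application_state": {"application_id": 1051, "status": "RUNNING"},
     "manifest": {"name": "Assistant", "version": "3.2.1"}},
    {"application_state": {"application_id": 1102, "status": "STOPPED"},
     "manifest": {"name": "Example App", "version": "1.0.0"}},
    {"application_state": {"application_id": 1153, "status": "ERROR"},
     "manifest": {}},
])


def summarize_apps(body):
    """Return (id, name, version, status) per app, tolerating missing fields."""
    rows = []
    for app in json.loads(body):
        state = app.get("application_state") or {}
        manifest = app.get("manifest") or {}
        rows.append((state.get("application_id"),
                     manifest.get("name", "<unknown>"),
                     manifest.get("version", "<unknown>"),
                     state.get("status", "<unknown>")))
    return rows


def not_running(rows):
    """IDs of apps whose status is anything other than RUNNING."""
    return [row[0] for row in rows if row[3] != "RUNNING"]


def build_status_request(console, token, app_id, status):
    """Build (without sending) the POST that starts or stops one app."""
    if status not in ("RUNNING", "STOPPED"):
        raise ValueError("status must be RUNNING or STOPPED")
    url = (f"https://{console}/api/gui_app_framework/applications/"
           f"{int(app_id)}?status={status}")
    # The authorized-service token travels in the SEC header, never in the URL.
    return urllib.request.Request(
        url, method="POST", headers={"SEC": token, "Accept": "application/json"})


if __name__ == "__main__":
    rows = summarize_apps(SAMPLE_RESPONSE)
    for row in rows:
        print(*row, sep="\t")
    print("not running:", not_running(rows))
    req = build_status_request("qradar.example.test", "PLACEHOLDER_TOKEN", 1102, "RUNNING")
    print(req.get_method(), req.full_url)
```

Send the request with `urllib.request.urlopen` only with certificate verification left on and the token read from a protected file or secret store rather than the command line.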
So concluding for me, it’s exciting to chase the continuous enhancements of QRadar and specifically the app management stuff. The support utilities to manage apps are more and more easily operated, supporting app extension management.
#qradar #highlights #app-framework #maintining-apps