Methods Of Importing and Exporting Content
You can use the following tools to import and export content in your JSA deployment.
Extensions Management Tool
Use the Extensions Management tool to add extensions to your JSA deployment. When you import content by using the Extensions Management tool, you can view the content before it is installed. If a content item already exists in your system, you can specify whether to replace it or skip the update.
You cannot use the Extensions Management tool to export content.
Content Management Script
Use the content management script to export custom content from your JSA deployment into an external, portable format. You can then use the script to import the custom content into another JSA deployment. The script is useful when you want to automate moving content between your JSA deployments.
The contentManagement.pl script is in the /opt/qradar/bin directory.
You must use the content management script to export content from the JSA source deployment. You can use either the content management script or the Extensions Management tool to import the content to the target deployment.
DSM Editor
In JSA 7.3.3 and later, you can export your custom content that you create in the DSM Editor. Click the Export button in the DSM Editor to export your content from one JSA deployment to another, or to external media.
You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.
If you move overridden rules from one JSA deployment to another, use the Replace Existing Content Items option to ensure that the rules are imported correctly.
Exporting All Custom Content
You use the contentManagement.pl script to export all custom content in your JSA deployment.
1. Use SSH to log in to JSA as the root user.
2. Go to the /opt/qradar/bin directory, and type the command to export all of the custom content:
   ./contentManagement.pl -a export -c all
Examples:
To include accumulated data in the export, type the following command:
./contentManagement.pl --action export --content-type all -g
To specify the directory for the exported file and change the compression format, type the following command:
./contentManagement.pl -a export -c all -o [filepath] -t [compression_type]
The content is exported to a compressed file, for example, all-ContentExport-20151022101803.zip. You can manually change the file name to a name that is more descriptive. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported.
Exporting All Custom Content Of a Specific Type
You can export all custom content of a specific type in one action.
The content management script uses text identifiers or numeric identifiers to specify the type of content that you want to export.
Custom content type | Text identifier | Numeric identifier |
---|---|---|
Dashboards | dashboard | 4 |
Reports | report | 10 |
Saved searches | search | 1 |
FGroups ¹ | fgroup | 12 |
FGroup types | fgrouptype | 13 |
Custom rules | customrule | 3 |
Custom properties | customproperty | 6 |
Log sources | sensordevice | 17 |
Log source types | sensordevicetype | 24 |
Log source categories | sensordevicecategory | 18 |
Log source extensions | deviceextension | 16 |
Reference data collections | referencedata | 28 |
Custom QID map entries | qidmap | 27 |
Historical correlation profiles | historicalsearch | 25 |
Custom functions | custom_function | 77 |
Custom actions | custom_action | 78 |
Applications | installed_application | 100 |
DSM event mapping | dsmevent | 41 |
¹ An FGroup represents a group of content, such as a log source group, reporting group, or search group.
1. Use SSH to log in to JSA as the root user.
2. Go to the /opt/qradar/bin directory and type the command to export all content of the specified type:
   ./contentManagement.pl -a export --content-type [content_type] --id all
Parameters:

Table 2: contentManagement.pl Script Parameters for Exporting Custom Content of a Specific Type

Parameter | Description |
---|---|
-c [content_type] or --content-type [content_type] | Specifies the type of content. You can type the corresponding text or numeric identifier to specify the content type. Note: If you export data of a specific content type, additional data from related content of any content type might also be exported. |
-e or --include-reference-data-elements | Set this flag to include reference data keys and elements in the export. Reference data keys and elements apply to the referencedata content type, so this parameter applies only when you export reference data, or content items that depend on reference data. |
-g or --global-view | Includes accumulated data in the export. |
-i [content_identifier] or --id [content_identifier] | Specifies the identifier of a specific instance of custom content, such as a single report or a single reference set. Specify all to export all content of the specified type. |
-o [filepath] or --output-directory [filepath] | Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created. |
-t [compression_type] or --compression-type [compression_type] | Specifies the compression type of the export file. Valid options are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default is ZIP. |

Examples:
To export all custom searches, type the following command:
./contentManagement.pl --action export --content-type search --id all
To export all reports and include accumulated data, type the following command:
./contentManagement.pl -a export -c 10 --id all --global-view
The content is exported to a compressed file, for example, reports-ContentExport-20151022101803.zip. You can manually change the file name to a name that is more descriptive. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported.
Searching for Specific Content Items to Export
You use the content management script to search for specific content in your JSA deployment. After you find the content, you can use the unique identifier to export the content item.
The following table lists the identifiers to use when you want to search for specific types of content.
Custom content type | Text identifier | Numeric identifier |
---|---|---|
Dashboards | dashboard | 4 |
Reports | report | 10 |
Saved searches | search | 1 |
FGroups ¹ | fgroup | 12 |
FGroup types | fgrouptype | 13 |
Custom rules | customrule | 3 |
Custom properties | customproperty | 6 |
Log sources | sensordevice | 17 |
Log source types | sensordevicetype | 24 |
Log source categories | sensordevicecategory | 18 |
Log source extensions | deviceextension | 16 |
Reference data collections | referencedata | 28 |
Custom QID map entries | qidmap | 27 |
Historical correlation profiles | historicalsearch | 25 |
Custom functions | custom_function | 77 |
Custom actions | custom_action | 78 |
Applications | installed_application | 100 |
¹ An FGroup represents a group of content, such as a log source group, reporting group, or search group.
1. Use SSH to log in to JSA as the root user.
2. Go to the /opt/qradar/bin directory and type the following command to search for custom content that matches a regular expression:
   ./contentManagement.pl -a search -c [content_type] -r [regex]
Parameters:

Table 4: contentManagement.pl Script Parameters for Searching Content Items

Parameter | Description |
---|---|
-c [content_type] or --content-type [content_type] | Specifies the type of content to search for. You must specify the type of content to search for; you cannot use -c package or -c all with the search action. |
-r [regex] or --regex [regex] | Specifies the content to search for. All content that matches the expression is displayed. |

Examples:
To search for all reports that include Overview in the description, type the following command:
/opt/qradar/bin/contentManagement.pl --action search --content-type report --regex "Overview"
To list all log sources, type the following command:
/opt/qradar/bin/contentManagement.pl -a search -c 17 -r "\w"
The search results list details, including the unique ID, for the content items that are found:
[INFO] Search results:
[INFO] - [ID] - [Name] - [Description]
[INFO] - [67] - [Asset Profiler-2 :: hostname] - [Asset Profiler]
[INFO] - [62] - [SIM Generic Log DSM-7 :: hostname] - [SIM Generic Log DSM]
[INFO] - [63] - [Custom Rule Engine-8 :: hostname] - [Custom Rule Engine]
[INFO] - [71] - [Pix @ apophis] - [Pix device]
[INFO] - [70] - [Snort @ wolverine] - [Snort device]
[INFO] - [64] - [SIM Audit-2 :: hostname] - [SIM Audit]
[INFO] - [69] - [Health Metrics-2 :: hostname] - [Health Metrics]
Use the unique identifier to export specific content items from JSA. For more information, see Content Management Script Parameters.
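When the search-then-export sequence above is scripted (for example, to move one log source's configuration to a second deployment), the IDs have to be pulled out of the script's search output. The following is an added example, not part of this documentation or of the contentManagement.pl script itself: it parses search output of the form shown above, lets you narrow the hits with a second client-side regex, and builds the argv for the corresponding single-item export using only the parameters documented on this page. The sample output is the listing above, embedded as a constant; the script path is the one the page gives.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Path of the script as documented on this page.
CMT_SCRIPT = "/opt/qradar/bin/contentManagement.pl"

# One search-result line as contentManagement.pl prints it:
#   [INFO] - [<id>] - [<name>] - [<description>]
# The header line "[INFO] - [ID] - [Name] - [Description]" does not match because
# its ID field is not numeric, so it is skipped automatically.
RESULT_LINE = re.compile(r"^\[INFO\]\s+-\s+\[(\d+)\]\s+-\s+\[(.*?)\]\s+-\s+\[(.*)\]\s*$")

# Constructed sample: the search output shown in this section, one result per line.
SAMPLE_SEARCH_OUTPUT = """\
[INFO] Search results:
[INFO] - [ID] - [Name] - [Description]
[INFO] - [67] - [Asset Profiler-2 :: hostname] - [Asset Profiler]
[INFO] - [62] - [SIM Generic Log DSM-7 :: hostname] - [SIM Generic Log DSM]
[INFO] - [63] - [Custom Rule Engine-8 :: hostname] - [Custom Rule Engine]
[INFO] - [71] - [Pix @ apophis] - [Pix device]
[INFO] - [70] - [Snort @ wolverine] - [Snort device]
[INFO] - [64] - [SIM Audit-2 :: hostname] - [SIM Audit]
[INFO] - [69] - [Health Metrics-2 :: hostname] - [Health Metrics]
"""


def parse_search_results(output: str) -> List[Dict[str, str]]:
    """Return the items listed by 'contentManagement.pl -a search' as dicts (id, name, description)."""
    items: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            items.append({"id": m.group(1), "name": m.group(2), "description": m.group(3)})
    return items


def select_ids(items: List[Dict[str, str]], name_pattern: str) -> List[str]:
    """Narrow the hits with a second regex applied to the name field (the script's -r already
    filtered server-side; this picks the exact items you intend to export)."""
    rx = re.compile(name_pattern)
    return [item["id"] for item in items if rx.search(item["name"])]


def export_command(content_type: str, content_id: str, output_dir: Optional[str] = None,
                   compression: str = "ZIP", global_view: bool = False) -> List[str]:
    """Build the argv for exporting one item by ID (the 'Exporting a Single Custom Content Item' form)."""
    if compression not in ("ZIP", "TARGZ"):  # the page states these values are case sensitive
        raise ValueError("compression must be ZIP or TARGZ")
    argv = [CMT_SCRIPT, "-a", "export", "-c", content_type, "-i", content_id, "-t", compression]
    if output_dir:
        argv += ["-o", output_dir]
    if global_view:
        argv.append("-g")
    return argv


def run_search(content_type: str, regex: str) -> List[Dict[str, str]]:
    """Run the real search on a JSA console (requires the script to be present) and parse its output."""
    proc = subprocess.run([CMT_SCRIPT, "-a", "search", "-c", content_type, "-r", regex],
                          check=True, capture_output=True, text=True)
    return parse_search_results(proc.stdout)


if __name__ == "__main__":
    hits = parse_search_results(SAMPLE_SEARCH_OUTPUT)
    for log_source_id in select_ids(hits, r"^Snort"):
        print(" ".join(export_command("sensordevice", log_source_id, "/store/cmt/exports", global_view=True)))
```

`run_search` is the only function that touches the console; everything else works on captured text, so the selection logic can be checked against saved output before anything is exported.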
Exporting a Single Custom Content Item
Export a single custom content item, such as a custom rule or a saved search, from JSA.
You must know the unique identifier for the custom content item that you want to export.
1. Use SSH to log in to JSA as the root user.
2. Go to the /opt/qradar/bin directory and type the command to export the content:
   ./contentManagement.pl -a export -c [content_type] -i [content_identifier]
Parameters:

Table 5: contentManagement.pl Script Parameters for Exporting a Single Content Item

Parameter | Description |
---|---|
-c [content_type] or --content-type [content_type] | Specifies the type of content to export. Type the corresponding text identifier or numeric identifier for the content type. |
-e or --include-reference-data-elements | Set this flag to include reference data keys and elements in the export. Reference data keys and elements apply to the referencedata content type, so this parameter applies only when you export reference data, or content items that depend on reference data. |
-g or --global-view | Includes accumulated data in the export. |
-i [content_identifier] or --id [content_identifier] | Specifies the identifier of a specific instance of custom content, such as a single report or a single reference set. |
-o [filepath] or --output-directory [filepath] | Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created. |
-t [compression_type] or --compression-type [compression_type] | Used with the export action. Specifies the compression type of the export file. Valid options are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default is ZIP. |

Examples:
To export the dashboard that has ID 7 into the current directory, type the following command:
./contentManagement.pl -a export -c dashboard -i 7
To export the log source that has ID 70, including accumulated data, into the /store/cmt/exports directory, type the following command:
./contentManagement.pl -a export -c sensordevice -i 70 -o /store/cmt/exports -g
The content is exported to a compressed .zip file. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported. You can manually change the file name to a name that is more descriptive.
Exporting Custom Content Items Of Different Types
Export multiple custom content items from JSA, such as custom rules, or dashboards and reports, by using the content management script.
You must know the unique identifiers for each custom content item that you want to export.
1. Use SSH to log in to JSA as the root user.
2. Create a text file that lists the content that you want to export. Each line must include the custom content type followed by a comma-separated list of unique IDs for that type.
   Example: To export two dashboards that have ID 5 and ID 7, all custom rules, and a group, create a text file that has the following entries:
   dashboard, 5,7
   customrule, all
   fgroup, 77
3. Go to /opt/qradar/bin and type the command to export the content:
   ./contentManagement.pl -a export -c package -f [source_file]
Parameters:

Table 6: contentManagement.pl Script Parameters for Exporting Different Types of Content Item

Parameter | Description |
---|---|
-c [content_type] or --content-type [content_type] | Specifies the type of content. You can specify -c package, or type the corresponding text or numeric identifier for a specific content type. When you use -c package, you must also specify the --file or --name parameter. |
-e or --include-reference-data-elements | Set this flag to include reference data keys and elements in the export. Reference data keys and elements apply to the referencedata content type, so this parameter applies only when you export reference data, or content items that depend on reference data. |
-f [source_file] or --file [source_file] | Specifies the path and file name of the text file that contains the list of custom content items that you want to export. The first time you use the --file parameter, a package template file is written to the /store/cmt/packages directory so that you can reuse it. The file name and path are case-sensitive. |
-g or --global-view | Includes accumulated data in the export. |
-n [name] or --name [name] | Specifies the name of the package template file that contains the list of custom content to export. The package template file is created the first time that you use the --file parameter. By default, the --name parameter assumes that the text file is in the /store/cmt/packages directory. You must specify the --file or --name parameter when --content-type package is used. |
-o [filepath] or --output-directory [filepath] | Specifies the full path to the directory where the export file is written. If no output directory is specified, the content is exported to the current directory. If the specified output directory does not exist, it is created. |
-t [compression_type] or --compression-type [compression_type] | Specifies the compression type of the export file. Valid compression types are ZIP and TARGZ (case sensitive). If you do not specify a compression type, the default is ZIP. |

Examples:
To export all items in the exportlist.txt file in the jsa directory, and save the exported file in the current directory, type the following command:
./contentManagement.pl -a export -c package -f /qradar/exportlist.txt
To export all items in the exportlist.txt file in the jsa directory, including accumulated data, and save the output in the /store/cmt/exports directory, type the following command:
./contentManagement.pl -a export -c package --file /qradar/exportlist.txt -o /store/cmt/exports -
When you use the --file parameter, a package template file is automatically generated in /store/cmt/packages. To use the package template file, specify the filename as the value for the --name parameter.
The content is exported to a compressed .zip file. The exported file might contain more content items than expected because all dependencies are exported with the specified content items. For example, if you export a report, the saved search that the report uses is also exported. You can manually change the file name to a name that is more descriptive.
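The package list file is plain text, and the script reads it verbatim, so a typo in a content type or a non-numeric ID is only discovered when the export runs on the console. The following is an added example, not part of this documentation or of the contentManagement.pl script: it generates and validates package list files in the line format shown above ("type, id,id,..."), checking content types against the identifier table on this page (text or numeric form, normalized to the text identifier) and IDs against the "positive integer or all" rule stated there. The sample file content is the three-line example from this section; everything else (the function names, the decision to normalize numeric types to text, the rule that all cannot be mixed with individual IDs) is this example's own design.

```python
from typing import Dict, Iterable, List, Optional, Sequence, Tuple, Union

# Content type identifiers as listed in the tables on this page: text identifier -> numeric identifier.
CONTENT_TYPES: Dict[str, int] = {
    "dashboard": 4, "report": 10, "search": 1, "fgroup": 12, "fgrouptype": 13,
    "customrule": 3, "customproperty": 6, "sensordevice": 17, "sensordevicetype": 24,
    "sensordevicecategory": 18, "deviceextension": 16, "referencedata": 28, "qidmap": 27,
    "historicalsearch": 25, "custom_function": 77, "custom_action": 78,
    "installed_application": 100, "dsmevent": 41,
}
NUMERIC_TO_TEXT: Dict[int, str] = {num: text for text, num in CONTENT_TYPES.items()}

# Constructed sample: the package list from this section.
SAMPLE_PACKAGE_FILE = "dashboard, 5,7\ncustomrule, all\nfgroup, 77\n"


def normalize_type(ctype: Union[str, int]) -> str:
    """Accept a text or numeric identifier and return the text identifier; reject anything unknown."""
    s = str(ctype).strip()
    if s in CONTENT_TYPES:
        return s
    if s.isdigit() and int(s) in NUMERIC_TO_TEXT:
        return NUMERIC_TO_TEXT[int(s)]
    raise ValueError(f"unknown content type: {ctype!r}")


def normalize_ids(ids: Union[str, int, Sequence[Union[str, int]]]) -> List[str]:
    """IDs must be positive integers, or the single word 'all' (this example forbids mixing the two)."""
    if isinstance(ids, (str, int)):
        ids = [ids]
    out = [str(i).strip() for i in ids]
    if not out:
        raise ValueError("no content identifiers given")
    if "all" in out:
        if len(out) != 1:
            raise ValueError("'all' cannot be combined with individual identifiers")
        return ["all"]
    for s in out:
        if not s.isdigit() or int(s) <= 0:
            raise ValueError(f"invalid content identifier: {s!r}")
    return out


def build_package_file(entries: Iterable[Tuple[Union[str, int], Union[str, int, Sequence[Union[str, int]]]]]) -> str:
    """Render (type, ids) pairs as one '<type>, <id>,<id>' line per type, matching the format above."""
    lines = [f"{normalize_type(ctype)}, {','.join(normalize_ids(ids))}" for ctype, ids in entries]
    return "\n".join(lines) + "\n"


def parse_package_file(text: str) -> List[Tuple[str, List[str]]]:
    """Parse and validate a package list file before handing it to 'contentManagement.pl -c package -f'.
    Raises ValueError with the offending line number on the first problem."""
    parsed: List[Tuple[str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry nothing; the page does not define a comment syntax, so none is assumed
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<type>, <id>[,<id>...]'")
        try:
            parsed.append((normalize_type(parts[0]), normalize_ids(parts[1:])))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return parsed


def package_file_error(text: str) -> Optional[str]:
    """Convenience wrapper: None when the file is valid, otherwise the validation message."""
    try:
        parse_package_file(text)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(build_package_file([("dashboard", [5, 7]), (3, "all"), ("12", [77])]), end="")
    print(package_file_error("widget, 1\n"))
```

Running the generated text through `parse_package_file` before you copy it to /store/cmt/packages catches the two classes of mistake the script would otherwise surface mid-export: an unknown type and a malformed ID list.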
Installing Extensions by Using Extensions Management
Use the Extensions Management tool to add security extensions to JSA. The Extensions Management tool allows you to view the content items in the extension and specify the method of handling content updates before you install the extension.
Extensions must be on your local computer before you install them in JSA.
An extension is a bundle of JSA functions. An extension can include content such as rules, reports, searches, reference sets, and dashboards. It can also include applications that enhance JSA functions.
1. On the navigation menu, click Admin.
2. In the System Configuration section, click Extensions Management.
3. To upload a new extension to the JSA console, follow these steps:
   a. Click Add.
   b. Click Browse and navigate to find the extension.
   c. Click Install immediately to install the extension without viewing the contents. See step 5.b.
   d. Click Add.
4. To view the contents of the extension, select it from the extensions list and click More Details.
5. To install the extension, follow these steps:
   a. Select the extension from the list and click Install.
   b. To assign a user to the app, select the User Selection menu, and select a user. For example, you might want to associate the app with a specified user that is listed in the User Selection menu who has the defined permissions.
      Note: This screen appears only if any of the apps in the extension that you are installing are configured to request authentication for background processes.
   c. If the extension does not include a digital signature, or it is signed but the signature is not associated with the JSA Security Certificate Authority (CA), you must confirm that you still want to install it. Click Install to proceed with the installation.
   d. Review the changes that the installation makes to the system.
   e. Select Overwrite or Keep existing data to specify how to handle existing content items.
      Note: If the extension contains overridden system rules, select Replace Existing Items to ensure that the rules are imported correctly.
   f. Click Install.
   g. Review the installation summary and click OK.
Uninstalling a Content Extension
Remove a content extension that isn't useful anymore or that adversely impacts the system. You can remove rules, custom properties, reference data, and saved searches. You might not be able to remove some content if another content item depends on it.
When you uninstall a content extension, any rules, custom properties, and reference data that were installed by the content extension are removed or reverted to their previous state. Saved searches can't be reverted. They can only be removed.
For example, if you've edited custom rules in an app that you now want to uninstall, you can preserve the changes you made for each customized rule. If the custom rule previously existed on the system, you can revert the rule to its previous state. If the custom rule didn't previously exist, you can remove it.
If you have introduced an outside dependency on a content extension that is installed by the app, JSA doesn't remove that piece of content when you uninstall the app. For example, if you create a custom rule that uses one of the app's custom properties, that custom property isn't removed when you uninstall the app.
1. On the navigation menu, click Admin.
2. In the System Configuration section, click Extensions Management.
3. Select the extension that you want to uninstall and click Uninstall.
   JSA checks for any applications, rules, custom properties, reference data, and saved searches that were installed by the content extension and can be removed.
4. If you manually altered any rules, custom properties, or reference data after you installed the app, choose whether to Preserve or Remove/Revert that content.
5. Click Uninstall, and then click OK.
Importing Content by Using the Content Management Script
You can import custom content that you exported from another JSA system.
If you want to import content from another JSA system, you must first export the content and copy it to the target system. For more information about exporting content, see Content Type Identifiers for Exporting Custom Content.
When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.
If the content contains overridden system rules, use the update action instead of the import action to ensure that the rules are imported correctly.
You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.
You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports fail due to conflicts with shared resources.
1. Use SSH to log in to JSA as the root user.
2. Go to the directory where the exported content file is located.
3. Type this command to import the content:
   /opt/qradar/bin/contentManagement.pl -a import -f [source_file] -u [user]
Parameters:

Table 7: contentManagement.pl Script Parameters for Importing Custom Content

Parameter | Description |
---|---|
-f [source_file] or --file [source_file] | Specifies the file that contains the content items to import. Valid file types are zip, targz, and xml. The file name and path are case-sensitive. |
-u [user] or --user [user] | Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content. |

Examples:
To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory, type the following command:
/opt/qradar/bin/contentManagement.pl --action import -f fgroup-ContentExport-20120418163707.tar.gz
To import content from the fgroup-ContentExport-20120418163707.tar.gz file in the current directory and make the admin user the owner of all sensitive data in the import, type the following command:
/opt/qradar/bin/contentManagement.pl --action import --file fgroup-ContentExport-20120418163707.tar.gz --user admin
The import script displays the message "Foreign key constraint violation" when reference data was being actively collected while it was exported. To avoid this issue, run the export process when no reference data is being collected.
Updating Content by Using the Content Management Script
Use the update action to update existing JSA content or add new content to the system.
If you want to update content with content that was exported from another JSA system, ensure that the exported file is on the target system. For more information about exporting content, see Content Type Identifiers for Exporting Custom Content.
When you import content that has log sources, confirm that DSM and protocol RPMs are installed and current on the target system.
You can export content from an earlier release of JSA and import into a later release. However, you cannot import content from a later release into an earlier release.
You do not have to export content in a specific order. However, do not start multiple imports on the same system at the same time. The imports will fail due to conflicts with shared resources.
1. Use SSH to log in to JSA as the root user.
2. To update content, type the following command:
   /opt/qradar/bin/contentManagement.pl -a update -f [source_file]
Parameters:

Table 8: contentManagement.pl Script Parameters for Updating Custom Content

Parameter | Description |
---|---|
-f [source_file] or --file [source_file] | Specifies the file that contains the content items to update. Valid file types are zip, targz, and xml. The file name and path are case-sensitive. |
-u [user] or --user [user] | Specifies the user that replaces the current owner when you import user-specific data. The user must exist on the target system before you import the content. |

Example:
To update based on the content in the fgroup-ContentExport-20120418163707.zip file, type the following command:
/opt/qradar/bin/contentManagement.pl --action update -f fgroup-ContentExport-20120418163707.zip
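The import and update procedures above share three constraints that are easy to violate when the steps are automated: the source file must be a zip, targz or xml file with a case-sensitive name, content that carries overridden system rules must go through the update action rather than import, and two imports must never run on the same system at the same time. The following is an added example, not part of this documentation or of the contentManagement.pl script: a wrapper that enforces those constraints before invoking the script, serializing runs with an exclusive lock file. The script path is the one the page documents; the lock location (/var/run/contentManagement.import.lock), the exception name, the `runner` hook used for offline testing, and the `demo` function are this example's own assumptions.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager
from typing import Callable, Iterator, List, Optional

CMT_SCRIPT = "/opt/qradar/bin/contentManagement.pl"    # path documented on this page
LOCK_PATH = "/var/run/contentManagement.import.lock"   # assumed lock location, not from the page
VALID_SUFFIXES = (".zip", ".tar.gz", ".xml")           # the file types the page lists: zip, targz, xml


class ImportInProgress(RuntimeError):
    """Another import or update already holds the lock on this host."""


@contextmanager
def import_lock(lock_path: str = LOCK_PATH) -> Iterator[None]:
    """Serialize imports on one host. The page states that concurrent imports fail on shared
    resources, so a second caller is refused up front instead of both runs failing part-way.
    O_EXCL makes creation atomic; the file is removed again when the protected block exits."""
    try:
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        raise ImportInProgress(f"another import holds {lock_path}") from None
    try:
        os.write(fd, str(os.getpid()).encode())  # record the holder to aid cleanup of a stale lock
        yield
    finally:
        os.close(fd)
        os.unlink(lock_path)


def check_source_file(path: str) -> str:
    """Reject files the script cannot read. The suffix check is deliberately case-sensitive,
    matching the page's note that file names and paths are case-sensitive."""
    if not path.endswith(VALID_SUFFIXES):
        raise ValueError(f"unsupported file type (expected zip, tar.gz or xml): {path}")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path


def build_command(action: str, source_file: str, user: Optional[str] = None,
                  overridden_rules: bool = False) -> List[str]:
    """Build the argv for the import or update action using only parameters documented above."""
    if action not in ("import", "update"):
        raise ValueError("action must be 'import' or 'update'")
    if overridden_rules and action != "update":
        raise ValueError("content with overridden system rules must be applied with the update action")
    argv = [CMT_SCRIPT, "-a", action, "-f", check_source_file(source_file)]
    if user:
        argv += ["-u", user]
    return argv


def run_content_action(action: str, source_file: str, user: Optional[str] = None,
                       overridden_rules: bool = False, lock_path: str = LOCK_PATH,
                       runner: Optional[Callable[[List[str]], None]] = None) -> List[str]:
    """Validate, take the lock, then run the script (or the supplied runner hook) and return the argv."""
    argv = build_command(action, source_file, user, overridden_rules)
    with import_lock(lock_path):
        if runner is None:
            subprocess.run(argv, check=True)
        else:
            runner(argv)
    return argv


def demo() -> dict:
    """Exercise the wrapper against a constructed, empty archive in a temporary directory (no JSA needed)."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        archive = os.path.join(workdir, "fgroup-ContentExport-20120418163707.tar.gz")
        open(archive, "wb").close()
        lock = os.path.join(workdir, "import.lock")
        seen: List[List[str]] = []
        results["argv"] = run_content_action("import", archive, user="admin", lock_path=lock, runner=seen.append)
        results["ran"] = seen == [results["argv"]]
        results["lock_released"] = not os.path.exists(lock)
        try:
            with import_lock(lock):  # simulate an import already running on this host
                run_content_action("update", archive, lock_path=lock, runner=seen.append)
            results["second_import_blocked"] = False
        except ImportInProgress:
            results["second_import_blocked"] = True
        try:
            check_source_file(archive.upper())  # wrong case in the name must not pass
            results["case_rejected"] = False
        except (ValueError, FileNotFoundError):
            results["case_rejected"] = True
        try:
            build_command("import", archive, overridden_rules=True)
            results["import_with_overrides_rejected"] = False
        except ValueError:
            results["import_with_overrides_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A lock file left behind by a process that was killed has to be removed by hand (the PID written into it identifies the former holder); that is the trade-off for refusing, rather than queueing, a second import.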