Running the SIEM agent from crontab results in the following error:
Log_Exporter_Client-ERROR-Config.json does not exist or it is not present in the same directory in which qradar_agent.py is present. Exiting!
The config.json needs to be in the location the Python command is running from, not the location of the SIEM agent .py file.
The cron command looks like the following:
*/10 * * * * python "/home/admin/SIEM agent/qradar_agent.py" --severity all
or */10 * * * * python "/home/admin/SIEM agent/splunk_agent.py" --severity all if you are running the Splunk SIEM agent
Place the config.json file in the location where the python command is running from. The default for cron is the home directory of the user running the job. If it is root, then place the config.json in /root. For other users it will be /home/<username>.
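Another way to control where the python command runs from is a small cron wrapper that changes into the directory holding config.json before starting the agent. This is an added example, not part of the SIEM agent or the original article. It assumes, as described above, that the agent looks up config.json relative to the current working directory; the function name run_from_config_dir and the wrapper path /home/admin/run_agent.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not the vendor's code): cron wrapper for the SIEM agent.
# Assumption, per the article: the agent opens config.json relative to the
# current working directory, which under cron is the job owner's home.
#
# Hypothetical crontab entry using this wrapper:
# */10 * * * * /home/admin/run_agent.sh "/home/admin/SIEM agent" python "/home/admin/SIEM agent/qradar_agent.py" --severity all

# run_from_config_dir CONFIG_DIR COMMAND [ARGS...]
# Runs COMMAND with CONFIG_DIR as its working directory, but only if a
# readable config.json is there. The body is a subshell, so the caller's
# own working directory is left unchanged.
run_from_config_dir() (
    if [ "$#" -lt 2 ]; then
        echo "usage: run_from_config_dir CONFIG_DIR COMMAND [ARGS...]" >&2
        exit 64   # EX_USAGE
    fi
    config_dir=$1
    shift
    cd "$config_dir" 2>/dev/null || {
        echo "cannot change into $config_dir" >&2
        exit 66   # EX_NOINPUT
    }
    [ -r config.json ] || {
        echo "config.json missing or unreadable in $(pwd)" >&2
        exit 66
    }
    "$@"
)

# When called with arguments (as from cron), act as the wrapper.
if [ "$#" -gt 0 ]; then
    run_from_config_dir "$@"
fi
```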
Alternatively, you can manually specify the config.json file location in the qradar_agent.py (or splunk_agent.py if you are using the Splunk SIEM agent):