Unable to run SIEM agent as a Cron job from crontab

Article ID: 202973

Updated On:

Products

CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

Running the SIEM agent from crontab results in the following error:  

Log_Exporter_Client-ERROR-Config.json does not exist or it is not present in the same directory in which qradar_agent.py is present. Exiting!

Cause

The agent looks for config.json in the working directory that the Python command runs from, not in the directory that holds the SIEM agent .py file.

The cron command looks like the following:

*/10 * * * * python "/home/admin/SIEM agent/qradar_agent.py" --severity all

or, if you are running the Splunk SIEM agent:

*/10 * * * * python "/home/admin/SIEM agent/splunk_agent.py" --severity all

Resolution

Place the config.json file in the location where the python command is running from. The default for cron is the home directory of the user running the job. If it is root, then place the config.json in /root. For other users it will be /home/<username>.

Alternatively, you can manually specify the config.json file location in the qradar_agent.py (or splunk_agent.py if you are using the Splunk SIEM agent):

  1. Navigate to the qradar_agent folder.
  2. Use cp qradar_agent.py qradar_agent.py_backup to make a backup of the script.
  3. Use vi qradar_agent.py to open the script for editing.
  4. Press ESC, then i, to enter INSERT mode.
  5. Put the full path to config.json on lines 939 and 948 as shown below.
  6. Press ESC, then type :wq to save the change to the script.
  7. Then run the crontab again and the agent should be able to poll the logs.
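
A third way to meet the working-directory requirement described under Cause, added here as an example and not part of the vendor's article or agent: a wrapper that checks for config.json and starts the agent from its own directory, so neither the file nor the script has to be changed. The wrapper name run_agent.sh, the PYTHON override variable and the paths in the comments are assumptions for illustration.

```shell
#!/bin/sh
# run_agent.sh (hypothetical name): start the SIEM agent from its own directory
# so that a config.json lookup relative to the working directory succeeds
# under cron, which otherwise starts jobs in the user's home directory.
#
# Example crontab entry (paths are placeholders):
# */10 * * * * /home/admin/run_agent.sh "/home/admin/SIEM agent" qradar_agent.py --severity all

# preflight DIR SCRIPT
# Return 0 only if DIR exists and holds both SCRIPT and a readable config.json.
preflight() {
    dir=$1 script=$2
    [ -d "$dir" ] || { echo "agent directory not found: $dir" >&2; return 2; }
    [ -f "$dir/$script" ] || { echo "missing $script in $dir" >&2; return 3; }
    [ -r "$dir/config.json" ] || { echo "config.json not readable in $dir" >&2; return 4; }
    return 0
}

# run_agent DIR SCRIPT [ARGS...]
# Change into DIR and run SCRIPT there, passing ARGS through unchanged.
run_agent() {
    dir=$1 script=$2
    shift 2
    preflight "$dir" "$script" || return $?
    # The subshell leaves the caller's working directory untouched.
    # PYTHON is an optional override for the interpreter (assumption).
    ( cd "$dir" && exec "${PYTHON:-python}" "$script" "$@" )
}

# When called with arguments (for example from crontab), run the agent.
if [ "$#" -ge 2 ]; then
    run_agent "$@"
fi
```

A non-zero exit code from the preflight step (2, 3 or 4) identifies which piece is missing, which is easier to spot in cron mail than the agent's own error.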