Changes that impact event collection
Events come into QRadar® through the ecs-ec-ingress event collection service. Starting in QRadar V7.3.1, the service is managed separately from other QRadar services. To minimize interruptions in collecting event data, the service does not automatically restart when the hostcontext service restarts.
The following changes and situations impact event collection:
- Rebooting an appliance that collects events.
- Adding an HA managed host.
- During HA failover.
- Restoring a configuration backup.
- Adding or removing an off-site source connection.
- Whenever a partition's disk usage exceeds the maximum threshold.
When you deploy changes after you restore a configuration backup, you can restart the event collection service now or later. When you choose to restart the service later, QRadar deploys all changes that don't depend on the event collection service, and continues to collect events while the other services restart. The deployment banner continues to show undeployed changes, and the "Event collection service must be restarted" message is shown when you view the details.