Events routed directly to storage

38750088 - Performance degradation has been detected in the event pipeline. Event(s) were routed directly to storage.

Explanation

To prevent queues from filling, and to prevent the system from dropping events, the event collection system (ECS) routes data to storage. Incoming events and flows are not categorized. However, raw event and flow data is collected and searchable.

User response

Review the following options:

  • Verify the incoming event and flow rates. If the event pipeline is queuing events, expand your license to hold more data. To determine how close you are to your EPS/FPM license limit, monitor the Event Rate (Events Per Second Raw) graph on the System Monitoring dashboard. The graph shows you the current data rate. Compare the data rate to the per-appliance license configuration in your deployment.

    For more information about EPS/FPM license limits, see QRadar: About EPS & FPM Limits (https://www.ibm.com/support/pages/qradar-about-eps-fpm-limits).

  • Review recent changes to rules or custom properties. Rule or custom property changes might cause sudden changes to your event or flow rates. Changes might affect performance or cause the system to route events to storage.
  • DSM parsing issues can cause the event data to route to storage. To verify whether the log source is officially supported, see the DSM Configuration Guide.
  • SAR notifications might indicate that queued events and flows are in the event pipeline.
  • Tune the system to reduce the volume of events and flows that enter the event pipeline. Events must be tuned at the source, not in the product. You can set coalescing on and configure your retention buckets to limit the number of stored events. License throttling monitors the number of incoming events to the system to manage input queues and licensing. For more information about retention buckets, see the Administration Guide.
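Because events that are routed to storage are not categorized, it helps to know when and on which host notification 38750088 fired. The following is an added example, not IBM code: it groups occurrences of the notification into per-host time windows. The log line layout, the host names and the 5-minute gap are assumptions.

```python
import re
from datetime import datetime, timedelta

NOTIFICATION_ID = "38750088"  # notification ID quoted on this page
MSG = (NOTIFICATION_ID + " - Performance degradation has been detected in the "
       "event pipeline. Event(s) were routed directly to storage.")
# Constructed sample lines. The "<ISO timestamp> <host> <message>" layout and
# the host names are assumptions; adapt LINE_RE to the log format you export.
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:05 qradar-ep01 " + MSG,
    "2024-05-01T10:01:10 qradar-ep01 unrelated message",
    "2024-05-01T10:02:30 qradar-ep01 " + MSG,
    "2024-05-01T10:03:00 qradar-ep02 " + MSG,
    "2024-05-01T10:04:00 qradar-ep01 " + MSG,
    "truncated-line x " + MSG,  # malformed: no parseable timestamp
    "2024-05-01T10:30:00 qradar-ep01 " + MSG,
])
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+.*\b" + NOTIFICATION_ID + r"\b")

def routed_to_storage_windows(log_text, max_gap=timedelta(minutes=5)):
    """Return (host, first_seen, last_seen, count) per burst of notifications."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # first field is not a timestamp; skip the line
        hits.setdefault(m.group(2), []).append(ts)
    windows = []
    for host, stamps in sorted(hits.items()):
        stamps.sort()
        start = prev = stamps[0]
        count = 0
        for ts in stamps:
            if ts - prev > max_gap:  # gap too long: close the current window
                windows.append((host, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        windows.append((host, start, prev, count))
    return windows

if __name__ == "__main__":
    for host, first, last, n in routed_to_storage_windows(SAMPLE_LOG):
        print(f"{host}: {first} -> {last} ({n} notifications)")
```

Each window marks a period in which raw data on that host was stored without categorization, so it is a candidate range for a later search over the raw events.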