APAR status
Closed as program error.
Error description
When domains are configured through the QRadar Console, the system creates tests to ensure users are allowed to view the rules within the domain based on their security profile. The domain permission test is part of every rule but is not visible in the user interface; it allows QRadar to display information to the correct members of the domain.
Administrators have reported that on busy systems at peak load the user permission test can negatively impact performance and take more execution time than required to complete. QRadar development is reviewing the performance impact of the UserDomainPermission_Test.
When this issue occurs, busy systems can route events to 'Store', bypassing correlation, and write a message in /var/log/qradar.log:
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=HOSTNAME:ecs-ep/EP/Processor2]]com.q1labs.semsour -] [-/- -]Custom Rule Engine has sent a total of 15564 event(s) directly to storage. 15564 event(s) were sent in the last 60 seconds. Queue is at 100 percent capacity.
HOSTNAME ecs-ep-post-tuning[24788]: Setting scheduler on thread "11058" ("CRE Test Rule") to SCHED_RR 10
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=HOSTNAME:ecs-ep/EP/Processor2]]com.q1labs.semsourc -] [-/- -]Custom Rule Engine has sent a total of 29508 event(s) directly to storage. 139440 event(s) were sent in the last 60 seconds. Queue is at 100 percent capacity.
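Events routed directly to storage are never evaluated by rules, so each of these messages marks a window with no correlation coverage. The following is an added example, not IBM code: a small parser that finds the message in log lines and summarises how many events skipped correlation. The function names are hypothetical, and the sample lines are constructed from the message text above with the truncated class-name field left out.

```python
import re
import sys

# Matches the Custom Rule Engine message text quoted in this APAR.
CRE_RE = re.compile(
    r"Custom Rule Engine has sent a total of (?P<total>\d+) event\(s\) "
    r"directly to storage\. (?P<recent>\d+) event\(s\) were sent in the "
    r"last 60 seconds\. Queue is at (?P<queue>\d+) percent capacity\."
)
PARENT_RE = re.compile(r"\[parent=(?P<parent>[^\]]+)\]")

def parse_cre_storage_events(lines):
    """Return one dict per routed-to-storage message found in lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = CRE_RE.search(line)
        if not m:
            continue
        parent = PARENT_RE.search(line)
        hits.append({
            "line": lineno,
            "processor": parent.group("parent") if parent else None,
            "total": int(m.group("total")),
            "recent": int(m.group("recent")),
            "queue_pct": int(m.group("queue")),
        })
    return hits

def summarize(hits):
    """Summarise how much traffic skipped correlation."""
    return {
        "messages": len(hits),
        "max_recent": max((h["recent"] for h in hits), default=0),
        "queue_full": sum(1 for h in hits if h["queue_pct"] >= 100),
    }

# Constructed sample lines modelled on the APAR text; HOSTNAME is a placeholder.
_LINE = ("[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor]"
         "[parent=HOSTNAME:ecs-ep/EP/Processor2]] Custom Rule Engine has sent a "
         "total of {} event(s) directly to storage. {} event(s) were sent in "
         "the last 60 seconds. Queue is at 100 percent capacity.")
SAMPLE = [
    _LINE.format(15564, 15564),
    'HOSTNAME ecs-ep-post-tuning[24788]: Setting scheduler on thread "11058" '
    '("CRE Test Rule") to SCHED_RR 10',
    _LINE.format(29508, 139440),
]

if __name__ == "__main__":
    # Pass a log path such as /var/log/qradar.log, or run on the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(summarize(parse_cre_storage_events(src)))
```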
Local fix
No workaround available. APARs identified as 'No workaround available' require a software delivery to resolve. Administrators can subscribe to the APAR to receive updates when software releases are published for this issue.
Problem summary
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Problem conclusion
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Temporary fix
Comments
APAR Information
APAR number
IJ44637
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-12-15
Closed date
2023-06-26
Last modified date
2023-06-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
Document Information
Modified date:
26 June 2023