APAR status
Closed as program error.
Error description
Users upgrading to QRadar 7.5.0 Update Package 5 reported performance issues related to Geographic data use. An investigation of the issue determined that enabled 'Geographic' indexes can lead to the Custom Rules Engine (CRE) routing events to storage, or to higher than expected ArielWriter activity as the system attempts to write event and flow data to disk.

This issue mainly affects the following areas of QRadar:
1. Indexes causing performance slowness in writing data to disk. Users might notice multiple hosts reporting disk space notifications.
2. Rules that leverage geographic data tests can generate 'Events routed to storage for performance' system notifications.
3. Reports or Dashboards related to geographic data might take longer to return data or experience issues as the accumulator attempts to render visualizations.

Geographic indexes, if enabled, need to be reviewed:
- Flows: Geographic Country/Region
- Events: Destination Geographic Country/Region
- Events: Source Geographic Country/Region

Administrators who experience events routing to storage can review existing geographic data rules. For example,
- and when the event matches 'Source Geographic Country/Region' is 'your_region'

An example of tuning a rule could be to add a specific rule test to filter the data, by adding a log source or IP filtering check before the geographic data rule test runs. For example,
- and when events were detected by one or more of LinuxServer @ hostname
- and when the Source IP is one of the following x.x.x.x, y.y.y.y, z.z.z.z
- and when the event matches 'Source Geographic Country/Region' is not 'your_region'

To confirm this issue, administrators can check any Event Processor to confirm if Ariel Writer is experiencing high loads:
1. Confirm Geographic indexes are enabled in Admin > Index Management.
2. Log in to the QRadar Console as the root user.
3. Open an SSH session to any Event Processor.
4. Type the following command to confirm if Ariel Writer is experiencing excessive load:
   /opt/qradar/support/threadTop.sh -p 7799
5. If Ariel Writer appears at the top of the output, you are experiencing a performance issue.
6. Disable geographic indexes in QRadar.

Note: This issue is related to APAR IJ46357: GEOGRAPHIC DATA RULES CAUSE SEARCH AND EVENT PIPELINE ISSUES WHEN THE LOCATION CACHE EXCEEDS THE SPILLOVER THRESHOLD.
Local fix
Administrators can review and disable geographic data indexes as a temporary workaround for this issue. Optionally, specific geographic rules or building blocks can be tuned in an attempt to reduce load on the Custom Rules Engine (CRE). If you continue to experience performance issues related to geographic data indexes, contact QRadar Support for further assistance.
Problem summary
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Problem conclusion
This issue has been resolved in QRadar 7.5.0 Update Package 6.
Temporary fix
Comments
APAR Information
APAR number
IJ46619
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-04-28
Closed date
2023-06-23
Last modified date
2023-06-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
Document Information
Modified date:
23 June 2023