Troubleshooting
Problem
This technical note explains how administrators can review the potential change to search performance in QRadar 7.3.1 Patch 4 when the mitigation for CVE-2017-5754 (Variant 3/Meltdown) is enabled on QRadar appliances.
Symptom
Administrators who install QRadar 7.3.1 Patch 4 and enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) can expect performance degradation after the remediation is enabled. A performance assessment summary is available in the QRadar 7.3.1 Patch 4 release notes.
Environment
QRadar 7.3.1 Patch 4 appliances where the mitigation for CVE-2017-5754 (Variant 3/Meltdown) is enabled.
Resolving The Problem
Administrators who upgrade to QRadar 7.3.1 Patch 4 have the option to enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) in their deployment during installation or as a post-installation procedure. To assess the change in performance, administrators can run common searches before they install QRadar 7.3.1 Patch 4 to establish a baseline of common search durations. The baseline search durations can then be compared to the results obtained when the remediation for CVE-2017-5754 (Variant 3/Meltdown) is enabled.
Procedure
Before you complete the upgrade to QRadar 7.3.1 Patch 4, log in to the QRadar Console.
- Click the Log Activity tab.
- Run a search.
- When the search completes, the Duration field shows how long the search took to complete. To view the duration for each appliance in the deployment, click More Details.
- Record these values or take a screen capture of the Managed Search Results interface, which includes the overall search duration. The interface is available from:
  - Log Activity > Search > Managed Search Results.
  - Network Activity > Search > Managed Search Results.
- Install QRadar 7.3.1 Patch 4 and enable the mitigation for CVE-2017-5754 Variant 3/Meltdown. For full instructions, see the QRadar 7.3.1 Patch 4 release notes.
- Click the Log Activity tab.
- Before you run your search, select one of the following options to ensure you are not using cached search results:
  - Select Search > Managed Search Results and delete the saved search result.
  - Alter your search time frame by one minute or more.
- Compare the Duration field of the completed search, run with the mitigation for CVE-2017-5754 (Variant 3/Meltdown) enabled, to the baseline values you recorded. To view the duration for each appliance in the deployment, click More Details.
For information on how to install QRadar 7.3.1 Patch 4, enable or disable the mitigation for CVE-2017-5754 Variant 3/Meltdown, or review the performance assessment summary, see the QRadar 7.3.1 Patch 4 release notes.
Document Information
Modified date: 03 July 2019
UID: swg22014058