IBM Support

QRadar: Impact of Deploy Full Configuration on events, flows, and offenses

Question & Answer


What is the impact of initiating a Deploy Full Configuration on QRadar systems?


There are occasions when the Console requests that you run a Deploy Full Configuration.


As of QRadar 7.3.1, event and flow collection is handled by the ecs-ec-ingress service, which is not restarted as part of a Deploy Full Configuration action. The ecs-ec-ingress service stores incoming data in a buffer, so event and flow collection continues through the Full Deploy action. Full processing of the new incoming events and flows occurs after the ecs-ec and ecs-ep services restart, at which point the buffered data is processed.

After initiating a Deploy Full Configuration action in QRadar 7.3.0 and earlier versions, the system stops logging events and flows. It also stops firing offenses. This is because the Deploy Full Configuration action involves restarting the ECS service on all systems.

The ECS is made up of two processes: ecs-ec and ecs-ep.

  • The ecs-ec process is responsible for event and flow collection. This includes event parsing, traffic analysis, coalescing, and event forwarding. The ecs-ec process can exist on Consoles, Event Processors, Flow Processors, Event Collectors, and Flow Collectors.
  • The ecs-ep process is responsible for the Custom Rules Engine (CRE), event and flow streaming, and storage. The ecs-ep process can exist on Consoles, Event Processors, and Flow Processors, but does not exist on Flow Collectors. The Magistrate is also part of the ecs-ep process and exists on the Console only. The Magistrate is responsible for offense rules, offense management, and offense storage.

While these processes are restarting, you are not able to log events or flows, forward events, stream in real time, or search. Take this into consideration whenever a Deploy Full Configuration is initiated, because the ECS service restarts impact QRadar functions.
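One way to verify this behaviour on a managed host, as an added example that is not from the IBM page: snapshot the ECS units before and after the deploy and report which ones restarted. It assumes (not stated on the page) that ecs-ec-ingress, ecs-ec and ecs-ep are systemd units on a 7.3.1+ appliance and that the host is queried over SSH as root; the comparison function also works on constructed snapshot text, which is how the sample below is exercised.

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Assumption: the three ECS components are
# systemd units with these names (adjust ECS_UNITS if your appliance differs).
ECS_UNITS="ecs-ec-ingress ecs-ec ecs-ep"

# Print one line per unit: "<unit> <MainPID> <ActiveEnterTimestampMonotonic>".
# A changed PID or activation timestamp means the unit was restarted.
snapshot_ecs() {
  for u in $ECS_UNITS; do
    pid=$(systemctl show -p MainPID "$u" | cut -d= -f2)
    ts=$(systemctl show -p ActiveEnterTimestampMonotonic "$u" | cut -d= -f2)
    printf '%s %s %s\n' "$u" "$pid" "$ts"
  done
}

# compare_snapshots BEFORE AFTER
# Prints "<unit> restarted" or "<unit> unchanged" per unit.
# Exit status 1 if ecs-ec-ingress itself restarted, meaning the collection
# buffer described above was not preserved and a collection gap is likely.
compare_snapshots() {
  before="$1"; after="$2"; rc=0
  for u in $ECS_UNITS; do
    set -- $(printf '%s\n' "$before" | grep "^$u ")
    bpid="$2"; bts="$3"
    set -- $(printf '%s\n' "$after" | grep "^$u ")
    apid="$2"; ats="$3"
    if [ "$bpid" != "$apid" ] || [ "$bts" != "$ats" ]; then
      echo "$u restarted"
      if [ "$u" = ecs-ec-ingress ]; then rc=1; fi
    else
      echo "$u unchanged"
    fi
  done
  return $rc
}

# Usage on the appliance:
#   before=$(snapshot_ecs)      # take the snapshot, then run Deploy Full Configuration
#   after=$(snapshot_ecs)       # once the deploy completes
#   compare_snapshots "$before" "$after" || echo "WARNING: ingress restarted"
```

On a 7.3.1+ host the expected result is ecs-ec-ingress unchanged with ecs-ec and ecs-ep restarted; on 7.3.0 and earlier, where collection runs inside ecs-ec, the restart of ecs-ec is itself the collection outage.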

For other considerations on changes that impact event collection, refer to the following IBM Documentation article:

Changes that Impact Event Collection


Document Information

Modified date:
17 January 2023