Troubleshooting
Problem
When you have many Offenses in QRadar, some Dashboards, reports, or searches can restart Tomcat.
Symptom
In /var/log/qradar.log:
grep -i txsentry /var/log/qradar.error | less +G
Will return content similar to:
com.q1labs.hostcontext.tx.TxSentry: (..) Found a process on host {CONSOLE}: tomcat, pid={PID}, TX age={t} secs TX on host {CONSOLE}: pid={PID} age={T} IP={loopback} port={port} locks={N} query='SELECT DISTINCT t0.id, t0.attackerCount, (..)
Cause
TXSentry, a feature that stops a service that is taking too long on a task, is working as designed to protect the overall system.
Diagnosing The Problem
psql -U qradar -c "select * from q_table_size;"
If you see "offense_attacker_target_link" over 1 GB, you are hitting this issue. In addition, any table over 1 GB needs to be cleaned up for performance reasons, but tables such as Reference Sets might not be related, depending on the tables indicated in the error.
Resolving The Problem
Cleaning up tables, decreasing time to live, or decreasing retention periods are options for some environments, but the simplest option is to increase the default timeout:
- Log in to the Web Console.
- Click the Admin tab.
- Select System Settings.
- Select Advanced.
- Search for Transaction Max Time Limit and set it to 30 minutes.
Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
- From the Admin tab, click Advanced > Deploy Full Configuration after making this change.
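Added example, not part of the original IBM document: a Python script that groups TxSentry lines by process and PID and flags any transaction whose age exceeds the 30-minute limit set above, which shows whether the new limit covers the queries being stopped. The regular expressions assume the line layout shown under Symptom; the sample lines, the function name summarize and the script name are constructed for illustration.

```python
import re
import sys

# Field layout assumed from the TxSentry line shown under Symptom.
TX_RE = re.compile(
    r"TxSentry:.*?Found a process on host (?P<host>\S+): (?P<proc>[^,]+), "
    r"pid=(?P<pid>\d+), TX age=(?P<age>\d+(?:\.\d+)?) secs")
LOCKS_RE = re.compile(r"\blocks=(\d+)")
QUERY_RE = re.compile(r"query='([^']{0,60})")

# Constructed sample lines: host, PIDs, ages, port and lock counts are made up.
_T = ("com.q1labs.hostcontext.tx.TxSentry: Found a process on host 127.0.0.1: "
      "tomcat, pid={pid}, TX age={age} secs TX on host 127.0.0.1: pid={pid} "
      "age={age} IP=127.0.0.1 port=41234 locks={locks} "
      "query='SELECT DISTINCT t0.id, t0.attackerCount, ...'")
SAMPLE = [_T.format(pid=4242, age=612, locks=3),
          _T.format(pid=4242, age=1250, locks=7),
          _T.format(pid=5151, age=2100, locks=12),
          "an unrelated log line without a transaction record"]


def summarize(lines, limit_secs=30 * 60):
    """Group TxSentry hits by (process, pid); flag ages above limit_secs."""
    out = {}
    for line in lines:
        m = TX_RE.search(line)
        if not m:
            continue  # not a TxSentry "Found a process" record
        entry = out.setdefault((m["proc"], int(m["pid"])), {
            "hits": 0, "max_age": 0.0, "max_locks": 0, "query": ""})
        entry["hits"] += 1
        entry["max_age"] = max(entry["max_age"], float(m["age"]))
        locks = LOCKS_RE.search(line)
        if locks:
            entry["max_locks"] = max(entry["max_locks"], int(locks.group(1)))
        query = QUERY_RE.search(line)
        if query and not entry["query"]:
            entry["query"] = query.group(1)  # first 60 characters at most
        entry["over_limit"] = entry["max_age"] > limit_secs
    return out


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   grep -i txsentry /var/log/qradar.error | python3 txsentry_summary.py
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (proc, pid), e in sorted(summarize(source).items()):
        print(f"{proc} pid={pid} hits={e['hits']} max_age={e['max_age']:.0f}s "
              f"locks={e['max_locks']} over_limit={e['over_limit']}")
```

Entries that still show over_limit=True against the 30-minute value point to table cleanup or shorter retention rather than a larger timeout alone.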
Document Location
Worldwide
Document Information
Modified date:
08 December 2020
UID
ibm16324601