IBM Support

QRadar: Events are assigned incorrectly to Default Domain when seeing performance degradation

Troubleshooting


Problem

Events that match filters for a custom Domain instead show up in the Default Domain.

Symptom

Events show up with a Low-Level Category of "Stored" and in the Default Domain, at around the same time that "Events routed directly to storage" notifications are seen.

Errors such as the following are present in qradar.error on the Event Collector where the event was received.
com.ibm.si.ec.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][xxx.xxx.xxx.xxx/- -] [-/- -]Device Parsing has sent a total of 18603 event(s) directly to storage. 18603 event(s) have been sent in the last 60 seconds.  Queue is at 99 percent capacity.
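To find the windows in which events bypassed Device Parsing (and therefore landed in the Default Domain), the counters in that DSMFilter warning can be pulled out of qradar.error with a small parser. This is an added example, not IBM code: the field layout follows the message quoted above, while the regex, function names, queue threshold and the sample lines are this example's own (the second sample line is constructed, with a documentation address).

```python
import re

# Pattern for the DSMFilter warning quoted above; the field layout is taken
# from that message, the regex itself belongs to this example.
DSM_STORAGE_RE = re.compile(
    r"DSMFilter: \[WARN\] \[NOT:(?P<notification>\d+)\]\s*"
    r"\[(?P<host>[^/\]]+)/[^\]]*\]\s*\[[^\]]*\]\s*"
    r"Device Parsing has sent a total of (?P<total>\d+) event\(s\) "
    r"directly to storage\.\s+(?P<recent>\d+) event\(s\) have been sent "
    r"in the last (?P<window>\d+) seconds\.\s+"
    r"Queue is at (?P<queue_pct>\d+) percent capacity\."
)

def parse_dsm_storage_warning(line):
    """Return the counters of one 'directly to storage' warning, or None."""
    m = DSM_STORAGE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("total", "recent", "window", "queue_pct"):
        rec[key] = int(rec[key])
    return rec

def find_bypass_windows(lines, queue_threshold=90):
    """Warnings whose parsing queue is at or above queue_threshold percent;
    events in those windows bypassed Device Parsing and were not assigned a
    custom domain. The threshold is an assumption of this example."""
    return [
        rec for rec in map(parse_dsm_storage_warning, lines)
        if rec is not None and rec["queue_pct"] >= queue_threshold
    ]

# Constructed sample of qradar.error content: the first line is the warning
# quoted in this note (address masked as on the page), the second a made-up
# low-load warning, the third an unrelated line.
SAMPLE_LOG = [
    "com.ibm.si.ec.filters.normalize.DSMFilter: [WARN] [NOT:0080004101]"
    "[xxx.xxx.xxx.xxx/- -] [-/- -]Device Parsing has sent a total of 18603 "
    "event(s) directly to storage. 18603 event(s) have been sent in the last "
    "60 seconds.  Queue is at 99 percent capacity.",
    "com.ibm.si.ec.filters.normalize.DSMFilter: [WARN] [NOT:0080004101]"
    "[192.0.2.10/- -] [-/- -]Device Parsing has sent a total of 120 event(s) "
    "directly to storage. 120 event(s) have been sent in the last 60 seconds."
    "  Queue is at 35 percent capacity.",
    "com.ibm.si.ec.SomeOtherComponent: [INFO] routine message (constructed)",
]

if __name__ == "__main__":
    for rec in find_bypass_windows(SAMPLE_LOG):
        print(f"{rec['host']}: {rec['recent']} event(s) bypassed parsing in "
              f"{rec['window']}s, queue at {rec['queue_pct']}%")
```

Run it against the Event Collector's qradar.error to correlate the reported windows with the times at which misrouted "Stored" events appeared in the Default Domain.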

Cause

Events are assigned to a Domain in the Device Parsing stage of the event pipeline.
If this stage of the pipeline is backed up or running slowly, events are "routed directly to storage" to avoid further backup in the pipeline.
When events are "routed directly to storage", events completely bypass the Device Parsing stage, and are not assigned to a custom domain.

Resolving The Problem

Having events assigned to the Default Domain when they bypass Device Parsing is expected behavior, because QRadar® uses parsed field information to assign Domain information to events.

To prevent or minimize further instances of events bypassing the Device Parsing stage of the event pipeline, you should research and address the causes of the underlying performance degradation.
For further suggestions on troubleshooting performance degradation, see "Events routed directly to storage".

Document Location

Worldwide


Document Information

Modified date:
17 September 2020

UID

ibm16333105