QRadar® 7.4.0 and later includes a performance change to prevent Event Collector (15xx) and Data Gateway (7000) appliances from becoming overwhelmed by incoming event data. A new throttle was introduced to protect appliances based on the available CPUs and threads of the hardware. Administrators who find themselves constantly falling behind or dropping events might need to increase their hardware capabilities or tune the software parameters on their Event Collectors or Data Gateways.
| Appliance type | CPU cores | Suggested RAM | Overall EPS |
|---|---|---|---|
| Event Collector (15xx) | 4 | 16 GB | 1000 |
| Event Collector (15xx) | 8 | 16 GB | 7000 |
| Event Collector (15xx) | 16 | 16 GB | 7,500 - 17,000 |
| Data Gateway (7000) | 8 | 16 GB (32 GB with QRadar Vulnerability Manager) | |
| Data Gateway (7000) | 16 | 16 | 7,500 - 17,000 |
Administrators can view the number of CPU cores for the appliance with the following command:
- Update your hardware or virtual machine cores.
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the Data Gateway or Event Collector.
- To restart the appliance, type: reboot now
- Wait for the appliance to restart.
After the appliance restarts, use lscpu to verify the number of cores is updated. Administrators can monitor their EPS to verify the additional cores are resolving the issue.
```
[root@743EventProcessor ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                40
On-line CPU(s) list:   0-39
Thread(s) per core:    2
Core(s) per socket:    10
Socket(s):             2
NUMA node(s):          2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 85
Model name:            Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz
Stepping:              7
CPU MHz:               2200.000
BogoMIPS:              4400.00
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              1024K
L3 cache:              14080K
NUMA node0 CPU(s):     0-9,20-29
NUMA node1 CPU(s):     10-19,30-39
Flags:                 fpu vme de pse tsc msr
```
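The following added example is not part of the IBM document: it parses lscpu output to confirm the CPU count after the restart and to find the matching "Overall EPS" row of the sizing table. The function names, the embedded sample (cut down from the output above), the use of physical cores for the table lookup, and rounding down between rows are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): check lscpu core counts against the sizing table.

# Constructed sample: the relevant lines of the lscpu output shown on this page.
SAMPLE_LSCPU='CPU(s):              40
On-line CPU(s) list: 0-39
Thread(s) per core:  2
Core(s) per socket:  10
Socket(s):           2
NUMA node0 CPU(s):   0-9,20-29'

# lscpu_field TEXT KEY: print the value of the line whose label is exactly KEY.
# Exact matching keeps "CPU(s)" from also matching "NUMA node0 CPU(s)".
lscpu_field() {
  printf '%s\n' "$1" | awk -F: -v key="$2" '
    { label = $1; gsub(/^[ \t]+|[ \t]+$/, "", label) }
    label == key { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# physical_cores TEXT: cores per socket x sockets (hyper-threads not counted).
physical_cores() {
  pc_per=$(lscpu_field "$1" "Core(s) per socket")
  pc_sock=$(lscpu_field "$1" "Socket(s)")
  [ -n "$pc_per" ] && [ -n "$pc_sock" ] || return 1
  echo $(( pc_per * pc_sock ))
}

# eps_guideline TYPE CORES: "Overall EPS" cell of the table for TYPE
# (ec = Event Collector 15xx, dg = Data Gateway 7000).
# Assumption: a core count between two rows is rounded down to the lower row.
eps_guideline() {
  if   [ "$2" -ge 16 ]; then echo "7,500 - 17,000"
  elif [ "$2" -ge 8 ] && [ "$1" = ec ]; then echo "7000"
  elif [ "$2" -ge 8 ]; then echo "not listed on this page"
  elif [ "$2" -ge 4 ] && [ "$1" = ec ]; then echo "1000"
  else echo "below the smallest listed size"
  fi
}

# cores_match TEXT EXPECTED: succeed only if lscpu reports EXPECTED logical CPUs.
cores_match() {
  [ "$(lscpu_field "$1" "CPU(s)")" = "$2" ]
}

# On an appliance, pass "$(lscpu)" instead of the sample.
echo "logical CPUs:   $(lscpu_field "$SAMPLE_LSCPU" "CPU(s)")"
echo "physical cores: $(physical_cores "$SAMPLE_LSCPU")"
echo "EC guideline:   $(eps_guideline ec "$(physical_cores "$SAMPLE_LSCPU")")"
```

The sample reports 40 logical CPUs but 20 physical cores because of two threads per core, so decide which figure you are comparing before concluding that a core upgrade took effect.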
07 October 2021