IBM Support

QRadar: Data Gateway and Event Collector Hardware Capabilities EPS/FPM Threshold enforcement

News


Abstract

QRadar® 7.4.0 and later includes a performance change to prevent Event Collector (15xx) and Data Gateway (7000) appliances from becoming overwhelmed by incoming event data. A new throttle was introduced to protect appliances based on the available CPUs and threads of the hardware. Administrators who find themselves constantly falling behind or dropping events, might need to increase their hardware capabilities or tune the software parameters on their Event Collectors or Data Gateways.

Content

The Event processors (EP) usually have much higher hardware capabilities, which allow handling higher license rates. An Event Collector (EC) inherits the licensing limits from the EP, but due to its hardware being less capable than the EP, the event rate is usually higher than what an EC can handle, which exposes EC to performance issues. 
The new threshold enforcement for 15xx and 7000 appliances introduces a calculated EC capability based on the number of CPUs available and the number of Parsing threads allocated.
Appliance type CPU cores Suggested RAM Overall EPS
Event Collector (15xx) 4 16 GB 1000
Event Collector (15xx) 8 16 GB 7000
Event Collector (15xx) 16 16 GB 7,500 - 17,000
Data Gateway (7000) 8 16 GB
(32 GB with QRadar Vulnerability Manger)
7,000
Data Gateway (7000) 16 16 7,500 - 17,000
Table 1: Overall EPS capacity might be lower than the license capacity without adding CPUs/cores to your virtual machine or updating your hardware.

 
How do I determine cores on my appliance
Administrators can view the number of CPU cores for the appliance with the following command:
lscpu
 
Important notice
The parsing threads number is configured by the QRadar® tuning scripts. Depending on the number of CPU cores, the value increases. 
The manual change in those values is not supported and can cause performance issues on these appliances. In virtual environments, the administrator must ensure the hardware requirements are meet to the EPS rate.
For QRadar® Event Collectors: System Requirements for virtual appliances
For QRoC Data Gateways: System requirements for data gateways
On the Gateway or Event Collector
  1. Update your hardware or virtual machine cores.
  2. Use SSH to log in to the QRadar Console as the root user.
  3. Open an SSH session to the Data Gateway or Event Collector.
  4. To restart the appliance, type: reboot now
  5. Wait for the appliance to restart.

    Results
    After the appliance restarts, use lscpu to verify the number of cores is updated. Administrators can monitor their EPS to verify the additional cores are resolving the issue.
    [root@743EventProcessor ~]# lscpu
    Architecture:          x86_64
    CPU op-mode(s):        32-bit, 64-bit
    Byte Order:            Little Endian
    CPU(s):                40
    On-line CPU(s) list:   0-39
    Thread(s) per core:    2
    Core(s) per socket:    10
    Socket(s):             2
    NUMA node(s):          2
    Vendor ID:             GenuineIntel
    CPU family:            6
    Model:                 85
    Model name:            Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz
    Stepping:              7
    CPU MHz:               2200.000
    BogoMIPS:              4400.00
    Virtualization:        VT-x
    L1d cache:             32K
    L1i cache:             32K
    L2 cache:              1024K
    L3 cache:              14080K
    NUMA node0 CPU(s):     0-9,20-29
    NUMA node1 CPU(s):     10-19,30-39
    Flags:                 fpu vme de pse tsc msr 

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.4.0;7.4.1;7.4.2"}]

Document Information

Modified date:
07 October 2021

UID

ibm16356285