IBM Support

QRadar: MSRPC protocol can increase CPU utilization on Microsoft Windows Servers (APAR IJ29923)

Abstract

Administrators who received the latest version of the MSRPC protocol from the 9 December 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability, as reported in APAR IJ29923. QRadar Support recommends that administrators install an updated Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

Content


Important: This flash notice includes updated instructions to install a new version of the Microsoft Windows Security Event Log over MSRPC protocol. Administrators no longer need to downgrade the RPM versions as new RPMs are available on IBM Fix Central to resolve the reported CPU utilization issue. This technical note includes direct links to the updated RPM files.

About

IBM® is alerting QRadar® administrators who use the Microsoft Windows Security Event Log over MSRPC protocol of a reported increase in CPU utilization on their Windows systems. The QRadar weekly auto update for 9 December 2020 contains an updated MSRPC protocol that can cause CPU usage to grow over time and lead to instability of the remote Windows host. Administrators who use the MSRPC protocol to collect events can update their MSRPC protocol version. 

Urgency

IMPORTANT: Administrators who use the MSRPC protocol can install the latest version of the Microsoft Windows Security Event Log over MSRPC protocol to avoid this issue. The RPM is installed on the Console appliance and a full deploy delivers the update to all appliances in the deployment.

If you do not collect events with the Microsoft Windows Security Event Log over MSRPC protocol, you can ignore this notice. 

Affected products

The following RPMs can cause high CPU usage on Microsoft Windows systems:
  • PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm

How to resolve the issue

Administrators can install the latest version of the Microsoft Windows Security Event Log over MSRPC protocol RPM on the QRadar Console to resolve this issue. After the protocol is installed, you must complete a full deploy to ensure all appliances are updated. The updated files to resolve this issue are only available on IBM Fix Central.

Procedure
  1. Download the updated Microsoft Windows Security Event Log over MSRPC protocol from IBM Fix Central:
  2. Copy the file to your QRadar Console.
  3. Use SSH to log in to QRadar Console as the root user.
  4. To install the updated MSRPC protocol, type one of the following commands:
    • yum -y install PROTOCOL-WindowsEventRPC-7.3-20201215160627.noarch.rpm
    • yum -y install PROTOCOL-WindowsEventRPC-7.4-20201215160616.noarch.rpm
  5. Log in to the QRadar® Console as an administrator.
  6. Click the Admin tab.
  7. Click Advanced > Deploy Full Configuration.

Results

After services restart, the installation is complete. If you experience CPU issues with the Microsoft Security Event Log over MSRPC protocol, open a case with QRadar Support.

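As an added check that is not part of this notice or of IBM's own tooling, the following POSIX shell function classifies the installed PROTOCOL-WindowsEventRPC package against the affected and fixed builds named above, so an administrator can confirm a Console is affected before, and fixed after, the deploy. The `rpm -q` wrapper and the `--check` flag are assumptions for running it on a Console.

```shell
#!/bin/sh
# Added example (not IBM's code): classify an installed PROTOCOL-WindowsEventRPC
# package against the builds named in this notice. Input is the NVRA string as
# printed by `rpm -q PROTOCOL-WindowsEventRPC`, for example
#   PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch
# Prints one of: affected, fixed, not-listed, unknown.
# Exit status: 0 = fixed, 1 = affected, 2 = not listed / unknown version.
msrpc_rpm_status() {
    nvra=$1

    # The two builds the notice identifies as causing high CPU on Windows hosts.
    case "$nvra" in
        PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch|\
        PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch)
            echo affected; return 1 ;;
    esac

    # Strip the package name and the arch suffix, leaving VERSION-RELEASE.
    vr=${nvra#PROTOCOL-WindowsEventRPC-}
    vr=${vr%.noarch}
    version=${vr%%-*}
    release=${vr#*-}

    # Release of the corrected RPM for each QRadar major version (from the notice).
    case "$version" in
        7.3) fixed=20201215160627 ;;
        7.4) fixed=20201215160616 ;;
        *)   echo unknown; return 2 ;;
    esac

    # Release is a build timestamp, so a numeric compare orders builds correctly.
    if [ "$release" -ge "$fixed" ] 2>/dev/null; then
        echo fixed; return 0
    fi
    # Older than the fix but not one of the two affected builds.
    echo not-listed; return 2
}

# Assumed usage on the Console: `sh msrpc_check.sh --check` queries the RPM
# database and classifies whatever build is installed.
if [ "${1:-}" = "--check" ]; then
    installed=$(rpm -q PROTOCOL-WindowsEventRPC 2>/dev/null) \
        || { echo "PROTOCOL-WindowsEventRPC is not installed"; exit 2; }
    msrpc_rpm_status "$installed"
fi
```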

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Document Information

Modified date:
15 December 2020

UID

ibm16382106