Administrators who received the latest version of the MSRPC protocol in the 9 December 2020 weekly auto update can experience increased CPU utilization for the EventLog service under svchost.exe on their Windows Servers. Over time, this issue can lead to instability, as reported in APAR IJ29923. QRadar Support recommends that administrators install an updated version of the Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) to avoid this reported issue.
If you do not collect events with the Microsoft Windows Security Event Log over MSRPC protocol, you can ignore this notice.
How to resolve the issue
- Download the updated Microsoft Windows Security Event Log over MSRPC protocol from IBM Fix Central:
  - For QRadar 7.3.x: PROTOCOL-WindowsEventRPC-7.3-20201215160627.noarch.rpm
  - For QRadar 7.4.x: PROTOCOL-WindowsEventRPC-7.4-20201215160616.noarch.rpm
- Copy the file to your QRadar Console.
- Use SSH to log in to QRadar Console as the root user.
- To install the updated MSRPC protocol, type one of the following commands:
  - For QRadar 7.3.x:
    yum -y install PROTOCOL-WindowsEventRPC-7.3-20201215160627.noarch.rpm
  - For QRadar 7.4.x:
    yum -y install PROTOCOL-WindowsEventRPC-7.4-20201215160616.noarch.rpm
- Log in to the QRadar® Console as an administrator.
- Click the Admin tab.
- Click Advanced > Deploy Full Configuration.
After services restart, the installation is complete. If you experience CPU issues with the Microsoft Security Event Log over MSRPC protocol, open a case with QRadar Support.
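To confirm which build is in place before or after the steps above, the following added example (not IBM's code) compares a package string against the fixed build stamps in the RPM file names listed in this notice. The function name is hypothetical, and it assumes the installed package name matches the file-name prefix PROTOCOL-WindowsEventRPC.

```shell
#!/bin/sh
# Added example: report whether a PROTOCOL-WindowsEventRPC package string is
# at or above the fixed build for its QRadar branch.
# Fixed build stamps are copied from the RPM file names in this notice.
FIXED_73=20201215160627
FIXED_74=20201215160616

# check_msrpc_build <package-string>   (hypothetical helper name)
# Accepts an RPM file name or the output of: rpm -q PROTOCOL-WindowsEventRPC
# Returns 0 = fixed build or newer, 1 = older than the fixed build,
#         2 = input not recognised or branch not covered by this notice.
check_msrpc_build() {
    pkg=${1:-}
    pkg=${pkg%.rpm}        # drop ".rpm" when a file name was passed
    pkg=${pkg%.noarch}     # drop the architecture suffix
    case $pkg in
        PROTOCOL-WindowsEventRPC-*-*) ;;
        *) echo "unrecognised package string: ${1:-}"; return 2 ;;
    esac
    build=${pkg##*-}       # release field, YYYYMMDDhhmmss
    rest=${pkg%-*}
    branch=${rest##*-}     # version field, for example 7.3
    case $build in
        ''|*[!0-9]*) echo "unrecognised build stamp: $build"; return 2 ;;
    esac
    [ "${#build}" -eq 14 ] || { echo "unrecognised build stamp: $build"; return 2; }
    case $branch in
        7.3) fixed=$FIXED_73 ;;
        7.4) fixed=$FIXED_74 ;;
        *) echo "no fixed build listed in this notice for $branch"; return 2 ;;
    esac
    # Both values are 14-digit timestamps, so an integer comparison orders them.
    if [ "$build" -ge "$fixed" ]; then
        echo "$branch build $build: fixed build or newer"
        return 0
    fi
    echo "$branch build $build: older than fixed build $fixed"
    return 1
}

# Constructed sample inputs; the 20201209000000 stamp is made up for illustration.
for sample in \
    "PROTOCOL-WindowsEventRPC-7.3-20201215160627.noarch.rpm" \
    "PROTOCOL-WindowsEventRPC-7.4-20201209000000.noarch"
do
    check_msrpc_build "$sample" || true
done
```

On a QRadar Console, pass the installed package instead of a sample: `check_msrpc_build "$(rpm -q PROTOCOL-WindowsEventRPC)"`.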
15 December 2020