IBM Support

QRadar EDR (formerly ReaQta): Troubleshooting Linux OS agent performance

How To


Summary

This article covers troubleshooting performance issues and agent failures for the Linux OS QRadar EDR (formerly ReaQta) agent.

Steps

Performance Issues

To scope a performance issue on your Linux host, answer the following questions first:
  • Is it a system-wide performance issue, an issue with a specific application, or a group of applications?
  • Are there any specific processes, applications, or features impacted?
  • Is the performance issue constant or intermittent?
  • If it's not a constant issue, can you describe the events leading to the issue or provide a timeframe when it happened?
If you suspect the ReaQta agent is impacting system performance, you can try the following steps:
  • Monitor the system resource utilization with the available tools on the system.  Some examples:
    • top, iotop, iostat, vmstat, free
    • Here is an example, running top and iotop every 20 seconds, saving the output to a file:
       watch -n 20 ' date >> /tmp/reaqta_perfmon.txt && top -bn 1 -o +%CPU >> /tmp/reaqta_perfmon.txt && iotop -bn 1 >> /tmp/reaqta_perfmon.txt && echo "###############################" >> /tmp/reaqta_perfmon.txt '
    • Check for indications of abnormal resource utilization involving the ReaQta processes
      • keeperx - Primary process for the ReaQta agent that performs monitoring, analysis, and communication to the ReaQta Hive
      • polkitd - Agent policy processing
  • Stop the keeperx service and confirm whether the problem changes. The endpoint is not monitored while keeperx is stopped, so start it again (systemctl start keeperx) as soon as the test is complete.
    systemctl stop keeperx
  • Stop the top, iotop, or performance monitoring command
  • Contact ReaQta Support if stopping the keeperx service resolves the performance issue. Include the following:
    • The responses to the questions regarding problem scope
    • The results from the performance monitoring
    • The system information requested in the 'System and Agent information required' section of this technote
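The steps above sample the whole system; when the suspect is the agent itself, a narrower record of just its processes over time is easier to attach to a case. The following bash script is an added example, not IBM's or ReaQta's code: it reads `ps` output, keeps only the two processes the technote names (keeperx and polkitd), flags a sample when either exceeds a CPU or memory threshold, and appends timestamped samples to a file. The threshold values, the output path and the sample count are assumptions to adjust for your host.

```bash
#!/usr/bin/env bash
# Added example (not IBM/ReaQta code): periodic sampler for the ReaQta agent processes.
# Assumes procps `ps` (supports -eo pid,pcpu,pmem,rss,comm) and the process names
# keeperx / polkitd listed in the technote. Thresholds below are illustrative only.

CPU_THRESHOLD=${CPU_THRESHOLD:-25}   # percent of one CPU, assumed value
MEM_THRESHOLD=${MEM_THRESHOLD:-10}   # percent of RAM, assumed value

# flag_hot_processes: reads `ps -eo pid,pcpu,pmem,rss,comm` output on stdin, prints one
# line per agent process with HIGH/ok, and returns 1 if any process is over a threshold.
flag_hot_processes() {
    awk -v cpu="$CPU_THRESHOLD" -v mem="$MEM_THRESHOLD" '
        NR == 1 { next }                                   # skip the ps header line
        $5 ~ /^(keeperx|polkitd)$/ {
            flag = ($2 + 0 > cpu || $3 + 0 > mem) ? "HIGH" : "ok"
            printf "%s pid=%s cpu=%s%% mem=%s%% rss=%sKB %s\n", $5, $1, $2, $3, $4, flag
            if (flag == "HIGH") hot = 1
        }
        END { exit hot ? 1 : 0 }
    '
}

# sample_agent SAMPLES INTERVAL OUTFILE: append SAMPLES timestamped snapshots of the
# agent processes to OUTFILE, INTERVAL seconds apart, marking samples over threshold.
sample_agent() {
    local samples=$1 interval=$2 outfile=$3
    local i=0
    while [ "$i" -lt "$samples" ]; do
        {
            date '+%F %T'
            ps -eo pid,pcpu,pmem,rss,comm | flag_hot_processes \
                || echo "WARNING: agent process above threshold"
            echo "###############################"
        } >> "$outfile"
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then
            sleep "$interval"
        fi
    done
}

# Usage (assumed values): 30 samples, 20 seconds apart, to the technote's output path.
# sample_agent 30 20 /tmp/reaqta_perfmon.txt
```

Attach the resulting file alongside the top/iotop output; the HIGH markers make it quick to correlate agent spikes with the timeframe you reported in the scoping questions.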

Agent Function Issues or Failure

If the ReaQta agent is Offline, or there are problems with the agent functionality, first assess the following questions:
  • Have you installed any significant or major updates to the Linux host?
  • Was this agent working previously, or is this agent a new installation?
  • If this was previously working, when did the issue begin?
  • What is the 'Registration Date' and the 'Last Seen Date' for the endpoint in the ReaQta dashboard?
  • What is the full installation string used to install and register the agent?
To gather more data for investigation, try the following steps:
  • If tcpdump is available on the Linux agent, start a packet capture for traffic involving the ReaQta Hive server (replace <interfacename> with the interface used to reach the Hive and x.x.x.x with the Hive server address; stop the capture with Control-C after the problem has been reproduced):
    tcpdump -i <interfacename> -nn host x.x.x.x -w /tmp/reaqtahive.pcap
  • Confirm the status of the keeperx service:
    systemctl status keeperx
  • Stop (if running) and then start the keeperx service:
    systemctl stop keeperx
    systemctl start keeperx
    • If any errors are presented, capture the errors
  • Manually run the keeperx service:
    /etc/reaqtahive.d/keeperx
    • Allow that to run for a few minutes
    • Stop with Control-C and copy the output
    • Gather the following:
      • Packet capture of the ReaQta communication with the Hive server (if applicable)
      • Output from manual keeperx execution
      • The journalctl logs
        journalctl -S -60min | grep -iE "keeperx|polkit|reaqta" > /tmp/journalctl_reaqtalogs.log
        • NOTE: The example is for the last 60 minutes of logs.  If the issue occurred at a different time, adjust or remove the -S option from the command
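The collection steps above (service status, restart with error capture, optional packet capture, filtered journal, plus the system information requested in the next section) are combined here into one bash script as an added example; it is not IBM's or ReaQta's tooling. It assumes a systemd host with journalctl, optionally tcpdump and systemd-detect-virt, and that you set HIVE_ADDR to the Hive server address; the output directory, capture length and the error keywords used for the summary are assumptions. The manual run of /etc/reaqtahive.d/keeperx is left as a separate interactive step, as in the technote.

```bash
#!/usr/bin/env bash
# Added example (not IBM/ReaQta code): gather the agent diagnostics the technote asks for
# into one directory and tarball. Assumes systemd/journalctl; tcpdump and
# systemd-detect-virt are used only if present. Run as root.

AGENT_PATTERN='keeperx|polkit|reaqta'   # same case-insensitive filter as the technote's journalctl command

# filter_agent_journal: journal lines on stdin, keeps only agent-related lines.
filter_agent_journal() {
    grep -iE "$AGENT_PATTERN" || true    # an empty result is not a failure
}

# count_agent_errors: reads journal lines on stdin and prints "<agent_lines> <error_lines>",
# where error lines are agent lines containing error/fail/denied/timeout/refused (assumed keywords).
count_agent_errors() {
    filter_agent_journal | awk '
        { total++ }
        tolower($0) ~ /error|fail|denied|timeout|refused/ { errs++ }
        END { printf "%d %d\n", total, errs }'
}

# collect_agent_diagnostics [OUTDIR] [SINCE]: SINCE is the journalctl -S window
# (default -60min, widen it if the problem is older). Prints the tarball path.
collect_agent_diagnostics() {
    local outdir=${1:-/tmp/reaqta_diag_$(date +%Y%m%d%H%M%S)}
    local since=${2:--60min}
    mkdir -p "$outdir"

    # Optional packet capture of Hive traffic for the duration of the restart (CAPTURE_SECS assumed)
    if [ -n "${HIVE_ADDR:-}" ] && command -v tcpdump >/dev/null 2>&1; then
        timeout "${CAPTURE_SECS:-120}" tcpdump -i "${IFACE:-any}" -nn host "$HIVE_ADDR" \
            -w "$outdir/reaqtahive.pcap" 2>"$outdir/tcpdump.err" &
        local tcpdump_pid=$!
    fi

    systemctl status keeperx --no-pager >"$outdir/keeperx_status_before.txt" 2>&1 || true
    systemctl stop keeperx  >"$outdir/keeperx_restart.txt" 2>&1 || true
    systemctl start keeperx >>"$outdir/keeperx_restart.txt" 2>&1 \
        || echo "systemctl start keeperx failed with status $?" >>"$outdir/keeperx_restart.txt"
    systemctl status keeperx --no-pager >"$outdir/keeperx_status_after.txt" 2>&1 || true

    journalctl -S "$since" --no-pager | filter_agent_journal >"$outdir/journalctl_reaqtalogs.log"
    journalctl -S "$since" --no-pager | count_agent_errors  >"$outdir/journal_summary.txt"

    # System information requested for the support case
    {
        cat /proc/version
        cat /etc/os-release
        lsb_release -a 2>/dev/null || true
        systemd-detect-virt 2>/dev/null || echo "systemd-detect-virt not available"
    } >"$outdir/system_info.txt" 2>&1

    [ -n "${tcpdump_pid:-}" ] && wait "$tcpdump_pid"
    tar -czf "$outdir.tar.gz" -C "$(dirname "$outdir")" "$(basename "$outdir")"
    echo "$outdir.tar.gz"
}

# Usage (assumed values): HIVE_ADDR=x.x.x.x collect_agent_diagnostics /tmp/reaqta_diag -120min
```

The summary file gives a quick "agent lines / error lines" count so you can tell at a glance whether the journal window you chose actually contains the failure before attaching the bundle to the case.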

System and Agent information required for a support case

  • Linux OS version (Distribution and kernel version)
    • Typical commands:
      cat /proc/version
      cat /etc/os-release
      lsb_release -a
  • Confirm whether the endpoint is a virtual or physical host
    • If this agent is installed on a virtual host, confirm the type and version of the underlying hypervisor (if possible)
  • ReaQta Hive Server Version
    • You can find the 'Server Version' on the Administration > License page of the ReaQta Dashboard UI
  • Agent Distribution version
    • You can find the agent distribution and keeperx version on the Endpoint Details page for this endpoint in the ReaQta Dashboard UI
  • Endpoint Name or EndpointID
    • 'ReaQta as a Service' customers can provide the URL to the 'View Endpoint' details page from the ReaQta Dashboard

Document Location

Worldwide


Product Synonym

ReaQta

Document Information

Modified date:
17 May 2023

UID

ibm16571365