IBM Support

QRadar: Upgrades to V7.5.0 UP2 can reduce available SCA search threads (IJ40606)

Troubleshooting


Problem

A reported performance issue exists in QRadar 7.5.0 Upgrade Pack 2 where threads for X-Force for rules and searches might be reduced. When this issue occurs, the scaserver threads can be incorrectly reduced to 15 after the administrator installs or upgrades to QRadar 7.5.0 Upgrade Pack 2. This technical note explains the workaround for administrators affected by APAR IJ40606.

Cause

The scaserver.ini has the number of SCA_THREADS reduced to 15, instead of being calculated by the number of CPUs available on the appliance.

Environment

QRadar 7.5.0 Upgrade Pack 2 (Build 20220527130137).

Resolving The Problem

Note: This issue has been fixed in 7.5.0 UP3. The following workaround is for systems still at 7.5.0 UP2 only.
  1. Use SSH to log in to the Console as the root user.
  2. Create a new file named IJ40606.sh with the command:
    touch /root/IJ40606.sh
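  3. Using an editor such as vi, add the following to the IJ40606.sh file:
    #!/bin/bash
    # Read the CPU count from the "CPU(s):" line of lscpu.
    SERVER_CPUS=$(lscpu | grep "^CPU(s)" | sed "s/.* //")
    # Proceed only if the CPU count is a plain number.
    if [[ $SERVER_CPUS == +([0-9]) ]]
    then
      # Scale the thread count with the number of CPUs.
      SCA_THREADS=$(((299 + 22*SERVER_CPUS) / 30))
      SERVER_INI=/store/dca/server.ini
      # Replace the line that follows the [threads] header with the new value.
      sed -i "/\[threads\]/{n;s/.*/$SCA_THREADS/}" "$SERVER_INI"
      # Show the updated section for confirmation.
      grep -A1 "\[threads\]" "$SERVER_INI"
      # Restart scaserver only if it is currently running.
      if systemctl -q is-active scaserver
      then
        systemctl restart scaserver
      fi
    fi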
    
  4. Make the script executable with the command:
    chmod +x /root/IJ40606.sh
  5. Transfer the script to all managed hosts with the command:
    /opt/qradar/support/all_servers.sh -C -p /root/IJ40606.sh
  6. Run the script on all hosts with the command (this will restart the scaserver service on all hosts):
    /opt/qradar/support/all_servers.sh -C "/storetmp/IJ40606.sh; rm -f /storetmp/IJ40606.sh"
  7. Wait for the command prompt to return.

    Results
    All appliances in the deployment are updated with new values. To verify the SCA server thread value is updated, administrators can SSH to an appliance and type the following command to confirm the value shows greater than 15 assigned threads:
    cat /store/dca/server.ini
    If you are unsure of any steps outlined in this technical note or need assistance with the workaround, contact QRadar Support.
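
The verification step above can also be done as a read-only check that compares the value under [threads] with what the workaround's formula yields for the host's CPU count. This is an added example, not IBM's code: the function names are hypothetical, and it assumes the thread count is the line directly after the [threads] header, as the sed command in the workaround implies.

```bash
#!/bin/bash
# Added example (not from the technote): read-only check of the SCA thread value.
# Function names are hypothetical. Assumes the thread count is the line that
# directly follows the [threads] header, as the workaround's sed command implies.

# Thread count the workaround's formula produces for a given CPU count.
expected_sca_threads() {
  echo $(( (299 + 22 * $1) / 30 ))
}

# Print the line after the first [threads] header, with whitespace stripped.
configured_sca_threads() {
  awk '/\[threads\]/ { if ((getline v) > 0) { gsub(/[ \t\r]/, "", v); print v }; exit }' "$1"
}

# Usage: check_sca_threads <ini-file> <cpu-count>
# Returns 0 on match, 1 on mismatch, 2 when the inputs cannot be evaluated.
check_sca_threads() {
  sca_ini=$1
  sca_cpus=$2
  case $sca_cpus in
    ''|*[!0-9]*) echo "UNKNOWN: CPU count '$sca_cpus' is not numeric"; return 2 ;;
  esac
  if [ ! -r "$sca_ini" ]; then
    echo "UNKNOWN: cannot read $sca_ini"
    return 2
  fi
  sca_expected=$(expected_sca_threads "$sca_cpus")
  sca_actual=$(configured_sca_threads "$sca_ini")
  if [ "$sca_actual" = "$sca_expected" ]; then
    echo "OK: threads=$sca_actual matches the value for $sca_cpus CPUs"
    return 0
  fi
  echo "MISMATCH: threads=${sca_actual:-missing} expected=$sca_expected for $sca_cpus CPUs"
  return 1
}

# On an appliance, check the live file with the CPU count the workaround reads.
SERVER_INI=/store/dca/server.ini
if [ -r "$SERVER_INI" ]; then
  check_sca_threads "$SERVER_INI" "$(lscpu | grep '^CPU(s)' | sed 's/.* //')"
fi
```

The exit status (0, 1 or 2) lets the check be run across a deployment and the non-matching hosts picked out without reading each file by eye.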

Document Location

Worldwide


Document Information

Modified date:
27 September 2023

UID

ibm16593537