Troubleshooting
Problem
A reported performance issue exists in QRadar 7.5.0 Upgrade Pack 2 where threads for X-Force for rules and searches might be reduced. When this issue occurs, the scaserver threads can be incorrectly reduced to 15 after the administrator installs or upgrades to QRadar 7.5.0 Upgrade Pack 2. This technical note explains the workaround for administrators affected by APAR IJ40606.
Cause
The scaserver.ini has the number of SCA_THREADS reduced to 15, instead of being calculated by the number of CPUs available on the appliance.
Environment
QRadar 7.5.0 Upgrade Pack 2 (Build 20220527130137).
Resolving The Problem
- Use SSH to log in to the Console as the root user.
- Type the following command to update your scaserver threads:
/opt/qradar/support/all_servers.sh -C 'SERVER_CPUS=$(lscpu | grep "^CPU(s)" | sed "s/.* //" ); if [[ $SERVER_CPUS == +([0-9]) ]] ; then SCA_THREADS=$(((299 + 22*SERVER_CPUS) / 30)) ; SERVER_INI=/store/dca/server.ini ; sed -i "/\[threads\]/{n;s/.*/$SCA_THREADS/}" $SERVER_INI; grep -A1 "\[threads\]" $SERVER_INI; if systemctl -q is-active scaserver ; then systemctl restart scaserver; fi ; fi' - Wait for the command prompt to return.
Results
All appliances in the deployment are updated with new values. To verify the SCA server thread value is updated, administrators can SSH to an appliance and type the following command to confirm the value shows greater than 15 assigned threads:
Administrators can subscribe to APAR IJ40606 to determine when the issue is resolved in a software update. If you are unsure of any steps outlined in this technical note or need assistance with the workaround, contact QRadar Support.cat /store/dca/server.ini
Case instructions for QRadar on Cloud administrators
QRadar on Cloud administrators must open a case with QRadar Support to get this procedure done.
To request protocol installation for your QRadar Console:
- Open a new case with QRadar Support.
- Request the support team to follow this guide.
- If you have your Console URL, include it in the QRoC hostname field. For example,
console-<console_number>.qradar.ibmcloud.com - In the Case Description field, request the support team to follow this guide.
- Wait for QRadar Support to follow the guide and confirm that it was applied correctly.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwszAAA","label":"Install"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwszAAA","label":"Install"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
13 June 2022
UID
ibm16593537