IBM Support

QRadar: Upgrades to V7.5.0 UP2 can reduce available SCA search threads (IJ40606)

Troubleshooting


Problem

A reported performance issue exists in QRadar 7.5.0 Upgrade Pack 2 where threads for X-Force for rules and searches might be reduced. When this issue occurs, the scaserver threads can be incorrectly reduced to 15 after the administrator installs or upgrades to QRadar 7.5.0 Upgrade Pack 2. This technical note explains the workaround for administrators affected by APAR IJ40606.

Cause

In scaserver.ini, the number of SCA_THREADS is set to 15 instead of being calculated from the number of CPUs available on the appliance.

Environment

QRadar 7.5.0 Upgrade Pack 2 (Build 20220527130137).

Resolving The Problem

  1. Use SSH to log in to the Console as the root user.
  2. Type the following command to update your scaserver threads:
    /opt/qradar/support/all_servers.sh -C 'SERVER_CPUS=$(lscpu | grep "^CPU(s)" | sed "s/.* //" ); if [[ $SERVER_CPUS == +([0-9]) ]] ; then SCA_THREADS=$(((299 + 22*SERVER_CPUS) / 30)) ; SERVER_INI=/store/dca/server.ini ; sed -i "/\[threads\]/{n;s/.*/$SCA_THREADS/}" $SERVER_INI; grep -A1 "\[threads\]" $SERVER_INI; if systemctl -q is-active scaserver ; then systemctl restart scaserver; fi ; fi'
  3. Wait for the command prompt to return.

    Results
    All appliances in the deployment are updated with new values. To verify the SCA server thread value is updated, administrators can SSH to an appliance and type the following command to confirm the value shows greater than 15 assigned threads:
    cat /store/dca/server.ini
    Administrators can subscribe to APAR IJ40606 to determine when the issue is resolved in a software update. If you are unsure of any steps outlined in this technical note or need assistance with the workaround, contact QRadar Support.
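
A read-only check of the result on a single appliance, added here as an example and not part of IBM's technote: it recomputes the thread count with the same arithmetic as the command in step 2 and compares it with the line that follows [threads] in /store/dca/server.ini. The function names are hypothetical, and the script assumes that line holds only the number, as the workaround's sed expression writes it.

```shell
#!/bin/sh
# Added example (not IBM code): verify the SCA thread value without changing it.

# Thread count the workaround computes for a CPU count
# (same integer arithmetic as the command in step 2).
expected_sca_threads() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;   # reject empty or non-numeric input
    esac
    echo $(( (299 + 22 * $1) / 30 ))
}

# Value on the line that follows [threads] in the ini file.
# Assumption: that line is the bare number written by the workaround.
configured_sca_threads() {
    awk '/^\[threads\]/ {
             if ((getline line) > 0) { gsub(/[ \t\r]/, "", line); print line }
             exit
         }' "$1"
}

# Exit status: 0 = matches the formula, 1 = mismatch, 2 = value not readable.
check_sca_threads() {
    want=$(expected_sca_threads "$2") || return 2
    have=$(configured_sca_threads "$1" 2>/dev/null) || have=""
    case $have in
        ''|*[!0-9]*) echo "no numeric value after [threads] in $1"; return 2 ;;
    esac
    if [ "$have" -eq "$want" ]; then
        echo "OK: $have threads configured for $2 CPUs"
    else
        echo "MISMATCH: configured=$have expected=$want for $2 CPUs"
        return 1
    fi
}

# On an appliance: compare the live file against the local CPU count.
INI=${1:-/store/dca/server.ini}
if [ -r "$INI" ]; then
    check_sca_threads "$INI" "$(lscpu | grep "^CPU(s)" | sed "s/.* //")"
fi
```

With the formula in step 2, an appliance with 8 CPUs computes to 15 threads, so the comparison is made against the computed value rather than a fixed threshold.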
 
 

Case instructions for QRadar on Cloud administrators

QRadar on Cloud administrators must open a case with QRadar Support to get this procedure done.

To request protocol installation for your QRadar Console:

  1. Open a new case with QRadar Support.
  2. Request the support team to follow this guide.
  3. If you have your Console URL, include it in the QRoC hostname field. For example,
    console-<console_number>.qradar.ibmcloud.com
  4. In the Case Description field, request the support team to follow this guide.
  5. Wait for QRadar Support to follow the guide and confirm that it was applied correctly.
     

Document Location

Worldwide


Document Information

Modified date:
13 June 2022

UID

ibm16593537