Troubleshooting
Problem
Need to determine incoming raw event rate to assess whether the hardware specifications are exceeded.
Diagnosing The Problem
Administrators need to be able to identify the appliance to be investigated.
- Identify the appliance type:
- To determine the appliance type of each host in the deployment, administrators can see the article How to determine the appliance type for each host in a distributed deployment.
- Administrators can confirm that the Appliance Type is 'Software' by referring to the article, How to identify a 'Software' installation by appliance function.
- Use SSH to log in to the appliance.
- Run this command to find the product version type on hardware appliances:
dmidecode | grep -i product
- Run this command to find the number of CPUs on software appliances:
nproc
- To determine the average EPS that the appliance is receiving, see this article, How to troubleshoot peak Events Per Second.
Results
After you have identified the type of appliance in your deployment and its Events Per Second (EPS) capability, you can use that information to determine how to manage your deployment.
Resolving The Problem
Before you begin
Compare the average EPS received by that appliance to the maximum EPS listed in the supporting documentation:
- For physical appliances, see QRadar M6 appliance overview, QRadar M5 appliance overview, QRadar M4 appliance overview
- For software appliances, see System requirements for virtual appliances
- For data gateways, see System requirements for data gateways
Examples
- Software Appliance
- The appliance that is being investigated is confirmed to be a 3199 Console.
- Confirm the number of CPUs on that appliance by typing the nproc command:
# nproc
24
- Find the average incoming event rate for the appliance by using the query:
SELECT "Hostname" AS 'Hostname (custom)', AVG("Value") AS 'Value (custom) (Average)', COUNT(*) AS 'Count' from events where ( "Metric ID"='EventRate' AND "deviceType"='368' ) GROUP BY "Hostname" order by "Count" desc
- With both outputs, compare them to the benchmarks in the System requirements for virtual appliances documentation, which shows that the appliance falls under this category:
These numbers are based on QRadar maximum EPS certification methodology
Results
From the documentation, it is confirmed that the incoming event rate is within the bounds of the hardware limitations.
- Hardware Appliance
- The appliance is identified as an All-In-One Console 3148. Verifying its appliance type shows that it is an M5:
# dmidecode | grep -i product
Product Name: System x3650 M5: -[8871AC1]-
- By using the M5 appliance overview under the QRadar M5 xx48 documentation, it states that the appliance can handle 30,000 EPS.
- Use SSH to log in as the root user to the appliance whose event rate you are investigating.
- Find the incoming event rate for the appliance through the CLI:
# grep -i 'ecs-ec-ingress\].*SourceMonitor.*event' /var/log/qradar.log | sed -n 's/^\(.\{15\} \).*\((60s: [0-9\.]\{1,\} eps)\).*\(Peak.*60s: [0-9\.]\{1,\} eps\).*\(Appliance Threshold.*$\)$/\1 \2 \3 \4 /p' | tail -n 5
Nov 25 13:35:08 (60s: 211.80 eps) Peak in the last 60s: 289.20 eps Appliance Threshold: 502.00
Nov 25 13:36:08 (60s: 218.17 eps) Peak in the last 60s: 301.00 eps Appliance Threshold: 502.00
Nov 25 13:37:08 (60s: 209.00 eps) Peak in the last 60s: 295.80 eps Appliance Threshold: 502.00
Nov 25 13:38:08 (60s: 206.30 eps) Peak in the last 60s: 305.20 eps Appliance Threshold: 502.00
Nov 25 13:39:08 (60s: 211.23 eps) Peak in the last 60s: 295.00 eps Appliance Threshold: 502.00
Results
From the documentation, it is confirmed that the incoming event rate is within the bounds of the hardware limitations.
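The comparison in the hardware example above can be automated. The following added example (not part of this article or of QRadar itself) parses lines in the format produced by the sed pipeline, computes the average 60s rate and the highest peak, and flags whether they exceed the reported Appliance Threshold. The sample lines are constructed from the values shown above, and the 80% headroom ratio used for the NEAR_LIMIT status is an assumed operational choice, not a QRadar setting.

```python
import re
from statistics import mean

# Constructed sample: the output format of the grep/sed pipeline shown in the article.
SAMPLE = """\
Nov 25 13:35:08 (60s: 211.80 eps) Peak in the last 60s: 289.20 eps Appliance Threshold: 502.00
Nov 25 13:36:08 (60s: 218.17 eps) Peak in the last 60s: 301.00 eps Appliance Threshold: 502.00
Nov 25 13:37:08 (60s: 209.00 eps) Peak in the last 60s: 295.80 eps Appliance Threshold: 502.00
Nov 25 13:38:08 (60s: 206.30 eps) Peak in the last 60s: 305.20 eps Appliance Threshold: 502.00
Nov 25 13:39:08 (60s: 211.23 eps) Peak in the last 60s: 295.00 eps Appliance Threshold: 502.00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"\(60s: (?P<rate>[0-9.]+) eps\) +"
    r"Peak in the last 60s: (?P<peak>[0-9.]+) eps +"
    r"Appliance Threshold: (?P<threshold>[0-9.]+)"
)


def parse_eps_lines(text):
    """Return (timestamp, rate, peak, threshold) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ts"], float(m["rate"]), float(m["peak"]), float(m["threshold"])))
    return rows


def summarize_eps(rows, warn_fraction=0.8):
    """Compare average rate and maximum peak against the appliance threshold.

    warn_fraction is an assumed headroom ratio (not a QRadar value) used to
    flag appliances that are close to their limit before they exceed it.
    """
    if not rows:
        raise ValueError("no SourceMonitor samples found")
    threshold = rows[-1][3]  # threshold reported in the most recent sample
    avg_rate = mean(r[1] for r in rows)
    max_peak = max(r[2] for r in rows)
    if max_peak > threshold:
        status = "EXCEEDED"  # a 60s peak went over the threshold: risk of queued or dropped events
    elif avg_rate > warn_fraction * threshold:
        status = "NEAR_LIMIT"
    else:
        status = "OK"
    return {"samples": len(rows), "avg_eps": round(avg_rate, 2),
            "max_peak_eps": max_peak, "threshold_eps": threshold, "status": status}
```

Run it against real data with something like `summarize_eps(parse_eps_lines(open("eps.txt").read()))`, where eps.txt holds the pipeline output; a NEAR_LIMIT or EXCEEDED status means the appliance should be sized up or its event sources rebalanced.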
Document Location
Worldwide
Document Information
Modified date:
01 December 2022
UID
ibm16607615