IBM Support

QRadar: Duplicate Events showing up on multiple hosts



In the QRadar SIEM Log Activity page, duplicate events are observed, either as duplicates only, or that events from specific log source, but the additional events are associated to the Console.


Duplicate events are observed in Log Activity, and the user confirmed by using TCPDump that only single events are visible.

For more information about reviewing incoming logs by using TCPDump, see QRadar: Using tcpdump to troubleshoot IBM Security QRadar SIEM


A possible cause for this issue is that the events are being created from a Global rule, which applies its actions to events both on the Event processor, and for the Console simultaneously.


IBM QRadar 7.X

Diagnosing The Problem

If duplicate events are spotted in Log Activity, and the user confirmed that they are not duplicate incoming events, one way to diagnose if this issue is a cause is to review the rule matches for each event.

For example, if there is a Global Rule to create a new event based on some criteria, and an Event processor sees an event, it creates two events based on the rule. One from the Event processor, the other from the Console, as the rule is Global.


Resolving The Problem

Review the rules that interact with the events and make changes to stop duplication. These changes might be, but are not limited to:
  • Setting a Global Rule to a Local Rule
  • Filtering that rule to not affect the event by some criteria
  • Adjusting the actions of the rule to not generate new events.
In the Log Activity page, no duplicate events are found. If the issue persists, contact QRadar Support.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtrAAA","label":"Rules"}],"ARM Case Number":"TS006523224","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
28 October 2022