IBM Support

QRadar: Understanding PIPELINE STATUS messages

Troubleshooting


Problem

This article explains how to understand PIPELINE STATUS messages in QRadar application logs.
The PIPELINE STATUS messages in the /var/log/qradar.log file indicate the state of the queues of the pipeline, and provides insight into portions of the pipeline that require attention.
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=<hostname>:ecs-ep/EP/Processor2]] 
com.q1labs.sem.monitors.PipelineStatusMonitor: [INFO]  ---- PIPELINE STATUS -- Initiated From: EPCRE

Symptom

The symptoms can vary, typically dropped events or events sent to storage.
Example logs for dropped events:
[ecs-ep.ecs-ep] [5bbe913a-55e2-494e-b712-4a0ecf0ec78e/SequentialEventDispatcher] com.q1labs.sem.monitors.ECSQueueMonitor: [WARN] [NOT:0060005100][x.x.x.x/- -] [-/- -]ECS Queue Monitor has detected a total of 10228 dropped event(s).  1252 event(s) were dropped in the last 60 seconds. EP Queues: 1252 dropped event(s). MPC Queues: 0 dropped event(s).
Example logs for stored events:
[ecs-ep.ecs-ep] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=<hostname>:ecs-ep/EP/Processor2]] com.q1labs.semsources.cre.CRE: [WARN] [NOT:0080004101][x.x.x.x/- -] [-/- -]Custom Rule Engine has sent a total of 787911838 event(s) directly to storage. 99125 event(s) were sent in the last 60 seconds.  Queue is at 100 percent capacity.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
20 December 2022

UID

ibm16848869

Page Feedback