Troubleshooting
Problem
For communication to work properly, the network link speed between a Console and the managed host must consistently be greater than 100 Mbps. When a managed host does not meet the bandwidth requirements, a number of its normal system operations are impacted. Replication Download is a mandatory activity for every Managed Host. Replication Download Time (RDT) values recorded in the /var/log/qradar.log file can provide a reliable indication of a possible bandwidth issue before an actual bandwidth test, which involves an active data transfer, is scheduled.
Symptom
- Backup creation issues
- Deploy issues
- Disk space issues (persistent queue directory size fluctuation)
- Intermittent "Unknown" Managed Host status seen in the GUI
- Event data gaps
Diagnosing The Problem
- SSH in to the QRadar Console as the root user.
- From the command line on the QRadar Console, SSH to the managed host where you want to perform a passive bandwidth test.
- Run the following commands to calculate the percentage of bad RDT values:
QL=${LOG_DIRECTORY}/var/log/qradar.log
# Field 10 of each matching line is the RDT in milliseconds
total_replication=$(grep -ci 'Replication download timing' "$QL")
ideal_replication=$(grep -i 'Replication download timing' "$QL" | awk '$10 < 3000' | wc -l)
# Values of exactly 3000 or 5000 are counted as normal so that the buckets cover every entry
normal_replication=$(grep -i 'Replication download timing' "$QL" | awk '$10 >= 3000 && $10 <= 5000' | wc -l)
bad_replication=$(grep -i 'Replication download timing' "$QL" | awk '$10 > 5000' | wc -l)
# Leave the percentages at 0 when no RDT entries exist (avoids division by zero)
pct_bad=0; pct_normal=0; pct_ideal=0
if [ "$total_replication" -gt 0 ]; then
  pct_bad=$((100*bad_replication/total_replication))
  pct_normal=$((100*normal_replication/total_replication))
  pct_ideal=$((100*ideal_replication/total_replication))
fi
- Next, run the following command to print the result.
clear
printf "\n"
printf "%-30s | %-110s |\n" ' Total RDT values found' "$total_replication"
printf "%-30s | %-110s |\n" ' Ideal RDTs (3000ms <)' "$ideal_replication out of $total_replication  |  $pct_ideal %"
printf "%-30s | %-110s |\n" ' Normal RDTs (3000ms<>5000ms)' "$normal_replication out of $total_replication  |  $pct_normal %"
printf "%-30s | %-110s |\n" ' Bad RDTs (>5000ms)' "$bad_replication out of $total_replication  |  $pct_bad %"
printf "\n\n\n"
- The result is presented as follows:
Resolving The Problem
In cases where a high percentage of bad RDT values is seen, you can:
- Attempt to perform an active bandwidth test described in the article: QRadar: Replication bandwidth requirements and verifying speed between console and managed host (ibm.com)
- Involve your network team to investigate the bandwidth issue.
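The RDT bucketing from the diagnosis steps, written as a single-pass function with a pass/fail check that could run from a scheduled job. This is an added example, not IBM's code. The sample log lines are constructed (only the matched phrase and the field 10 position come from the commands above), and the function names and the default limit of 20% are hypothetical.

```shell
# Added example. Assumption taken from the page's commands: matching lines
# contain "Replication download timing" and field 10 is the RDT in ms.

# Constructed sample lines (not real QRadar output; only field 10 matters).
rdt_sample() {
cat <<'EOF'
Jan 01 00:01:00 mh01 replication[1]: [INFO] Replication download timing 1200 ms
Jan 01 00:02:00 mh01 replication[1]: [INFO] Replication download timing 2999 ms
Jan 01 00:03:00 mh01 replication[1]: [INFO] Replication download timing 3000 ms
Jan 01 00:04:00 mh01 replication[1]: [INFO] Replication download timing 4200 ms
Jan 01 00:05:00 mh01 replication[1]: [INFO] Replication download timing 5000 ms
Jan 01 00:06:00 mh01 replication[1]: [INFO] Replication download timing 5001 ms
Jan 01 00:07:00 mh01 replication[1]: [INFO] Replication download timing 9800 ms
Jan 01 00:08:00 mh01 other[2]: [INFO] unrelated message, ignored by the filter
EOF
}

# rdt_summary FILE: prints "total ideal normal bad pct_bad" in one pass.
rdt_summary() {
    awk '
        tolower($0) ~ /replication download timing/ {
            if ($10 !~ /^[0-9]+$/) next          # ignore lines without a numeric field 10
            total++
            if ($10 + 0 < 3000) ideal++
            else if ($10 + 0 <= 5000) normal++   # 3000 and 5000 count as normal
            else bad++
        }
        END {
            pct = total ? int(100 * bad / total) : 0   # empty log: no division by zero
            printf "%d %d %d %d %d\n", total, ideal, normal, bad, pct
        }' "$1"
}

# rdt_check FILE [MAX_BAD_PCT]: 0 = within limit, 1 = above limit, 2 = no RDT data.
# The default limit of 20 is a hypothetical value, not an IBM threshold.
rdt_check() {
    summary=$(rdt_summary "$1") || return 2
    total=${summary%% *}
    pct_bad=${summary##* }
    [ "$total" -gt 0 ] || return 2
    [ "$pct_bad" -le "${2:-20}" ] || return 1
    return 0
}

# Demo on the constructed sample.
tmp=$(mktemp) && rdt_sample > "$tmp"
rdt_summary "$tmp"
rdt_check "$tmp" 20 || echo "bad RDT share above 20%"
rm -f "$tmp"
```

On a managed host, call `rdt_check /var/log/qradar.log` and treat exit status 2 as "no RDT entries found" rather than as a healthy result.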
Document Location
Worldwide
Document Information
Modified date:
16 March 2023
UID
ibm16955015