IBM Support

QRadar: Notification for Performance degradation for unconfigured DSMs/Log source

Question & Answer


Question

Why do we receive the notification “Performance degradation was detected in the event pipeline. Expensive DSM or DSM extensions were found” for DSMs or log source types that are neither configured nor receiving any events?

Cause

If the number of unparsed events is large, QRadar can raise the expensive DSM notification and list DSMs that are not even configured on the system.

Answer

We might receive system notifications such as “Expensive DSM found” for DSMs that are not configured on IBM QRadar SIEM. On closer inspection, there might be no events received for that log source type at all.

Even if we disable Auto Detection for a specific log source type (DSM), we might still receive the system notification.
To find the cause of this type of notification, first check whether there are any unparsed events in the system by adding the following filter in the Log Activity tab:

Events are unparsed is true

If the search returns unparsed events, check the payload and other event information to determine which device is sending those events to QRadar, and tune those sources.
The reason the notification appears even when the log source type is disabled, or auto detection is disabled for that log source type, is the Traffic Analysis function in QRadar.

The event rate at which the log source type is actually receiving events is irrelevant to this system notification. The message describes the rate a DSM could handle (derived from avgParseTime), based on how long it took to parse the events it observed in the previous interval. For example, if it took 1 millisecond to parse one event, the notification lists 1000 EPS for that log source type even if it only saw one event, because the figure expresses how fast the DSM parses, not how much it processed.

Sometimes the Expensive DSM notification lists DSMs that receive barely any events. It can list DSMs that have no log source instance configured because of Traffic Analysis: it gives DSMs without log sources a chance to parse unrecognised events, and if they take a long time to do so, they appear in the notification. The message is accurate in that it names the DSMs that took a long time to process an event in the past interval, but a DSM appearing in the list does not by itself mean there is a problem. SIM Generic, for example, is the catch-all for events that match no log source type; when Traffic Analysis cannot determine the event type, the event ends up in SIM Generic, and SIM Generic in turn ends up in the list of expensive DSMs.

If a DSM listed in the Expensive DSM notification does have log sources of that type configured in QRadar, and those log sources receive a high event rate, have them reviewed by support or examine the parsing in the DSM Editor.

To understand how the traffic analysis (device auto-discovery) configuration works, refer to QRadar: Understanding Traffic Analysis and Log Source Auto Detection.
In the case described here, we do not receive events for that DSM, yet it is still reported as expensive even after auto-detection is disabled.
Note: Disabling Auto-Detection for a specific log source type stops QRadar from creating log sources of that type automatically, but Traffic Analysis still tries to match events against that DSM.
When a new event arrives that has no existing log source, the Traffic Analysis component tries to identify the log source type that could have sent it. Each event is tested against the suitable DSMs (including DSMs that do not have a log source yet) to see whether it can be recognized as an event of that type. If no match is found, the DSMs that were tested (but failed to match) might still be reported as expensive, based on how long their parse attempts took in the previous interval.

If such an issue occurs in the environment, take the following corrective actions:
  1. Find and analyze the unparsed events arriving at QRadar to identify the device that is sending them. Then evaluate whether that device should be sending events to QRadar at all. Any device that is not supported by QRadar must be stopped from sending events to QRadar. If the device type is supported, check that QRadar has the latest RPMs installed for the DSMs and protocols that the device requires.
  2. Perform the troubleshooting described in the User response section of the system notification Expensive DSM extensions were found.
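The following Python script is an illustrative model added to this article; it is not QRadar code and does not reproduce QRadar's internal algorithm. It simulates one Traffic Analysis interval as described above: events from a known log source are parsed only by their own DSM, while events from an unknown source are tried against every candidate DSM, including DSMs with no log source configured, and each attempt is charged to the DSM that made it. It then derives the per-DSM avgParseTime and the EPS figure the notification would show, and groups the events that stayed unparsed by sending address, which is the first corrective action above. The DSM names, parse costs, addresses, payloads and the 1 ms "expensive" threshold are constructed assumptions.

```python
"""Illustrative model (not QRadar code) of how Traffic Analysis can make an
unconfigured DSM appear in the Expensive DSM notification.

All DSM names, parse costs, addresses, payloads and the threshold below are
constructed assumptions for this example."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Dsm:
    name: str
    configured: bool                   # a log source of this type exists
    attempt_ms: float                  # assumed cost of one parse attempt
    recognises: Callable[[str], bool]  # does this DSM accept the payload?


@dataclass
class Stats:
    events: int = 0        # parse attempts charged to the DSM this interval
    total_ms: float = 0.0  # time spent in those attempts

    @property
    def avg_parse_ms(self) -> float:
        return self.total_ms / self.events if self.events else 0.0

    @property
    def eps_capacity(self) -> float:
        # What the notification reports: the rate the DSM could sustain at its
        # observed average parse time, not the rate it actually received.
        return 1000.0 / self.avg_parse_ms if self.avg_parse_ms else float("inf")


# Constructed DSM set. "Legacy Appliance" has no log source configured but
# is slow to reject payloads it does not understand.
DSMS: List[Dsm] = [
    Dsm("Linux OS", True, 0.2, lambda p: "sshd" in p),
    Dsm("Legacy Appliance", False, 4.0, lambda p: "LEGACYAPP" in p),
    Dsm("Other Firewall", False, 0.5, lambda p: "FW-EVT" in p),
]
SIM_GENERIC = "SIM Generic"              # catch-all for unrecognised events
LOG_SOURCES = {"10.0.0.5": "Linux OS"}   # source IP -> DSM of its log source
EXPENSIVE_THRESHOLD_MS = 1.0             # assumption; the real cutoff is not documented here


def run_interval(events: List[Tuple[str, str]]):
    """Process (source_ip, payload) pairs for one interval.

    Returns per-DSM Stats and the list of events that stayed unparsed."""
    by_name = {d.name: d for d in DSMS}
    stats: Dict[str, Stats] = {n: Stats() for n in by_name}
    stats[SIM_GENERIC] = Stats()
    unparsed: List[Tuple[str, str]] = []

    for src, payload in events:
        if src in LOG_SOURCES:
            # Known log source: only its own DSM parses the event.
            d = by_name[LOG_SOURCES[src]]
            stats[d.name].events += 1
            stats[d.name].total_ms += d.attempt_ms
            continue
        # No log source: Traffic Analysis tries each candidate DSM, including
        # unconfigured ones, and every attempt is charged to that DSM whether
        # or not it matches.
        for d in DSMS:
            stats[d.name].events += 1
            stats[d.name].total_ms += d.attempt_ms
            if d.recognises(payload):
                break
        else:
            # Nothing matched: the event is stored unparsed under SIM Generic.
            stats[SIM_GENERIC].events += 1
            unparsed.append((src, payload))
    return stats, unparsed


def expensive_dsms(stats: Dict[str, Stats]) -> List[str]:
    """Names the notification would list, given the assumed threshold."""
    return sorted(n for n, s in stats.items()
                  if s.events and s.avg_parse_ms > EXPENSIVE_THRESHOLD_MS)


def unparsed_senders(unparsed: List[Tuple[str, str]]) -> Dict[str, int]:
    """Corrective action 1: which devices sent the unparsed events."""
    counts: Dict[str, int] = {}
    for src, _ in unparsed:
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed traffic: a busy, correctly parsed Linux host and three events
# from a device that has no log source and matches no DSM.
SAMPLE_EVENTS = (
    [("10.0.0.5", "sshd[1234]: Accepted publickey for admin from 10.0.0.9")] * 500
    + [("192.168.1.20", f"UNKNOWNDEV status=ok seq={i}") for i in range(3)]
)

if __name__ == "__main__":
    stats, unparsed = run_interval(SAMPLE_EVENTS)
    for name, s in stats.items():
        print(f"{name:17s} attempts={s.events:4d} avgParseTime={s.avg_parse_ms:.2f}ms "
              f"capacity={s.eps_capacity:.0f} EPS")
    print("expensive:", expensive_dsms(stats))
    print("unparsed senders:", unparsed_senders(unparsed))
```

Running the script shows the effect the article describes: Linux OS parses 500 real events at 0.2 ms and is not listed, while Legacy Appliance, which has no log source and never matched anything, is listed as expensive with a reported capacity of 250 EPS after only three failed parse attempts. The model only counts events under SIM Generic and does not assign it a parse cost. The unparsed_senders output points at 192.168.1.20 as the device to investigate.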

Product: IBM Security QRadar SIEM
Platform: Platform Independent
Version: All Versions

Document Information

Modified date:
30 March 2023

UID

ibm16959559