QRadar: How to exclude an appliance from a search when an IO error appears

How To


Summary

When a search reports an IO error, the search cannot finish until the host that is returning the error is excluded from it.

Objective

Exclude a host that has issues from a search so that the IO error no longer interrupts it.

Steps

Before we begin
The IO error reports the Console-side port of the ariel proxy tunnel to a managed host. Each file in /etc/tunnel_manager/tunnels maps that SourcePort to the RemoteHost at the other end of the tunnel, so the port identifies the host. Use the following steps to determine which host is causing the IO error:
  1. Log in to the QRadar Console as an administrator.
  2. Open the Log Activity tab and take note of the port reported in the IO error (in this example, 32006).
  3. Use SSH to log in to the QRadar Console as the root user.
  4. Use the following command to determine which host is causing the IO error message:
    Note: Replace <PORT_REPORTED> with the port shown in the IO error message.
    egrep "Component|RemoteHost" $(grep "SourcePort = <PORT_REPORTED>" /etc/tunnel_manager/tunnels/* | awk -F: '{print $1}')
    Output example:
    Component = "ariel_proxy--ariel--Tunnel"
    RemoteHost = "X.X.X.X"
    Result
    The administrator knows which host is causing the IO error and is ready to exclude that host from searches.
  

Exclude the host from searches by using Add Filter

Administrators who want to exclude a host from searches by using the Add Filter option complete the following steps:

Note: This method requires selecting every working host and leaving out the affected one. For large deployments, use AQL to exclude the affected host instead.
  1. Log in to the QRadar Console as an administrator.
  2. Open the Log Activity tab.
  3. Click Add Filter.
  4. In the Parameter field, type Event Processor and select the suggested option.
  5. In the Operator field, select Equals any of.
  6. In the Value field, select a host to include in the search and click the + button to add it. Repeat until every host except the affected host is included.
  7. When the list is complete, click the Add Filter button.

Exclude the host from searches by using Ariel Query Language (AQL)

Administrators who want to exclude the host by using AQL use the EXCLUDESERVERS parameter.

The parameter excludes a specific server from a search. Its value is the IP address of the host found in the previous section and the port reported in the IO error, separated by a colon. For example, to exclude the event processor with IP
192.0.2.0 that is reached through port 32006, administrators use: PARAMETERS EXCLUDESERVERS='192.0.2.0:32006'

The following query is an example:
SELECT processorid, PROCESSORNAME(processorid),
LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS EXCLUDESERVERS='192.0.2.0:32006'
For more information about the EXCLUDESERVERS parameter, see AQL data retrieval functions - PARAMETERS EXCLUDESERVERS.
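The lookup in "Before we begin" and the EXCLUDESERVERS value in this section are two halves of one step: read the port from the IO error, find the tunnel that uses it, and paste that host and port into the query. The following script is an added example, not IBM tooling or part of the original article. It assumes the tunnel files under /etc/tunnel_manager/tunnels contain the three lines the article's grep and output show (Component, RemoteHost, SourcePort); the sample tunnel files, the function names and the directory argument are constructed for an offline run. Unlike the article's one-liner, it anchors the port match (an unanchored "SourcePort = 3200" also matches 32006), validates the port, and refuses to guess when no tunnel or more than one tunnel matches, because excluding the wrong event processor silently drops that host's events from the search.

```shell
#!/bin/sh
# Added example (not IBM's tooling): map the port from a QRadar IO error to the
# managed host behind it, then build the matching EXCLUDESERVERS parameter.
# Assumed file format for /etc/tunnel_manager/tunnels/* (inferred from the
# article's grep pattern and output):
#   Component = "ariel_proxy--ariel--Tunnel"
#   RemoteHost = "192.0.2.10"
#   SourcePort = 32006

# find_tunnel_host PORT [TUNNEL_DIR]
# Prints "RemoteHost:SourcePort" on stdout and the component name on stderr.
# Exit status: 0 found, 1 no tunnel uses that port (or bad port), 2 more than
# one tunnel file claims the port, which means the port was misread.
find_tunnel_host() {
    port=$1
    dir=${2:-/etc/tunnel_manager/tunnels}
    # Only digits are accepted, so nothing from the error text reaches grep
    # as a regular expression.
    case $port in
        ''|*[!0-9]*) echo "find_tunnel_host: port must be numeric" >&2; return 1 ;;
    esac
    # Anchored match: "SourcePort = 3200" without anchors also matches 32006.
    files=$(grep -l "^SourcePort *= *${port}\$" "$dir"/* 2>/dev/null)
    set -- $files   # tunnel file names contain no whitespace
    if [ $# -eq 0 ]; then
        echo "no tunnel with SourcePort ${port} under ${dir}" >&2
        return 1
    elif [ $# -gt 1 ]; then
        echo "port ${port} appears in $# tunnel files: $*" >&2
        return 2
    fi
    host=$(sed -n 's/^RemoteHost *= *"\([^"]*\)".*/\1/p' "$1")
    sed -n 's/^Component *= *"\([^"]*\)".*/\1/p' "$1" >&2
    [ -n "$host" ] || return 1
    printf '%s:%s\n' "$host" "$port"
}

# exclude_servers_clause PORT [TUNNEL_DIR]
# Wraps find_tunnel_host into the AQL clause from the article, so the value
# pasted into the query is exactly the host:port pair that failed.
exclude_servers_clause() {
    target=$(find_tunnel_host "$1" "$2") || return $?
    printf "PARAMETERS EXCLUDESERVERS='%s'\n" "$target"
}

# Constructed sample tunnel files for an offline run; on a Console the
# functions read /etc/tunnel_manager/tunnels directly.
make_sample_tunnels() {
    mkdir -p "$1"
    printf 'Component = "ariel_proxy--ariel--Tunnel"\nRemoteHost = "192.0.2.10"\nSourcePort = 32006\n' > "$1/ep1.tunnel"
    printf 'Component = "ariel_proxy--ariel--Tunnel"\nRemoteHost = "192.0.2.11"\nSourcePort = 32007\n' > "$1/ep2.tunnel"
    printf 'Component = "ariel_proxy--ariel--Tunnel"\nRemoteHost = "192.0.2.12"\nSourcePort = 3200\n'  > "$1/ep3.tunnel"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_tunnels "$SAMPLE_DIR"
exclude_servers_clause 32006 "$SAMPLE_DIR"   # PARAMETERS EXCLUDESERVERS='192.0.2.10:32006'
```

On a Console, run it as `exclude_servers_clause 32006` (the directory defaults to /etc/tunnel_manager/tunnels) and copy the printed clause into the AQL query; a non-zero exit status means the port needs to be re-checked against the IO error before any host is excluded.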
 
Result
The administrator excluded the host from the search, and the IO error no longer interrupts it. For more information about IO errors, see QRadar: Understanding IO Errors while searching.

Document Location

Worldwide

Document Information

Modified date:
29 June 2023

UID

ibm16995901