IBM Support

QRadar: "ECS Queue Monitor has detected a total of xxx dropped event(s)" error

Troubleshooting


Problem

The following error can appear in the Event Processor error logs: "ECS Queue Monitor has detected a total of xxx dropped event(s)". The error indicates that reference data responses are not being processed because the reference data queue is full or its threshold has been crossed.

Symptom

Errors similar to the following appear in the qradar.error log on the affected event processor:
[ecs-ep.ecs-ep] com.q1labs.sem.monitors.ECSQueueMonitor: [WARN] [NOT:0060005100][IPADDRESS/- -] [-/- -]ECS Queue Monitor has detected a total of 33397 dropped event(s). 923 event(s) were dropped in the last 60 seconds. EP Queues: 923 dropped event(s). MPC Queues: 0 dropped event(s). 

[ecs-ep.ecs-ep] com.q1labs.sem.monitors.ECSQueueMonitor: [WARN] [NOT:0000004000][IPADDRESS/- -] [-/- -]EP Queue [RefDataDestination] has detected 930 dropped event(s) in the last 60 seconds and is at 0 percent capacity

Cause

When many rules update reference data, updating the elements in the reference sets can become congested, and new response requests are dropped. Note that the error does not indicate that events are being dropped; it is the responses sent to the reference sets that are being dropped.

Resolving The Problem

To resolve the problem, first obtain a list of the rules that write to reference sets.
  1. SSH in to the QRadar Console.
  2. Run the following command:
    psql -Uqradar -c "select (xpath('//referenseSetResponse/@name',rule_data::text::xml))[1]::text as \"Add To Set\", (xpath('//removeFromReferenseSetResponse/@name',rule_data::text::xml))[1]::text as \"Remove from Set\", string_agg((xpath('/rule/name/text()',rule_data::text::xml))[1]::text,',') as \"Rules\" from custom_rule where rule_data::text ~* 'referenseSetresponse' group by (xpath('//referenseSetResponse/@name',rule_data::text::xml))[1]::text, (xpath('//removeFromReferenseSetResponse/@name',rule_data::text::xml))[1]::text ;" | less
  3. Examine the output to determine which rules need a Response Limiter. Example output:
                   Add To Set               |      Remove from Set       |                                                                      Rules
    ----------------------------------------+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------
     Compromised Hosts                      |                            | Encoded Command Malicious Usage in a Programming Environment
     Critical Temptation Target             | High Temptation Target     | New Critical Temptation Target Detected
     High Priority Target                   |                            | New High Priority Target Detected
     High Temptation Target                 | Critical Temptation Target | New High Temptation Target Detected
     URL Access Watchlist                   |                            | Restricted URL Access Watchlist George
                                            | Critical Temptation Target | Critical Temptation Target Changed to Lower Temptation
                                            | High Priority Target       | High Priority Target Changed to Low Priority
                                            | High Temptation Target     | High Temptation Target Changed to Lower Temptation
  4. Add a response limiter to the rule:
    [Image: Rule limiter]

    Result
    The limiter prevents the rule from making so many changes that it causes response request congestion. Requests are no longer dropped and the error does not appear.
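To see what the psql query above is doing, the following is an added Python example (not from this IBM note and not QRadar code) that applies the same XPaths to a few constructed rule_data documents, groups rule names by the reference set they add to or remove from, and goes one step further by counting how many rules touch each set, which is a quick way to pick candidates for a limiter. The XML shape of the samples is an assumption derived only from the query's XPaths, not from the real QRadar rule schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rule_data documents (not real QRadar data), shaped only to satisfy
# the XPaths in the query: /rule/name, //referenseSetResponse/@name, //removeFromReferenseSetResponse/@name.
SAMPLE_RULE_DATA = [
    "<rule><name>New Critical Temptation Target Detected</name><responses>"
    "<referenseSetResponse name='Critical Temptation Target'/>"
    "<removeFromReferenseSetResponse name='High Temptation Target'/></responses></rule>",
    "<rule><name>New High Temptation Target Detected</name><responses>"
    "<referenseSetResponse name='High Temptation Target'/>"
    "<removeFromReferenseSetResponse name='Critical Temptation Target'/></responses></rule>",
    "<rule><name>Critical Temptation Target Changed to Lower Temptation</name><responses>"
    "<removeFromReferenseSetResponse name='Critical Temptation Target'/></responses></rule>",
    "<rule><name>Rule With No Reference Set Response</name><responses>"
    "<emailResponse to='soc@example.invalid'/></responses></rule>",
]

def reference_set_responses(rule_data):
    """Return (rule_name, add_set, remove_set) for one rule, or None if it has no reference-set response."""
    root = ET.fromstring(rule_data)
    add = root.find(".//referenseSetResponse")
    rem = root.find(".//removeFromReferenseSetResponse")
    if add is None and rem is None:  # what the query's ~* filter excludes
        return None
    return (root.findtext("name"),
            add.get("name") if add is not None else None,
            rem.get("name") if rem is not None else None)

def rules_by_reference_set(rule_docs):
    """Group rule names by (add_set, remove_set), mirroring the query's GROUP BY."""
    groups = defaultdict(list)
    for doc in rule_docs:
        hit = reference_set_responses(doc)
        if hit is not None:
            groups[(hit[1], hit[2])].append(hit[0])
    return dict(groups)

def writers_per_set(rule_docs):
    """Count distinct rules touching each set in either direction; the busiest sets are limiter candidates."""
    rules = defaultdict(set)
    for doc in rule_docs:
        hit = reference_set_responses(doc)
        if hit is not None:
            for set_name in (hit[1], hit[2]):
                if set_name:
                    rules[set_name].add(hit[0])
    return {name: len(writers) for name, writers in rules.items()}
```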

Document Location

Worldwide


Document Information

Modified date:
01 May 2024

UID

ibm17005987