How To
Summary
This article explains how to turn off notifications for Average Time in Milliseconds for I/O Requests on the device sdX and for the system load average.
Environment
The SAR Sentinel notification engine runs every five minutes, collecting data for sixty seconds and checking it against System Notification Thresholds.
It creates events to trigger notifications and runs in the host context JVM. The systemStabMon tool operates on a twenty-three-second cycle, collecting data for about twenty seconds, with logs saved in /var/log/systemStabMon/yyyy/mm/dd/.
Steps
Managing SAR Sentinel Notifications: How to Configure Thresholds
Sometimes, you may want to adjust SAR Sentinel notification thresholds for better monitoring. These values are set during installation and stored in the system. If you are changing the core specifications of the virtual appliance, such as increasing the CPU or upgrading the drive, you can also consider adjusting these values accordingly.
If notifications are too frequent, you can set a higher threshold or disable alerts by changing the setting from 1 (enabled) to 0 (disabled).
These notifications are informational only and do not impact the hardware used or QRadar operations.
While you can disable SAR notifications for Average Time in Milliseconds for I/O Requests on device sdX and system load average, it's important to consider the potential consequences.
Disabling these notifications might mean missing critical insights and overlooking performance issues or system problems. Use caution, and evaluate the overall impact on system monitoring and stability before proceeding.
You might need a maintenance window to complete the steps since a restart of the hostcontext service is required. For more information about the impact of restarting a service, refer to QRadar: Core services and the impact of restarting services.
- SSH to the QRadar console as the root user.
- Run the following command to create a backup directory:
    mkdir -p /store/IBM_Support
- Run the following three commands to create the backups of the file hostcontext.sar_thresholds.conf.
    cp -p /opt/qradar/conf/hostcontext.sar_thresholds.conf /store/IBM_Support/
    cp -p /store/configservices/deployed/globalconfig/hostcontext.sar_thresholds.conf /store/IBM_Support/deployed_hostcontext.sar_thresholds.conf
    cp -p /store/configservices/staging/globalconfig/hostcontext.sar_thresholds.conf /store/IBM_Support/staging_hostcontext.sar_thresholds.conf
- Edit the file hostcontext.sar_thresholds.conf, where you can disable alerts permanently or reduce the threshold of the alerts being generated.
In this file, the first four lines contain the configuration for system load over 1, 5 and 15 minutes and the average time in ms for I/O requests:
- LOADAVERAGE1
- LOADAVERAGE5
- LOADAVERAGE15
- AWAIT
- Run the following command to open the file hostcontext.sar_thresholds.conf for editing:
    vi /opt/qradar/conf/hostcontext.sar_thresholds.conf
- The fourth column marked with a red box indicates the CPU values of the appliance determined during QRadar installation (12 CPUs in the example), where:
- LOADAVERAGE1 GT (num_cpus * 0.9) - (12 * 0.9 = 10.8)
- LOADAVERAGE5 GT (num_cpus * 0.75) - (12 * 0.75 = 9)
- LOADAVERAGE15 GT (num_cpus * 0.65) - (12 * 0.65 = 7.8)

- Alternatively, you can disable these notifications permanently. With 1 indicating enabled and 0 indicating disabled, you can disable the alerts by changing 1 to 0 in the following column marked with a red box:

- After saving the edited file above, run the following command to restart the hostcontext:
    systemctl restart hostcontext
To confirm the status of the hostcontext, run the following command; the output should say "active (running)":
    systemctl status hostcontext
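The load-average thresholds in the edit step scale with the CPU count, so they can be recomputed after the appliance's CPU allocation changes. The following shell sketch is an added example, not IBM tooling: it recalculates the three values from the multipliers listed above and reports which of them a load-average sample would exceed. The function names and the sample line are assumptions, and SAR Sentinel's own sixty-second sampling is not reproduced.

```shell
#!/bin/sh
# Added example (not part of QRadar): recompute the LOADAVERAGE thresholds
# from the multipliers given in the article (0.9, 0.75, 0.65) and test a
# load-average sample against them. Function names are hypothetical.

# sar_load_thresholds NUM_CPUS
# Prints one "NAME value" pair per line; fails on a non-positive CPU count.
sar_load_thresholds() {
    awk -v n="$1" 'BEGIN {
        if (n !~ /^[0-9]+$/ || n < 1) exit 1
        printf "LOADAVERAGE1 %g\n",  n * 0.9
        printf "LOADAVERAGE5 %g\n",  n * 0.75
        printf "LOADAVERAGE15 %g\n", n * 0.65
    }'
}

# sar_load_breaches NUM_CPUS "LOAD1 LOAD5 LOAD15 ..."
# Prints the name of every threshold the sample is greater than (GT).
# The second argument uses the field order of /proc/loadavg.
sar_load_breaches() {
    echo "$2" | awk -v n="$1" '{
        if ($1 > n * 0.9)  print "LOADAVERAGE1"
        if ($2 > n * 0.75) print "LOADAVERAGE5"
        if ($3 > n * 0.65) print "LOADAVERAGE15"
    }'
}

# Constructed sample in /proc/loadavg format for the article's 12-CPU case.
# On a live host, pass "$(nproc)" and "$(cat /proc/loadavg)" instead.
SAMPLE_LOADAVG="10.95 8.10 7.20 3/1234 5678"

echo "Thresholds for 12 CPUs:"
sar_load_thresholds 12
echo "Thresholds exceeded by the sample:"
sar_load_breaches 12 "$SAMPLE_LOADAVG"
```

If most samples during normal operation exceed a recomputed threshold, that points to raising the threshold for the new CPU count rather than setting the alert to 0.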
Result
The required alerts are disabled, or the frequency of the notifications is reduced.
Additional Information
Document Location
Worldwide
Document Information
Modified date:
17 May 2024
UID
ibm17101749