IBM Support

QRadar: Apps and memory resource limitation

Troubleshooting


Problem

This article discusses app issues due to memory limitations and solutions to address these limits.

Symptom

Common symptoms that point to an app memory issue:

  • An application cannot be installed.
  • The application tab displays "404 page not found".
  • The contents of the tab for the application is blank in the user interface.
  • The tab for the application s missing from the Console user interface.

       

Cause

Apps and Resource Limitation

When an app gets installed in QRadar, a dedicated docker container gets created for this app. You can think of a docker container as a small sandboxed VM that runs within QRadar. To plan ahead and ensure that QRadar has the sufficient resources needed for these apps, it is important to understand how these resources are calculated and the possible limitations we can run into.
 

Limitations

Locations where apps are installed Memory Threshold %
Console 10%
App Node 100%
App Host 80%

Example: You have a console that has 100 GB of memory, apps can use up tp 10 GB of the 100 GB of memory.


When installing apps on the Console (not the App Node or App Host), it is important to keep in mind that the apps are limited to using only 10% of the available physical memory. If you attempt to install applications after you have reached the 10% threshold the installation is likely to fail.

Environment

If you have an App Node installed for versions 7.3.0 and 7.3.1, apps are capable of using up to 100% of the available memory. App Nodes are only available in QRadar 7.3.1 or earlier versions as the appliance type was replaced by App Hosts in QRadar 7.3.2. Administrators are encouraged to upgrade to QRadar 7.3.2 or later to use App Hosts, instead of installing QRadar App Nodes. For App Node minimum requirements and documentation, see: App Node Requirements documentation

If you have an App Host installed for version 7.3.2, apps are capable of using up to 80% of the available memory. Since App Hosts are part of the QRadar deployment as a managed host, the remaining 20% of memory is reserved for replication and QRadar processes.

When you download any app through the App Exchange, the required memory the app needs should be listed, to help ensure that sufficient resources are available.

image-20190522112958-1Figure 1: Memory requirements for each application are listed on the IBM X-Force App Exchange.

Diagnosing The Problem

How do I check how much memory is currently being used by apps?
The process for users to check the memory allocations for an application depends on your QRadar version.

  • For QRadar 7.4.0 and later, use the qappmanager utility to verify memory, status, and image information. For more information about qappmanager, see: https://www.ibm.com/support/pages/node/6210362.
  • For QRadar 7.3.3 or earlier, enter the following Postgres query on the QRadar Console:
    psql -U qradar -c "select id, name, status, task_status, image_repo, memory from installed_application union select NULL as id, '' as name, '' as status, '' as task_status, '' as image_repo, sum(memory) from installed_application ORDER BY id;"
    
    For example:
    https://www.ibm.com/support/pages/system/files/inline-images/image-20190522113116-3.png

    Figure 2: Output from the psql command to view application information and memory.

    The command queries the installed_application table in the database for installed apps. Regardless of whether the apps are installed on the Console or on an App Host or App Node, the query must be run on the Console. The output includes the app ID, name, status, version (image_repo), and allocated for the application memory. The last line of the output provides a sum of the memory column, which represents how much memory is currently being used by the apps in megabytes (MB).

    If the apps were installed on a Console with 24 GB of memory, from the example output above, you can identify how close you are to the 10% memory threshold. If you attempt to install any new apps will likely fail on this Console.

Managing individual App Memory

Another method of managing app memory is to modify the memory allowance for each app individually. This change can be done by using the qappmanager utility tool ran on the console.

Run the qappmanager tool on the console:

# /opt/qradar/support/qappmanager

Select Option 28 to manage app memory usage

28) App instance - change memory allocation

You will then be prompted to enter a full Admin Admin Authorized Service ID to ensure you have the correct permissions to execute the modification.image-20221229120035-2

Next, you need to enter the ID of the Application that you want to modify the memory of, followed by entering the new memory value for the application.
image-20221229120426-5

When you have entered the new memory value for the chosen app, press enter to make the change. This change then is applied to the app, and the total app memory available value is updated to represent the change made.

How is memory assigned to apps?

When an app is installed, the docker container thick provisions required memory for the app application. Regardless of whether the docker container uses all the memory, the full memory allocation is reserved on the QRadar appliance. The full memory is always allocated to ensure that the app has enough available memory to complete tasks and operations when appliances are under heavy load. Administrators who check the amount of free memory by using the free -h command can be mislead whether there is enough memory for apps or not and can use either qappmanager or the Postgres command to verify the overall memory available for QRadar applications.

Resolving The Problem

There are several options to address a memory limitation when dealing with apps:

  1. Increase system memory: System RAM can be increased to meet the app requirements.
  2. Uninstall or stop some low-priority apps via API to reduce the memory usage.
  3. Add an App Host appliance to your deployment to free up resources for applications.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
29 December 2022

UID

ibm10885336