QRadar: Data to be provided to support for performance degradation issues

Answer

1. In a QRadar distributed environment, performance degradation can occur on the console or the managed hosts. Whenever there is a performance degradation, a system notification is displayed on the GUI. There could be multiple performance degradation system notifications for different hosts.
   
   For each such message, hover the mouse over the message to know the IP address of the affected host and take a screen capture. Send the screen captures to the support team.
    
2. Collect the logs from the console and the affected managed hosts with the instructions provided here.
   
   NOTE: Although the instructions in the article specifically reference the console, the same steps can be used to gather logs from any of the managed hosts where the performance degradation is seen.
3. SSH to each console or managed host that you identified from the system notifications. On each of the hosts, run these commands and send the files that are generated, to the support team:
    

   /opt/qradar/support/findExpensiveCustomProperties.sh

   /opt/qradar/support/dumpDSMInfo.sh

   If the host is a console, event processor, flow processor, or combination event and flow processor, also run this command:

   /opt/qradar/support/findExpensiveCustomRules.sh

4. Performance degradation is caused due to changes in your QRadar environment. Provide sufficient details and screen captures for these items:
   • New log sources were added or modified
   • Custom properties were added or modified
   • Rules were added or modified
   • Apps or extensions were installed or upgraded