Question & Answer
Question
Can I determine how much time it takes for an event to be written to disk in QRadar?
Answer
To analyze the time it takes an event to travel through the Event Pipeline, from the Event Collector to the Ariel database, query the Ariel database with the following AQL query:
- Log in to the QRadar Console GUI.
- Click the Log Activity tab.
- On the search toolbar, select Advanced Search.
- Type the following AQL Query expression:
select logsourcename(logSourceId) as 'Log_Source',
DATEFORMAT("startTime",'YYYY-MM-dd HH:mm:ss') as 'Start_Time',
"endTime" - "startTime" as 'Storage_Delay_seconds',
DATEFORMAT("endTime",'YYYY-MM-dd HH:mm:ss') as 'Storage_Time',
DATEFORMAT("deviceTime",'YYYY-MM-dd HH:mm:ss') as 'Log_Source_Time',
QIDNAME(qid) as 'Event_Name',
"processorId" as 'Event_Processor'
from events order by "Storage_Delay_seconds" desc LIMIT 1000 last 5 minutes
The columns returned by the Ariel query in our example:
Start Time = The time the event entered the QRadar Event Collector. The ecs-ec-ingress service is the first service that processes events; it then passes them to ecs-ec.
Storage Time = The time the event is stored in the Ariel database. The ecs-ep service is what writes the event to storage.
Log Source Time = The time the event occurred at the Log Source. The Log Source time is taken from the payload of the event.
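As an added example (not part of the IBM article), the following Python post-processes rows shaped like the query's output: it converts the epoch-millisecond startTime, endTime and deviceTime columns to a per-log-source latency summary and flags sources whose storage delay or device clock skew exceed assumed thresholds. The sample rows are constructed, not real QRadar results.

```python
"""Summarise QRadar event-pipeline latency from Ariel-style result rows.

startTime, endTime and deviceTime are epoch milliseconds, as Ariel stores
them; the rows below are constructed sample data, not real query output.
Thresholds are assumptions chosen for illustration.
"""
from statistics import median

BASE = 1609459200000  # 2021-01-01 00:00:00 UTC, constructed anchor time

# Constructed sample: a router, a VPN gateway and a domain controller.
SAMPLE_EVENTS = [
    {"Log_Source": "fw-edge-01", "startTime": BASE, "endTime": BASE + 1500, "deviceTime": BASE - 1000},
    {"Log_Source": "fw-edge-01", "startTime": BASE + 10000, "endTime": BASE + 12000, "deviceTime": BASE + 8000},
    {"Log_Source": "fw-edge-01", "startTime": BASE + 20000, "endTime": BASE + 20500, "deviceTime": BASE + 20000},
    {"Log_Source": "vpn-gw-01", "startTime": BASE + 5000, "endTime": BASE + 17000, "deviceTime": BASE + 4000},
    {"Log_Source": "vpn-gw-01", "startTime": BASE + 30000, "endTime": BASE + 30800, "deviceTime": BASE + 29500},
    # Device clock one hour ahead of the collector: a skew problem, not a pipeline delay.
    {"Log_Source": "win-dc-02", "startTime": BASE + 40000, "endTime": BASE + 41000, "deviceTime": BASE + 40000 + 3600000},
]


def storage_delay_seconds(ev):
    """Collector-to-storage delay: the query's Storage_Delay column, in seconds."""
    return (ev["endTime"] - ev["startTime"]) / 1000


def source_skew_seconds(ev):
    """deviceTime minus startTime; positive means the log source clock runs ahead."""
    return (ev["deviceTime"] - ev["startTime"]) / 1000


def slowest(events, limit=1000):
    """Mirror the query's ORDER BY Storage_Delay_seconds DESC LIMIT n."""
    return sorted(events, key=storage_delay_seconds, reverse=True)[:limit]


def summarise(events, delay_threshold_s=5.0, skew_threshold_s=60.0):
    """Per-log-source delay and skew statistics with threshold flags."""
    per_source = {}
    for ev in events:
        d = per_source.setdefault(ev["Log_Source"], {"delays": [], "skews": []})
        d["delays"].append(storage_delay_seconds(ev))
        d["skews"].append(abs(source_skew_seconds(ev)))
    return {
        name: {
            "events": len(d["delays"]),
            "max_delay_s": max(d["delays"]),
            "median_delay_s": median(d["delays"]),
            "max_abs_skew_s": max(d["skews"]),
            "slow": max(d["delays"]) > delay_threshold_s,
            "clock_skew": max(d["skews"]) > skew_threshold_s,
        }
        for name, d in per_source.items()
    }
```

A large Storage_Delay points at the pipeline (ecs-ec to ecs-ep), whereas a large deviceTime offset with a small Storage_Delay points at the log source's clock or payload timestamp.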
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Log Activity","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
08 January 2021
UID
ibm10960143