IBM Support

QRadar: Impact of Deploy Full Configuration on events, flows, and offenses

Question & Answer


Question

What is the impact of initiating a Deploy Full Configuration on QRadar systems?

Cause

There are occasions when the Console will request that you Deploy Full configuration.

Answer

As of QRadar 7.3.1, event and flow collection is handled by the ecs-ec-ingress service, which is not restarted as part of a Deploy Full Configuration action. Because ecs-ec-ingress stores incoming data in a buffer, event and flow collection continues through the Full Deploy. Full processing of the new incoming events and flows resumes after the ecs-ec and ecs-ep services restart, at which point the buffered data is handled. Note that ecs-ec and ecs-ep do still restart, so rule evaluation, offense creation, real-time streaming, and searches remain interrupted until those services are back.



In QRadar 7.3.0 and earlier versions, after a Deploy Full Configuration action is initiated, the system stops logging events and flows and stops firing offenses. This is because the Deploy Full Configuration action restarts the ECS service on all systems in the deployment.

The ECS service is made up of two processes: ecs-ec and ecs-ep.

  • The ecs-ec process is responsible for event and flow collection. This includes event parsing, traffic analysis, coalescing, and event forwarding. The ecs-ec process can exist on Consoles, Event Processors, Flow Processors, Event Collectors, and Flow Collectors.
  • The ecs-ep process is responsible for the Custom Rules Engine (CRE), event and flow streaming, and storage. The ecs-ep process can exist on Consoles, Event Processors, and Flow Processors, but does not exist on Flow Collectors. The Magistrate is also part of the ecs-ep process and exists on the Console only. The Magistrate is responsible for offense rules, offense management and offense storage.

While these processes are restarting, you will not be able to log events or flows, forward events, stream in real time, or search. Plan any Deploy Full Configuration carefully (for example, schedule it for a low-traffic window), because the ECS service restarts interrupt these QRadar functions.
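To verify what a Full Deploy actually did to collection on a given host, the following added script (not IBM code and not part of this article) estimates the processing gap and the fraction of in-gap events that were processed later, from per-second counts of processed events. The counts below are constructed to mimic the two behaviours described above: a restart with no catch-up (7.3.0 and earlier) and a restart followed by the ecs-ec-ingress buffer draining (7.3.1 and later). The assumption that buffered events show up as throughput above the pre-deploy baseline once ecs-ec and ecs-ep are back is mine, as are the function names and thresholds; in practice you would feed it whatever per-second processed-event metric you already collect for the host.

```python
"""Estimate the collection impact of a QRadar Deploy Full Configuration
from per-second counts of processed events.

Added example, not IBM code. The samples at the bottom are constructed to
mimic the two behaviours described in the article:
  - 7.3.0 and earlier: ecs-ec restarts and events that arrived during the
    restart are never processed (a gap with no catch-up).
  - 7.3.1 and later: ecs-ec-ingress keeps collecting into a buffer, so the
    gap is followed by a catch-up burst once ecs-ec/ecs-ep are back.
Assumption (mine, not from the article): buffered events appear as
throughput above the pre-deploy baseline after the restart.
"""
from statistics import median


def baseline_rate(counts, warmup):
    """Median events/second over the `warmup` seconds before the deploy."""
    return median(counts[:warmup])


def find_gap(counts, warmup, threshold_fraction=0.05):
    """Return (start, end) of the first run of seconds whose count falls
    below threshold_fraction * baseline, or None if processing never
    stopped. `end` is exclusive."""
    floor = baseline_rate(counts, warmup) * threshold_fraction
    start = None
    for i in range(warmup, len(counts)):
        if start is None:
            if counts[i] < floor:
                start = i
        elif counts[i] >= floor:
            return (start, i)
    return (start, len(counts)) if start is not None else None


def recovered_fraction(counts, warmup, gap):
    """Estimate what fraction of the events that arrived during the gap were
    processed afterwards. Throughput above the baseline after the gap is
    attributed to the ingress buffer draining."""
    base = baseline_rate(counts, warmup)
    start, end = gap
    expected_in_gap = base * (end - start)
    catch_up = sum(max(0, c - base) for c in counts[end:])
    return min(1.0, catch_up / expected_in_gap) if expected_in_gap else 0.0


def assess(counts, warmup=10):
    """Summarise the gap length and whether the in-gap events were recovered."""
    gap = find_gap(counts, warmup)
    if gap is None:
        return {"gap_seconds": 0, "recovered": 1.0,
                "verdict": "no processing gap"}
    frac = recovered_fraction(counts, warmup, gap)
    if frac >= 0.9:
        verdict = "collection buffered during restart (7.3.1+ behaviour)"
    else:
        verdict = "events lost during restart (7.3.0 and earlier behaviour)"
    return {"gap_seconds": gap[1] - gap[0], "recovered": round(frac, 2),
            "verdict": verdict}


# Constructed samples: 10 s at a steady 1000 EPS, a 20 s ECS restart, 30 s more.
STEADY = [1000] * 10
# 7.3.0: nothing is processed for 20 s and those 20 000 events never appear.
SAMPLE_730 = STEADY + [0] * 20 + [1000] * 30
# 7.3.1: same gap, but the 20 000 buffered events drain at +2000 EPS for 10 s.
SAMPLE_731 = STEADY + [0] * 20 + [3000] * 10 + [1000] * 20

if __name__ == "__main__":
    for name, sample in (("7.3.0", SAMPLE_730), ("7.3.1", SAMPLE_731)):
        print(name, assess(sample))
```

The 5 % floor rather than an exact zero keeps stray late-arriving events from hiding a restart, and capping the recovered fraction at 1.0 avoids counting an unrelated post-deploy traffic spike as buffered data; tune both to the host's normal variance before relying on the verdict.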

For other changes that affect event collection, refer to this Knowledge Center article:

Changes that Impact Event Collection

Internal Use Only

Created from PMR 82362,124,672.

Product: IBM QRadar SIEM (SSBQAC); Business Unit: Security (BU008); Component: General Information; Platform: Linux (PF016); Version: 7.2, 7.3; Edition: none

Document Information

Modified date:
13 December 2018

UID

swg21993267