Troubleshooting
Problem
QRadar can display notifications like this "Average Time in Milliseconds for I/O Requests on the device..." concerning users.
They are benign and a one-time incident, but in the worst scenario, if persistent, they can cause disruptions in deploying changes or delays in the search activity. Repeating notifications can indicate hardware disk failure or RAID misconfiguration.
Symptom
QRadar by default includes a system for generating warning notifications, SAR Sentinel. These notifications are generated based on the standard package sar installed with the OS system. The sar command collects, reports, and saves system activity information, which includes CPU statistics, Memory usage, Load average, and Disk I/O statistics.
The sar command writes the contents of selected cumulative activity counters in the operating system to standard output and saves in daily files. This process works along with the QRadar hostcontext and its threshold settings, which are stored in the file.
hostcontext.sar_thresholds.conf
In the article, you can learn how to modify these thresholds to set suitable values for your installation or leave them at the default value.
One of these counters, AWAIT, the average time in ms for I/O requests for a device, is set by default to 500 ms. The 500 ms, which to half a second for each modern hard disk drive, is a massive value. For comparison, a typical HDD has 5-20 ms or an SSD has 0.1-1 ms latency for an idle disk. These values are getting higher under heavy load, which can happen in a heavily used QRadar hard.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Product":{"code":"SSTZMA","label":"QRadar Appliance Hardware"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
13 March 2025
UID
ibm17185365