Events and flows are dropped when the IBM® QRadar® processing pipeline can't handle the volume of incoming events and flows, or when the number of events and flows exceeds the license limits for your deployment. When either situation occurs, QRadar writes messages to its error log; the following procedure shows which messages to look for and what each one means.
Procedure
- Use SSH to log in to QRadar as the root user.
- View the /var/log/qradar.error log file and look for these messages:
These messages indicate that events or flows were dropped:
[Tenant:[tenantID]:[tenantName]
Event dropped while attempting to add to Tenant Event Throttle queue.
The Tenant Event Throttle queue is full.
[Tenant:[tenantID]:[tenantName]
Flow dropped while attempting to add to Tenant Flow Throttle queue.
The Tenant Flow Throttle queue is full.
These messages indicate that the processing pipeline was near capacity, but do not by themselves mean that anything was discarded:
Throttle processor cannot keep up with events.
TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
Throttle processor cannot keep up with flows.
TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
If this warning persists, QRadar might drop events or flows.
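As an added example, not part of the IBM page or of QRadar itself: a small POSIX shell script that scans /var/log/qradar.error for the messages listed in the procedure, keeps the two classes apart (confirmed drops versus near-capacity warnings), and tallies drops per tenant from the [Tenant:[tenantID]:[tenantName] prefix. The sample log lines it falls back to are constructed; their timestamp prefix is an assumption about the log layout, and the tenant IDs and names in them are placeholders.

```shell
#!/bin/sh
# Added example (not IBM's tooling): summarise the throttle messages
# documented above from a QRadar error log. The log path is the real
# one; the sample lines in write_sample_log are constructed, and their
# timestamp prefix is an assumption about the log layout.

# Messages that confirm data loss: an event or flow was discarded.
DROPPED_RE='dropped while attempting to add to Tenant (Event|Flow) Throttle queue'
# Warnings that the pipeline is near capacity but has not yet dropped data.
NEAR_CAPACITY_RE='Throttle processor cannot keep up with (events|flows)'

# Number of dropped-event and dropped-flow messages in the log given as $1.
# grep -c prints 0 and exits 1 when nothing matches, so ignore its status.
count_dropped() {
    grep -c -E "$DROPPED_RE" "$1" || true
}

# Number of near-capacity warnings in the log given as $1.
count_near_capacity() {
    grep -c -E "$NEAR_CAPACITY_RE" "$1" || true
}

# Drop messages per tenant, as "count tenantID tenantName", most affected
# first. The tenant is parsed from the [Tenant:[tenantID]:[tenantName] prefix.
dropped_by_tenant() {
    grep -E "$DROPPED_RE" "$1" \
        | sed -n 's/.*\[Tenant:\[\([^]]*\)\]:\[\([^]]*\)\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Write a constructed sample log to $1 so the script can run without a
# QRadar host: three drops (two for tenant 1, one for tenant 2), two
# near-capacity warnings, and one unrelated line that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 10 09:15:02 qradar [Tenant:[1]:[Default] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
Jun 10 09:15:02 qradar Throttle processor cannot keep up with events. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
Jun 10 09:15:03 qradar [Tenant:[2]:[Acme] Flow dropped while attempting to add to Tenant Flow Throttle queue. The Tenant Flow Throttle queue is full.
Jun 10 09:15:04 qradar [Tenant:[1]:[Default] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
Jun 10 09:15:04 qradar Throttle processor cannot keep up with flows. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
Jun 10 09:15:05 qradar Unrelated component message that must not be counted.
EOF
}

# Print a summary for the log given as $1.
report() {
    echo "dropped events/flows  : $(count_dropped "$1")"
    echo "near-capacity warnings: $(count_near_capacity "$1")"
    echo "drops per tenant (count id name):"
    dropped_by_tenant "$1"
}

LOG="${1:-/var/log/qradar.error}"
if [ -r "$LOG" ]; then
    report "$LOG"
else
    # No readable QRadar log here: demonstrate on the constructed sample.
    tmp=$(mktemp)
    write_sample_log "$tmp"
    report "$tmp"
    rm -f "$tmp"
fi
```

Run it on the QRadar host as root, or pass a copied log file as the first argument; with no readable log it prints the summary for the constructed sample. A nonzero drop count means data was lost for that tenant, which is the condition the next section addresses; near-capacity warnings on their own mean the queue was filling but nothing had been discarded yet.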
What to do next
If your system is dropping events and flows, you can expand your license to handle more data, or you can set more restrictive EPS (events per second) and FPM (flows per minute) limits for each tenant.