Changes that impact event collection

Events come into QRadar® through the ecs-ec-ingress event collection service. Starting in QRadar V7.3.1, the service is managed separately from other QRadar services. To minimize interruptions in collecting event data, the service does not automatically restart when the hostcontext service restarts.

The following situations can cause an interruption in event collection:

Rebooting an appliance that collects events.
Adding an HA managed host.
During HA failover.
Restoring a configuration backup.
Adding or removing an off-site source connection
Whenever a partition's disk usage exceeds the maximum threshold.

When you deploy changes after you restore a configuration backup, you can restart the event collection service now or later. When you choose to restart the service later, QRadar deploys all changes that don't depend on the event collection service, and continues to collect events while the other services restart. The deployment banner continues to show undeployed changes, and the Event collection service must be restarted message is shown when you view the details.