IBM Support

QRadar: Search performance evaluation for Spectre/Meltdown mitigations

Troubleshooting


Problem

This technical note informs administrators how to review the potential change to search performance in QRadar 7.3.1 Patch 4 when CVE-2017-5754 (Variant 3/Meltdown) is enabled on QRadar appliances.

Symptom

Administrators who install QRadar 7.3.1 Patch 4 and enable CVE-2017-5754 (Variant 3/Meltdown) can expect performance degradation after they enable the remediation for the vulnerability. A performance assessment summary is available in the QRadar 7.3.1 Patch 4 release notes.

Environment

QRadar 7.3.1 Patch 4 appliances where the mitigation for CVE-2017-5754 (Variant 3/Meltdown) is enabled.

Resolving The Problem

Administrators who upgrade to QRadar 7.3.1 Patch 4 have the option to enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) in their deployment during installation or as a post-installation procedure. To assess the change in performance, administrators can run common searches before they install QRadar 7.3.1 Patch 4 to establish a baseline of common search durations. The baseline search durations can then be compared to the results when the remediation for CVE-2017-5754 (Variant 3/Meltdown) is enabled.

Procedure


Before you complete the upgrade to QRadar 7.3.1 Patch 4, log in to the QRadar Console.
  1. Click the Log Activity tab.
  2. Run a search.
  3. When the search completes, the Duration field shows how long the search took to complete. To view the duration for each appliance in the deployment, click More Details.
  4. Record these values or take a screen capture of the Managed Search Results interface as it includes the overall search duration.
    1. Log Activity > Search > Managed Search Results.
    2. Network Activity > Search > Managed Search Results.
  5. Install QRadar 7.3.1 Patch 4 and enable the mitigation for CVE-2017-5754 Variant 3/Meltdown. For full instructions, see the QRadar 7.3.1 Patch 4 release notes.
  6. Click the Log Activity tab.
  7. Before you run your search, select one of the following options to ensure you are not using cached search results:
    • Select Search > Managed Search Results and delete the saved search result.
    • Alter your search time frame by one minute or more.
  8. Compare the Duration field of the completed search with the baseline recorded before the mitigation for CVE-2017-5754 (Variant 3/Meltdown) was enabled. To view the duration for each appliance in the deployment, click More Details.

    For information on how to install QRadar 7.3.1 Patch 4, enable or disable the mitigation for CVE-2017-5754 Variant 3/Meltdown, or review the performance assessment summary, see the QRadar 7.3.1 Patch 4 release notes.
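The before/after comparison the procedure describes, as an added Python example that is not part of the IBM technote: it takes per-appliance durations recorded from the Duration field and More Details (in seconds; the appliance names and values are constructed sample data), reports the relative change for each appliance, and flags appliances that appear in only one run so that a change in the deployment is not misread as a mitigation cost.

```python
# Added example (not from the IBM technote): compare recorded QRadar search
# durations from before the 7.3.1 Patch 4 upgrade (baseline) with the same
# search run after the CVE-2017-5754 (Meltdown) mitigation is enabled.
# Durations are seconds as read from the Duration field / More Details;
# appliance names and values below are constructed sample data.
from typing import Dict, List, Optional

Durations = Dict[str, float]  # appliance name (or "overall") -> seconds


def pct_change(before: float, after: float) -> Optional[float]:
    """Relative change in percent; None when the baseline is zero or negative."""
    if before <= 0:
        return None
    return (after - before) / before * 100.0


def compare_search(baseline: Durations, mitigated: Durations,
                   tolerance_pct: float = 10.0) -> List[dict]:
    """One row per appliance seen in either run. Rows whose post-mitigation
    duration grew by more than tolerance_pct are marked 'regression';
    appliances present in only one run are marked 'missing' rather than
    being compared against nothing."""
    rows = []
    for host in sorted(set(baseline) | set(mitigated)):
        before, after = baseline.get(host), mitigated.get(host)
        if before is None or after is None:
            rows.append({"appliance": host, "before": before, "after": after,
                         "change_pct": None, "status": "missing"})
            continue
        change = pct_change(before, after)
        if change is None:
            status = "n/a"
        else:
            status = "regression" if change > tolerance_pct else "ok"
        rows.append({"appliance": host, "before": before, "after": after,
                     "change_pct": None if change is None else round(change, 1),
                     "status": status})
    return rows


def regressions(rows: List[dict]) -> List[str]:
    """Appliances whose duration grew beyond the tolerance."""
    return [r["appliance"] for r in rows if r["status"] == "regression"]


# Constructed sample: one Log Activity search, per-appliance durations plus overall.
BASELINE = {"overall": 120.0, "console": 95.0, "ep-01": 118.0, "ep-02": 110.0}
MITIGATED = {"overall": 139.0, "console": 101.0, "ep-01": 142.0, "ep-03": 130.0}

if __name__ == "__main__":
    for row in compare_search(BASELINE, MITIGATED):
        print(row)
```

Run the same comparison for each recorded search; a row marked "missing" means the Managed Search Results screens listed different appliances before and after, so that search should be re-run rather than compared.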

Document Information

Modified date:
03 July 2019

UID

swg22014058