IBM Support

QRadar: Anomaly Detection Engine (ADE) and Custom Rule Engine (CRE) log sources in 'Error' state

Question & Answer


Question

Why do the Anomaly Detection Engine (ADE) and Custom Rule Engine (CRE) log sources go into an Error state? If the CRE log source is in an Error state, does that mean the CRE is not functional?

Answer

When a QRadar® log source does not receive events for 720 minutes (12 hours), it automatically goes into an Error state.
The Custom Rules Engine (CRE) log source is only used to parse events created by the CRE itself (usually as a rule response). The Anomaly Detection Engine (ADE) log source is only used for events generated as a response when an ADE rule fires.
It is possible that those log sources do not receive an event for 12 hours, especially on test systems or systems with a low Events Per Second (EPS) rate. In particular, the ADE log source is unlikely to receive events if no anomaly detection rules are being exercised or if the system is not in production. To check whether these log sources received events in the last 12 hours, run a search in the Log Activity tab filtered on the log source in question with a time range of the last 12 hours.
The CRE log source being in an error state does not necessarily mean that the CRE is not functional. For any custom rule, one of the rule responses is to dispatch a new internal event. The CRE log source is the one that parses that internal event. So the lack of events on this log source could be caused by one or more of these factors:
  • No events are being received by the QRadar system.
  • Events are being received but are not firing any rule.
  • Rules are being fired but their responses are not set to generate new events.

One method to check whether the CRE is running is to execute the following command in an SSH session to the console:

/opt/qradar/support/threadTop.sh -p 7799 -e "CRE Processor"

This command lists the threads currently running the CRE Processor. If one or more threads are displayed, it is a good indicator that the CRE is running. Note that the presence of these threads only shows that the engine is up; it does not show that any rule is matching or generating events, which depends on the factors listed above.

Example output:

System Time: 12/11/2020 at 23:06:38.259
Server          ID     MSecs  Name
--------------  -----  -----  ------------------------------------------
7799              161      3  CRE Processor [1]
7799              162      1  CRE Processor [2]
7799              156      1  CRE Processor [0]
7799              163      0  CRE Processor [3]
--------------  -----  -----  ------------------------------------------
                           5  Total (5/2000)
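The following script turns the manual check above into a repeatable health check. It is an added example, not code from IBM or from this support page. The only things taken from the page are the path to threadTop.sh, its -p 7799 and -e "CRE Processor" arguments, and the shape of the output; the function names, the decision that one or more threads means "running", the fallback to a constructed sample when the script is not run on a QRadar console, and the sample output itself are assumptions made here.

```shell
#!/bin/sh
# Added example (not IBM's code): count "CRE Processor" threads reported by threadTop.sh
# and report whether the CRE appears to be running. Everything except the threadTop.sh
# invocation is an assumption of this example.

# Constructed sample output, shaped like the page's example, so the parsing can be
# exercised on a machine that is not a QRadar console.
SAMPLE_THREADTOP_OUTPUT='System Time: 12/11/2020 at 23:06:38.259
Server          ID     MSecs  Name
--------------  -----  -----  ------------------------------------------
7799              161      3  CRE Processor [1]
7799              162      1  CRE Processor [2]
7799              156      1  CRE Processor [0]
7799              163      0  CRE Processor [3]
--------------  -----  -----  ------------------------------------------
                           5  Total (5/2000)'

# count_cre_threads: read threadTop output on stdin and print the number of thread rows
# named "CRE Processor [n]". Only rows that start with a numeric server id, thread id and
# MSecs column are counted, so the header, separator lines and the Total line are ignored.
count_cre_threads() {
    grep -E '^[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+CRE Processor \[[0-9]+\]' \
        | wc -l | tr -d ' '
}

# cre_status: map a thread count to a human-readable verdict. The threshold of one thread
# is an assumption taken from the page's "one or more threads" wording.
cre_status() {
    if [ "$1" -ge 1 ]; then
        echo "running"
    else
        echo "not running"
    fi
}

# check_cre: run the real command when threadTop.sh exists (a QRadar console), otherwise
# fall back to the constructed sample. Returns 0 when at least one CRE Processor thread
# is present, 1 otherwise, so it can be used from cron or a monitoring wrapper.
check_cre() {
    if [ -x /opt/qradar/support/threadTop.sh ]; then
        out=$(/opt/qradar/support/threadTop.sh -p 7799 -e "CRE Processor")
    else
        out="$SAMPLE_THREADTOP_OUTPUT"
    fi
    n=$(printf '%s\n' "$out" | count_cre_threads)
    echo "CRE Processor threads: $n ($(cre_status "$n"))"
    [ "$n" -ge 1 ]
}

check_cre
```

Remember that a non-zero thread count only tells you the engine is alive. To confirm that rules are actually producing events, pair this with the Log Activity search on the Custom Rule Engine log source described above.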


Document Information

Modified date:
12 November 2020

UID

ibm16365033