Troubleshooting
Problem
A reported performance issue exists in QRadar 7.5.0 Upgrade Pack 2 where threads for X-Force for rules and searches might be reduced. When this issue occurs, the scaserver threads can be incorrectly reduced to 15 after the administrator installs or upgrades to QRadar 7.5.0 Upgrade Pack 2. This technical note explains the workaround for administrators affected by APAR IJ40606
Cause
The scaserver.ini has the number of SCA_THREADS reduced to 15, instead of being calculated by the number of CPUs available on the appliance.
Environment
QRadar 7.5.0 Upgrade Pack 2 (Build 20220527130137).
Resolving The Problem
Note: This issue has been fixed in 7.5.0 UP3. The following workaround is for systems still at 7.5.0 UP2 only.
- Use SSH to log in to the Console as the root user.
- Create a new file named IJ40606.sh with the command:
touch /root/IJ40606.sh
- Using an editor such as vi add the following to the IJ40606.sh file:
#!/bin/bash SERVER_CPUS=$(lscpu | grep "^CPU(s)" | sed "s/.* //") if [[ $SERVER_CPUS == +([0-9]) ]] then SCA_THREADS=$(((299 + 22*SERVER_CPUS) / 30)) SERVER_INI=/store/dca/server.ini sed -i "/\[threads\]/{n;s/.*/$SCA_THREADS/}" $SERVER_INI grep -A1 "\[threads\]" $SERVER_INI if systemctl -q is-active scaserver then systemctl restart scaserver fi fi
- Make the script executable with the command:
chmod +x /root/IJ40606.sh
- Transfer the script to all managed hosts with the command:
/opt/qradar/support/all_servers.sh -C -p /root/IJ40606.sh
- run the script on all hosts with the command (this will restart the scaserver service on all hosts):
/opt/qradar/support/all_servers.sh -C "/storetmp/IJ40606.sh; rm -f /storetmp/IJ40606.sh"
- Wait for the command prompt to return.
Results
All appliances in the deployment are updated with new values. To verify the SCA server thread value is updated, administrators can SSH to an appliance and type the following command to confirm the value shows greater than 15 assigned threads:cat /store/dca/server.ini
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwszAAA","label":"Install"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
27 September 2023
UID
ibm16593537