IBM Support

QRadar: Matching hardware with incoming Events Per Second

Troubleshooting


Problem

Determine the incoming raw event rate of an appliance and compare it with the rated Events Per Second (EPS) for that hardware to assess whether the hardware specification is being exceeded.

Diagnosing The Problem

Administrators must first identify the type of the appliance to be investigated, because the EPS benchmark to compare against depends on the appliance model (hardware) or the CPU count (software).
 
  1. Identify the appliance type:
    1. To determine the appliance type of each host in the deployment, see the article, How to determine the appliance type for each host in a distributed deployment.
    2. To confirm that the Appliance Type is 'Software', see the article, How to identify a 'Software' installation by appliance function.
  2. Use SSH to log in to the appliance.
    1. On a hardware appliance, run this command to find the server model (for example, the M5 generation):
      dmidecode | grep -i product
    2. On a software appliance, run this command to find the number of CPUs:
      nproc
  3. To determine the average EPS that the appliance is receiving, see the article, How to troubleshoot peak Events Per Second.


    Results 
    After you have identified the type of appliance in your deployment and its rated Events Per Second capability, compare that capability with the event rate the appliance actually receives to decide how to manage your deployment.

Resolving The Problem

Before you begin
Compare the average EPS received by the appliance with the maximum EPS listed for that appliance in the supporting documentation. The two examples that follow cover a software appliance and a hardware appliance.

Examples

  • Software Appliance

    1. The appliance that is being investigated is confirmed to be a 3199 Console.
    2. Confirm the number of CPUs on that appliance by running the nproc command:
      # nproc
      24
    3. Find the average incoming event rate for the appliance by running this AQL query, which averages the EventRate health metric per host:
      SELECT "Hostname" AS 'Hostname (custom)', AVG("Value") AS 'Value (custom) (Average)', COUNT(*) AS 'Count'
      FROM events
      WHERE ("Metric ID"='EventRate' AND "deviceType"='368')
      GROUP BY "Hostname"
      ORDER BY "Count" DESC
       
    4. With both values (the CPU count and the average event rate), compare the appliance against the benchmarks in the System requirements for virtual appliances documentation, which lists the maximum EPS for each CPU and memory profile and shows which category this appliance falls under.
      These numbers are based on the QRadar maximum EPS certification methodology.

      Results
      From the documentation, it is confirmed that the incoming event rate is within the bounds of the hardware limitations.

  • Hardware Appliance

    1. The appliance is identified as an All-In-One Console 3148. Verifying its appliance type shows that it is an M5:
      # dmidecode | grep -i product 
      Product Name: System x3650 M5: -[8871AC1]-
    2. The M5 appliance overview in the QRadar M5 xx48 documentation states that this appliance can handle 30,000 EPS.
    3. Use SSH to log in as the root user to the appliance whose event rate you are investigating.
    4. Find the incoming event rate for the appliance through the CLI (the sed expression keeps only the timestamp, the 60-second rate, the 60-second peak, and the Appliance Threshold from each SourceMonitor line):
      # grep -i 'ecs-ec-ingress\].*SourceMonitor.*event' /var/log/qradar.log | sed -n 's/^\(.\{15\} \).*\((60s: [0-9\.]\{1,\} eps)\).*\(Peak.*60s: [0-9\.]\{1,\} eps\).*\(Appliance Threshold.*$\)$/\1 \2 \3 \4 /p' | tail -n 5
      
      Nov 25 13:35:08  (60s: 211.80 eps) Peak in the last 60s: 289.20 eps Appliance Threshold: 502.00
      Nov 25 13:36:08  (60s: 218.17 eps) Peak in the last 60s: 301.00 eps Appliance Threshold: 502.00
      Nov 25 13:37:08  (60s: 209.00 eps) Peak in the last 60s: 295.80 eps Appliance Threshold: 502.00
      Nov 25 13:38:08  (60s: 206.30 eps) Peak in the last 60s: 305.20 eps Appliance Threshold: 502.00
      Nov 25 13:39:08  (60s: 211.23 eps) Peak in the last 60s: 295.00 eps Appliance Threshold: 502.00

      Results   
      The 60-second average (around 210 eps) and the 60-second peak (around 305 eps) are well within the 30,000 EPS documented for the M5, so the incoming event rate is within the bounds of the hardware limitations. Compare the eps values, not the Appliance Threshold, against the documentation: the threshold in these lines (502.00) is the EPS threshold configured for this host and is far below the hardware rating.
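The following script turns the sampled lines into a repeatable pass/fail check. It is added here as an example and is not part of the IBM article: it parses the reduced lines that the grep/sed pipeline above prints, averages the 60-second rate, takes the highest 60-second peak, and compares that peak with a benchmark EPS figure passed as an argument (30,000 for the 3148 M5 quoted above). The embedded sample input is the five lines from this article; the function name eps_summary, its output format and its exit codes are this example's own.

```shell
#!/bin/bash
# Added example (not part of the IBM article): summarise the reduced
# SourceMonitor lines that the article's grep/sed pipeline prints and compare
# the observed rates with the benchmark EPS documented for the appliance model.
#
# Expected input lines look like the article's pipeline output:
#   Nov 25 13:35:08  (60s: 211.80 eps) Peak in the last 60s: 289.20 eps Appliance Threshold: 502.00

# Constructed sample input: the five lines shown in the article.
SAMPLE_LINES='Nov 25 13:35:08  (60s: 211.80 eps) Peak in the last 60s: 289.20 eps Appliance Threshold: 502.00
Nov 25 13:36:08  (60s: 218.17 eps) Peak in the last 60s: 301.00 eps Appliance Threshold: 502.00
Nov 25 13:37:08  (60s: 209.00 eps) Peak in the last 60s: 295.80 eps Appliance Threshold: 502.00
Nov 25 13:38:08  (60s: 206.30 eps) Peak in the last 60s: 305.20 eps Appliance Threshold: 502.00
Nov 25 13:39:08  (60s: 211.23 eps) Peak in the last 60s: 295.00 eps Appliance Threshold: 502.00'

# eps_summary BENCHMARK_EPS   (reads reduced SourceMonitor lines on stdin)
# Prints one line:
#   avg60=<mean 60s rate> peak=<highest 60s peak> threshold=<last Appliance Threshold> benchmark=<arg> verdict=<OK|OVER>
# Exit status: 0 when the highest peak is within the benchmark, 2 when it
# exceeds it, 1 when no parsable line was read (wrong grep pattern, empty
# log window, or a changed log format).
eps_summary() {
    local bench="$1"
    # Reduce each line to "rate peak threshold"; lines that do not match are dropped.
    sed -n 's/.*(60s: \([0-9.]*\) eps).*60s: \([0-9.]*\) eps.*Threshold: \([0-9.]*\).*/\1 \2 \3/p' |
    awk -v bench="$bench" '
        BEGIN { n = 0; sum = 0; peak = 0; thr = 0 }
        {
            n++
            sum += $1                 # 60-second average rate
            if ($2 > peak) peak = $2  # highest 60-second peak in the window
            thr = $3                  # Appliance Threshold from the latest line
        }
        END {
            if (n == 0) { print "no SourceMonitor lines parsed" > "/dev/stderr"; exit 1 }
            verdict = (peak > bench + 0) ? "OVER" : "OK"
            printf "avg60=%.2f peak=%.2f threshold=%.2f benchmark=%s verdict=%s\n",
                   sum / n, peak, thr, bench, verdict
            exit (verdict == "OK") ? 0 : 2
        }'
}

# Stand-alone run against the sample; 30,000 EPS is the rating the article
# quotes for the 3148 M5.
printf '%s\n' "$SAMPLE_LINES" | eps_summary 30000
```

On an appliance, feed the function the output of the pipeline from step 4 (for example, tail -n 60 for the last hour instead of tail -n 5) and use the exit status, which is 2 when the peak exceeds the benchmark, in a cron job or monitoring check. The threshold field is reported but deliberately not used for the verdict, because it is the host's configured EPS threshold rather than the hardware rating that the documentation gives.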

Document Location

Worldwide


Document Information

Modified date:
01 December 2022

UID

ibm16607615