Troubleshooting
Problem
In the QRadar SIEM Log Activity page, duplicate events are observed: either plain duplicates, or events from a specific log source where the additional copies are associated with the Console.
Symptom
Duplicate events are observed in Log Activity, and the user confirmed by using TCPDump that only single events are visible.
For more information about reviewing incoming logs by using TCPDump, see QRadar: Using tcpdump to troubleshoot IBM Security QRadar SIEM
Cause
A possible cause for this issue is that the events are created by a Global rule, whose actions are applied to matching events on both the Event Processor and the Console simultaneously.
Environment
IBM QRadar 7.X
Diagnosing The Problem
If duplicate events appear in Log Activity, and the user has confirmed that they are not duplicate incoming events, one way to diagnose whether this issue is the cause is to review the rule matches for each event.
For example, if a Global Rule creates a new event based on some criteria, and an Event Processor sees a matching event, two new events are created: one from the Event Processor and one from the Console, because the rule is Global.
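The following script is an added example, not part of the IBM document, showing how the rule-match review described above can be automated over an exported set of Log Activity rows. The field names (event_name, start_time, payload, processor, rules), the rule names and the sample rows are all constructed assumptions modelled on a Log Activity export with the Processor and Custom Rule columns added. Events that are identical in name, time and payload are grouped; a group whose copies come from different processors and share a rule is tagged as a likely Global rule duplicate, while a group whose copies come from the same processor points at a duplicate feed instead, which is where the tcpdump check belongs.

```python
from collections import defaultdict

# Constructed sample rows, modelled on a Log Activity export with the
# "Processor" and "Custom Rule" columns added. Not real QRadar data.
SAMPLE_EVENTS = [
    # Pair 1: the same rule-generated event, one copy from the Event
    # Processor and one from the Console -> the pattern this document describes.
    {"event_name": "Login Burst Detected", "start_time": "2022-10-28 10:00:01",
     "payload": "user=alice src=10.0.0.5", "processor": "eventprocessor101",
     "rules": ["Global: Login Burst"]},
    {"event_name": "Login Burst Detected", "start_time": "2022-10-28 10:00:01",
     "payload": "user=alice src=10.0.0.5", "processor": "console",
     "rules": ["Global: Login Burst"]},
    # Pair 2: an identical event received twice on the same processor -> a
    # duplicate feed (verify with tcpdump), not a Global rule artefact.
    {"event_name": "Firewall Deny", "start_time": "2022-10-28 10:00:02",
     "payload": "src=10.0.0.9 dst=10.0.0.1 dpt=22", "processor": "eventprocessor101",
     "rules": []},
    {"event_name": "Firewall Deny", "start_time": "2022-10-28 10:00:02",
     "payload": "src=10.0.0.9 dst=10.0.0.1 dpt=22", "processor": "eventprocessor101",
     "rules": []},
    # A single event produces no finding.
    {"event_name": "User Login Success", "start_time": "2022-10-28 10:00:03",
     "payload": "user=bob src=10.0.0.7", "processor": "eventprocessor101",
     "rules": ["Local: Track Logins"]},
]


def group_duplicates(events):
    """Group events that are identical in name, start time and payload."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["event_name"], ev["start_time"], ev["payload"])
        groups[key].append(ev)
    return {key: evs for key, evs in groups.items() if len(evs) > 1}


def classify_duplicates(events):
    """Return one finding per duplicate group, tagging its likely origin.

    'global_rule'    : copies came from different processors (Event Processor
                       and Console) and fired the same rule(s).
    'duplicate_feed' : copies came from the same processor, so the rule
                       engine is not the source; check the log source feed.
    """
    findings = []
    for key, evs in group_duplicates(events).items():
        processors = sorted({ev["processor"] for ev in evs})
        # Rules common to every copy in the group.
        shared_rules = set(evs[0]["rules"])
        for ev in evs[1:]:
            shared_rules &= set(ev["rules"])
        origin = "global_rule" if len(processors) > 1 and shared_rules else "duplicate_feed"
        findings.append({
            "event_name": key[0],
            "start_time": key[1],
            "count": len(evs),
            "processors": processors,
            "shared_rules": sorted(shared_rules),
            "origin": origin,
        })
    return findings


if __name__ == "__main__":
    for f in classify_duplicates(SAMPLE_EVENTS):
        print(f"{f['event_name']} x{f['count']} on {f['processors']}: "
              f"{f['origin']} (shared rules: {f['shared_rules']})")
```

Groups tagged global_rule point at the rule named in shared_rules, which is the one to review under Resolving The Problem; groups tagged duplicate_feed should be checked against the incoming traffic with tcpdump as described above.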
Resolving The Problem
Review the rules that interact with the events and make changes to stop duplication. These changes might be, but are not limited to:
- Setting a Global Rule to a Local Rule
- Filtering that rule to not affect the event by some criteria
- Adjusting the actions of the rule to not generate new events.
Result
In the Log Activity page, no duplicate events are found. If the issue persists, contact QRadar Support.
Document Location
Worldwide
Document Information
Modified date:
28 October 2022
UID
ibm16825571