IBM Support

QRadar: How to generate a list of vortexed assets

How To


Summary

Asset vortexing occurs when QRadar merges several distinct assets into a single asset record, producing asset information that does not reflect the true state of any of the underlying hosts. Users who see the "The system detected asset profiles that exceed the normal size threshold" notification on their console might have vortexed assets.

Objective

This article shows a method for obtaining a bulk list of vortexed assets, along with each asset's ID, the reason for vortexing, and the vortex count.
For more information about what vortexing is and when it occurs, see the following technical note.

Steps

Before you start
This article outlines steps to generate a large, raw report of all vortexed assets. This procedure is intended for intermediate users on large systems, but there is an easier way to investigate vortexed assets that we recommend users try first to see whether it solves their problem.
  1. Follow the Troubleshooting asset profiles that exceed the normal size threshold documentation to investigate assets in the QRadar UI.
  2. Follow the Identification of asset growth deviations documentation to determine whether assets are vortexed.
    Note: Understanding the basics of asset vortexing can help you identify issues on your system, so if you aren't familiar with the basics, see this technical note to learn about the common reasons why assets are improperly merged. 
  3. Follow the Clean up asset data after growth deviations documentation.
  4. See the Prevention of asset growth deviations documentation to prevent future vortexing.

    Result
    If your issue is resolved, you do not need to follow the further steps in this technical note. If you have too many vortexed assets to reasonably investigate one at a time, use the following procedure.
Generate a vortex report
  1. SSH into QRadar console.
  2. Enter the following command to extract the vortex entries from the qradar.error file. It greps out every "[ASSET ID:..., REASON:..., COUNT:...]" entry, splits lines that carry several entries, sorts the entries by COUNT from highest to lowest, keeps one row per asset ID (the row with the highest COUNT), and numbers the result:
    grep -o "ASSET ID.*COUNT:[0-9]\{1,4\}\]" /var/log/qradar.error \
      | sed 's/],/],\n/g' | sed 's/],//g' | sed 's/]//g' | sed 's/\[//g' | sed 's/,//' \
      | sed 's/ ASSET/ASSET/g' | sed 's/, / /g' | sed 's/ID:/ID: /g' | sed 's/COUNT:/COUNT: /g' \
      | awk '{ print $3,$0 }' | awk '{ print $NF,$0 }' \
      | sort -k 1 -Vr | awk '!seen[$2]++' | awk '{$1=$2=""; print $0}' \
      | sed 's/ REASON/, REASON/g' | sed 's/ COUNT: /, COUNT:/g' | sed 's/ASSET ID: /ASSET ID:/g' \
      | cat -n
    Note: The command reads only the current /var/log/qradar.error file. Entries that were already rotated out of that file are not included in the report.

    Result
    Example output:
    1    ASSET ID:11632, REASON:Too many MAC Addresses, COUNT:126
    2    ASSET ID:3200, REASON:Too many MAC Addresses, COUNT:84
    3    ASSET ID:5242, REASON:Too many MAC Addresses, COUNT:41
    The first column is the row number added by cat -n. Each row then shows the asset ID, the reason for vortexing, and COUNT, the number of instances (in this example, MAC addresses) associated with the asset. COUNT is the most significant property because it determines the severity of vortexing: the higher the value, the more vortexed that asset is.
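    The following script is an added example; it is not part of this IBM article and not QRadar's own code. It produces the same report as the shell pipeline above (one row per asset ID, highest COUNT kept, sorted from highest to lowest) with a single regular expression instead of a chain of sed and awk stages, and it can read rotated copies of the log as well. The bracketed entry layout is taken from the grep/sed pattern above; the timestamp and prefix text in the constructed sample lines, the assumption that Python 3 is available on the console, and the assumption that rotated copies are gzip-compressed are all the example's own.

```python
#!/usr/bin/env python3
"""Build a vortexed-asset report from QRadar's qradar.error.

Added example, not IBM code. It parses the same bracketed entries the
article's grep/sed pipeline targets:
    [ASSET ID:<id>, REASON:<text>, COUNT:<n>]
and keeps, per asset, the highest COUNT seen, sorted highest first.
"""
import gzip
import re
import sys

# One bracketed entry; several may occur on a single log line.
VORTEX_RE = re.compile(r"ASSET ID:(\d+),\s*REASON:([^,\]]+),\s*COUNT:(\d+)\]")

# Constructed sample input. Only the bracketed entries follow the format
# the article's pipeline expects; the timestamp/prefix text is made up.
SAMPLE_LOG = """\
Apr 21 10:01:02 console [hostcontext] asset profile size warning: [ASSET ID:11632, REASON:Too many MAC Addresses, COUNT:98]
Apr 21 10:06:02 console [hostcontext] asset profile size warning: [ASSET ID:11632, REASON:Too many MAC Addresses, COUNT:126], [ASSET ID:3200, REASON:Too many MAC Addresses, COUNT:84]
Apr 21 10:11:02 console [hostcontext] asset profile size warning: [ASSET ID:5242, REASON:Too many MAC Addresses, COUNT:41]
Apr 21 10:11:03 console [hostcontext] unrelated error line with no vortex data
"""


def parse_vortex_entries(lines):
    """Yield (asset_id, reason, count) for every entry found in the lines."""
    for line in lines:
        for match in VORTEX_RE.finditer(line):
            yield int(match.group(1)), match.group(2).strip(), int(match.group(3))


def vortex_report(lines, min_count=1):
    """Return [(asset_id, reason, count), ...], one row per asset.

    For an asset reported more than once, the row carries the highest COUNT
    seen (the same rule the article's sort/awk stages apply). Rows are sorted
    by COUNT descending, then by asset ID so the order is deterministic.
    Entries below min_count are dropped, which is useful for triage on
    systems with thousands of small deviations.
    """
    worst = {}
    for asset_id, reason, count in parse_vortex_entries(lines):
        if count < min_count:
            continue
        if asset_id not in worst or count > worst[asset_id][1]:
            worst[asset_id] = (reason, count)
    rows = [(asset_id, reason, count) for asset_id, (reason, count) in worst.items()]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


def format_report(rows):
    """Render rows in the same numbered layout the shell pipeline prints."""
    return [
        f"{index}\tASSET ID:{asset_id}, REASON:{reason}, COUNT:{count}"
        for index, (asset_id, reason, count) in enumerate(rows, start=1)
    ]


def iter_log_lines(paths):
    """Stream lines from each path; a .gz suffix is assumed to mean a gzip-rotated copy."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
            for line in handle:
                yield line


if __name__ == "__main__":
    # Default to the live log. Pass rotated copies explicitly on the command
    # line to include entries that have already been rotated out.
    paths = sys.argv[1:] or ["/var/log/qradar.error"]
    for row in format_report(vortex_report(iter_log_lines(paths))):
        print(row)
```

    Run it on the console as "python3 vortex_report.py /var/log/qradar.error" (add rotated copies as further arguments). Because it streams the files line by line, it does not load a large qradar.error into memory, and the min_count argument of vortex_report lets you cut the list down to the worst assets before opening them in the UI.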
Inspect the assets in the UI
  1. Log in to the QRadar UI.
  2. Click the Assets tab.
  3. Click Add Filter to find individual assets by Asset ID.
  4. Choose Asset ID and Equals, then enter an Asset ID from the CLI report.
  5. Click OK to list the matching asset so that you can investigate it. Repeat for each Asset ID you want to inspect.

    Result
    You can delete assets that you determine to be vortexed by following the information outlined in Deleting invalid assets - IBM Documentation. For a few vortexed assets, follow the Selective clean up instructions. For many vortexed assets, follow the Rebuild the asset database instructions. After you clean them up, follow the Prevention of asset growth deviations documentation to ensure the issue does not repeat itself.

Additional Information

Document Location

Worldwide

Product: IBM Security QRadar SIEM; Category: Assets; Platform: Linux; Version: All Versions

Document Information

Modified date:
21 April 2023

UID

ibm16957124