IBM Support

QRadar: What does cleaning the SIM Model do?

Question & Answer


Question

What are the benefits of cleaning the SIM Model?

Answer

By cleaning the SIM data model, we can ensure that offenses are based on the most recent rules, servers, and network hierarchies. Cleaning the SIM data model after the tuning process is finished ensures that IBM® QRadar® shows only those offenses generated with the updated rules.
In other cases, a SIM clean can be needed when IBM QRadar® is no longer generating offenses. For example, offenses might not be generated due to corrupted transactions in the magistrate, which is the process that creates and manages offenses. If the magistrate is receiving corrupted offense transactions, restarting the ecs-ep service would not correct the issue. Therefore, SIM clean closes all active offenses and restarts the ecs-ep service with its subcomponents, including the magistrate.
There are two types of SIM clean:

1. Soft Clean: Closes all offenses but does not remove them from the system. The UI is unavailable until the process is complete and the web server is fully restarted.

2. Hard Clean: Closes all offenses and completely erases them from the system. The UI is unavailable until the process is complete and the web server is fully restarted.

Currently, SIM clean is done in the UI on the Admin tab. However, as of the current version of IBM QRadar®, when you initiate the SIM clean, you do not get any notification when the process is complete. By scanning /var/log/qradar.log, you can monitor both when the SIM clean completes and whether any errors occurred during the process. The payloads in qradar.log can differ depending on which type of SIM clean you initiate.

In particular, there are a couple of conditions where we need to clean the SIM data model:

  • Poor performance around offenses due to a bloated SIM model. There is no way to purge elements selectively from the SIM, so the only option to recover performance is to purge the existing offenses with a hard SIM clean.
  • Errors in processing offense updates might require a soft or hard clean to restore operation.

Note: In the case where SIM cleaning is necessary, it is always recommended to contact technical support to determine the necessary action.

Document Information

Modified date:
12 April 2023

UID

ibm16967205