I believe we have been hunting down each and every indicator for dropped events or flows. From Overflow Counters and hardware rate limiters, spillover files, missed flow counters to performance problems which resulted in events "routed to storage" without CRE processing.
After several years we expected that we had found and were tracking all indicators for situations where your events or flows disappear.
Can you recommend certain QRadar logs where to look for flows dropped in 7.4, that might now be processed correctly in 7.5?
Or would you expect that flows were dropped silently?
I am still not sure what is more scary - missing flows undetected in 7.4, or the need to almost double the license with 7.5.
Thomas
------------------------------
SIEM-2020
------------------------------
Original Message:
Sent: Sun November 20, 2022 10:21 PM
From: JARED HAYWARD
Subject: Upgrade to 7.5.0 increased reported FPS numbers by 75%
Throughout the 7.5.0 release stream there have been a number of performance improvements made to both QNI and the core flows pipeline. These are listed under the what's new section within the documentation:
- https://www.ibm.com/docs/en/qsip/7.5?topic=750-qradar-network-insights
- https://www.ibm.com/docs/en/qsip/7.5?topic=qradar-flow-improvements
It may have been possible that prior to 7.5.0, your deployment was dropping flows at some point in the flows pipeline and the performance improvements delivered in 7.5.0 have reduced that dropped flow rate.
------------------------------
JARED HAYWARD
Original Message:
Sent: Mon November 14, 2022 02:38 AM
From: SIEM-2020
Subject: Upgrade to 7.5.0 increased reported FPS numbers by 75%
After upgrading our deployment from 7.4.3 to 7.5.0 Update 3 with IF02, the reported FPS numbers have suddenly increased by 75%, compared to the numbers over the last 3 months running with 7.4.3.
The Flow Collector Configuration, as shown in Component Management, shows no changes. The number of incoming flow packets over time is also unchanged.
Has anybody noticed similar behaviour or even found a resolution for this?
Thomas
------------------------------
SIEM-2020
------------------------------