IBM QRadar

  • 1.  QRadar: Events/flows were dropped by the event pipeline.

    Posted Fri April 24, 2020 09:23 AM
    Hi everyone,

    How to tune the system to reduce the volume of events and flows that enter the event pipeline?
    Below is the system notification:


    Apr 20 09:01:31 127.0.0.1 [ba0e7e13-ac6c-4fc0-98e3-69e458bb92d8/SequentialEventDispatcher]
    com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0060005100][10.12.158.22/- -] [-/- -]A total
    of 60688248 dropped raw event(s) have been detected. 65596 raw event(s) have been dropped in
    the last 60 seconds. License restrictions have been applied 60 times in the last 60 seconds.
    The average event rate in the last 60 seconds was 2265.10 eps (with a peak of 3061.60 eps),
    and within that time has exceeded the threshold of 2510.00 eps 6 times.

    Thank you in advance.

    Regards.


    Hichem AZAIEZ

    ------------------------------
    hichem azaiez
    ------------------------------


  • 2.  RE: QRadar: Events/flows were dropped by the event pipeline.

    Posted Mon April 27, 2020 12:52 AM
    Hi Hichem,

    First of all, check the top log sources in the Log Activity tab (run a search). This is mostly caused by the EPS license limit being crossed. Also check whether any recent changes happened to the QROC: has any new log source been added, or have any new types of diagnostic logs been enabled?


    Regards
    Asif Siddiqui

    ------------------------------
    Asif Siddiqui, Senior Security Analyst
    ------------------------------



  • 3.  RE: QRadar: Events/flows were dropped by the event pipeline.

    Posted Mon April 27, 2020 01:11 AM
    Hi Hichem,

    There are several options, depending on the nature of the events you're receiving.

    1. Some of our log source protocols (Windows Event Log over MSRPC and WinCollect, for example) allow you to configure which event types you want to retrieve from the remote system and, in some cases, to apply specific filters. You can use these sorts of options to retrieve only the subset of events that you consider most important.
    2. Many of our pull-based protocols (Log File, JDBC, various REST API-based protocols) have an Event Rate throttle configuration parameter which allows you to control how fast they inject their retrieved events into the QRadar event pipeline. Lowering these values will slow down the rate of event ingestion to stay under your license threshold.
    3. For log sources which use push-based protocols (where the event source is sending events to QRadar via syslog, SNMP, etc.), we can't control on the QRadar side what is being sent to us, so ideally any tuning or filtering would be done on the sending side to avoid sending QRadar any unneeded events. If this cannot be done, it is possible to use routing rules (configurable from the QRadar Admin tab) to drop unneeded events on the QRadar side.
    4. If you have a multi-host deployment (event collectors and/or event processors in addition to your console), you may be able to redistribute your log sources across your available ECs/EPs so that the event rate is more evenly spread across your available systems.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
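    To put numbers on the notification quoted in the original question before choosing among the options above, here is an added Python example (not from this thread, IBM, or QRadar) that parses the SourceMonitor message and derives the loss rate, the headroom to the license threshold, and whether the drops come from bursts rather than sustained overload. The regular expression, the DropReport field names and the derived metrics are my own assumptions based only on the one sample line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the SourceMonitor notification from the original post, re-joined onto one line.
SAMPLE = (
    "Apr 20 09:01:31 127.0.0.1 [ba0e7e13-ac6c-4fc0-98e3-69e458bb92d8/SequentialEventDispatcher] "
    "com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0060005100][10.12.158.22/- -] [-/- -]A total "
    "of 60688248 dropped raw event(s) have been detected. 65596 raw event(s) have been dropped in the "
    "last 60 seconds. License restrictions have been applied 60 times in the last 60 seconds. The "
    "average event rate in the last 60 seconds was 2265.10 eps (with a peak of 3061.60 eps), and within "
    "that time has exceeded the threshold of 2510.00 eps 6 times."
)

PATTERN = re.compile(  # named groups in message order; .*? skips the fixed wording between fields
    r"A total of (?P<total>\d+) dropped raw event\(s\).*?"
    r"(?P<dropped>\d+) raw event\(s\) have been dropped in the last (?P<window>\d+) seconds.*?"
    r"License restrictions have been applied (?P<restrictions>\d+) times.*?"
    r"was (?P<avg>[\d.]+) eps \(with a peak of (?P<peak>[\d.]+) eps\).*?"
    r"exceeded the threshold of (?P<threshold>[\d.]+) eps (?P<exceeded>\d+) times"
)


@dataclass
class DropReport:
    total: int          # cumulative dropped raw events reported by this counter
    dropped: int        # raw events dropped in the reporting window
    window: int         # window length in seconds
    restrictions: int   # times the license limit was enforced in the window
    avg_eps: float
    peak_eps: float
    threshold_eps: float
    exceeded: int       # times the threshold was crossed in the window

    @property
    def dropped_eps(self) -> float:  # events lost per second over the window
        return self.dropped / self.window

    @property
    def peak_reduction(self) -> float:  # fraction the peak must shrink by to fit under the threshold
        return max(0.0, 1.0 - self.threshold_eps / self.peak_eps)

    @property
    def bursty(self) -> bool:  # average under the threshold yet drops occurred: bursts, not sustained load
        return self.avg_eps <= self.threshold_eps and self.dropped > 0


def parse_drop_notification(line: str) -> "DropReport | None":
    m = PATTERN.search(line)  # None for any line that is not a dropped-event notification
    if m is None:
        return None
    g = m.groupdict()
    return DropReport(int(g["total"]), int(g["dropped"]), int(g["window"]), int(g["restrictions"]),
                      float(g["avg"]), float(g["peak"]), float(g["threshold"]), int(g["exceeded"]))
```

    For the sample line, peak_reduction gives a rough target for how much volume the throttle, filter or routing-rule options above need to remove, and bursty flags the case where the average rate is already under the threshold but short bursts still cause drops.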



  • 4.  RE: QRadar: Events/flows were dropped by the event pipeline.

    Posted Mon April 27, 2020 03:21 AM

    Hi,

    Thank you all for your answers.
    I'm going to analyze it to find the origins of the saturation.


    Thank you for all of your thoughts.

    Hichem AZAIEZ
