Warning Notifications for JSA Appliances

JSA system health notifications are proactive messages about actual or impending software or hardware failures.

Maximum Sensor Devices Monitored

38750006 - Traffic analysis is already monitoring the maximum number of log sources.

Explanation

The system contains a limit to the number of log sources that can be queued for automatic discovery by traffic analysis. If the maximum number of log sources in the queue is reached, then new log sources cannot be added.

Events for the log source are categorized as SIM Generic and labeled as Unknown Event Log.

User Response

Select one of the following options:

  • Review SIM Generic log sources on the Log Activity tab to determine the appliance type from the event payload.

  • Ensure that automatic updates can download the latest DSM updates to properly identify and parse log source events.

  • Verify whether the log source is officially supported.

    If your appliance is supported, manually create a log source for the events that were not automatically discovered.

  • If your appliance is not officially supported, create a universal DSM to identify and categorize your events.

  • Wait for the device to provide 1,000 events.

    If the system cannot auto discover the log source after 1,000 events, it is removed from the traffic analysis queue. Space becomes available for another log source to be automatically discovered.

Unable to Determine Associated Log Source

38750007 - Unable to automatically detect the associated log source for IP address <IP address>.

Explanation

When events are sent from an undetected or unrecognized device, the traffic analysis component needs a minimum of 25 events to identify a log source.

If the log source is not identified after 1,000 events, the system abandons the automatic discovery process and generates the system notification. The system then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.

User Response

Review the following options:

  • Review the IP address in the system notification to identify the log source.

  • Review the Log Activity tab to determine the appliance type from the IP address in the notification message and then manually create a log source.

    Ensure that the Log Source Identifier field matches the host name in the original payload syslog header. Verify that the events are appearing on the device by deploying the changes and searching on the manually created log source.

  • Review any log sources that forward events at a low rate. Log sources that have low event rates commonly cause this notification.

  • To properly parse events for your system, ensure that automatic update downloads the latest DSMs.

  • Review any log sources that provide events through a central log server. Log sources that are provided from central log servers or management consoles might require that you manually create their log sources.

  • Verify whether the log source is officially supported. If your appliance is supported, manually create a log source for the events and add a log source extension.

  • If your appliance is not officially supported, create a universal DSM to identify and categorize your events.

Maximum Events or Flows Reached

38750008 - The appliance exceeded the EPS or FPM allocation within the last hour.

Explanation

Each appliance is allocated a specific volume of event and flow data from the license pool. In the last hour, the appliance exceeded the allocated EPS or FPM.

If the appliance continues to exceed the allocated capacity, the system might queue events and flows, or possibly drop the data when the backup queue fills.

User Response

  • Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.

  • Tune the system to reduce the volume of events and flows that enter the event pipeline.

Flow Processor Cannot Establish Initial Time Synchronization

38750009 - Flow processor could not establish initial time synchronization.

Explanation

The JSA Flow Processor has an advanced setting for the IP address of a time synchronization server. In most cases, leave this value empty. If a value is configured, the Flow Processor attempts to synchronize its time with that server every hour, and this notification is raised when the initial synchronization attempt fails.

User Response

In the deployment actions, select the Flow Processor. Click Actions > Configure and click Advanced. In the Time Synchronization Server IP Address field, clear the value and click Save.

Backup Unable to Complete a Request

38750033 - Backup: Not enough free disk space to perform the backup.

Explanation

Disk Sentry is responsible for monitoring system disk and storage issues. Before a backup begins, Disk Sentry checks the available disk space to determine whether the backup can complete successfully. If the free disk space is less than two times the size of the last backup, the backup is canceled. By default, backups are stored in /store/backup.

User Response

To resolve this issue, select one of the following options:

  • Free up disk space on your appliance to allow enough space for a backup to complete in /store/backup.

  • Configure your existing backups to use a partition with free disk space.

  • Configure more storage for your appliance. For more information, see the Juniper Secure Analytics Configuring Offboard Storage Guide.

Backup Unable to Run a Request

38750035 - Backup: Unable to Execute Backup Request.

Explanation

A backup cannot start or cannot complete for one of the following reasons:

  • The system is unable to clean the backup replication synchronization table.

  • The system is unable to run a delete request.

  • The system is unable to synchronize backup with the files that are on the disk.

  • The NFS-mounted backup directory is not available or has incorrect NFS export options (for example, the export is missing no_root_squash).

  • The system cannot initialize on-demand backup.

  • The system cannot retrieve configuration for the type of backup that is selected.

  • Cannot initialize a scheduled backup.

User Response

Manually start a backup to determine whether the failure reoccurs. If multiple backups fail to start, contact Juniper Customer Support.

Process Monitor License Expired or Invalid

38750044 - Process Monitor: Unable to start process: license expired or invalid.

Explanation

The license is expired for a managed host. All data collection processes stop on the appliance.

User Response

Contact your sales representative to renew your license.

Found an Unmanaged Process That is Causing Long Transaction

38750048 - Transaction Sentry: Found an unmanaged process causing unusually long transaction that negatively effects system stability.

Explanation

The transaction sentry determined that a process outside its control, such as a database replication task, a maintenance script, an automatic update, or a command line process, is holding a transaction that locks the database. Most processes cannot run for more than an hour. Repeated occurrences with the same process need to be investigated.

User Response

Select one of the following options:

  • Review the /var/log/qradar.log file for the word TxSentry to determine the process identifier that is causing your transaction issues.

  • Wait to see whether the process completes the transaction and releases the database lock.

  • Manually release the database lock by restarting the process that has the identifier reported in the TxSentry log entry.

Restored System Health by Canceling Hung Transactions

38750049 - Transaction Sentry: Restored system health by canceling hung transactions or deadlocks.

Explanation

The transaction sentry restored the system to normal system health by canceling suspended database transactions or removing database locks. To determine the process that caused the error, review the qradar.log file for the word TxSentry.

User Response

No action is required.

Maximum Active Offenses Reached

38750050 - MPC: Unable to create new offense. The maximum number of active offenses has been reached.

Explanation

The system is unable to create offenses or change a dormant offense to an active offense. By default, the number of active offenses that can be open on your system is limited to 2500. An active offense is any offense that received updated event counts within the past five days.

User Response

Select one of the following options:

  • Change low security offenses from open or active to closed, or to closed and protected.

  • Tune your system to reduce the number of events that generate offenses.

    To prevent a closed offense from being removed by your data retention policy, protect the closed offense.

Maximum Total Offenses Reached

38750051 - MPC: Unable to process offense. The maximum number of offenses has been reached.

Explanation

By default, the process limit is 2500 active offenses and 100,000 overall offenses.

If an active offense does not receive an event update within 30 minutes, the offense status changes to dormant. If an event update occurs, a dormant offense can change to active. After five days, dormant offenses that do not have event updates change to inactive.

User Response

Select one of the following options:

  • Tune your system to reduce the number of events that generate offenses.

  • Adjust the offense retention policy to an interval at which data retention can remove inactive offenses.

    To prevent a closed offense from being removed by your data retention policy, protect the closed offense.

  • To free disk space for important active offenses, change offenses from active to dormant.
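To make the offense lifecycle and the two limits behind notifications 38750050 and 38750051 concrete, here is an added Python model of the transitions described above (active to dormant after 30 minutes without an event update, dormant back to active on an update, dormant to inactive after five days) with the default limits of 2500 active and 100,000 total offenses. This is example code, not JSA's MPC component; the class and method names, the in-memory bookkeeping, and treating inactive and closed offenses as terminal states are assumptions made here.

```python
"""Offense lifecycle model for 38750050 / 38750051 (added example, not JSA code).

From the text: active -> dormant after 30 minutes without an event update,
dormant -> active on an update, dormant -> inactive after 5 days; defaults of
2500 active and 100,000 total. Names and the "inactive/closed are terminal"
simplification are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(minutes=30)
INACTIVE_AFTER = timedelta(days=5)
MAX_ACTIVE = 2500
MAX_TOTAL = 100_000


@dataclass
class Offense:
    offense_id: int
    last_event: datetime
    state: str = "active"      # active | dormant | inactive | closed
    protected: bool = False


class Magistrate:
    """Minimal stand-in for the offense manager (MPC) bookkeeping."""

    def __init__(self, max_active=MAX_ACTIVE, max_total=MAX_TOTAL):
        self.max_active = max_active
        self.max_total = max_total
        self.offenses = {}           # offense_id -> Offense

    def active_count(self):
        return sum(1 for o in self.offenses.values() if o.state == "active")

    def age_offenses(self, now):
        """Apply the time-based transitions as of `now`."""
        for o in self.offenses.values():
            idle = now - o.last_event
            if o.state == "active" and idle >= DORMANT_AFTER:
                o.state = "dormant"
            if o.state == "dormant" and idle >= INACTIVE_AFTER:
                o.state = "inactive"

    def event(self, offense_id, now):
        """Record an event (creating the offense if new); return the notification code raised, or None."""
        self.age_offenses(now)
        o = self.offenses.get(offense_id)
        if o is None:
            if len(self.offenses) >= self.max_total:
                return "38750051"            # total limit reached
            if self.active_count() >= self.max_active:
                return "38750050"            # active limit reached
            self.offenses[offense_id] = Offense(offense_id, now)
            return None
        if o.state in ("inactive", "closed"):
            return None                      # terminal in this model
        if o.state == "dormant" and self.active_count() >= self.max_active:
            return "38750050"                # dormant -> active is blocked too
        o.state = "active"
        o.last_event = now
        return None

    def close(self, offense_id, protect=False):
        o = self.offenses[offense_id]
        o.state = "closed"
        o.protected = protect

    def purge(self, now, retention):
        """Retention: drop inactive and unprotected closed offenses idle for at least `retention`."""
        doomed = [i for i, o in self.offenses.items()
                  if o.state in ("inactive", "closed") and not o.protected
                  and now - o.last_event >= retention]
        for i in doomed:
            del self.offenses[i]
        return len(doomed)


def demo():
    """Constructed scenario with tiny limits (2 active, 3 total)."""
    t0 = datetime(2024, 1, 1, 0, 0)
    t1 = t0 + timedelta(minutes=31)
    t2 = t1 + timedelta(days=5)
    m = Magistrate(max_active=2, max_total=3)
    m.event(1, t0)
    m.event(2, t0)
    third_at_t0 = m.event(3, t0)     # active limit reached
    m.event(1, t1)                   # #1 and #2 went dormant; #1 reactivated
    m.event(3, t1)                   # one active slot is free, so #3 is created
    fourth_at_t1 = m.event(4, t1)    # total limit reached
    reactivate_2 = m.event(2, t1)    # dormant #2 cannot become active
    states_t1 = {i: o.state for i, o in sorted(m.offenses.items())}
    m.close(3, protect=True)         # protected closed offenses survive retention
    m.age_offenses(t2)               # #1 and #2 are inactive after 5 idle days
    purged = m.purge(t2, timedelta(days=5))
    return {"third_at_t0": third_at_t0, "states_t1": states_t1,
            "fourth_at_t1": fourth_at_t1, "reactivate_2": reactivate_2,
            "purged": purged, "remaining": sorted(m.offenses)}


if __name__ == "__main__":
    print(demo())
```

The scenario shows why both notifications can appear on a system that seems to have room: a dormant offense that receives a new event competes for the same active slots as a brand-new offense, and closed offenses only leave the total count once retention removes them, which a protected offense never does.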

Long Running Reports Stopped

38750054 - Terminating a report which was found executing for longer than the configured maximum threshold.

Explanation

The system cancels the report that exceeded the time limit. Reports that run longer than the following default time limits are canceled.

Table 1: Default Time Limits by Report Frequency

Report frequency

Default time limits (hours)

Hourly

2

Daily

12

Manual

12

Weekly

24

Monthly

24

User Response

Select one of the following options:

  • Reduce the time period for your report, but schedule the report to run more frequently.

  • Edit manual reports to generate on a schedule.

    A manual report might rely on raw data but not have access to accumulated data. Edit your manual report and change the report to use an hourly, daily, monthly, or weekly schedule.

Out Of Memory Error and Erroneous Application Restarted

38750055 - Out of Memory: system restored, erroneous application has been restarted.

Explanation

An application or service ran out of memory and was restarted. Out of memory issues are commonly caused by software issues or user-defined queries.

User Response

Review the following resolutions:

  • Review the error message that is written to the /var/log/qradar.log file to determine which component failed.

  • If the Ariel proxy server is searching through large amounts of data or is using a grouping option that generates unique values in the search results, reduce the number of unique values or reduce the time frame of the search.

  • If the accumulator is generating a time series graph with many aggregated unique values, reduce the size of the query.

  • If a protocol-based log source was recently enabled, shorten the polling interval so that each poll retrieves less data. If multiple protocol-based log sources poll at the same time, stagger their start times.

  • If a rule recently changed to track unique properties over long periods of time, reduce the time frame by half or reduce the number of matching events by adding another filter.

Long Transactions for a Managed Process

38750056 - Transaction Sentry: Found managed process causing unusually long transaction that negatively effects system stability.

Explanation

The transaction sentry determines that a managed process, such as Tomcat or event collection service (ECS) is the cause of a database lock.

A managed process is forced to restart.

User Response

To determine the process that caused the error, review the qradar.log for the word TxSentry.

Protocol Source Configuration Incorrect

38750057 - A protocol source configuration may be stopping events from being collected.

Explanation

The system detected an incorrect protocol configuration for a log source. Log sources that use protocols to retrieve events from remote sources can generate an initialization error when a configuration problem in the protocol is detected.

User Response

Resolve the protocol configuration issues by following these steps:

  • Review the log source to ensure that the protocol configuration is correct.

    Verify authentication fields, file paths, database names for JDBC, and ensure that the system can communicate with remote servers. Hover your mouse pointer over a log source to view more error information.

  • Review the /var/log/qradar.log file for more information about the protocol configuration error.

MPC: Process Not Shutdown Cleanly

38750058 - MPC: Server was not shutdown cleanly. Offenses are being closed in order to re-synchronize and ensure system stability.

Explanation

The magistrate process encountered an error. Active offenses are closed, services restart, and the database tables are verified and rebuilt if necessary.

The system synchronizes to prevent data corruption. If the magistrate component detects a corrupted state, then the database tables and files are rebuilt.

User Response

The magistrate component self-repairs. If the error continues, contact Juniper Customer Support.

Last Backup Exceeded the Allowed Time Limit

38750059 - Backup: The last scheduled backup exceeded execution threshold.

Explanation

The time limit is determined by the backup priority that you assign during configuration.

User Response

Select one of the following options:

  • Edit the backup configuration to extend the time limit that is configured to complete the backup. Do not extend over 24 hours.

  • Edit the failed backup and change the priority level to a higher priority. Higher priority levels allocate more system resources to completing the backup.

Deployment Of an Automatic Update

38750069 - Automatic updates installed successfully. In the Admin tab, click Deploy Changes.

Explanation

An automatic update, such as an RPM update, was downloaded and requires that you deploy the change to finish the installation process.

User Response

In the Admin tab, click Deploy Changes.

Log Source Created in a Disabled State

38750071 - A Log Source has been created in the disabled state due to license limits.

Explanation

Traffic analysis is a process that automatically discovers and creates log sources from events. If you are at your current log source license limit, the traffic analysis process might create the log source in the disabled state. Disabled log sources do not collect events and do not count in your log source limit.

User Response

Review the following options:

  • On the Admin tab, click the Log Sources icon and disable or delete low priority log sources. Disabled log sources do not count towards your log source license.

  • Ensure that deleted log sources do not automatically rediscover. You can disable the log source to prevent automatic discovery.

  • Ensure that you do not exceed your license limit when you add log sources in bulk.

  • If you require an expanded license to include more log sources, contact your sales representative.

SAR Sentinel Threshold Crossed

38750073 - SAR Sentinel: threshold crossed.

Explanation

The system activity reporter (SAR) utility detected that your system load is above the threshold. Your system can experience reduced performance.

User Response

Review the following options:

  • In most cases, no resolution is required.

    For example, when CPU usage exceeds 90%, the system automatically attempts to return to normal operation.

  • If this notification is recurring, increase the default value of the SAR sentinel.

    Click the Admin tab, then click Global System Notifications. Increase the notification threshold.

  • For system load notifications, reduce the number of processes that run simultaneously.

    Stagger the start time for reports, vulnerability scans, or data imports for your log sources. Schedule backups and system processes to start at different times to lessen the system load.

User Does Not Exist or is Undefined

38750075 - User either does not exist or has an undefined role.

Explanation

The system attempted to update a user account with more permissions, but the user account or user role does not exist.

User Response

On the Admin tab, click Deploy Changes. Updates to user accounts or roles require that you deploy the change.

Disk Usage Exceeded Warning Threshold

38750076 - Disk Sentry: Disk Usage Exceeded warning Threshold.

Explanation

The disk sentry detected that the disk usage on your system is greater than 90%.

When the disk space on your system reaches 95% full, the system disables processes to prevent data corruption.

User Response

You must free some disk space by deleting files or by changing your data retention policies. The system can automatically restart processes after the disk space usage falls below a threshold of 92% capacity.
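The two Disk Sentry behaviours on this page (the backup pre-check under 38750033, which cancels a backup when free space is less than twice the size of the last backup, and the 90%, 95% and 92% usage thresholds above) as an added Python example; it is not JSA code. The thresholds and the factor of two come from the text; the function and class names, the sample figures, and treating the newest file in the backup directory as the last backup are assumptions made here.

```python
"""Disk Sentry style checks (added example, not JSA code).

Reproduces two rules from the notifications on this page:
  * 38750033: a backup is cancelled when free space on the backup
    partition is less than 2 x the size of the last backup.
  * 38750076: usage above 90% warns, 95% stops processes, and processes
    restart only once usage drops back below 92%.
Names, sample figures and the "newest file is the last backup"
simplification are assumptions made for this example.
"""
import os
import shutil

BACKUP_DIR = "/store/backup"       # default backup location from the text
BACKUP_HEADROOM_FACTOR = 2         # free space must be >= 2 x last backup
WARN_PCT = 90.0                    # "greater than 90%" -> warning
STOP_PCT = 95.0                    # "reaches 95% full" -> processes stopped
RESUME_PCT = 92.0                  # "falls below 92%" -> processes restart


def backup_allowed(free_bytes, last_backup_bytes):
    """Pre-check run before a backup starts."""
    return free_bytes >= BACKUP_HEADROOM_FACTOR * last_backup_bytes


def last_backup_size(backup_dir=BACKUP_DIR):
    """Size of the newest regular file in backup_dir, or 0 if none exists."""
    try:
        names = os.listdir(backup_dir)
    except OSError:
        return 0
    files = [os.path.join(backup_dir, n) for n in names]
    files = [f for f in files if os.path.isfile(f)]
    if not files:
        return 0
    return os.path.getsize(max(files, key=os.path.getmtime))


def check_backup_precondition(backup_dir=BACKUP_DIR):
    """Live version of the pre-check, for use on an appliance."""
    free = shutil.disk_usage(backup_dir).free
    return backup_allowed(free, last_backup_size(backup_dir))


class DiskSentry:
    """Usage monitor with the hysteresis described for 38750076.

    ok -> warning above 90% -> stopped at 95% or more; stopped -> ok only
    once usage is below 92%, so a system hovering at 93-94% does not flap
    between stopping and restarting its processes.
    """

    def __init__(self):
        self.state = "ok"
        self.events = []

    def observe(self, used_pct):
        if self.state == "stopped":
            if used_pct < RESUME_PCT:
                self.state = "ok"
                self.events.append("processes restarted")
            return self.state
        if used_pct >= STOP_PCT:
            self.state = "stopped"
            self.events.append("processes stopped to prevent corruption")
        elif used_pct > WARN_PCT:
            if self.state != "warning":
                self.events.append("38750076 warning threshold exceeded")
            self.state = "warning"
        else:
            self.state = "ok"
        return self.state


def usage_pct(path):
    """Percent of the filesystem that holds `path` currently in use."""
    du = shutil.disk_usage(path)
    return 100.0 * du.used / du.total


if __name__ == "__main__":
    # Constructed figures: a 40 GiB last backup with 60 GiB free is refused.
    gib = 1 << 30
    print("backup allowed:", backup_allowed(60 * gib, 40 * gib))
    sentry = DiskSentry()
    for pct in (88.0, 91.0, 95.5, 93.0, 91.9):
        print("%.1f%% -> %s" % (pct, sentry.observe(pct)))
    print(sentry.events)
```

The point of the `DiskSentry` class is the gap between the stop threshold (95%) and the resume threshold (92%): freeing a few hundred megabytes on a nearly full /store is not enough to bring collection back, so plan the cleanup or retention change to land well below 92%.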

Infrastructure Component is Corrupted or Did Not Start

38750083 - Infrastructure component corrupted.

Explanation

When the message service (IMQ) or PostgreSQL database cannot start or rebuild, the managed host cannot operate properly or communicate with the console.

User Response

Contact Juniper Customer Support.

Data Replication Difficulty

38750085 - Data replication experiencing difficulty.

Explanation

Data replication ensures that managed hosts can continue to collect data if the console is unavailable.

A managed host had difficulty downloading data. If a managed host repeatedly fails to download data, the system might experience performance or communication issues.

User Response

If a managed host does not resolve the replication issue on its own, contact Juniper Customer Support.

Events Routed Directly to Storage

38750088 - Performance degradation has been detected in the event pipeline. Event(s) were routed directly to storage.

Explanation

To prevent queues from filling, and to prevent the system from dropping events, the event collection system (ECS) routes data to storage. Incoming events and flows are not categorized. However, raw event and flow data is collected and searchable.

User Response

Review the following options:

  • Verify the incoming event and flow rates. If the event pipeline is queuing events, expand your license to hold more data.

  • Review recent changes to rules or custom properties. Rule or custom property changes might cause sudden changes to your event or flow rates. Changes might affect performance or cause the system to route events to storage.

  • DSM parsing issues can cause the event data to route to storage. Verify whether the log source is officially supported.

  • SAR notifications might indicate that queued events and flows are in the event pipeline.

  • Tune the system to reduce the volume of events and flows that enter the event pipeline.

Custom Property Disabled

38750097 - A custom property has been disabled.

Explanation

A custom property is disabled because the custom property has processing problems. Rules, reports, or searches that use the disabled custom property stop working properly.

User Response

Select one of the following options:

  • Review the disabled custom property to correct your regex patterns. Do not re-enable disabled custom properties without first reviewing and optimizing the regex pattern or calculation.

  • If the custom property is used for custom rules or reports, ensure that the Optimize parsing for rules, reports, and searches check box is selected.

Device Backup Failure

38750098 - Either a failure occurred while attempting to backup a device, or the backup was cancelled.

Explanation

The error is commonly caused by configuration errors in the configuration source management (CSM) or if a backup is canceled by a user.

User Response

Select one of the following options:

  • Review the credentials and address sets in CSM to ensure that the appliance can log in.

  • Verify the protocol that is configured to connect to your network device is valid.

  • Ensure that your network device and version is supported.

  • Verify that your network device connects to the appliance.

  • Verify that the most current adapters are installed.

Event or Flow Data Not Indexed

38750101 - Event/Flow data not indexed for interval.

Explanation

If too many indexes are enabled or the system is overburdened, the system might drop the event or flow from the index portion.

User Response

Select one of the following options:

  • If the dropped index interval occurs with SAR sentinel notifications, the issue is likely due to system load or low disk space.

  • To temporarily disable some indexes to reduce the system load, on the Admin tab, click the Index Management icon.

Threshold Reached for Response Actions

38750102 - Response Action: Threshold reached.

Explanation

The custom rules engine (CRE) cannot respond to a rule because the response threshold is full.

Generic rules or a system that is not tuned can generate many response actions, especially on systems with the IF-MAP option enabled. Response actions are queued. Response actions might be dropped if the queue exceeds 2000 entries in the event collection system (ECS) or 1000 entries in Tomcat.

User Response

  • If the IF-MAP option is enabled, verify that the connection to the IF-MAP server exists and that a bandwidth problem is not causing rule response to queue in Tomcat.

  • Tune your system to reduce the number of rules that are triggering.

Disk Replication Falling Behind

38750103 - DRBD Sentinel: Disk replication is falling behind. See log for details.

Explanation

If the replication queue fills on the primary appliance, system load on the primary might increase. Replication issues are commonly caused by performance issues on the primary system, storage issues on the secondary system, or bandwidth problems between the appliances.

User Response

Select one of the following options:

  • Review bandwidth activity by loading a saved search MGMT: Bandwidth Manager from the Log Activity tab. This search displays bandwidth usage between the console and hosts.

  • If SAR sentinel notifications are recurring on the primary appliance, distributed replicated block device (DRBD) queues might be full on the primary system.

  • Use SSH and the cat /proc/drbd command to monitor the DRBD status of the primary or secondary hosts.
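The `cat /proc/drbd` check above produces a fixed-format status block, and the fields worth reading are the connection state (cs), the local/peer disk states (ds), the amount out of sync (oos, in KiB) and the number of requests pending on the peer (pe). The following added Python example parses that output and reports why a resource counts as falling behind; it is not JSA code. The sample output is constructed in the DRBD 8.x format, and the thresholds (any out-of-sync data, or more than 256 pending requests) are assumptions made for this example.

```python
"""Parse `cat /proc/drbd` output and flag resources that are falling behind
(38750103). Added example, not JSA code; the sample is constructed in the
DRBD 8.x format and the thresholds are assumptions."""
import re

# Constructed sample: resource 0 is healthy; resource 1 is resynchronising
# with about 1.2 GiB out of sync (oos is in KiB) and 512 requests pending.
SAMPLE_PROC_DRBD = """\
version: 8.4.11 (api:1/proto:86-101)
GIT-hash: 0000000000000000000000000000000000000000 build by example@host, 2024-01-01 00:00:00
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
    ns:1048576 nr:0 dw:1048576 dr:4096 al:12 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0
 1: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r-----
    ns:3145728 nr:0 dw:4194304 dr:8192 al:40 bm:300 lo:0 pe:512 ua:0 ap:128 ep:1 wo:f oos:1228800
"""

# " 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate ..."
DEV_RE = re.compile(r"^\s*(\d+):\s+cs:(\S+)\s+ro:(\S+)/(\S+)\s+ds:(\S+)/(\S+)")
# numeric counters on the indented line that follows each device line
KV_RE = re.compile(r"\b([a-z]+):(\d+)\b")


def parse_proc_drbd(text):
    """Return one dict per DRBD minor: cs, ro, ds plus the numeric counters."""
    devices = []
    for line in text.splitlines():
        m = DEV_RE.match(line)
        if m:
            devices.append({"minor": int(m.group(1)), "cs": m.group(2),
                            "ro": (m.group(3), m.group(4)),
                            "ds": (m.group(5), m.group(6))})
        elif devices and line.startswith("    "):
            devices[-1].update({k: int(v) for k, v in KV_RE.findall(line)})
    return devices


def assess(dev, max_oos_kib=0, max_pending=256):
    """Reasons a resource counts as behind; an empty list means healthy."""
    reasons = []
    if dev["cs"] != "Connected":
        reasons.append("connection state %s" % dev["cs"])
    if dev["ds"] != ("UpToDate", "UpToDate"):
        reasons.append("disk state %s/%s" % dev["ds"])
    if dev.get("oos", 0) > max_oos_kib:
        reasons.append("%d KiB out of sync" % dev["oos"])
    if dev.get("pe", 0) > max_pending:
        reasons.append("%d requests pending on the peer" % dev["pe"])
    return reasons


def replication_report(text=SAMPLE_PROC_DRBD):
    """Map each minor number to its list of problems."""
    return {d["minor"]: assess(d) for d in parse_proc_drbd(text)}


if __name__ == "__main__":
    # On an appliance use: replication_report(open("/proc/drbd").read())
    for minor, reasons in replication_report().items():
        print("drbd%d:" % minor, "OK" if not reasons else "; ".join(reasons))
```

A growing `oos` value on the primary while `cs` stays `Connected` points at the secondary's storage or the link between the nodes; a `cs` of `WFConnection` or `StandAlone` means the peer is not reachable at all and the secondary is no longer a usable failover target.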

Asset Change Discarded

38750106 - Asset Changes Aborted.

Explanation

An asset change exceeded the change threshold and the asset profile manager ignores the asset change request.

The asset profile manager includes an asset persistence process that updates the profile information for assets. The process collects new asset data and then queues the information before the asset model is updated. When a user attempts to add or edit an asset, the data is stored in temporary storage and added to the end of the change queue. If the change queue is large, the asset change can time out and the temporary storage is deleted.

User Response

Select one of the following options:

  • Add or edit the asset a second time.

  • Adjust or stagger the start time for your vulnerability scans or reduce the size of your scans.

Asset Persistence Queue Disk Full

38750113 - Asset Persistence Queue Disk Full.

Explanation

The system detected the spillover disk space that is assigned to the asset persistence queue is full. Asset persistence updates are blocked until disk space is available. Information is not dropped.

User Response

Reduce the size of your scan. A reduction in the size of your scan can prevent the asset persistence queues from overflowing.

Asset Update Resolver Queue Disk Full

38750115 - Asset Update Resolver Queue Disk Full.

Explanation

The system detected that the spillover disk space that is assigned to the asset resolver queue is full.

The system continually writes the data to disk to prevent any data loss. However, if the system has no disk space, it drops scan data. The system cannot handle incoming asset scan data until disk space is available.

User Response

Review the following options:

  • Ensure that your system has free disk space. The notification can accompany SAR Sentinel notifications to notify you of potential disk space issues.

  • Reduce the size of your scans.

  • Decrease the scan frequency.

Disk Full for the Asset Change Queue

38750117 - Asset Change Listener Queue Disk Full.

Explanation

The asset profile manager includes a process, change listener, that calculates statistics to update the CVSS score of an asset. The system writes the data to disk, which prevents data loss of pending asset statistics. However, if the disk space is full, the system drops scan data.

The system cannot process incoming asset scan data until disk space is available.

User Response

Select one of the following options:

  • Ensure that your system has sufficient free disk space.

  • Reduce the size of your scans.

  • Decrease the scan frequency.

Expensive Custom Rule Found

38750120 - Expensive Custom Rules Found in CRE. Performance degradation was detected in the event pipeline. Found expensive custom rules in CRE.

Explanation

The custom rules engine (CRE) is a process that checks whether an event matches a rule set and then triggers alerts, offenses, or notifications.

A user can create a custom rule that has a large scope, uses an inefficient regex pattern, includes Payload contains tests, or combines several such tests with regular expressions. When this custom rule runs, it degrades performance, which can cause events to be routed directly to storage. Events that are routed to storage are indexed and normalized, but they don't trigger alerts or offenses.

When multiple, expensive, or inefficient rule tests are used, the maximum event throughput rate can be reduced, causing backlogs of events to go through the rules engine. Events might be routed directly to storage, and this warning is displayed.

User Response

Review the following options:

  • Review the payload of the notification to determine which expensive rule in the pipeline affects performance.

    For example, the following payload reports the test: "Payload Verification" rule in the pipeline and the EPS rate reported is 787 events per second, potentially reducing the maximum throughput of the rules engine.

  • On the Offenses tab, click Rules and use the search window to find and either edit or disable the expensive rule. By editing the rule, you can reduce the amount of data that goes through it, for example by applying a log source or IP address range filter. Expensive tests, such as Payload contains, can also be reduced or removed if they are not required. Review reference set tests to ensure that they are not querying a large reference set.

  • Use SSH to log in to the Event Processor and verify whether the CRE parser threads are running for longer than 1500 milliseconds under the current EPS load by using the following command:

    /opt/qradar/support/threadTop.sh -p 7799

    Search the Java thread stack for regex.Pattern.Curly, referenceSet, assets, host profile, and port profile by using the following command:

    /opt/qradar/support/threadTop.sh -p 7799 -s -e ".*CRE Processor.*"

    • If the output contains regex.Pattern.Curly, issues with Payload contains tests are possible.

    • If the output contains referenceSet, issues might occur with tests against large reference sets.

    • If the output contains assets, host profile, and port profile, issues might occur with Host with port open tests or asset tests.

Rules Might Not Be the Issue

This notification can trigger when events are routed to storage around the rules engine. If, when you investigate this notice, the "EPS" rate in the notification is higher than ~20,000 EPS, it can indicate that the issue might be elsewhere. A rule that can process events upwards of 20,000 EPS is fairly optimized. The situation that triggered the 'events routed to storage' might not be a rule, but might be something else. Other items to consider are listed as follows.

  • Is the system under higher load for other reasons, such as long-term data searching?

  • Is disk utilization on /store at 85% or higher, so that data compression might be affecting storage performance?

  • If HA is in use, and event rates are higher than 10,000 EPS, ensure that sufficient bandwidth is between the two HA nodes. For example, a single 1Gbps connection, even in a dedicated crossover, can limit storage performance.

  • Is there a separate /transient partition? If not, temporary data decompression also uses storage resources and contributes to the high storage demand.

Process Exceeds Allowed Run Time

38750122 - Process takes too long to execute. The maximum default time is 3600 seconds.

Explanation

The default time limit of 1 hour for an individual process to complete a task is exceeded.

User Response

Review the running process to determine whether the task is a process that can continue to run or must be stopped.

License Expired

38750123 - An allocated license has expired and is no longer valid.

Explanation

When a license expires on the console, a new license must be applied. When a license expires on a managed host, the appliance continues to process events and flows up to the rate that is allocated from the shared license pool.

When the license contributes EPS and FPM capacity to the shared license pool, the expiry might force the shared license pool into a deficit where it does not have enough capacity to meet the requirements of the deployment. In a deficit situation, JSA blocks access to capabilities on the Network Activity and Log Activity tabs.

User Response

  1. Determine which appliance has the expired license.

    1. On the Admin tab, click System and License Management.

    2. In the Display box, select Licenses.

      Expired licenses are shown in the License Information Messages section.

  2. If the expired license is on the console, replace it.

  3. If the expired license is on a managed host, review the shared license pool to ensure that the system has enough EPS and FPM capacity.

    1. If the shared license pool is over-allocated, replace the expired license with a new license that has enough EPS and FPM to meet the system capacity requirements.

    2. If the license pool has enough capacity, delete the expired license. In the License table, select the row for the expired license (shown nested beneath the managed host summary row), and select Actions > Delete License.

External Scan Of an Unauthorized IP Address or Range

38750126 - An external scan execution tried to scan an unauthorized IP address or address range.

Explanation

When a scan profile includes a CIDR range or IP address outside of the defined asset list, the scan continues. However, any CIDR ranges or IP addresses for assets that are not within your external scanner list are ignored.

User Response

Update the list of authorized CIDR ranges or IP addresses for assets that are scanned by your external scanner. Review your scan profiles to ensure that the scan is configured for assets that are included in the external network list.

Time Synchronization Failed

38750129 - Time synchronization to primary or Console has failed.

Explanation

The managed host cannot synchronize with the console or the secondary HA appliance cannot synchronize with the primary appliance.

Administrators must allow the NTP traffic that ntpdate uses (UDP port 123) between the hosts. When time synchronization is incorrect, data might not be reported correctly to the console. The longer the systems go without synchronization, the higher the risk that a search, report, or offense returns an incorrect result. Time synchronization is critical to successful requests from managed hosts and appliances.

User Response

Contact Juniper Customer Support.

Cyclic Custom Rule Dependency Chain Detected

38750131 - Found custom rules cyclic dependency chain.

Explanation

A rule referred to itself, either directly or through a chain of other rules or building blocks. The error occurs when you deploy a full configuration. The rule set is not loaded.

User Response

Edit the rules that created the cyclic dependency. The rule chain must be broken to prevent a recurring system notification. After the rule chain is corrected, a save automatically reloads the rules and resolves the issue.
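To see what a cyclic dependency chain looks like and how to locate it before a deploy, here is an added example in Python; it is not JSA code and the rule names and references are constructed. It treats the rule set as a directed graph (each rule points at the rules and building blocks it references) and reports every chain that returns to its starting rule, including a rule that refers directly to itself.

```python
"""Added example, not JSA code: find cyclic dependency chains in a set of
custom rules and building blocks before the rule set is loaded."""

# Constructed rule set. Each entry maps a rule or building block to the rules
# and building blocks referenced in its tests.
RULES = {
    "BB:HostDefinition: Mail Servers": [],
    "Excessive Failed Logins": ["BB:HostDefinition: Mail Servers"],
    "Rule A": ["Rule B"],
    "Rule B": ["Rule C"],
    "Rule C": ["Rule A"],                  # closes the chain A -> B -> C -> A
    "Self Reference": ["Self Reference"],  # a rule that refers directly to itself
}


def find_cycles(rules):
    """Return every cyclic dependency chain as a list of names that starts and
    ends on the same rule. Depth-first search with three colours: a reference
    to a rule that is still on the current path (grey) closes a cycle."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in rules}
    cycles = []

    def visit(name, path):
        colour[name] = GREY
        path.append(name)
        for dep in rules.get(name, []):
            if dep not in rules:
                continue  # a dangling reference is a different problem, not a cycle
            if colour[dep] == GREY:
                cycles.append(path[path.index(dep):] + [dep])
            elif colour[dep] == WHITE:
                visit(dep, path)
        path.pop()
        colour[name] = BLACK

    for name in rules:
        if colour[name] == WHITE:
            visit(name, [])
    return cycles


def load_order(rules):
    """Return the rules in dependency-first order, or raise when the rule set
    contains a cycle (as the notification says, such a rule set is not loaded)."""
    cycles = find_cycles(rules)
    if cycles:
        raise ValueError("cyclic dependency chain: " + " -> ".join(cycles[0]))
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for dep in rules.get(name, []):
            if dep in rules:
                visit(dep)
        order.append(name)  # every dependency has been appended before this point

    for name in rules:
        visit(name)
    return order


if __name__ == "__main__":
    for chain in find_cycles(RULES):
        print("cycle:", " -> ".join(chain))
```

Breaking a chain means removing at least one reference from each reported cycle; after that `load_order` succeeds and yields an order in which every building block precedes the rules that use it.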

Blacklist Notification

38750136 - The Asset Reconciliation Exclusion rules added new asset data to the asset blacklists.

Explanation

A piece of asset data, such as an IP address, host name, or MAC address, shows behavior that is consistent with asset growth deviations.

An asset blacklist is a collection of asset data that is considered untrustworthy by the asset reconciliation exclusion custom engine rules. The rules monitor asset data for consistency and integrity. If a piece of asset data shows suspicious behavior twice or more within 2 hours, that piece of data is added to the asset blacklists. Subsequent updates that contain blacklisted asset data are not applied to the asset database.

User Response

  • In the notification description, click Asset Reconciliation Exclusion rules to see the rules that are used to monitor asset data.

  • In the notification description, click Asset deviations by log source to view the asset deviation reports that occurred in the last 24 hours.

  • If your blacklists are populating too aggressively, you can tune the asset reconciliation exclusion rules that populate them.

  • If you want the asset data to be added to the asset database, remove the asset data from the blacklist and add it to the corresponding asset whitelist. Adding asset data to the whitelist prevents it from inadvertently reappearing on the blacklist.

Asset Growth Deviations Detected

38750137 - The system detected asset profiles that exceed the normal size threshold.

Explanation

The system detected one or more asset profiles in the asset database that show deviating or abnormal growth. Deviating growth occurs when a single asset accumulates more IP addresses, DNS host names, NetBIOS names, or MAC addresses than the system thresholds allow. When growth deviations are detected, the system suspends all subsequent incoming updates to these asset profiles.

User Response

Determine the cause of the asset growth deviations:

  • Hover your mouse over the notification description to review the notification payload. The payload shows a list of the top five most frequently deviating assets. It also provides information about why the system marked each asset as a growth deviation and the number of times that the asset attempted to grow beyond the asset size threshold.

  • In the notification description, click Review a report of these assets to see a complete report of asset growth deviations over the last 24 hours.
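The two notifications above (asset blacklisting and asset growth deviations) describe one mechanism from two sides. The following added example, which is not JSA code, models it in Python so the interaction is visible: per-asset size thresholds, suspension of a profile once it tries to grow past them, the two-strikes-within-2-hours rule that moves a piece of asset data onto the blacklist, and the whitelist that takes it back off. The threshold values, window bookkeeping and sample updates are constructed; the page gives no threshold numbers.

```python
"""Added example, not JSA code: a small model of asset growth thresholds and of
the asset blacklist rule (suspicious behaviour twice or more within 2 hours)."""
from collections import defaultdict

# Assumed per-asset size thresholds; the page states none, so these are constructed.
THRESHOLDS = {"ip": 3, "hostname": 3, "mac": 3}
BLACKLIST_WINDOW = 2 * 60 * 60   # seconds: "twice or more within 2 hours"
BLACKLIST_STRIKES = 2


class AssetReconciler:
    def __init__(self):
        self.profiles = defaultdict(lambda: {k: set() for k in THRESHOLDS})
        self.suspended = set()              # assets whose updates are no longer applied
        self.deviations = defaultdict(int)  # asset -> attempts to grow past the threshold
        self.strikes = defaultdict(list)    # (kind, value) -> timestamps of suspicious behaviour
        self.blacklist = set()
        self.whitelist = set()

    def update(self, asset_id, kind, value, ts):
        """Apply one piece of asset data seen at time ts (seconds); return the outcome."""
        key = (kind, value)
        if key in self.blacklist:
            return "dropped:blacklisted"    # blacklisted data never reaches the database
        profile = self.profiles[asset_id]
        if value in profile[kind]:
            return "unchanged"
        if asset_id in self.suspended or len(profile[kind]) >= THRESHOLDS[kind]:
            self.suspended.add(asset_id)    # growth deviation: suspend further updates
            self.deviations[asset_id] += 1  # still counted, as the notification payload reports
            self._strike(key, ts)
            return "deviation"
        profile[kind].add(value)
        return "applied"

    def _strike(self, key, ts):
        if key in self.whitelist:
            return                          # whitelisted data cannot reappear on the blacklist
        recent = [t for t in self.strikes[key] if ts - t <= BLACKLIST_WINDOW]
        recent.append(ts)
        self.strikes[key] = recent
        if len(recent) >= BLACKLIST_STRIKES:
            self.blacklist.add(key)

    def whitelist_value(self, key):
        """Move a piece of asset data from the blacklist to the whitelist."""
        self.blacklist.discard(key)
        self.whitelist.add(key)

    def top_deviating(self, n=5):
        """The most frequently deviating assets, like the notification payload's top five."""
        return sorted(self.deviations.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def run_scenario():
    """Constructed sequence of updates that exercises each path; returns the outcomes."""
    r = AssetReconciler()
    out = {}
    for i in range(1, 4):                                   # fill host-1 up to the threshold
        r.update("host-1", "ip", f"10.0.0.{i}", ts=0)
    out["fourth_ip"] = r.update("host-1", "ip", "10.0.0.4", ts=10)   # deviation, host-1 suspended
    out["fifth_ip"] = r.update("host-1", "ip", "10.0.0.5", ts=20)    # counted while suspended
    for i in range(1, 4):
        r.update("host-2", "ip", f"10.0.1.{i}", ts=0)
    out["second_strike"] = r.update("host-2", "ip", "10.0.0.4", ts=3600)  # same value, within 2 h
    out["blacklisted"] = ("ip", "10.0.0.4") in r.blacklist
    out["after_blacklist"] = r.update("host-3", "ip", "10.0.0.4", ts=4000)
    out["late_strike"] = r.update("host-2", "ip", "10.0.0.5", ts=20 + 3 * 3600)  # outside window
    out["late_blacklisted"] = ("ip", "10.0.0.5") in r.blacklist
    r.whitelist_value(("ip", "10.0.0.4"))
    out["after_whitelist"] = r.update("host-3", "ip", "10.0.0.4", ts=5000)
    out["top"] = r.top_deviating()
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The scenario shows why tuning matters: a single IP address that appears on two over-threshold assets within the window is blacklisted for every asset, and only the whitelist brings it back.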

Expensive Custom Properties Found

38750138 - Performance degradation was detected in the event pipeline. Expensive custom properties were found.

Explanation

During normal processing, custom event and custom flow properties that are marked as optimized are extracted in the event pipeline. The values are used in the custom rules engine (CRE) and in search indexes.

Improperly formed regular expressions (regex statements) are expensive to evaluate and can cause events to be routed directly to storage without being parsed.

User Response

Select one of the following options:

  • Disable any custom property that was recently installed.

  • Review the payload of the notification. If possible, improve the regex statements that are associated with the custom property.

    For example, the following payload reports the regex pattern:

  • Modify the custom property definition to narrow the scope of categories that the property tries to match.

  • Specify a single event name in the custom property definition to prevent unnecessary attempts to parse the event.

  • Order your log source parsers from the log sources with the most sent events to the least and disable unused parsers.

Raid Controller Misconfiguration

38750140 - Raid Controller misconfiguration: Hardware Monitoring determined that a virtual drive is configured incorrectly.

Explanation

For maximum performance, the RAID controller cache and battery backup unit (BBU) must be configured to use the write-back cache policy. When the write-through cache policy is used, storage performance degrades and might cause system instability.

User Response

Review the health of the battery backup unit. If the battery backup unit is working correctly, change the cache policy to write-back.

An Error Occurred When the Log Files Were Collected

38750141 - Collecting the required support logs failed with errors. See System and License Manager.

Explanation

Errors were encountered while the log files were being collected. The log file collection failed.

User Response

To view information about why the collection failed, follow these steps:

  1. Click System and License Manager in the notification message.

  2. Expand System Support Activities Messages.

  3. View additional information about why the log file collection failed.

Expensive DSM Extensions were Found

38750143 - Performance degradation was detected in the event pipeline. Expensive DSM extensions were found.

Explanation

A log source extension is an XML file that includes all of the regular expression patterns that are required to identify and categorize events from the event payload. Log source extensions might be referred to as device extensions in error logs and some system notifications.

During normal processing, log source extensions run in the event pipeline. The values are immediately available to the custom rules engine (CRE) and are stored on disk.

Improperly formed regular expressions (regex) can cause events to be routed directly to storage.

User Response

Select one of the following options:

  • Disable any DSM extension that was recently installed.

  • Review the payload of the notification to determine which expensive DSM extension in the pipeline affects performance. If possible, improve the regex statements that are associated with the device extension.

    For example, the following payload reports that the pipeline is blocked by the Checkpoint DSM:

  • Ensure that the log source extension is applied only to the correct log sources.

    On the Admin tab, click System Configuration > Data Sources > Log Sources. Select each log source and click Edit to verify the log source details.

  • Order your log source parsers from the log sources with the most sent events to the least and disable unused parsers.

  • Verify that your Console is installed with the latest DSM versions.

  • If log sources are created for devices that aren’t in your environment, remove the log sources by using the following command:

    /opt/qradar/bin/tatoggle.pl

    If you have multiple event processors, copy the /opt/qradar/conf/TrafficAnalysisConfig.xml file to the /store/configservices/staging/globalconfig/ directory. On the Admin tab, click Deploy Full Configuration for all managed hosts to obtain the configuration file.
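Both the "Expensive Custom Properties Found" and the "Expensive DSM Extensions were Found" notifications come down to the same cause: a regular expression that backtracks heavily on payloads it does not match. The following added example, which is not JSA code, is a small harness that times candidate regexes over constructed sample payloads and ranks the ones that blow a time budget. The property names, patterns and payloads are constructed; the narrowed property also shows the "single event name" recommendation, since its regex is never run for other events.

```python
"""Added example, not JSA code: time custom-property / extension regexes over
sample payloads and flag the ones that dominate parsing time."""
import re
import time

# Constructed sample events as (event name, payload); not real JSA data.
SAMPLE_EVENTS = [
    ("Login Failure", "user=alice src=10.0.0.5 reason=bad password"),
    ("Login Failure", "user=bob src=10.0.0.9 reason=locked"),
    ("Firewall Deny", "proto=tcp src=10.0.0.7 dst=192.0.2.10 dpt=445"),
    # A payload a nested-quantifier regex backtracks exponentially on: a run of
    # word characters followed by a character the pattern can never match.
    ("Generic", "reason=" + "a" * 18 + "!"),
]

# Constructed property definitions. 'events' is the optional set of event names
# the property is restricted to; other events skip the regex entirely.
PROPERTIES = {
    # (\w+)* is a nested quantifier: on a near-miss payload it tries every way
    # of splitting the run of characters before it gives up.
    "reason_expensive": {"regex": r"reason=(\w+)*$", "events": None},
    # One token, no nesting, and only tried on the event it applies to.
    "reason_narrow": {"regex": r"reason=(\S+)", "events": {"Login Failure"}},
}


def measure(properties, events, repeats=3):
    """Run each property's regex over the events it applies to; return the total
    seconds spent per property and the values it extracted, keyed by payload."""
    report = {}
    for name, prop in properties.items():
        pattern = re.compile(prop["regex"])
        total, extracted = 0.0, {}
        for event_name, payload in events:
            if prop["events"] is not None and event_name not in prop["events"]:
                continue                      # the regex is never run for this event
            start = time.perf_counter()
            for _ in range(repeats):
                match = pattern.search(payload)
            total += time.perf_counter() - start
            if match:
                extracted[payload] = match.group(1)
        report[name] = {"seconds": total, "extracted": extracted}
    return report


def expensive_properties(report, budget_seconds):
    """Names of properties whose measured time exceeds the budget, worst first."""
    over = [(r["seconds"], n) for n, r in report.items() if r["seconds"] > budget_seconds]
    return [n for _, n in sorted(over, reverse=True)]


if __name__ == "__main__":
    rep = measure(PROPERTIES, SAMPLE_EVENTS)
    for name, r in rep.items():
        print(f"{name}: {r['seconds']:.4f}s, extracted {r['extracted']}")
    print("over budget:", expensive_properties(rep, budget_seconds=0.001))
```

Run against a sample of your own payloads (including ones the property is not expected to match, which is where backtracking bites), the ranking tells you which regex to rewrite first; the usual fix is the one shown by the narrow pattern: drop nested quantifiers, match one bounded token, and restrict the property to the event names it applies to.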