To increase the memory limit for the Carbon Black Cloud app to a higher value, perform the following procedure.
Procedure
- Find the application ID of the Carbon Black Cloud app. To do that, you must log in (by using ssh) to the QRadar console and run /opt/qradar/support/recon ps. The output can resemble the following:
App-ID  Name                          Managed Host ID  Workload ID  Service Name  Container Name  Port
1055    QRadar Assistant              53               apps         qapp-1055     -               0
1051    QRadar Log Source Management  53               apps         qapp-1051     -               0
1056    QRadar Use Case Manager       53               apps         qapp-1056     -               0
1057    VMware Carbon Black Cloud     53               apps         qapp-1057     -               0
The first column lists the App IDs. The second column lists the App names.
- Find the VMware Carbon Black Cloud row and copy the corresponding App ID.
- Open the following URL in your web browser:
https://QRADAR_CONSOLE_IP/api_doc#version=19.0&api=%2Fgui_app_framework%2Fapplications%2F%7Bapplication_id%7D&method=POST
- Replace QRADAR_CONSOLE_IP with the IP address of your QRadar console.
- Log in with an account that has administrator privileges. The resulting api_doc page should resemble the following:
- In the application_id input textbox in the Value column, input the Carbon Black Cloud app ID.
- In the memory input textbox, enter 500.
- Click Try it Out!.
The Carbon Black Cloud app will stop and then restart. This takes approximately a minute or two.
- To confirm that the memory limit has been successfully changed, open the following URL in your browser:
https://QRADAR_CONSOLE_IP/api_doc#version=19.0&api=%2Fgui_app_framework%2Fapplications%2F%7Bapplication_id%7D&method=GET
- In the application_id input textbox in the Value column, input the Carbon Black Cloud app ID.
- Click Try it Out!.
The Response Body section of the api_doc page should contain the following string:
"memory": 500,
Results
After the memory limit is increased and the Carbon Black Cloud app is restarted, it should forward all Carbon Black Cloud alerts and audit logs.
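The same procedure driven through the REST endpoint behind the api_doc page, as an added example that is not VMware's or IBM's code. It assumes an authorized service token sent in the SEC header, that memory is passed as a query parameter, and a CA bundle for the console certificate; the function names, the QRADAR_SEC_TOKEN variable and the sample data are constructed for illustration.

```python
import json
import os
import ssl
import sys
import urllib.request

# Constructed sample mirroring the `recon ps` output shown above.
SAMPLE_RECON_PS = """\
App-ID Name Managed Host ID Workload ID Service Name Container Name Port
1055 QRadar Assistant 53 apps qapp-1055 - 0
1057 VMware Carbon Black Cloud 53 apps qapp-1057 - 0
"""

def find_app_id(recon_output, app_name="VMware Carbon Black Cloud"):
    """Return the App-ID for app_name; names contain spaces, so trim the 5 trailing columns."""
    for line in recon_output.splitlines():
        tok = line.split()
        if len(tok) > 6 and tok[0].isdigit() and " ".join(tok[1:-5]) == app_name:
            return int(tok[0])
    raise LookupError(f"{app_name!r} not found in recon ps output")

def build_request(console, app_id, token, memory=None):
    """POST with ?memory=N changes the limit; GET (memory=None) reads it back."""
    url = f"https://{console}/api/gui_app_framework/applications/{int(app_id)}"
    if memory is not None:
        url += f"?memory={int(memory)}"
    # Assumption: token auth via the SEC header; Version matches the api_doc URL.
    headers = {"SEC": token, "Version": "19.0", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers,
                                  method="POST" if memory is not None else "GET")

def memory_values(doc):
    """Collect every "memory" value; the page does not show where the key is nested."""
    children = doc.values() if isinstance(doc, dict) else doc if isinstance(doc, list) else []
    own = [doc["memory"]] if isinstance(doc, dict) and "memory" in doc else []
    return own + [m for child in children for m in memory_values(child)]

def call(req, cafile=None):
    # Certificate verification stays on; pass the console's CA bundle if it is private.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    console, cafile = sys.argv[1:3]         # recon ps output is piped on stdin
    token = os.environ["QRADAR_SEC_TOKEN"]  # keeps the token out of the process list
    app_id = find_app_id(sys.stdin.read())
    call(build_request(console, app_id, token, memory=500), cafile)
    print(memory_values(call(build_request(console, app_id, token), cafile)))
```

Pipe the output of /opt/qradar/support/recon ps into the script and pass the console address and CA bundle path as arguments; the final line should print a list containing 500.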