I am using REST API polling to handle a high volume of alerts, and QRadar suddenly stopped receiving any alerts or audit logs.
Under high load (a high number of alerts and audit logs per minute), the Carbon Black Cloud app can stop forwarding messages to QRadar because it reaches its memory limit, which causes the app to restart.
The default memory limit for the Carbon Black Cloud app is set to 500MB. We highly recommend using the Data Forwarder instead of REST API polling as your data ingestion mechanism, because the Data Forwarder is scalable and capable of handling high loads. If you are using data polling instead, it is possible that on some occasions under high load no new Carbon Black Cloud alerts are fed into QRadar. The application logs might indicate application restarts. Check poll.log to see whether it shows continuous service restarts (the "Starting poller" line repeating every few seconds instead of appearing once).
For example:

```text
2023-06-12 13:12:16 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
2023-06-12 13:12:18 INFO Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4
2023-06-12 13:12:18 INFO Log Source Identifier to be used localhost
2023-06-12 13:12:20 INFO Sending 2500 Audit Log Events.
2023-06-12 13:12:31 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
2023-06-12 13:12:31 INFO Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4
2023-06-12 13:12:31 INFO Log Source Identifier to be used localhost
2023-06-12 13:12:32 INFO Sending 2500 Audit Log Events.
2023-06-12 13:12:43 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
```
If you have root access to the QRadar console (or to the Apphost if the app runs on a dedicated Apphost), run the ``dmesg`` command (as root) to inspect the kernel log for OOM kills.
For example:

```text
slab_out_of_memory: 72 callbacks suppressed
SLUB: Unable to allocate memory on node -1, gfp=0xdc0(GFP_KERNEL|__GFP_ZERO)
cache: signal_cache(632851:3a166877f91031145f6dc491df3c915c57f1439f4b3bcea4c6a37d1885ea27ea), object size: 1056, buffer size: 1088, default order: 3, min order: 0
node 0: slabs: 31, objs: 930, free: 0
oom_kill_process: 70 callbacks suppressed
python invoked oom-killer: gfp_mask=0x0(), order=0, oom_score_adj=0
CPU: 25 PID: 3143648 Comm: python Not tainted 5.4.0-29-generic
```
In this case, you might need to increase the memory limit for the Carbon Black Cloud app to a higher value (above 300MB, 500MB recommended).
To increase the memory limit, see Increase the Carbon Black Cloud App Memory Limit for IBM QRadar.
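The two checks above (repeated poller starts in poll.log, and OOM-killer entries in the kernel log) can be scripted so that an operator can confirm a restart loop without reading the logs by hand. The script below is an added example, not part of the Carbon Black Cloud app or of IBM QRadar; its sample input is the poll.log and dmesg excerpts shown above, and the function names and the 300-second restart-gap threshold are assumptions chosen for the illustration.

```python
import re
from datetime import datetime

# Sample input: the poll.log excerpt from this article (two poller starts 13 s apart).
POLL_LOG = """\
2023-06-12 13:12:16 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
2023-06-12 13:12:18 INFO Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4
2023-06-12 13:12:18 INFO Log Source Identifier to be used localhost
2023-06-12 13:12:20 INFO Sending 2500 Audit Log Events.
2023-06-12 13:12:31 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
2023-06-12 13:12:31 INFO Starting poller in production mode - syslog output to QRadar console at IP address 1.2.3.4
2023-06-12 13:12:31 INFO Log Source Identifier to be used localhost
2023-06-12 13:12:32 INFO Sending 2500 Audit Log Events.
2023-06-12 13:12:43 INFO Recreating SyslogOutput to use custom ip: 1.2.3.4
"""

# Sample input: the dmesg excerpt from this article (python task triggered the OOM killer).
DMESG = """\
slab_out_of_memory: 72 callbacks suppressed
SLUB: Unable to allocate memory on node -1, gfp=0xdc0(GFP_KERNEL|__GFP_ZERO)
cache: signal_cache(632851:3a166877f91031145f6dc491df3c915c57f1439f4b3bcea4c6a37d1885ea27ea), object size: 1056, buffer size: 1088, default order: 3, min order: 0
node 0: slabs: 31, objs: 930, free: 0
oom_kill_process: 70 callbacks suppressed
python invoked oom-killer: gfp_mask=0x0(), order=0, oom_score_adj=0
CPU: 25 PID: 3143648 Comm: python Not tainted 5.4.0-29-generic
"""

POLL_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
START_MARKER = "Starting poller"          # logged once per (re)start of the poller
OOM_INVOKED = re.compile(r"^(\S+) invoked oom-killer")
OOM_TASK = re.compile(r"PID: (\d+) Comm: (\S+)")
OOM_KILLED = re.compile(r"Killed process (\d+) \((\S+)\)")   # present in full dmesg output


def poller_starts(lines):
    """Return the timestamp of every 'Starting poller' entry in poll.log, in file order."""
    starts = []
    for line in lines:
        m = POLL_LINE.match(line.strip())
        if m and START_MARKER in m.group(3):
            starts.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return starts


def restart_loop_detected(lines, max_gap_seconds=300):
    """True when two consecutive poller starts are at most max_gap_seconds apart.

    A healthy app starts its poller once; starts repeating within minutes of each
    other are the restart pattern this article describes. The threshold is an assumption.
    """
    starts = poller_starts(lines)
    return any((b - a).total_seconds() <= max_gap_seconds
               for a, b in zip(starts, starts[1:]))


def oom_events(dmesg_lines):
    """Extract OOM-killer events from dmesg output.

    Each event records the task that invoked the OOM killer (the 'X invoked oom-killer'
    line and the 'PID: n Comm: name' line of its stack dump) and, when the full dmesg
    output includes it, the task the kernel actually killed. The invoker is not
    necessarily the victim, so both are kept.
    """
    events, current = [], None
    for line in dmesg_lines:
        line = line.strip()
        m = OOM_INVOKED.match(line)
        if m:
            current = {"invoker": m.group(1), "pid": None, "comm": None, "killed": None}
            events.append(current)
            continue
        if current is None:
            continue
        m = OOM_TASK.search(line)
        if m and current["pid"] is None:
            current["pid"], current["comm"] = int(m.group(1)), m.group(2)
            continue
        m = OOM_KILLED.search(line)
        if m:
            current["killed"] = (int(m.group(1)), m.group(2))
            current = None
    return events


def diagnose(poll_lines, dmesg_lines):
    """Combine both checks into the verdict an operator wants: is the app restart-looping,
    and did the kernel OOM-kill a python task (the app's runtime) while it did so?"""
    return {
        "poller_starts": len(poller_starts(poll_lines)),
        "restart_loop": restart_loop_detected(poll_lines),
        "python_oom": any(e["invoker"] == "python" or e["comm"] == "python"
                          for e in oom_events(dmesg_lines)),
    }


if __name__ == "__main__":
    print(diagnose(POLL_LOG.splitlines(), DMESG.splitlines()))
```

Run it against the real files with `python3 check_restarts.py` after replacing the embedded samples with `open("poll.log")` and the output of `dmesg` (root is needed for the latter). A `restart_loop` of True together with `python_oom` True is the combination that points at the memory limit rather than at a network or credential problem.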