IBM Support

QRadar: How to measure the EPS rate of a Microsoft Windows host

Question & Answer


Question

What tools can be used to determine the events per second (EPS) rate of Microsoft Windows systems that send data to QRadar?

Cause

When a WinCollect host is set up, Windows does not include a tool that reports the EPS rate to expect from that host. Administrators can use the EventLogReport utility to measure the rate and receive tuning advice for each Windows host in their network.

NOTICE: The IBM Security GitHub page contains educational example scripts. IBM does not officially maintain, support, or warrant these utilities; they are educational tools and examples. Administrators can report issues directly to the tool author through the Issues tab of the GitHub page. IBM makes no guarantee or commitment that updates are made to resolve issues, or when. For a full set of instructions on how to use the PowerShell script, see the WinCollect GitHub repository: https://github.com/ibm-security-intelligence/wincollect. IBM encourages administrators to examine all GitHub utilities or scripts before running them in a production environment. It is the responsibility of network administrators to test these tools in a lab environment before using them in a production network.

Answer

The EventLogReport PowerShell script allows administrators to create EPS reports for local or remote Windows systems by reading the Windows event logs (the same data shown in Event Viewer). Based on the measured EPS rate, the script advises the administrator on the best method of event collection.

  • This script requires PowerShell V3.0 or V4.0. For more information, see: Windows PowerShell Documentation.
  • PowerShell must be run as a local administrator, and users must run Set-ExecutionPolicy RemoteSigned before the EventLogReport utility can be executed.
  • To use option 3 for domain scans, the PowerShell domain (Active Directory) cmdlets must be installed.
  • This script can be run on any host running Microsoft Windows XP or later.
  • Remote EPS data collection uses WMI to read the Windows Event Log of the remote host. If network firewalls sit between the Windows hosts, the standard WMI ports might need to be opened to prevent connection error messages.
  • QRadar Support does not take cases on the EventLogReport utility. Any issue must be reported through the GitHub issue tracker or directed to the WinCollect forums: https://ibm.biz/qradarforums.
  • For information on tuning WinCollect, see: WinCollect: Let's Talk About Log Source Event Rates & Tuning Profiles.
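The following script is an added example of the measurement the EventLogReport utility performs; it is not IBM's script and is not taken from the WinCollect repository. It counts the records written to the Security, System, and Application logs of one or more hosts over a recent window and reports both the average EPS and the EPS of the busiest minute, because a tuning profile chosen on the average alone misses logon storms and Group Policy refreshes. It assumes (these are assumptions, not statements from this page) that the caller can read the logs (local administrator or a member of Event Log Readers) and that remote hosts accept Windows Event Log remoting over RPC; unlike the EventLogReport utility, it uses Get-WinEvent rather than WMI, but both paths require TCP 135 and the dynamic RPC range through any intervening firewall.

```powershell
# Added example, not IBM's EventLogReport script. Estimates average and peak EPS for one or
# more Windows hosts by counting event log records written in a recent time window.
# Assumptions: the caller can read the logs (local administrator or Event Log Readers), and
# remote hosts accept Event Log RPC connections (TCP 135 plus the dynamic RPC range).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$LogName      = @('Security', 'System', 'Application'),
    [int]$WindowMinutes     = 15
)

function Measure-HostEps {
    param([string]$Computer, [string[]]$Logs, [datetime]$Start, [datetime]$End)

    $seconds  = ($End - $Start).TotalSeconds
    $result   = [ordered]@{ Computer = $Computer; WindowStart = $Start; WindowEnd = $End }
    $allTimes = New-Object System.Collections.Generic.List[datetime]
    $total    = 0

    foreach ($log in $Logs) {
        try {
            # The hashtable filter is evaluated by the Event Log service on the target, so
            # only records inside the window cross the wire. -ErrorAction Stop turns the
            # "No events were found" condition into a catchable error instead of red output.
            $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
                LogName   = $log
                StartTime = $Start
                EndTime   = $End
            } -ErrorAction Stop
        } catch {
            # Empty log in the window, access denied, or RPC unreachable: record 0 and go on.
            Write-Warning ("{0}/{1}: {2}" -f $Computer, $log, $_.Exception.Message)
            $events = @()
        }
        $count = @($events).Count
        $result[$log] = $count
        $total += $count
        foreach ($e in $events) { $allTimes.Add($e.TimeCreated) }
    }

    # Peak: the busiest single minute across all selected logs.
    $peakPerMinute = 0
    if ($allTimes.Count -gt 0) {
        $peakPerMinute = ($allTimes |
            Group-Object { $_.ToString('yyyy-MM-dd HH:mm') } |
            Measure-Object -Property Count -Maximum).Maximum
    }

    $result['TotalEvents'] = $total
    $result['AverageEps']  = [math]::Round($total / $seconds, 2)
    $result['PeakEps']     = [math]::Round($peakPerMinute / 60, 2)
    [pscustomobject]$result
}

$end   = Get-Date
$start = $end.AddMinutes(-$WindowMinutes)

$ComputerName |
    ForEach-Object { Measure-HostEps -Computer $_ -Logs $LogName -Start $start -End $end } |
    Format-Table -AutoSize
```

Save the script and run it from an elevated PowerShell session with the RemoteSigned execution policy described above, for example `.\Measure-Eps.ps1 -ComputerName dc01,fs02 -WindowMinutes 30`. A warning reading "The RPC server is unavailable" on a remote host indicates the firewall problem noted in the list above; confirm reachability of TCP 135 with Test-NetConnection before investigating anything else. Compare the PeakEps column, not only AverageEps, against the rates in the WinCollect tuning profile documentation.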



Document Information

Modified date:
25 July 2022

UID

swg21993316