Monitoring license usage in multitenant deployments
As the Managed Security Service Provider (MSSP) administrator, you monitor the event and flow rates across the entire IBM® QRadar® deployment.
When you create a tenant, you can set limits for both events per second (EPS) and flows per minute (FPM). By setting EPS and FPM limits for each tenant, you can better manage license capacities across multiple clients. If you have a processor that is collecting events or flows for a single customer, you do not need to assign tenant EPS and FPM limits. If you have a single processor that collects events or flows for multiple customers, you can set EPS and FPM limits for each tenant.
If you set the EPS and FPM limits to values that exceed the limits of either your software licenses or the appliance hardware, the system automatically throttles the events and flows for that tenant to ensure that the limits are not exceeded. If you do not set EPS and FPM limits for tenants, each tenant receives events and flows until either the license limits or the appliance limits are reached. The licensing limits are applied to the managed host. If you regularly exceed the license limitations, you can get a different license that is more suitable for your deployment.
Viewing the cumulative license limits in your deployment
- On the navigation menu, click Admin to open the admin tab.
- In the System Configuration section, click System and License Management.
- Expand Deployment Details and hover your mouse pointer over Event Limit or Flow Limit.
Viewing EPS rates per log source
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates for log sources.
- On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
- To view the EPS per log source, type the following AQL query in the Advanced Search field:
select logsourcename(logsourceid) as LogSource, sum(eventcount) / (24*60*60) as EPS from events group by logsourceid order by EPS desc last 24 hours
Viewing EPS rates per domain
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates for domains.
- On the Log Activity tab, select Advanced Search from the drop-down list box on the Search toolbar.
- To view the EPS per domain, type the following AQL query in the Advanced Search field:
select DOMAINNAME(domainid) as LogSource, sum(eventcount) / (24*60*60) as EPS from events group by domainid order by EPS desc last 24 hours
If you want to view average EPS rates for log sources only, click Log Sources in the Data Sources pane on the Admin tab. You can use this to quickly identify configuration issues with log sources that are failing to report.
Viewing individual license limits in your deployment
The EPS and FPM rates that you set for each tenant are not automatically validated against your license entitlements. To see the individual limits for the software licenses that are applied to the system as compared to the appliance hardware limits, do these steps:
- On the navigation menu, click Admin to open the admin tab.
- In the System Configuration section, click System and License Management.
- Expand Deployment Details and hover your mouse over Event Limit or Flow Limit.
Viewing the EPS rate for an individual log source
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate for an individual log source.
- On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
- To get a log source ID, type the following AQL query in the Advanced Search field:
select domainid,logsourceid,LOGSOURCENAME(logsourceid) from events GROUP BY domainid,logsourceid order by domainid ASC last 1 HOURS
- To view the EPS rate for your selected log source, type the following AQL query in the Advanced Search field, replacing <logsourceid> with the log source ID that you got in the previous step:
select logsourcename(logsourceid) as LogSource, sum(eventcount) / (24*60*60) as EPS from events where logsourceid=<logsourceid> group by logsourceid order by EPS desc last 24 hours
Viewing the EPS rate for an individual domain
Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate for an individual domain.
- On the Log Activity tab, select Advanced Search from the list on the Search toolbar.
- To get a domain ID, type the following AQL query in the Advanced Search field:
select domainid, DOMAINNAME(domainid) from events GROUP BY domainid last 1 HOURS
- To view the EPS rate for your selected domain, type the following AQL query in the Advanced Search field, replacing <domainid> with the domain ID that you got in the previous step:
select DOMAINNAME(domainid) as LogSource, sum(eventcount) / (24*60*60) as EPS from events where domainid=<domainid> group by domainid order by EPS desc last 24 hours
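The per-domain queries above divide a total by the length of the search window, so a short burst is smoothed into the average. The following added example (not IBM code) compares both the window average and the busiest-minute rate for each domain against per-tenant EPS limits. The row layout, tenant names, and limit values are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (domain name, minute bucket, events counted in that minute).
SAMPLE_ROWS = [
    ("TenantA", "10:00", 3000), ("TenantA", "10:01", 48000), ("TenantA", "10:02", 3000),
    ("TenantB", "10:00", 12000), ("TenantB", "10:01", 12600), ("TenantB", "10:02", 11400),
    ("TenantC", "10:00", 600),
]
# Hypothetical per-tenant EPS limits; TenantC has no limit configured.
TENANT_EPS_LIMITS = {"TenantA": 500, "TenantB": 240}


def eps_report(rows, limits, window_seconds, bucket_seconds=60, warn_ratio=0.8):
    """Return per-domain average EPS, busiest-bucket EPS, limit, and a status."""
    counts = defaultdict(list)
    for domain, _bucket, events in rows:
        counts[domain].append(events)
    report = {}
    for domain, per_bucket in counts.items():
        # Same formula as the page's queries: total events / seconds in the window.
        avg_eps = sum(per_bucket) / window_seconds
        # Rate during the busiest bucket, which the window average hides.
        peak_eps = max(per_bucket) / bucket_seconds
        limit = limits.get(domain)
        if limit is None:
            status = "no-limit-set"        # bounded only by license or appliance limits
        elif peak_eps > limit:
            status = "peak-exceeds-limit"  # bursts above the tenant limit
        elif avg_eps >= warn_ratio * limit:
            status = "near-limit"
        else:
            status = "ok"
        report[domain] = {"avg_eps": avg_eps, "peak_eps": peak_eps,
                          "limit": limit, "status": status}
    return report


if __name__ == "__main__":
    result = eps_report(SAMPLE_ROWS, TENANT_EPS_LIMITS, window_seconds=180)
    for domain, row in sorted(result.items()):
        print(f"{domain}: avg {row['avg_eps']:.1f} EPS, peak {row['peak_eps']:.1f} EPS, "
              f"limit {row['limit']}, {row['status']}")
```

In the sample, TenantA averages 300 EPS against a limit of 500 yet reaches 800 EPS in its busiest minute, which the averaged query alone would not show.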