QRadar maximum EPS certification methodology
IBM QRadar® appliances are certified to support a certain maximum events per second (EPS) rate. Maximum EPS depends on the type of data that is processed, system configuration, and system load.
Deployments that significantly deviate from the test parameters that are described in this document might not be able to support the certified rates. The maximum certified EPS rate is absolute. If the load on your system is lighter than the QRadar maximum EPS certification load, the EPS maximum rate for your deployment won't increase.
The following information describes the test parameters used to determine the maximum EPS rates of QRadar hosts to help you set expectations and plan future QRadar deployments with an appropriate EPS goal in mind.
- Event Traffic
- Unique log sources - 50,000
- Unique log source types - 17
- Unique source IP addresses 250,000
- Unique destination IP addresses - 250,000
- Unique username - 300,000
- Coalescing ratio - 15%
- Average raw event size - 382 B
- Traffic composition specifics: Percentage of the total contribution of data for each device type
out of the total dataset. For example, the Microsoft Windows Security events represent 25% of the
total dataset used in testing.
- Microsoft Windows Security - 25%
- Linux® OS - 25%
- Cisco IOS - 15%
- Cisco ASA - 10%
- Linux DHCP - 5%
- Aruba Mobility controller - 5%
- Blue Coat SG Appliance - 3%
- McAfee Web Gateway - 3%
- Apache HTTP Server - 1%
- CheckPoint - 1%
- Cisco IronPort - 1%
- F5 Networks FirePass - 1%
- FireEyeMPS - 1%
- IBM® Security Network ProtectionXGS - 1%
- Palo Alto PA Series - 1%
- Symantec Endpoint Protection - 1%
- Websense V Series - 1%
- System configuration
- Network Hierarchy - 1000 objects
- Custom properties - 350
- Custom Rules and Building Blocks - 451
- Indexes - 20
- Artifacts created as a result of data processing
- Offenses - 3000
- Assets - 365,000
- Reference Data - 11 data structures, 100,000 elements in total
- User load
- Up to 16 concurrent searches