
QRadar: Event Rate (EPS) graph may not reflect the entire event load on the system

Question & Answer


Question

How does the QRadar Event Rate (EPS) graph on the System Monitoring Dashboard derive its values?

Cause

QRadar reports event rates at various locations along its event pipeline. This can lead to confusion about the actual event load on the system and questions about licensing.


Answer


The 'Event Rate (EPS)' Dashboard Graph in QRadar

The QRadar Event Rate (EPS) graph on the System Monitoring Dashboard derives its values from StatFilter data. StatFilter is the last component of the ECS-EC portion of the event pipeline before data enters the processing phase (ECS-EP). Both routing rules and the licensing components act before the StatFilter values are calculated, so the values plotted in the Event Rate (EPS) graph do not include events that were dropped from the pipeline, for example by a routing rule. This is a common question from administrators who use routing rules to drop events: unwanted events that are purposefully dropped are not reflected in the default dashboard graph because of the data used to generate it.



Figure 1: To view the search results that a graph is based on, click View in Log Activity.


The Event Rate (EPS) graph is based on a search, which you can open by clicking the "View in Log Activity" link inside the widget. When you review the results of that search in the Log Activity tab, you will notice that it filters for QRadar System Notifications whose payloads contain the phrases "StatFilter" and "Events per second".


Figure 2: The search filters that make up graphed data in QRadar

Where do you find the StatFilter information in QRadar?

The QRadar System Notifications are in turn based on the qradar.log file in the /var/log/ directory on your QRadar appliances. To see the raw notifications, open an SSH session from the Console to the managed host and run the following command:
grep StatFilter /var/log/qradar.log


The keyword administrators can use to find the event rate notifications is StatFilter. Data from the StatFilter notifications is used to generate the graph shown in Figure 1 and Figure 2.

The result includes many lines of the following form:

Jun 12 16:03:09 ::ffff:127.0.0.1 [ecs-ec]
[type=com.q1labs.semsources.filters.stat.StatFilter][parent=Lab-primary.q1labs.lab:ecs-ec/EC/Processor2]]
com.q1labs.semsources.filters.stat.StatFilter: [INFO] [NOT:0000006000][172.16.xx.xx/- -] [-/- -]
Events per second: 1s:5094,5094 (peak 7423,7423) (compression: 0%) 5s:5040,5040 (peak 5507,5507)
(compression: 0%) 10s:5045,5045 (peak 5269,5269) (compression: 0%) 30s:5043,5043 (peak 5120,5120)
(compression: 0%) 60s:5034,5034 (peak 5079,5079) (compression: 0%) 
This is an example of a StatFilter message. A StatFilter message contains several statistics, each averaged over a different time range. To show the information more clearly, here is the same example formatted over multiple lines:
Events per second: 
1s: 5094,5094 (peak 7423,7423) (compression: 0%)
5s: 5040,5040 (peak 5507,5507) (compression: 0%) 
10s:5045,5045 (peak 5269,5269) (compression: 0%) 
30s:5043,5043 (peak 5120,5120) (compression: 0%) 
60s:5034,5034 (peak 5079,5079) (compression: 0%)
In each section of the message, information is displayed in the following order:
Time Period, Average Coalesced EPS, Average Raw EPS, Peak Coalesced EPS, Peak Raw EPS, Compression.
Components of StatFilter messages

Term                    Definition
Time Period             The time period that the information is calculated over.
Average Coalesced EPS   The average events per second, calculated after coalescing, over readings taken during the time period.
Average Raw EPS         The average events per second, calculated before coalescing, over readings taken during the time period.
Peak Coalesced EPS      The highest events per second seen during the time period, after coalescing.
Peak Raw EPS            The highest events per second seen during the time period, before coalescing.
Compression             QRadar events are compressed when stored on disk. This value is the size of the compressed events as a percentage of the original size.


Important: An enhancement was made to the regular expression used to parse StatFilter notifications as part of the Baseline Maintenance Extension for QRadar. Administrators on QRadar 7.2.6 and later should download and install the Baseline Maintenance Extension on their Console.

How to view raw event statistics

The event rate before licensing and forwarding can also be obtained by reviewing the SourceMonitor values in the same log file; they reflect the event rate at an earlier point in the event processing pipeline.

To see SourceMonitor values, use the command:

grep SourceMonitor /var/log/qradar.log


Note: The keyword administrators can use to view the log event rate notifications is SourceMonitor.
The output shows the full information for a SourceMonitor log event:

Jun 12 16:04:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress]
[SourceMonitor-4/ecs-ec-ingress.ecs-ec-ingress] com.q1labs.sem.monitors.SourceMonitor: [INFO]
[NOT:0000006000][127.0.xxx.xxx/- -] [-/- -]Incoming raw event rate (5s: 8422.00 eps), (10s: 8482.10
eps), (15s: 8458.13 eps), (30s: 8459.87 eps), (60s: 8514.48 eps), (300s: 8496.89 eps), (900s:
8496.89 eps). Peak in the last 60s: 8778.20 eps. Max Seen 8903.40 eps. EC Throttles/5s (60s: 10.00).
Total EC Throttles in the last 60s: 120. Total EC Throttles: 5442. Appliance Threshold: 5024.00  
This is an example of a SourceMonitor message. SourceMonitor messages can come from two stages in the event processing pipeline: before or after event coalescing. Both stages produce messages in the same format. You can distinguish which stage a message comes from by looking at this segment of the message:
Jun 12 16:04:42 ::ffff:172.16.xxx.xxx [ecs-ec.ecs-ec] ...
If this segment says ecs-ec-ingress.ecs-ec-ingress, the message is based on raw events.
If it says ecs-ec.ecs-ec, the message is based on normalized and coalesced events.
The following table describes the statistics that are displayed in a SourceMonitor message:

Statistic                            Definition
Incoming raw event rate              Incoming events per second, averaged over different time periods.
Peak in the last 60s                 Highest events per second measured in the last sixty seconds.
Max Seen                             Highest events per second measured since the process last started.
EC Throttles/5s                      Number of times the event collection process throttled incoming events over the last 5 seconds because of licensing limits or delays.
Total EC Throttles in the last 60s   Number of times the event collection process has had to throttle incoming events in the last minute.
Total EC Throttles                   Number of times the event collection process has had to throttle incoming events since it was last restarted.
Appliance Threshold                  EPS value at which event collection is throttled because of the license.


These examples are intended to contrast the two EPS statistics and to show that they give quite different values even though they were sampled less than 60 seconds apart. The SourceMonitor counter measures 8514.48 EPS (60-second average), while StatFilter reports an event rate of 5034 EPS for almost exactly the same period.
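As an added worked example (not part of this technote and not QRadar's own code), the following Python script parses StatFilter and SourceMonitor lines in the formats shown above, tells the two SourceMonitor stages apart from the component segment, and reports the 60-second gap between the raw ingest rate and the rate the Event Rate (EPS) graph is built from. The sample lines are constructed from the examples in this document with the same masked addresses; the third line is a made-up post-coalescing SourceMonitor message added only to exercise the stage check, and all function and tuple names are this example's own.

```python
import re
from collections import namedtuple
from typing import Iterable, List, Optional

# Constructed sample lines modelled on the examples in this technote; hosts and addresses
# are placeholders. The third line is a made-up post-coalescing SourceMonitor message,
# included only to show how the pipeline stage is told apart.
SAMPLE_LOG: List[str] = [
    "Jun 12 16:03:09 ::ffff:127.0.0.1 [ecs-ec] [type=com.q1labs.semsources.filters.stat.StatFilter]"
    "[parent=Lab-primary.q1labs.lab:ecs-ec/EC/Processor2]] com.q1labs.semsources.filters.stat.StatFilter: "
    "[INFO] [NOT:0000006000][172.16.xx.xx/- -] [-/- -] Events per second: 1s:5094,5094 (peak 7423,7423) "
    "(compression: 0%) 5s:5040,5040 (peak 5507,5507) (compression: 0%) 10s:5045,5045 (peak 5269,5269) "
    "(compression: 0%) 30s:5043,5043 (peak 5120,5120) (compression: 0%) 60s:5034,5034 (peak 5079,5079) (compression: 0%)",
    "Jun 12 16:04:42 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [SourceMonitor-4/ecs-ec-ingress.ecs-ec-ingress] "
    "com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][127.0.xxx.xxx/- -] [-/- -]Incoming raw event rate "
    "(5s: 8422.00 eps), (10s: 8482.10 eps), (15s: 8458.13 eps), (30s: 8459.87 eps), (60s: 8514.48 eps), "
    "(300s: 8496.89 eps), (900s: 8496.89 eps). Peak in the last 60s: 8778.20 eps. Max Seen 8903.40 eps. "
    "EC Throttles/5s (60s: 10.00). Total EC Throttles in the last 60s: 120. Total EC Throttles: 5442. Appliance Threshold: 5024.00",
    "Jun 12 16:04:43 ::ffff:127.0.0.1 [ecs-ec.ecs-ec] [SourceMonitor-2/ecs-ec.ecs-ec] com.q1labs.sem.monitors.SourceMonitor: "
    "[INFO] [NOT:0000006000][127.0.xxx.xxx/- -] [-/- -]Incoming raw event rate (5s: 5030.00 eps), (60s: 5035.50 eps). "
    "Peak in the last 60s: 5080.00 eps. Max Seen 5100.00 eps. EC Throttles/5s (60s: 0.00). "
    "Total EC Throttles in the last 60s: 0. Total EC Throttles: 0. Appliance Threshold: 5024.00",
]

TIMESTAMP_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)")
# One StatFilter window: "<period>s:<avg coalesced>,<avg raw> (peak <coalesced>,<raw>) (compression: <n>%)"
SF_WINDOW_RE = re.compile(r"(\d+)s:\s*(\d+),(\d+)\s*\(peak\s+(\d+),(\d+)\)\s*\(compression:\s*(\d+)%\)")
SM_STAGE_RE = re.compile(r"\[(ecs-ec-ingress\.ecs-ec-ingress|ecs-ec\.ecs-ec)\]")
SM_RATE_RE = re.compile(r"\((\d+)s:\s*([\d.]+)\s*eps\)")  # needs "eps", so "(60s: 10.00)" throttle count is skipped
SM_FIELDS = {  # scalar fields at the end of a SourceMonitor message, with the type to cast them to
    "peak_60s": (re.compile(r"Peak in the last 60s:\s*([\d.]+)\s*eps"), float),
    "max_seen": (re.compile(r"Max Seen\s*([\d.]+)\s*eps"), float),
    "throttles_60s": (re.compile(r"Total EC Throttles in the last 60s:\s*(\d+)"), int),
    "throttles_total": (re.compile(r"Total EC Throttles:\s*(\d+)"), int),
    "appliance_threshold": (re.compile(r"Appliance Threshold:\s*([\d.]+)"), float),
}

# Field order follows the technote: coalesced average, raw average, coalesced peak, raw peak, compression.
StatFilterWindow = namedtuple("StatFilterWindow", "avg_coalesced avg_raw peak_coalesced peak_raw compression_pct")
StatFilterStats = namedtuple("StatFilterStats", "timestamp windows")  # windows: {period_seconds: StatFilterWindow}
SourceMonitorStats = namedtuple("SourceMonitorStats",
    "timestamp stage rates peak_60s max_seen throttles_60s throttles_total appliance_threshold")


def parse_statfilter(line: str) -> Optional[StatFilterStats]:
    """Parse one StatFilter 'Events per second' line; None if the line is something else."""
    if "StatFilter" not in line or "Events per second" not in line:
        return None
    windows = {int(p): StatFilterWindow(int(ac), int(ar), int(pc), int(pr), int(c))
               for p, ac, ar, pc, pr, c in SF_WINDOW_RE.findall(line)}
    if not windows:
        return None
    ts = TIMESTAMP_RE.match(line)
    return StatFilterStats(ts.group(1) if ts else "", windows)


def parse_sourcemonitor(line: str) -> Optional[SourceMonitorStats]:
    """Parse one SourceMonitor 'Incoming raw event rate' line; None if it is not one or is truncated."""
    if "SourceMonitor" not in line or "Incoming raw event rate" not in line:
        return None
    stage_m = SM_STAGE_RE.search(line)
    stage = "raw" if stage_m and stage_m.group(1).startswith("ecs-ec-ingress") else "coalesced"
    fields = {}
    for name, (rx, cast) in SM_FIELDS.items():
        m = rx.search(line)
        if m is None:
            return None  # unexpected format: do not report partial numbers
        fields[name] = cast(m.group(1))
    ts = TIMESTAMP_RE.match(line)
    rates = {int(p): float(v) for p, v in SM_RATE_RE.findall(line)}
    return SourceMonitorStats(ts.group(1) if ts else "", stage, rates, **fields)


def explain_gap(sf: StatFilterStats, sm: SourceMonitorStats, window: int = 60) -> dict:
    """Compare what the dashboard graph plots (StatFilter) with what arrived at ingress (raw SourceMonitor)."""
    graph_eps = sf.windows[window].avg_coalesced
    ingress_eps = sm.rates[window]
    return {
        "graph_eps": graph_eps,              # value the Event Rate (EPS) graph is built from
        "ingress_eps": ingress_eps,          # rate before licensing, routing rules and coalescing
        "hidden_eps": round(ingress_eps - graph_eps, 2),
        "over_threshold": ingress_eps > sm.appliance_threshold,
        "throttled_last_60s": sm.throttles_60s > 0,
    }


def summarize(lines: Iterable[str]) -> Optional[dict]:
    """Scan qradar.log text and explain the gap using the latest StatFilter and raw-stage SourceMonitor lines."""
    latest_sf = latest_raw_sm = None
    for line in lines:
        sf = parse_statfilter(line)
        if sf is not None:
            latest_sf = sf
            continue
        sm = parse_sourcemonitor(line)
        if sm is not None and sm.stage == "raw":  # ecs-ec.ecs-ec lines are post-coalescing, not the raw load
            latest_raw_sm = sm
    if latest_sf is None or latest_raw_sm is None:
        return None
    return explain_gap(latest_sf, latest_raw_sm)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it over a live log, replace SAMPLE_LOG in the last line with open("/var/log/qradar.log"). The summary pairs the most recent StatFilter line with the most recent ingress-stage SourceMonitor line rather than aligning timestamps, which is enough to see whether the ingress rate sits above the Appliance Threshold and throttling is active while the graphed value stays below it.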

Events received in excess of the license rate are buffered and processed at the license rate, as explained in Technote QRadar: Event and Flow Burst Handling (Buffer). When the actual event load exceeds your license capacity, other notifications indicate this, but the Event Rate (EPS) graph, which is based on the StatFilter data, will not reflect it. Furthermore, if you have routing rules that drop certain types of events, the value reported by StatFilter may be even lower than your license limit. This can lead to situations where you receive notifications indicating that you are above your license rate even though the EPS graph shows values at or below the license rate.

License giveback is explained in Technote QRadar: License EPS rates and giveback.


Document Information

Modified date:
12 August 2024

UID

swg21984283