QRadar: License consumption and forwarding events with routing rules

According to the QRadar documentation, when you use the Forward option in a routing rule, the events are still processed by the Custom Rules Engine. This raises a question about license usage: do forwarded events consume your license? This article answers that question.


The answer is yes. If you use the Forward option only, the events are ingested in QRadar® and forwarded. The QRadar documentation says:
"Data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE)."
To only forward the events and keep them from being processed by the CRE, you need to use both the Forward and Drop options.
When you use both the Forward and Drop options, the internal QRadar logs show the license being consumed, but the system gives that license back in the next interval. For example:

Here we see that the license is taken:

Dec 23 12:39:19 ::ffff: <...> Incoming raw event rate (5s: 868.80 eps), 
(10s: 785.90 eps), (15s: 814.07 eps), (30s: 813.80 eps), (60s: 840.82 eps), 
(300s: 799.53 eps), (900s: 799.53 eps). Peak in the last 60s: 901.00 eps. Max 
Seen 938.00 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. 
Total EC Throttles: 8. Appliance Threshold: 5020.00

And here we can see that the system gives back this license:

Dec 23 12:33:09 ::ffff: <...> License giveback Event count (SensorDevices 
[60s: 106.57 eps]) (Events Dropped [60s: 735.13 eps]) (Events Log Only [60s: 0.00 eps]) 
(Total [60s: 841.70 eps])
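
To check these two messages in bulk rather than by eye, the following added example (not IBM code and not part of the original article) parses both line types and reports how much of the giveback comes from dropped events. The function names are hypothetical, and the regular expressions assume the message layout is exactly as in the two log lines shown above, rejoined onto single lines.

```python
import re

# The two log lines from the article, rejoined onto single lines.
RAW_RATE = ("Dec 23 12:39:19 ::ffff: <...> Incoming raw event rate (5s: 868.80 eps), "
            "(10s: 785.90 eps), (15s: 814.07 eps), (30s: 813.80 eps), (60s: 840.82 eps), "
            "(300s: 799.53 eps), (900s: 799.53 eps). Peak in the last 60s: 901.00 eps. "
            "Max Seen 938.00 eps. EC Throttles/5s (60s: 0.00). "
            "Total EC Throttles in the last 60s: 0. Total EC Throttles: 8. "
            "Appliance Threshold: 5020.00")
GIVEBACK = ("Dec 23 12:33:09 ::ffff: <...> License giveback Event count "
            "(SensorDevices [60s: 106.57 eps]) (Events Dropped [60s: 735.13 eps]) "
            "(Events Log Only [60s: 0.00 eps]) (Total [60s: 841.70 eps])")

# "(60s: 840.82 eps)" -> averaging window and rate; throttle counters lack "eps".
WINDOW = re.compile(r"\((\d+)s: ([\d.]+) eps\)")
# "(Events Dropped [60s: 735.13 eps])" -> bucket name, window, rate.
BUCKET = re.compile(r"\(([A-Za-z ]+?) \[(\d+)s: ([\d.]+) eps\]\)")

def parse_raw_rate(line):
    """Return {window_seconds: eps} for an 'Incoming raw event rate' message."""
    if "Incoming raw event rate" not in line:
        return None
    return {int(w): float(eps) for w, eps in WINDOW.findall(line)}

def parse_giveback(line):
    """Return {bucket_name: eps} for a 'License giveback Event count' message."""
    if "License giveback Event count" not in line:
        return None
    return {name: float(eps) for name, _window, eps in BUCKET.findall(line)}

def giveback_summary(line, tolerance=0.01):
    """Split Total from its buckets and check that the buckets add up to it."""
    buckets = parse_giveback(line)
    if not buckets or "Total" not in buckets:
        return None  # not a giveback line, or layout differs from the assumption
    total = buckets.pop("Total")
    dropped = buckets.get("Events Dropped", 0.0)
    return {
        "total": total,
        "buckets": buckets,
        "consistent": abs(sum(buckets.values()) - total) <= tolerance,
        "dropped_share": dropped / total if total else 0.0,
    }

if __name__ == "__main__":
    print(parse_raw_rate(RAW_RATE))
    print(giveback_summary(GIVEBACK))
```

On the article's sample, the three buckets add up to the Total value, and dropped events account for most of the giveback.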

