IBM Support

QRadar: License EPS rates and giveback

Question & Answer


How are events generated by QRadar counted against your license?


Events that contribute to your QRadar license

Not all device support modules (DSMs) that parse events count against your EPS license. QRadar includes a number of Internal DSMs used by processes or reporting data from managed hosts. When an event is received and parsed by an Internal DSM, the event count is credited back to the license by using a feature called license give back.

License give back can occur in two scenarios:

  1. An event is dropped by using a routing rule. Since event routing occurs after the license check in QRadar, when you drop an event, license give back is applied to the appliance that dropped the event.
  2. An event was received by QRadar for an internal log source type. Internal log sources for QRadar have license give back built in by default and do not require a routing rule to receive license back. The following log source types are considered internal:
    • System Notifications
    • Custom Rule Engine (CRE)
    • Audit
    • Anomaly Detection Engine
    • Asset Profiler
    • Results from scheduled searches
    • Health Metrics
    • Sense DSM
    • QRadar Risk Manager Policies, Simulations, and internal logging
    • WinCollect Internal Status DSM messages

As of QRadar 7.4.0, the only way to give back the license for a valid event is to parse and identify it first because we cannot determine whether an event is internal until it is already counted against the EPS license. As a result, in the moment ecs-ec-ingress and ecs-ec starts, there is a brief period where the event rate might be higher than the license rate, especially if the console's EPS limit is set to value that is low. 

EPS giveback for internal log sources happens on half-second basis. However, if you set the EPS threshold for the appliance to be low, it takes a considerable amount of time before we provide all EPS give back to account for the amount of EPS we received from the listed internal log sources.

License give back calculation

In QRadar 7.3.1 and later, license give back credits 100% of all dropped events back to the license up to the maximum Events Per Second of the Appliance itself. With license give back, an unlimited number of logs can be dropped without counting against your Events Per Second (EPS) license.

All dropped events are added back into the existing license capacity. The remaining carry through the pipeline and are evaluated as normal. Although you can exceed the license based on how many events you drop on 1-second intervals, you cannot exceed the rated EPS capacity of the hardware. In qradar.log, you can still see the EPS threshold value allocated to the system through the EPS give back. 

The general give back formula is:
Licensed EPS + dropped EPS = EPS rate for the next one second.

For example:

  • If you have a licensed and steady event rate of 1,000 EPS and you decide to drop 500 EPS.
  • On the next one second interval, your license capacity is adjusted to be 1,500 EPS.
  • In the next 1,500 EPS cycle, you get more events that match your drop filter. The system drops 800 matching events. This give back is added on top of your existing 1,000 EPS license and in your next one second interval, you have an 1,800 EPS license.
  • On the next interval you drop 1,000 EPS for events that match your filter, then in the next second you have a 2,000 EPS license for the incoming events.

When you are receiving notifications about dropping raw events, which occur at the ingress level of the pipeline, you need to make sure they are not false positives. If you are really dropping events, then the notifications report how many raw events were dropped at the current interval. For example: 

  • False positive: We detected that you are going over EPS threshold, but after applying the EPS give back, we see that you are within the limit. However, you still receive the following warning:

    Apr 8 03:03:16 [ecs-ec-ingress.ecs-ec-ingress] [WARN][H.H.H.H/- -] [-/- -]The system is currently experiencing a spike in event rate exceeding the system's limits. If this spike is sustained, events will be dropped. On-disk queue stats: Event count=67435 Utilization=0%
  • Non-False Positive: We dropped raw events despite applying the EPS give back, which means you are sending more events to the system than the EPS threshold. Consider decreasing the incoming raw event rate or increase the EPS license threshold.

    Apr 3 12:36:33::ffff:H.H.H.H [ecs-ec-ingress.ecs-ec-ingress] [592c8635-a387-475a-86b6-373fe888544a/SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0060005100][H.H.H.H/- -] [-/- -]A total of 4418640 dropped raw event(s) have been detected. 96807 raw event(s) have been dropped in the last 60 seconds. License restrictions have been applied 60 times in the last 60 seconds. The average event rate in the last 60 seconds was 16653.08 eps (with a peak of 19050.60 eps), and within that time has exceeded the threshold of 15060.00 eps 12 times.

Routing Rule and License giveback information

The following message is reflecting the actions taken by your Routing Rules.

ForwardingFilter is reflecting the following informations since last ecs-ec service restart:

  • Total number of events seen.
  • Total number of events dropped by your Routing Rules.
  • Total number of events forwarded to a destination host.
  • Total number of events not correlated.

    Jan 19 16:15:07 ::ffff: [ecs-ec.ecs-ec] [[][parent=example.hostname:ecs-ec/EC/Processor2]] [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -] (Total Events Seen: 175588975), (Total Events Dropped: 35781439), (Total Events Forwarded: 3083944), (Total Events Not Correlated: 0)
LicenseGivebackFilter is reflecting the adjustment made to your license limit at ingress due to the following reasons:
  • SensorDevices: Events generated by internal log sources.
  • Events Dropped: Volume of the dropped events.
  • Event Log Only: Amount of events logged only without analysis.

    Jan 19 16:15:07 ::ffff: [ecs-ec.ecs-ec] [] [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]License giveback Event count (SensorDevices [60s: 11.63 eps]), (Events Dropped [60s: 1069.85 eps]), (Events Log Only [60s: 0.00 eps]), (Total [60s: 1081.48 eps])

How give back compares to event and flow burst handling

License give back is a separate feature from burst handling. Give back involves parsed events being recredited, while burst handling involves excess events and flows being buffered for parsing later. Both features involve handling when you exceed your license rate, but neither feature can exceed the hardware capacity of an appliance.
For more information about burst handling, see QRadar: Event and flow burst handling.

When give back fails

If events fail to parse, license give back cannot be applied because give back is determined by identifying the log source and these events are stored under the SIM Generic log source. This issue can occur when an event is missing headers or other formatting issues, or when the related DSM is not correctly configured. To learn more about issues with log source association, see QRadar: Unable to Determine Associated Log Source System Notification.
Can I view license give back statistics?
License giveback rate can be viewed from the Log Activity tab by searching for the term “giveback” in the Quick Filter. This information is captured by the System Notification
Alternately, this information is also available in the logs under /var/log/qradar.log.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2.8;7.3.1;7.4.0;7.5.0"}]

Document Information

Modified date:
23 April 2024