IBM Support

QRadar: MVS tool and enterprise licensing reporting FAQ

Question & Answer


Question

QRadar software has an enterprise licensing model that allows customers to license based on the size of their IT infrastructure. The pricing metric is Managed Virtual Servers (MVS™). All physical and virtual servers in the customer environment are counted. This model offers unlimited users, actions, and data ingestion. An updated MVS script is available on IBM Fix Central for users to count the servers in their infrastructure. This technical note outlines the latest version of the MVS tool that administrators can use to count servers for enterprise licensing.

Answer

Methods to declare MVS for enterprise licenses
Administrators are typically required to declare MVS to IBM quarterly when using an enterprise license. As the new MVS utility counts log sources by type, assets, and ports, users might require asset exclusion searches to ensure that certain data is not counted as MVS. It is always recommended that you use the -v option in the MVS 2.0 utility to generate a detailed report of the data that contributed to your MVS score. As you review your MVS output, note that the MVS count can increase in the MVS 2.0 utility based on the assets in your QRadar deployment and its tuning. If the reported MVS count is higher than expected, users might need an alternate option to report their MVS to IBM. Acceptable methods to report your MVS count include any of the following:
 
  • Provide a count from your CMDB or internal asset tools.
  • Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.
  • Use the MVS 2.0 utility and create asset identity exclusions.
  • A scan report from a vulnerability assessment (VA) scanner. Several vendors provide credentialed scans that report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.


About the MVS 2.0 utility
The MVS utility has been updated to provide more predictive counting and replaces the Python-based MVS counting tool. The updated utility counts log sources by device type, assets discovered through passive flow detection, and scan data that provides operating system information, to determine which assets are counted as IT infrastructure. The update adds a new DSM, installed through QRadar auto updates or from IBM Fix Central, that updates asset counts and creates reports that show MVS changes, such as the latest count and the greatest count.

Types of data the MVS tool reviews:
  • Log source types associated with server operating systems (Windows servers, Linux, AIX, z/OS, Kubernetes nodes, and cloud hosts (IaaS servers)).
  • Ports commonly used by servers (22, 53, 80, 137, 443, 8080).
  • Assets added to the QRadar asset database by vulnerability scans or passive flow scanning that are identified as servers or unknown assets.
 

Before you begin
  • Administrators must confirm that the DSM-IBMManageVirtualServer DSM is installed on their QRadar Console. To confirm that it is installed, check on the Admin tab that the DSM-IBMManageVirtualServer DSM is listed. Optionally, from the command line, type yum info DSM-IBMManage* and confirm that the DSM is installed.
    # yum info DSM-IBMManage*
    
    Loaded plugins: product-id, search-disabled-repos
    Installed Packages
    Name        : DSM-IBMManageVirtualServer
    Arch        : noarch
    Version     : 7.5
    Release     : 20240314102425
    Size        : 3.7 M
    Repo        : installed
    From repo   : /DSM-IBMManageVirtualServer-7.5-20240314102425.noarch
    Summary     : DSM IBM Manage Virtual Server Install
    URL         : www.ibm.com
    License     : IBM Corp.
    Description : IBM Manage Virtual Server
  • The mvs.sh tool requires users to provide admin credentials or to create an authorized service token to run the utility. The recommended user role permission for the MVS tool is Admin, to ensure that the queries for the count can be run. The minimum user role permission level is Log Activity.
Setting up the MVS log source
  1. Optional. If the MVS tool is not installed on your Console, download the DSM from IBM Fix Central and install it:
    yum install -y DSM-IBMManageVirtualServer*
    Note: The weekly auto update for 24 June 2024 installed the DSM-IBMManageVirtualServer RPM file on deployments with automatic updates enabled.
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab.
  4. Click the Log Sources icon.
  5. Click Manage log sources, then select +New Log Source > Single Log Source.
  6. In the Select a Log Source Type field, type MVSCount.
    Note: If this option does not display for you, confirm the IBM Manage Virtual Server DSM is installed.
  7. In the Select a Protocol Type field, select Syslog.
  8. Configure the log source parameters:
    1. Name: Type a name for the log source. This value can be any name, such as MVS Count.
    2. Description: Optional. Type a description of the log source.
    3. Enabled: Ensure this check box is On.
    4. Log Source Group: Optional. Add the log source to a log source group.
  9. In the Configure protocol parameters field, configure the following parameters:
    1. In the Log Source Identifier field, type ibm.managevirtualserver.
    2. For Incoming Payload Encoding, select UTF-8.
  10. Click Finish to save the log source configuration.
Running the MVS utility
The administrator must download the MVS 2.0 script from IBM Fix Central, extract the files, then run the script. The script searches the last 7 days to create an initial MVS count and evaluates new data collected to update the MVS output.

Procedure
  1. Download the MVS Version 2.0 script from IBM Fix Central.
  2. Copy MVS2.0.zip to the QRadar Console.
  3. Use SSH to log in to the QRadar Console as the root user.
  4. To create a directory for the tool, type:
    mkdir /store/mvs
  5. Extract MVS2.0.zip to the directory:
    unzip MVS2.0.zip
  6. To run the utility, type:
    sh mvs.sh -s -v
    Note: The verbose option is recommended the first time administrators run the MVS count utility, because it creates the mvs_details.csv file that shows which servers are included in the initial count.
  7. Select a permission level for the MVS utility.
    Note: The user or authorized service token can use the Admin user role. Users who want to run the tool with reduced permissions can use the Log Activity user role as the minimum permission level.
    # sh mvs.sh -s -v
    
    Which authentication would you like to use:
    1: Admin user
    2: Authorized service
    (q to quit)
    Please enter your choice:
  8. Wait for the MVS utility to run:
    Username: admin
    Password:
    starting MVS counter...
    validating MVS running...
    ..........
    MVS Counter process started successfully.
    
  9. Wait for the CSV files to be created in the /store/mvs directory.

Results
The MVS 2.0 utility creates two files for users:
  • count_mvs.csv - This file has a summary of the overall count that administrators can use to declare MVS licenses to IBM.
  • mvs_details.csv - If the verbose option is enabled, a details file is created. The details file allows administrators to review the results of the MVS utility to understand the overall count. As the details file has asset information, users are not required to submit this file to IBM.

What types of servers need to be reported for enterprise licenses?

Administrators are expected to report both the physical and virtual servers that exist in their corporate IT environment, including servers in use in Amazon AWS, Microsoft Azure, or Google Cloud. If these servers report events to QRadar, or their IP addresses or hostnames provide identity events to QRadar, they are counted by the MVS tool.

What's counted as MVS:
  • All servers (physical and virtual)
    • Servers are counted regardless of infrastructure: Amazon AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud.
    • Operating systems: Windows, Linux, Unix
  • Kubernetes Nodes
  • Satellite ground stations
What is excluded from MVS:
  • Network infrastructure
    • Routers and switches
    • Firewalls and VPNs
    • Load balancers
    • Proxies
    • Intrusion Prevention Systems (IPS)
    • File Integrity Monitoring (FIM) or File Activity Monitoring (FAM)
    • Data Loss Prevention (DLP)
    • Audio-visual (AV) equipment
  • Client endpoints
    • Workstations
    • Point of Sale devices
    • Meters
    • Network storage and disk drives
  • IoT infrastructure
  • SaaS solutions

Troubleshooting

Users who experience issues with the MVS tool can review the logs in /var/log/mvs/mvs.log.

Incorrect permissions
If your user permission is not correct, the following error message is displayed in the log:

[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
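As an added example (not part of this note or of the mvs.sh tool), the following Python parses lines in the mvs.log layout shown above and flags the 401 authentication failure, so a reviewer can separate a permission problem from other errors. The sample lines are the three from this note; the field names are the example's own.

```python
import re

# Line layout of /var/log/mvs/mvs.log as shown in this note:
# [QRADAR] [thread] class: [LEVEL] [NOT:code][-/- -] [-/- -]message
LOG_RE = re.compile(
    r"^\[QRADAR\] \[(?P<thread>[^\]]+)\] (?P<cls>\S+): "
    r"\[(?P<level>[A-Z]+)\] \[NOT:(?P<code>\d+)\]\[[^\]]*\] \[[^\]]*\](?P<msg>.*)$"
)

# Constructed sample: the three lines this note shows for a permission failure.
SAMPLE_LOG = """\
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
"""


def parse_line(line):
    """Split one mvs.log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text):
    """Scan mvs.log text and report whether the run failed on authentication."""
    report = {"auth_status": None, "credentials_rejected": False, "errors": [], "advice": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a line in the MvsManager layout; ignore it
        if rec["level"] == "ERROR":
            report["errors"].append(rec["msg"])
        m = re.search(r"Authenticate user request status: (\d+)", rec["msg"])
        if m:
            report["auth_status"] = int(m.group(1))
        if "Credentials are not valid" in rec["msg"]:
            report["credentials_rejected"] = True
    if report["auth_status"] == 401 or report["credentials_rejected"]:
        # The note recommends the Admin role; Log Activity is the minimum.
        report["advice"] = ("Credentials rejected: re-run mvs.sh with an Admin user or "
                            "authorized service token (Log Activity is the minimum role)")
    return report


if __name__ == "__main__":
    # On a Console, read the real file instead: open("/var/log/mvs/mvs.log").read()
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```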

The MVS script fails to start
If the MVS script fails to start, administrators can complete the following procedure:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the /opt/qradar/jars directory.
  3. To remove the jar file, type:
    rm mvs-1.0.jar
  4. Navigate to the MVS directory, such as /store/mvs.
  5. To replace the removed jar file, type:
    sh mvs.sh -s -v
  6. Select the permission level so that the script starts.

Results
If the script continues to fail, you can contact QRadar Support for assistance.

How often does the MVS script run?

The MVS tool runs daily at midnight hardware time on the Console to create a new MVS output file.

Why do I see unknown assets in the MVS tool

The MVS tool outputs a detailed list of the IP addresses and hostnames that contributed to the MVS score. Depending on the tuning applied to your asset database, unknown assets might be counted. Administrators need to review the output to confirm the number of IT servers in use, so that the best possible number can be declared for licensing.

The numeric score output by the MVS tool depends on the data within QRadar. To improve the accuracy of the MVS count, you can:

  • Run a vulnerability assessment import on QRadar to collect the operating system information for assets in your network. QRadar supports Qualys, Beyond Security, Rapid7, Outpost24, Tripwire, Saint, and more. To configure a vulnerability import to update assets, see our Supported vulnerability scanners list.
  • Create asset identity exclusions from real-time searches to exclude assets you do not want counted by MVS.
  • Ensure that the network hierarchy is up to date so you are not collecting assets outside of your network, such as remote-to-remote traffic.

How can I tune my asset database to report better results?

Because the MVS script uses the asset database to generate the MVS count, administrators can find unknowns, such as mobile phones on the network or unknown assets, added to the count in the mvs_details.csv file. Administrators who need to tune their assets to prevent hosts from being counted as MVS should create real-time searches for the asset types they want to exclude, such as VPNs, load balancers, or other asset types.

Why are open ports counted?

Open ports are counted for common server communications, where data is exchanged from computer to computer on specific ports that are common to servers. As QRadar detects common port traffic from flow data, this can be used to help identify servers where no operating system information is available.

Ports that contribute to MVS:

  • TCP/443 (HTTPS and APIs)
  • TCP/80 (web server default port)
  • TCP/8080 (web server alternate port)
  • TCP/137 (NetBIOS name services)
  • TCP/53 (DNS server port)
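To reconcile the figure in count_mvs.csv against a CMDB export, it helps to model the counted and excluded categories above together with the listed ports. The following Python is an added illustrative model, not the MVS 2.0 utility's own logic; the keyword list, port set, exclusion categories and asset records are constructed from this note and would need adjusting for a real environment.

```python
# Illustrative model of the counting rules this note describes. It is an added
# example, not the MVS 2.0 utility's own logic, and all asset records are constructed.
SERVER_OS_KEYWORDS = ("windows server", "linux", "aix", "z/os", "unix")
SERVER_PORTS = {22, 53, 80, 137, 443, 8080}  # ports the note says contribute to MVS
EXCLUDED_CATEGORIES = {
    "router", "switch", "firewall", "vpn", "load balancer", "proxy", "ips", "fim", "fam",
    "dlp", "av equipment", "workstation", "point of sale", "meter", "network storage",
    "iot", "saas",
}


def classify(asset):
    """Return (verdict, reason); verdict is 'counted', 'excluded' or 'unknown'."""
    category = (asset.get("category") or "").lower()
    os_name = (asset.get("os") or "").lower()
    if category in EXCLUDED_CATEGORIES:
        return "excluded", f"category '{category}' is excluded from MVS"
    if category == "kubernetes node":
        return "counted", "Kubernetes node"
    if any(k in os_name for k in SERVER_OS_KEYWORDS):
        return "counted", f"server operating system '{asset['os']}'"
    hits = sorted(set(asset.get("ports", ())) & SERVER_PORTS)
    if hits:
        return "counted", f"server ports observed {hits}"
    return "unknown", "no OS or server-port evidence; review before declaring"


def mvs_summary(assets, exclusions=()):
    """Tally assets; 'exclusions' mimics asset identity exclusions by IP or hostname."""
    counts = {"counted": 0, "excluded": 0, "unknown": 0}
    details = []
    for a in assets:
        if a["ip"] in exclusions or a.get("hostname") in exclusions:
            verdict, reason = "excluded", "asset identity exclusion"
        else:
            verdict, reason = classify(a)
        counts[verdict] += 1
        details.append((a["ip"], verdict, reason))
    # Unknown assets may be counted by the tool, so the declared figure includes them.
    return counts["counted"] + counts["unknown"], counts, details


SAMPLE_ASSETS = [  # constructed records in the shape a CMDB export might be mapped to
    {"ip": "10.0.0.1", "hostname": "web01", "os": "Windows Server 2019", "ports": [443]},
    {"ip": "10.0.0.2", "hostname": "fw01", "category": "firewall", "ports": [443]},
    {"ip": "10.0.0.3", "hostname": "db01", "ports": [22, 5432]},
    {"ip": "10.0.0.4", "ports": [5555]},
    {"ip": "10.0.0.5", "hostname": "lab-test", "os": "Linux", "ports": [22]},
]
```

Calling mvs_summary(SAMPLE_ASSETS, exclusions={"lab-test"}) returns a declared figure of 3 with two counted, two excluded and one unknown asset, and the details list gives the reason for each verdict.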

What are my reporting options?

The MVS tool generates an MVS count based on the data evaluated in QRadar. Administrators who experience problems with the MVS tool can contact their sales representative or customer success lead for assistance. As tuning of the assets might be required, administrators have the option to use another tool to declare their MVS count for licensing purposes. Administrators who experience issues with the MVS script can discuss using a scan report, such as a Tenable Nessus credentialed scan, to assist with the MVS process.


Acceptable methods to report your MVS count can include any of the following:
 
  • Provide a count from your CMDB or internal asset tools.
  • Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.
  • Use the MVS 2.0 utility and create asset identity exclusions.
  • A scan report from a vulnerability assessment (VA) scanner. Several vendors provide credentialed scans that report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.

What about temporary servers?

As MVS is reported, users are expected to report the assets protected by QRadar directly or indirectly. Administrators who use the MVS 2.0 utility are provided a nightly MVS count and a greatest count, which show the current count of MVS and the highest value recorded. Administrators are required to report the greatest MVS number seen by the tool.

[Image: example count_mvs.csv output]

In this example, users would report an MVS count of 502.


Document Information

Modified date:
09 July 2024

UID

ibm17159084