IBM Support

QRadar: Events dropped at protocol with error "License restrictions have been applied"

Troubleshooting


Problem

This technical note investigates the phenomenon of events dropped by protocols.

Symptom

Logging shows that events dropped at ecs-ec-ingress with "License restrictions have been applied" even when the system sees incoming EPS rate below the licensed rate. These messages are closely preceded by a message that shows the same number of events dropped in the last 60 seconds, but specifically reference the protocol.

In this example, events are dropped at the Microsoft Azure Event Hubs protocol. 
[ecs-ec-ingress.ecs-ec-ingress] [SourceMonitor-0/ecs-ec-ingress.ecs-ec-ingress] com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -][Microsoft Azure Event Hubs] has detected a total of 18402 dropped event(s). 1495 event(s) were dropped in the last 60 seconds. Queue is at 0 percent capacity. 
[ecs-ec-ingress.ecs-ec-ingress] [SourceMonitor-3/ecs-ec-ingress.ecs-ec-ingress] com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0060005100][x.x.x.x/- -] [-/- -]A total of 18402 dropped raw event(s) have been detected. 1495 raw event(s) have been dropped in the last 60 seconds. License restrictions have been applied 2 times in the last 60 seconds.
In this example, events are dropped at the AmazonAWSRESTAPI protocol.
[ecs-ec-ingress.ecs-ec-ingress] [SourceMonitor-4/ecs-ec-ingress.ecs-ec-ingress] com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0000004000][x.x.x.x/- -] [-/- -][AmazonAWSRESTAPI] has detected a total of 31616449 dropped event(s).  3252 event(s) were dropped in the last 60 seconds. Queue is at 0 percent capacity.
[ecs-ec-ingress.ecs-ec-ingress] [SourceMonitor-1/ecs-ec-ingress.ecs-ec-ingress] com.q1labs.sem.monitors.SourceMonitor: [WARN] [NOT:0060005100][x.x.x.x/- -] [-/- -]A total of 32247953 dropped raw event(s) have been detected.  3252 raw event(s) have been dropped in the last 60 seconds. License restrictions have been applied 5 times in the last 60 seconds.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"},{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
11 December 2023

UID

ibm17091952

Page Feedback