How are events generated by QRadar counted against your license?


What types of events contribute to your QRadar license

A common question that QRadar Support receives is, "What events contribute to my EPS license in QRadar?" Not all device support modules (DSMs) that parse events count against your EPS license. QRadar includes a number of "Internal DSMs" that are used by QRadar processes or that report data from managed hosts. When an event is received and parsed by an "Internal DSM", the event count is credited back to the license using a feature called license give back.

License give back can occur in two scenarios:
1. An event is dropped using a routing rule. Because event routing occurs after the license check in QRadar, a dropped event has already been counted, so license give back is applied to the appliance that dropped the event. The rate at which license give back occurs for events dropped by a routing rule changed in QRadar v7.3.1; this change is outlined later in this article.

2. An event was received by QRadar for an internal log source type. Internal log sources for QRadar have license give back built in by default and do not require a routing rule to receive license back. The following log source types are considered "internal" and do not count toward your license:

  • System Notifications
  • Custom Rule Engine (CRE)
  • Audit
  • Anomaly Detection Engine
  • Asset Profiler
  • Results from scheduled searches
  • Health Metrics
  • Sense DSM
  • QRadar Risk Manager Policies, Simulations, and internal logging

License changes in QRadar 7.3.1

As of 7.3.1, license give back credits 100% of all dropped events back to the license, up to the maximum Events Per Second (EPS) rating of the appliance itself. This feature allows an unlimited number of logs to be dropped without counting against your EPS license.

The way this works is that all dropped events are added back into the existing license capacity. The events that are not dropped carry on through the pipeline and are evaluated as normal. Although this feature allows you to exceed the license in any one-second interval by the number of events you dropped in the previous interval, you cannot exceed the rated EPS capacity of the hardware.

For example:

  • If you have a licensed and steady event rate of 1,000 EPS and you decide to drop 500 EPS.
  • On the next one second interval, your license capacity is adjusted to be 1,500 EPS.
  • In the next 1,500 EPS interval, you receive more events that match your drop filter. The system drops 800 matching events. This is added back on top of your existing 1,000 EPS license, so in the next one second interval you have a 1,800 EPS license.
  • On the next interval you drop 1,000 EPS for events that match your filter, then in the next second you have a 2,000 EPS license for the incoming events.

The general formula is:
Licensed EPS + dropped EPS = EPS rate that is allowed for the next one second.

How license rates are calculated in 7.3.0 and earlier

Events that are generated by network devices, operating systems, and appliances, such as firewalls, routers, and VPN servers, count against your QRadar license. When you create a routing rule in QRadar 7.3.0 to drop events, 60% of the events that you drop by using routing rules are credited back to the license on the next one second interval, up to a maximum of 2,000 events per second (EPS).

This means that if you have an event rate of 1,000 EPS and you decide to drop 500 EPS for a log source, the license give back applies 300 EPS to the next one second interval.

Give back occurs on each appliance where events are processed, meaning that each appliance applies license give back independently when a routing rule is used to drop an event. If you drop 500 EPS on each Event Processor in the deployment, each of those Event Processors calculates its own license give back and applies it, up to the 2,000 EPS maximum per Event Processor.

The general formula is:
Licensed EPS + (dropped EPS × 0.6) = EPS rate that is allowed for the next one second, up to a maximum of licensed EPS + 2,000 EPS give back.
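The two give back formulas in this article (7.3.1 and later, and 7.3.0 and earlier) as an added Python model. This is example code written for this page, not IBM or QRadar code; the function names, the hardware_max_eps parameter and the sample drop counts are assumptions made for the illustration, and the constants come from the article text. The 7.3.1 model replays the worked example above (1,000 EPS license; 500, 800 and 1,000 dropped in successive intervals) and applies the hardware rating as a cap; the 7.3.0 model applies the 60% ratio and the 2,000 EPS ceiling per Event Processor.

```python
"""Model of QRadar license give back for events dropped by routing rules.

Added example, not IBM code. Rules as stated in the article:
  7.3.1 and later : licensed EPS + 100% of dropped EPS, capped at the
                    rated hardware EPS of the appliance.
  7.3.0 and earlier: licensed EPS + 60% of dropped EPS, with the give back
                    capped at 2,000 EPS, calculated per Event Processor.
"""
from typing import List, Sequence

# Constants taken from the article (7.3.0 behaviour).
GIVE_BACK_RATIO_730_NUM = 6   # 60% expressed as 6/10 to keep integer arithmetic
GIVE_BACK_RATIO_730_DEN = 10
GIVE_BACK_CAP_730 = 2000      # maximum give back per Event Processor, in EPS


def _check_non_negative(*values: int) -> None:
    for v in values:
        if v < 0:
            raise ValueError("EPS values cannot be negative")


def next_interval_eps_731(licensed_eps: int, dropped_eps: int,
                          hardware_max_eps: int) -> int:
    """Allowed EPS for the next one-second interval on QRadar 7.3.1+.

    100% of the events dropped in this interval are added to the licensed
    rate, but the result can never exceed the appliance's rated hardware EPS
    (hardware_max_eps is an assumed parameter representing that rating).
    """
    _check_non_negative(licensed_eps, dropped_eps, hardware_max_eps)
    return min(licensed_eps + dropped_eps, hardware_max_eps)


def simulate_731(licensed_eps: int, dropped_per_interval: Sequence[int],
                 hardware_max_eps: int) -> List[int]:
    """Replay a series of one-second intervals and return the allowed EPS
    for the interval that follows each one (7.3.1 model)."""
    return [next_interval_eps_731(licensed_eps, dropped, hardware_max_eps)
            for dropped in dropped_per_interval]


def give_back_730(dropped_eps: int) -> int:
    """Give back credited on 7.3.0 and earlier: 60% of dropped, max 2,000."""
    _check_non_negative(dropped_eps)
    credited = dropped_eps * GIVE_BACK_RATIO_730_NUM // GIVE_BACK_RATIO_730_DEN
    return min(credited, GIVE_BACK_CAP_730)


def next_interval_eps_730(licensed_eps: int, dropped_eps: int) -> int:
    """Allowed EPS for the next one-second interval on QRadar 7.3.0 and earlier."""
    _check_non_negative(licensed_eps)
    return licensed_eps + give_back_730(dropped_eps)


def per_event_processor_730(licensed_eps: int,
                            dropped_per_ep: Sequence[int]) -> List[int]:
    """7.3.0 give back is computed independently on each Event Processor,
    so each EP gets its own next-interval capacity and its own 2,000 cap."""
    return [next_interval_eps_730(licensed_eps, d) for d in dropped_per_ep]


if __name__ == "__main__":
    # Constructed sample: the article's 7.3.1 walk-through, 1,000 EPS license.
    drops = [500, 800, 1000]
    print("7.3.1 next-interval capacity:", simulate_731(1000, drops, 5000))
    # Same drops on a hypothetical appliance rated at only 1,500 EPS.
    print("7.3.1 with 1,500 EPS hardware cap:", simulate_731(1000, drops, 1500))
    # 7.3.0: 500 dropped -> 300 credited; 5,000 dropped -> capped at 2,000.
    print("7.3.0, 500 dropped:", next_interval_eps_730(1000, 500))
    print("7.3.0, 5,000 dropped:", next_interval_eps_730(1000, 5000))
    print("7.3.0, two EPs dropping 500 each:", per_event_processor_730(1000, [500, 500]))
```

The integer ratio (6/10 with floor division) avoids floating-point rounding in the 60% calculation; the cap order matters in the 7.3.0 model, since the article caps the give back itself at 2,000 EPS rather than the total rate.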

NOTE: After an administrator upgrades to QRadar 7.3.1, the 2,000 EPS give back restriction is lifted and 100% of the events dropped by a routing rule contribute to license give back.

Where do you find more information?

08 August 2019