IBM QRadar

  • 1.  Average Monthly EPS on Qradar

    Posted Mon April 02, 2018 11:53 AM
    Hello, 

    What is the best practice for getting information about monthly average EPS count? 

    It is possible to see the EPS count from the Dashboard and at the same time from the console qradar log file. But the EPS counts are not the same in these two sources. 

    There is an article in IBM's web site about this issue as well:


    "Event Rate (EPS) graph may not reflect the entire event load on the system"
    http://www-01.ibm.com/support/docview.wss?uid=swg21984283

    So, how can we make sure that we are getting the actual/real EPS counts? 

    Thanks.

    Sincerely,
    Vusal 



    ------------------------------
    Vusal Salmanli MSc, CISA, CISM, CEH
    Principal Consultant
    ON
    ------------------------------


  • 2.  RE: Average Monthly EPS on Qradar

    Posted Mon April 02, 2018 04:20 PM
    There are a few ways of getting this information. The best way to see Events Per Second (EPS) or Flows per Minute (FPM) on an appliance is to use the QRadar Deployment Intelligence (QDI) app, which shows you a Dashboard for each appliance and a lot of data for the overall appliance. The QDI app is polling for data directly from the ECS service in QRadar. Most of the users in QRadar Support recommend this app to administrators to keep track of their deployments and important metrics on their appliances.

    QRadar Deployment Intelligence application: QRadar Deployment Intelligence - IBM Security App Exchange

    Another good method to see EPS metrics is to run /opt/qradar/support/deployment_info.sh. This utility will write out ECS metrics (since the last service restart) to screen. For example: /opt/qradar/support/deployment_info.sh -PO

    However, if you want to graph the last 30 days you would need to count the actual events and run a search against that time frame. I typically look up on a per week basis, but you can query for the average events per second on each log source with the following query:

    SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 604800 AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 7 days

    If you want to adjust this query to work with your time frame, you just need to adjust the interval of seconds, in this case 604800, which is 7 days in seconds to the appropriate value. If you edit the interval to 30 days, your query would look like the following:

    SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 2592000 AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 30 days

    Then you just need to save this search and add it as a Dashboard.

    There are lots of ways to potentially get this data. Take a look at what I've written and let me know if you have follow-up questions.


    ------------------------------
    JONATHAN PECHTA
    ------------------------------
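The AQL approach in the reply above rests on one piece of arithmetic: the "EPS in Interval" divisor must equal the search window in seconds. As an added example (not code from the thread or from IBM), the Python below generates that query for any window length so the divisor cannot drift from the LAST clause, and reproduces the query's GROUP BY / SUM / ORDER BY offline on constructed rows; the log source names and counts are made up.

```python
# Added example, not from the original post: build the average-EPS AQL query for
# an arbitrary window and reproduce its arithmetic on constructed sample rows.
from collections import defaultdict

SECONDS_PER_DAY = 86400


def aql_average_eps(days: int) -> str:
    """Return the reply's AQL query, parameterised by window length in days.

    The divisor must equal the window in seconds (7 days -> 604800,
    30 days -> 2592000); a mismatched divisor silently skews "EPS in Interval".
    """
    if days <= 0:
        raise ValueError("window must be at least one day")
    interval = days * SECONDS_PER_DAY
    return (
        'SELECT LOGSOURCENAME(logsourceid) AS "Log Source", '
        'SUM(eventcount) AS "Number of Events in Interval", '
        f'SUM(eventcount) / {interval} AS "EPS in Interval" '
        'FROM events GROUP BY "Log Source" '
        f'ORDER BY "EPS in Interval" DESC LAST {days} days'
    )


def average_eps(rows, interval_seconds: int):
    """Mirror the query's aggregation on already-fetched (log_source, eventcount) rows.

    Summing eventcount rather than counting rows keeps coalesced events in the
    total. Note the average is over the whole window: a source that only sent
    events for part of it will show a lower figure than its live rate.
    Returns [(log_source, total_events, eps)] sorted by EPS descending.
    """
    totals = defaultdict(int)
    for name, eventcount in rows:
        totals[name] += eventcount
    result = [(n, t, t / interval_seconds) for n, t in totals.items()]
    return sorted(result, key=lambda r: r[2], reverse=True)


# Constructed sample rows (hypothetical log sources) covering a 7-day window.
SAMPLE_ROWS = [
    ("Firewall-01", 3_024_000),
    ("Firewall-01", 3_024_000),
    ("DC-01", 604_800),
    ("Proxy-01", 60_480),
]

if __name__ == "__main__":
    print(aql_average_eps(30))
    for name, total, eps in average_eps(SAMPLE_ROWS, 7 * SECONDS_PER_DAY):
        print(f"{name:12} {total:>10} events  {eps:8.2f} EPS")
```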