IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  EPS Calculation

    Posted Tue February 08, 2022 07:34 AM
    Hi All,

    We have a requirement where we need to check or calculate how much is increase in the EPS. 
    There are 10 windows servers where we are enabling additional logs which will get forwarded to Qradar. Now we need to see how much is the impact on EPS and how much is the increase.

    Can anyone tell me the easy method to calculate or estimate the increase in EPS (also how much is the percentage increased)


    Regards
    Asif Siddiqui

    ------------------------------
    Asif Siddiqui Senior Security Analyst
    ------------------------------


  • 2.  RE: EPS Calculation

    Posted Tue February 08, 2022 07:43 AM
    Enable the logging for one of the servers, and get a count of non
    coalesced events for the server for 24 hours or longer and average
    that down to EPS using 86400 seconds per day

    (Number of events per day / 86400 seconds)

    you could run this for a series and graph out averages, spreads and
    standard deviations if you like.


    Take either the one sample day or average of days, multiply by number
    of servers to add assuming the same logging workload. I always try to
    round EPS to nearest 100,1000 or 2.5K for purchasing reasons. I also
    like to add 10% for bursting.

    example:
    one server was 90 EPS average
    (90 EPS average)x(10 servers)=900EPS add 10% 990EPS, round to 1000 EPS.


    Original Message


  • 3.  RE: EPS Calculation

    Posted Wed February 09, 2022 08:14 AM
      |   view attached
    Thank you, excellent explanation. I just added our standard XLS for doing exactly that. It calculates EPS and storage based on EPD and average event size.
    If you already got Qradar just look at system monitoring dashboard event rate widget and drill down into log activity for details for determining current workload. Top log sources will give you the chance to add filter value for your new logsource and fill in the XLS sheet EPD column (24h event count). Add number of systems for your future workload and compare to what you currently got.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------

    Attachment(s)

    xlsx
    Siem_Sizing_Q1_sample.xlsx   13 KB 1 version
    Original Message


  • 4.  RE: EPS Calculation

    Posted Wed February 09, 2022 08:33 AM

    Hi guys

    You could install the QRadar Self monitoring content pack that contains a pulse dashboard that monitors the EPS rate average and the EPS rate max.
    The widgets contain an AQL query that you can modify to specify the time and period you want to look at.
    I posted a screenshot of the widgets in this blog: How are you checking your QRadar deployment ? Refer to the section "How can I have an idea on the number of events per second I am receiving in real time".

    I hope this will help



    ------------------------------
    Gladys Koskas
    ------------------------------

    Original Message


  • 5.  RE: EPS Calculation

    Posted Mon April 03, 2023 02:40 PM
    thanks for sharing the file, excellent information.
    Now I am entering the IBM QRADAR world and I have some doubts that I would like you to help me please:
     
    1.- EPD is from the sum of the events on the 10 Systems listed in Anzahl Systeme?
    2.- Byte/Event is the calculation of the event of the chosen platform? How do you know or calculate it?
    3.- What is the "Storage Kompr."? Why do you divide it by 10? What does the value 10 mean?
    4.- Your explanation of the "GB in 90 Tagen" formula?
    Thanks for your help,
     
    @Javier


    ------------------------------
    Javier Huaman
    ------------------------------

    Original Message


  • 6.  RE: EPS Calculation

    Posted Wed April 05, 2023 12:05 PM
    Edited by Karl Jaeger Wed April 05, 2023 12:09 PM

    Javier,
    I have uploaded a new version. Content is the same but there are explanations and colors for the columns. Column headers in English!
    Regarding your questions: 
    1. EPD are the events per day (sum) for each devicetype. The sum is calculated in EPD SUM.
    2. Byte/Event is the average event size you measured on your device or estimated based on real world event samples
    3. Storage compr. stands for storage requirement for compressed logdata. QRadar does this automatically for you. 1/10 is the factor you save using this trick.
    4. GB storage takes this into account for a 90 days storage period which is a typical minimum compliance requirement.
    https://community.ibm.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=ddbed68e-2ba6-47f1-a851-e7ef5f58f7e8&forceDialog=0

    Logdata EPD EPS Byte / Event Storage MB/d number of sytems EPS SUM EPD SUM Storage MB/d Storage compr. GB in 90 days
    Systemtype 1 1.000.000      11,57   400             400,00   10             115,74   10.000.000              4.000,00               400,00                     36,00  



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------

    Original Message