IBM QRadar

Hi,
QRadar EPS rate dashboard shows our EPS stays between 5-7K with few spikes over 10K. Our license is for 7500 EPS.
However the system notifications for "events being dropped" continuously pops up. We are collectng events from ~60,000 log sources. majority of them windows.
When I check the raw eps rate via command line it shows the raw EPS rate is ~18-19K.

1- If the raw eps is 18-19K, why does the EPS dashboard shows EPS consumption for 5-7 K EPS.
2- What can we do to stop events from being dropped

------------------------------
HKB
------------------------------

No direct answer unfortunately but I have suffered from this myself.

I have raised a request for AQL which gives a more accurate account of EPS along with a indicator within the GUI for "Events being dropped"

The following gave me slightly more insight into our situation.

https://www.ibm.com/support/pages/qradar-license-eps-rates-and-giveback


------------------------------
James Hill
------------------------------

Original Message:
Sent: Thu September 05, 2019 11:10 AM
From: Hemant Kumar
Subject: EPS Rate difference

Hi,
QRadar EPS rate dashboard shows our EPS stays between 5-7K with few spikes over 10K. Our license is for 7500 EPS.
However the system notifications for "events being dropped" continuously pops up. We are collectng events from ~60,000 log sources. majority of them windows.
When I check the raw eps rate via command line it shows the raw EPS rate is ~18-19K.

1- If the raw eps is 18-19K, why does the EPS dashboard shows EPS consumption for 5-7 K EPS.
2- What can we do to stop events from being dropped

------------------------------
HKB
------------------------------

It is hard to diagnose with this info in your post, but i can give a bit of inside on how it works.

Events being dropped is because your queue is full, you have a 5GB queue on the system, every second Qradar will pull out your license limit from the queue, in this case 7500 so you are likely putting more than 7500 events into the system,

The raw EPS is before routing rules and license giveback (datastore and dropped events), so my guess is that you have some rules that drop or store events without analysis.

You need to find out why your queue is getting full, there will be clear indicators in /var/log/qradar.error and qradar.log

Try "less /var/log/qradar.log | grep spillover" and  "less /var/log/qradar.log | grep eps" that should give you some event with some info on queue and spillover.

Regards Jan

------------------------------
jan straarup
------------------------------

Original Message:
Sent: Thu September 05, 2019 11:10 AM
From: Hemant Kumar
Subject: EPS Rate difference

Hi,
QRadar EPS rate dashboard shows our EPS stays between 5-7K with few spikes over 10K. Our license is for 7500 EPS.
However the system notifications for "events being dropped" continuously pops up. We are collectng events from ~60,000 log sources. majority of them windows.
When I check the raw eps rate via command line it shows the raw EPS rate is ~18-19K.

1- If the raw eps is 18-19K, why does the EPS dashboard shows EPS consumption for 5-7 K EPS.
2- What can we do to stop events from being dropped

------------------------------
HKB
------------------------------