IBM QRadar


How to limit EPS coming from particular log source

  • 1.  How to limit EPS coming from particular log source

    Posted Mon April 12, 2021 10:35 AM

    Issue: We have a Linux machine that is sending too many events to the QRadar server, causing the EPS to exceed the threshold limit.

    Requirements: We want to limit the EPS coming from the Linux machine to 1k and drop the rest of the events.

    Remark: We tried to make a routing rule for the log source but observed that the licensed EPS is still consumed.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: How to limit EPS coming from particular log source
    Best Answer

    Posted Wed April 14, 2021 07:23 PM

    Routing rules do give back 100% of the dropped events, but they are given back in the next 1 second interval. There is an article that describes how it works here: https://www.ibm.com/support/pages/qradar-license-eps-rates-and-giveback

    To drop the event, you need to use a custom property to identify the payloads that contain the values that you want to identify and drop.

    The only other option would be to tune the remote Linux server to not generate as many events, or you could add another Event Collector that is licensed as LOG ONLY, where those events do not count against the EPS license and go to a Data Store appliance. It might also be an option to have the Linux server write to a flat file as line-by-line events and scrub it using an external script. Using Routing Rules is much easier though.

    The issue with license and routing rules is that routing happens after licensing in the QRadar Event Pipeline, so even though you are dropping events with a Routing Rule, the logs and system notification occur higher in the event pipeline as you are exceeding the licensed threshold and the notification triggers anyway.



    #QRadar
    #Support
    #SupportMigration
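One way to realise the "flat file plus external script" option mentioned in the answer above, as an added Python example that is not from the post or from IBM: it assumes the Linux host writes RFC 3164-style syslog lines to a file, passes at most N events per second per host, and drops the rest before anything is forwarded, so dropped events never reach the QRadar pipeline and are never counted against the license. Host names and messages are constructed samples.

```python
import re
from collections import defaultdict

# RFC 3164-style line: "Mon DD HH:MM:SS host message" (second granularity is all we need)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def limit_eps(lines, max_eps, limited_hosts=None):
    """Pass at most `max_eps` events per host per wall-clock second; drop the rest.

    limited_hosts: optional set of host names to rate-limit; other hosts pass untouched.
    Unparseable lines are passed through so nothing unexpected is silently lost.
    Returns (kept_lines, dropped_per_host) so the dropped volume can be audited.
    """
    counts = defaultdict(int)   # (host, timestamp-second) -> events seen in that second
    dropped = defaultdict(int)  # host -> events dropped in total
    kept = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            kept.append(line)
            continue
        host = m.group("host")
        if limited_hosts is not None and host not in limited_hosts:
            kept.append(line)
            continue
        key = (host, m.group("ts"))
        counts[key] += 1
        if counts[key] > max_eps:
            dropped[host] += 1      # over the per-second budget: drop, do not forward
        else:
            kept.append(line)
    return kept, dict(dropped)


# Constructed sample: a noisy host bursting 1500 events in one second, 5 in the next,
# plus a quiet host sharing the busy second (hypothetical names, not from the thread).
SAMPLE_LINES = (
    [f"Apr 12 10:35:01 noisy-linux app[42]: event {i}" for i in range(1500)]
    + ["Apr 12 10:35:01 other-host sshd[7]: Accepted publickey for admin"] * 3
    + [f"Apr 12 10:35:02 noisy-linux app[42]: event {i}" for i in range(5)]
)

if __name__ == "__main__":
    kept, dropped = limit_eps(SAMPLE_LINES, max_eps=1000, limited_hosts={"noisy-linux"})
    print(f"forwarded {len(kept)} of {len(SAMPLE_LINES)} lines; dropped per host: {dropped}")
```

In practice the kept lines are written to a second file (or piped to a forwarder) that the QRadar log source reads, and the dropped counts are logged so the loss is visible rather than silent.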


  • 3.  RE: How to limit EPS coming from particular log source
    Best Answer

    Posted Fri April 16, 2021 05:16 AM

    So if I understand correctly, there is no way in QRadar (except fine-tuning the Linux server not to generate events) to limit the EPS from a particular log source?



    #QRadar
    #Support
    #SupportMigration