IBM Security QRadar

  • 1.  EPS allocation exceeded with QRadar internal events

    Posted Thu May 02, 2019 07:20 AM
    Hi,

    we do have a setup of one QRadar Console 3199 and one Event and Flow Processor 1829. Also there is a 2000 EPS License.
    There will be more 18xx in the near future, so we thought it would be good to have a dedicated Console. Also we are planning a DR solution in another datacenter.

    As the Console will not receive any Event or Flow from outside, we thought 200 EPS should be enough and the left EPS are on the Processor. But now we have "EPS or FPM allocation exceeded" Warning all the time:


    As I understood, for all QRadar internal messages we will get a license give back in the next second. But still we do exceed the limit and do get this warning. Is there a way to avoid the warnings?

    On an IBM virtual testsystem I once saw that there was a routing rule for some internal Log Sources (Health Metric / System Notification / SIM Audit ... ) to "log only", but to activate this I think you would need a "Data Store" license, right?


    ------------------------------
    Kind regards
    Oliver
    ------------------------------


  • 2.  RE: EPS allocation exceeded with QRadar internal events

    Posted Thu May 02, 2019 04:44 PM

    This is a known issue due to internal EPS sources (System Notifications, SIM Audit, Health Metrics, CRE, SIM Generic (stored), and other internal DSMs) that are either legitimately pushing you over EPS or giveback isn't being calculated as expected. The biggest culprit here is likely your Health Metrics DSM, which on a standard box is likely pushing you over your base limit. There is a support forum discussion here on this exact topic for users who have low EPS on a Console. I think in the forum example, they had a 100 EPS license on their Console: https://developer.ibm.com/answers/questions/442370/qradar-license-exceeded/

    We have methods to help tune your appliance by setting a database value to report metrics at a slower rate. These are leveraged by QDI, but we have an APAR logged for this issue and we are looking at ways to ensure that these events don't count against licenses, since giveback occurs in the following 1 second interval. 

    You didn't list what version you are on with QRadar, but support can assist with tuning the volume of events coming from Health Metrics. The downside to this is that there is less graph resolution if you are using QRadar Deployment Intelligence app heavily for monitoring/admin stats. 

    We can reduce the traffic volume for Health Metrics, depending on how heavily you use the QDI app in QRadar.  I do not think you want to enable Log Only, due to how this feature is not enforced via license at the moment, but will be in the future. I think the better option would be to understand how far over you are with your current EPS and then possibly look at tuning down Health Metrics to prevent notifications until these issues are resolved. 

    Optionally, you could spin off the System Notification Rule into a new temporary rule and put in a response limiter for QID 38750008. This is the QID that triggers the system notification for license exceeded. You would want to remove QID 38750008 from the System Notification Rule and create a copy called "Tuned License Rule" that only contains QID 38750008 and put a response limiter on the rule for 1 week or something so you are not seeing recurring notifications in your dashboard.

    You didn't mention what version of QRadar you are on (7.3.1 or 7.3.2), but let me know if you have follow-up questions or concerns. It might not be a bad idea to give your sales rep a shout too. If you are on 7.3.2, they might be able to give you a temporary license increase. I'm in support, not sales, but it never hurts to ask to eliminate the issue while you wait for a software fix per the APARs listed above.

    Hope this helps, but ping me back with any questions you have. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
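    The reply above suggests first working out how far over the Console's allocation you actually are before tuning Health Metrics. The script below is an added example (not code from the thread or from IBM): it runs an AQL query through the Ariel REST API to count events per internal log source over the last hour and converts the counts into EPS against the 200 EPS allocation the poster mentioned. The Console hostname, API token and API version header are assumptions; the hourly average will understate per-second peaks, which is what the license check actually enforces.

```python
"""Break down a QRadar Console's EPS consumption by internal log source
via the Ariel search API, then compare the total against an allocation.
Assumptions (not from the thread): Console hostname, SEC token, API
version header, and that the Console's TLS certificate is trusted."""
import json
import ssl
import time
import urllib.parse
import urllib.request

WINDOW_SECONDS = 3600  # must match the "LAST 1 HOURS" clause below

# AQL: event count per log source over the last hour, busiest first.
AQL = (
    "SELECT LOGSOURCENAME(logsourceid) AS name, COUNT(*) AS evt_count "
    "FROM events GROUP BY logsourceid ORDER BY evt_count DESC LAST 1 HOURS"
)


def eps_breakdown(rows, allocation_eps, window=WINDOW_SECONDS):
    """rows: [{"name": ..., "evt_count": ...}, ...] as returned by Ariel.
    Returns average EPS per source, the total, and how far over the
    allocation the total is (0.0 when within the allocation)."""
    per_source = {r["name"]: r["evt_count"] / window for r in rows}
    total = sum(per_source.values())
    top = max(per_source, key=per_source.get) if per_source else None
    return {
        "per_source_eps": per_source,
        "total_eps": total,
        "over_by_eps": max(0.0, total - allocation_eps),
        "top_source": top,
    }


def run_aql(console, token, query, version="10.0", poll_seconds=2):
    """POST the search, poll until COMPLETED, return the result rows."""
    ctx = ssl.create_default_context()
    base = f"https://{console}/api/ariel/searches"
    hdrs = {"SEC": token, "Version": version, "Accept": "application/json"}
    url = base + "?" + urllib.parse.urlencode({"query_expression": query})
    req = urllib.request.Request(url, headers=hdrs, method="POST")
    sid = json.load(urllib.request.urlopen(req, context=ctx))["search_id"]
    while True:  # search runs asynchronously; wait for a terminal status
        req = urllib.request.Request(f"{base}/{sid}", headers=hdrs)
        status = json.load(urllib.request.urlopen(req, context=ctx))["status"]
        if status == "COMPLETED":
            break
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {sid} ended with status {status}")
        time.sleep(poll_seconds)
    req = urllib.request.Request(f"{base}/{sid}/results", headers=hdrs)
    return json.load(urllib.request.urlopen(req, context=ctx))["events"]


if __name__ == "__main__":
    rows = run_aql("console.example.com", "REPLACE_WITH_API_TOKEN", AQL)
    print(json.dumps(eps_breakdown(rows, allocation_eps=200), indent=2))
```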



  • 3.  RE: EPS allocation exceeded with QRadar internal events

    Posted Thu May 02, 2019 04:47 PM

    NOTE: If you are interested in support tuning your Health Metrics resolution, just open a case and ask to have your health metrics adjusted per the APAR IJ05905. I'd like to understand if you are using QRadar Deployment Intelligence and possibly ask the dev a few follow-up questions though before that happens. 

    If you are not using QDI and want to tune the reported Health Metrics EPS, support can assist via a case against IJ05905.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------