Global Security Forum


Health Messages

  • 1.  Health Messages

    Posted Wed December 11, 2019 09:52 AM
    Hi,

    Do you know the way in which Health Messages events are not counted toward EPS?

    Thank you,

    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------


  • 2.  RE: Health Messages

    Posted Thu December 12, 2019 04:21 AM
    (Assuming this relates to QRadar) There is a license giveback mechanism for internal log sources (health metrics being one of those) active by default.
    I think this note is what you are looking for.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Health Messages

    Posted Thu December 12, 2019 04:43 AM

    Hi Dusan,

    Yes, this is related to QRadar! :)

    I want to know the mechanism, meaning: is it the Log Source, the Log Source Type or something else that doesn't count toward the EPS?



    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------



  • 4.  RE: Health Messages

    Posted Thu December 12, 2019 05:36 AM
    As mentioned, for the internal log sources, QRadar has a built-in mechanism to recognize them as such (as listed in that note) and provide the license give-back the next second (so you get to use all your license fully).
    AFAIK, QRadar's internal architecture is such that license enforcement is checked at several points. The initial check and enforcement is done on the ingress event collection for raw events (every second). If you implemented some routing rules to drop events (and there's a multitude of criteria options for this), the give-back process would again be enforced for these the next second.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 5.  RE: Health Messages

    Posted Thu December 12, 2019 08:52 AM
    Hello Mr. Kazolas,

    Is the reason you are asking that you are exceeding the EPS license?
    FYI - There was a defect in earlier QRadar versions where QRadar would exceed the EPS license if you didn't assign a few hundred EPS to the console, but that is fixed in newer versions. What version are you running and is it a distributed environment?

    As you can see below, Health Metrics do not count towards the EPS license.

    https://www.ibm.com/support/pages/qradar-license-eps-rates-and-giveback

    Output from QRadar documentation:

    Internal log sources for QRadar have license give back built in by default and do not require a routing rule to receive license back. The following log source types are considered "internal" and do not count toward your license:

    • System Notifications
    • Custom Rule Engine (CRE)
    • Audit
    • Anomaly Detection Engine
    • Asset Profiler
    • Results from scheduled searches
    • Health Metrics
    • Sense DSM
    • QRadar Risk Manager Policies, Simulations, and internal logging


    ------------------------------
    Mikael Bøgh
    ------------------------------



  • 6.  RE: Health Messages

    Posted Thu December 12, 2019 09:05 AM
    Hi,

    The reason I am asking is that I want to understand the mechanism, and if this is based on the Log Source Type, i.e. the Log Source Type ID in the DB, whether I can change it to another Log Source Type ID which has more EPS than the System Notifications or ADE.

    Thank you,

    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------



  • 7.  RE: Health Messages

    Posted Mon July 26, 2021 07:40 AM
    more explanations

    ------------------------------
    alfarabi tc
    0122 220 4877
    ------------------------------