As a general rule, if you can see the events in Log Activity, even if they're being routed to the SIM Generic Log source because the log source that is supposed to process them is disabled, that means they're counting towards your EPS license. As hostcontext restart said, if you disable a log source attached to an active/outbound protocol, that will disable the protocol config and thus stop events from being ingested at all, but if they're being pushed to QRadar and consumed via a passive/inbound protocol like syslog then they still come into the system whether the log source that was parsing them is enabled or not. In such cases you'd need to change the config on the sending side to stop sending events to your Data Gateway.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Wed November 16, 2022 04:49 PM
From: Aaron Gallardo
Subject: Do Disabled Log Sources Count Towards EPS?
Do disabled log sources count towards EPS? We have a lot of log sources that we've labeled as misdetections to lower the amount of EPS over our data gateways. We disable all of the misdetections, but we're still running into some issues with our gateways being overloaded.
Is anyone familiar with this?
Thanks
------------------------------
Aaron Gallardo
------------------------------