IBM Security QRadar

  • 1.  EPS consumption

    Posted 4 days ago

    Hello,

    I have a challenge with my EPS consumption and I would like to know if it's possible for QRadar to not process a certain log and transfer it straight to storage, and what would be the impact of doing that?

    Thanks



    ------------------------------
    Benjamin Yabre
    ------------------------------


  • 2.  RE: EPS consumption

    Posted 4 days ago

    Create a Log Only Routing Rule:
    https://www.ibm.com/docs/en/qsip/7.5?topic=systems-configuring-routing-rules-use-qradar-data-store



    ------------------------------
    JOHN HANDROP
    ------------------------------



  • 3.  RE: EPS consumption

    Posted 4 days ago

    Thanks John but the link is not reachable.



    ------------------------------
    Benjamin Yabre
    ------------------------------



  • 4.  RE: EPS consumption

    Posted 4 days ago

    Link works for me, your network must be blocking it. Here is some of its content:

    Procedure

      1. On the navigation menu ( Navigation menu icon ), click Admin.
      2. In the System Configuration section, click Routing Rules.
      3. On the toolbar, click Add.
      4. In the Routing Rule window, type a name and description for your routing rule.
      5. In the Mode field, select Online.
      6. In the Forwarding Event Collector list, select the event collector on which you want to apply the Log Only (Exclude Analytics) option.
      7. In the Data Source field, select Events.
      8. Specify which events to apply the Log Only (Exclude Analytics) option to by applying filters:
        1. To apply the Log Only (Exclude Analytics) option to all incoming data, select the Match All Incoming Events check box.
          Restriction: If you select this check box, you cannot add a filter.
        2. To apply the Log Only (Exclude Analytics) option to only some events, specify the filter criteria, and then click Add Filter.
      9. To apply the Log Only (Exclude Analytics) option to log data that matches the specified filters, select Log Only (Exclude Analytics).
        Note: The Log Only (Exclude Analytics) option specifies that events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows.

        You can combine the Forward and Log Only (Exclude Analytics) options. Events are forwarded to the specified forwarding destination in online mode. Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available in offline mode.

        If data matches multiple rules, the safest routing option is applied. For example, if data that matches a rule that is configured to drop and a rule to bypass CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.

      10. Click Save.


    ------------------------------
    JOHN HANDROP
    ------------------------------
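    The quoted procedure leaves two things implicit that matter when you plan this for EPS relief: how several matching rules are reconciled (the docs say the safest outcome wins, so a Drop rule never beats a Log Only rule for the same event) and how much of the licensed EPS the Log Only events actually give back. The following is an added Python model written for this thread, not QRadar code and not from IBM; the rule shape, the field names and the sample events are constructed assumptions, and it treats only the Drop and Log Only actions the quoted text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Routing outcomes ordered from least to most data retained. When several
# rules match one event the quoted docs say the safest option is applied,
# so the model simply takes the maximum.
DROP, LOG_ONLY, NORMAL = 0, 1, 2
OUTCOME_NAMES = {DROP: "drop", LOG_ONLY: "log_only", NORMAL: "normal"}


@dataclass
class RoutingRule:
    """Simplified routing rule (assumed shape, not QRadar's data model)."""
    name: str
    action: int                                   # DROP or LOG_ONLY
    match_all: bool = False                       # "Match All Incoming Events"
    filters: Dict[str, str] = field(default_factory=dict)  # every pair must match

    def matches(self, event: Dict[str, str]) -> bool:
        if self.match_all:
            return True                           # match-all rules carry no filter
        return all(event.get(k) == v for k, v in self.filters.items())


def route(event: Dict[str, str], rules: List[RoutingRule]) -> int:
    """Outcome for one event: safest action among matching rules, else NORMAL."""
    hits = [r.action for r in rules if r.matches(event)]
    return max(hits) if hits else NORMAL


def eps_impact(events, rules: List[RoutingRule], window_seconds: float) -> Dict[str, float]:
    """Count outcomes over a sample window and estimate the license effect."""
    counts = {name: 0 for name in OUTCOME_NAMES.values()}
    for e in events:
        counts[OUTCOME_NAMES[route(e, rules)]] += 1
    raw_eps = len(events) / window_seconds
    # Log Only events are credited back 100% to the license (quoted docs).
    # Whether dropped events are credited is not stated in the thread, so
    # this estimate conservatively keeps counting them (assumption).
    counted_eps = (len(events) - counts["log_only"]) / window_seconds
    return {**counts, "raw_eps": raw_eps, "counted_eps": counted_eps}


# Constructed sample: one second of events from two hypothetical log sources.
SAMPLE_EVENTS = (
    [{"log_source_type": "Firewall", "event_name": "Accept", "severity": "low"}] * 6
    + [{"log_source_type": "Firewall", "event_name": "Deny", "severity": "medium"}] * 3
    + [{"log_source_type": "Switch", "event_name": "Trace", "severity": "debug"}] * 2
    + [{"log_source_type": "Firewall", "event_name": "Accept", "severity": "debug"}]
)

# Constructed rules: send noisy firewall accepts to Log Only, drop debug chatter.
# The last sample event matches both; the safest outcome (Log Only) wins.
SAMPLE_RULES = [
    RoutingRule("firewall accepts to Log Only", LOG_ONLY,
                filters={"log_source_type": "Firewall", "event_name": "Accept"}),
    RoutingRule("drop debug chatter", DROP, filters={"severity": "debug"}),
]

if __name__ == "__main__":
    for key, value in eps_impact(SAMPLE_EVENTS, SAMPLE_RULES, 1.0).items():
        print(f"{key:>12}: {value}")
```

Feeding the script a minute of real events (exported from the log activity view, say) instead of the constructed sample gives a defensible estimate of how much EPS a planned Log Only rule would credit back before you touch the Admin tab, and the precedence function shows why a broad Drop rule cannot be used to "clean up" events that another rule already routes to Log Only.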



  • 5.  RE: EPS consumption

    IBM Champion
    Posted 4 days ago

    Benjamin

    What you need is a new routing rule in the Admin tab. The screenshot is showing a sample. Pls check up on the documentation on this because there are many variants. For your use case you need a Data Store license, which will just enable writing it to storage rather than processing the selected events.

    [Screenshot: logonly]


    ------------------------------
    [Karl] [Jaeger] [#ibmchampion]
    [QRadar Specialist]
    [cnag]
    [Siegen] [Germany]
    ------------------------------



  • 6.  RE: EPS consumption

    Posted 4 days ago

    Hi

    Little addition: from what I noticed, this is really working only if events are processed by a console, e.g. events received by the console itself or by an EC connected to the console, and not when events are processed by an Event Processor.

    I mean routing rules are applied also with an Event Processor, but events are dropped once raw data reaches the EPS assigned to that EP; this is not happening when events are processed by a Console.



    ------------------------------
    Stefano Pasa
    ------------------------------



  • 7.  RE: EPS consumption

    IBM Champion
    Posted 22 hours ago

    Stefano,

    That's interesting information for distributed environments. Of course, processes should work the same regardless of whether EC and EP are distributed or not. The license and routing rule processes are the first services processing events on any machine, as you know. Can you please explain what exactly goes wrong in your scenario? Do you mean events get dropped by a drop event rule when processed on the console only, but not when being processed somewhere else? In the above example a drop rule might be executed anywhere, regardless of whether the EC is located on the console or not. If this is not the case, please open a support ticket with IBM.

    BTW, from my experience the Data Store license is not technically enforced in older releases; 750 I have not tested yet.



    ------------------------------
    [Karl] [Jaeger] [#ibmchampion]
    [QRadar Specialist]
    [cnag]
    [Siegen] [Germany]
    ------------------------------



  • 8.  RE: EPS consumption

    Posted 20 hours ago

    Thanks, Karl, for your response.



    ------------------------------
    Benjamin Yabre
    ------------------------------