IBM QRadar

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Create a Log Only Routing Rule:
https://www.ibm.com/docs/en/qsip/7.5?topic=systems-configuring-routing-rules-use-qradar-data-store

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Thanks John but the link is not reachable.

Create a Log Only Routing Rule:
https://www.ibm.com/docs/en/qsip/7.5?topic=systems-configuring-routing-rules-use-qradar-data-store

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Benjamin

what you need is a new routing rule in admin tab. Screenshot is showing sample. pls checkup documentation on this cause there are many variants. For your usecase you need a datastore license which will just enable writing it to storage rahter than process the selected events.

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Hi

Little addition, from what I noticed this is really working only if events are processed by a console, e.g.events received by console itself or EC connected to the console and not when events are processed by an Event Processor.

I mean routing rules are applied also with Event Processor but events are dropped once raw data reach EPS assigned to that EP, this is not happening when events are processed by a Console

Benjamin

what you need is a new routing rule in admin tab. Screenshot is showing sample. pls checkup documentation on this cause there are many variants. For your usecase you need a datastore license which will just enable writing it to storage rahter than process the selected events.

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Stefano,

thats an interesting information for distributed environments. Of course processes should work the same regardless if EC and EP are distributed or not. License and routing rules process are the first services processing events o any machine as you know . Can you please explain what exactly goes wrong in your scenario? do you mean events get dropped by a drop event rule when processed on console only but not when being processed somewhere else? In the above example a drop rule might be executed anywhere regardless if EC is located on console or not. If this is not the case please open a support ticket with IBM

BTW from my experience the datastore license is not technically enforced in older releases, 750 i have not tested yet

Hi

Little addition, from what I noticed this is really working only if events are processed by a console, e.g.events received by console itself or EC connected to the console and not when events are processed by an Event Processor.

I mean routing rules are applied also with Event Processor but events are dropped once raw data reach EPS assigned to that EP, this is not happening when events are processed by a Console

Benjamin

what you need is a new routing rule in admin tab. Screenshot is showing sample. pls checkup documentation on this cause there are many variants. For your usecase you need a datastore license which will just enable writing it to storage rahter than process the selected events.

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Hi Karl

I try to explain with an example:

lets assume that I have and environment with a console and an EP, 2000EPS of total license splitted half and a half between the two hosts (1000 on console and 1000 on EP)

ecs-ec-ingress on console is receiving 1500EPS and 500EPS are dropped by RR -> 1000EPS are processed and no license issues

ecs-ec-ingress on EP  is receiving 1500EPS and 500EPS are dropped by RR -> here license will drop 500EPS at ecs-ec-ingress level and then remaining events are processed by ecs-ec/RR/ecs-ep

I've seen this behaviour in many environments we are managing (all on 7.5 > up3 and < up8) and I'm still troubleshooting this

Stefano,

thats an interesting information for distributed environments. Of course processes should work the same regardless if EC and EP are distributed or not. License and routing rules process are the first services processing events o any machine as you know . Can you please explain what exactly goes wrong in your scenario? do you mean events get dropped by a drop event rule when processed on console only but not when being processed somewhere else? In the above example a drop rule might be executed anywhere regardless if EC is located on console or not. If this is not the case please open a support ticket with IBM

BTW from my experience the datastore license is not technically enforced in older releases, 750 i have not tested yet

Hi

Little addition, from what I noticed this is really working only if events are processed by a console, e.g.events received by console itself or EC connected to the console and not when events are processed by an Event Processor.

I mean routing rules are applied also with Event Processor but events are dropped once raw data reach EPS assigned to that EP, this is not happening when events are processed by a Console

Benjamin

what you need is a new routing rule in admin tab. Screenshot is showing sample. pls checkup documentation on this cause there are many variants. For your usecase you need a datastore license which will just enable writing it to storage rahter than process the selected events.

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks

Benjamin

what you need is a new routing rule in admin tab. Screenshot is showing sample. pls checkup documentation on this cause there are many variants. For your usecase you need a datastore license which will just enable writing it to storage rahter than process the selected events.

Hello,

I have a challenge with my EPS consumption and I would like to know if it's possible for Qradar to no process a certain log and transfer it straight to the storage, and what would be the impact of doing that ?

Thanks