License Pools (EPS/FPM burst/spillover handling)
The way QRadar works now is that you get EPS/FPM licenses in an overall license pool for your Console. Back in 7.2.6 (I think) there was a feature implemented to allow a single EPS/FPM license, which can then be allocated out from the license pool to each individual appliance as required. This was to add flexibility so IBM did not have to generate license changes at the appliance level as customers' data shifted across their networks and some Event Collectors or Event Processors would need more EPS/FPM than was initially scoped. Available license from the pool is allocated from the Console and can be updated as required to appliances in 100 EPS/5000 FPM chunks.
If you exceed the license pool for an appliance, events are processed first in/first out of the burst handling queue (what support and dev call a spillover queue). Both events and flows have an individual 5GB buffer for each data type on the appliance. QRadar holds events until you drop under your license, then uses the gap to process the data in the burst/spillover queue. I've got a tech note that describes how this works here:
QRadar: Event and flow burst handling (buffer).
Log Only
There is another license type called "Log Only", which is a specialty license intended for Data Store appliances. Log Only licenses do require EPS/FPM to effectively process events for burst handling scenarios. The license itself for Data Store is supposed to ignore license throttles. However, there are scenarios where you want to gauge and ensure your Data Store has an EPS license to adjust and absorb bursts of events. We had a few cases on this where some users bought QRadar + Data Store, which is fine, and they were issued a Log Only license type with a default EPS of only 100 EPS. This is fine depending on your average incoming EPS rate, but let's say your 100 EPS license gets a 10k burst of events. The spillover queue is going to fill with 10,000 events and only be able to take out of that spillover queue at 100 EPS intervals.
- 1 second after the burst: 9,900 events in the queue
- 2 seconds after the burst: 9,800 events in the queue
- 3 seconds after the burst: 9,700 events in the queue
- 4 seconds after the burst: 9,600 events in the queue
- etc...
It is important, if you go the Data Store route, that you have some kind of tolerance for how quickly you need that burst queue to empty. Log Only isn't a strict EPS/FPM license, but you need to have some default burst capability included to ensure you are not waiting on your burst queue to empty or potentially never catching up.
A good default rule of thumb here that I've heard from our architecture team is to understand your potential EPS scenario. In some cases, for low EPS scenarios (0 to 1K EPS), it is possible to operate at the minimal possible 100 EPS license. For higher EPS scenarios, allocate a 1K EPS license for each 10K EPS of burst that can be expected.
Examples of sizing Log Only for burst event handling
- A. 1,000 expected average EPS, 10K maximum expected EPS spike. Guidance - allocate 1K EPS license
- B. 500 expected average EPS, 5K maximum expected EPS spike. Guidance - allocate 1K EPS license
- C. 200 expected average EPS, 1K maximum expected EPS spike. Guidance - allocate 100 EPS license
Hope this helps...
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
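The spillover-queue drain and the Log Only sizing rule from the reply above, as an added worked example (not code from the post or from IBM). It assumes the queue drains each second by the gap between the license and the incoming rate, models the 5GB buffer as an optional cap in events (a labelled assumption, since the post gives a size, not a count), and encodes the rule of thumb as one interpretation of the guidance examples A to C.

```python
# Added example (not from the post): simulate QRadar's burst/spillover queue
# draining at the licensed EPS rate, and the rule-of-thumb Log Only sizing.
# Buffer capacity in events is an assumption (the post gives 5 GB, not a count).
from math import ceil

LICENSE_CHUNK_EPS = 100  # pool allocations are made in 100 EPS chunks


def simulate_spillover(license_eps, incoming_eps_per_second, buffer_events=None):
    """Return (queue_depth_after_each_second, dropped) for a per-second series.

    Each second, licensed capacity first serves new events; any surplus capacity
    drains the queue; incoming events above the license are queued (or dropped
    once the assumed buffer is full).
    """
    queue, dropped, history = 0, 0, []
    for incoming in incoming_eps_per_second:
        if incoming >= license_eps:
            queue += incoming - license_eps
        else:
            queue = max(0, queue - (license_eps - incoming))
        if buffer_events is not None and queue > buffer_events:
            dropped += queue - buffer_events
            queue = buffer_events
        history.append(queue)
    return history, dropped


def seconds_to_drain(license_eps, average_eps, burst_events):
    """Seconds for a one-off burst to clear while steady traffic is average_eps."""
    gap = license_eps - average_eps
    if gap <= 0:
        return None  # queue never catches up while incoming >= license
    return ceil(burst_events / gap)


def log_only_license_eps(expected_burst_eps):
    """Rule of thumb from the post, as interpreted here (assumption):
    bursts up to 1K EPS can run on the minimum 100 EPS license; above that,
    allocate 1K EPS for every 10K EPS of expected burst (rounded up)."""
    if expected_burst_eps <= 1_000:
        return LICENSE_CHUNK_EPS
    return ceil(expected_burst_eps / 10_000) * 1_000


if __name__ == "__main__":
    # The post's scenario: 100 EPS license, 10k burst in one second, then idle.
    print(simulate_spillover(100, [10_000, 0, 0, 0])[0])  # [9900, 9800, 9700, 9600]
    print(seconds_to_drain(100, 0, 10_000))  # 100 seconds to empty the queue
```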
Original Message:
Sent: Tue June 20, 2023 10:53 AM
From: Jeanne Penland
Subject: IBM QRadar licensing options
Any update?
------------------------------
Jeanne Penland
Original Message:
Sent: Thu May 25, 2023 08:46 AM
From: Zeljko Babogredac
Subject: IBM QRadar licensing options
Hi,
I have a question about licensing options for IBM QRadar. I know that there are two options for licensing: one is per EPS and FPM, where IBM QRadar blocks events and flows if you go beyond the license, and the second option is per server in the network, but I don't understand how that part works. In the second option, does IBM QRadar limit the number of log sources to some number (e.g., 100 if you buy a license for 100 servers) in Log Source Management, or is it something else?
Best regards.
------------------------------
Zeljko Babogredac
------------------------------