IBM Security QRadar

  • 1.  IBM QRadar licensing options

    Posted Thu May 25, 2023 08:47 AM

    I have a question about licensing options for IBM QRadar. I know that there are two options for licensing: one is per EPS and FPM, where IBM QRadar blocks events and flows if you go beyond the license, and the second option is per server in the network, but I don't understand how that part works. In the second option, does IBM QRadar limit the number of log sources to some number (e.g., 100 if you buy a license for 100 servers) in Log Source Management, or is it something else?

    Best regards.

    Zeljko Babogredac

  • 2.  RE: IBM QRadar licensing options

    Posted Fri May 26, 2023 04:37 AM

    QRadar does not "block" the events or flows in over-license situations - they are throttled and buffered (held in the queue) until the next evaluation; when the load drops below license limit, they are processed up to the license limit.
    Now, you should work with your IBM tech-sales rep. to get the proper estimation and see if this non-EPS/FPM model is right for you (i.e. cost-effective). 
    As far as I am aware (this might be a somewhat simplified summary), non-EPS/FPM licensing essentially uses the number of servers (MVS) on-prem or the number of processor cores allocated to the data sources in a cloud environment (VPC). All servers (physical and virtual, regardless of underlying infrastructure or OS, including Kubernetes nodes) are counted as MVS; network devices, client devices, IoT etc. are not counted. There are some resource units attached to the MVS metric and the functionality that is being licensed and associated with $. The idea behind this is to create a fair-use model. I have not seen that the number of log sources or other such limitations were implemented (if they were, you would have trouble collecting the logs from network or client devices that were not under the licensing calculation).

    Dusan VIDOVIC

  • 3.  RE: IBM QRadar licensing options

    Posted Fri May 26, 2023 05:09 AM

    Many many years ago (up to about 2016), QRadar did license per Log Source - but that is no longer the case.  There is no 'per log source' license in QRadar now.


    Paul Ford-Hutchinson

  • 4.  RE: IBM QRadar licensing options

    Posted Tue June 20, 2023 12:03 PM

    Any update?

    Jeanne Penland

  • 5.  RE: IBM QRadar licensing options

    Posted Tue June 20, 2023 12:10 PM
    Edited by Jonathan Pechta Tue June 20, 2023 12:45 PM

    License Pools (EPS/FPM burst/spillover handling)
    The way QRadar works now is that you get EPS/FPM licenses in an overall license pool for your Console. Back in 7.2.6 (I think) there was a feature implemented to allow a single EPS/FPM license, which can then be allocated out from the license pool to each individual appliance as required. This was to add flexibility so IBM did not have to generate license changes at the appliance level as customers' data shifted across their networks and some Event Collectors or Event Processors would need more EPS/FPM than was initially scoped. Available license from the pool is allocated from the Console and can be updated as required to appliances in 100 EPS/5000 FPM chunks.

    If you exceed the license pool for an appliance, events are processed first in/first out of the burst handling queue (what support and dev call a spillover queue). Both events and flows have an individual 5GB buffer for each data type on the appliance. QRadar holds events until you drop under your license, then uses the gap to process the data in the burst/spillover queue. I've got a tech note that describes how this works here: 
    QRadar: Event and flow burst handling (buffer).

    Log Only
    There is another license type called "Log Only", which is a specialty license intended for Data Store appliances. Log Only licenses do require EPS/FPM to effectively process events for burst handling scenarios. The license itself for Data Store is supposed to ignore license throttles. However, there are scenarios where you want to gauge and ensure your Data Store has an EPS license to adjust and absorb bursts of events. We had a few cases on this where some users bought QRadar + Data Store, which is fine, and they were issued a Log Only license type with a default EPS of only 100 EPS. This is fine depending on your average incoming EPS rate, but let's say your 100 EPS license gets a 10k burst of events. The spillover queue is going to fill with 10,000 events and only be able to take out of that spillover queue at 100 EPS intervals.

    - 1 second after the burst: 9,900 events in the queue
    - 2 seconds after the burst: 9,800 events in the queue
    - 3 seconds after the burst: 9,700 events in the queue
    - 4 seconds after the burst: 9,600 events in the queue
    - etc...

    It is important, if you go the Data Store route, that you have some kind of tolerance for how quickly you need that burst queue to empty. Log Only isn't a strict EPS/FPM license, but you need to have some default burst capability included to ensure you are not waiting on your burst queue to empty or potentially never catching up. 

    A good default rule of thumb here that I've heard from our architecture team is to understand your potential EPS scenario. In some cases, for low EPS scenarios (0 to 1K EPS), it is possible to operate at the minimal possible 100 EPS license. For higher EPS scenarios, allocate a 1K EPS license for each 10K EPS of expected EPS burst.

    Examples of sizing Log Only for burst event handling
    - A.  1,000 expected average EPS, 10K maximum expected EPS spike. Guidance - allocate 1K EPS license
    - B.  500 expected average EPS, 5K maximum expected EPS spike. Guidance - allocate 1K EPS license
    - C.  200 expected average EPS, 1K maximum expected EPS spike. Guidance - allocate 100 EPS license

    Hope this helps...

    Jonathan Pechta
    QRadar Support Content Lead
    Support forums:
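An added simulation (not part of this thread and not QRadar's own code) of the FIFO spillover behaviour and the Log Only sizing rule of thumb described in the last post above: it reproduces the 100 EPS / 10k burst drain figures and the sizing examples A to C. The per-second traffic lists and `max_queue_events` are constructed inputs (the real buffer is 5 GB, sized in bytes, not events), and the sizing thresholds are my reading of the examples, not an official IBM formula.

```python
from math import ceil


def burst_queue_timeline(license_eps, incoming_per_second, max_queue_events=None):
    """Simulate the burst/spillover queue second by second.

    Each second the appliance processes at most `license_eps` events, drawn
    from the new traffic plus whatever is already queued (FIFO). The rest
    waits in the queue. Returns (queue depth after each second, events dropped
    because the constructed `max_queue_events` cap overflowed).
    """
    queue, dropped, timeline = 0, 0, []
    for incoming in incoming_per_second:
        pending = queue + incoming
        queue = pending - min(license_eps, pending)  # gap under license drains the queue
        if max_queue_events is not None and queue > max_queue_events:
            dropped += queue - max_queue_events
            queue = max_queue_events
        timeline.append(queue)
    return timeline, dropped


def seconds_to_drain(license_eps, incoming_per_second):
    """Seconds until the queue is empty again once the listed traffic has arrived.

    Returns None when license_eps is zero or negative, since nothing would ever
    be processed.
    """
    if license_eps <= 0:
        return None
    queue, seconds, incoming = 0, 0, list(incoming_per_second)
    while True:
        seconds += 1
        new = incoming[seconds - 1] if seconds <= len(incoming) else 0
        pending = queue + new
        queue = pending - min(license_eps, pending)
        if queue == 0 and seconds >= len(incoming):
            return seconds


def log_only_license_eps(max_expected_spike_eps):
    """Rule of thumb from the post (my reading of examples A to C): spikes up to
    1K EPS can run on the minimum 100 EPS license; above that, allocate 1K EPS
    for every 10K EPS of expected burst."""
    if max_expected_spike_eps <= 1000:
        return 100
    return 1000 * ceil(max_expected_spike_eps / 10000)


if __name__ == "__main__":
    # Constructed traffic: a single 10,000-event burst, then silence.
    depths, lost = burst_queue_timeline(100, [10000, 0, 0, 0])
    print("queue depth per second:", depths, "dropped:", lost)
    print("seconds to drain at 100 EPS:", seconds_to_drain(100, [10000]))
    for spike in (10000, 5000, 1000):
        print(f"spike {spike} EPS -> allocate {log_only_license_eps(spike)} EPS")
```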