QRadar does not "block" the events or flows in over-license situations - they are throttled and buffered (held in the queue) until the next evaluation; when the load drops below license limit, they are processed up to the license limit.
Now, you should work with your IBM tech-sales rep. to get the proper estimation and see if this non-EPS/FPM model is right for you (i.e. cost-effective).
As I am aware (this might be somewhat simplified summary), non-EPS/FPM licensing essentially uses the number of servers (MVS) on-prem or number of processor cores allocated to the data sources in a cloud environment (VPC). All server (physical and virtual - regardless of underlying infrastructure or OS, Kubernetes nodes) are counted as MVS; network devices, client devices, IoT etc are not counted. There are some resource units attached to the MVS metric and functionality that is being licensed and associated with $. The idea behind this is to create a fair-use model. I have not seen that the number of log sources or other such limitation were implemented (if it were, you would have trouble collecting the logs from network or client devices that were not under licensing calculation).
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Thu May 25, 2023 08:46 AM
From: Zeljko Babogredac
Subject: IBM QRadar licensing options
Hi,
I have a question about licensing options for IBM QRadar. I know that there are two options for licensing: one is per EPS and FPM, where IBM QRadar blocks events and flows if you go beyond the license, and the second option is per server in the network, but I don't understand how that part works. In the second option, does IBM QRadar limit the number of log sources to some number (e.g., 100 if you buy a license for 100 servers) in Log Source Management, or is it something else?
Best regards.
------------------------------
Zeljko Babogredac
------------------------------