IBM QRadar


QRadar deployment sizing tools and/or guides [EPS/FPM License estimation]

  • 1.  QRadar deployment sizing tools and/or guides [EPS/FPM License estimation]

    Posted Tue November 07, 2023 08:43 AM

    Hi all,

    I would like to calculate the licensing requirements for onboarding 30+ log sources (mostly AIX) to an existing production environment. Does anyone know if there's a dedicated IBM QRadar deployment sizing tool and/or guide available?

    Searching online, I have only found the following:

    - A similar forum question from last year (https://community.ibm.com/community/user/security/discussion/eps-calculation), recommends enabling new log sources for 24hrs or so to generate an estimate.

    - WinCollect deployment planning topic [https://www.ibm.com/docs/en/qradar-on-cloud?topic=7-wincollect-deployment-planning] with some estimates for Windows-based systems, but still recommends getting a direct sample of the EPS generated by the device.

    - An EventLogReport PowerShell script that can be used to generate an EPS report for Windows-based hosts [https://www.ibm.com/support/pages/qradar-how-measure-eps-rate-microsoft-windows-host].

    Can anyone recommend any other sizing tools, calculators or guides, that should be used to estimate QRadar EPS/License requirements?

    If not, as most of our log sources are AIX, we are considering standing up an evaluation instance of QRadar (default license) to capture log source EPS baselines and generate estimates, while reducing the risk of breaching the license / dropping events on the production system - does this seem like a sound approach?

    Kind regards,



    ------------------------------
    exploring data
    ------------------------------


  • 2.  RE: QRadar deployment sizing tools and/or guides [EPS/FPM License estimation]
    Best Answer

    Posted Mon November 13, 2023 05:36 AM

    Hi,

    Your approach of using the evaluation instance is absolutely sound. To reduce the investment in time and effort, you can just as well set up a single AIX host to report into your production system and gather sample logs for 24h in order to calculate your EPS gap. In my experience, the AIX standard audit config will only generate a small number of events per day. Windows is much different!



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
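
The sampling approach discussed in this thread comes down to counting events per second in a captured log sample and comparing the result with the license headroom. The script below is an added example, not part of the original posts and not IBM tooling; the log lines, host name, host count and license figures are constructed or assumed, and the function names are hypothetical.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample (host name and messages are made up); a real capture
# would cover the full 24 h collection window.
SAMPLE = """\
Nov  7 08:00:00 aixhost01 sshd[4120]: Accepted password for opsuser
Nov  7 08:00:00 aixhost01 su: from opsuser to root at /dev/pts/0
Nov  7 08:00:00 aixhost01 syslog: audit record written
Nov  7 08:00:04 aixhost01 cron[2210]: job started
        (continuation line without a timestamp)
Nov  7 08:00:09 aixhost01 sshd[4120]: session closed for opsuser
Nov  7 08:00:09 aixhost01 syslog: audit record written
"""

def per_second_counts(lines, year=2023):
    """Bucket events by their one-second syslog timestamp (RFC 3164 has no year)."""
    counts = Counter()
    for line in lines:
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # continuation or malformed line: not counted as an event
        counts[ts] += 1
    return counts

def eps_stats(counts):
    """Average EPS over the sampled span and the busiest single second."""
    if not counts:
        return {"events": 0, "avg_eps": 0.0, "peak_eps": 0}
    span = (max(counts) - min(counts)).total_seconds() + 1
    total = sum(counts.values())
    return {"events": total, "avg_eps": total / span, "peak_eps": max(counts.values())}

def eps_gap(stats, hosts, licensed_eps, current_peak_eps):
    """EPS still missing if every new host peaked at once (conservative assumption)."""
    needed = math.ceil(stats["peak_eps"] * hosts)
    headroom = licensed_eps - current_peak_eps
    return max(0, needed - headroom)

if __name__ == "__main__":
    stats = eps_stats(per_second_counts(SAMPLE.splitlines()))
    print(stats)
    # Assumed figures: 30 similar hosts, 5000 EPS licensed, 4950 EPS current peak.
    print("additional EPS needed:", eps_gap(stats, 30, 5000, 4950))
```

Sizing on the peak second rather than the daily average gives the more conservative estimate; which figure to size against is a planning choice.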