Monitoring License Usage in Multitenant Deployments

As the Managed Security Service Provider (MSSP) administrator, you monitor the event and flow rates across the entire JSA deployment.

When you create a tenant, you can set limits for both events per second (EPS) and flows per minute (FPM). By setting EPS and FPM limits for each tenant, you can better manage license capacities across multiple clients. If you have a processor that is collecting events or flows for a single customer, you do not need to assign tenant EPS and FPM limits. If you have a single processor that collects events or flows for multiple customers, you can set EPS and FPM limits for each tenant.

If you set the EPS and FPM limits to values that exceed the limits of either your software licenses or the appliance hardware, the system automatically throttles the events and flows for that tenant to ensure that the limits are not exceeded. If you do not set EPS and FPM limits for tenants, each tenant receives events and flows until either the license limits or the appliance limits are reached. The licensing limits are applied to the managed host. If you regularly exceed the license limitations, you can get a different license that is more suitable for your deployment.

Viewing the Cumulative License Limits in Your Deployment

The EPS and FPM rates that you set for each tenant are not automatically validated against your license entitlements. To see the cumulative limits for the software licenses that are applied to the system as compared to the appliance hardware limits, do these steps:

  1. On the navigation menu, click Admin to open the Admin tab.

  2. In the System Configuration section, click System and License Management.

  3. Expand Deployment Details and hover your mouse pointer over Event Limit or Flow Limit.

Viewing EPS Rates Per Log Source

Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates for log sources.

  1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.

  2. To view the EPS per log source, type the following AQL query in the Advanced Search field:

    select logsourcename(logsourceid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS from events group by logsourceid order by EPS desc last 24 hours

    The date values for endTime and startTime are stored as milliseconds since the UNIX Epoch (January 1st, 1970), so the difference is divided by 1000 to convert it to seconds.

Viewing EPS Rates Per Domain

Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rates for domains.

  1. On the Log Activity tab, select Advanced Search from the drop-down list box on the Search toolbar.

  2. To view the EPS per domain, type the following AQL query in the Advanced Search field:

    select DOMAINNAME(domainid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime)) / 1000 ) as EPS from events group by domainid order by EPS desc last 24 hours

The date values for endTime and startTime are stored as milliseconds since the UNIX Epoch (January 1st, 1970), so the difference is divided by 1000 to convert it to seconds.

If you want to view average EPS rates for log sources only, click Log Sources in the Data Sources pane on the Admin tab. You can use this to quickly identify configuration issues with log sources that are failing to report.
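As an added example that is not part of the JSA documentation, the following Python reproduces the EPS arithmetic of the two AQL queries above over constructed event records, then compares each domain's rate against assumed per-tenant EPS limits (one domain per tenant is an assumption of this example) to show which tenants the throttle would act on.

```python
from collections import defaultdict

# Constructed sample event records: (domainid, logsourceid, eventcount,
# startTime, endTime). Timestamps are milliseconds since the UNIX epoch,
# the same units as the AQL startTime and endTime fields.
SAMPLE_EVENTS = [
    (1, 101, 50, 1_700_000_000_000, 1_700_000_000_000),
    (1, 101, 70, 1_700_000_005_000, 1_700_000_006_000),  # coalesced record
    (1, 102, 20, 1_700_000_002_000, 1_700_000_002_000),
    (2, 201, 400, 1_700_000_000_000, 1_700_000_000_000),
    (2, 201, 800, 1_700_000_010_000, 1_700_000_010_000),
    (3, 301, 5, 1_700_000_003_000, 1_700_000_003_000),   # lone record
]

# Assumed per-tenant EPS limits keyed by domainid (one domain per tenant
# is an assumption of this example, not a JSA rule).
TENANT_EPS_LIMITS = {1: 50, 2: 100, 3: 10}

def eps_by_key(events, key_index):
    """Group records by domainid (key_index 0) or logsourceid (key_index 1)
    and return {key: EPS}: sum(eventcount) divided by the span in seconds
    between the earliest startTime and the latest endTime, as the AQL
    queries do. A group whose records share one timestamp has a zero span;
    its total count is reported as the rate instead of dividing by zero."""
    agg = defaultdict(lambda: [0, None, None])  # count, min start, max end
    for ev in events:
        key, count, start_ms, end_ms = ev[key_index], ev[2], ev[3], ev[4]
        entry = agg[key]
        entry[0] += count
        entry[1] = start_ms if entry[1] is None else min(entry[1], start_ms)
        entry[2] = end_ms if entry[2] is None else max(entry[2], end_ms)
    result = {}
    for key, (count, start_ms, end_ms) in agg.items():
        span_s = (end_ms - start_ms) / 1000
        result[key] = count / span_s if span_s > 0 else float(count)
    return result

def over_limit(eps, limits):
    """Keys whose measured EPS exceeds the configured limit; these are the
    tenants whose throttle queue would start dropping events."""
    return sorted(k for k, rate in eps.items() if k in limits and rate > limits[k])

if __name__ == "__main__":
    for label, idx in (("domain", 0), ("log source", 1)):
        for key, rate in sorted(eps_by_key(SAMPLE_EVENTS, idx).items(), key=lambda kv: -kv[1]):
            print(f"{label} {key}: {rate:.2f} EPS")
    print("tenants over their EPS limit:", over_limit(eps_by_key(SAMPLE_EVENTS, 0), TENANT_EPS_LIMITS))
```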

Viewing Individual License Limits in Your Deployment

The EPS and FPM rates that you set for each tenant are not automatically validated against your license entitlements. To see the individual limits for the software licenses that are applied to the system as compared to the appliance hardware limits, do these steps:

  1. On the navigation menu, click Admin to open the Admin tab.

  2. In the System Configuration section, click System and License Management.

  3. Expand Deployment Details and hover your mouse over Event Limit or Flow Limit.

Viewing the EPS Rate for an Individual Log Source

Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate for an individual log source.

  1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.

  2. To get a log source ID, type the following AQL query in the Advanced Search field:

    select domainid, logsourceid, LOGSOURCENAME(logsourceid) from events GROUP BY domainid, logsourceid order by domainid ASC last 1 HOURS

  3. To view the EPS rate for your selected log source, type the following AQL query in the Advanced Search field, replacing <logsourceid> with the ID from step 2:

    select logsourcename(logsourceid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS from events where logsourceid=<logsourceid> group by logsourceid order by EPS desc last 24 hours

Viewing the EPS Rate for an Individual Domain

Use the Advanced Search field to enter an Ariel Query Language (AQL) query to view the EPS rate for an individual domain.

  1. On the Log Activity tab, select Advanced Search from the list on the Search toolbar.

  2. To get a domain ID, type the following AQL query in the Advanced Search field:

    select domainid, DOMAINNAME(domainid) from events GROUP BY domainid last 1 HOURS

  3. To view the EPS rate for your selected domain, type the following AQL query in the Advanced Search field, replacing <domainid> with the ID from step 2:

    select DOMAINNAME(domainid) as LogSource, sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS from events where domainid=<domainid> group by domainid order by EPS desc last 24 hours

Detecting Dropped Events and Flows

Events and flows are dropped when the JSA processing pipeline can't handle the volume of incoming events and flows, or when the number of events and flows exceeds the license limits for your deployment. You can look at the JSA log file messages when these situations occur.

  1. Use SSH to log in to JSA as the root user.

  2. View the /var/log/qradar.error log file and look for these messages:

    These messages indicate that events or flows were dropped:

    [Tenant:[tenantID]:[tenantName] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.

    [Tenant:[tenantID]:[tenantName] Flow dropped while attempting to add to Tenant Flow Throttle queue. The Tenant Flow Throttle queue is full.

    These messages indicate that the processing pipeline was near capacity:

    Throttle processor cannot keep up with events. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.

    Throttle processor cannot keep up with flows. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.

    If this warning persists, JSA might drop events or flows.

If your system is dropping events and flows, you can expand your license to handle more data or you can set more restrictive EPS and FPM limits for each tenant.
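To turn the log check above into something repeatable, here is an added Python script (not part of JSA) that scans qradar.error lines for the two message families listed in step 2 and counts drops per tenant and near-capacity warnings per data type; the sample lines, tenant IDs and names are constructed for the example.

```python
import re
import sys
from collections import Counter

# Patterns for the two message families; real qradar.error lines carry a
# timestamp and process prefix, and search() accepts any prefix.
DROP_RE = re.compile(
    r"\[Tenant:\[(?P<tenant_id>\d+)\]:\[(?P<tenant_name>[^\]]+)\]\s+"
    r"(?P<kind>Event|Flow) dropped while attempting to add to Tenant "
    r"(?:Event|Flow) Throttle queue"
)
NEAR_CAPACITY_RE = re.compile(
    r"Throttle processor cannot keep up with (?P<kind>events|flows)\. "
    r"TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short"
)
# Constructed sample lines in the formats the documentation lists.
SAMPLE_LOG = """\
[Tenant:[7]:[acme] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
[Tenant:[7]:[acme] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
Throttle processor cannot keep up with events. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
[Tenant:[12]:[globex] Flow dropped while attempting to add to Tenant Flow Throttle queue. The Tenant Flow Throttle queue is full.
An unrelated error line that the parser ignores.
Throttle processor cannot keep up with flows. TENANT_QUEUE_THREAD_INTERVAL_IN_MILLISEC is probably too short.
"""

def summarize_throttle_log(lines):
    """Count drops per (tenant_id, tenant_name, kind) and near-capacity
    warnings per kind ('events' or 'flows'). Returns (dropped, near_capacity)."""
    dropped, near_capacity = Counter(), Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            dropped[(int(m["tenant_id"]), m["tenant_name"], m["kind"])] += 1
            continue
        m = NEAR_CAPACITY_RE.search(line)
        if m:
            near_capacity[m["kind"]] += 1
    return dropped, near_capacity

def tenants_with_drops(dropped):
    """Distinct (tenant_id, tenant_name) pairs that lost events or flows."""
    return sorted({(tid, name) for tid, name, _ in dropped})

if __name__ == "__main__":
    # Pass a log path (for example /var/log/qradar.error) to scan a real file.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    dropped, near = summarize_throttle_log(src.splitlines())
    print("tenants with drops:", tenants_with_drops(dropped))
    print("near-capacity warnings:", dict(near))
```

Tenants that appear in the drop counts are the ones whose EPS or FPM limit is being hit; near-capacity warnings without drops mean the pipeline is close to its limit but has not yet discarded data.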