QRadar Sizing – Determining EPS

Posted on Updated on

One of the biggest challenges when sizing a QRadar implementation is estimating the Events Per Second (aka. EPS) of the environment, specially because in the most of the cases we don’t have full access to the log sources to precisely determine the EPS. So in this post we will review some tips about how to estimate the EPS.

Determining the EPS of one event source with access to the system or access to the logfiles.

# Dump the log in a file and delete all the log not from the past 24h. Leave only the last 24h of logs
– If the system generate syslog, follow these steps:
    a. Configure the logsource to send the logs to any linux server
    b. In the destination linux server execute the following command: tcpdump -i eth0 src host SOURCE_IP dst port 514
c. Run the command for exactly 24 hours in a regular day and verify how many log packets you got.

# Verify the number of logs in the file.
– If there is just one log per line, simple open the file on notepad and verify how many lines you have;
– If the logs are not one per line, verify the whole size of the file (in bytes) and divide by 250 (the avarage size of a log line). Example: File with 3Mb = 3145728 bytes / 250 = 12583 Log packets

# Divide the number of packets by 86400, the result will be the EPS of the log source

Determining the EPS without access to logs or the system:
# From my previous experience, a good approximation of EPS is:

Device Type EPS
Active Directory 15
IIS or Exchange 10
General Windows Server 2
General Windows Workstation 0,5
UNIX/Linux Server 0,5
DNS or DHCP 15
AntiVirus Server 20
Database 1
Proxy 25
Core/Border Firewall 150
Small Firewall 20
IPS, IDS or DAM 5
VPN 5
Routers/Switches 0,25

Calculating the EPS of the whole environment:
# Multiply the number of each device by the estimated EPS
# Sum the EPS of all kind of devices and you will have the EPS of your whole environment
– Example:
     3 Core Routers + 2 IPS = 3x 150 + 2x 5 = 460 EPS
Remember to always consider at least 20% margin for buying your license.

Do you have any another tips to calculate EPS? Let us know in the comments!

Advertisements

4 thoughts on “QRadar Sizing – Determining EPS

    amit kumar said:
    January 6, 2014 at 12:57 am

    Above EPS value in table is measure on your experience but my concern is is any difference on device/Server model/version .

      RicardoReimão responded:
      January 6, 2014 at 9:00 pm

      Hi Amit, you are right, the EPS vary according with the device and model. That table is just an approximation for a primary approach when doing some pre-sales and you don’t have access to the log sources. When you have access to the log sources you can use the first method of this post “Determining the EPS of one event source with access to the system or access to the logfiles”

        amit kumar said:
        January 8, 2014 at 3:50 am

        could you provide the details of which device should integrated via Public and private key and also provide the steps to integrate with Qradar.
        Thanks.

        RicardoReimão responded:
        January 9, 2014 at 2:45 am

        Hi Amit, It varies according with the Device. In the DSM Configuration Guide you can search for the device that you want, and understand how the SSL process work. The DSM Configuration Guide can be found at: https://qradarinsights.com/2013/12/05/configuring-the-log-sources/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s