[JSA/STRM] Does coalescing count against my license?

Article ID: KB28164 KB Last Updated: 19 Sep 2019 Version: 2.0
Summary:

This article summarizes how coalescing affects your licensing.

Symptoms:

Understanding coalescing and licensing.

Cause:

Events are counted against the license before they are coalesced. Every event that comes into the pipeline, coalesced or not, is counted against the license. 

Solution:

Events run in the following hierarchy through the pipeline:

        sources      ---> event parsing  ---> custom rules engine    -->  mpc
(syslog/jdbc/checkpoint)     (dsms)                 (cre)        (magistrate, offenses)

 

Events are not coalesced until they reach the “event parsing” (DSM) stage of the pipeline. However, the EPS license in QRadar is applied between the “sources” queue and the “parsing” queue, so events are counted before coalescing takes place. Total coalescing values are written to qradar.log every minute:

[root@csd6 ~]# grep StatFilter /var/log/qradar.log | tail -20
Aug 27 11:02:31 127.0.0.1 [ecs] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=csd6.q1labs.inc:ecs0/EC/Processor2]] com.q1labs.semsources.filters.StatFilter: [INFO] [NOT:0000006000][172.16.77.106/- -] [-/- -]Events per second: 1s:1,1 (peak 9,228) (compression: 0%) 5s:0,1 (peak 3,48) (compression: 40%) 10s:1,2 (peak 2,25) (compression: 38%) 30s:1,1 (peak 2,22) (compression: 30%) 60s:1,2 (peak 2,21) (compression: 29%)
Aug 27 11:03:32 127.0.0.1 [ecs] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=csd6.q1labs.inc:ecs0/EC/Processor2]] com.q1labs.semsources.filters.StatFilter: [INFO] [NOT:0000006000][172.16.77.106/- -] [-/- -]Events per second: 1s:2,2 (peak 9,228) (compression: 0%) 5s:1,1 (peak 3,48) (compression: 14%) 10s:1,2 (peak 2,25) (compression: 38%) 30s:1,1 (peak 2,22) (compression: 29%) 60s:1,1 (peak 2,21) (compression: 28%)

Reading "Events per second: 1s:1,1 (peak 9,228)":
Look at the values after each time slice (1s, 5s, etc.), i.e. “1,1” and then “peak 9,228”. The first number in each pair is the coalesced count and the second number is the raw count. The peak value in this particular logging example is the greatest number of coalesced/raw events seen since the last ECS restart.

The StatFilter values are calculated as follows:

60s = number of events over the past minute / 60
30s = number of events over the past 30 seconds / 30
10s = number of events over the past 10 seconds / 10
5s = number of events over the past 5 seconds / 5
1s = number of events in the last second
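The following is an added example, not part of the original article or of any Juniper/QRadar tooling: a small parser that pulls the coalesced/raw pairs out of a StatFilter line and compares the raw rate, which is what the license counts, against an EPS limit. The function names and the EPS limit of 200 are assumptions for illustration; the sample line is the first log line shown above.

```python
import re

# Sample input: the first StatFilter line from the article, embedded so this runs offline.
SAMPLE = (
    "Aug 27 11:02:31 127.0.0.1 [ecs] [[type=com.eventgnosis.system.ThreadedEventProcessor]"
    "[parent=csd6.q1labs.inc:ecs0/EC/Processor2]] com.q1labs.semsources.filters.StatFilter: "
    "[INFO] [NOT:0000006000][172.16.77.106/- -] [-/- -]Events per second: "
    "1s:1,1 (peak 9,228) (compression: 0%) 5s:0,1 (peak 3,48) (compression: 40%) "
    "10s:1,2 (peak 2,25) (compression: 38%) 30s:1,1 (peak 2,22) (compression: 30%) "
    "60s:1,2 (peak 2,21) (compression: 29%)"
)

# One time slice: "<N>s:<coalesced>,<raw> (peak <coalesced>,<raw>) (compression: <pct>%)"
WINDOW = re.compile(
    r"(?P<win>\d+)s:(?P<coal>\d+),(?P<raw>\d+) "
    r"\(peak (?P<pcoal>\d+),(?P<praw>\d+)\) "
    r"\(compression: (?P<comp>\d+)%\)"
)

def parse_statfilter(line):
    """Return {window_seconds: counters} for a StatFilter line, or {} for any other line."""
    marker = "Events per second:"
    if "StatFilter" not in line or marker not in line:
        return {}
    tail = line.split(marker, 1)[1]
    stats = {}
    for m in WINDOW.finditer(tail):
        stats[int(m["win"])] = {
            "coalesced": int(m["coal"]),        # first number of the pair
            "raw": int(m["raw"]),               # second number: pre-coalescing rate
            "peak_coalesced": int(m["pcoal"]),
            "peak_raw": int(m["praw"]),
            "compression_pct": int(m["comp"]),
        }
    return stats

def license_headroom(stats, eps_license, window=60):
    """Compare RAW rates to the EPS limit; coalesced counts do not reduce license usage."""
    w = stats[window]
    return {
        "raw": w["raw"],
        "peak_raw": w["peak_raw"],
        "over_license": w["raw"] > eps_license,
        "peak_over_license": w["peak_raw"] > eps_license,
    }

if __name__ == "__main__":
    parsed = parse_statfilter(SAMPLE)
    for win in sorted(parsed):
        print(win, license_headroom(parsed, eps_license=200, window=win))  # 200 is an assumed limit
```

With the assumed limit of 200 EPS, the 1s slice reports a raw peak of 228, which exceeds the limit even though the coalesced peak is only 9.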

Modification History:
2019-09-19: Minor, non-technical edit.