IBM QRadar Licensing: EPS, Flows, and Sizing Your SIEM Correctly

Introduction:
IBM QRadar is a leading SIEM platform, but its licensing model can be tricky.

QRadar’s cost depends primarily on the amount of data you send it – measured in events per second (EPS) and flows per minute (FPM). Mis-sizing a license can either waste budget or cause important security data to go uncollected.

This guide breaks down QRadar’s licensing metrics, deployment options, sizing methods, overflow handling, cost optimization strategies, and FAQs. It provides key recommendations to help you maximize the value of your QRadar deployment.

1. QRadar Licensing Metrics (EPS and Flows)

IBM QRadar licensing is based on two primary metrics: Events Per Second (EPS) and Flows Per Minute (FPM). EPS is the number of log events (security alerts, syslog messages, etc.) the system can ingest each second. FPM counts network flow records (such as NetFlow or IPFIX data) processed per minute.

These metrics limit the amount of data you can feed into QRadar in real-time. When you purchase QRadar, you choose a license tier based on the peak EPS and FPM you need. Common capacity tiers range from a few hundred EPS to several thousand.

Likewise, flow capacity might be licensed in blocks (e.g., 25,000 FPM or 50,000 FPM). The license key will specify both an EPS limit and an FPM limit for your deployment.

Events and flows are counted separately. An organization focusing solely on log events might prioritize the EPS limit, whereas one that also ingests network traffic must ensure sufficient FPM capacity.

Some QRadar bundles include a nominal flow allowance (since many SIEM deployments are log-centric). Still, if your monitoring relies heavily on network data, you may need to explicitly license a higher FPM quota.

Always align licensing with your plans: if you’ll monitor firewall, OS, and application logs, size the EPS for that; if you’ll also analyze network flows, include ample FPM in your sizing.

To summarize these metrics and their implications, here’s a quick reference of each, potential risks, and optimization tips:

| Metric | How It’s Measured | Licensing Risk | Optimization Tip |
| --- | --- | --- | --- |
| Events Per Second (EPS) | Log events ingested per second | Too low an EPS cap means some events won’t be collected; too high means paying for unused capacity. | Measure your average and peak EPS across log sources, then license slightly above the peak. Filter out low-value events so they don’t waste your quota. |
| Flows Per Minute (FPM) | Network flow records per minute | Not enough FPM causes network data to drop when the cap is hit; too much wastes budget. | Collect flows only for important network segments. If full detail isn’t needed everywhere, use sampling or shorter retention to reduce FPM usage. |
| Data Volume (Cloud) | Gigabytes of data per day (cloud) | Exceeding daily ingest limits can trigger extra costs or lost data. | Filter out verbose, non-security logs before sending to the cloud. Send only necessary data and use retention settings to stay within limits. |

2. Deployment Models (On-Premises vs. QRadar on Cloud)

For on-premises deployments, you can choose a perpetual license or a subscription model. A perpetual license means a one-time purchase for a certain EPS/FPM capacity (with an annual support fee for ongoing updates and support).

A subscription license distributes the cost over time (e.g., annual payments) and typically includes support as part of the price. Both models provide the same software capabilities; it’s mainly a budgeting preference (capex vs. opex) and how long you plan to use the system.

IBM also offers QRadar on Cloud (QRoC), a SaaS version of QRadar that IBM hosts and manages. QRoC is sold as a subscription service and is usually measured by usage. Often it’s defined by an EPS limit (for example, 500 EPS in the cloud), similar to on-prem licensing.

In some cases, IBM uses a data volume metric (such as gigabytes of logs per day) instead.

In either scenario, the subscription fee includes all necessary support and infrastructure – you don’t need to maintain servers or handle software upgrades. Feature-wise, QRadar on Cloud has the same core SIEM functions as the on-prem version.

The key trade-off is control versus convenience: with on-prem, you manage and customize the environment (and keep data on-site) but handle maintenance and upfront costs; with the cloud service, you offload management to IBM and get faster setup, but you pay ongoing subscription fees and rely on IBM’s cloud for data storage.

Evaluate both options based on your resources, compliance requirements, and long-term cost projections.

3. Sizing Your QRadar Deployment

Proper sizing ensures you license exactly what you need.

Begin by evaluating the log sources and their corresponding event rates.

Estimate how many events per second each source (firewalls, servers, applications, etc.) generates on average, and identify peak periods when log volumes spike.

Use historical data or a test deployment to gather these metrics so you can determine your typical EPS and peak EPS.

When choosing a license, aim for an EPS capacity that covers your peak with a little buffer. Oversizing by a large margin – buying far more capacity than you use – means paying for unused headroom.

Undersizing, not buying enough, means QRadar might be forced to drop or miss events during high-volume times. License for slightly above your highest expected event rate.

This provides a safety cushion for growth and bursts without incurring the costs of maintaining excess idle capacity. Remember, you can always upgrade later if needed, so there’s no need to overbuy on day one.

Leverage QRadar’s distributed architecture to optimize usage. In a multi-appliance deployment, all collectors and processors share a common license pool. A single license can cover multiple locations as long as the total EPS stays within the limit.

For example, deploying Event Collectors at branch offices enables you to gather logs locally and then forward them to a central QRadar under a single combined license pool. Those collectors can also filter out noise (dropping low-value or redundant events) so that only important data consumes your licensed EPS.

By centralizing log management and filtering unnecessary events at the source, you reduce the overall EPS load, potentially allowing you to fit into a smaller, less expensive license tier.

4. Overflow Handling in QRadar

QRadar includes a burst handling feature to cope with occasional spikes above your licensed rate. If incoming events exceed your EPS license for a short period, QRadar will buffer the excess in a queue instead of dropping them immediately.

When the event rate falls back under your limit, the system processes the queued events, so nothing is lost.

This means a brief spike (say, a few minutes of above-cap logs) can be absorbed without data loss – you might just see a slight processing delay as QRadar catches up.

However, this buffering isn’t unlimited. It’s intended for temporary surges, not for continuous operation beyond your license.

If you sustain an event rate above your licensed EPS for too long, the queue will fill up, and new events beyond the limit will be dropped. In short, a quick burst is fine, but a prolonged overload will result in missing data.

Frequent license exceedances indicate undersizing. Technically, you risk losing events, and from a compliance standpoint, you’re operating outside your entitlement. If QRadar often hits its EPS cap, consider filtering out more logs or increasing your license.

It’s smart to set up alerts in QRadar to notify you when you’re nearing your capacity (for example, at 80–90% of your EPS limit) so you have time to react.

If you expect occasional big spikes (for example, during a major security incident or a seasonal traffic peak), discuss options with IBM. They might offer a temporary capacity boost or an allowance for such bursts. Having a plan for overflow situations can prevent panic during an unexpected surge.
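The sizing advice in section 3 and the burst queue described in this section can be checked against a measured event-rate trace before choosing a tier. The following is an added example, not IBM code or part of the original guide: the queue model is a simplification, and the buffer size (50,000 events), the candidate tiers and both traces are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed per-second event counts (not measurements from any real deployment).
SHORT_BURST = [350] * 300 + [900] * 60 + [350] * 300   # one-minute spike
SUSTAINED = [350] * 300 + [900] * 600                  # ten minutes above the cap

@dataclass
class TierResult:
    eps_limit: int
    peak_utilization: float  # peak EPS divided by licensed EPS
    seconds_over_warn: int   # seconds at or above the warning threshold
    max_queue: int           # deepest backlog reached, in events
    dropped: int             # events lost once the buffer was full

def evaluate_tier(trace, eps_limit, buffer_events, warn_ratio=0.8):
    """Replay a trace through a simplified burst queue.

    Assumed model, not QRadar's internals: each second up to eps_limit events
    are processed, the excess waits in a queue holding at most buffer_events,
    and anything beyond that is dropped.
    """
    queue = dropped = max_queue = over_warn = 0
    for incoming in trace:
        if incoming >= warn_ratio * eps_limit:
            over_warn += 1
        backlog = max(queue + incoming - eps_limit, 0)
        if backlog > buffer_events:
            dropped += backlog - buffer_events
            backlog = buffer_events
        queue = backlog
        max_queue = max(max_queue, queue)
    return TierResult(eps_limit, max(trace) / eps_limit, over_warn, max_queue, dropped)

def smallest_safe_tier(trace, tiers, buffer_events):
    """Return the lowest tier that replays the trace without drops, else None."""
    for limit in sorted(tiers):
        if evaluate_tier(trace, limit, buffer_events).dropped == 0:
            return limit
    return None

if __name__ == "__main__":
    for name, trace in (("short burst", SHORT_BURST), ("sustained", SUSTAINED)):
        print(name, evaluate_tier(trace, 500, 50_000))
        print("  smallest tier without drops:", smallest_safe_tier(trace, [500, 1000, 2500], 50_000))
```

With a 500 EPS cap the one-minute spike is queued and drained with no loss, while the ten-minute overload fills the assumed buffer and loses events, which is the difference between a burst and undersizing that the text describes.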

5. Cost Optimization Strategies

Keeping QRadar cost-efficient comes down to smart planning and usage. Consider these strategies:

  • Centralize and Consolidate: Use a single QRadar deployment (with distributed components as needed) instead of multiple isolated SIEM instances. All logs are then drawn from one shared EPS pool, which increases utilization efficiency. You won’t pay for separate licenses that sit partly unused – a centralized approach ensures you fully use what you’re paying for.
  • Start Small and Scale: Avoid overbuying “just in case.” License for what you need now, and plan to grow later. It’s easier and more cost-effective to add capacity incrementally than to pay upfront for a huge EPS cushion you might never use. Negotiate your contract to allow mid-term upgrades (true-ups) at a pre-agreed rate. That way, if your logging needs grow, you can scale up without a budget shock or a contract battle.
  • Compare Long-Term Costs: Calculate your total cost of ownership for on-prem vs. cloud over the same period (including license, support, and infrastructure versus subscription fees). Depending on your situation, a perpetual license may wind up cheaper over time, or a cloud subscription’s all-inclusive approach may be worth the extra cost.

6. FAQs — QRadar Licensing

Q: Are on-premises QRadar licenses perpetual?
A: Yes. Typically, you purchase a perpetual license for a set capacity and can use it indefinitely. You then renew support each year to receive software updates and technical support.

Q: Can I increase my EPS license mid-contract if I need more capacity?
A: Yes. You can expand your licensed EPS during your term by purchasing an upgrade (often called a true-up). It’s best to pre-negotiate the rates for such expansions in your original contract so you can add capacity later without a financial penalty.

Q: How is QRadar on Cloud priced – by EPS or by data volume?
A: It depends on the plan. Many QRadar on Cloud subscriptions are based on a maximum EPS (similar to on-prem licensing), but some plans charge by daily data ingestion (for example, gigabytes per day). Make sure you know which metric applies to your cloud deployment so that you monitor the right usage figure.

Q: What happens if my EPS limit is exceeded?
A: If you briefly exceed your licensed EPS, QRadar will queue the extra events and process them once the rate drops back down. There’s no immediate loss of data for a short spike, only a delay. However, if you exceed your EPS limit for an extended period, the buffer will overflow, and excess events will be dropped. In short, occasional bursts are handled, but sustained overages will result in lost logs.

Q: Does a cold standby (backup) QRadar appliance require its own license?
A: Generally no, as long as it’s truly a cold standby (not actively processing logs). IBM allows a non-production backup instance for failover without an additional license, provided it’s not collecting data alongside your primary system. The standby only needs to be licensed if it becomes active and takes over.

7. Five Recommendations — QRadar Licensing

  1. Right-Size Carefully: Base your license on real-world data. Aim for an EPS capacity that covers your normal peak with some cushion, but don’t dramatically overestimate “just in case.”
  2. Negotiate Future Growth: Ensure your IBM contract allows for easy capacity upgrades. Pre-negotiate rates for higher EPS or FPM tiers to enable scaling up later without breaking the budget or requiring a new agreement.
  3. Plan for Bursts: Discuss with IBM how short-term spikes are addressed. Try to secure a bit of leeway for occasional bursts (or at least be aware of the policy), so that one unusual surge won’t put you out of compliance or cause dropped events.
  4. Optimize What You Ingest: Don’t feed QRadar logs that add little value. Filter at the source or use event collectors to drop noise. This helps you stay within a smaller, more affordable license while still capturing the important security data.
  5. Evaluate Cloud vs. On-Prem: On-prem (perpetual licensing) can be cheaper over the years if you have the IT resources to manage it; cloud (subscription) offers ease of use and quick deployment, but with ongoing costs. Compare multi-year costs and benefits to determine which option delivers the best value for your organization.

Author
  • Fredrik Filipsson

    Fredrik Filipsson is the co-founder of Redress Compliance, a leading independent advisory firm specializing in Oracle, Microsoft, SAP, IBM, and Salesforce licensing. With over 20 years of experience in software licensing and contract negotiations, Fredrik has helped hundreds of organizations—including numerous Fortune 500 companies—optimize costs, avoid compliance risks, and secure favorable terms with major software vendors. Fredrik built his expertise over two decades working directly for IBM, SAP, and Oracle, where he gained in-depth knowledge of their licensing programs and sales practices. For the past 11 years, he has worked as a consultant, advising global enterprises on complex licensing challenges and large-scale contract negotiations.
