IBM Support

QRadar: The EPS or FPM license pool is over-allocated error

Troubleshooting


Problem

When administrators assign an Event per second (EPS) or Flows per minute (FPM) allocation, they can allocate license from the Console to individual hosts. Assigning values that exceed the overall Console EPS or FPM license in the License Pool Management interface prevents administrators from viewing the Log Activity or Network Activity tab. When license allocations are onfigured incorrectly, a 'The EPS or FPM license pool is over-allocated' message displays to users.

Symptom

The following error displays to users when they select the Log Activity or Network Activity tab, "The EPS or FPM license pool is over-allocated. Please contact your administrator."

For example,
image-20230404122554-1

Cause

The EPS or FPM allocation assigned to hosts in the license pool is larger than the overall Console license.

Diagnosing The Problem

The Console has an overall EPS and FPM license that is a shared license pool for all managed hosts in the QRadar deployment. The license pool is allocated by the administrator from the overall Console license pool to each host that receives events or flows. The feature allows administrators to adjust licenses on-demand to balance hosts that might receive more of less data and require more license.
To review the license allocation:
  1. Log in to the QRadar Console as an administrator.
  2. On the Admin tab, click System and License Management.
  3. Select Licenses from the Display list.
    image-20230404124047-1
  4. Click License Pool Management.
    image-20230404124241-1

    Result
    If the user interface displays a negative value, then hosts in the deployment are allocated license that exceeds the overall license on the Console. Review the License Pool Management interface to determine how much EPS or FPM is over-allocated. In this example, the administrator assigned 4,000 events more than what is available in the Console license and 175,000 flows. You must adjust the license allocation across your appliances to ensure you are not over-allocated.
    image-20230404124511-2

    Note: QRadar Community Edition (CE) users on V7.3.3 can experience a known issue related to license allocations after your initial installation. If you experience license allocation error messages on QRadar Community Edition, you can set your license allocations to zero as managed hosts are not supported to resolve this issue.

     

Resolving The Problem

To resolve the issue, the administrator must decrease the EPS or FPM allocation value of a particular managed host.
Procedure
  1. The administrator needs to identify the quantity of EPS or FPM that is over-allocated by using the License Pool Management page.
    image-20230404132110-1
  2. Click the Edit icon.
    image-20230404132305-1
  3. Update the EPS or FPM allocation values.
    Note: License allocations must be multiples of 100 EPS for events and 5,000 FPM for flows.
    image-20230404132534-1
  4. Click Save.

    Result
    The over-allocated error no longer displays for users. If you are unable to reduce the license pool assignments, you might need to contact your IBM Sales representative to request a license increase for your Console.

    Troubleshooting
    After you save your changes, some users reported that they still experience issues. It is important to alert your users to an event collection restart or note the change for users as they might see short gaps in graph data while services restart.

    Important: Restarting the Event Collection Service stops ecs-ec-ingress for listening to incoming events on all hosts for 5-10 seconds. For more information, see QRadar: Core services and the impact of restarting services.
    1. If your changes are not allocated correctly, click Admin > Advanced > Restart Event Collection Services.
    2. If the issue persists, click Admin > Advanced > Deploy Full Configuration. If there are SourceMonitor Warning messages in the QRadar logs, click Admin > Advanced > Restart Event Collection Services.
    3. If you continue to experience issues, contact QRadar Support for assistance.

Related Information

Shared license pool

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
10 April 2023

UID

ibm16964816

Page Feedback