IBM Support

QRadar: MVS tool and enterprise licensing reporting FAQ

Question & Answer


Question

QRadar software has an enterprise model that allows customers to license based on the size of their IT infrastructure. The pricing metric is Managed Virtual Servers (MVS™). All physical and virtual servers in the customer environment are counted. This model offers unlimited users, actions, and data ingestion. An updated MVS script is available on IBM Fix Central for users to count the servers in their infrastructure. This technical note outlines the latest version of the MVS tool that administrators can use to count servers for enterprise licensing.

Answer

What's new in MVS 2.1?
MVS tool 2.1 includes several new features and updates:
  • Added domain separation counts for MVS estimates. The report now breaks out the MVS count by domain and includes an individual CSV file for each domain configured in QRadar. For example, an MVS output for a deployment with three domains (0 (Default), Domain1, and Domain2) lists a separate count for each of them.
  • Allow users to exclude Kubernetes or VPN IP addresses by CIDR or IP address ranges.
  • Improved the MVS counting with:
    • Mobile devices are excluded based on their names.
    • Updated Log Source Device Types to expand the list of servers for improved detection.
    • Updated the Source Ports to identify MVS from server ports from events.
    • Added support to count HTTP response code (200) events.
  • Hardened security by allowing only admins to run the MVS tool.

Methods to declare MVS for enterprise licenses
Administrators are typically required to declare MVS to IBM quarterly when using an enterprise license. Because the new MVS utility counts log sources by type, assets, and ports, users might need asset identity exclusion searches to ensure that certain data is not counted as MVS. It is always recommended that you use the -v option in the MVS 2.1 utility to generate a details report of the data that contributed to your MVS score. As you review your MVS output, note that the count reported by the MVS 2.1 utility can increase based on the assets in your QRadar deployment and the tuning applied. If the reported MVS count is higher than expected, users might need an alternate option to report their MVS to IBM. Acceptable methods to report your MVS count include any of the following:
 
  • Provide a count from your CMDB or internal asset tools.
  • Use the MVS 2.1 utility and create asset identity exclusions.
  • Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.


Configuring the MVS 2.1 utility
The MVS utility has been updated to provide more predictive counting and replaces the Python-based MVS counting tool. The updated utility counts log sources by device type, assets discovered through passive flow detection, and scan data that provides operating system information, to determine which assets are counted as IT infrastructure. It adds a new DSM, installed through QRadar auto updates or from IBM Fix Central, that updates asset counts and creates reports that show MVS changes, such as nightly reporting of the latest count and the greatest count.

Types of data the MVS tool reviews:
  • Log source types associated with server operating systems (Windows servers, Linux, AIX, z/OS, Kubernetes nodes, and cloud hosts (IaaS servers)).
  • Ports commonly used by servers (22, 53, 80, 137, 443, 8080)
  • Assets populated into the QRadar asset database with known server operating systems by vulnerability scanners (Windows servers, Linux hosts, Unix, or AIX)
 

Before you begin
  • Administrators must confirm that the DSM-IBMManageVirtualServer DSM is installed on their QRadar Console. To confirm it is installed, check the Admin tab for the DSM-IBMManageVirtualServer DSM. Optionally, from the command line, type yum info DSM-IBMManage* and confirm that the DSM is installed.
    # yum info DSM-IBMManage*
    
    Loaded plugins: product-id, search-disabled-repos
    Installed Packages
    Name        : DSM-IBMManageVirtualServer
    Arch        : noarch
    Version     : 7.5
    Release     : 20240314102425
    Size        : 3.7 M
    Repo        : installed
    From repo   : /DSM-IBMManageVirtualServer-7.5-20240314102425.noarch
    Summary     : DSM IBM Manage Virtual Server Install
    URL         : www.ibm.com
    License     : IBM Corp.
    Description : IBM Manage Virtual Server
  • The mvs.sh tool requires users to provide admin credentials or create an authorized service token to run the utility. The recommended user role permission for the MVS tool is admin to ensure queries for the count can be run. The minimum user role permission level is Log Activity.
Setting up the MVS log source for the first time
The steps for configuring the log source are only required during the initial setup of MVS. If you are upgrading from MVS 2.0 to MVS 2.1, you must download and update the MVS2.1.zip file. For more information, see Running the MVS utility.
 
  1. Optional. If the MVS tool is not installed on your Console, download the DSM from IBM Fix Central and install the DSM:
    yum install -y DSM-IBMManageVirtualServer*
    Note: The weekly auto update for 24 June 2024 installed the DSM-IBMManageVirtualServer RPM file on deployments with automatic updates enabled.
  2. Log in to the QRadar Console as an administrator.
  3. Click the Admin tab.
  4. Click the Log Sources icon.
  5. Click Manage log sources, then select +New Log Source > Single Log Source.
  6. In the Select a Log Source Type field, type MVSCount.
    Note: If this option does not display for you, confirm the IBM Manage Virtual Server DSM is installed.
  7. In the Select a Protocol Type field, select Syslog.
  8. Configure the log source parameters:
    1. Name: Type a name for the log source. Any name is accepted, such as MVS Count.
    2. Description: Optional. Type a description of the log source.
    3. Enabled: Ensure this check box is On.
    4. Log Source Group: Optional. Add the log source to a log source group.
  9. In the Configure protocol parameters field, configure the following parameters:
    1. In the Log Source Identifier field, type ibm.managevirtualserver.
    2. In the Incoming Payload Encoding field, select UTF-8.
  10. Click Finish to save the log source configuration.
  11. From the Admin tab, click the Custom Event Property icon.
  12. Select Extraction Based.
  13. Configure the following values:
    1. In the Tenant field, select N/A because the property should apply to all domains.
    2. Select New Property and type Response Code for the name of the property.
    3. In the Field Type, select numeric.
    4. Ensure the Enabled check box is selected.
    5. From the Log Source Type drop-down list, select Apache HTTP Server.
    6. From the Log Source drop-down list, select All.
    7. From the High Level Category drop-down list, select Any.
    8. From the Low Level Category drop-down list, select Any.
    9. In the Regex field, type:
      " (\d{3}) (\d+|-) (\d+|-|")
      Results
      The custom property is created to allow the MVS tool to count 200 response codes.
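To see exactly what the Response Code property extracts from Apache payloads, the following Python snippet is an added example (not IBM's code and not part of the MVS tool) that applies the same regular expression to a few constructed Apache combined-format access lines and tallies the 200 responses. The sample lines and function names are assumptions; the regex is the one from step 9.

```python
import re
from typing import Dict, List, Optional

# The extraction-based custom property from the steps above. QRadar takes
# capture group 1 as the property value, so (\d{3}) becomes the numeric status code.
RESPONSE_CODE_REGEX = re.compile(r'" (\d{3}) (\d+|-) (\d+|-|")')

# Constructed sample payloads in the Apache combined log format (not real traffic).
SAMPLE_EVENTS = [
    '10.0.0.5 - - [27/Jun/2024:22:09:28 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Jun/2024:22:09:29 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/8.0"',
    # A cached response reports "-" as the size; the second group allows that.
    '10.0.0.5 - - [27/Jun/2024:22:09:30 +0000] "GET /style.css HTTP/1.1" 304 - "http://example.test/" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Jun/2024:22:09:31 +0000] "POST /api/login HTTP/1.1" 200 73 "-" "python-requests/2.31"',
    # Not an Apache access line at all: the regex must not match it.
    'Jun 27 22:09:32 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.2 port 51000',
]


def extract_response_code(payload: str) -> Optional[int]:
    """Return the HTTP status code the custom property would extract, or None when
    the regex does not match (for example, a non-Apache payload)."""
    match = RESPONSE_CODE_REGEX.search(payload)
    return int(match.group(1)) if match else None


def count_by_response_code(payloads: List[str]) -> Dict[int, int]:
    """Tally matching events per status code; non-matching payloads are skipped."""
    counts: Dict[int, int] = {}
    for payload in payloads:
        code = extract_response_code(payload)
        if code is not None:
            counts[code] = counts.get(code, 0) + 1
    return counts


def successful_request_count(payloads: List[str]) -> int:
    """The figure the MVS tool is interested in: how many events carried a 200 code."""
    return count_by_response_code(payloads).get(200, 0)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_response_code(event), "<-", event[:60])
    print("events with a 200 response:", successful_request_count(SAMPLE_EVENTS))
```

The third group only matches when a referrer (or a further number) follows the size, so payloads in the bare common log format, which end after the size, are not matched; if your Apache log source uses that format, the property returns nothing and no 200 events are counted.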
Running the MVS utility
The administrator must download the MVS 2.1 script from IBM Fix Central, extract the files, then run the script. The script searches the last 7 days to create an initial MVS count and evaluates new data collected to update the MVS output.

Procedure
  1. Download the MVS Version 2.1 script from IBM Fix Central.
  2. Copy MVS2.1.zip to the QRadar Console.
  3. Use SSH to log in to the QRadar Console as the root user.
  4. If you are upgrading to a newer version of the MVS tool:
    1. Type the following command to stop the tool:
      sh mvs.sh -k
    2. To remove the prior version of the MVS jar, type:
      rm /opt/qradar/jars/mvs-1.0.jar
  5. To create a directory for the tool, type:
    mkdir /store/mvs
  6. Extract MVS2.1.zip to the directory:
    unzip MVS2.1.zip
  7. To run the utility, type:
    sh mvs.sh -s -v
    Note: The verbose option is recommended the first time administrators run the MVS count utility to create the mvs_details.csv file to understand the servers included in the initial count.
  8. The tool provides a summary of the types of data that are counted.
    # sh mvs.sh -s -v
    
    The MVS utility counts assets using Operating System information, Log Source Types, and Ports 
    commonly used by servers. To receive an estimated MVS report, it is advised that tune assets 
    on your Console.
    
    For configuration and tuning information, see: https://ibm.biz/qradarmvs.
    
    Do you want to run the MVS tool now (Y/N)?
  9. Tune any IP addresses or CIDR ranges the MVS tool should exclude for Kubernetes.
    Would you want to exclude the IP ranges of Kubernetes (Y/N)?  Y
    
    Please provide Kubernetes IP ranges to would like to exclude:
    
    1: CIDR Ranges
    2: IP Ranges 
    (q to quit)
    
    Please enter your choice: 1
    
    Enter CIDR Range: 10.0.0.0/24, 10.0.0.0/16
  10. To exclude any assets that are not servers, such as VPN client addresses, provide the VPN IP ranges:
    Would you want to exclude the IP ranges of VPN(Y/N)?  Y
    
    Please provide VPN IP ranges to would like to exclude:
    
    1: CIDR Ranges
    2: IP Ranges 
    (q to quit)
    
    Please enter your choice: 1
    
    Enter CIDR Range: 192.168.1.100-192.168.1.255,10.1.1.10-10.1.1.255
  11. Select a permission level for the MVS utility.
    Note: The user or authorized service token user role can be an admin user role for the permission. Users who want to run with reduced permissions can use the Log Activity user role as a minimum permission level.
  12. Which authentication would you like to use:
    1: Admin user
    2: Authorized service
    (q to quit)
    Please enter your choice:
  13. Wait for the MVS utility to run:
    Username: admin
    Password:
    starting MVS counter...
    validating MVS running...
    ..........
    MVS Counter process started successfully.
    
  14. Wait for the CSV files to be created in the /store/mvs directory.

    Results
    The tool rights nightly at midnight to generate new MVS reports. The MVS 2.1 utility can create multiple files for administrators if domains are configured in QRadar:
  • count_mvs.csv - This file has a summary of the overall count that administrators can use to declare MVS licenses to IBM. If you have domains configured a summary is also outlined for each domain.
    image-20240628001544-4
  • mvs_details.csv - If the verbose option is enabled, a details file is created. The details file allows administrators to review the results of the MVS utility to understand the overall count. As the details file has asset information, users are not required to submit this file to IBM.
    image-20240701075324-1
  • {domainname}_mvs_count.csv - A file is created for each domain, which is then summarized in the mvs_count.cvs file.
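The Kubernetes and VPN prompts in the procedure above accept comma-separated CIDR blocks or dashed IP ranges. The following Python snippet is an added example (not IBM's code and not the logic inside mvs.sh) that parses both input formats exactly as typed in the procedure and applies them to a constructed asset list, so an administrator can check what a given exclusion string would remove before running the tool. The asset records, helper names and the acceptance of a bare single IP are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed exclusion input in the two formats the mvs.sh prompts accept
# (CIDR blocks and dashed IP ranges), comma-separated as shown in the procedure.
KUBERNETES_EXCLUSIONS = "10.0.0.0/24, 10.0.0.0/16"
VPN_EXCLUSIONS = "192.168.1.100-192.168.1.255,10.1.1.10-10.1.1.255"

# Constructed asset records in the spirit of mvs_details.csv: (ip, hostname, evidence).
SAMPLE_ASSETS = [
    ("10.0.3.15", "k8s-node-01", "Log Source Type"),
    ("10.1.1.20", "vpn-client-20", "Identity"),
    ("10.1.1.5", "db01", "Operating System"),
    ("192.168.1.150", "vpn-client-150", "Identity"),
    ("192.168.1.10", "web01", "Port"),
    ("172.16.4.7", "app01", "Operating System"),
]

# An exclusion is stored as (ip version, first address as int, last address as int)
# so that an IPv4 range can never accidentally match an IPv6 address or vice versa.
Exclusion = Tuple[int, int, int]


def parse_exclusions(text: str) -> List[Exclusion]:
    """Parse a comma-separated list of CIDR blocks, dashed ranges or single IPs.
    Whitespace around tokens is ignored. A malformed token raises ValueError so a
    typo cannot silently exclude nothing (or everything)."""
    exclusions: List[Exclusion] = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if "/" in token:
            net = ipaddress.ip_network(token, strict=False)  # strict=False tolerates host bits set
            exclusions.append((net.version, int(net.network_address), int(net.broadcast_address)))
        elif "-" in token:
            start, end = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if start.version != end.version or int(start) > int(end):
                raise ValueError(f"invalid IP range: {token}")
            exclusions.append((start.version, int(start), int(end)))
        else:
            addr = ipaddress.ip_address(token)
            exclusions.append((addr.version, int(addr), int(addr)))
    return exclusions


def is_excluded(ip: str, exclusions: List[Exclusion]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(version == addr.version and first <= int(addr) <= last
               for version, first, last in exclusions)


def apply_exclusions(assets, *exclusion_texts: str):
    """Split assets into (kept, excluded) using every exclusion list given."""
    exclusions = [e for text in exclusion_texts for e in parse_exclusions(text)]
    kept = [a for a in assets if not is_excluded(a[0], exclusions)]
    excluded = [a for a in assets if is_excluded(a[0], exclusions)]
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = apply_exclusions(SAMPLE_ASSETS, KUBERNETES_EXCLUSIONS, VPN_EXCLUSIONS)
    print("still counted:", [a[1] for a in kept])
    print("excluded:     ", [a[1] for a in excluded])
```

Note that 10.0.0.0/16 already contains 10.0.0.0/24, so the second Kubernetes block in the sample input is redundant; overlapping ranges are harmless here, but a range that is wider than intended removes real servers from the count, which is why reviewing mvs_details.csv after an exclusion change is worthwhile.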

Requesting support assistance

The MVS tool reports the estimated server count based on the data available within QRadar. Administrators who experience issues can open a support case to receive assistance with MVS counts, reporting, tuning, configuration help, questions about MVS, or error messages.

Required log files
To understand how the MVS tool counted the servers in your network, several files are required. To best assist you and understand your issue, attach the following files to your support case:
  • /var/log/mvs.log
  • /store/mvs/count_mvs.csv
  • /store/mvs/mvs_details.csv
  • /store/mvs/{domainname}_mvs_count.csv
     
Logging a case for the MVS tool
  1. Open a case with QRadar Support: https://www.ibm.com/mysupport/s/createrecord/NewCase
  2. Log in with your IBM ID.
  3. In the Type of support field, select Product support.
  4. In the Case title field, type MVS tool help.
    Note: The keyword MVS is important in the case title as it helps our support system more effectively route your case to the proper support team.
  5. Complete the product information fields and select your QRadar software version.
  6. In the Severity and account information section, select a Severity and include your business impact. The impact might be counting issues or errors you experience with the MVS tool.
  7. Fill out the Case Description field and ensure you attach your logs and verify your contact number. If you plan to be out of the office, you can add a team member from your organization to your case.

    Results
    A QRadar Support representative will review the case and contact you using your preferred method of communication.

What types of servers need to be reported for enterprise licenses?

Administrators are expected to report both physical and virtual servers protected by QRadar. Reported servers include all physical and virtual servers in use, including servers in Amazon AWS, Microsoft Azure, or Google Cloud. If these servers report events to QRadar, or their IP addresses or hostnames appear in identity events sent to QRadar, they are counted by the MVS tool.

What's counted as MVS:
  • All servers (physical and virtual)
    • Servers are counted regardless of infrastructure: Amazon AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud.
    • Operating systems: Windows, Linux (Ubuntu, Red Hat, Kali, and other distros), Unix, HP-UX, and AIX.
  • Kubernetes Nodes
  • Satellite ground stations
What is excluded from MVS:
  • Network infrastructure
    • Routers and switches
    • Firewalls and VPNs
    • Load balancers
    • Proxies
    • Intrusion Prevention Systems (IPS)
    • File Integrity Monitoring (FIM) or File Activity Monitoring (FAM)
    • Data Loss Prevention (DLP)
    • Audio-visual (AV) equipment
  • Client endpoints
    • Workstations
    • Point of Sale devices
    • Meters
    • Network storage and disk drives
  • IoT infrastructure
  • SaaS solutions

Troubleshooting

Users who experience issues with the MVS tool can review the logs in /var/log/mvs/mvs.log.

Incorrect permissions
If your user permission is not correct, the following error message is displayed in the log:

[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authenticate user request status: 401
[QRADAR] [main] com.mvs.counter.MvsManager: [ERROR] [NOT:0000003000][-/- -] [-/- -]Credentials are not valid, killing process - 3539
[QRADAR] [main] com.mvs.counter.MvsManager: [INFO] [NOT:0000006000][-/- -] [-/- -]Authentication has been completed successfully false
Stopping the MVS utility
If you need to stop the script for any reason, you can use the -k option to kill the utility.
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the MVS directory, such as /store/mvs.
  3. To stop the utility, type:
    sh mvs.sh -k
      Results
      The utility is halted.

The MVS script fails to start
If the MVS script fails to start, administrators can complete the following procedure:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Navigate to the /opt/qradar/jars directory.
  3. To remove the jar file, type:
    rm mvs-1.0.jar
  4. Navigate to the MVS directory, such as /store/mvs.
  5. To replace the removed jar file and restart the utility, type:
    sh mvs.sh -s -v
  6. When prompted, select the permission level (admin user or authorized service) and provide the credentials so that the script can start.

    Results
    If the script continues to fail, you can contact QRadar Support for assistance.

How often does the MVS script run?

The MVS tool runs daily at midnight hardware time on the Console to create a new MVS output file.

Why do I see unknown assets in the MVS tool?

The MVS tool outputs a detailed list of IP addresses and hostnames that contributed to the MVS score. Depending on the tuning applied to your asset database, unknown assets might be counted. Administrators need to review the output to confirm the number of IT servers in use so that the best possible number can be declared for licensing.

The numeric score output by the MVS tool depends on the data within QRadar. If you want to improve the MVS count accuracy, you can:

  • Run a vulnerability assessment import on QRadar to collect the operating system information for assets in your network. QRadar supports Qualys, Beyond Security, Rapid7, Outpost24, Tripwire, Saint, and more. To configure a vulnerability import to update assets, see our Supported vulnerability scanners list.
  • Create asset identity exclusions from real-time searches to exclude assets you do not want counted by MVS.
  • Ensure the network hierarchy is up to date so that you are not collecting assets outside of your network, such as remote-to-remote traffic.

How can I tune my asset database to report better results?

Because the MVS script uses the asset database to generate the MVS count, administrators can find unknowns, such as mobile phones on the network or other unidentified assets, added to the count when they review the mvs_details.csv file. Administrators who need to tune their assets to prevent such hosts from being counted as MVS should create real-time searches for the asset types they want to exclude, such as VPNs, load balancers, or other asset types.

What types of data should I tune with identity exclusions?

  • VPN users with different DHCP addresses. For example, 10.3.18.19, 10.3.18.22, 10.3.20.21, 10.3.20.25
  • Workstation IP addresses or hostnames, for example “JOHN” or “DESKTOP-XXX”
  • Mobile phone IP addresses or hostnames, for example “galaxy-xx” or “iphone-xx”
  • MAC addresses that report as ::1


References

What data does the MVS tool use in QRadar to create an MVS count report?

Operating systems that contribute to MVS
Asset data with operating system information, added by VA scanner imports, is used to distinguish servers from endpoints in QRadar and to create a list of hostnames and IP addresses for MVS counting reports. The following operating systems are used to generate MVS counts from data within QRadar:

  • Windows Servers
  • Linux Servers
  • AIX Servers
  • AS/400
  • zOS
  • and other Server OS
  • Kubernetes Nodes
  • Satellite ground stations
  • Apache HTTP servers with HTTP code 200


Log Source Types that contribute to MVS
Log source types that are configured in QRadar and are common to servers are evaluated to estimate the number of servers. Each log source enabled for one of the following log source types counts as 1 MVS:

    Log Source Type Name
    Ambiron TrustWave ipAngel Intrusion Prevention System
    Apache HTTP Server
    EMC VMware
    EMC VMware vCenter
    EMC VMware vCloud
    FreeRADIUS
    GenericAuthServer/Configurable Authentication message filter
    Hewlett Packard UniX (HP-UX)
    HP Tandem
    IBM AIX Server
    IBM DB2
    IBM i
    IBM Informix
    IBM RACF
    IBM Security Access Manager for Mobile
    IBM Security Directory Server
    IBM Security Trusteer
    IBM WebSphere Application Server
    IBM AIX Audit
    IBM zSecure Alert
    Linux DHCP
    Linux IPtables
    Linux login messages
    Microsoft DHCP Server
    Microsoft DNS Debug
    Microsoft Exchange Server
    Microsoft IAS Server
    Microsoft IIS Webserver Logs (IIS)
    Microsoft ISA
    Microsoft SQL Server
    Microsoft Hyper-V
    Microsoft SharePoint
    OpenBSD OS
    OpenLDAP
    Oracle Database Listener
    Oracle RDBMS OS Audit Record
    Oracle Alert Logs
    Oracle BEA WebLogic
    Oracle FGA
    PostFix Mail Transfer Agent
    SecureAuth IdP
    SecWorld XGF Series
    Solaris Operating System Authentication Messages
    Solaris Operating System DHCP Logs
    Solaris Operating System Sendmail Logs
    Solaris BSM
    SQL Server Trace
    Squid Web Proxy
    Sun ONE LDAP
    Sybase ASE
    WinCollect
    WindowsAuthServer



Ports that contribute to MVS
Open ports are counted for common server communications, where data is exchanged from computer to computer on ports that are common to servers. Because QRadar detects common port traffic from flow data, this can be used to help identify servers where operating system information is available. The following ports are counted as server communication, and each asset that communicates on these ports counts as 1 MVS.

    Port number                                  Server port association
    25, 465, 587, 110, 143, 993, 995, 563, 1352  Mail server
    3128, 1080, 3127                             Proxy server
    111, 369, 530                                RPC server
    161, 162                                     SNMP server
    22                                           SSH server
    514, 1514                                    Syslog server
    80, 8080, 443, 8000, 8001                    Web server
    135, 137, 138, 139, 445, 593                 Windows server
Hostnames for mobile devices that are excluded from MVS estimates
In earlier versions of the MVS tool, assets with hostnames that belonged to mobile devices could be incorrectly counted. For this reason, MVS tool 2.1 has an exclusion list for common mobile devices. Assets with the following hostnames are expected not to be counted as MVS, as they are likely mobile phones:
    Device hostname
    android
    asus
    blackberry
    galaxy
    google
    honor
    huawei
    ipad
    iphone
    ipod
    mate
    moto
    motorola
    oneplus
    oppo
    pixel
    redmi
    reno
    samsung
    sony
    vivo
    xiaomi
    xperia
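To make the port associations and the mobile hostname exclusion concrete, the following Python snippet is an added example (not IBM's code and not the MVS tool's own logic) that classifies a constructed set of asset records the way this reference section describes: an asset whose hostname matches a mobile keyword is dropped, and an asset with a server operating system or with traffic on one of the server ports above counts as 1 MVS. The asset records, the operating system keywords, and the use of case-insensitive substring matching for hostnames are assumptions; the page does not state how the tool matches hostnames.

```python
from typing import Dict, List, Set, Tuple

# Server port associations from the table above (constructed here; assumed to mirror the tool's list).
SERVER_PORTS: Dict[str, Set[int]] = {
    "Mail server": {25, 465, 587, 110, 143, 993, 995, 563, 1352},
    "Proxy server": {3128, 1080, 3127},
    "RPC server": {111, 369, 530},
    "SNMP server": {161, 162},
    "SSH server": {22},
    "Syslog server": {514, 1514},
    "Web server": {80, 8080, 443, 8000, 8001},
    "Windows server": {135, 137, 138, 139, 445, 593},
}

# Mobile device hostname keywords from the list above. Substring matching is an
# assumption of this example; the note does not say whether the tool matches prefixes.
MOBILE_HOSTNAME_KEYWORDS = (
    "android", "asus", "blackberry", "galaxy", "google", "honor", "huawei", "ipad",
    "iphone", "ipod", "mate", "moto", "motorola", "oneplus", "oppo", "pixel", "redmi",
    "reno", "samsung", "sony", "vivo", "xiaomi", "xperia",
)

# Operating system keywords treated as server evidence (assumed, based on the OS list in this note).
SERVER_OS_KEYWORDS = ("windows server", "linux", "aix", "as/400", "z/os", "kubernetes")

# Constructed asset records: hostname, OS from a VA scan (may be empty), and ports seen in flows.
SAMPLE_ASSETS = [
    {"ip": "10.10.1.5",  "hostname": "web01",         "os": "Linux Ubuntu 22.04",  "ports": {22, 443}},
    {"ip": "10.10.1.6",  "hostname": "dc01",          "os": "Windows Server 2019", "ports": {135, 445}},
    {"ip": "10.10.2.40", "hostname": "iphone-jsmith", "os": "",                    "ports": {8080}},
    {"ip": "10.10.2.41", "hostname": "DESKTOP-7Q2",   "os": "Windows 11",          "ports": set()},
    {"ip": "10.10.3.9",  "hostname": "",              "os": "",                    "ports": {25, 587}},
    # A real Linux server whose name happens to contain the keyword "mate".
    {"ip": "10.10.3.12", "hostname": "automate01",    "os": "Linux RHEL 9",        "ports": {22}},
]


def is_mobile_hostname(hostname: str) -> bool:
    name = hostname.lower()
    return any(keyword in name for keyword in MOBILE_HOSTNAME_KEYWORDS)


def server_roles(ports: Set[int]) -> List[str]:
    """Server roles implied by the ports an asset was seen serving on."""
    return sorted(role for role, role_ports in SERVER_PORTS.items() if ports & role_ports)


def has_server_os(os_name: str) -> bool:
    name = os_name.lower()
    return any(keyword in name for keyword in SERVER_OS_KEYWORDS)


def estimate_mvs(assets) -> Tuple[int, List[dict]]:
    """Return (count, details). Each detail row records why an asset was counted,
    excluded, or ignored, which is the kind of evidence an administrator reviews
    in mvs_details.csv before declaring a number."""
    details = []
    for asset in assets:
        roles = server_roles(asset["ports"])
        if is_mobile_hostname(asset["hostname"]):
            status, evidence = "excluded", "mobile device hostname"
        elif has_server_os(asset["os"]):
            status, evidence = "counted", f"server OS: {asset['os']}"
        elif roles:
            status, evidence = "counted", "server ports: " + ", ".join(roles)
        else:
            status, evidence = "not counted", "no server evidence"
        details.append({"ip": asset["ip"], "hostname": asset["hostname"],
                        "status": status, "evidence": evidence})
    count = sum(1 for row in details if row["status"] == "counted")
    return count, details


if __name__ == "__main__":
    total, rows = estimate_mvs(SAMPLE_ASSETS)
    for row in rows:
        print(f"{row['ip']:<12} {row['hostname']:<14} {row['status']:<12} {row['evidence']}")
    print("estimated MVS:", total)
```

The automate01 row is the caveat worth noticing: under substring matching, a keyword such as "mate" or "reno" can exclude a genuine Linux server, just as an unknown asset with nothing but a mail port is counted. Either way, the details file, not the summary count, is what shows whether the estimate reflects the servers actually in use.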

     

What are my reporting options?

The MVS tool generates an MVS count based on data evaluated in QRadar. Administrators who experience problems with the MVS tool can contact their sales representative or customer success lead for assistance. Because tuning of the assets might be required, administrators have the option to use another tool to declare their MVS count for licensing purposes. If you experience issues with the MVS script, you can discuss using a scan report, such as a Tenable Nessus credentialed scan, to assist with the MVS process.


Acceptable methods to report your MVS count can include any of the following:

  • Provide a count from your CMDB or internal asset tools.
  • Use the MVS 2.1 utility and create asset identity exclusions.
  • Scan report from a VA scanner. Several vendors provide credentialed scans that can report the OS version or application information. These details can be used to count servers or provide an OS overview through default report types.
  • Use the original Python MVS script to count MVS: https://github.com/IBM/count-mvs.

What about temporary servers?

When MVS is reported, users are expected to report the assets protected by QRadar directly or indirectly. Administrators who use the MVS 2.1 utility are provided a nightly MVS count and a greatest count, which record the current count of MVS and the highest value recorded. Administrators are required to report the greatest MVS number seen by the tool. Servers identified by the MVS tool can drop off the count after the asset expires based on the Asset Profiler Configuration set by the administrator. By default, the asset profiler keeps automatically discovered assets for 120 days, but administrators can configure this time frame.

[Image: sample count_mvs.csv output showing the nightly count and the greatest count]

In this example, users would report an MVS count of 502.


Document Information

Modified date:
15 October 2024

UID

ibm17159084