IBM QRadar

Hi,

I have a new client with a very small EPS (100). I'm going to use an EP to collect logs (surprisingly it can act as EC as well). I'm aware of the standard config of this appliance, but it is overkill for this, so what is the absolute minimum CPU and memory wise for an EP as a VM?

Thank you
Laszlo

------------------------------
Laszlo Pal
------------------------------

I have had experiences where the setup has required me to add additional hardware upon installing the managed host, as they were below the minimum requirements - I haven't attempted to alter the hardware post deployment and wouldn't expect it to check again.

Would be keen on knowing how "skinny" you can make a EP also.

------------------------------
JH
------------------------------

Original Message:
Sent: Wed November 06, 2019 04:55 AM
From: Laszlo Pal
Subject: Absolut minimum HW config for EP

Hi,

I have a new client with a very small EPS (100). I'm going to use an EP to collect logs (surprisingly it can act as EC as well). I'm aware of the standard config of this appliance, but it is overkill for this, so what is the absolute minimum CPU and memory wise for an EP as a VM?

Thank you
Laszlo

------------------------------
Laszlo Pal
------------------------------

Hi,

After a quick test on my laptop, I've found 8 GB of RAM is the absolute minimum (with less, it will not install). It seems it is not sensitive to the cpu cores, since it is fine with only 2vcpu. Storage wise the minimum is somewhere 100GB.

I'm not sure how it will work in production, but I'll test

L:

------------------------------
Laszlo Pal
------------------------------

Original Message:
Sent: Thu November 07, 2019 04:44 AM
From: James Hill
Subject: Absolut minimum HW config for EP

I have had experiences where the setup has required me to add additional hardware upon installing the managed host, as they were below the minimum requirements - I haven't attempted to alter the hardware post deployment and wouldn't expect it to check again.

Would be keen on knowing how "skinny" you can make a EP also.

------------------------------
JH

Original Message:
Sent: Wed November 06, 2019 04:55 AM
From: Laszlo Pal
Subject: Absolut minimum HW config for EP

Hi,

I have a new client with a very small EPS (100). I'm going to use an EP to collect logs (surprisingly it can act as EC as well). I'm aware of the standard config of this appliance, but it is overkill for this, so what is the absolute minimum CPU and memory wise for an EP as a VM?

Thank you
Laszlo

------------------------------
Laszlo Pal
------------------------------

Hi Laszlo,

we also had this problem. 
First be aware that there is a big difference between an EP and an EC. The EC is just collection events and then forwarding them to an EP. The EP on the other side is storing the events and also searching them if the console is telling it to do so. So there is more workload on an EP, more active processes.

So you have different requirements for an EC than for an EP.

Some requirements I found are:
- you need 256GB of storage (I always take 300GB because the VM also needs to configure some swap and so on.)
- don't miss the IOPS even for a very small system your disk performance should not be less than 300 IOPS. (with less your system will probably react slow and freeze time by time.

Please see also this link:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_siem_vrt_ap_reqs.html

Minimum RAM requirement is 12GB with 7.3.2 (but as it is a VM you can cut this after the installation ;-) , I would recommend at least 8GB for an EP and 4 GB for an EC (not tested!)

Minimum CPU requirement is 4 cores (I guess this is not so important, but as virtuell appliance how cares about cpu cores?)

I hope this helps.

Greetings Oliver


------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Wed November 06, 2019 04:55 AM
From: Laszlo Pal
Subject: Absolut minimum HW config for EP

Hi,

I have a new client with a very small EPS (100). I'm going to use an EP to collect logs (surprisingly it can act as EC as well). I'm aware of the standard config of this appliance, but it is overkill for this, so what is the absolute minimum CPU and memory wise for an EP as a VM?

Thank you
Laszlo

------------------------------
Laszlo Pal
------------------------------

Original Message------

Hi Laszlo,

we also had this problem. 
First be aware that there is a big difference between an EP and an EC. The EC is just collection events and then forwarding them to an EP. The EP on the other side is storing the events and also searching them if the console is telling it to do so. So there is more workload on an EP, more active processes.

So you have different requirements for an EC than for an EP.

Some requirements I found are:
- you need 256GB of storage (I always take 300GB because the VM also needs to configure some swap and so on.)
- don't miss the IOPS even for a very small system your disk performance should not be less than 300 IOPS. (with less your system will probably react slow and freeze time by time.

Please see also this link:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_siem_vrt_ap_reqs.html

Minimum RAM requirement is 12GB with 7.3.2 (but as it is a VM you can cut this after the installation ;-) , I would recommend at least 8GB for an EP and 4 GB for an EC (not tested!)

Minimum CPU requirement is 4 cores (I guess this is not so important, but as virtuell appliance how cares about cpu cores?)

I hope this helps.

Greetings Oliver


------------------------------
Kind regards
Oliver
------------------------------

Hi let me put this in the right place:

A console always includes an internal EP and an internal EC component.
An EP is always connected to one console and always includes an internal EC. Plus it can collect events from many dedicated ECs.
An EC is always connected to one EP.

Events are always stored on the device which holds the EP component where the events are processed.

I hope this clear now?

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Fri November 08, 2019 04:47 AM
From: Laszlo Pal
Subject: Absolut minimum HW config for EP

Hi,

 

Thank you. There are couple of things I need to add this

 

• 4 GB RAM is not an option because install will complain about it, so what I've found 8 GB is the absolute minimum
• Also based on real world experience EP/FP role can act as EC as well. Maybe it is some kind of undocumented feature allowing to save some resource for some small customers. We already have such vm-s, and IBM trainer recently confirmed EP can be EC as well. This is good especially for clients where you have to keep logs locally

 

L:

 

Original Message------

Hi Laszlo,

we also had this problem. 
First be aware that there is a big difference between an EP and an EC. The EC is just collection events and then forwarding them to an EP. The EP on the other side is storing the events and also searching them if the console is telling it to do so. So there is more workload on an EP, more active processes.

So you have different requirements for an EC than for an EP.

Some requirements I found are:
- you need 256GB of storage (I always take 300GB because the VM also needs to configure some swap and so on.)
- don't miss the IOPS even for a very small system your disk performance should not be less than 300 IOPS. (with less your system will probably react slow and freeze time by time.

Please see also this link:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_siem_vrt_ap_reqs.html

Minimum RAM requirement is 12GB with 7.3.2 (but as it is a VM you can cut this after the installation ;-) , I would recommend at least 8GB for an EP and 4 GB for an EC (not tested!)

Minimum CPU requirement is 4 cores (I guess this is not so important, but as virtuell appliance how cares about cpu cores?)

I hope this helps.

Greetings Oliver


------------------------------
Kind regards
Oliver
------------------------------

Original Message------

Hi let me put this in the right place:

A console always includes an internal EP and an internal EC component.
An EP is always connected to one console and always includes an internal EC. Plus it can collect events from many dedicated ECs.
An EC is always connected to one EP.

Events are always stored on the device which holds the EP component where the events are processed.

I hope this clear now?

------------------------------
Kind regards
Oliver
------------------------------