Olivier, I am sure you are aware of the guidelines related to min 100Mbps to ensure deployment and config replication works. Over that, of course you need to take into account the EPS and realistic log size (based on a realistic mix of log sources you have). Articles (such as this one or other technotes) say you should have over 100Mbs in case of searches and EPS rates starting from 10k.
Usually we see average log size estimates of 700-900 bytes (and no coalescing). I've seen estimates of average compression rates of circa 10:1 (though personally I'd make my guess with somewhat lower rate estimates, to be on the safe side). Take into account your peak EPS rate.
Also to be considered is whether you are doing store & forward (with particular time limits) or real-time event streaming from the collector, and whether flows are included somewhere (then you'd need to take the flow content capture size into account along with the peak FPS/FPM rate).
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed July 28, 2021 01:52 AM
From: Olivier Paridaens
Subject: Compression rate on links
Hi all,
Is there any information on the level of compression reached for communication between the QRadar components, especially between an EC and the EP in a distributed architecture? I am NOT referring to bandwidth required for management traffic between components but bandwidth required to transfer EPS/logs.
Thank you.
Regards
Olivier.
------------------------------
Olivier Paridaens
------------------------------