Hello,

I want to know if its possible to connect two Qradar. I want to forward the events from one Qradar deployment to another (in a different building). So, will be there any problem for twice the EPS? 


Thank you

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

If you want to forward events from one QRadar instance to another, you can achieve that through Admin > Routing rules:
- click to Add, check the Match all incoming events (or chose the criteria that meets your requirements),
- underneath keep Forward checkbox on,
- use the Manage destinations link, click Add and enter the target QRadar's IP address, keep the Payload option, then Save
With this you should be able to get the unchanged raw payload on the target instance.
I do not recall any issues with EPS on the forwarding instance in this scenario, as the license enforcement should be on the ingress side.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Tue December 10, 2019 03:19 AM
From: Aitor Vivanco Sata Cruz
Subject: Connect two Qradar

Hello,

I want to know if its possible to connect two Qradar. I want to forward the events from one Qradar deployment to another (in a different building). So, will be there any problem for twice the EPS? 


Thank you

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Hi @Aitor Vivanco Santa Cruz,

@Dusan VIDOVIC is right.

What do you want to achieve and what do you exactly mean by connect? You can forward logs from one deployment to another as Dusan mentioned.
And the EPS will of course be counted also for the events that you forward. Which means that the EPS will be counted in the first system and then also in the second system as well.
​​​​

------------------------------
Chinmay Kulkarni
------------------------------

Original Message:
Sent: Tue December 10, 2019 03:19 AM
From: Aitor Vivanco Sata Cruz
Subject: Connect two Qradar

Hello,

I want to know if its possible to connect two Qradar. I want to forward the events from one Qradar deployment to another (in a different building). So, will be there any problem for twice the EPS? 


Thank you

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Hi Aitor,

are you aware, that there can be various QRadar machine in one "QRadar deployment"? You can have just one QRadar console or All-in-one in a deployment. But it can be extended with several components as event processors and event collectors and this components can be located all over the world. In that case you just need the EPS once.

I just wanted to clarify this, because you wrote "different  building".

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Tue December 10, 2019 03:19 AM
From: Aitor Vivanco Sata Cruz
Subject: Connect two Qradar

Hello,

I want to know if its possible to connect two Qradar. I want to forward the events from one Qradar deployment to another (in a different building). So, will be there any problem for twice the EPS? 


Thank you

------------------------------
Aitor Vivanco Sata Cruz
------------------------------