IBM QRadar

Hi everyone,



Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

I would not recommend using the same database on the console as the product itself.

Not withstanding the warranty aspects, any impact on performance is going to make problem diagnosis tricky.

Avoid doing this is my recommendation.

------------------------------
Darren H.
------------------------------

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

Hi Darren,

Thank you for your advice. 

Actually we were considering creating a new db, not the same db.
You are mentioning that, too?

Thank you.
Regards.

------------------------------
Halil BALIM
------------------------------

Original Message:
Sent: Thu April 09, 2020 06:35 AM
From: Darren H.
Subject: Creating a new DB on QRadar PSQL

I would not recommend using the same database on the console as the product itself.

Not withstanding the warranty aspects, any impact on performance is going to make problem diagnosis tricky.

Avoid doing this is my recommendation.

------------------------------
Darren H.

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

Hi,

Qradar should be considered as an appliance, so as you are not changing the incoming gas to hydrogen in your kitchen, you should carefully touch any component of Qradar especially the databases and the docker internal infrastructure... Why you don't install a separate server for your custom needs? What kind of timestamp issues are you facing with?

L:

------------------------------
Laszlo Pal
------------------------------

Original Message:
Sent: Fri April 10, 2020 03:24 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi Darren,

Thank you for your advice. 

Actually we were considering creating a new db, not the same db.
You are mentioning that, too?

Thank you.
Regards.

------------------------------
Halil BALIM

Original Message:
Sent: Thu April 09, 2020 06:35 AM
From: Darren H.
Subject: Creating a new DB on QRadar PSQL

I would not recommend using the same database on the console as the product itself.

Not withstanding the warranty aspects, any impact on performance is going to make problem diagnosis tricky.

Avoid doing this is my recommendation.

------------------------------
Darren H.

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

As noted by Laszlo ... to be specific on the terminology, implement a separate database within a separate postgres instance on a separate appliance (server).

Do not implement a database within the same postgres instance as the QRadar appliance (server).

QRadar is pretty much a real-time system so anything you are doing will affect performance (even marginally) and will probably invalidate any support arrangements you have.

I hope this clarifies.

------------------------------
Darren H.
------------------------------

Original Message:
Sent: Fri April 10, 2020 03:24 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi Darren,

Thank you for your advice. 

Actually we were considering creating a new db, not the same db.
You are mentioning that, too?

Thank you.
Regards.

------------------------------
Halil BALIM

Original Message:
Sent: Thu April 09, 2020 06:35 AM
From: Darren H.
Subject: Creating a new DB on QRadar PSQL

I would not recommend using the same database on the console as the product itself.

Not withstanding the warranty aspects, any impact on performance is going to make problem diagnosis tricky.

Avoid doing this is my recommendation.

------------------------------
Darren H.

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

Hi,

Thank you all for your answers. I was thinking like you, however, our customer insist of getting a reply from someone official. 

I believe, it is enough for them as you think like me.

Thank you for all of your thoughts.

------------------------------
Halil BALIM
------------------------------

Original Message:
Sent: Tue April 14, 2020 08:50 AM
From: Darren H.
Subject: Creating a new DB on QRadar PSQL

As noted by Laszlo ... to be specific on the terminology, implement a separate database within a separate postgres instance on a separate appliance (server).

Do not implement a database within the same postgres instance as the QRadar appliance (server).

QRadar is pretty much a real-time system so anything you are doing will affect performance (even marginally) and will probably invalidate any support arrangements you have.

I hope this clarifies.

------------------------------
Darren H.

Original Message:
Sent: Fri April 10, 2020 03:24 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi Darren,

Thank you for your advice. 

Actually we were considering creating a new db, not the same db.
You are mentioning that, too?

Thank you.
Regards.

------------------------------
Halil BALIM

Original Message:
Sent: Thu April 09, 2020 06:35 AM
From: Darren H.
Subject: Creating a new DB on QRadar PSQL

I would not recommend using the same database on the console as the product itself.

Not withstanding the warranty aspects, any impact on performance is going to make problem diagnosis tricky.

Avoid doing this is my recommendation.

------------------------------
Darren H.

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

Hi,

I'm not sure I understand the requirement, but if you are looking at saving timestamps of files in /store/event/payload to check if they are changed, then you should use hashing as described here: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_check_event_flow_log_integrity.html - This is basically checking the integrity of data.

You should open a ticket with IBM support if you are after an official response. I don't think it will be supported as QRadar is an appliance and you are not meant to make that type of changes.


------------------------------
Cheers,
Damian Zinni
------------------------------

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------

Just for the information, QRadar does not require or support traditional anti-virus or malware agents, or support the installation of third-party packages or programs.

You can refer the official documentation here: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/c_3rd_party_software_statement.html

Thanks.

------------------------------
Prabir Meher
------------------------------

Original Message:
Sent: Thu April 09, 2020 06:05 AM
From: Halil BALIM
Subject: Creating a new DB on QRadar PSQL

Hi everyone,

We want to use the QRadar psql database for timestamp issues. We have created a new db on the psql and we want to use that db with a different user which we create for only that database on the test QRadar environment. We want to check this information before applying this process on primary one.

I am wondering if creating a new db (with a specific user for that db) on psql QRadar is allowed? Is there any inconvenience to that?  

Also, in functionality, if the timestamped files are located with the log files itself in /store/event/payload directory, does this cause a problem? (For example, while searching, reading log files)

Thank you in advance.

Regards.

------------------------------
Halil BALIM
------------------------------