IBM QRadar

  • 1.  Data Node Accessibility During Down Time.

    Posted Sun December 07, 2025 11:53 AM

    Hello Community,

    I would like to clarify how data accessibility works in QRadar Data Node environments.

    Scenario 1:
    We currently have one Console and two Data Nodes (DN1 and DN2). If one Data Node goes down (for example, DN1), will the data stored on that Data Node remain accessible during the downtime?

    Scenario 2:
    We are planning a two-site setup similar to an HA design:

    • Site A: Primary Console + 2 Data Nodes

    • Site B: Secondary Console + 2 Data Nodes

    Both sites are connected through an extended VLAN, and all 4 Data Nodes are linked to the Primary Console.

    My question is:
    If both Data Nodes in Site B go down, will the data that was previously stored on those Site B Data Nodes still be accessible? Or will that data remain inaccessible until the nodes come back online?



    ------------------------------
    Abu Mussa Elahi
    ------------------------------


  • 2.  RE: Data Node Accessibility During Down Time.

    Posted Mon December 08, 2025 09:08 AM

    Adding Data Nodes under an All-in-One or Event Processor means there will be data rebalancing; data will be distributed among them, as data rebalancing tries to maintain the same percentage of available space on each Data Node. So, only part of the data will be on each Data Node, not a copy of all data.

    On the console runs the ariel_proxy_server service, which proxies search requests from different processes to the ariel_query_server instances running on managed hosts; ariel_query_server sends the requested data back to ariel_proxy_server, which transforms and aggregates the data and stores it for later processing and retrieval. So, if the DN is not up, there is no running ariel_query_server that would respond to the request from the ariel_proxy_server on the console.

    Assuming there is no QRadar HA with DRBD implemented: if DN1 goes down, the data from it will not be available/searchable; this does not impact access to data on DN2 (and your search should return that resulting part). However, if you implement your Data Nodes in a QRadar HA configuration, DRBD will replicate the data, and if one node fails, the remaining node will respond and provide the data from its own copy.

    Regarding your scenario 2 (forgive me for a probably redundant reminder), managed hosts can be part of only one deployment, i.e. only under one console. If the secondary console in Site B is there only for redundancy and is passive, you may opt to do a config/data restore in case the first one fails (DR strategies are a different discussion); maybe, if your Site B is close enough to Site A and you have sufficient network bandwidth, you can implement e.g. your console in HA. If you are considering HA, do check the prerequisites (appliances should not differ meaningfully, hosts should be in the same subnet, latency between primary and secondary host should be kept below 2 ms, link should be 1 Gbps+).



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
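The distribution and search fan-out described in the reply above, as an added illustration that is not from the original thread or from IBM: a small Python model in which two Data Nodes (DN1 and DN2, with constructed capacities and 100 constructed events) receive a rebalanced share of the data, and a console-side search fans out to whichever nodes can answer. Node names, capacities, event contents, the greedy placement rule and the HA standby modelled as a plain copy are assumptions of the model, not QRadar internals.

```python
"""Toy model (added example, not QRadar code) of how Data Nodes hold disjoint
slices of data and how a console-side search fans out to them.

Constructed assumptions: two Data Nodes with different capacities, 100 sample
events, and an optional HA standby modelled as a full copy of one node's slice.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DataNode:
    """A Data Node holding its own unique slice of events (no copy on siblings)."""
    name: str
    capacity: int                       # storage units; one event occupies one unit
    events: Dict[int, dict] = field(default_factory=dict)
    up: bool = True
    ha_standby: Optional["DataNode"] = None   # HA secondary (DRBD-style replica), if any

    def free_fraction(self) -> float:
        return 1.0 - len(self.events) / self.capacity

    def store(self, event_id: int, payload: dict) -> None:
        self.events[event_id] = payload
        if self.ha_standby is not None:  # HA keeps the standby's copy in sync
            self.ha_standby.events[event_id] = payload


def rebalance_ingest(nodes: List[DataNode], events) -> None:
    """Greedy stand-in for rebalancing: each event goes to the node with the
    largest free fraction, so all nodes end up with the same % of free space."""
    for event_id, payload in events:
        target = max(nodes, key=lambda n: n.free_fraction())
        target.store(event_id, payload)


def ariel_search(nodes: List[DataNode],
                 match: Callable[[dict], bool]) -> Tuple[List[dict], List[str]]:
    """Model of ariel_proxy_server fanning a query out to each node's
    ariel_query_server. A node that is down answers only if its HA standby is
    up; otherwise its slice is reported as unreachable and results are partial."""
    hits: List[dict] = []
    unreachable: List[str] = []
    for node in nodes:
        responder = node if node.up else (
            node.ha_standby if node.ha_standby is not None and node.ha_standby.up else None
        )
        if responder is None:
            unreachable.append(node.name)
            continue
        hits.extend(ev for ev in responder.events.values() if match(ev))
    return hits, unreachable


def sample_events(count: int = 100):
    """Constructed sample events; every one of them matches the query below."""
    return [(i, {"id": i, "category": "Authentication", "src": f"10.0.0.{i % 4}"})
            for i in range(count)]


def scenario_no_ha() -> dict:
    """Scenario 1 without HA: DN1 fails, only DN2's slice is searchable."""
    dn1, dn2 = DataNode("DN1", capacity=300), DataNode("DN2", capacity=100)
    rebalance_ingest([dn1, dn2], sample_events())
    dn1.up = False
    hits, unreachable = ariel_search([dn1, dn2], lambda ev: ev["category"] == "Authentication")
    return {"dn1": len(dn1.events), "dn2": len(dn2.events),
            "hits": len(hits), "unreachable": unreachable}


def scenario_with_ha() -> dict:
    """Scenario 1 with DN1 in an HA pair: the standby answers from its copy."""
    dn1, dn2 = DataNode("DN1", capacity=300), DataNode("DN2", capacity=100)
    dn1.ha_standby = DataNode("DN1-standby", capacity=300)
    rebalance_ingest([dn1, dn2], sample_events())
    dn1.up = False
    hits, unreachable = ariel_search([dn1, dn2], lambda ev: ev["category"] == "Authentication")
    return {"hits": len(hits), "unreachable": unreachable}


if __name__ == "__main__":
    print(scenario_no_ha())    # 75 events on DN1, 25 on DN2; 25 hits, DN1 unreachable
    print(scenario_with_ha())  # 100 hits, nothing unreachable
```

Running it shows 75 of the 100 events landing on the larger node and 25 on the smaller one, so both sit at 75% free space; with DN1 down and no HA, the search returns only the 25 events held by DN2 and reports DN1 as unreachable, while with a standby attached to DN1 the same search returns all 100. The model deliberately keeps the two roles apart: rebalancing spreads the data (scalability), and only the HA copy brings it back when a node is lost (redundancy).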



  • 3.  RE: Data Node Accessibility During Down Time.

    Posted Mon December 08, 2025 09:25 AM
    Edited by Perf1 Mon December 08, 2025 09:27 AM

    No. A Data Node is not a redundancy component. It is a scalability component. One unique copy of the data exists on any one of the DNs. As such, if you care about your data and need high availability of it, then you should use a data redundancy component: QRadar HA.

    Moreover, based on your described architecture, it looks like you are trying to implement a DR solution. There is a QRadar DR solution available that automates this for you and describes a sane architecture.

    For additional data safety considerations in QRadar, please refer to the documentation.



    ------------------------------
    Perf1
    ------------------------------



  • 4.  RE: Data Node Accessibility During Down Time.

    Posted Mon December 08, 2025 09:31 AM

    Hi Abu

    If a Data Node is not accessible/down, then the data that is currently on that Data Node will not be searchable until the box is restored. If the Data Node is in HA, then if the primary goes down, the secondary should still be searchable.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 5.  RE: Data Node Accessibility During Down Time.

    Posted Mon December 08, 2025 01:12 PM

    From your explanation, my understanding is that if the Data Node appliance is linked to an HA pair, meaning it is attached to the Primary Console in an HA setup, then the data on the Data Node will remain searchable even if the Primary fails over to the Secondary.



    ------------------------------
    Abu Mussa Elahi
    ------------------------------



  • 6.  RE: Data Node Accessibility During Down Time.

    Posted Thu December 11, 2025 12:52 AM

    Hi Abu.

    Scenario 1:

    My assumptions:

    1. One Console (AIO without HA)
    2. DN1 and DN2 are in HA. 

    With the assumptions above, if DN1 (the primary active Data Node) is down, DN2 will take over and become the secondary active node, and there will not be any data loss. Once the primary DN1 is restored and made active again, DN2 will replicate all the interim data to DN1 from the point DN2 took over as the active node.

    Scenario 2:

    This may have multiple sub-cases.

    My assumptions:

    @ Site A the console is primary-active, DN1 is primary-active and DN2 is secondary-standby.

    @ Site B the console is secondary-standby, DN3 is primary-active and DN4 is secondary-standby.

    Now, as per your question, if both DNs at Site B (DN3 and DN4) go down, then there will be no data loss, because these DNs are connected to the secondary-standby console, which doesn't have the /store partition. All the data is being stored at the console's primary-active node and its associated DNs, i.e. DN1 and DN2.

    Now if, @ Site A, the primary-active console is down, the secondary node @ Site B will become active, and still in this scenario DN1 and DN2 will keep storing the data, as they are communicating with the virtual IP of the console.

    Another scenario @ Site A would be that the primary-active console is up and running and DN1 goes down; in this case DN2 will become active, and this becomes exactly scenario number 1, mentioned above.

    Another scenario @ Site A would be that the primary-active console is up and running and DN2 goes down; in this case nothing will happen, because the primary-active DN, DN1, is still there and keeps storing the data.

    When DN3 and DN4 will come into action:

    DN3 and DN4 will come into action only when the Site A console is down along with DN1 and DN2. Then, in this scenario, the secondary console will become active and DN3 will be working as the primary-active DN at this time.

    But now, if Site A is restored and the console is made active along with DN1 and DN2, then the data in the secondary console's internal storage will be replicated to the Site A console. But I am not sure what will happen with the DN3 and DN4 interim data. Will it be replicated to DN1 or DN2? This needs to be tested in the lab.

    BR,

    MBF



    ------------------------------
    Muhammad Burhan Faruqi
    ------------------------------