IBM QRadar

Hello,

Supposed you have the QRadar SIEM in the distributed configuration as follow (in the same subnet).

All in M6 xx29 appliances. (40K EPS and 2.4MM FPM)

Console x 1

Event Processor x 3

Data Nodes for the Event Processor x 3

Flow Processor x 1

Data Node for the Flow Processor x 1

App Host x 1

Suppose one of the log source type is dedicated to send all the logs to a single Event Processor and it might be maxing out the system limitation of 40K EPS.  Is it possible to replace that EP with M6 xx48 (80K EPS, 3.6MM FPM) and keep the existing M6 xx29 data node (and then convert the existing EP M6 xx29 to use it as data node)? 

The final configuration would look like this:

Console (M6, xx29)

EP1 (M6, xx29), Data Node1 (M6, xx29)

EP2 (M6, xx29), Data Node2 (M6, xx29)

EP3 (M6, xx48), Data Node3a (M6, xx29), Data Node3b (M6, xx29)

FP1 (M6, xx29), Data Node4 (M6, xx29)

AppHost (M6, xx29)

Any thoughts about the proposed configuration?

There is a KB article about using a load balancer before the EP and I'm trying to avoid adding that tier.

Thanks.

-nelson

------------------------------
nelson lee
------------------------------

Nelson

looks like a good approach.

the xx48 will give you additional power in your 3 node cluster.

of course you have to do fresh install for the xx48 and the xx29 running new appliance type.

No Migration from type A to B.

Use export and CMT for migration of configuration data.

Regards

Karl

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message:
Sent: Thu July 20, 2023 08:39 PM
From: nelson lee
Subject: deployment of hardware in distributed environment

Hello,

Supposed you have the QRadar SIEM in the distributed configuration as follow (in the same subnet).

All in M6 xx29 appliances. (40K EPS and 2.4MM FPM)

Console x 1

Event Processor x 3

Data Nodes for the Event Processor x 3

Flow Processor x 1

Data Node for the Flow Processor x 1

App Host x 1

Suppose one of the log source type is dedicated to send all the logs to a single Event Processor and it might be maxing out the system limitation of 40K EPS.  Is it possible to replace that EP with M6 xx48 (80K EPS, 3.6MM FPM) and keep the existing M6 xx29 data node (and then convert the existing EP M6 xx29 to use it as data node)? 

The final configuration would look like this:

Console (M6, xx29)

EP1 (M6, xx29), Data Node1 (M6, xx29)

EP2 (M6, xx29), Data Node2 (M6, xx29)

EP3 (M6, xx48), Data Node3a (M6, xx29), Data Node3b (M6, xx29)

FP1 (M6, xx29), Data Node4 (M6, xx29)

AppHost (M6, xx29)

Any thoughts about the proposed configuration?

There is a KB article about using a load balancer before the EP and I'm trying to avoid adding that tier.

Thanks.

-nelson

------------------------------
nelson lee
------------------------------