Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer
------------------------------

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

Hi arjun,
Thanks for the reply.
I have seen this post.
The question is - what will happen if i do not configutre scheduling? will the events just get droped?

------------------------------
Itzik Shviro
------------------------------

Original Message:
Sent: Tue May 05, 2020 01:45 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

Then i believe its a 5GB queue limit which will apply

https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

T&R

------------------------------
Arjun Kumar Network & Security Engineer
------------------------------

Original Message:
Sent: Tue May 05, 2020 01:53 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi arjun,
Thanks for the reply.
I have seen this post.
The question is - what will happen if i do not configutre scheduling? will the events just get droped?

------------------------------
Itzik Shviro

Original Message:
Sent: Tue May 05, 2020 01:45 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

The 5 GB limit is for the license filter spillover queue - this comes into play if the Event Collector is receiving more raw events than it is licensed for.

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security
------------------------------

Original Message:
Sent: Tue May 05, 2020 02:05 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Then i believe its a 5GB queue limit which will apply

https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Tue May 05, 2020 01:53 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi arjun,
Thanks for the reply.
I have seen this post.
The question is - what will happen if i do not configutre scheduling? will the events just get droped?

------------------------------
Itzik Shviro

Original Message:
Sent: Tue May 05, 2020 01:45 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

Thanks a lot.
Really helpful.

------------------------------
Itzik Shviro
------------------------------

Original Message:
Sent: Tue May 05, 2020 02:43 AM
From: COLIN HAY
Subject: Event collector behavior when network is down

The 5 GB limit is for the license filter spillover queue - this comes into play if the Event Collector is receiving more raw events than it is licensed for.

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue May 05, 2020 02:05 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Then i believe its a 5GB queue limit which will apply

https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Tue May 05, 2020 01:53 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi arjun,
Thanks for the reply.
I have seen this post.
The question is - what will happen if i do not configutre scheduling? will the events just get droped?

------------------------------
Itzik Shviro

Original Message:
Sent: Tue May 05, 2020 01:45 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------

Thanks for the update Colin. This type of information is very hard to find on IBM documentation :)

------------------------------
Arjun Kumar Network & Security Engineer
------------------------------

Original Message:
Sent: Tue May 05, 2020 02:43 AM
From: COLIN HAY
Subject: Event collector behavior when network is down

The 5 GB limit is for the license filter spillover queue - this comes into play if the Event Collector is receiving more raw events than it is licensed for.

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time.

Cheers
Colin

------------------------------
COLIN HAY
IBM Security

Original Message:
Sent: Tue May 05, 2020 02:05 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Then i believe its a 5GB queue limit which will apply

https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Tue May 05, 2020 01:53 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi arjun,
Thanks for the reply.
I have seen this post.
The question is - what will happen if i do not configutre scheduling? will the events just get droped?

------------------------------
Itzik Shviro

Original Message:
Sent: Tue May 05, 2020 01:45 AM
From: Arjun Kumar
Subject: Event collector behavior when network is down

Hello,
I think the below link should help

https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_store_fwd_ovrvw.html

T&R

------------------------------
Arjun Kumar Network & Security Engineer

Original Message:
Sent: Mon May 04, 2020 11:41 AM
From: Itzik Shviro
Subject: Event collector behavior when network is down

Hi,
In a distributed environment, what will happen if you bring down the console 
and the event processor for maintenance(lets say for 8 hours), will the remote collectors store the events until the connection is back and than push them? or will i lose the events for good?

Thanks,
Itzik

------------------------------
Itzik Shviro
------------------------------