IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

Failure scenario: QRadar Event Processor failure

  • 1.  Failure scenario: QRadar Event Processor failure

    Posted Fri October 21, 2022 10:22 AM
    Hello,

    Question if I may,
    Given the architecture scenario:

    (1) Event Source > (forwards events to) > (2) WinCollect/Syslog Server > (3) QRadar Event Processor > (4) QRadar Console

    If the QRadar Event Processor fails, will logs simply queue on the WinCollect Server, and once service is restored, will all of the backlog from the WinCollect Server then be processed by the processor? Or will the WinCollect Server drop logs?

    Thanks in advance.

    My working assumption is that only a failure on (2) (WinCollect/Syslog Server) would result in data loss?


  • 2.  RE: Failure scenario: QRadar Event Processor failure

    Posted Mon October 24, 2022 04:04 AM

    Hello IBM Customer,

    If (3) QRadar Event Processor fails, (2) WinCollect will buffer events in its data storage (see https://www.ibm.com/docs/en/qradar-common?topic=cases-modifying-event-data-storage-configuration for configuration details). Events in the buffer will be sent to (3) once the connection can be established again. Please be aware that this mechanism is available for the TCP or TCP/TLS protocols. You can also configure a secondary destination (3) to receive events from (2) if the primary destination fails.
    In case of a failure on (2) WinCollect/Syslog Server, it depends on whether (1) provides a similar mechanism for event buffering.

    Regards, B.



    ------------------------------
    CISSP, Security Technical Specialist
    ------------------------------
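The behaviour described in the reply above, as an added example that is not part of the original thread and is not IBM's or WinCollect's code: a small Python simulation of store-and-forward delivery in which a forwarder sends each event over TCP, fails over to a secondary destination when the primary refuses the connection, spools undeliverable events to disk, and replays the spool in order once the primary is reachable again. Everything here is constructed for illustration: the `Collector`, `Forwarder`, `deliver`, `send_udp` and `run_scenario` names, the throwaway localhost listeners that stand in for Event Processors, and the sample syslog lines. The real agent is configured through the documentation linked in the reply; this code only models the three points the reply makes (buffering works because TCP/TLS tells the sender the destination is down, a secondary destination can take over, and the buffer drains when the connection comes back).

```python
import socket
import tempfile
import threading


class Collector:  # minimal TCP line receiver standing in for an Event Processor
    def __init__(self):
        self.addr = ("127.0.0.1", 0)   # ephemeral port on first start, then kept
        self.received = []             # lines accepted, in arrival order

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(self.addr)
        self._sock.listen(16)
        self._sock.settimeout(0.1)     # lets _serve notice stop() between accepts
        self.addr = self._sock.getsockname()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):          # closed listener = EP down: new connections refused
        self._running = False
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while True:
            stopping = not self._running   # read before accept so the backlog drains
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                if stopping:
                    return   # nothing left in the backlog after stop()
                continue
            with conn:       # read until the sender closes, then split lines
                buf = b"".join(iter(lambda: conn.recv(4096), b""))
            self.received.extend(line for line in buf.decode().split("\n") if line)


def deliver(dest, line):  # one TCP connection per event; False = destination down
    try:
        with socket.create_connection(dest, timeout=1) as s:
            s.sendall(line.encode() + b"\n")
        return True
    except OSError:          # refused, reset or timed out
        return False


class Forwarder:  # stand-in for the WinCollect agent: fail over, spool, replay
    def __init__(self, primary, secondary=None):
        self.primary, self.secondary = primary, secondary
        with tempfile.NamedTemporaryFile(delete=False, suffix=".spool") as f:
            self.spool = f.name        # on-disk event buffer, empty to begin with

    def send(self, line):    # returns the path taken: primary, secondary or spooled
        for name, dest in (("primary", self.primary), ("secondary", self.secondary)):
            if dest and deliver(dest, line):
                return name
        with open(self.spool, "a") as f:   # nothing reachable: keep it on disk
            f.write(line + "\n")
        return "spooled"

    def replay(self):
        """Resend the spool to the primary in order; stop at the first failure."""
        with open(self.spool) as f:
            pending = [line.rstrip("\n") for line in f if line.strip()]
        sent = 0
        while sent < len(pending) and deliver(self.primary, pending[sent]):
            sent += 1
        with open(self.spool, "w") as f:   # keep only what is still undelivered
            f.writelines(line + "\n" for line in pending[sent:])
        return sent


def send_udp(dest, line):  # UDP for contrast: no connection, so a dead EP looks live
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode() + b"\n", dest) > 0


def run_scenario():
    """Primary up; primary down (secondary takes over); both down (spool); back."""
    primary, secondary = Collector().start(), Collector().start()
    fwd = Forwarder(primary.addr, secondary.addr)
    events = [f"<13>Oct 21 10:22:{i:02d} host app: event {i}" for i in range(6)]
    paths = [fwd.send(events[0]), fwd.send(events[1])]
    primary.stop()
    paths += [fwd.send(events[2]), fwd.send(events[3])]
    secondary.stop()
    paths.append(fwd.send(events[4]))
    primary.start()
    replayed = fwd.replay()
    paths.append(fwd.send(events[5]))
    primary.stop()
    udp_ok = send_udp(primary.addr, events[0])   # nobody listening, still "sent"
    return {"paths": paths, "replayed": replayed, "primary": primary.received,
            "secondary": secondary.received, "udp_claims_success": udp_ok}
```

Running `run_scenario()` shows all six constructed events arriving at one of the two destinations and none lost: the TCP connect refusal is what lets the forwarder decide to fail over and then to spool, and the replay stops at the first failure so the backlog is never reordered or partially dropped. The `send_udp` call at the end is the caveat behind "TCP or TCP/TLS only": with UDP the sender gets no signal that the destination is gone, reports success, and the event is silently lost. The disk buffer is also finite, so how long an outage an agent can absorb depends on its configured storage limits and the event rate, which is why the storage settings in the linked documentation matter.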