Hi

We've been using Qradar for several months now. We want to move data to an archive data node. What do we have to set? can we set how old the data are that's moved to the archive node?

Thanks for your help

------------------------------
Best regards,

Peter Fischer
------------------------------

In QRadar there is a nightly backup that can be used to transfer the data collected for the last 24hrs along with the actual configuration data. You can set the retention period for these. These are saved by default to /store/backup (can be changed), so you should present e.g. an external file share and mount it to the selected folder - thus enabling these to be moved to an offboard storage.
In QRadar you have a concept of Retention Buckets (for events as well as for flows), where you can set how long and which data will be kept on to be readily available (and deleted after the set period expires). You can set up to 10 buckets (evaluated top-down, the last one is regarded as default).
There is also a so called Data Node appliance offered. This is a a dedicated storage and search appliance used to scale the storage and search performance by adding them to the All-in-One or Event/Flow Processor appliances. If added, the data will be automatically balanced across.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Wed January 15, 2020 04:26 AM
From: Peter Fischer
Subject: Move Data to Archive Node

Hi

We've been using Qradar for several months now. We want to move data to an archive data node. What do we have to set? can we set how old the data are that's moved to the archive node?

Thanks for your help

------------------------------
Best regards,

Peter Fischer
------------------------------

Hi Peter, 

Dusan is right. I would like to add, that it is possible to use a QRadar Data Node in archive mode. (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.3/com.ibm.qradar.doc/t_data_node_archiving.html)
Quote: 

Configure a Data Node appliance to use Archive mode when you want the Data Node to provide online access to historical data without impacting storage for incoming data.

In Archive mode, the appliance does not receive new data, but existing data is saved.


Another way would be just to transfer the data from /store/ariel/... to an archive location via the command line.

For what reason to you want to archive the data and not keep it in the QRadar stored?

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Thu January 16, 2020 05:01 AM
From: Dusan VIDOVIC
Subject: Move Data to Archive Node

In QRadar there is a nightly backup that can be used to transfer the data collected for the last 24hrs along with the actual configuration data. You can set the retention period for these. These are saved by default to /store/backup (can be changed), so you should present e.g. an external file share and mount it to the selected folder - thus enabling these to be moved to an offboard storage.
In QRadar you have a concept of Retention Buckets (for events as well as for flows), where you can set how long and which data will be kept on to be readily available (and deleted after the set period expires). You can set up to 10 buckets (evaluated top-down, the last one is regarded as default).
There is also a so called Data Node appliance offered. This is a a dedicated storage and search appliance used to scale the storage and search performance by adding them to the All-in-One or Event/Flow Processor appliances. If added, the data will be automatically balanced across.

------------------------------
Dusan VIDOVIC

Original Message:
Sent: Wed January 15, 2020 04:26 AM
From: Peter Fischer
Subject: Move Data to Archive Node

Hi

We've been using Qradar for several months now. We want to move data to an archive data node. What do we have to set? can we set how old the data are that's moved to the archive node?

Thanks for your help

------------------------------
Best regards,

Peter Fischer
------------------------------