IBM QRadar

  • 1.  RAW Log Store in QRadar

    Posted Mon December 16, 2019 02:22 PM
    Hi Team,
    I need an answer for my compliance Team. How does EP archive the RAW logs from Log Sources?
    If I had a log archival for 1 year, how is it being stored in the EP/Data Node? Can we store the archive in txt\csv format?

    Thanks, Sushanta

    ------------------------------
    Sushanta Sena
    ------------------------------


  • 2.  RE: RAW Log Store in QRadar

    Posted Tue December 17, 2019 01:18 PM
    See the following article:

    https://www.ibm.com/support/pages/event-processing-pipeline

    The events get stored on the EP and/or on the DataNode that is attached to the EP.

    They get stored there up to the duration of the retention policy for events, which is set in Admin > Event Retention in the UI.

    They are stored in compressed archives.

    I do not think you would want events to be stored in text/csv format (they are stored as compressed archives) as you would quickly run out of space and searches would most likely become inefficient.

    ------------------------------
    Adam Mcdonald
    ------------------------------