IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Temporary buffer in QRadar EventCollectors.

  • 1.  Temporary buffer in QRadar EventCollectors.

    Posted Mon August 24, 2020 08:50 AM

    Hi!.

    Please, a very quick question.

    In a distributed QRadar infrastructure with: two EventCollectors, an EventProcessor and a Console.

    If both, the EventProcessor and the Console are poweroff. Is there some kind of buffer or temporary file where the EventCollectors store temporarly the inbound events?.

    Thank you.

    Regards.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Temporary buffer in QRadar EventCollectors.
    Best Answer

    Posted Thu August 27, 2020 10:03 AM

    Hello!

    This was the response we had got for the same query raised

    The 5 GB limit is for the license filter spillover queue - this comes into play if the Event Collector is receiving more raw events than it is licensed for.

    There is a separate on-disk queue used when the EC cannot reach the downstream EP. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time.

    https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

    T&R



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Temporary buffer in QRadar EventCollectors.
    Best Answer

    Posted Thu August 27, 2020 04:19 PM

    Hello.

    Great!.

    Thank you so much.

    Regards.



    #QRadar
    #Support
    #SupportMigration


Related Content