2 Ways to Improve Stability and Performance in Your QRadar Deployment

By Salman Khan posted Wed January 01, 2020 04:31 AM

  

I work as a cybersecurity consultant and have deployed IBM QRadar for major banks and other institutions in Scandinavia. Some companies prefer to have QRadar SIEM as a service, while others want an on-premises solution. I stumbled upon an interesting finding in a few deployments, which I want to share through this blog post. It relates to the type of storage solution used for QRadar's database. Even though IBM recommends not using NFS, I have seen some deployments that use it to save costs.

If your QRadar deployment is facing stability issues and queries against QRadar's Ariel database are taking longer than expected, you may be working in an unstable environment. You may see frequent warnings and errors about performance while queries and reports are processed. NFS file storage might be the root cause. I spent many hours troubleshooting the problem and want to share my experience here so others can benefit.

Avoid storing searchable data on NFS

 
First, check whether your Ariel storage (where the event pipeline writes its data) resides on network file storage. Some companies choose NFS as their main storage solution and use it for the QRadar Ariel database as well. This is an important performance consideration for searchable data in the QRadar user interface.

Check your mounted disks; if you see "nfs" as shown below, you should consider moving your Ariel storage to iSCSI or Fibre Channel instead:

nfs       585T  511T   68T  89% /store/ariel


Choosing NFS is a cost versus performance trade-off: network file storage is cheap and easy to set up over existing IP infrastructure, but those savings come at the cost of performance compared with iSCSI or Fibre Channel.

QRadar queries the Ariel database to generate alerts and reports. The database grows over time, and NFS storage will prove slow and unreliable as it does. NFS will ultimately cause stability problems in your QRadar deployment, which will routinely warn about stability and performance issues.


How to approach this problem


Consider using iSCSI or Fibre Channel to store data that is accessible and searchable in the UI, such as the /store/ariel directory, and reserve NFS for data backups only.


Amount of data on your disk

 

The amount of data on your disk is another important consideration. Once disk usage reaches 85%, QRadar starts compressing data to free space. But compressing and decompressing data adds overhead whenever QRadar searches and indexes it.

So, make sure you have enough disk space for QRadar to process data and turn it into useful information.
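As an added example (not from the original post and not IBM's own tooling), the two checks above combined in one script: it classifies a "df -PT" line as NFS-backed and/or at or above the 85% usage mark, and can be pointed at a live mount point. The /store/ariel path and the 85% threshold come from the post; the sample lines, hostnames and sizes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Flags a QRadar Ariel store that
# sits on NFS, or whose usage has reached the 85% mark at which the post says
# QRadar starts compressing data. Works on "df -PT" style lines
# (Filesystem Type Size Used Avail Use% Mounted-on), so it runs on live output
# or on the constructed sample below.

THRESHOLD=85   # disk usage percentage at which compression kicks in

# classify_mount "<df -PT line>" -> prints OK, NFS, FULL or NFS+FULL
classify_mount() {
    set -- $1                  # split the df line into its seven fields
    fstype=$2
    usepct=${6%\%}             # "89%" -> 89
    verdict=""
    case "$fstype" in
        nfs|nfs4) verdict="NFS" ;;   # searchable data on NFS: move to iSCSI/FC
    esac
    if [ "$usepct" -ge "$THRESHOLD" ]; then
        verdict="${verdict:+$verdict+}FULL"   # compression overhead now applies
    fi
    printf '%s\n' "${verdict:-OK}"
}

# report_ariel [mountpoint]: run the check against the live system
# (defaults to /store/ariel; df -PT is the GNU/RHEL form found on QRadar hosts).
report_ariel() {
    mnt=${1:-/store/ariel}
    line=$(df -PT "$mnt" 2>/dev/null | tail -n +2)
    if [ -z "$line" ]; then
        printf '%s: not mounted or not reachable\n' "$mnt"
        return 0
    fi
    printf '%s: %s\n' "$mnt" "$(classify_mount "$line")"
}

# Constructed sample (hostnames and sizes invented); the first line mirrors
# the 89%-full NFS store quoted in the post.
SAMPLE='nas01:/export/ariel nfs 585T 511T 68T 89% /store/ariel
/dev/mapper/store-lv xfs 12T 7.1T 4.9T 60% /store
/dev/sdb1 xfs 40T 35T 5.0T 87% /store/ariel/events'

printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
    set -- $l
    printf '%-22s %s\n' "$7" "$(classify_mount "$l")"
done
report_ariel
```

Run it on the QRadar console as root to see the verdict for the live /store/ariel mount; an NFS or FULL result points at the two causes discussed above.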
