The "All in One" option can scale up depending on the resources assigned to it - so, it is possible it supports over 3000 EPS. Bear in mind that the EPS rate and performance depend not only on CPU and RAM but very much on the performance of the underlying storage. In addition, when sizing storage space, you should also consider the retention required.
Backup of the virtual machine is fine, but you should probably consider another storage mount for the backup of config and data (for offline retention).
QRadar can be implemented in HA mode - either using shared storage or DRBD - the latter is also possible for virtual machines. You can also opt to use native recovery options provided by VMware - such as HA restart on an alternative host (but the choice depends on whether you can afford that downtime).
If you go with a distributed deployment, you would need to use event processors and dedicated console instances. Event processors should be kept close to the console to maintain proper performance. On the customer's side you may use e.g. the DLC or event collector instances.
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed August 14, 2019 12:02 AM
From: MAC Strater
Subject: Q&A about MSSP model and design
I'm going to implement a SOC in an MSSP model to provide service for customers.
Requirement
- Multi-tenancy and HA are needed
- Collect events from customers (10 customers - total is about 3000 EPS)
- Virtual appliance preferred
Design
1. I will deploy two virtual consoles as primary and standby on VMware ESXi in the datacenter. VEEAM backup exists. Is an HA license needed, such as JSA-TMFPHA? Are there any concerns if I use a virtual appliance instead of a hardware appliance for HA?
2. I have no idea about the event processor. Should it be at the customer site, or can we provide a centralized event processor? Can we expand when the number of EPS increases? Should I design a primary and standby for redundancy, the same as for the console?
If there is anything useful, please recommend it to me.
Thank you
------------------------------
MAC Strater
------------------------------