IBM Security QRadar

I have an understanding that Qradar Event Collector would store data temporarily in case of disconnection. Normally this would stored in cache but as per my knowledge the data would be stored under /store/ariel/events/uncompressed

Now I would like feedback on the possibility in case of longer outages, would the data be be stored until the /store gets full or is there a cap on how much cashe size can it store

Thanks

------------------------------
A N
------------------------------

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time

credit to this answer to COLIN HAY
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=43265b3c-a527-4c1d-b456-84632f529918&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer



------------------------------
Ditmar Tavares
------------------------------

Original Message:
Sent: Tue January 04, 2022 05:13 PM
From: A N
Subject: Event Collector Cache Storage in case of disconnection

I have an understanding that Qradar Event Collector would store data temporarily in case of disconnection. Normally this would stored in cache but as per my knowledge the data would be stored under /store/ariel/events/uncompressed

Now I would like feedback on the possibility in case of longer outages, would the data be be stored until the /store gets full or is there a cap on how much cashe size can it store

Thanks

------------------------------
A N
------------------------------

Hi Ditmar 

Thanks for the response , it was really helpful , however if there is a seperate on disk queue where would it located ?

Thanks

------------------------------
A N
------------------------------

Original Message:
Sent: Wed January 05, 2022 01:30 PM
From: Ditmar Tavares
Subject: Event Collector Cache Storage in case of disconnection

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time

credit to this answer to COLIN HAY
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=43265b3c-a527-4c1d-b456-84632f529918&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer



------------------------------
Ditmar Tavares

Original Message:
Sent: Tue January 04, 2022 05:13 PM
From: A N
Subject: Event Collector Cache Storage in case of disconnection

I have an understanding that Qradar Event Collector would store data temporarily in case of disconnection. Normally this would stored in cache but as per my knowledge the data would be stored under /store/ariel/events/uncompressed

Now I would like feedback on the possibility in case of longer outages, would the data be be stored until the /store gets full or is there a cap on how much cashe size can it store

Thanks

------------------------------
A N
------------------------------

Original Message:
Sent: 1/5/2022 3:43:00 PM
From: A N
Subject: RE: Event Collector Cache Storage in case of disconnection

Hi Ditmar 

Thanks for the response , it was really helpful , however if there is a seperate on disk queue where would it located ?

Thanks

------------------------------
A N
------------------------------

Original Message:
Sent: Wed January 05, 2022 01:30 PM
From: Ditmar Tavares
Subject: Event Collector Cache Storage in case of disconnection

There is a separate on-disk queue used when the EC cannot reach the downstream EP, as in the case Itzik described. That queue will basically fill until there is no disk space left - it actually stops at 93% or 95% or something like that, but as opposed to the license spillover it is effectively unbounded. When the EP comes back up, all the events will be sent at that time

credit to this answer to COLIN HAY
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2497&MessageKey=43265b3c-a527-4c1d-b456-84632f529918&CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=digestviewer



------------------------------
Ditmar Tavares

Original Message:
Sent: Tue January 04, 2022 05:13 PM
From: A N
Subject: Event Collector Cache Storage in case of disconnection

I have an understanding that Qradar Event Collector would store data temporarily in case of disconnection. Normally this would stored in cache but as per my knowledge the data would be stored under /store/ariel/events/uncompressed

Now I would like feedback on the possibility in case of longer outages, would the data be be stored until the /store gets full or is there a cap on how much cashe size can it store

Thanks

------------------------------
A N
------------------------------