IBM Security QRadar


Performance suggestions when coalescing is disabled for all log sources?

  • 1.  Performance suggestions when coalescing is disabled for all log sources?

    Posted Fri September 20, 2019 08:34 AM
    Hi There,

    Can anyone help advise on this question?

    "I have a question regarding a compliance issue of one of our clients. He told us that he is required to keep all events (of all log sources) in their original format (raw logs), and he asked us if that is possible in QRadar, since the latter performs coalescing, which causes the loss of all payloads of the coalesced events. We tried to resolve this situation, but the only solution would be to disable coalescing for all log sources, which will cause performance issues according to our understanding. How can we resolve this situation?"

    I fully understand how it works. https://www.ibm.com/support/pages/qradar-how-does-coalescing-work-qradar. Coalescing is meant to help with performance. I would like some guidance on best practices for performance tuning this type of scenario.

    ------------------------------
    Raydo Matthee Instructor
    Course Facilitator
    Tech Hero (Pty) Ltd
    Johannesburg
    ------------------------------


  • 2.  RE: Performance suggestions when coalescing is disabled for all log sources?

    Posted Fri September 20, 2019 03:21 PM
    I have disabled coalescing on a number of large log sources (firewall, Windows...). I did not see a performance hit. In fact, I believe the act of coalescing takes more CPU/memory than NOT coalescing. The biggest impact is on storage. Quite a substantial impact depending upon log source type.


    ------------------------------
    Drew Maness
    ------------------------------
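The following is an added illustration, not code from this thread, from IBM or from QRadar itself. It simulates the coalescing rule as I understand it from IBM's documentation (the grouping key of source IP, destination IP, destination port, username and event ID, a 10-second window, and the first 4 events of a window stored individually are assumptions of the simulation) and runs it over a small constructed batch of firewall deny events. It shows the two effects both posts describe: with coalescing on, later events in a burst only increment a count and their raw payloads are never written (the compliance problem in the first post), and the number of stored records and payload bytes drops accordingly (the storage impact in the second post). Turning coalescing off keeps every payload at the cost of storing every record.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed coalescing rule (my reading of IBM's documentation, not QRadar code):
# events sharing source IP, destination IP, destination port, username and
# event ID are grouped; within a 10-second window the first 4 are stored with
# their payloads, later ones only bump the count on the last stored record and
# their payload is dropped.
COALESCE_WINDOW_S = 10
COALESCE_THRESHOLD = 4


@dataclass
class Event:
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    user: str
    event_id: str
    payload: str


@dataclass
class StoredRecord:
    event: Event      # the event whose payload is actually kept on disk
    count: int = 1    # how many original events this record stands for


def coalesce(events: List[Event], enabled: bool = True) -> List[StoredRecord]:
    """Simulate the pipeline: return the records that would be written to storage."""
    stored: List[StoredRecord] = []
    windows: Dict[Tuple[str, str, int, str, str], dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not enabled:
            stored.append(StoredRecord(ev))   # every event kept verbatim
            continue
        key = (ev.src_ip, ev.dst_ip, ev.dst_port, ev.user, ev.event_id)
        win = windows.get(key)
        if win is None or ev.ts - win["start"] >= COALESCE_WINDOW_S:
            win = {"start": ev.ts, "seen": 0, "last": None}   # open a new window
            windows[key] = win
        win["seen"] += 1
        if win["seen"] <= COALESCE_THRESHOLD:
            rec = StoredRecord(ev)
            stored.append(rec)
            win["last"] = rec
        else:
            win["last"].count += 1   # ev.payload is discarded here
    return stored


def summarize(events: List[Event], enabled: bool = True) -> dict:
    """Storage-side view: records written, events they represent, payloads lost."""
    recs = coalesce(events, enabled)
    return {
        "stored_records": len(recs),
        "events_represented": sum(r.count for r in recs),
        "payloads_lost": len(events) - len(recs),
        "payload_bytes": sum(len(r.event.payload.encode()) for r in recs),
    }


def make_sample_events() -> List[Event]:
    """Constructed sample: one host hitting one port 12 times in 12 seconds,
    plus 3 unrelated denies from another host (different port => different key)."""
    evs: List[Event] = []
    for i in range(12):
        evs.append(Event(ts=float(i), src_ip="10.0.0.5", dst_ip="192.168.1.10",
                         dst_port=445, user="N/A", event_id="FW-DENY",
                         payload=f"deny tcp 10.0.0.5 -> 192.168.1.10:445 seq={i}"))
    for i in range(3):
        evs.append(Event(ts=0.5 + i, src_ip="10.0.0.7", dst_ip="192.168.1.10",
                         dst_port=22, user="N/A", event_id="FW-DENY",
                         payload=f"deny tcp 10.0.0.7 -> 192.168.1.10:22 seq={i}"))
    return evs


if __name__ == "__main__":
    sample = make_sample_events()
    for flag in (True, False):
        print("coalescing on " if flag else "coalescing off", summarize(sample, flag))
```

With the sample batch the 12-event burst falls into two windows (seconds 0-9 and 10-11): the first window stores 4 records, the fourth of which ends up representing 7 events, so 6 raw payloads are never written; the second window and the 3 unrelated events are stored one-to-one. Swapping the constructed events for a sample exported from a real log source gives a quick estimate of how many payloads a given source would lose with coalescing on, and roughly how much extra storage turning it off would cost.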