Hi There,
Can anyone help advise on this question?
"I have a question regarding an compliance issue of one of our client, he told us that he is required to keep all events (of all log sources) in origin format (RAW logs) and he asked us if that is possible in Qradar since the last one perform the coalicing which caused the lost of all payloads of the coaliced events. We tried to resolved this situation but the only solution will be to disable the coalicing for all log sources which will cause performance issue according to our understanding. How can we resoled this situation?"
I fully understand how it works.
https://www.ibm.com/support/pages/qradar-how-does-coalescing-work-qradar. Coalescing is meant to help with performance. I would like some guidance on best practices for performance tuning this type of scenario.
------------------------------
Raydo Matthee Instructor
Course Facilitator
Tech Hero (Pty) Ltd
Johannesburg
------------------------------