QRadar XDR

  • 1.  Compression rate on links

    Posted Wed July 28, 2021 01:53 AM
    Hi all,

    Is there any information on the level of compression reached for communication between the QRadar components, especially between an EC and the EP in a distributed architecture? I am NOT referring to bandwidth required for management traffic between components but bandwidth required to transfer EPS/logs.

    Thank you.

    Olivier Paridaens

  • 2.  RE: Compression rate on links

    Posted Thu July 29, 2021 07:03 AM
    Olivier, I am sure you are aware of the guidelines related to min 100Mbps to ensure deployment and config replication works. Over that, of course you need to take into account the EPS and realistic log size (based on the realistic mix of log sources you have). Articles (such as this one or other technotes) say you should have over 100Mbps in case of searches and EPS rates starting from 10k.
    Usually we see average log size estimates of 700-900 bytes (and no coalescing). I've seen estimates of average compression rates of cca 10:1 (though personally I'd do my guess with somewhat lower rate estimates, to be on the safe side). Take into account your peak EPS rate.
    Also to be considered is whether you are doing store & forward (with particular time limits) or real-time event streaming from the collector, and whether flows are included somewhere (then you'd need to take the flow content capture size into account along with the peak FPS/FPM rate).

    Dusan VIDOVIC