IBM Security QRadar

What licensing is required at the failover site? For example, if my active site has an all in one console do I need to buy a full all in one console license for the passive site or is there a cheaper DR site option since this console will be sitting there idle 99% of the time.

Also, if I send logs to event collectors at both sites simultaneously - will qRadar de-duplicate these logs? Ideally all devices would log to both locations all the time so to minimize the changes required during a DR scenario.

Thanks!

------------------------------
Ryan Hitch
------------------------------

Hi Ryan

For licensing you are required to purchase Data Sync Licenses for your DR site. So for example if you had a 1 console + 2 EP + 2 EC on your main site and you have the required 1:1 mapping on the DR site (1 Console +. 2 EP + EC). You are only required to purchase a license per node where data is being transferred. In this case it would be the Console and 2 EP's so you would be required to purchase 3 Data Sync licenses only for your DR site. 

Regards sending logs to both sites at the same time. Yes you should be able to do that with EC's. We have all services suppressed on the DR site meaning that log collection will just drop the events as they come in. The only events that will be in the DR site will be the events copied over from the main site.

Shane

------------------------------
SHANE LUNDY
------------------------------

Original Message:
Sent: Wed October 07, 2020 09:27 AM
From: Ryan Hitch
Subject: QRadar Data Synchronization App

What licensing is required at the failover site? For example, if my active site has an all in one console do I need to buy a full all in one console license for the passive site or is there a cheaper DR site option since this console will be sitting there idle 99% of the time.

Also, if I send logs to event collectors at both sites simultaneously - will qRadar de-duplicate these logs? Ideally all devices would log to both locations all the time so to minimize the changes required during a DR scenario.

Thanks!

------------------------------
Ryan Hitch
------------------------------

Thanks Shane! Appreciate the quick and succinct response.

------------------------------
Ryan Hitch
------------------------------

Original Message:
Sent: Thu October 08, 2020 03:56 AM
From: SHANE LUNDY
Subject: QRadar Data Synchronization App

Hi Ryan

For licensing you are required to purchase Data Sync Licenses for your DR site. So for example if you had a 1 console + 2 EP + 2 EC on your main site and you have the required 1:1 mapping on the DR site (1 Console +. 2 EP + EC). You are only required to purchase a license per node where data is being transferred. In this case it would be the Console and 2 EP's so you would be required to purchase 3 Data Sync licenses only for your DR site. 

Regards sending logs to both sites at the same time. Yes you should be able to do that with EC's. We have all services suppressed on the DR site meaning that log collection will just drop the events as they come in. The only events that will be in the DR site will be the events copied over from the main site.

Shane

------------------------------
SHANE LUNDY

Original Message:
Sent: Wed October 07, 2020 09:27 AM
From: Ryan Hitch
Subject: QRadar Data Synchronization App

What licensing is required at the failover site? For example, if my active site has an all in one console do I need to buy a full all in one console license for the passive site or is there a cheaper DR site option since this console will be sitting there idle 99% of the time.

Also, if I send logs to event collectors at both sites simultaneously - will qRadar de-duplicate these logs? Ideally all devices would log to both locations all the time so to minimize the changes required during a DR scenario.

Thanks!

------------------------------
Ryan Hitch
------------------------------