IBM Security QRadar


Log Source Event Coalescing

  • 1.  Log Source Event Coalescing

    Posted 2 days ago
    Hi Folks,

    In the place where I work, there have been some discussions regarding QRadar Event coalescing on log sources so as to optimize memory consumption for event storage.

    I'm now researching the best practices and the pros and cons of doing so or not on different log source types and was wondering what you folks have to say.

    Thanks in advance!

    ------------------------------
    Nathan Pavlovsky
    ------------------------------


  • 2.  RE: Log Source Event Coalescing

    Posted 2 days ago
    Coalescing on critical assets like firewalls, web servers, and WAF devices is dangerous. On stuff like workstations, it depends on security risks and compliance.

    Sent from my Mobile





  • 3.  RE: Log Source Event Coalescing

    Posted 2 days ago
    Hi Nathan,
    In addition to what Frank correctly said, I would start with coalescing turned off when onboarding a new log source. This is especially true for Windows-based log sources, as they contain many custom properties which are not checked against the coalescing criteria. When you do incident forensics that's not what you want, as you are missing valuable info. The same is true for many other log sources, such as NG firewalls, cloud-based log sources, etc.
    If you really want to turn it on, check a 24h interval of logged events first.
    BTW, the additional storage consumption is relatively low, as data gets compressed anyway as soon as it comes in. Unfortunately coalescing is still turned on by default, AFAIK.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
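To make the "check a 24h interval first" advice concrete, here is an added example (not code from this thread, IBM, or QRadar) that replays a sample of normalized events through a simplified coalescing model and reports how many events would be merged and which non-key fields would be lost in the process. The model is an assumption stated in the code: events with the same source IP, destination IP, destination port, username and QID inside a 10-second window are merged once more than three have been seen, and only those five fields are compared. The sample events, QID value and process names are constructed; replace them with an export from your own 24h window and adjust the constants to your deployment's documented behaviour.

```python
"""Estimate what event coalescing would collapse in a sample of normalized
events, and which non-key fields (e.g. custom properties) would be lost.

ASSUMED model (not taken from this thread): events sharing the five key
fields below within a 10-second window are coalesced once more than
KEEP_PER_WINDOW of them have been seen; only the key fields are compared.
"""
from collections import defaultdict

COALESCE_KEY = ("source_ip", "dest_ip", "dest_port", "username", "qid")
WINDOW_SECONDS = 10
KEEP_PER_WINDOW = 3  # events beyond this many per key per window are merged


def _event(ts, username, process_name, source_ip="10.0.0.5"):
    """Build one constructed Windows-style event; 5000475 is a made-up QID."""
    return {"ts": ts, "source_ip": source_ip, "dest_ip": "10.0.0.10",
            "dest_port": 445, "username": username, "qid": 5000475,
            "process_name": process_name, "logon_type": 3}


# Constructed sample: a burst of events from one workstation within 20 seconds.
SAMPLE_EVENTS = [
    _event(0, "alice", "svchost.exe"),
    _event(1, "alice", "svchost.exe"),
    _event(2, "alice", "svchost.exe"),
    _event(3, "alice", "powershell.exe"),  # same key, different process: merged
    _event(4, "bob", "svchost.exe"),        # different username: separate key
    _event(5, "alice", "svchost.exe"),
    _event(8, "alice", "cmd.exe"),          # same key, different process: merged
    _event(20, "alice", "svchost.exe"),     # outside the window: new window
]


def coalesce_key(ev):
    return tuple(ev[k] for k in COALESCE_KEY)


def simulate_coalescing(events):
    """Replay events in time order; return a summary of what would be stored."""
    windows = {}   # key -> [window_start_ts, count_in_window, last_kept_record]
    kept = []
    lost = defaultdict(set)  # (key, field) -> values dropped by merging
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = coalesce_key(ev)
        state = windows.get(key)
        if state is None or ev["ts"] - state[0] > WINDOW_SECONDS:
            state = [ev["ts"], 0, None]
            windows[key] = state
        state[1] += 1
        if state[1] <= KEEP_PER_WINDOW:
            record = dict(ev, event_count=1)
            kept.append(record)
            state[2] = record
        else:
            # Merged into the last stored record of this window: only the
            # event count grows, every differing non-key field is gone.
            anchor = state[2]
            anchor["event_count"] += 1
            for field, value in ev.items():
                if field in COALESCE_KEY or field == "ts":
                    continue
                if anchor.get(field) != value:
                    lost[(key, field)].add(value)
    return {
        "input_events": len(events),
        "stored_events": len(kept),
        "merged_events": len(events) - len(kept),
        "max_event_count": max(r["event_count"] for r in kept),
        "lost_detail": {f"{k[3]}@{k[0]}/{field}": sorted(map(str, v))
                        for (k, field), v in lost.items()},
    }


if __name__ == "__main__":
    for name, value in simulate_coalescing(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Run over a real 24h export, the `merged_events` figure tells you how much storage coalescing would actually save (usually little once compression is accounted for, as Karl notes), while `lost_detail` lists exactly which fields forensics would no longer be able to distinguish for that log source.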



  • 4.  RE: Log Source Event Coalescing

    Posted 2 days ago
    Edited by Nathan Pavlovsky 2 days ago
    Removed due to it being a duplicate of my other response below


  • 5.  RE: Log Source Event Coalescing

    Posted 2 days ago
    Edited by Nathan Pavlovsky 2 days ago
    Many thanks for the effort writing this and for the tips. Definitely useful and will keep in mind. Wishing you both a great day!

    ------------------------------
    Nathan Pavlovsky
    ------------------------------