IBM QRadar

Hello,

For our client, we are facing issues transmitting the logs from the QRadar Event Collector to the QRadar console.
At the EC, we see the logs accumulating in the ECS-ingress, but the logs are not sent to the console. 
The primary reason is bandwidth. 

While the client works on fixing the bandwidth issue, is there an alternate method to transmit the logs from the EC to the console using the exisiting reduced bandwidth. 

Note: The bandwidth is really low (around 80kbps).

Thanks in advance.
Siddarth 

Hello,

If the bandwidth is the main issue the the Console can only process at the speed it receives the events at, so with the current configuration and limitations there isnt anything you can do. 

You will need ot watch the /store/persistent_queue folders on the EC to make sure they don't grow to large and stop collection completely. 
The only other things I could suggest are:
1. Depending on what EPS your Console is already receiving, console load and BW limitations again, you could point some log sources directly at the Console. 
2. Build and add an EP to your deployment where you can have a better BW connection to allow it to process the queue. Though you will still hit deployment issues here due to console Bandwidth.

Regards,

Hello,

For our client, we are facing issues transmitting the logs from the QRadar Event Collector to the QRadar console.
At the EC, we see the logs accumulating in the ECS-ingress, but the logs are not sent to the console. 
The primary reason is bandwidth. 

While the client works on fixing the bandwidth issue, is there an alternate method to transmit the logs from the EC to the console using the exisiting reduced bandwidth. 

Note: The bandwidth is really low (around 80kbps).

Thanks in advance.
Siddarth 

Hello @Comghall Morgan,

Thank you for your response.

- we have disabled log collection to ensure /store/persistent_queue doesn't spill.
- Regarding Point 1 - This is a new deployment, and there is no load on the console. 

- Regarding Point 2 - The console is in Azure, and EC is in the client data center. So I am looking at an option to throttle with the existing bandwidth.

Please advise.

Thanks in advance.

Siddarth

------------------------------
--
Thanks and Best Regards,
Siddarth

Original Message:
Sent: Wed November 29, 2023 09:50 AM
From: Comghall Morgan
Subject: QRadar Operations in Reduced Bandwidth

Hello,

If the bandwidth is the main issue the the Console can only process at the speed it receives the events at, so with the current configuration and limitations there isnt anything you can do. 

You will need ot watch the /store/persistent_queue folders on the EC to make sure they don't grow to large and stop collection completely. 
The only other things I could suggest are:
1. Depending on what EPS your Console is already receiving, console load and BW limitations again, you could point some log sources directly at the Console. 
2. Build and add an EP to your deployment where you can have a better BW connection to allow it to process the queue. Though you will still hit deployment issues here due to console Bandwidth.

Regards,

------------------------------
Comghall Morgan
QRadar Support Architect
IBM

Original Message:
Sent: Wed November 29, 2023 04:18 AM
From: Siddarth Talupula
Subject: QRadar Operations in Reduced Bandwidth

Hello,

For our client, we are facing issues transmitting the logs from the QRadar Event Collector to the QRadar console.
At the EC, we see the logs accumulating in the ECS-ingress, but the logs are not sent to the console. 
The primary reason is bandwidth. 

While the client works on fixing the bandwidth issue, is there an alternate method to transmit the logs from the EC to the console using the exisiting reduced bandwidth. 

Note: The bandwidth is really low (around 80kbps).

Thanks in advance.
Siddarth 

------------------------------
--
Thanks and Best Regards,
Siddarth
------------------------------

This bandwidth is really low - maybe to low too have the EC as managed host (if I'm not mistaken, the official recommendation was at least 100Mbps); it is usually suggested in such cases to use a DLC instance (as it would at least relieve you of the issues with "Deploy changes"). 
Now, would using a Store & Forward feature for the EC make sense (i.e. scheduled forwarding of events for the less busy periods)? Again, only you can evaluate the amount of collected logs which need to be forwarded vs. the usable bandwidth and time. 

------------------------------
Dusan VIDOVIC

Original Message:
Sent: Wed November 29, 2023 10:04 AM
From: Siddarth Talupula
Subject: QRadar Operations in Reduced Bandwidth

Hello @Comghall Morgan,

Thank you for your response.

- we have disabled log collection to ensure /store/persistent_queue doesn't spill.
- Regarding Point 1 - This is a new deployment, and there is no load on the console. 

- Regarding Point 2 - The console is in Azure, and EC is in the client data center. So I am looking at an option to throttle with the existing bandwidth.

Please advise.

Thanks in advance.

Siddarth

------------------------------
--
Thanks and Best Regards,
Siddarth

Original Message:
Sent: Wed November 29, 2023 09:50 AM
From: Comghall Morgan
Subject: QRadar Operations in Reduced Bandwidth

Hello,

If the bandwidth is the main issue the the Console can only process at the speed it receives the events at, so with the current configuration and limitations there isnt anything you can do. 

You will need ot watch the /store/persistent_queue folders on the EC to make sure they don't grow to large and stop collection completely. 
The only other things I could suggest are:
1. Depending on what EPS your Console is already receiving, console load and BW limitations again, you could point some log sources directly at the Console. 
2. Build and add an EP to your deployment where you can have a better BW connection to allow it to process the queue. Though you will still hit deployment issues here due to console Bandwidth.

Regards,

------------------------------
Comghall Morgan
QRadar Support Architect
IBM

Original Message:
Sent: Wed November 29, 2023 04:18 AM
From: Siddarth Talupula
Subject: QRadar Operations in Reduced Bandwidth

Hello,

For our client, we are facing issues transmitting the logs from the QRadar Event Collector to the QRadar console.
At the EC, we see the logs accumulating in the ECS-ingress, but the logs are not sent to the console. 
The primary reason is bandwidth. 

While the client works on fixing the bandwidth issue, is there an alternate method to transmit the logs from the EC to the console using the exisiting reduced bandwidth. 

Note: The bandwidth is really low (around 80kbps).

Thanks in advance.
Siddarth 

------------------------------
--
Thanks and Best Regards,
Siddarth
------------------------------