IBM QRadar

  • 1.  Console and Event\Flow Processor /store partition

    Posted Wed May 03, 2023 09:25 AM

    Hello

    I have a console as well as an event processor and collectors. Collectors are connected to the Processor. As far as I understand, the Collector collects events and sends them for processing to the Processor, which, in turn, sends them to the Console. I would like to know whether the events are stored in the /store directory on the Console or on the Processor. If on the Processor, what events are stored in /store on the Console?



    ------------------------------
    Farid Zeynalov
    ------------------------------


  • 2.  RE: Console and Event\Flow Processor /store partition

    Posted Tue May 09, 2023 02:02 PM

    Events are saved on the appliances with a storage (Ariel Writer) service, such as Event Processors or Consoles. Where events are stored can depend on how you have your Event Collectors attached to Event Processors.

    For example, depending on how you have your deployment configured, this answer can vary:

    1. Event Source --> Event Collector (receives events) --> Event Processor (events stored locally here)
    2. Event Source --> Event Collector (receives events) --> Console (events stored locally here)  (this is uncommon)
    3. Event Source --> Event Collector (receives events) --> Event Processor (stores some events here) --> Data Node (some events stored here)

    Events in QRadar are most often stored on either the Event Processors or the Data Nodes. Smaller deployments might only have an Event Collector and a Console, so in some scenarios events are stored on the Console. However, in most deployments the Console is given a smaller license and events are stored on the Event Processor. When someone runs a search from the Console, the Console reaches out to all hosts that store events to find appliances that have matches and those appliances provide results back to the Console. 

    There are some events that are stored on the Console, such as global rule events. When a global rule matches on an Event Processor, an event is generated and sent to the Console. The Console then tracks incoming global rule counts and triggers the global rule. These events are not firewall logs or database events, but are functional for the Console to track data coming from EPs. Other events stored on the Console are Health Metrics, Audit events, System Notifications, and other "feature" events that are not directly associated with security data.

    Let me know if this answered your question or if you have follow-up. In most cases, for backup purposes, the security data from your log sources is stored on the Event Processors. However, depending on your deployment, the Console can also have security events, but most events on the Console are feature, alert, audit, or health data, etc.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
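The attachment chain described in the answer above can be checked mechanically before sizing /store on each appliance. The following is an added example, not QRadar code and not part of the original post: it models a deployment as a list of hosts with a role and a parent, walks each Event Collector's chain up to the first appliance that runs a storage (Ariel Writer) service, adds any Data Nodes attached to that appliance, and flags the uncommon case where a Collector feeds the Console directly. Host names, the `role` strings and the `DEPLOYMENT` topology are constructed for illustration.

```python
"""Model of where events land in a QRadar deployment, following the
Collector -> Processor / Console -> Data Node attachment chain described
in the thread. Added example; not QRadar's own code. Host names, roles
and the topology below are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Set

# Roles that run a storage (Ariel Writer) service, per the answer above.
# Event Collectors only receive and forward; they are not storage targets.
STORING_ROLES = {"console", "event_processor", "data_node"}


@dataclass(frozen=True)
class Host:
    name: str
    role: str                      # console | event_processor | event_collector | data_node
    parent: Optional[str] = None   # appliance this host forwards to / is attached to


def _index(hosts: List[Host]) -> dict:
    return {h.name: h for h in hosts}


def storage_hosts(hosts: List[Host], collector: str) -> Set[str]:
    """Host names where events received by `collector` are written."""
    index = _index(hosts)
    h = index[collector]
    seen = set()
    # Walk upstream until we hit an appliance that stores events.
    while h.role not in STORING_ROLES:
        if h.parent is None or h.name in seen:
            raise ValueError(f"{collector}: no storing appliance upstream")
        seen.add(h.name)
        h = index[h.parent]
    targets = {h.name}
    # Data Nodes attached to that appliance share its event storage (case 3).
    targets |= {d.name for d in hosts if d.role == "data_node" and d.parent == h.name}
    return targets


def search_fanout(hosts: List[Host]) -> Set[str]:
    """Appliances the Console must query for a search: every host that stores events."""
    return {h.name for h in hosts if h.role in STORING_ROLES}


def console_stores_security_data(hosts: List[Host]) -> bool:
    """True when some Collector's chain ends on the Console (the uncommon case 2),
    which means the Console's /store must be sized for log-source data, not
    only for global rule, audit, health and notification events."""
    consoles = {h.name for h in hosts if h.role == "console"}
    return any(
        storage_hosts(hosts, c.name) & consoles
        for c in hosts if c.role == "event_collector"
    )


# Constructed topology: one Console, one EP with a Data Node, two Collectors.
DEPLOYMENT = [
    Host("qr-console", "console"),
    Host("qr-ep1", "event_processor", parent="qr-console"),
    Host("qr-dn1", "data_node", parent="qr-ep1"),
    Host("qr-ec1", "event_collector", parent="qr-ep1"),      # case 3
    Host("qr-ec2", "event_collector", parent="qr-console"),  # case 2 (uncommon)
]

# Same deployment without the Collector that feeds the Console directly.
DEPLOYMENT_TYPICAL = [h for h in DEPLOYMENT if h.name != "qr-ec2"]


if __name__ == "__main__":
    for ec in (h for h in DEPLOYMENT if h.role == "event_collector"):
        print(f"{ec.name}: stored on {sorted(storage_hosts(DEPLOYMENT, ec.name))}")
    print("search fan-out:", sorted(search_fanout(DEPLOYMENT)))
    print("console holds security data:", console_stores_security_data(DEPLOYMENT))
```

The `console_stores_security_data` check is the one to run before deciding how small the Console's /store can be: in the typical layout it is false and the Console only needs room for the feature, audit and health events the answer lists.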



  • 3.  RE: Console and Event\Flow Processor /store partition

    Posted Wed May 10, 2023 02:08 AM

    Thank you for your extended answer.



    ------------------------------
    Farid Zeynalov
    ------------------------------