IBM QRadar

  • 1.  DLC Collector

    Posted Tue September 16, 2025 05:17 AM

    Hi,

    I'm wondering if anyone has experience with the DLC collector and can help answer a few questions:

    1. DLC Performance
    If, for example, we forward logs from approximately 200 workstations to a DLC collector, can it handle collecting, storing (if needed), and forwarding logs from that number of endpoints?
    Does the DLC have any limitations in terms of EPS (Events Per Second) or similar metrics?
    I couldn't find specific documentation on DLC limitations. For comparison, I know that a QRadar all-in-one console has a limit of around 30,000 EPS. Does DLC have comparable limitations?

    2. DLC Use for MSSPs
    I found that DLC can be used in MSSP environments.
    Does anyone have experience with this use case?
    Am I correct in assuming that the DLC would be installed in the client's infrastructure and then use IPsec to forward logs to the QRadar Console in the provider's environment? Or can both (DLC and Console) be installed in the provider's environment?
    What are the downsides of this setup compared to a more traditional approach like:

    • Log sources → EP/EC → QRadar, or

    • Log sources → All-in-one Console?

    3. Log Forwarding Delay
    Is there any noticeable delay in log forwarding when using DLC - for example, delays of 5 minutes or more?

    Thanks,



    ------------------------------
    Vydenis Kucinskas
    ------------------------------


  • 2.  RE: DLC Collector

    Posted Wed September 17, 2025 04:19 AM
    1. The max that a DLC instance can send is 5000 EPS (I assume that it should be able to receive more). See this note.
    2. Using a DLC is probably the preferred option in an MSSP setup. To communicate with a console that is not on the same site, you can also opt to use TLS over TCP (without a VPN).
      The upside of using a DLC would be that it requires less bandwidth since it is not a managed host (you need at least 100+ Mbps between a console and managed hosts); also, if you use e.g. ECs (as managed hosts) on each of the tenants' sites, then e.g. adding a log source for any of the tenants would require replicating the change to all of the ECs (as they are managed hosts).
      Management of log sources etc. would probably be a bit easier in the latter case, though.
      You can opt to install a console - AiO or with a separate EP/EC - at the client's site, but that would be a single-tenant setup; great for the client, but with multiple such installations you would have to monitor several consoles or build your own "master console" that would aggregate all offense information etc. from multiple consoles (you cannot have multiple consoles in a single deployment).
    3. I'd assume that the delays would mostly be a result of a break or overload of your communication pipe or of the DLC machine, or network issues introduced by an intermediary party on your WAN path.


    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: DLC Collector

    Posted Wed September 17, 2025 11:54 AM
    Edited by Perf1 Thu September 18, 2025 06:18 PM

    1. Yes, DLC should be able to handle a large number of data sources. It depends on the system config and the protocol used for collection, some supporting more than others.
        DLC supports up to tens of thousands of EPS ingestion and forwarding to QRadar, depending on the configuration, traffic etc. The mentioned 5K EPS is the default forwarding rate and not the maximum, as clearly outlined by the linked documentation.
    Refer to https://www.ibm.com/docs/en/qradar-common?topic=overview-system-requirements-disconnected-log-collector for the resource requirements.

    3. There is a minimal processing latency + the networking latency. With a sufficiently good network the latency is 1-2 seconds at most.