IBM QRadar

I have 2 Questions.

Q1: Is it possible to set disc buffer size for events to to be stored on EC during EC and EP unreachability ?

Q2: How to set "throttle" EPS limit for communication  between EC and EP after for example long EC unreachability from EP ?

Thanks

Jan 

Hi Jan

The following links outline the buffering of events during a spike in events or incase the connection from EC to EP is not available

https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

https://www.ibm.com/support/pages/node/7130013

In short. 

There is a 5GB on disk queue for events that are above license.

For events that have been through license but not passed to the EP there is a direcoty - /store/persistent_queue/ecs-ec.ecs-ec - which will store events till either the connection comes back or the disk fills.

Unfortunately there is no way to throtle the events between the EC and the EP.

Thanks

Dear John,

thanks a lot for fast reply. It is a pity that Qradar doesn't support throttle because we already suffered  several times with severe performance issues of EP after EC pushed all Events in buffer to EP after connection recovery.

May be there is some workaround like  configure Store and Forward Schedule. Set time to 24 hours but set Forward Transfer Rate Limit to for example 1 MBs?

Kind Regards

Jan