Global Security Forum

  • 1.  QRadar On-Premise Disaster Recovery Feature

    Posted 19 days ago
    Edited by Mohammed Kamal MOULINE 19 days ago

    Hello, 

    Please reply regarding this use case:

    QRadar on premise, Console licensed for up to 10000 EPS, DR licensed for up to 2000 EPS.

    1. What will happen if DR is configured?
      1. The DR will not work?
      2. The DR will replicate no more than 2000 EPS?
      3. If yes, how can that 2000 EPS be selected?
    2. If we configure a domain within the console with 2000 EPS, can DR be deployed only for that domain?

    Any feedback will be very much appreciated.

    Thank You,

    Kamal



    ------------------------------
    Mohammed Kamal MOULINE
    ------------------------------



  • 2.  RE: QRadar On-Premise Disaster Recovery Feature

    Posted 18 days ago

    Hi Kamal,

    First of all, why are you not checking the HA option with the Primary host at your Primary Site and the Secondary Host at your DR site?
    As for your questions, please find my response:

    1.1) It will work for up to 2000 EPS.
    1.2) It will be like the primary site case with the 10K EPS... If the EPS is exceeded, it will start dropping events.
    1.3) You can't select the log sources which will consume the 2000 EPS.

    2) The DR license is irrelevant to which domain will be monitored, as you can configure it on your own. So if you have three domains A, B, C and you want to monitor only Domain A by assigning it 2000 EPS, you can create the relevant Tenants A, B, C and configure the limits you want there.



    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------



  • 3.  RE: QRadar On-Premise Disaster Recovery Feature

    Posted 18 days ago

    Hi IOANNIS, 

    First of all, thank you for your reply.

    Actually, in the primary site there are two AIO nodes in HA + 1 AIO node in DR. The problem is that the DR license is not the same as the ingestion license: 2000 vs 10000.

    Regarding your response 2: is it possible to configure a domain limited to 2000 EPS, and configure the DR only for that one, so that only this domain will be replicated to the AIO-DR?

    Even on an AIO deployment?

    Thank You,



    ------------------------------
    Mohammed Kamal MOULINE
    ------------------------------



  • 4.  RE: QRadar On-Premise Disaster Recovery Feature

    Posted 18 days ago

    Hi Mohammed,

    Is the DR site hot or cold?

    Do you have the QRadar App for Primary-DR synchronization, as this does it only for the config?

    As I mentioned, you can configure an EPS limit on a Domain once you assign it under a Tenant and configure the limit on the respective Tenant.



    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------



  • 5.  RE: QRadar On-Premise Disaster Recovery Feature

    Posted 17 days ago

    Hello, 

    The DR site will be cold.

    QRadar App will be deployed.

    Since it is a DR site for the SIEM platform, it will need to handle the same amount of events, so a DR license with the same capacity will be needed.

    Kind regards,



    ------------------------------
    Mohammed Kamal MOULINE
    ------------------------------



  • 6.  RE: QRadar On-Premise Disaster Recovery Feature

    Posted 14 days ago

    Hi Mohammed,

    Based on the above, this is the setup you should have:
    - DR license equal to Primary
    - QRadar infra to collect and process 10K EPS
    - IBM QRadar App for sync

    In my opinion, it's better to have the HA between the Primary and DR, with the Primary node at the Primary Site and the Secondary node at the DR site.



    ------------------------------
    IOANNIS KAZOLAS
    ------------------------------