IBM QRadar

Has anyone deployed without Data Gateway which i mean send the logs from the devices directly to event processor on cloud cutting the data gateway in between ? Or can we have all in one deployment for QRADAR in cloud please?

------------------------------
Karthick Krishnamoorthy
------------------------------

You can have an AIO in cloud, deployment in AWS for instance. QROC
without a gateway would at the least require VPN established for on
prem and you would have no event caching collection locally which
would be a collection risk. I do not think that is supported.

For 100% cloud, running to a bucket then leveraging API log sources
direct from QROC is an alternative, where all the logging effort stays
cloud local and you just hit API to grab events/flow logs.


Original Message------

Has anyone deployed without Data Gateway which i mean send the logs from the devices directly to event processor on cloud cutting the data gateway in between ? Or can we have all in one deployment for QRADAR in cloud please?

------------------------------
Karthick Krishnamoorthy
------------------------------

Thank you very much for your response. Our log sources are all on-prem, our concern here is the hardware cost for the Data Gateway and we are working the way around if available to avoid the hardware cost for data Gateway. I presume the API will be applicable for the cloud based log sources if am not wrong ?

------------------------------
Karthick Krishnamoorthy
------------------------------

Original Message:
Sent: Tue March 17, 2020 08:17 AM
From: hostcontext restart
Subject: QROC Data Gateway

You can have an AIO in cloud, deployment in AWS for instance. QROC
without a gateway would at the least require VPN established for on
prem and you would have no event caching collection locally which
would be a collection risk. I do not think that is supported.

For 100% cloud, running to a bucket then leveraging API log sources
direct from QROC is an alternative, where all the logging effort stays
cloud local and you just hit API to grab events/flow logs.


Original Message------

Has anyone deployed without Data Gateway which i mean send the logs from the devices directly to event processor on cloud cutting the data gateway in between ? Or can we have all in one deployment for QRADAR in cloud please?

------------------------------
Karthick Krishnamoorthy
------------------------------

In general, when deploying managed hosts (e.g. AiO + Event Collector...) there should be a minimum of 100Mbps bandwidth between them - due to a need to replicate configuration and status data. However, I would advise to have Processors quite "close" to the console, as searches and global correlation could be impacted otherwise. I would suggest you evaluate if Disconnected Log Collector could be of use in your case (it can be deployed on a computer or virtual machine with RHEL7.x or CentOS 7.x and reasonable resources you provide).

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Tue March 17, 2020 09:43 AM
From: Karthick Krishnamoorthy
Subject: QROC Data Gateway

Thank you very much for your response. Our log sources are all on-prem, our concern here is the hardware cost for the Data Gateway and we are working the way around if available to avoid the hardware cost for data Gateway. I presume the API will be applicable for the cloud based log sources if am not wrong ?

------------------------------
Karthick Krishnamoorthy

Original Message:
Sent: Tue March 17, 2020 08:17 AM
From: hostcontext restart
Subject: QROC Data Gateway

You can have an AIO in cloud, deployment in AWS for instance. QROC
without a gateway would at the least require VPN established for on
prem and you would have no event caching collection locally which
would be a collection risk. I do not think that is supported.

For 100% cloud, running to a bucket then leveraging API log sources
direct from QROC is an alternative, where all the logging effort stays
cloud local and you just hit API to grab events/flow logs.


Original Message------

Has anyone deployed without Data Gateway which i mean send the logs from the devices directly to event processor on cloud cutting the data gateway in between ? Or can we have all in one deployment for QRADAR in cloud please?

------------------------------
Karthick Krishnamoorthy
------------------------------