IBM Security QRadar

Hi,

Is it possible and advisable to increase the size of the temporary queue from 5GB to something like 20GB? If yes, then what will be the impact.

Thanks.

------------------------------
Abdul Quadeer
------------------------------

The event and flow burst handling buffer can be increased, but it is typically not recommended. As 5GB can hold a huge volume of events, increasing the buffer does not solve the license issues. As the appliance license needs to be under the limit and in recovery, always pushing up against your license never allows the volume to decrease at any meaningful rate. You either need to size the license properly with an increase or start using some routing rules to drop low security value events. If 5GB can hold 1.5 million events, and you only have 2k EPS the buffer needs to be able to clear in a timely manner for correlation. Having full buffers and increasing the burst handling capacity is not solving the problem, just delaying it. 

Can support increase the buffer size? Yes. 
Does support recommend this action? No. 

You should talk to your sales rep to see about an increase in your license capacity so you can allocate more EPS to the appliance so you are in recovery more often. Optionally, you can drop low security value events, which would give you EPS back on the EPS license interval. 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Mon February 27, 2023 11:26 AM
From: Abdul Quadeer
Subject: temporary queue

Hi,

Is it possible and advisable to increase the size of the temporary queue from 5GB to something like 20GB? If yes, then what will be the impact.

Thanks.

------------------------------
Abdul Quadeer
------------------------------

Thank you, Jonathan Pechta.

The event and flow burst handling buffer can be increased, but it is typically not recommended. As 5GB can hold a huge volume of events, increasing the buffer does not solve the license issues. As the appliance license needs to be under the limit and in recovery, always pushing up against your license never allows the volume to decrease at any meaningful rate. You either need to size the license properly with an increase or start using some routing rules to drop low security value events. If 5GB can hold 1.5 million events, and you only have 2k EPS the buffer needs to be able to clear in a timely manner for correlation. Having full buffers and increasing the burst handling capacity is not solving the problem, just delaying it. 

Can support increase the buffer size? Yes. 
Does support recommend this action? No. 

You should talk to your sales rep to see about an increase in your license capacity so you can allocate more EPS to the appliance so you are in recovery more often. Optionally, you can drop low security value events, which would give you EPS back on the EPS license interval. 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Mon February 27, 2023 11:26 AM
From: Abdul Quadeer
Subject: temporary queue

Hi,

Is it possible and advisable to increase the size of the temporary queue from 5GB to something like 20GB? If yes, then what will be the impact.

Thanks.

------------------------------
Abdul Quadeer
------------------------------