Storage requirements
The integration capabilities in IBM® Security QRadar® EDR use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective Red Hat® OpenShift® Container Platform environment.
Persistence is enabled by default in QRadar EDR. You must have persistent volumes available, backed by a suitable file system, before you install. For more information, see Persistent volume storage sizing.
For more information about Kubernetes persistent volumes, see Persistent Volumes.
Validated storage options
The following table shows the storage options that are validated for QRadar EDR.
Cloud provider | Storage class | Access mode | Storage provider | Reclaim policy | Min. IOPS | Encryption is supported on the storage class |
---|---|---|---|---|---|---|
VMware | thin-csi | RWO | VSphere Volume | Retain | 10 IOPS/GB | Yes |
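The following script is an added example and is not part of the QRadar EDR product or IBM's documentation. It shows a StorageClass manifest that matches the validated row above (vSphere CSI provisioner, Retain reclaim policy, XFS) and a check that an existing class in the cluster meets those settings. The class name `thin-csi-retain`, the storage policy name `thin`, and the `oc get sc` sample output are assumptions made for the example; dynamically created default classes commonly use the Delete reclaim policy, which would destroy PV data when a PVC is removed.

```shell
#!/bin/sh
# Added example (not IBM's code): a storage class matching the validated
# vSphere row (thin-csi provisioner, Retain reclaim policy) and a check that an
# existing class meets it. The class name thin-csi-retain and the storage policy
# name are assumptions; the oc output sample below is constructed.

# Manifest for a Retain-policy class. reclaimPolicy is immutable on an existing
# StorageClass, so a new class is created instead of patching the default one.
sc_manifest() {
  cat <<'EOF'
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: thin-csi-retain
provisioner: csi.vsphere.vmware.com
parameters:
  StoragePolicyName: "thin"        # assumed vSphere storage policy name
  csi.storage.k8s.io/fstype: xfs
reclaimPolicy: Retain              # validated setting: PV data survives PVC deletion
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
EOF
}

# Apply the manifest to the cluster (needs oc; not run by the demo below).
apply_sc() { sc_manifest | oc apply -f -; }

# check_sc CLASS
# Reads "NAME PROVISIONER RECLAIMPOLICY" lines on stdin, as produced by
#   oc get sc --no-headers -o custom-columns=NAME:.metadata.name,PROV:.provisioner,RECLAIM:.reclaimPolicy
# and succeeds only if CLASS uses the vSphere CSI provisioner with Retain.
check_sc() {
  awk -v want="$1" '
    $1 == want { found = 1; ok = ($2 == "csi.vsphere.vmware.com" && $3 == "Retain") }
    END { exit !(found && ok) }
  '
}

# Constructed oc output: a default Delete-policy class and the one defined above.
SAMPLE_SC='thin-csi csi.vsphere.vmware.com Delete
thin-csi-retain csi.vsphere.vmware.com Retain'

for sc in thin-csi thin-csi-retain; do
  if printf '%s\n' "$SAMPLE_SC" | check_sc "$sc"; then
    echo "$sc: meets validated settings"
  else
    echo "$sc: does not meet validated settings (need csi.vsphere.vmware.com + Retain)"
  fi
done
```

Run `check_node` style checks before installing: pipe the real `oc get sc` output into `check_sc` for the class you intend to reference in the QRadar EDR installation, and only proceed if it exits 0.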
Data encryption
If your cloud provider doesn't encrypt your disks by default, you can ensure that your QRadar EDR data is stored securely by encrypting your disks yourself. If you use Linux® Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install QRadar EDR.
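The following script is an added example and is not IBM's code. It carries out the LUKS-then-XFS preparation described above and, more usefully, gives a pre-install check that the disk backing a QRadar EDR persistent volume really is a LUKS container whose mapped device carries XFS, so that an unencrypted disk or a LUKS volume formatted with the wrong file system is caught before installation. The device names `sdb` and `edrdata` and the `lsblk` sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-install check that the disk backing a
# QRadar EDR persistent volume is a LUKS container carrying an XFS file system.
# Device names (sdb, edrdata) and the lsblk sample lines below are constructed.

# Provisioning step. Destructive: wipes $1, opens it as /dev/mapper/$2 and
# formats it as XFS. Not run by the demo below.
luks_format_xfs() {
  cryptsetup luksFormat --type luks2 "$1"
  cryptsetup open "$1" "$2"
  mkfs.xfs -f "/dev/mapper/$2"
}

# check_luks_xfs MAPPED_NAME
# Reads `lsblk -rno NAME,TYPE,FSTYPE` output on stdin. Succeeds only if the
# mapped device MAPPED_NAME is a "crypt" device with FSTYPE xfs and the line
# immediately before it (its backing disk or partition) carries crypto_LUKS.
check_luks_xfs() {
  awk -v target="$1" '
    $2 == "crypt" && $1 == target { found = 1; ok = (prev_luks && $3 == "xfs") }
    { prev_luks = ($3 == "crypto_LUKS") }
    END { exit !(found && ok) }
  '
}

# Check a real node disk (needs lsblk; not exercised by the sample run):
#   check_node_disk /dev/sdb edrdata
check_node_disk() {
  lsblk -rno NAME,TYPE,FSTYPE "$1" | check_luks_xfs "$2"
}

# Constructed lsblk output for three situations: encrypted + XFS (good),
# plain unencrypted XFS, and encrypted but formatted ext4.
SAMPLE_OK='sdb disk crypto_LUKS
edrdata crypt xfs'
SAMPLE_PLAIN='sdb disk xfs'
SAMPLE_EXT4='sdb disk crypto_LUKS
edrdata crypt ext4'

demo() {  # demo LABEL SAMPLE
  if printf '%s\n' "$2" | check_luks_xfs edrdata; then
    echo "$1: edrdata is a LUKS-backed XFS device, accepted"
  else
    echo "$1: edrdata rejected, not a LUKS-backed XFS device"
  fi
}
demo ok "$SAMPLE_OK"
demo plain "$SAMPLE_PLAIN"
demo ext4 "$SAMPLE_EXT4"
```

The check deliberately requires both properties: a `crypt` mapping with XFS on top is not enough on its own, because the mapping could sit on a non-LUKS dm-crypt device, and a LUKS container is not enough on its own if it was formatted with another file system.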
Persistent volume storage sizing
Deployment size | Storage capability | Component | Access mode | Suggested storage |
---|---|---|---|---|
Small | 1 K endpoints, 45M events/day | Cassandra | RWO | Cassandra data: 1 TB (45 million events x 30 days + 25% buffer); Cassandra backup: 800 GB. Total for 3 Cassandra pods with replication factor of 2 |
Small | | OpenSearch | RWO | 2 TB (45 million events x 30 days + 25% buffer). Total for 2 OpenSearch pods/replicas |
Small | | Postgres | RWO | 40 GB |
Small | | RabbitMQ | RWO | 40 GB |
Medium | 3 K endpoints, 95M events/day | Cassandra | RWO | Cassandra data: 2.2 TB (95 million events x 30 days + 25% buffer); Cassandra backup: 1.76 TB. Total for 3 Cassandra pods with replication factor of 2 |
Medium | | OpenSearch | RWO | 4.3 TB (95 million events x 30 days + 25% buffer). Total for 2 OpenSearch pods/replicas |
Medium | | Postgres | RWO | 40 GB |
Medium | | RabbitMQ | RWO | 40 GB |
Large | 5 K endpoints, 150M events/day | Cassandra | RWO | Cassandra data: 3.4 TB (150 million events x 30 days + 25% buffer); Cassandra backup: 2.72 TB. Total for 3 Cassandra pods with replication factor of 2 |
Large | | OpenSearch | RWO | 6.75 TB (150 million events x 30 days + 25% buffer). Total for 2 OpenSearch pods/replicas |
Large | | Postgres | RWO | 40 GB |
Large | | RabbitMQ | RWO | 40 GB |
10k | 10 K endpoints, 300M events/day | Cassandra | RWO | Cassandra data: 6.8 TB (300 million events x 30 days + 25% buffer); Cassandra backup: 5.5 TB. Total for 3 Cassandra pods with replication factor of 2 |
10k | | OpenSearch | RWO | 13.5 TB (300 million events x 30 days + 25% buffer). Total for 2 OpenSearch pods/replicas |
10k | | Postgres | RWO | 40 GB |
10k | | RabbitMQ | RWO | 40 GB |
15k | 15 K endpoints, 400M events/day | Cassandra | RWO | Cassandra data: 9.06 TB (400 million events x 30 days + 25% buffer); Cassandra backup: 7.3 TB. Total for 3 Cassandra pods with replication factor of 2 |
15k | | OpenSearch | RWO | 17.9 TB (400 million events x 30 days + 25% buffer). Total for 2 OpenSearch pods/replicas |
15k | | Postgres | RWO | 40 GB |
15k | | RabbitMQ | RWO | 40 GB |