QRadar components

Use IBM® QRadar® components to scale a QRadar deployment, and to manage data collection and processing in distributed networks.

Important: Software versions for all IBM QRadar appliances in a deployment must be the same version and fix pack level. Deployments that use different versions of software are not supported because environments that use mixed versions can cause rules not to fire, offenses not to be created or updated, and errors in search results.

QRadar deployments can include the following components:

QRadar Console

The QRadar Console provides the QRadar user interface, and real-time event and flow views, reports, offenses, asset information, and administrative functions.

In distributed QRadar deployments, use the QRadar Console to manage hosts that include other components.

QRadar Event Collector

The Event Collector collects events from local and remote log sources, and normalizes raw log source events to format them for use by QRadar. The Event Collector bundles or coalesces identical events to conserve system usage and sends the data to the Event Processor.

  • Use the QRadar Event Collector 1501 in remote locations with slow WAN links. The Event Collector appliances do not store events locally. Instead, the appliances collect and parse events before they send events to an Event Processor appliance for storage.
  • The Event Collector can use bandwidth limiters and schedules to send events to the Event Processor to overcome WAN limitations such as intermittent connectivity.
  • The Event Collector is assigned to an EPS license that matches the Event Processor that it is connected to.

QRadar Event Processor

The Event Processor processes events that are collected from one or more Event Collector components. The Event Processor processes events by using the Custom Rules Engine (CRE). If events are matched to the CRE custom rules that are predefined on the Console, the Event Processor executes the action that is defined for the rule response.

Each Event Processor has local storage, and event data is stored on the processor, or it can be stored on a Data Node.

The processing rate for events is determined by your events per second (EPS) license. If you exceed the EPS rate, events are buffered and remain in the Event Collector source queues until the rate drops. However, if you continue to exceed the EPS license rate, and the queue fills up, your system drops events, and QRadar issues a warning about exceeding your licensed EPS rate.
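The buffering and drop behavior described above, together with the event coalescing done by the Event Collector, can be seen in a small simulation. This is an added illustrative model, not QRadar code: the queue capacity, license value and traffic are constructed, and treating one coalesced bundle as one queue slot is a modelling assumption.

```python
from collections import Counter, deque


def coalesce(batch):
    """Bundle identical raw events (same source, same event id) into (event, count) pairs."""
    return list(Counter(batch).items())


class EventPipeline:
    """Collector source queue drained by an Event Processor at the licensed EPS rate."""

    def __init__(self, eps_license, queue_capacity):
        self.eps = eps_license          # licensed events per second
        self.capacity = queue_capacity  # constructed queue size (not a real QRadar value)
        self.queue = deque()
        self.processed = 0
        self.dropped = 0
        self.warnings = []

    def tick(self, second, batch):
        """Ingest one second of raw events, then drain at most `eps` bundles."""
        dropped_before = self.dropped
        # Modelling assumption: one coalesced bundle occupies one queue slot.
        for bundle in coalesce(batch):
            if len(self.queue) >= self.capacity:
                self.dropped += 1       # queue full: the system drops events
            else:
                self.queue.append(bundle)
        if self.dropped > dropped_before:
            self.warnings.append(f"t={second}s: licensed EPS rate exceeded, queue full, events dropped")
        for _ in range(min(self.eps, len(self.queue))):
            self.queue.popleft()        # anything left stays buffered for later seconds
            self.processed += 1


def run_scenario():
    """Constructed traffic: a short burst (buffered), repeats (coalesced), sustained overrun (dropped)."""
    pipe = EventPipeline(eps_license=3, queue_capacity=5)
    distinct = lambda n: [("fw1", f"id{i}") for i in range(n)]
    pipe.tick(1, distinct(5))                                   # 5 > 3 EPS, but fits the queue
    pipe.tick(2, [])                                            # backlog of 2 drains
    pipe.tick(3, [("fw1", "id1")] * 3 + [("fw2", "id2")] * 3)   # 6 raw events -> 2 bundles
    for t in (4, 5, 6):
        pipe.tick(t, distinct(7))                               # sustained 7 bundles/s > EPS
    return pipe
```

In the scenario the first burst is fully processed once the rate drops, the repeated events cost only two EPS slots after coalescing, and the sustained overrun is the only phase that drops events and raises warnings.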

When you add an Event Processor to an All-in-One appliance, the event processing function is moved from the All-in-One to the Event Processor.

QRadar QFlow Collector

The Flow Collector collects flows by connecting to a SPAN port, or a network TAP. The IBM QRadar QFlow Collector also supports the collection of external flow-based data sources, such as NetFlow from routers.

QRadar QFlow Collectors are not designed to be full packet capture systems. For full packet capture, review the QRadar Incident Forensics option. Specifically, the QRadar QFlow Collector 1310 appliance can forward packets to a QRadar Network Packet Capture appliance, which allows for flow collection and packet collection from a single packet source.

You can install a QRadar QFlow Collector on your own hardware or use one of the QRadar QFlow Collector appliances.

Restriction: The QRadar Log Manager does not support flow collection or Flow Collectors, which are supported only in QRadar SIEM deployments.

QRadar Flow Processor

The Flow Processor processes flows from one or more QRadar QFlow Collector appliances. The Flow Processor appliance can also collect external network flows such as NetFlow, J-Flow, and sFlow directly from routers in your network. You can use the Flow Processor appliance to scale your QRadar deployment to manage higher flows per minute (FPM) rates. Flow Processors include an on-board Flow Processor, and internal storage for flow data. When you add a Flow Processor to an All-in-One appliance, the processing function is moved from the All-in-One appliance to the Flow Processor.

QRadar Data Node

Data Nodes enable new and existing QRadar deployments to add storage and processing capacity on demand. Data Nodes help to increase the search speed in your deployment by providing more hardware resources to run search queries on.

QRadar App Host

An App Host is a managed host that is dedicated to running apps. App Hosts provide extra storage, memory, and CPU resources for your apps without impacting the processing capacity of your QRadar Console. Apps such as User Behavior Analytics with Machine Learning Analytics require more resources than are currently available on the Console.

For more information about managing QRadar components, see the IBM QRadar Administration Guide.

For more information about QRadar appliance specifications, see the IBM QRadar Hardware Guide.