System requirements for virtual appliances

To ensure that IBM® QRadar® works correctly, you must use virtual appliances that meet the minimum requirements.

For more information about supported hypervisors and virtual hardware versions, see Creating your virtual machine.

QRadar virtual appliances require x86 hardware.

QRadar appliances are certified to support certain maximum events per second (EPS) rates. Maximum EPS depends on the type of data that is processed, system configuration, and system load. For more information, see QRadar maximum EPS certification methodology.

Note: The minimum requirements support QRadar functions with minimum data sets and performance. The minimum requirements support a QRadar system that uses only the default apps. For optimal performance, use the suggested requirements.

For information about running QRadar on third-party clouds, see QRadar cloud marketplace images.

QRadar Incident Forensics is installed from a different ISO than other QRadar appliances. For more information about installing QRadar Incident Forensics as a virtual appliance, see Virtual appliance installations for QRadar Incident Forensics.

Important: You can change the memory or the CPU of your virtual appliance by shutting down the virtual appliance and making the changes. When you restart the virtual appliance, the system detects the changes and adjusts the performance-related configuration.

Memory requirements

The following table describes the memory requirements for virtual appliances.

Table 1. Minimum and suggested memory requirements for QRadar virtual appliances

| Appliance | Minimum memory requirement | Suggested memory requirement |
|---|---|---|
| QRadar Flow Virtual 1299 | 6 GB | 6 GB |
| QRadar Data Node Virtual 1400 appliance | 24 GB | 64 GB |
| QRadar Event Collector Virtual 1599 | 12 GB (up to 20,000 EPS); 64 GB (40,000 EPS); 128 GB (80,000 EPS) | 16 GB (up to 20,000 EPS); 64 GB (40,000 EPS); 128 GB (80,000 EPS) |
| QRadar SIEM Event Processor Virtual 1699, up to 20,000 EPS | 16 GB; FIPS installation only 12 GB | 64 GB; FIPS installation only 48 GB |
| QRadar SIEM Event Processor Virtual 1699, 20,000 EPS or higher | 128 GB | 128 GB |
| QRadar SIEM Flow Processor Virtual 1799, up to 1,200,000 FPM | 16 GB | 64 GB |
| QRadar SIEM Flow Processor Virtual 1799, 1,200,000 FPM or higher | 128 GB | 128 GB |
| QRadar SIEM Event and Flow Processor Virtual 1899, 5,000 EPS or less, 200,000 FPM or less | 16 GB | 64 GB |
| QRadar SIEM Event and Flow Processor Virtual 1899, 30,000 EPS or less, 1,000,000 FPM or less | 128 GB | 128 GB |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199, 5,000 EPS or less, 200,000 FPM or less | 32 GB | 64 GB |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199, 30,000 EPS or less, 1,000,000 FPM or less | 128 GB | 128 GB |
| QRadar Log Manager Virtual 8099 | 24 GB | 48 GB |
| QRadar Risk Manager | 24 GB | 48 GB |
| QRadar Vulnerability Manager Processor [1] | 32 GB | 32 GB |
| QRadar Vulnerability Manager Scanner [1] | 16 GB | 16 GB |
| QRadar App Host | 12 GB | 64 GB or more for a medium-sized App Host; 128 GB or more for a large-sized App Host |
| QRadar Incident Forensics Processor 6000 [2] | 128 GB | 128 GB |
| QRadar Incident Forensics Standalone 6100 [2] | 128 GB | 128 GB |

[1] Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

[2] Important: QRadar Incident Forensics is end of life (EOL) in 7.5.0, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Incident Forensics: End of service product notification (https://www.ibm.com/support/pages/node/7145490).

Processor requirements

The following table describes the CPU requirements for virtual appliances.

Table 2. CPU requirements for QRadar virtual appliances

| QRadar appliance | Threshold | Minimum number of CPU cores | Suggested number of CPU cores |
|---|---|---|---|
| QRadar Flow Virtual 1299 | 10,000 FPM or less | 4 | 4 |
| QRadar Event Collector Virtual 1599 | 5,000 EPS or less | 8 | 16 |
| QRadar Event Collector Virtual 1599 | 20,000 EPS or less; 40,000 EPS or less; 80,000 EPS or less | 19; 40; 80 | 19; 40; 80 |
| QRadar SIEM Event Processor Virtual 1699 | 5,000 EPS or less | 8 | 24 |
| QRadar SIEM Event Processor Virtual 1699 | 20,000 EPS or less | 16 | 32 |
| QRadar SIEM Event Processor Virtual 1699 | 40,000 EPS or less | 40 | 48 |
| QRadar SIEM Event Processor Virtual 1699 | 80,000 EPS or less | 56 | 80; FIPS installation only 56 |
| QRadar SIEM Flow Processor Virtual 1799 | 150,000 FPM or less | 4 | 24 |
| QRadar SIEM Flow Processor Virtual 1799 | 300,000 FPM or less | 8 | 24 |
| QRadar SIEM Flow Processor Virtual 1799 | 1,200,000 FPM or less | 16 | 32; FIPS installation only 24 |
| QRadar SIEM Flow Processor Virtual 1799 | 2,400,000 FPM or less | 40; FIPS installation only 48 | 48 |
| QRadar SIEM Flow Processor Virtual 1799 | 3,600,000 FPM or less | 56 | 80 |
| QRadar SIEM Event and Flow Processor Virtual 1899 | 200,000 FPM or less; 5,000 EPS or less | 16 | 32 |
| QRadar SIEM Event and Flow Processor Virtual 1899 | 300,000 FPM or less; 15,000 EPS or less | 40 | 48 |
| QRadar SIEM Event and Flow Processor Virtual 1899 | 1,200,000 FPM or less; 30,000 EPS or less | 56 | 80 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 25,000 FPM or less; 500 EPS or less | 4 | 24 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 50,000 FPM or less; 1,000 EPS or less | 8 | 24 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 100,000 FPM or less; 1,000 EPS or less | 12 | 24 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 200,000 FPM or less; 5,000 EPS or less | 16 | 32 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 300,000 FPM or less; 15,000 EPS or less | 40 | 48 |
| QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 1,200,000 FPM or less; 30,000 EPS or less | 56 | 80 |
| QRadar Log Manager Virtual 8099 | 2,500 EPS or less | 4 | 16 |
| QRadar Log Manager Virtual 8099 | 5,000 EPS or less | 8 | 16 |
| QRadar Vulnerability Manager Processor [1] | | 4 | 4 |
| QRadar Vulnerability Manager Scanner [1] | | 4 | 4 |
| QRadar Risk Manager | | 8 | 8 |
| QRadar Data Node Virtual 1400 appliance | | 4 | 16 |
| QRadar App Host | | 4 | 12 or more for a medium-sized App Host; 24 or more for a large-sized App Host |
| QRadar Incident Forensics Processor 6000 [2] | | 8 | 24 |
| QRadar Incident Forensics Standalone 6100 [2] | | 8 | 24 |

[1] Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

[2] Important: QRadar Incident Forensics is end of life (EOL) in 7.5.0, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Incident Forensics: End of service product notification (https://www.ibm.com/support/pages/node/7145490).

Storage requirements

Your virtual appliance must have at least 256 GB of storage available.

The following table shows the storage requirements for installing QRadar by using the virtual or software only option.

Table 3. Minimum storage requirements for appliances when you use the virtual or software installation option

| System classification | Appliance information | IOPS | Data transfer rate (MB/s) |
|---|---|---|---|
| Minimum performance | Supports XX05 licensing | 800 | 500 |
| Medium performance | Supports XX29 licensing | 1200 | 1000 |
| High Performance | Supports XX48 licensing | 10,000 | 2000 |
| Small All-in-One (Console) or 1600 | Less than 500 EPS | 300 | 300 |
| Event/Flow Collectors | Events and flows | 300 | 300 |