Offboard storage overview

To increase the amount of storage space available to your appliance, you can move a portion of your data to an offboard storage device. You can move your /store, /store/ariel, or /store/backup file systems.

Multiple methods are available for adding external storage, including iSCSI, Fibre Channel, and NFS (Network File System). You must use iSCSI or Fibre Channel to store data that is accessible and searchable, such as the /store/ariel directory.

Warning:

If you use NFS or a Windows share for offboard storage, your system can lock and cause an outage. This practice is not supported by IBM® QRadar®.

If you choose to use NFS anyway, NFS can be used only for daily backup data, such as the /store/backup directory. You cannot use NFS for storing active data, which includes the PostgreSQL and ariel databases. If you do use NFS, it might cause database corruption or performance issues.
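The following added example is not part of the IBM documentation. It shows one way to check which file system type backs each of the three file systems named above, including a path such as /store/ariel that inherits its type from a parent mount. The function names, the sample mount table, and the device names in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in /proc/mounts format (device, mount point, type, options, dump, pass).
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / xfs rw,relatime 0 0
/dev/mapper/mpatha1 /store xfs rw,relatime 0 0
filer.example:/export/qradar /store/backup nfs4 rw,relatime 0 0
EOF
}

# fs_type_for PATH MOUNTS_FILE: type of the longest mount point that contains PATH.
fs_type_for() {
    awk -v p="$1" 'BEGIN { best = 0 }
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            # ">=" lets a later mount on the same mount point win
            if (length($2) >= best) { best = length($2); t = $3 }
        }
        END { print t }' "$2"
}

# check_path PATH MOUNTS_FILE: 0 = ok, 1 = NFS under backups (unsupported), 2 = violation.
check_path() {
    local fstype
    fstype=$(fs_type_for "$1" "$2")
    case "$fstype" in
        nfs|nfs4)
            if [ "$1" = /store/backup ]; then
                echo "WARN $1 on $fstype: unsupported, backup data only"; return 1
            fi
            echo "FAIL $1 on $fstype: active data must not be on NFS"; return 2 ;;
        cifs|smb3)
            echo "FAIL $1 on $fstype: Windows share"; return 2 ;;
        *)  echo "OK   $1 on ${fstype:-unknown}"; return 0 ;;
    esac
}

# audit MOUNTS_FILE: check the three file systems the page names; return the worst status.
audit() {
    local worst=0 rc p
    for p in /store /store/ariel /store/backup; do
        rc=0; check_path "$p" "$1" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Demo on the constructed sample.
tmp=$(mktemp); sample_mounts > "$tmp"
audit "$tmp" || echo "worst status: $?"; rm -f "$tmp"
```

On a Linux host, `audit /proc/mounts` runs the same check against the live mount table.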

You can use offboard storage solutions on any managed host or console, including high-availability (HA) systems. When you use iSCSI or Fibre Channel with HA, the external storage device is mounted by the active HA node, which ensures data consistency if an HA failure occurs. When you use external storage with HA, you must configure these devices on the primary and secondary HA hosts.

Before you implement an offboard storage solution, consider your local storage options, existing hardware infrastructure, and your data retention and fault tolerance requirements.

Offboard storage data encryption

Event data in QRadar is not encrypted when stored. However, you can place the /store or /store/ariel partitions on an external device that uses encryption that is transparent to QRadar. For more information on external storage options, see External storage options.

Important: To set up encryption on the storage, see the documentation for your storage solution.

Local storage

Data that is stored locally on a QRadar appliance can be accessed with lower latency than on external storage. When possible, use local storage and Data Node appliances as an alternative to an external storage device.

Multiple appliances

Use multiple appliances if larger storage capacity is required for your QRadar deployment.

When multiple appliances are not feasible, or when an existing deployment can increase capacity by using available external storage, then external storage might be appropriate for your deployment.

Hardware and infrastructure

Your existing infrastructure and experience with storage area networks are important factors in deciding whether to use an offboard storage solution.

Certain offboard devices require less configuration and might be able to use existing network infrastructures. For example, iSCSI uses existing Ethernet networking, while Fibre Channel uses specialized hardware.

Data retention and fault tolerance

Your QRadar data retention policy is important in considering an offboard storage solution. If your data retention settings exceed the capacity of existing storage or if you are planning to expand the retention of existing deployed appliances, you might require an offboard storage solution.

An offboard storage solution can be used to improve your fault tolerance and disaster recovery capabilities.