Question & Answer
Question
Is it possible to install QRadar on appliances, virtual, or physical, with multiple disks?
Answer
The procedures and requirements differ depending on whether an administrator has a physical appliance or a virtual machine (VM). This article provides administrators with basic information about using multiple disks with QRadar.
QRadar Virtual Appliances
Virtual appliances have a predefined set of rules for partition creation.
Note: Appliances installed on cloud instances (AWS, Azure, IBM Cloud) have specific instructions that must be followed thoroughly.
QRadar Physical Appliances
Physical appliances contain a fixed number of disks, and that number cannot be increased. Refer to the product documentation for each appliance type to find out how many disks each appliance has.
The following schema applies to on-premises installations (including Data Gateway). Depending on how many disks are presented, the QRadar setup applies the following configuration:
| Condition | Disk and Partition | Partitions created separately | Partitions NOT created separately |
|---|---|---|---|
| One disk with less than 256GB. NOTE: Your appliance must have at least 256 GB of storage available. | Disk 1 (sda, vda) - Partition 1 | /, /boot, /recovery, /storetmp, /tmp, /home, /opt, /var, /var/log/audit, /var/log | /store, /transient |
| One disk with 256GB or more | Disk 1 (sda, vda) - Partition 1 | /, /boot, /recovery, /storetmp, /tmp, /home, /opt, /var, /var/log/audit, /var/log | None |
| | Disk 1 (sda, vda) - Partition 2 | /store, /transient | |
| Two disks (104GB minimum each) | Disk 1 (sda, vda) - Partition 1 | /, /boot, /recovery, /storetmp, /tmp, /home, /opt, /var, /var/log/audit, /var/log | None |
| | Disk 2 (sdb, vdb) - Partition 1 | /store, /transient | |
| More than two disks | Disk 1 (sda, vda) - Partition 1 | /, /boot, /recovery, /storetmp, /tmp, /home, /opt, /var, /var/log/audit, /var/log | None |
| | Disk 2 (sdb, vdb) - Partition 1 | /store, /transient | |
| | Disk 3 (sdc, vdc) - Partition 1 | None | |
Considerations:
- The following QRadar appliances do not need the /transient partition: App Host, Event Collector, Data Gateway.
- On Linux, directories for partitions that are not created separately default to the / partition. This default behavior can cause disk space issues in the / partition.
- When a third disk is used, the setup does not take it into consideration. Administrators who want the extra capacity of the third disk on their systems must use only supported methods of expanding a disk in QRadar.
- QRadar software installations require administrators to install RHEL first, then QRadar on top of it, following the partition properties in the product documentation.
For more information, see: Linux operating system partition properties for QRadar installations on your own system.
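As an added example (not IBM tooling and not part of the original article), the following shell function compares the mount points from the table above with a file in /proc/mounts format and lists those that are not separate mounts and therefore consume space in /. The function names, the optional skip list, the script name, and the sample device names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): list the directories from the layout table
# that are not separate mount points and therefore consume space in /.

# Mount points taken from the table on this page.
EXPECTED="/ /boot /recovery /storetmp /tmp /home /opt /var /var/log/audit /var/log /store /transient"

# missing_mounts MOUNTS_FILE [SKIP_DIR...]   (hypothetical helper)
# MOUNTS_FILE uses the /proc/mounts format: device mountpoint fstype options ...
# SKIP_DIR entries are not reported, e.g. /transient on an App Host,
# Event Collector, or Data Gateway.
missing_mounts() {
    mm_file=$1
    shift
    mm_skip=" $* "
    for mm_dir in $EXPECTED; do
        case "$mm_skip" in
            *" $mm_dir "*) continue ;;
        esac
        # Field 2 is the mount point; compare exactly so /var does not match /var/log.
        if ! awk -v d="$mm_dir" '$2 == d { found = 1 } END { exit !found }' "$mm_file"; then
            echo "$mm_dir"
        fi
    done
}

# Constructed sample: one disk under 256 GB (first table row). Device names are made up.
sample_small_disk() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg_example-root / xfs rw,relatime 0 0
/dev/sda2 /boot xfs rw,relatime 0 0
/dev/sda3 /recovery xfs rw,relatime 0 0
/dev/mapper/vg_example-storetmp /storetmp xfs rw,relatime 0 0
/dev/mapper/vg_example-tmp /tmp xfs rw,relatime 0 0
/dev/mapper/vg_example-home /home xfs rw,relatime 0 0
/dev/mapper/vg_example-opt /opt xfs rw,relatime 0 0
/dev/mapper/vg_example-var /var xfs rw,relatime 0 0
/dev/mapper/vg_example-varlogaudit /var/log/audit xfs rw,relatime 0 0
/dev/mapper/vg_example-varlog /var/log xfs rw,relatime 0 0
EOF
}

# Stand-alone use on a host (script name is hypothetical):
#   sh check_mounts.sh /proc/mounts [SKIP_DIR...]
if [ -n "${1:-}" ]; then
    missing_mounts "$@"
fi
```

For the constructed sample, the function reports /store and /transient, matching the "Partitions NOT created separately" column for a single disk under 256 GB.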
Document Information
Modified date:
18 March 2024
UID
ibm16571185