Question & Answer
Question
If I have a distributed QRadar environment, how does QRadar access this Data used by Searches, Offenses, Reports, and how is this used by the Console?
Answer
In an all-in-one system, all data on QRadar resides on the Console, so searches, reports, and rules, have access to the data locally. Conversely, in a distributed environment data storage is more complex. Each QRadar Processor Appliance collects and stores the data locally on their disk storage system or on a Data Node, which is beneficial in a Wide Area Network (WAN) distributed environment, as it avoids having all data transit WAN links.
Searching reports
On an Interactive Search or a Scheduled Report, your search criteria is sent from the Event or Flow Processors. Any data that matches is sent back to the Console for use in the search results or included in the Report. The search result set is kept temporarily on the Console (commonly referred to as a 'cursor' on /store/transient) for 24 hours, which allows multiple users to view the result set, avoiding duplicate data transfers from remote systems to the Console.
Searching reports
On an Interactive Search or a Scheduled Report, your search criteria is sent from the Event or Flow Processors. Any data that matches is sent back to the Console for use in the search results or included in the Report. The search result set is kept temporarily on the Console (commonly referred to as a 'cursor' on /store/transient) for 24 hours, which allows multiple users to view the result set, avoiding duplicate data transfers from remote systems to the Console.
Users can find existing searches in the search settings:
- Log in to the QRadar Web User Interface.
- Click Log Activity tab.
- Click Search > Manage Search Results.
- Double-click the existing Search.
Rules
When data matches a rule, it generates an Offense. A notification of this match is sent from the processor up to the Console to display that Offense. The data remains on the original processor only. The notification of the Offense request is sent to the Console, which reduces the amount of data that must be sent to the Console.
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
28 October 2022
UID
swg21622714