IBM Support

QRadar: How does the Log Activity and Network Activity Real Time (streaming) option work?

Question & Answer


Question

How does Real Time (streaming) functionality work in the Log Activity and Network Activity tab in the QRadar User Interface?

Answer


The Real Time (streaming) option on the Log Activity and Network Activity tabs is designed to provide a quick way to view data as it is received into the system, in real time. It works by creating an interactive search session on the Console, which connects to the Event and Flow Processors in your deployment. Event and flow information that matches your search criteria is sent from the Processors to the Console at a rate of up to 1000 events per second. Anything above 1000 events per second causes the stream to go into a sampling mode, so not every matching event reaches the Console. The Console holds the 1000 most recent results in a buffer that is accessed by the user interface; the user interface retrieves data from this buffer and displays it in the Log Activity and Network Activity tabs. While events are coming in live, the browser shows the 40 most recent events from the buffer. Once you click the pause button, the stream is stopped and you can browse the 1000-event buffer page by page.

Note: While paused, any new events received into the system that match your criteria are not added to your stream session.

Because of this sampling at higher event rates, we recommend using a time-based search when you need a complete result set for investigative analysis. When a filtered search criterion returns a smaller set of results, the streaming option is useful for monitoring events in real time.
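The following is an added model of the buffering, sampling and pause behaviour described above; it is not IBM's code and not QRadar's actual implementation. The per-second drop policy used for sampling mode, the event fields `ts` and `id`, and the `matches` predicate are assumptions; the 1000 events-per-second cap, the 1000-result buffer and the 40-row live view come from the answer.

```python
from collections import deque

STREAM_RATE_CAP = 1000   # events/second forwarded from Processors to the Console (from the page)
BUFFER_SIZE = 1000       # most recent results held on the Console (from the page)
LIVE_WINDOW = 40         # rows the browser shows while the stream is live (from the page)

class StreamSession:
    """Model of one Real Time (streaming) search session.  The sampling policy is an
    ASSUMPTION: after STREAM_RATE_CAP matching events within one wall-clock second the
    rest of that second is dropped; the page only says the stream "goes to a sampling mode"."""
    def __init__(self, matches):
        self.matches = matches                   # search-criteria predicate
        self.buffer = deque(maxlen=BUFFER_SIZE)  # oldest entries fall off automatically
        self.paused = self.sampling = False
        self.received = self.dropped = 0
        self._second, self._in_second = None, 0

    def ingest(self, event):
        """One event arriving at a Processor; True if it reached the Console buffer."""
        if not self.matches(event):
            return False
        self.received += 1
        if self.paused:                          # paused sessions get no new events
            self.dropped += 1
            return False
        sec = int(event["ts"])
        if sec != self._second:                  # new second: reset the per-second counter
            self._second, self._in_second = sec, 0
        self._in_second += 1
        if self._in_second > STREAM_RATE_CAP:    # over the cap: sampling mode, event lost
            self.sampling = True
            self.dropped += 1
            return False
        self.buffer.append(event)
        return True
    def live_view(self):                         # what the browser shows while streaming
        return list(self.buffer)[-LIVE_WINDOW:]
    def pause(self):                             # freezes the buffer for paging
        self.paused = True
    def page(self, number, page_size=LIVE_WINDOW):   # page 1 = newest rows
        rows = list(reversed(self.buffer))
        return rows[(number - 1) * page_size:number * page_size]

def simulate(events_per_second, seconds, matches=lambda e: True):
    """Constructed input: evenly spaced matching events whose ids increase with time."""
    session = StreamSession(matches)
    for s in range(seconds):
        for i in range(events_per_second):
            session.ingest({"ts": s + i / events_per_second, "id": s * events_per_second + i})
    return session
```

Running `simulate(3000, 2)` shows the point of the recommendation above: two thirds of the matching events never reach the Console buffer, while a narrower `matches` predicate that keeps the rate under the cap loses nothing.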



Where do you find more information?




Document Information

Modified date:
16 June 2018

UID

swg21622826