IBM Support

QRadar: About Data Nodes

Question & Answer


Question

What is a QRadar Data Node and how does it work?

Answer

Data Nodes are dedicated storage and search appliances that allow Event Processors, Flow Processors, and AIO Consoles to scale up storage capacity.

Benefits of Data Nodes in a QRadar deployment:

  • Faster searches.
  • More storage.
  • Modular environment.
     
How does a QRadar Data Node work?

A QRadar Data Node is an appliance that is attached to a parent node to add storage and search capabilities. The parent node is the host to which the data node is attached. This host can be any of the following:

  • All-in-one Console.
  • Event Processor.
  • Flow Processor.
  • Event & Flow Processor.

The parent node receives and distributes the data among the data nodes, and is responsible for the rebalancing process.

The following image illustrates a QRadar deployment with an AIO Console, Event Processor, and two Data Nodes.

[Image: QRadar deployment with an AIO Console, Event Processor, and two Data Nodes]

What is the difference between Active and Archive modes?

  • Active Mode: This mode is configured when a new data node is added. It allows both storage and searching.
  • Archive Mode: This mode is used only for searching. A data node in Archive mode is not considered for rebalancing or scattering.

The following image illustrates a QRadar deployment with an AIO Console, Event Processor, and three Data Nodes.

[Image: QRadar deployment with an AIO Console, Event Processor, and three Data Nodes]


Document Information

Modified date: 31 May 2023

UID: swg21682128