Adding a managed host

Add managed hosts, such as event and flow collectors, event and flow processors, and data nodes, to distribute data collection and processing activities across your IBM® QRadar® deployment.

Before you begin

Ensure that the managed host has the same IBM QRadar version and update packages level as the QRadar Console that you are using to manage it.

If you want to enable Network Address Translation (NAT) for a managed host, the network must use static NAT translation. For more information, see NAT-enabled networks.

Warning: Your firewall might block the managed host from being added because of multiple attempts to log in to the QRadar Console by using SSH. To resolve this problem, tune your firewall to prevent the managed host from being blocked.

About this task

The following table describes the components that you can connect:
Table 1. Supported component connections
Source connection: QRadar Flow Collector
Target connection: Event Collector
Description:
    You can connect an IBM QRadar Flow Collector only to an Event Collector. The number of connections is not restricted.
    You can't connect a QRadar Flow Collector to the Event Collector on a 15xx appliance.

Source connection: Event Collector
Target connection: Event Processor
Description:
    You can connect an Event Collector to only one Event Processor.
    You can connect a non-console Event Collector to an Event Processor on the same system.
    A console Event Collector can be connected only to a console Event Processor. You can't remove this connection.

Source connection: Event Processor
Target connection: Event Processor
Description:
    You can't connect a console Event Processor to a non-console Event Processor.
    You can connect a non-console Event Processor to another console or non-console Event Processor, but not both at the same time.
    When a non-console managed host is added, the non-console Event Processor is connected to the console Event Processor.

Source connection: Data Node
Target connection: Event Processor
Description:
    You can connect a data node to an event or flow processor only. You can connect multiple Data Nodes to the same processor to create a storage cluster.

Source connection: Event Collector
Target connection: Off-site target
Description:
    The number of connections is not restricted.

Source connection: Off-site source
Target connection: Event Collector
Description:
    The number of connections is not restricted.
    An Event Collector that is connected to an event-only appliance can't receive an off-site connection from system hardware that has the Receive Flows feature enabled.
    An Event Collector that is connected to a QFlow-only appliance can't receive an off-site connection from a remote system that has the Receive Flows feature enabled.
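
The connection rules in Table 1 can be checked against a planned topology before any host is added. The following Python check is an added example, not IBM code or a QRadar API. The component type labels, the "console" and "appliance" fields, and the sample host names are assumptions made for illustration, and the off-site Receive Flows restrictions are not modelled.

```python
import re
from collections import defaultdict

# (source type, target type) pairs that Table 1 permits; labels are this example's own.
ALLOWED = {
    ("flow_collector", "event_collector"), ("event_collector", "event_processor"),
    ("event_processor", "event_processor"), ("data_node", "event_processor"),
    ("data_node", "flow_processor"), ("event_collector", "offsite_target"),
    ("offsite_source", "event_collector"),
}

def validate(components, connections):
    """components: name -> {"type", optional "console", optional "appliance"}.
    connections: list of (source, target) names. Returns a list of violations."""
    errors = []
    ep_targets = defaultdict(set)  # collector/processor -> Event Processors it feeds
    for src, dst in connections:
        s, d = components[src], components[dst]
        if (s["type"], d["type"]) not in ALLOWED:
            errors.append(f"{src} -> {dst}: {s['type']} cannot connect to {d['type']}")
            continue
        # A Flow Collector cannot use the Event Collector on a 15xx appliance.
        if s["type"] == "flow_collector" and re.fullmatch(r"15\d\d", d.get("appliance", "")):
            errors.append(f"{src} -> {dst}: Event Collector is on a 15xx appliance")
        if d["type"] == "event_processor" and s["type"] != "data_node":
            ep_targets[src].add(dst)
            # Console collectors and processors may only target a console Event Processor.
            if s.get("console") and not d.get("console"):
                errors.append(f"{src} -> {dst}: console component to non-console Event Processor")
    # Assumption: "only one" / "not both at the same time" means one processor target each.
    for src, targets in sorted(ep_targets.items()):
        if len(targets) > 1:
            errors.append(f"{src}: more than one Event Processor target {sorted(targets)}")
    return errors

# Constructed sample deployment (host names and appliance models are made up).
SAMPLE_COMPONENTS = {
    "console-ec": {"type": "event_collector", "console": True},
    "console-ep": {"type": "event_processor", "console": True},
    "ec1": {"type": "event_collector", "appliance": "1501"},
    "ep1": {"type": "event_processor"},
    "fc1": {"type": "flow_collector"},
    "dn1": {"type": "data_node"},
}
VALID = [("console-ec", "console-ep"), ("ep1", "console-ep"), ("dn1", "ep1")]
INVALID = [
    ("fc1", "ec1"),                         # Event Collector on a 15xx appliance
    ("ec1", "ep1"), ("ec1", "console-ep"),  # two Event Processors for one collector
    ("console-ep", "ep1"),                  # console to non-console Event Processor
    ("dn1", "ec1"),                         # data node to a collector
]
```

Calling `validate(SAMPLE_COMPONENTS, VALID + INVALID)` returns one message for each of the four rule violations in the constructed sample.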

If you configured IBM QRadar Incident Forensics in your deployment, you can add a QRadar Incident Forensics managed host. For more information, see the IBM QRadar Incident Forensics Installation Guide.

If you configured IBM QRadar Vulnerability Manager in your deployment, you can add vulnerability scanners and a vulnerability processor. For more information, see the IBM QRadar Vulnerability Manager User Guide.

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).

If you configured IBM QRadar Risk Manager in your deployment, you can add a managed host. For more information, see the IBM QRadar Risk Manager Installation Guide.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems.
  4. On the Deployment Actions menu, click Add Host.
  5. Configure the settings for the managed host by providing the fixed IP address, and the root password to access the operating system shell on the appliance.
  6. Click Add.
  7. Optional: Use the Deployment actions > View Deployment menu to see visualizations of your deployment. You can download a PNG image or a Microsoft Visio (2010) VDX file of your deployment visualization.
  8. On the Admin tab, click Advanced > Deploy Full Configuration.
    Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.