Storage requirements

The integration capabilities in IBM Security QRadar® Suite Software use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective Red Hat® OpenShift® environment.

To install QRadar Suite Software, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.

Persistence is enabled by default in QRadar Suite Software. You must have physical volumes available, backed up by a suitable file system.

By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.

Suggested storage providers

For Linux® on x86 hardware, the following storage providers are validated across all the capabilities of QRadar Suite Software:

  • IBM Cloud® Block Storage and IBM Cloud File Storage
  • IBM Storage Fusion 2.4.0 or later
  • IBM® Storage Suite for IBM Cloud Paks. This suite of offerings includes the following validated storage options:
    • IBM Storage Scale Container Native CSI 2.6 or later
    • Red Hat Ceph® Storage
    • Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type
  • Portworx Storage, version 2.5.5 or later
  • Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type

For more information about these options, see the IBM Storage Suite for IBM Cloud Paks documentation.

Important:
  • If you are using VMWare vSphere and ODF, the CPU and RAM requirements must be incremented in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation.
  • If you are using VMWare clusters that are hosted on multiple ESXi hosts, your storage must be shared between those hosts.
  • The IBM Storage Suite components are not supported by the QRadar Suite Software support team. You must ensure that you have an appropriate support arrangement with the storage provider for these components.
  • To provide protection for data at rest, use volume encryption for your chosen storage.

Network File Storage (NFS)

If you plan to use NFS for persistent storage, you must set up your NFS before you install QRadar Suite Software. Use an enterprise class storage system that ensures availability with a sufficiently high throughput and reduced latency, such as:
  • Dell EMC Powerscale
  • IBM Spectrum® Scale
  • NetApp Trident
Use an NFS server that is close to your cluster. When I/O performance is not sufficient, services can experience poor performance or cluster instability such as functional failures with timeouts, especially when you are running a heavy workload. Ensure that the following conditions are met on all of the QRadar Suite Software nodes in your Red Hat OpenShift Container Platform cluster.
  • All of the nodes in the cluster have access to mount the NFS server.
  • All of the nodes in the cluster have read/write access to the NFS server.
  • Containerized processes have read/write access to the NFS server.
Important: It is your responsibility to secure your NFS storage. You can use NFS in production or nonproduction environments. It is best to use a separate NFS server for each environment.

You must set up dynamic storage provisioning on your NFS server. NFS does not support dynamic storage provisioning by default, and Red Hat OpenShift does not include a provisioner plug-in to create an NFS storage class.

You must export the NFS share to all the NFS clients. The following options are required to export the NFS share to all the NFS clients.
  • rw
  • sync
  • no_root_squash
  • no_subtree_check
The following NFS configuration requirements are the minimum requirements for optimal performance.
  • 200 input/output operations per second (IOPS)
  • 10 IOPS per GB

For more information about setting up your Red Hat OpenShift Container Platform clusters with persistent storage by using NFS, see Kubernetes NFS Subdir External Provisioner.

Validated storage options

For each of the cloud environment providers that are supported by QRadar Suite Software, the validated storage options are detailed in the following tables.

Table 1. Validated block storage options
Provider Storage class Storage type Access mode Storage provider Suggested reclaim policy Min. IOPS Encryption supported on the storage class
Amazon Web Services (AWS) gp2, gp2-csi, gp3, gp3-csi, ocs-storagecluster-ceph-rbd Block RWO AWS Retain 10 IOPS/GB Yes
Google Cloud Platform csi-gce-pd-ssd Block RWO Google Cloud Platform Retain 10 IOPS/GB Yes
IBM Cloud (Classic) ibmc-block-gold Block RWO IBM Cloud Retain 10 IOPS/GB Yes
IBM Cloud (VPC2) ibmc-vpc-block-10iops-tier, portworx-shared-sc Block RWO IBM Cloud Retain 10 IOPS/GB Yes
IBM Storage Fusion or IBM Storage Scale Container Native ibm-spectrum-scale-sc Block RWO IBM Storage Retain 10 IOPS/GB Yes
Microsoft Azure managed-premium Block RWO Azure Disk Retain 10 IOPS/GB Yes
VMware ocs-storagecluster-ceph-rbd, vsphere-storage-blockvsphere-volume(thin) Block RWO ODF 4.7, VSphere Volume Retain 10 IOPS/GB Yes
Table 2. Validated file storage options
Provider Storage class Storage type Access mode Storage provider Suggested reclaim policy Min. IOPS Encryption supported on the storage class
Amazon Web Services (AWS) ocs-storagecluster-cephfs File RWO AWS Retain 10 IOPS/GB Yes
Google Cloud Platform csi-gce-pd-ssd File RWO Google Cloud Platform Retain 10 IOPS/GB Yes
IBM Cloud ibmc-file-gold-gid, portworx-fs File RWO IBM Cloud Retain 10 IOPS/GB Yes
IBM Storage Fusion or IBM Storage Scale Container Native ibm-spectrum-scale-sc File RWO IBM Storage Retain 10 IOPS/GB Yes
Network File Storage nfs-client File RWO
  • Dell EMC Powerscale
  • IBM Spectrum Scale
  • NetApp Trident
Retain 10 IOPS/GB Yes
Tip: IBM Cloud ROKS supports the following gid storage classes:
  • ibmc-file-bronze-gid
  • ibmc-file-silver-gid
  • ibmc-file-gold-gid

Ensure that the minimum IOPS for the storage class meets or exceeds the minimum IOPS for QRadar Suite Software. For more information about gold, silver, and bronze storage, see Storage class reference.

1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.

For more information about Kubernetes persistent volumes, see Persistent Volumes.

Data encryption

You can encrypt your disks yourself if they are not encrypted by default. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install QRadar Suite Software.

For data encryption at rest on Portworx, AWS, and IBM Cloud File Storage, the following options are suggested.

AWS
When you install Red Hat OpenShift in AWS, the gp2 storage class is created by default. By default this storage class uses the encryption key set within the EBS encryption for the entire AWS Account. Contact your AWS administrator to determine which KMS key was used to encrypt the Red Hat OpenShift nodes, and obtain the full ARN of the key. To use a different encryption key, create a new custom storage class for use with QRadar Suite Software to ensure that the chosen encryption key is used when the persistent volumes are encrypted. For more information, see the AWS Elastic Block Store (EBS) object definition section of Post-installation storage configuration .
IBM Cloud File Storage
For more information, see Setting up encryption for Block Storage for VPC.
Portworx enterprise
For more information, see IBM Cloud in the Portworx documentation.

Other options, such as NFS, are not supported.

Retrieving the default block storage class in your environment

You must set only one default storage class in the Red Hat OpenShift environment.

  • Confirm the default storage class by typing the following command.
    oc get storageclass | grep default
  • If you have more than one default storage class set, unset one of the storage classes by typing the following command.
    oc patch storageclass <storage_class> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'

When you update the values.conf file to install QRadar Suite Software, set the default storage class as the value for the storageClass parameter.

IBM Cloud environment storage

In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard ibmc-block-gold storage class. For more information, see IBM Cloud documentation.

In IBM Cloud environments, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.

Table 3. Suggested storage for IBM Cloud
Storage capability Access mode Deployment replicas x storage per replica Suggested storage
Backup and Restore RWO 1x500 GB 500 GB*
CouchDB RWO 3x60 GB 180 GB
OpenSearch RWO 3x20 GB 60 GB
etcd RWO 3x20 GB 60 GB
Noobaa RWO 3x20 GB 60 GB
Postgres RWO 2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI) 1.38 TB
RabbitMQ RWO 3x20 GB 60 GB
Tip: For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.

Unmanaged Red Hat OpenShift environment storage

In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.

Table 4. Suggested storage for unmanaged Red Hat OpenShift environments
Storage capability Access mode Deployment replicas x storage required per replica Suggested storage
Backup and Restore RWO 1x500 GB 500 GB
CouchDB RWO 3x60 GB 180 GB
OpenSearch RWO 3x20 GB 60 GB
etcd RWO 3x10 GB 30 GB
Noobaa RWO 3x20 GB 60 GB
Postgres RWO 2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI) 1.38 TB
RabbitMQ RWO 3x20 GB 60 GB
Tip: For the Backup and Restore pod, instead of using the defaults that are specified in the table, you can provision your own storage. For more information, see Creating the backup and restore PVC.