Storage requirements
The integration capabilities in IBM Security QRadar® Suite Software use persistent storage to provide reliable and resilient storage of state data. The cluster administrator must provide appropriate storage classes that meet the requirements of the respective Red Hat® OpenShift® environment.
To install QRadar Suite Software, you must configure a suitable storage class in the cluster. The configuration must be supported by one or more persistent volumes of suitable size.
Persistence is enabled by default in QRadar Suite Software. You must have physical volumes available, backed up by a suitable file system.
By definition, block storage implies RWO (ReadWriteOnce) access mode and does not support RWX (ReadWriteMany) or ROX (ReadOnlyMany). Block storage provides the best performance for storage, but it forces RWO access mode in the node.
Suggested storage providers
For Linux® on x86 hardware, the following storage providers are validated across all the capabilities of QRadar Suite Software:
- IBM Cloud® Block Storage and IBM Cloud File Storage
- IBM Storage Fusion 2.4.0 or later
- IBM® Storage Suite for IBM Cloud Paks. This suite of offerings includes the following validated storage options:
  - IBM Storage Scale Container Native CSI 2.6 or later
  - Red Hat Ceph® Storage
  - Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type
- Portworx Storage, version 2.5.5 or later
- Red Hat OpenShift Data Foundation (ODF) 4.2 or later with the block or file storage type
For more information about these options, see the IBM Storage Suite for IBM Cloud Paks documentation.
- If you are using VMware vSphere and ODF, the CPU and RAM requirements must be increased in line with the resource requirements in the IBM Storage Suite for IBM Cloud Paks documentation.
- If you are using VMware clusters that are hosted on multiple ESXi hosts, your storage must be shared between those hosts.
- The IBM Storage Suite components are not supported by the QRadar Suite Software support team. You must ensure that you have an appropriate support arrangement with the storage provider for these components.
- To provide protection for data at rest, use volume encryption for your chosen storage.
Network File Storage (NFS)
- Dell EMC Powerscale
- IBM Spectrum® Scale
- NetApp Trident
- All of the nodes in the cluster have access to mount the NFS server.
- All of the nodes in the cluster have read/write access to the NFS server.
- Containerized processes have read/write access to the NFS server.
You must set up dynamic storage provisioning on your NFS server. NFS does not support dynamic storage provisioning by default, and Red Hat OpenShift does not include a provisioner plug-in to create an NFS storage class.
- rw
- sync
- no_root_squash
- no_subtree_check
- 200 input/output operations per second (IOPS)
- 10 IOPS per GB
For more information about setting up your Red Hat OpenShift Container Platform clusters with persistent storage by using NFS, see Kubernetes NFS Subdir External Provisioner.
Validated storage options
For each of the cloud environment providers that are supported by QRadar Suite Software, the validated storage options are detailed in the following tables.
Provider | Storage class | Storage type | Access mode | Storage provider | Suggested reclaim policy | Min. IOPS | Encryption supported on the storage class |
---|---|---|---|---|---|---|---|
Amazon Web Services (AWS) | gp2, gp2-csi, gp3, gp3-csi, ocs-storagecluster-ceph-rbd | Block | RWO | AWS | Retain | 10 IOPS/GB | Yes |
Google Cloud Platform | csi-gce-pd-ssd | Block | RWO | Google Cloud Platform | Retain | 10 IOPS/GB | Yes |
IBM Cloud (Classic) | ibmc-block-gold | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Cloud (VPC2) | ibmc-vpc-block-10iops-tier, portworx-shared-sc | Block | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Storage Fusion or IBM Storage Scale Container Native | ibm-spectrum-scale-sc | Block | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |
Microsoft Azure | managed-premium | Block | RWO | Azure Disk | Retain | 10 IOPS/GB | Yes |
VMware | ocs-storagecluster-ceph-rbd, vsphere-storage-blockvsphere-volume(thin) | Block | RWO | ODF 4.7, VSphere Volume | Retain | 10 IOPS/GB | Yes |
Provider | Storage class | Storage type | Access mode | Storage provider | Suggested reclaim policy | Min. IOPS | Encryption supported on the storage class |
---|---|---|---|---|---|---|---|
Amazon Web Services (AWS) | ocs-storagecluster-cephfs | File | RWO | AWS | Retain | 10 IOPS/GB | Yes |
Google Cloud Platform | csi-gce-pd-ssd | File | RWO | Google Cloud Platform | Retain | 10 IOPS/GB | Yes |
IBM Cloud | ibmc-file-gold-gid, portworx-fs | File | RWO | IBM Cloud | Retain | 10 IOPS/GB | Yes |
IBM Storage Fusion or IBM Storage Scale Container Native | ibm-spectrum-scale-sc | File | RWO | IBM Storage | Retain | 10 IOPS/GB | Yes |
Network File Storage | nfs-client | File | RWO | | Retain | 10 IOPS/GB | Yes |
- ibmc-file-bronze-gid
- ibmc-file-silver-gid
- ibmc-file-gold-gid
Ensure that the minimum IOPS for the storage class meets or exceeds the minimum IOPS for QRadar Suite Software. For more information about gold, silver, and bronze storage, see Storage class reference.
A 1:1 mapping exists between deployment replicas and the underlying Persistent Volume Claims (PVCs). For example, a CouchDB deployment that has three replicas has three underlying PVCs.
For more information about Kubernetes persistent volumes, see Persistent Volumes.
Data encryption
You can encrypt your disks yourself if they are not encrypted by default. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, enable LUKS and format the disks with the XFS file system before you install QRadar Suite Software.
For data encryption at rest on Portworx, AWS, and IBM Cloud File Storage, the following options are suggested.
- AWS
  - When you install Red Hat OpenShift in AWS, the gp2 storage class is created by default. By default, this storage class uses the encryption key set within the EBS encryption for the entire AWS account. Contact your AWS administrator to determine which KMS key was used to encrypt the Red Hat OpenShift nodes, and obtain the full ARN of the key. To use a different encryption key, create a new custom storage class for use with QRadar Suite Software to ensure that the chosen encryption key is used when the persistent volumes are encrypted. For more information, see the AWS Elastic Block Store (EBS) object definition section of Post-installation storage configuration.
- IBM Cloud File Storage
  - For more information, see Setting up encryption for Block Storage for VPC.
- Portworx enterprise
  - For more information, see IBM Cloud in the Portworx documentation.
Other options, such as NFS, are not supported.
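The custom AWS storage class described above can be rendered as follows. This is an added example, not taken from the IBM or Red Hat documentation; the class name qradar-gp3-encrypted, the ebs.csi.aws.com provisioner with the gp3 volume type, and the sample ARN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: render a StorageClass that pins EBS volume encryption to one
# specific KMS key instead of the account-wide EBS default key.

# Succeeds only for a full KMS key ARN (not an alias or a bare key ID).
is_kms_key_arn() {
  printf '%s\n' "$1" |
    grep -Eq '^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[A-Za-z0-9-]+$'
}

# render_encrypted_sc <class-name> <kms-key-arn>
# Prints the manifest on stdout; returns 1 without output if the ARN is malformed.
render_encrypted_sc() {
  sc_name=$1
  kms_arn=$2
  if ! is_kms_key_arn "$kms_arn"; then
    echo "error: expected a full KMS key ARN, got: $kms_arn" >&2
    return 1
  fi
  cat <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ${sc_name}
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  kmsKeyId: ${kms_arn}
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
EOF
}

# Constructed placeholder ARN; replace it with the ARN from your AWS administrator.
SAMPLE_ARN='arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000'

# Typical use (hypothetical class name):
#   render_encrypted_sc qradar-gp3-encrypted "$SAMPLE_ARN" | oc apply -f -
```

The reclaim policy is set to Retain to match the suggested reclaim policy in the validated storage tables.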
Retrieving the default block storage class in your environment
You must set only one default storage class in the Red Hat OpenShift environment.
- Confirm the default storage class by typing the following command.
oc get storageclass | grep default
- If you have more than one default storage class set, unset one of the storage classes by typing the following command.
oc patch storageclass <storage_class> -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
When you update the values.conf file to install QRadar Suite Software, set the default storage class as the value for the storageClass parameter.
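The check above can be scripted so that the patch commands are generated for review rather than typed by hand. This is an added example, not part of the product documentation; the function names and the sample `oc get storageclass` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `oc get storageclass` output for the single-default rule.

# Print "<name> <reclaim-policy>" for every class marked (default).
default_classes() {
  awk 'NR > 1 && $2 == "(default)" { print $1, $4 }'
}

# plan_single_default <class-to-keep>   (reads `oc get storageclass` output on stdin)
# Prints the patch commands that unset every other default; it does not run them.
plan_single_default() {
  keep=$1
  defaults=$(default_classes)
  if ! printf '%s\n' "$defaults" |
      awk -v k="$keep" '$1 == k { f = 1 } END { exit !f }'; then
    echo "error: $keep is not currently a default storage class" >&2
    return 1
  fi
  printf '%s\n' "$defaults" | while read -r name policy; do
    if [ "$name" = "$keep" ]; then
      # The validated storage tables suggest the Retain reclaim policy.
      [ "$policy" = "Retain" ] ||
        printf '%s\n' "# note: $name has reclaim policy $policy, not Retain"
    else
      printf '%s\n' "oc patch storageclass $name -p '{\"metadata\": {\"annotations\": {\"storageclass.kubernetes.io/is-default-class\": \"false\"}}}'"
    fi
  done
}

# Constructed sample of `oc get storageclass` output with two defaults set.
SAMPLE_SC='NAME                        PROVISIONER                             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)               kubernetes.io/aws-ebs                   Delete          WaitForFirstConsumer   true                   30d
gp3-csi (default)           ebs.csi.aws.com                         Retain          WaitForFirstConsumer   true                   30d
ocs-storagecluster-cephfs   openshift-storage.cephfs.csi.ceph.com   Delete          Immediate              true                   12d'

# Typical use against a live cluster:
#   oc get storageclass | plan_single_default gp3-csi
```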
IBM Cloud environment storage
In an IBM Cloud environment, the minimal PVC size that is enforced is 20 GB for the standard ibmc-block-gold storage class. For more information, see IBM Cloud documentation.
In IBM Cloud environments, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.
Storage capability | Access mode | Deployment replicas x storage per replica | Suggested storage |
---|---|---|---|
Backup and Restore | RWO | 1x500 GB | 500 GB* |
CouchDB | RWO | 3x60 GB | 180 GB |
OpenSearch | RWO | 3x20 GB | 60 GB |
etcd | RWO | 3x20 GB | 60 GB |
Noobaa | RWO | 3x20 GB | 60 GB |
Postgres | RWO | 2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI) | 1.38 TB |
RabbitMQ | RWO | 3x20 GB | 60 GB |
Unmanaged Red Hat OpenShift environment storage
In a Red Hat OpenShift Container Platform environment where you do not have a managed cluster from a cloud provider, QRadar Suite Software requires one or more persistent volumes of suitable size, as shown in the following table.
Storage capability | Access mode | Deployment replicas x storage required per replica | Suggested storage |
---|---|---|---|
Backup and Restore | RWO | 1x500 GB | 500 GB |
CouchDB | RWO | 3x60 GB | 180 GB |
OpenSearch | RWO | 3x20 GB | 60 GB |
etcd | RWO | 3x10 GB | 30 GB |
Noobaa | RWO | 3x20 GB | 60 GB |
Postgres | RWO | 2x220 GB (default), 2x220 GB (Case Management), 2x250 GB (Data Explorer UDI) | 1.38 TB |
RabbitMQ | RWO | 3x20 GB | 60 GB |