Adding processing capacity to an All-in-One deployment
Add Event Processors and Flow Processors to your QRadar® deployment to increase processing capacity and increase storage. Adding processors frees up resources on your QRadar Console by moving the processing and storage load to dedicated servers.
When you add Event Processors or Flow Processors to an All-in-One appliance the All-in-One acts as a QRadar Console. The processing power on the All-in-One appliance is dedicated to managing and searching the data that is sent by the processors, and data is now stored on the Event Processors and other storage devices, rather than on the Console.
You typically add Event Processors and Flow Processors to your QRadar deployment for the following reasons:
- As your deployment grows, the workload exceeds the processing capacity of the All-in-One appliance.
- Your security operations center employs more analysts who do more concurrent searches.
- The types of monitored data, and the retention period for that data increases, which increases processing and storage requirements.
- As your security analyst team grows, you require better search performance.
Running multiple concurrent QRadar searches and adding more types of log sources that you monitor, affects the processing performance of your All-in-One appliance. As you increase the number of searches and the amount of monitored data, add Event Processors and Flow Processors to improve the performance of your QRadar deployment.
When you scale your QRadar deployment beyond the 15,000 EPS and 300,000 FPM on the most powerful All-in-One appliance, you must add processor appliances to process that data.
Example: Adding a QRadar Event Processor to your deployment
You can add a QRadar Event Processor 1628, which collects and processes up to 40,000 EPS. You increase your capacity by another 40,000 EPS every time you add a QRadar Event Processor 1628 to your deployment. Add a QRadar Flow Processor 1728, which collects and processes up to 1,200,000 FPM.
The QRadar Event Processor 1628 is a collector and a processor. If you have a distributed network, it’s a good practice to add Event Collectors to distribute the load and to free system resources on the Event Processor.
- Event and flow processing is moved off the All-in-One appliance to the event and flow processors.
- Event processing capacity increases to 40,000 EPS, which includes the 15,000 EPS that was on the All-in-One.
- Flow processing capacity increases to 1,200,000 FPM, which includes the 300,000 FPM that was on the All-in-One.
- Data that is sent by the event and flow collectors is processed and stored on the event and flow processors.
Search performance is faster when you install Event Processors and Flow Processors on the same network as your QRadar Console.
Adding processors and collectors expands the processing capacity of your QRadar deployment. You can also increase the storage capacity of your deployment. Your company's data retention needs can increase due to more traffic or to changes to retention policies. Adding Data Nodes to your deployment expands your data storage capacity, and improves search performance.
When to add Collectors to Processors
Add Event Collectors and Flow Collectors to Event Processors and Flow Processors for the same reasons that you add collectors to an All-in-One appliance:
- Your data collection requirements exceed the collection capability of your processor.
- You must collect events and flows at a different location than where your processor is installed.
- You are monitoring packet-based flow sources.
Because search performance is improved when processors are installed on the same network as the console, adding collectors in remote locations, and then sending that data to the processor, speeds up your QRadar searches.