Event and flow forwarding configuration

For data redundancy, configure IBM® QRadar® systems to forward data from one site to a backup site.

The target system that receives the data from QRadar is known as a forwarding destination. QRadar systems ensure that all forwarded data is unaltered. Newer versions of QRadar systems can receive data from earlier versions of QRadar systems. However, earlier versions cannot receive data from later versions. To avoid compatibility issues, upgrade all receivers before you upgrade QRadar systems that send data. Follow these steps to set up forwarding:

1. Configure one or more forwarding destinations.

   A forwarding destination is the target system that receives the event and flow data from the IBM QRadar primary console. You must add forwarding destinations before you can configure bulk or selective data forwarding. For more information about forwarding destinations, see the IBM QRadar Administration Guide.

2. Configure routing rules, custom rules, or both.

   After you add one or more forwarding destinations for your event and flow data, you can create filter-based routing rules to forward large quantities of data. For more information about routing rules, see the IBM QRadar Administration Guide.

3. Configure data exports, imports, and updates.

   You use the content management tool to move data from your primary QRadar Console to the QRadar secondary console. Export security and configuration content from IBM QRadar into an external, portable format. For more information about using the content management tool to transfer data, see the IBM QRadar Administration Guide.