QRadar deployment overview

IBM® QRadar® architecture supports deployments of varying sizes and topologies, from a single-host deployment, where all the software components run on one system, to a multi-host deployment, where appliances such as Event Collectors, Flow Collectors, Data Nodes, an App Host, Event Processors, and Flow Processors each have a specific role.

The first deployment example describes a single All-in-One appliance deployment for a medium-sized company. Later examples describe the deployment options as the company expands: when to add QRadar components, such as Flow Processors, Event Collectors, and Data Nodes, and when you might need to co-locate specific components.

The requirements for your QRadar deployment depend on whether the deployment that you choose has the capacity to both process and store all the data that you want to analyze from your network.

Before you plan your deployment, consider the following questions:

  • How does your company use the Internet? Do you upload as much as you download? Increased usage can increase your exposure to potential security issues.
  • How many events per second (EPS) and flows per minute (FPM) do you need to monitor?

    EPS and FPM license capacity requirements increase as a deployment grows.

  • How much information do you need to store, and for how long?
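The second and third questions can be answered from a sample of your own log traffic. The following added example (not IBM's code, and not from this page) measures peak and average EPS or FPM from a constructed list of event arrival timestamps, and then turns an average rate into a rough raw-retention storage figure; the sample timestamps, the average event size and the retention period are constructed assumptions, and the storage model ignores QRadar's own compression.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of event arrival timestamps (not real log-source data).
SAMPLE_EVENT_TIMES = [
    "2024-05-01T10:00:00", "2024-05-01T10:00:00", "2024-05-01T10:00:00",
    "2024-05-01T10:00:01", "2024-05-01T10:00:01",
    "2024-05-01T10:00:02", "2024-05-01T10:00:02", "2024-05-01T10:00:02",
    "2024-05-01T10:00:02", "2024-05-01T10:00:02",
    "2024-05-01T10:00:04",
]


def peak_rate(timestamps, bucket_seconds):
    """Return (peak, average) arrivals per bucket over the sampled span.

    bucket_seconds=1 gives events per second (EPS); 60 gives flows per
    minute (FPM). Empty buckets inside the span count toward the average,
    so a bursty source shows a peak well above its average.
    """
    if not timestamps:
        return 0, 0.0
    epochs = [int(datetime.fromisoformat(t).timestamp()) for t in timestamps]
    buckets = Counter(e // bucket_seconds for e in epochs)
    span = (max(epochs) // bucket_seconds) - (min(epochs) // bucket_seconds) + 1
    return max(buckets.values()), len(epochs) / span


def retention_storage_gib(avg_eps, avg_event_bytes, retention_days):
    """Raw bytes needed to keep avg_eps events of avg_event_bytes each for
    retention_days, expressed in GiB. Assumed inputs; no compression modelled."""
    total_bytes = avg_eps * avg_event_bytes * 86400 * retention_days
    return total_bytes / 2**30


if __name__ == "__main__":
    peak_eps, avg_eps = peak_rate(SAMPLE_EVENT_TIMES, 1)
    print(f"sample: peak {peak_eps} EPS, average {avg_eps:.1f} EPS")
    # Constructed planning inputs: 1000 EPS sustained, 500-byte events, 30 days.
    print(f"30-day raw retention at 1000 EPS: {retention_storage_gib(1000, 500, 30):.0f} GiB")
```

Size the EPS licence against the measured peak, not the average, and size storage against the average rate over the full retention window.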

The following diagram shows the QRadar components that you can use to collect, process, and store event and flow data in your QRadar deployment. An All-in-One appliance includes the data collection, processing, storage, monitoring, searching, reporting, and offense management capabilities.

The Event Collector collects event data from log sources in your network, and then sends the event data to the Event Processor. The Flow Collector collects flow data from network devices, such as a switch SPAN port, and then sends the data to the Flow Processor. Both processors process the data from the collectors and provide data to the QRadar Console. The processor appliances can store data locally, or they can use Data Nodes for storage. The QRadar Console appliance is used for monitoring, data searches, reporting, offense management, and administration of your QRadar deployment.

Figure 1. QRadar event and flow components