Bandwidth for managed hosts
To replicate state and configuration data, ensure that you have a minimum bandwidth of 100 Mbps between the IBM® QRadar® console and all managed hosts. Higher bandwidth is necessary when you search log and network activity, and you have over 10,000 events per second (EPS).
An Event Collector that is configured to store and forward data to an Event Processor forwards the data according to the schedule that you set. Ensure that you have sufficient bandwidth to cover the amount of data that is collected, otherwise the forwarding appliance cannot maintain the scheduled pace.
Use the following methods to mitigate bandwidth limitations between data centers:
- Process and send data to hosts at the primary data center
- Design your deployment to process and send data as it's collected to hosts at the primary data
center where the console resides. In this design, all user-based searches query the data from the
local data center rather than waiting for remote sites to send back data.
You can deploy a store and forward event collector, such as a QRadar 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.
- Don't run data-intensive searches over limited bandwidth connections
- Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.
For more information about deploying managed hosts and components after installation, see the IBM QRadar Administration Guide.