A distributed deployment of QRadar® Incident Forensics includes a QRadar Console and one or more QRadar Incident Forensics managed hosts.
This type of deployment includes event and log management, anomaly detection, risk management, and vulnerability management, and it also gives you the ability to distribute the workload for forensics recoveries.
In a distributed deployment, there are three appliances:
Software versions for all IBM® QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.
The following diagram shows that you can attach multiple QRadar Incident Forensics managed hosts to the QRadar Console. You can attach QRadar Network Packet Capture devices to the QRadar Incident Forensics managed hosts (QRadar Incident Forensics Processor).
Figure 1. Distributed deployment example
Distributed installations
New software installations that integrate QRadar Incident Forensics with IBM QRadar require installation components from at least 2 ISO files. Each installation requires an activation key, which determines the appliance type that is installed.
The following table shows which ISO file to use to install each of the components in a QRadar Incident Forensics distributed deployment.
Table 1. Components of a QRadar Incident Forensics distributed deployment

ISO file: QRadar ISO
Installed component: Choose appliance type 3199 to install the QRadar Console. This ISO image is also used to install every QRadar product except for QRadar Incident Forensics and IBM QRadar Network Insights. The activation key determines the type of appliance that is installed.

ISO file: QRadar Incident Forensics ISO
Installed component: Choose appliance type 6000 to install the QRadar Incident Forensics Processor. You cannot attach QRadar Incident Forensics Standalone (appliance type 6100) to a QRadar Console.