Expanding deployments to add more capacity

Your business might create or expand a deployment beyond an IBM® QRadar® All-in-One appliance because of a lack of processing or data storage capacity, or because you have specific data collection requirements.

The topology and composition of your QRadar deployment are influenced by the capability and capacity of that deployment to collect, process, and store all the data that you want to analyze in your network.

If your processing or storage needs expand beyond the capacity of your All-in-One appliance, you can reconfigure your QRadar environment to a distributed deployment. For more information, see Adding an appliance to an All-in-One console.

To get rough estimates of the events per second (EPS) or flows per minute (FPM) that you need to process in your deployment, use the size of your logs that are collected from firewalls, proxy servers, and Windows boxes.

Reasons to add event or flow collectors to an All-in-One deployment

You might need to add flow or event collectors to your deployment under these conditions:

  • Your data collection requirements exceed the collection capability of the All-in-One appliance.
  • You must collect events and flows in a different location than where your All-in-One appliance is installed.
  • You are monitoring larger or higher-rate packet-based flow sources that are faster than the 50 Mbps connection on the All-in-One.

A 3128 All-in-One appliance can collect up to 15,000 events per second (EPS) and 300,000 flows per minute (FPM). If your collection requirements are greater, you might want to add Event Collectors and Flow Collectors to your deployment. For example, you can add a QRadar QFlow Collector 1202, which collects up to 3 Gbps.
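The rough EPS estimate from log size described above can be worked through as follows. This is an added example, not IBM code: the sample log lines, daily volumes and peak factor of 3 are constructed assumptions, and only the 15,000 EPS limit comes from this page.

```python
# Added sizing sketch: estimate EPS from the size of collected logs.
# Sample events, daily volumes and the peak factor are constructed assumptions.

APPLIANCE_EPS_LIMIT = 15_000  # 3128 All-in-One figure quoted on this page
SECONDS_PER_DAY = 86_400

def avg_event_bytes(sample_lines):
    """Mean size of one event in bytes, counting one newline per event."""
    if not sample_lines:
        raise ValueError("need at least one sample line")
    sizes = [len(line.encode("utf-8")) + 1 for line in sample_lines]
    return sum(sizes) / len(sizes)

def estimate_eps(bytes_per_day, event_bytes, peak_factor=1.0):
    """Average events per second for one day's volume, scaled by peak_factor."""
    if event_bytes <= 0:
        raise ValueError("event size must be positive")
    return bytes_per_day / event_bytes / SECONDS_PER_DAY * peak_factor

def size_deployment(sources, peak_factor=3.0, limit=APPLIANCE_EPS_LIMIT):
    """sources maps name -> (bytes_per_day, sample_lines); returns a report."""
    per_source = {
        name: estimate_eps(volume, avg_event_bytes(samples))
        for name, (volume, samples) in sources.items()
    }
    average = sum(per_source.values())
    peak = average * peak_factor  # daily averages hide bursts
    return {"per_source": per_source, "average_eps": average,
            "peak_eps": peak, "exceeds_limit": peak > limit}

if __name__ == "__main__":
    GB = 10**9
    sources = {  # constructed sample data
        "firewall": (120 * GB, [
            "<134>Jan 10 12:00:01 fw01 action=allow src=10.0.0.5 "
            "dst=192.0.2.10 dport=443 proto=tcp bytes=5120"]),
        "proxy": (60 * GB, [
            "1704888001.120 10.0.0.7 TCP_MISS/200 18342 GET "
            "http://example.com/index.html - DIRECT/192.0.2.20 text/html"]),
        "windows": (40 * GB, [
            "<13>Jan 10 12:00:02 dc01 Security: EventID=4624 "
            "LogonType=3 Account=svc_backup Workstation=APP01"]),
    }
    report = size_deployment(sources)
    for name, eps in report["per_source"].items():
        print(f"{name:9s} {eps:10.0f} EPS average")
    print(f"total     {report['average_eps']:10.0f} EPS average")
    print(f"peak      {report['peak_eps']:10.0f} EPS (x3 assumed)")
    print("exceeds All-in-One limit:", report["exceeds_limit"])
```

Replace the sample lines with a representative set of real events from each log source, because the average event size drives the whole estimate.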

An All-in-One appliance processes the events and flows that are collected. By adding Event Collectors and Flow Collectors, you free processing capacity on the All-in-One appliance that it can then use for searches and other security tasks.

Packet-based flow sources require a Flow Collector that is connected either to a Flow Processor or, in deployments where there is no Flow Processor appliance, to an All-in-One appliance. You can collect external flow sources, such as NetFlow or IPFIX, directly on a Flow Processor or All-in-One appliance.

To learn more about the different components that you can add to your deployment, see QRadar components.