Event and flow data redundancy
To enable data redundancy, send the same events and flows to mirrored appliances in separate data centers or geographically separate sites, by using a load balancer or another method that delivers an identical copy of the data to each site.
Configure the distribution of log and flow sources for data redundancy:
- Send log source data to the Event Processor on the second site.
- Send flow source data to the Flow Processor on the second site.
For more information about configuring log sources, see the IBM QRadar Log Sources Configuration Guide.
For more information about flow sources, see the IBM QRadar Administration Guide.
- Configure QRadar to receive events
QRadar automatically discovers many log sources that send syslog messages in your deployment. Log sources that are automatically discovered by QRadar appear in the Log Sources window.
You configure the automatic discovery of log sources for each Event Collector by using the Autodetection Enabled setting in the Event Collector configuration. To keep the log source IDs on the second site synchronized with the primary Event Collector, disable the Autodetection setting on the second site; otherwise the second site creates its own log sources with different IDs. Instead, use the content management tool to synchronize the log source configuration from the primary site, or restore a configuration backup to the second site.
For more information about auto discovered log sources and configurations specific to your device or appliance, see the IBM QRadar DSM Configuration Guide and the IBM QRadar Log Sources Configuration Guide.
- Configure QRadar to receive flows
To enable data redundancy for flows, you need to send NetFlow, J-Flow, and sFlow to both sites for QFlow collection.
You can collect flows from a SPAN or tap and then send the packets to your backup location, or you can mirror the SPAN or tap in the backup location by using external technologies. A load balancer can fan out exported flow records such as NetFlow, J-Flow, and sFlow to both sites, but it cannot duplicate the raw packet stream that QFlow collects from a SPAN or tap; that stream must be mirrored at the network layer.
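The "other method" for delivering identical copies of UDP syslog or NetFlow datagrams to both sites can be as small as a fan-out relay. The following is an added example, not IBM code and not part of this guide: it forwards each datagram unchanged to every configured target and, so that it runs offline, stands up two loopback listeners in place of the site 1 and site 2 Event Collectors (in a real deployment the targets would be each site's Event Collector on UDP 514, or each site's flow collector on the NetFlow export port, assumed here to be 2055). The syslog lines are constructed for the example.

```python
"""UDP fan-out relay for event/flow redundancy (added example, not IBM code).

Each datagram is sent byte-for-byte to every target, so the syslog header
(including the hostname field) reaches both sites unchanged. Only the IP
source address changes to the relay's, which matters if a site relies on
the packet source address rather than the header to identify a log source.
"""
import socket

# Hypothetical production targets: site 1 and site 2 Event Collectors.
SITE_TARGETS = [("ec-site1.example.internal", 514), ("ec-site2.example.internal", 514)]


def fan_out(datagram: bytes, targets, sock=None) -> int:
    """Send one datagram unchanged to every target; return number of sends that succeeded."""
    own_sock = sock is None
    if own_sock:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delivered = 0
    for host, port in targets:
        try:
            sock.sendto(datagram, (host, port))
            delivered += 1
        except OSError:
            # A failure toward one site (e.g. unresolvable host) must not stop
            # delivery to the other site; log and carry on.
            continue
    if own_sock:
        sock.close()
    return delivered


class Collector:
    """Minimal UDP listener standing in for an Event Collector or QFlow on one site."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))          # ephemeral port, loopback only
        self.sock.settimeout(0.5)
        self.addr = self.sock.getsockname()
        self.received = []

    def drain(self, expected: int):
        """Read up to `expected` datagrams (or until the socket is quiet)."""
        while len(self.received) < expected:
            try:
                data, _ = self.sock.recvfrom(65535)
            except socket.timeout:
                break
            self.received.append(data)
        return self.received

    def close(self):
        self.sock.close()


def demo():
    """Fan three constructed syslog events out to two loopback 'sites' and compare what each got."""
    site1, site2 = Collector(), Collector()
    targets = [site1.addr, site2.addr]
    events = [  # constructed sample syslog lines (RFC 3164 style)
        b"<13>Jan  1 00:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
        b"<85>Jan  1 00:00:02 srv01 sshd[4242]: Failed password for root from 198.51.100.9 port 51022 ssh2",
        b"<14>Jan  1 00:00:03 srv01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    ]
    delivered = sum(fan_out(ev, targets) for ev in events)
    got1 = site1.drain(len(events))
    got2 = site2.drain(len(events))
    site1.close()
    site2.close()
    return {
        "sent": len(events),
        "delivered": delivered,                     # sends counted per target
        "site1": len(got1),
        "site2": len(got2),
        # Both sites must hold exactly the same bytes the source emitted.
        "identical": sorted(got1) == sorted(got2) == sorted(events),
    }


if __name__ == "__main__":
    print(demo())
```

The check at the end is the one worth keeping after any real cut-over: a count match alone is not enough, since the two sites must receive identical payloads for searches and offenses to agree. Because this relay runs in user space, it also has the limitation noted on this page for QFlow: it can replicate exported flow records, but not a SPAN or tap packet stream.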
- Use the Content Management Tool (CMT)
If you want to ensure that the primary QRadar Console from site 1 and the secondary QRadar Console from site 2 have identical configurations, use the content management tool to update site 2 with the configurations from site 1.
For more information about using the content management tool, see the IBM QRadar Administration Guide.