All-in-One deployment
In a single-host QRadar deployment, you have an All-in-One QRadar® appliance: a single server that collects event data, such as syslog event logs and Windows events, as well as flow data from your network.
An All-in-One appliance is suitable for a medium-sized company that has low exposure to the Internet, or for testing and evaluation purposes. Single server deployments are suitable for companies that monitor network activity and events such as authentication services and firewall activity.
An All-in-One appliance provides you with the capabilities that you need, up to a specific capacity that is determined by your license and the hardware specifications of the system. For example, a QRadar 3105 (All-in-One) typically processes up to 5,000 EPS (events per second) and 200,000 FPM (flows per minute), whereas a QRadar 3128 (All-in-One) typically processes up to 15,000 EPS and 300,000 FPM.
- Manufacturing company deploys a single QRadar server
You are a medium-sized manufacturing company with fewer than 1000 employees. You deploy a QRadar 3105 All-in-One appliance to collect, process, and monitor event and flow data. With that deployment, you can collect up to 5,000 events per second (EPS) and 200,000 flows per minute (FPM).
The following diagram shows an All-in-One appliance, which collects data from event and flow sources, processes the data, and provides a web application where you can search, monitor, and respond to security threats.
The QRadar All-in-One appliance performs the following tasks:
- Collects event and network flow data, and then normalizes the data into a format that QRadar can use.
- Analyzes and stores the data, and identifies security threats to the company.
- Provides access to the QRadar web application.
As your data sources grow, or your processing or storage needs increase, you can add appliances to expand your deployment. For more information, see Expanding deployments to add more capacity.