A distributed deployment of QRadar Incident Forensics includes a QRadar Console and one or more QRadar Incident Forensics managed hosts. This type of deployment includes event and log management, anomaly detection, risk management, and vulnerability management, and also gives you the ability to distribute the workload for forensics recoveries.
In a distributed deployment, there are three appliances:
Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.
The following diagram shows that you can attach multiple QRadar Incident Forensics managed hosts to the QRadar Console. You can attach QRadar Network Packet Capture devices to the QRadar Incident Forensics managed hosts (QRadar Incident Forensics Processor).

Figure 1. Distributed deployment example
Distributed installations
New software installations that integrate QRadar Incident Forensics with IBM QRadar require installation components from at least two ISO files. Each installation requires an activation key, which determines the appliance type that is installed.
The following table shows which ISO file to use to install each of the components in a QRadar Incident Forensics distributed deployment.
Table 1. Components of a QRadar® Incident Forensics distributed deployment

ISO file                        | Installed component
--------------------------------|--------------------------------------------------------------
QRadar ISO                      | Choose appliance type 3199 to install the QRadar Console. This ISO image is also used to install every QRadar product except for QRadar Incident Forensics and IBM QRadar Network Insights. The activation key determines the type of appliance that is installed.
QRadar Incident Forensics ISO   | Choose appliance type 6000 to install the QRadar Incident Forensics Processor.

You cannot attach QRadar Incident Forensics Standalone (appliance type 6100) to a QRadar Console.
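The constraints stated on this page (one Console of appliance type 3199, one or more Incident Forensics Processors of type 6000, identical software version and fix level on every appliance, and no Standalone type 6100 attached to a Console) can be checked before an installation is attempted. The following validator is an added example, not IBM's code or a QRadar tool; the inventory layout, the `Appliance` record and the version-string format are assumptions made for this example, and the inventory values are constructed placeholders.

```python
"""Pre-installation sanity check for a planned QRadar Incident Forensics
distributed deployment (added example, not IBM code).

Rules encoded, all taken from the deployment description above:
  * exactly one QRadar Console (activation-key appliance type 3199)
  * one or more QRadar Incident Forensics Processors (appliance type 6000)
  * QRadar Incident Forensics Standalone (type 6100) cannot be attached to a Console
  * every appliance must run the same software version and fix level
The inventory format below is an assumption for the example.
"""
from dataclasses import dataclass

CONSOLE_TYPE = "3199"
FORENSICS_PROCESSOR_TYPE = "6000"
FORENSICS_STANDALONE_TYPE = "6100"


@dataclass
class Appliance:
    name: str
    appliance_type: str  # appliance type selected by the activation key
    version: str         # assumed "version-fixlevel" string; compared as a whole


def check_deployment(appliances):
    """Return a list of human-readable problems; an empty list means the plan passes."""
    problems = []

    consoles = [a for a in appliances if a.appliance_type == CONSOLE_TYPE]
    if len(consoles) != 1:
        problems.append(
            f"expected exactly one Console (type {CONSOLE_TYPE}), found {len(consoles)}")

    processors = [a for a in appliances if a.appliance_type == FORENSICS_PROCESSOR_TYPE]
    if not processors:
        problems.append(
            f"a distributed deployment needs at least one managed host (type {FORENSICS_PROCESSOR_TYPE})")

    for a in appliances:
        if a.appliance_type == FORENSICS_STANDALONE_TYPE:
            problems.append(
                f"{a.name}: Standalone (type {FORENSICS_STANDALONE_TYPE}) cannot be attached to a Console")
        elif a.appliance_type not in (CONSOLE_TYPE, FORENSICS_PROCESSOR_TYPE):
            problems.append(
                f"{a.name}: appliance type {a.appliance_type} is not part of this deployment pattern")

    # Version and fix level must match on every appliance, so compare the full string.
    versions = {a.version for a in appliances}
    if len(versions) > 1:
        detail = ", ".join(f"{a.name}={a.version}" for a in appliances)
        problems.append(f"software version/fix level mismatch: {detail}")

    return problems


# Constructed inventories (placeholder names and version strings, not real hosts).
GOOD_PLAN = [
    Appliance("console-01", CONSOLE_TYPE, "EXAMPLE-VERSION-FP1"),
    Appliance("forensics-01", FORENSICS_PROCESSOR_TYPE, "EXAMPLE-VERSION-FP1"),
    Appliance("forensics-02", FORENSICS_PROCESSOR_TYPE, "EXAMPLE-VERSION-FP1"),
]

BAD_PLAN = [
    Appliance("console-01", CONSOLE_TYPE, "EXAMPLE-VERSION-FP1"),
    Appliance("forensics-01", FORENSICS_PROCESSOR_TYPE, "EXAMPLE-VERSION-FP2"),  # fix level differs
    Appliance("standalone-01", FORENSICS_STANDALONE_TYPE, "EXAMPLE-VERSION-FP1"),  # not allowed
]

if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        issues = check_deployment(plan)
        print(f"{label}: {'OK' if not issues else 'REJECTED'}")
        for issue in issues:
            print("  -", issue)
```

Run it against your own planned inventory before ordering activation keys; a non-empty result points at the appliance and rule that would make the deployment unsupported.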