Data redundancy and recovery in QRadar deployments

To safeguard against data loss, configure your deployments to include data redundancy and recovery functionality. Data synchronization is possible when you have two identical QRadar systems in separate geographic environments that mirror each other, and data is synchronized at both sites. Data forwarding uses off-site forwarding, which is set up on both the primary and secondary deployments. You can set up data synchronization with deployments that are in different geographical locations.

Data Synchronization App
Implement the Data Synchronization app to safeguard your IBM QRadar configurations and data by mirroring your data to another identical QRadar system. Recovery from a data loss is possible when you have two identical QRadar systems in separate geographic environments that are a mirror of each other, and data is collected at both sites. To learn more about the Data Synchronization app, see Redundancy and recovery for QRadar deployments.

If you do not meet the requirements for the Data Synchronization app, the following are some alternative solutions. Recovery from data loss is possible when you forward live data, for example, flows and events from a primary QRadar system, to a parallel system at another site.

Primary QRadar Console and backup console
A hardware failure solution in which the backup console is a copy of the primary server with the same configuration, but stays powered off. Only one console is operational at any one time. If the primary console fails, you manually power on the backup console, apply the primary configuration backup, and use the IP address from the primary console. After you restore the primary server and before you turn it on, you manually turn off the backup server. If the system is down for a long time, apply the backup console configuration backup to the primary server.
Event and flow forwarding
Events and flows are forwarded from a primary site to a secondary site. Identical architectures in two separate data centers are required.
Distributing the same events and flows to the primary and secondary sites
Distribute the same event and flow data to two live sites by using a load balancer or other method to deliver the same data to mirrored appliances. Each site has a record of the log data that is sent.