System requirements for virtual appliances
To ensure that IBM QRadar works correctly, you must use virtual appliances that meet the minimum requirements.
For more information about supported hypervisors and virtual hardware versions, see Creating your virtual machine.
QRadar virtual appliances require x86 hardware.
QRadar appliances are certified to support certain maximum events per second (EPS) rates. Maximum EPS depends on the type of data that is processed, system configuration, and system load. For more information, see QRadar maximum EPS certification methodology.
For information about running QRadar on third-party clouds, see QRadar cloud marketplace images.
QRadar Incident Forensics is installed from a different ISO than other QRadar appliances. For more information about installing QRadar Incident Forensics as a virtual appliance, see Virtual appliance installations for QRadar Incident Forensics.
Memory requirements
The following table describes the memory requirements for virtual appliances.
Appliance | Minimum memory requirement | Suggested memory requirement |
---|---|---|
QRadar Flow Virtual 1299 | 6 GB | 6 GB |
QRadar Data Node Virtual 1400 appliance | 24 GB | 64 GB |
QRadar Event Collector Virtual 1599 | 12 GB (up to 20,000 EPS); 64 GB (40,000 EPS); 128 GB (80,000 EPS) | 16 GB (up to 20,000 EPS); 64 GB (40,000 EPS); 128 GB (80,000 EPS) |
QRadar SIEM Event Processor Virtual 1699 (up to 20,000 EPS) | 16 GB FIPS installation only 12 GB | 64 GB FIPS installation only 48 GB |
QRadar SIEM Event Processor Virtual 1699 (20,000 EPS or higher) | 128 GB | 128 GB |
QRadar SIEM Flow Processor Virtual 1799 (up to 1,200,000 FPM) | 16 GB | 64 GB |
QRadar SIEM Flow Processor Virtual 1799 (1,200,000 FPM or higher) | 128 GB | 128 GB |
QRadar SIEM Event and Flow Processor Virtual 1899 (5,000 EPS or less; 200,000 FPM or less) | 16 GB | 64 GB |
QRadar SIEM Event and Flow Processor Virtual 1899 (30,000 EPS or less; 1,000,000 FPM or less) | 128 GB | 128 GB |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 (5,000 EPS or less; 200,000 FPM or less) | 32 GB | 64 GB |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 (30,000 EPS or less; 1,000,000 FPM or less) | 128 GB | 128 GB |
QRadar Log Manager Virtual 8099 | 24 GB | 48 GB |
QRadar Risk Manager | 24 GB | 48 GB |
QRadar Vulnerability Manager Processor | 32 GB | 32 GB |
QRadar Vulnerability Manager Scanner | 16 GB | 16 GB |
QRadar App Host | 12 GB | 64 GB or more for a medium-sized App Host; 128 GB or more for a large-sized App Host |

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
Processor requirements
The following table describes the CPU requirements for virtual appliances.
QRadar appliance | Threshold | Minimum number of CPU cores | Suggested number of CPU cores |
---|---|---|---|
QRadar Flow Virtual 1299 | 10,000 FPM or less | 4 | 4 |
QRadar Event Collector Virtual 1599 | 5,000 EPS or less | 8 | 16 |
QRadar Event Collector Virtual 1599 | 20,000 EPS or less | 19 | 19 |
QRadar Event Collector Virtual 1599 | 40,000 EPS or less | 40 | 40 |
QRadar Event Collector Virtual 1599 | 80,000 EPS or less | 80 | 80 |
QRadar SIEM Event Processor Virtual 1699 | 5,000 EPS or less | 8 | 24 |
QRadar SIEM Event Processor Virtual 1699 | 20,000 EPS or less | 16 | 32 |
QRadar SIEM Event Processor Virtual 1699 | 40,000 EPS or less | 40 | 48 |
QRadar SIEM Event Processor Virtual 1699 | 80,000 EPS or less | 56 | 80 FIPS installation only 56 |
QRadar SIEM Flow Processor Virtual 1799 | 150,000 FPM or less | 4 | 24 |
QRadar SIEM Flow Processor Virtual 1799 | 300,000 FPM or less | 8 | 24 |
QRadar SIEM Flow Processor Virtual 1799 | 1,200,000 FPM or less | 16 | 32 FIPS installation only 24 |
QRadar SIEM Flow Processor Virtual 1799 | 2,400,000 FPM or less | 40 FIPS installation only 48 | 48 |
QRadar SIEM Flow Processor Virtual 1799 | 3,600,000 FPM or less | 56 | 80 |
QRadar SIEM Event and Flow Processor Virtual 1899 | 200,000 FPM or less; 5,000 EPS or less | 16 | 32 |
QRadar SIEM Event and Flow Processor Virtual 1899 | 300,000 FPM or less; 15,000 EPS or less | 40 | 48 |
QRadar SIEM Event and Flow Processor Virtual 1899 | 1,200,000 FPM or less; 30,000 EPS or less | 56 | 80 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 25,000 FPM or less; 500 EPS or less | 4 | 24 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 50,000 FPM or less; 1,000 EPS or less | 8 | 24 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 100,000 FPM or less; 1,000 EPS or less | 12 | 24 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 200,000 FPM or less; 5,000 EPS or less | 16 | 32 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 300,000 FPM or less; 15,000 EPS or less | 40 | 48 |
QRadar SIEM All-in-One (QRadar Console) Virtual 3199 | 1,200,000 FPM or less; 30,000 EPS or less | 56 | 80 |
QRadar Log Manager Virtual 8099 | 2,500 EPS or less | 4 | 16 |
QRadar Log Manager Virtual 8099 | 5,000 EPS or less | 8 | 16 |
QRadar Vulnerability Manager Processor |  | 4 | 4 |
QRadar Vulnerability Manager Scanner |  | 4 | 4 |
QRadar Risk Manager |  | 8 | 8 |
QRadar Data Node Virtual 1400 appliance |  | 4 | 16 |
QRadar App Host |  | 4 | 12 or more for a medium-sized App Host; 24 or more for a large-sized App Host |

Important: The IBM QRadar Vulnerability Manager scanner is end of life (EOL) in 7.5.0 Update Package 6, and is no longer supported in any version of IBM QRadar. For more information, see QRadar Vulnerability Manager: End of service product notification (https://www.ibm.com/support/pages/node/6853425).
Storage requirements
Your virtual appliance must have at least 256 GB of storage available.
The following table shows the storage requirements for installing QRadar by using the virtual or software only option.
System classification | Appliance information | IOPS | Data transfer rate (MB/s) |
---|---|---|---|
Minimum performance | Supports XX05 licensing | 800 | 500 |
Medium performance | Supports XX29 licensing | 1200 | 1000 |
High Performance | Supports XX48 licensing | 10,000 | 2000 |
Small All-in-One (Console) or 1600 | Less than 500 EPS | 300 | 300 |
Event/Flow Collectors | Events and flows | 300 | 300 |