Adding remote collectors to a deployment

Add QRadar Event Collectors or QRadar Flow Collectors to expand a deployment when you need more event-collection capacity locally, or when you need to collect events and flows from a remote location.

For example, you are a manufacturing company with a QRadar All-in-One deployment, and you add an e-commerce platform and open a remote sales office. You must now monitor both for security threats, and you are also now subject to PCI audits.

You hire more employees, and Internet usage changes from mostly downloading to two-way traffic between your employees and the Internet. Here are the details of your situation.

  • The current events per second (EPS) license is 1000 EPS.
  • You want to collect events and flows at the sales office and events from the e-commerce platform.
  • Event collection from the e-commerce platform requires up to 2000 EPS.
  • Event collection from the remote sales office requires up to 2000 EPS.
  • The flows per minute (FPM) license is sufficient to collect flows at the remote office.
You take the following actions:
  1. You add the e-commerce platform at your head office, and then you open the remote sales office.
  2. You install an Event Collector and a Flow Collector at the remote sales office. Both collectors send their data over the Internet to the All-in-One appliance at your head office, so encrypt that connection (for example, by enabling encryption for the managed host so that the traffic is tunneled over SSH, or by routing it through a site-to-site VPN).
  3. You upgrade your EPS license from 1000 EPS to 5000 EPS: the existing 1000 EPS, plus up to 2000 EPS from the e-commerce platform at the head office, plus up to 2000 EPS from the remote sales office.
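The license arithmetic in step 3 is easy to get wrong when several sites are added at once, and an EPS license that is too small is a visibility problem, not just a performance one: QRadar queues events that exceed the licensed rate and drops them if the overage is sustained. The following sizing check is an added example, not IBM's code; `CollectionPoint`, `plan_licenses` and the scenario data are hypothetical, and the flow rate at the sales office and the FPM license are constructed numbers because the page gives none.

```python
"""Sizing check for QRadar EPS/FPM licenses when collection points are added.

Added example, not IBM code. CollectionPoint, LicensePlan and plan_licenses
are hypothetical names chosen for this illustration.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class CollectionPoint:
    """One place QRadar collects from; rates are peak sustained load."""
    name: str
    eps: int = 0   # events per second forwarded to the console
    fpm: int = 0   # flows per minute forwarded to the console


@dataclass(frozen=True)
class LicensePlan:
    eps_required: int
    fpm_required: int
    eps_license: int
    fpm_license: int

    @property
    def eps_shortfall(self) -> int:
        """EPS the current license is short by; 0 when it is sufficient."""
        return max(0, self.eps_required - self.eps_license)

    @property
    def fpm_shortfall(self) -> int:
        """FPM the current license is short by; 0 when it is sufficient."""
        return max(0, self.fpm_required - self.fpm_license)


def plan_licenses(points, eps_license, fpm_license, headroom=0.0):
    """Sum the peak load of every collection point and compare it with the
    console licenses.

    headroom is a fraction added on top of the measured peaks (0.25 sizes
    for 25% growth) so that the license is not bought at the exact ceiling.
    """
    if headroom < 0:
        raise ValueError("headroom must be >= 0")
    eps_total = sum(p.eps for p in points)
    fpm_total = sum(p.fpm for p in points)
    return LicensePlan(
        eps_required=ceil(eps_total * (1 + headroom)),
        fpm_required=ceil(fpm_total * (1 + headroom)),
        eps_license=eps_license,
        fpm_license=fpm_license,
    )


# Constructed sample matching the scenario above. The existing 1000 EPS
# license is assumed to be fully used by the head office; the flow rate at
# the sales office and the FPM license are invented values.
SCENARIO = [
    CollectionPoint("head office", eps=1000),
    CollectionPoint("e-commerce platform", eps=2000),
    CollectionPoint("remote sales office", eps=2000, fpm=60_000),
]
CURRENT_EPS_LICENSE = 1000
CURRENT_FPM_LICENSE = 100_000


def scenario_plan(headroom=0.0):
    """Sizing result for the constructed scenario."""
    return plan_licenses(SCENARIO, CURRENT_EPS_LICENSE,
                         CURRENT_FPM_LICENSE, headroom)


if __name__ == "__main__":
    plan = scenario_plan()
    print(f"EPS: need {plan.eps_required}, licensed {plan.eps_license}, "
          f"short by {plan.eps_shortfall}")
    print(f"FPM: need {plan.fpm_required}, licensed {plan.fpm_license}, "
          f"short by {plan.fpm_shortfall}")
```

With the scenario's numbers the check reports 5000 EPS required against a 1000 EPS license, which matches the upgrade in step 3, and no FPM shortfall. Running it again with a growth headroom shows how much larger the license should be if the sites are expected to grow before the next renewal.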

The following diagram shows an example deployment in which an Event Collector and a Flow Collector are added at a remote office.

Figure 1. Collectors in remote office (deployment with remote collector)

In this deployment, the following processes occur:

  • At your remote office, the Event Collector collects events from log sources, and the Flow Collector collects flow data from routers and switches. The collectors normalize and coalesce the data before forwarding it.
  • The collectors compress the data and send it to the All-in-One appliance over the wide area network.
  • The All-in-One appliance processes and stores the data.
  • The All-in-One appliance also collects and processes events from the head-office local network.
  • Your company monitors network activity by using the QRadar web application for searches, analysis, reporting, and for managing alerts and offenses.