Bandwidth considerations for managed hosts
QRadar relies on network connectivity to replicate state and configuration data and to maintain synchronization across the deployment. In distributed environments, search performance depends on high network bandwidth. QRadar implements best practice techniques to reduce the required network bandwidth, such as compression and custom replication bundles.
General Bandwidth Requirements
- Minimum 100 Mbps between the Console and all managed hosts (except Event Collectors).
- Recommended 1 Gbps high-quality network for:
  - Console
  - Event Processors
  - Data Nodes
  - App Hosts
  - High Availability (HA) pairs
Event Collector bandwidth requirements
Event Collector bandwidth depends on the expected Events Per Second (EPS), plus replication and management overhead.
On average, excluding the management overhead:
- 0.72 Mbps per 1,000 EPS
- 7.2 Mbps per 10,000 EPS
EPS × ((average event size + 200 bytes) × 8) / 10,000,000 = Mbps
For example, to sustain 1,000 EPS with an average event size of 700 bytes, the total bandwidth that is required is as follows:
1000 × ((700 + 200) × 8) / 10,000,000 = 0.7 Mbps
Minimum required bandwidth for Event Collectors
40 Mbps + calculated EPS-based Mbps value above
For example, to sustain 1,000 EPS with an average event size of 700 bytes, the total minimal required network bandwidth is as follows:
40 Mbps + 0.7 Mbps = 40.7 Mbps
Use the following methods to mitigate bandwidth limitations between data centers:
- Process and send data to hosts at the primary data center
  Design your deployment to process and send data as it is collected to hosts at the primary data center where the console is located. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send back data.
  You can deploy a store and forward event collector, such as a QRadar 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.
- Don't run data-intensive searches over limited bandwidth connections
  Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.