Bandwidth considerations for managed hosts

QRadar relies on network connectivity to replicate state and configuration data and to maintain synchronization across the deployment. In distributed environments, search performance depends on high network bandwidth. QRadar implements best-practice techniques to reduce the required network bandwidth, such as compression and custom replication bundles.

General bandwidth requirements

The general bandwidth requirements are listed as follows:
  • Minimum 100 Mbps between the Console and all managed hosts (except Event Collectors).
  • Recommended 1 Gbps high-quality network for:
    • Console
    • Event Processors
    • Data Nodes
    • App Hosts
    • High Availability (HA) pairs

Event Collector bandwidth requirements

Event Collector bandwidth depends on the expected Events Per Second (EPS), plus replication and management overhead.

On average, excluding the management overhead:

  • 0.72 Mbps per 1,000 EPS
  • 7.2 Mbps per 10,000 EPS

You can calculate the required bandwidth by using the following formula:

EPS × ((average event size + 200 bytes) × 8) / 10,000,000 = Mbps

For example, to sustain 1,000 EPS with an average event size of 700 bytes, the total bandwidth that is required is as follows:

1000 × ((700 + 200) × 8) / 10,000,000 = 0.7 Mbps

Minimum required bandwidth for Event Collectors

QRadar requires 40 Mbps as a reasonable allowance for host management. You can calculate the minimum required bandwidth by using the following formula:

40 Mbps + calculated EPS-based Mbps value above

For example, to sustain 1,000 EPS with an average event size of 700 bytes, the total minimum required network bandwidth is as follows:

40 Mbps + 0.7 Mbps = 40.7 Mbps
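The two formulas above, carried through as a small sizing helper that also sums several collectors sharing one WAN link. This is an added example, not IBM code; the collector names and the 80% link-headroom factor are assumptions for illustration.

```python
"""Event Collector bandwidth sizing, following the QRadar formulas above.

Added example (not IBM's code). The headroom factor and sample collectors
are assumptions chosen for illustration.
"""
from dataclasses import dataclass

MGMT_OVERHEAD_MBPS = 40.0  # per-host management allowance stated in the doc
EVENT_ENVELOPE_BYTES = 200  # per-event overhead added to the average event size


def eps_mbps(eps: int, avg_event_bytes: int) -> float:
    """EPS x ((average event size + 200 bytes) x 8) / 10,000,000 = Mbps."""
    return eps * ((avg_event_bytes + EVENT_ENVELOPE_BYTES) * 8) / 10_000_000


def min_collector_mbps(eps: int, avg_event_bytes: int) -> float:
    """Minimum link requirement: 40 Mbps management + EPS-based Mbps."""
    return MGMT_OVERHEAD_MBPS + eps_mbps(eps, avg_event_bytes)


@dataclass
class Collector:
    name: str
    eps: int
    avg_event_bytes: int


def size_link(collectors, link_mbps: float, headroom: float = 0.8):
    """Sum the minimum requirement of every collector on a shared link.

    Returns (required_mbps, fits). `headroom` (assumed 0.8) keeps 20% of the
    link free for bursts and replication traffic the formula does not model.
    """
    required = sum(min_collector_mbps(c.eps, c.avg_event_bytes) for c in collectors)
    return required, required <= link_mbps * headroom


# Constructed sample: two remote-site collectors on one 100 Mbps WAN link.
SAMPLE_COLLECTORS = [
    Collector("ec-branch-a", eps=1_000, avg_event_bytes=700),
    Collector("ec-branch-b", eps=10_000, avg_event_bytes=700),
]

if __name__ == "__main__":
    for c in SAMPLE_COLLECTORS:
        print(f"{c.name}: {min_collector_mbps(c.eps, c.avg_event_bytes):.2f} Mbps minimum")
    need, ok = size_link(SAMPLE_COLLECTORS, link_mbps=100)
    print(f"shared link needs {need:.2f} Mbps -> {'fits' if ok else 'does NOT fit'}")
```

Running it shows that the 10,000 EPS collector alone needs 47.2 Mbps once the management allowance is added, and that the pair exceeds the 80 Mbps usable on a 100 Mbps link.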

Use the following methods to mitigate bandwidth limitations between data centers:

Process and send data to hosts at the primary data center
Design your deployment to process and send data as it is collected to hosts at the primary data center where the console is located. In this design, all user-based searches query the data from the local data center rather than waiting for remote sites to send back data.

You can deploy a store and forward event collector, such as a QRadar 15XX physical or virtual appliance, in the remote locations to control bursts of data across the network. Bandwidth is used in the remote locations, and searches for data occur at the primary data center, rather than at a remote location.

Don't run data-intensive searches over limited bandwidth connections
Ensure that users don't run data-intensive searches over links that have limited bandwidth. Specifying precise filters on the search limits the amount of data that is retrieved from the remote locations, and reduces the bandwidth that is required to send the query result back.