IBM Support

QRadar: Configuring 31xx/16xx/18xx Appliances in "Processing-Only" Mode

Question & Answer


Question

What is "Processing-Only" mode and how can this function be used in my QRadar architecture?

Answer

Requirements

Administrators who want to configure "Processing-Only" mode require:

  1. An appliance with processor capabilities, for example a Console (31xx), an Event Processor (16xx), or a Combination Event/Flow Processor (18xx).
  2. At least one Data Node appliance connected to that appliance to store event and flow data.
    Note: There is no limit to the number of Data Nodes that can be assigned to a Processor.

What is "Processing-Only" Mode?

"Processing-Only" Mode is an advanced option that allows an appliance with processor capabilities to dedicate its CPU and memory resources to processing event and flow data. After the data is processed, storage of the events or flows, and searches against them, are handled by the attached Data Node appliance. If more than one Data Node is assigned to the Event Processor, the data is distributed across the Data Nodes in round-robin fashion so that each receives an equal share.

Figure 1: An architecture example of how Processing-Only mode is used in a QRadar deployment.

Is "Processing-Only" a common configuration?

No. By default, appliances with processor capabilities are configured to both process and store data, with Data Nodes added to expand storage capacity and improve search performance.

The Event Processor Mode setting has two options:

  1. Active means that the Event Processor both processes and stores events. The default is Active.
  2. Processing-Only means that the appliance's resources are dedicated to processing events, while storage and searching of the data are handled by the attached Data Nodes.

What are the benefits?

This feature gives administrators better performance at high EPS throughput and more granular control over the functions of their processors. If a Data Node is attached to the Processor, you can configure Processing-Only Mode, which makes the Data Node the primary appliance for storing and searching events and flows.

How to enable Processing-Only Mode

  1. Log in to the QRadar User Interface as an admin user.
  2. Click the Admin tab.
  3. Click the System and License Management icon.
  4. Expand the Display menu, and click Systems.
  5. Click the Processor appliance.
    Note: It can be a Console (31xx), an Event Processor (16xx), or a Combination Event/Flow Processor (18xx).
  6. Click Deployment Actions, then Edit Host.
  7. Click Component Management.
  8. On the Component Configuration screen, scroll down to the Event Processor section.
  9. Expand the Event Processor Mode menu, and select Processing-Only.
  10. Click Save.

What happens when the Data Node goes offline?

When the Event Processor is configured for Processing-Only mode, a check is made to determine whether data can be written to the attached Data Node. If the Data Node is offline or otherwise unavailable to receive data, the Event Processor stores events locally, as if it were in "Active" mode.
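The two behaviours described above, round-robin distribution across attached Data Nodes and the fall-back to local storage when no Data Node is reachable, can be illustrated with a small model. This is an added example written for this page, not QRadar code; the class and function names are invented, and the "events" are constructed strings rather than real event records.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DataNode:
    """Constructed stand-in for a Data Node appliance attached to a Processor."""
    name: str
    online: bool = True
    stored: List[str] = field(default_factory=list)


@dataclass
class EventProcessor:
    """Simplified model of an Event Processor's write path (hypothetical, not QRadar code)."""
    mode: str = "processing-only"          # "active" or "processing-only"
    data_nodes: List[DataNode] = field(default_factory=list)
    local_store: List[str] = field(default_factory=list)
    _next: int = 0                          # round-robin cursor

    def _available_nodes(self) -> List[DataNode]:
        # The availability check the page describes: only online nodes are candidates.
        return [n for n in self.data_nodes if n.online]

    def store(self, event: str) -> str:
        """Write one processed event and return where it landed ("local" or a node name)."""
        nodes = self._available_nodes()
        if self.mode != "processing-only" or not nodes:
            # Active mode, or no reachable Data Node: behave as if Active and keep it locally.
            self.local_store.append(event)
            return "local"
        node = nodes[self._next % len(nodes)]   # equal share per Data Node
        self._next += 1
        node.stored.append(event)
        return node.name


def simulate(events: List[str], node_names: List[str],
             offline: List[str] = (), mode: str = "processing-only") -> Dict[str, str]:
    """Run a constructed batch of events through the model and map each to its destination."""
    ep = EventProcessor(mode=mode,
                        data_nodes=[DataNode(n, online=n not in offline) for n in node_names])
    return {e: ep.store(e) for e in events}
```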

Does enabling Processing-Only mode affect rebalancing?

Enabling Processing-Only mode on an existing cluster triggers rebalancing across all active Data Nodes in the cluster.


Document Information

Modified date:
21 September 2023

UID

swg21999409