IBM Support

QRadar: the Impacts of Storage Hardware Speed

Question & Answer


Question

What is the impact if my storage is not fast enough?

Answer

Different areas of QRadar use storage in different ways, and each of these can have various impacts on the system.

Postgres, Data Updates, User Interface:


Affected By: Disk latency, seek times, input/output operations per second.

The component most affected by slow or high-latency storage is the PostgreSQL database on the QRadar console. Records for many areas of QRadar are constantly being updated. For example, offense counts, last-seen events, log sources, assets and host profile data, and rule statistics are all updated continuously on the console, primarily through channels in Tomcat. If your PostgreSQL database (/store/postgres/) is on an external storage volume that is prone to delays and high latency, it can cause contention in Tomcat and greatly impact user interaction with the user interface. Users quickly notice this as lag or delay when moving around the user interface, and the interface may become unresponsive.

 

Data Collected and Written to Disk:


Affected By: Slow disk performance, reduced bandwidth to storage.

The second area susceptible to performance degradation is collected data. As data is received by QRadar, if you are over your license, it is written temporarily to disk so that it can be processed (in order) once the incoming rate drops back below the license limit. Writing fully processed data out to disk is affected in the same way. If your storage system is not fast enough to absorb these data bursts, the processing pipeline can fill up in memory and data may not be written.

At lower event and update rates, such as a small environment of 5,000 Events Per Second with only a couple of users in the user interface at any time and a few hundred log sources, you may be able to run on lower-performing storage systems. However, when you start looking at 10,000, 20,000 or 40,000 Events Per Second, with 10 or more users in the user interface, offense and rule updates, and perhaps thousands of log sources reporting into QRadar, you need faster-performing storage systems.
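As an added illustration of the two failure modes described above (this is not IBM's code and was not part of the original article): a small Python check that reads `iostat -x` output and applies a latency test to the device behind /store/postgres and a saturation test to the device behind /store. The sample output, the mount-to-device mapping and the thresholds are all constructed assumptions.

```python
# Constructed sample of `iostat -dx` output (sysstat column names); not data from a real console.
SAMPLE_IOSTAT = """\
Device            r/s     w/s     rkB/s     wkB/s   r_await   w_await  aqu-sz  %util
sda              20.0   350.0     800.0   71000.0      3.20      6.10    5.40  99.00
sdb              85.0   310.0    3400.0   52000.0     24.50     41.20    9.80  97.00
"""

# Constructed mapping of QRadar paths to the block device behind them (assumption;
# on a real console derive it from `df /store/postgres` and `lsblk`).
MOUNTS = {"/store/postgres": "sdb", "/store": "sda"}

# Assumed thresholds, not IBM-published figures; tune them to the hardware in use.
LATENCY_MS = 10.0   # per-I/O latency that the postgres/tomcat path is sensitive to
UTIL_PCT = 95.0     # device saturation that starves bursty collection writes
QUEUE = 2.0         # backlog of requests waiting on the device


def parse_iostat(text):
    """Return {device: {column: value}} from the extended-stats table."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()[1:]
    stats = {}
    for line in lines[1:]:
        dev, *vals = line.split()
        stats[dev] = dict(zip(header, map(float, vals)))
    return stats


def assess(stats, mounts, latency_ms=LATENCY_MS, util_pct=UTIL_PCT, queue=QUEUE):
    """Latency check for /store/postgres, saturation check for /store; returns warnings."""
    findings = []
    pg_dev = mounts["/store/postgres"]
    pg = stats[pg_dev]
    worst = max(pg["r_await"], pg["w_await"])
    if worst > latency_ms:
        findings.append(f"{pg_dev} (/store/postgres): await {worst:.1f} ms exceeds "
                        f"{latency_ms:.0f} ms; expect tomcat contention and UI lag")
    st_dev = mounts["/store"]
    st = stats[st_dev]
    if st["%util"] >= util_pct and st["aqu-sz"] >= queue:
        findings.append(f"{st_dev} (/store): {st['%util']:.0f}% busy with {st['aqu-sz']:.1f} "
                        f"queued requests; event bursts may back up in the pipeline")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_iostat(SAMPLE_IOSTAT), MOUNTS):
        print("WARNING:", finding)
```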
 

Related Information:


QRadar: Techniques to Reduce Storage Used


Document Information

Modified date:
20 October 2022

UID

swg21993400