IBM Support

Retention policy and space needed for the Storage Account when integrating Microsoft® Azure Event Hub DSM in QRadar.

Question & Answer


Question

Question 1: How much space should be allocated to the Azure Storage Account when integrating Azure Event Hubs DSM in QRadar?

Question 2: Should users implement some data retention policy for the Storage Account? 

Answer

Answer 1:
A simplified calculation is the number of partitions multiplied by the space taken by each log source configured in QRadar:

There is a maximum of 32 partitions for each Azure Event Hub log source. Each log source would end up being approximately 140 bytes. With this formula, the space taken by the metadata would be 32 x 140 bytes for each Event Hub configured.

Note: This is a rough estimate based on testing done in IBM labs. It does show, however, that the space needed in the Storage Account is minimal.

Answer 2: 
The Storage Account is for permanent storage of the metadata and QRadar users should avoid modifying or deleting the contained files. 

The original files are no longer used if the Storage Account owner changes the connection information (in the log source configuration) to use a different:

  • Storage Account
  • Consumer group name
  • Event Hub name

In those cases, the Storage Account owner is free to do what they want with that unused data.


Document Information

Modified date:
06 May 2020

UID

ibm16195390