IBM Support

QRadar: Considerations when you move and replay ecs-ec-ingress dat files on another QRadar managed host

Question & Answer


Question

While replaying event data from a source event collector on another event collector, can the target event collector or event processor filters in the Log Activity tab be used to search the replayed data?

Answer

When you copy the dat files from the following locations on the source event collector to another event collector and replay them there, the replayed events retain the event collector ID and event processor ID of the source host:

/store/persistent_queue/ecs-ec-ingress.ecs-ec-ingress/
/store/persistent_queue/ecs-ec.ecs-ec/

Replaying the data on the target event collector does not change the original event collector ID tagging. You are likely to observe the following limitations:

  • If you use the target event collector ID or the target event processor ID as a search filter, the search might return none of the replayed events, because they are still tagged with the source IDs.
  • Rules that depend on the collector or processor tagging might not evaluate the replayed events correctly.

To retrieve the replayed events, search on attributes that are independent of the collector tagging, such as the log source, the domain, or a "payload contains" filter.
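The following AQL queries are an added example and are not part of the original IBM article. They show how to retrieve replayed events by log source, domain and payload content rather than by the target collector or processor filters, and how to confirm which event processor the replayed events are actually tagged with. The log source name 'Replayed-LS' and the payload pattern '%sshd%' are assumed placeholders; substitute the log source and pattern that match your replayed data.

```sql
-- Query 1: retrieve replayed events by log source, domain and payload content.
-- Filtering on these attributes works because they are carried in the event
-- itself; filtering on the target event collector or processor ID would miss
-- replayed events, which keep the source host's IDs.
-- 'Replayed-LS' and '%sshd%' are assumed placeholders, not values from the article.
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  DOMAINNAME(domainid) AS domain,
  PROCESSORNAME(processorid) AS tagged_processor,
  UTF8(payload) AS payload_text
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'Replayed-LS'
  AND UTF8(payload) ILIKE '%sshd%'
LAST 24 HOURS

-- Query 2: check the processor tagging of the replayed events.
-- If the dat files were replayed on a different host, the processor shown here
-- is the source event processor, not the host that did the replay; that is why
-- a processor-based filter for the target host returns nothing.
SELECT
  PROCESSORNAME(processorid) AS tagged_processor,
  COUNT(*) AS event_count
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'Replayed-LS'
GROUP BY processorid
LAST 24 HOURS
```

Run the queries from the Log Activity tab in Advanced Search mode (or via the Ariel search API). Query 2 is the quickest way to confirm the tagging behaviour described above before you spend time adjusting filters or rules for the replayed events.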

However, consider the following caveats before you copy or move the dat files from the source event collector to another event collector:

  • Replay the dat files on the source event collector whenever possible, scheduling the replay according to the EPS capacity that host has available.
  • Replaying the dat files on any other event collector can prevent the events from being associated correctly with their log sources, event collector ID and event processor ID, which in turn affects searching and rule matching for those events.

For assistance with replaying dat files, contact the IBM QRadar SIEM Support team.

Product: IBM Security QRadar SIEM
Category: Admin Tasks
Platform: Linux
Version: All Versions
Case Number: TS012876979

Document Information

Modified date:
28 June 2023

UID

ibm17001233