Question & Answer
Question
What is the database replication process in QRadar?
Answer
Replication is the process that keeps the PostgreSQL database (which contains QRadar configuration details) on each Managed Host up to date. Database replication allows the managed hosts to continue functioning in the absence of the console.
Replication process in the QRadar Console.
The QRadar console creates two types of replication dumps that are stored in /store/replication/:
- Incremental dump: Every minute the QRadar Console creates an incremental database dump.
Example of an incremental dump file:-rw-r--r-- 1 root root 5.5K Mar 16 14:46 tx0000000000001883607.sql
- Full dump: Every two hours the QRadar Console creates a full database dump.
Example of a full dump file:-rw-r--r-- 1 root root 1.6G Mar 16 13:10 tx_full_0000000000001883509.sql
When a managed host requests a new set of Database dumps (either full or incremental), the QRadar Console takes the latest database dump in /store/replication/, compresses the file, stores the file in /store/replication/tmp/ with the name: <managed_host_IP>-<transaction_ID>.tgz and then sends that compressed file back to the managed host.
Replication process in the Managed Hosts.
The replication process occurs on the QRadar managed hosts with two modes:
- Incremental: Every minute, the managed host requests a new incremental database dump of the QRadar Console's PostgreSQL Database.
- Full: Every two hours, the managed host requests a new full database dump of the QRadar Console's PostgreSQL Database.
Regardless of the replication mode, all QRadar hosts attempt to pull the compressed replication dump file from the QRadar Console by using Tomcat API on port 443.
Administrators need to validate the replication bandwidth requirements to avoid the effects of low bandwidth on replication.
Related Information
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
21 March 2023
UID
ibm16963998