Question & Answer
Question
What is the difference between an All-in-One Console and a Distributed Deployment Console?
Answer
An All-in-One Console is a stand-alone appliance capable of all QRadar functionality. This includes displaying dashboards, receiving and processing event and flow data, rule creation, updating assets with vulnerabilities, creating offenses, reports, and running applications from the IBM X-Force Exchange. Event and flow data for on an All-in-One Console is stored locally on the appliance.
Any All-in-One Console can become part of a distributed deployment by adding another appliance to extend the resources and performance of the All-in-One Console. Adding more appliances allows you to add storage, process more data, search faster. The Console appliance manages the other QRadar appliances in the network.
If you add a Processor such as an Event or Flow Processor, you need to allocate license to these appliances from the Console. The Event or Flow Data that is captured by these appliances would remain on the Processors locally and the Console queries these appliances for their data. A Data Node offers additional storage and can rebalance events or flows to reduce disk space. Offenses and Assets would be stored on the Console. Any Collector devices that are connected to a Processor would get its license from the Processor such as an Event Collector or a Flow Collector. A QNI has its own license.
In QRadar version 7.3.0 and later, a License Pool feature was added to allow administrators to apply a single Console license and distribute event and flow capabilities to other QRadar appliances in the network. Administrators can reallocate license capacity between appliances to account for unexpected event or flow rates. It is important to properly size a QRadar appliance to the expected incoming event rate, but administrators can move license capacity in the System and License Management interface. The Console requires a minimum license value of 1000 Events Per Second (EPS). For assistance with license sizing, contact you Sales Team for advice on expanding your deployment or license capacity. For information on hardware, virtual machine requirements, and appliance capabilities, see the QRadar Hardware Guide
Table 1 Services that run on each appliance type
Appliance type | Ariel Proxy Server | Ariel Query Server | ECS-EC | ECS-EP | Historical Correlation | Qflow | Accumulator | Asset Profiler | Report executor | Vis | Offline Forwarder | Data Node | Forensics Real time |
Console appliance (31xx) | x | x | x | x | x | x | x | x | x | x | x | ||
QFlow Collector (120x) | x | x | |||||||||||
Data Node (140x) | x | x | x | x | |||||||||
Event Collector (15xx) | x | x | |||||||||||
Event Processor (16xx) | x | x | x | x | x | ||||||||
Flow Processor (17xx) | x | x | x | x | x | ||||||||
Combination Event/Flow Processor (18xx) | x | x | x | x | x | ||||||||
QRadar Network Insights (19xx) | x |
How to add an appliance to your Console
Procedure
- Log in to the QRadar Console as an administrator.
- Click the Admin tab.
- Click the System and License Management icon.
- Click Deployment Actions and select Add Host.
- Type the Host IP, Host Password (root user password) and configure the properties to Encrypt Host Connections or define Network Address Translation parameters.
- Click Add.
- From the Admin tab, click Deploy Changes.
- Click Continue to restart services.
Results
The host is added to the QRadar deployment. The System and License Management user interface adds the appliance to the user interface. After the host is added, the administrator can allocate license to the appliance from the Shared License Pool.
Was this topic helpful?
Document Information
Modified date:
16 September 2020
UID
swg22013430