IBM Support

QRadar: All-in-One Consoles and a Distributed Deployment Consoles

Question & Answer


Question

What is the difference between an All-in-One Console and a Distributed Deployment Console?

Answer

An All-in-One Console is a stand-alone appliance capable of all QRadar functionality. This includes displaying dashboards, receiving and processing event and flow data, rule creation, updating assets with vulnerabilities, creating offenses, reports, and running applications from the IBM X-Force Exchange. Event and flow data for on an All-in-One Console is stored locally on the appliance.



 

Any All-in-One Console can become part of a distributed deployment by adding another appliance to extend the resources and performance of the All-in-One Console. Adding more appliances allows you to add storage, process more data, search faster. The Console appliance manages the other QRadar appliances in the network.


If you add a Processor such as an Event or Flow Processor, you need to allocate license to these appliances from the Console. The Event or Flow Data that is captured by these appliances would remain on the Processors locally and the Console queries these appliances for their data. A Data Node offers additional storage and can rebalance events or flows to reduce disk space. Offenses and Assets would be stored on the Console. Any Collector devices that are connected to a Processor would get its license from the Processor such as an Event Collector or a Flow Collector. A QNI has its own license.

In QRadar version 7.3.0 and later, a License Pool feature was added to allow administrators to apply a single Console license and distribute event and flow capabilities to other QRadar appliances in the network. Administrators can reallocate license capacity between appliances to account for unexpected event or flow rates. It is important to properly size a QRadar appliance to the expected incoming event rate, but administrators can move license capacity in the System and License Management interface. The Console requires a minimum license value of 1000 Events Per Second (EPS). For assistance with license sizing, contact you Sales Team for advice on expanding your deployment or license capacity. For information on hardware, virtual machine requirements, and appliance capabilities, see the QRadar Hardware Guide

Table 1 Services that run on each appliance type

Appliance
type
Ariel Proxy Server Ariel
Query Server
ECS-EC ECS-EP Historical
Correlation
Qflow Accumulator Asset Profiler Report executor Vis Offline Forwarder Data Node Forensics Real time
Console appliance (31xx) x x x x x x x x x x x
QFlow Collector (120x) x x
Data Node (140x) x x x x
Event Collector (15xx) x x
Event Processor (16xx) x x x x x
Flow Processor (17xx) x x x x x
Combination Event/Flow Processor (18xx) x x x x x
QRadar Network Insights (19xx) x

How to add an appliance to your Console

This procedure explains how administrators can add an appliance to a QRadar Console. Adding hosts allows users to expand on the capabilities, storage, and resources from an All-in-One appliance to create a distributed deployment.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the System and License Management icon.
  4. Click Deployment Actions and select Add Host.
  5. Type the Host IP, Host Password (root user password) and configure the properties to Encrypt Host Connections or define Network Address Translation parameters.
  6. Click Add.
  7. From the Admin tab, click Deploy Changes.
  8. Click Continue to restart services.

Results
The host is added to the QRadar deployment. The System and License Management user interface adds the appliance to the user interface. After the host is added, the administrator can allocate license to the appliance from the Shared License Pool.

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 September 2020

UID

swg22013430