QRadar appliances and types
QRadar appliances and types form a large family of products, which can be confusing for people starting with this SIEM. Below you will find the list of all currently available types. Most QRadar varieties are installed from the same ISO image, available for download from IBM FixCentral. During installation, depending on the activation key used, the installer installs a different set of packages suitable for the required type of QRadar.
QRadar appliance
Firstly, we need to answer what an appliance is in this case. A QRadar appliance can be either a “Virtual” appliance (installed and configured within VMware), a physical “Appliance” sold by IBM, or an installation on your own physical machines (treated as appliances) after installing the appropriate version of Red Hat or CentOS.
Only appliances are supported, and any modification of the installed rpm packages after installing QRadar is not supported. This means that once you finish the Red Hat installation, you are not allowed to install any additional package afterwards, even if it would be possible. This is because newly provided packages in Linux repositories can interfere with the QRadar rpms and were not tested within an appliance. For the same reason, the repositories are removed from your system after installation, including the Red Hat repo, and there is no longer any need to run the yum update command.
All security patches are provided within QRadar patches, which are usually issued every month. Following the link, you will find the list of the latest QRadar versions and patches available to download and install. Patch your system as soon as possible, as a patch usually contains security updates; otherwise you put your system at risk.
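As an added example (not part of the original article and not an IBM tool), the following POSIX shell check reads the .repo files in a yum.repos.d-style directory and lists every repository that is still enabled. On a QRadar appliance, where the installer has removed the OS repositories, any hit points to a modification made outside the supported procedure and is worth investigating before the next patch. The directory path is a parameter (you would point it at /etc/yum.repos.d on a real host); the sample .repo files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article or of QRadar itself.
# After a QRadar installation the OS repositories are removed, so a host with
# enabled yum repositories has been modified outside the supported procedure.
# This check scans a yum.repos.d-style directory (path given as an argument)
# and reports every repository section that is enabled.

# Print "<file>:<section>" for every enabled repository in the directory.
# yum treats a section with no "enabled=" key as enabled, so only an explicit
# enabled=0 marks a section as disabled.
list_enabled_repos() {
    repo_dir="$1"
    for f in "$repo_dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function flush() {
                if (section != "" && enabled != "0") print file ":" section
            }
            /^\[.*\]$/ {                            # new [section] header
                flush()
                section = substr($0, 2, length($0) - 2)
                enabled = ""
                next
            }
            /^[[:space:]]*enabled[[:space:]]*=/ {   # enabled=<value>
                sub(/^[^=]*=[[:space:]]*/, "")      # keep only the value
                sub(/[[:space:]]+$/, "")            # drop trailing blanks
                enabled = $0
            }
            END { flush() }
        ' "$f"
    done
}

# Return 0 when no repository is enabled (the expected state for an appliance),
# 1 otherwise, listing the offending repositories on stdout.
check_no_enabled_repos() {
    found=$(list_enabled_repos "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demonstration on constructed sample files (not real appliance content).
demo_dir=$(mktemp -d)
printf '[rhel-base]\nname=Red Hat base\nenabled=1\n\n[rhel-extras]\nname=extras\nenabled=0\n' \
    > "$demo_dir/redhat.repo"
printf '[epel]\nname=EPEL\n' > "$demo_dir/epel.repo"
if check_no_enabled_repos "$demo_dir"; then
    echo "OK: no enabled repositories"
else
    echo "WARNING: enabled repositories found on an appliance host"
fi
rm -rf "$demo_dir"
```

Run with the functions sourced and call check_no_enabled_repos /etc/yum.repos.d; a non-zero exit with a repository list is the signal to investigate, and the same check can be scheduled alongside your monthly patch review.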
You can check your current version of QRadar from the interface using the menu Help -> About,
or using the following commands from an ssh session, which give you some additional information:
# /opt/qradar/bin/myver -v
# dmidecode -t system
Each working QRadar installation must include a Console. The Console provides the QRadar product user interface, which delivers real-time event and flow views, reports, offences, asset information, and administrative functions. In distributed QRadar deployments, use the QRadar Console to manage hosts that include other components. Appliances are add-ons to QRadar and are controlled, installed, etc. from the Console.
The last two digits of the Appliance ID also tell you something about the appliance:
- xx01 appliances are the base offering in terms of events per second, flows per second and performance
- xx05 appliances are the mid-range offering in terms of performance
- xx24 appliances are the high-end offering in terms of performance
- xx99 appliances are virtual appliances
Starting from a standalone Console installation (sometimes called AIO, All in One), you can build a larger deployment by adding more components responsible for different tasks:
| Appliance ID | Description |
|---|---|
| 900 (Virtual), 11xx, 12xx, 13xx | QFlow flow collectors |
| 14xx | QRadar Data Node appliances |
| 15xx | QRadar event collector (AKA store and forward device) |
| 16xx | QRadar event collector and processor |
| 17xx | QRadar flow collector and processor |
| 18xx | QRadar combined event/flow collector and processor |
| 2100 | QRadar all-in-one console (standalone only) |
| 31xx | QRadar console (expandable to a distributed deployment) |
| 8xxx | QRadar log management console (events only, no offences) |
QRadar Physical Appliance types
- xx01 appliances are the base offering in terms of events per second, flows per second and performance
QRadar QFlow Collector 1201
The QRadar QFlow Collector 1201 appliance provides high-capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1201 also supports external flow-based data sources.
QRadar QFlow Collector 1301
The QRadar QFlow Collector 1301 appliance provides high-capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1301 also supports external flow-based data sources.
QRadar 1400 Data Node
The IBM Security QRadar Data Node 1400 appliance provides a scalable data storage solution for QRadar deployments. The QRadar Data Node enhances the data retention capabilities of a deployment and augments overall query performance.
QRadar Event Collector 1501
The IBM Security QRadar Event Collector 1501 appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule. A dedicated event collector does not process events and does not include an onboard event processor.
- xx05 appliances are the mid-range offering in terms of performance
QRadar Event Processor 1605
The QRadar Event Processor 1605 appliance is a dedicated event processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an onboard event collector, event processor, and internal storage for events.
QRadar Flow Processor 1705
The QRadar Flow Processor 1705 appliance is a flow processor that you can deploy with the QRadar 3105 appliance to increase storage. The QRadar Flow Processor 1705 includes an onboard event processor and internal storage.
QRadar 1805
The IBM Security QRadar 1805 appliance is a combined Event Processor and Flow Processor that you can use to scale your QRadar deployment to manage more events and flows. The QRadar 1805 includes an on-board Event Processor and internal storage.
QRadar Log Manager 3105 (All-in-One)
The IBM Security QRadar Log Manager 3105 (All-in-One) appliance is an all-in-one system that you can use to manage and store events from various network devices.
QRadar Log Manager 3105 Console
You can expand the capacity of the QRadar Log Manager (Base) appliance beyond the license-based upgrade options by upgrading to the QRadar Log Manager 3128 (Console) appliance. You must also add one or more QRadar Log Manager 1605 or QRadar Log Manager 1628 appliances.
QRadar 3105 (All-in-One)
The IBM Security QRadar 3105 (All-in-One) appliance is an all-in-one QRadar system that can profile network behaviour and identify network security threats.
- xx28 appliances are the high-end offering in terms of performance
QRadar Event Processor 1628
The IBM Security QRadar 1628 appliance is a dedicated event processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1628 appliance includes an onboard event collector, event processor, and internal storage for events.
QRadar Log Manager 1628
The IBM Security QRadar Log Manager 1628 appliance is a dedicated Event Processor that you can use to scale your QRadar Log Manager deployment to manage higher Event Per Second (EPS) rates. The QRadar Log Manager 1628 appliance includes an onboard Event Collector, Event Processor, and internal storage for events.
QRadar Flow Processor 1728
The IBM Security QRadar 1728 appliance is a flow processor that you can deploy with the QRadar 3128 appliance to increase storage. The QRadar Flow Processor 1728 includes an onboard event processor and internal storage.
QRadar Flow Processor 1828
The IBM Security QRadar 1828 appliance is a flow processor that you can deploy with the IBM Security QRadar 3128 appliance to increase storage. The IBM Security QRadar Flow Processor 1828 includes an onboard event processor and internal storage.
QRadar 3128 (All-in-One)
The IBM Security QRadar 3128 (All-in-One) appliance is an all-in-one QRadar system that can profile network behaviour and identify network security threats.
QRadar Log Manager 3128 (All-in-One)
The IBM Security QRadar Log Manager 3128 (All-in-One) appliance is an all-in-one system that you can use to manage and store events from various network devices.
QRadar Log Manager 2100
The IBM Security QRadar Log Manager 2100 appliance is an all-in-one system that provides Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.
QRadar 2100 (All-In-One)
The IBM Security QRadar 2100 appliance is an all-in-one system that combines Network Behavioral Anomaly Detection (NBAD) and Security Information and Event Management (SIEM) to accurately identify and appropriately prioritize threats that occur on your network.
- xx9x appliances are virtual appliances
QRadar VFlow Collector 1290 – This virtual appliance provides the same visibility and functionality in your virtual network infrastructure that a QRadar QFlow Collector offers in your physical environment. The QRadar QFlow Collector virtual appliance analyzes network behaviour and provides Layer 7 visibility within your virtual infrastructure. Network visibility is derived from a direct connection to the virtual switch.
QRadar Event Collector Virtual 1590 – This virtual appliance is a dedicated Event Collector, which is required if you want to enable the store and forward feature. The store and forward feature allows you to manage schedules that control when to start and stop forwarding events from your dedicated Event Collector appliances to Event Processor components in your deployment.
QRadar SIEM Event Processor Virtual 1690 – This virtual appliance is a dedicated Event Processor that allows you to scale your QRadar SIEM deployment to manage higher EPS rates. The QRadar SIEM Event Processor Virtual 1690 includes an on-board Event Collector, Event Processor, and internal storage for events.
QRadar SIEM Flow Processor Virtual 1790 – This virtual appliance is deployed with any QRadar SIEM 3105 or QRadar SIEM 3124 series appliance. The virtual appliance is used to increase storage and includes an onboard Event Processor and internal storage.
QRadar SIEM All-in-One Virtual 3190 – This virtual appliance is a QRadar SIEM system that can profile network behaviour and identify network security threats. The QRadar SIEM All-in-One Virtual 3190 virtual appliance includes an onboard Event Collector and internal storage for events.