QRadar Technical Blog: Why Add A Data Node To QRadar
This is a common question posed by QRadar users trying to understand some of the newer additions to the QRadar family.
A data node is simply a repository for incoming events and flows, stored away from the processor and console appliances for reasons of efficiency. For users with very high Events Per Second (EPS) values, the sheer volume of data can be daunting, especially when that data must be retained for lengthy periods, for example PCI data.
The maximum data that can currently be stored on an appliance is 20TB, rising to 60TB with the very latest appliances, XX49, in 2017. For some users even this massive data space is not enough. The choice has traditionally been to install another processor, event or flow, to handle the increase in storage required. While that is technically a viable solution, it does have its drawbacks.
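To make the storage problem concrete, here is a small capacity-planning calculation added for this post (it is not code from the post or from IBM). It turns an EPS rate, an average event size and a retention period into the storage that must be kept online, then shows how far that exceeds the 20TB and 60TB appliance limits quoted above. The event size, EPS rate, retention period and compression ratio are all assumed sample values; the appliance limits are the post's, and decimal terabytes are assumed.

```python
"""Capacity-planning example for QRadar retention (added example, not from the post)."""

SECONDS_PER_DAY = 86_400
TB = 10**12  # assumption: decimal terabyte, matching the post's round 20TB/60TB figures

# Per-appliance storage limits quoted in the post, in TB.
APPLIANCE_MAX_TB = {"current_appliance": 20, "xx49_2017": 60}


def storage_needed_tb(eps, avg_event_bytes, retention_days, compression_ratio=1.0):
    """Storage in TB needed to hold `retention_days` of events at `eps`.

    compression_ratio > 1 means the stored form is smaller than the raw form;
    it is a sample assumption, not a QRadar figure.
    """
    if compression_ratio <= 0:
        raise ValueError("compression_ratio must be positive")
    raw_bytes = eps * avg_event_bytes * SECONDS_PER_DAY * retention_days
    return raw_bytes / compression_ratio / TB


def storage_shortfall_tb(needed_tb, appliance_max_tb):
    """How much of the requirement will not fit on one appliance (0 if it fits)."""
    return max(0.0, needed_tb - appliance_max_tb)


def plan(eps, avg_event_bytes, retention_days, compression_ratio=1.0):
    """Requirement plus the shortfall against each appliance size in the post."""
    needed = storage_needed_tb(eps, avg_event_bytes, retention_days, compression_ratio)
    return {
        "needed_tb": needed,
        "shortfall_tb": {
            name: storage_shortfall_tb(needed, cap) for name, cap in APPLIANCE_MAX_TB.items()
        },
    }


if __name__ == "__main__":
    # Constructed sample input: 10,000 EPS, 500-byte events, one year of PCI retention,
    # no compression. These are assumptions for illustration only.
    result = plan(eps=10_000, avg_event_bytes=500, retention_days=365)
    print(f"Storage needed: {result['needed_tb']:.2f} TB")
    for name, short in result["shortfall_tb"].items():
        print(f"  {name}: {short:.2f} TB must live elsewhere (e.g. on data nodes)")
```

The shortfall is the figure that matters for the decision the post describes: anything above the appliance limit has to go on another processor or, as the post argues, on a data node.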
The advent of a data node allowed for almost unlimited storage to be added to a deployment. This has its most apparent value where incident forensics is introduced as packet capture is hugely expensive in storage.
Data nodes can be added anywhere within the deployment, as a virtual device or as a hardware appliance, giving QRadar users the option to keep all their data online.