
QRadar components


IBM® Security QRadar® consolidates event data from log sources that are used by devices and applications in your network.

Important

Software versions for all IBM Security QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

QRadar deployments can include the following components:

QRadar QFlow Collector
Passively collects traffic flows from your network through span ports or network taps. The IBM Security QRadar QFlow Collector also supports the collection of external flow-based data sources, such as NetFlow.

You can install a QRadar QFlow Collector on your own hardware or use one of the QRadar QFlow Collector appliances.

Restriction

The component is available only for QRadar SIEM deployments.

QRadar Console
Provides the QRadar product user interface. The interface delivers real-time event and flow views, reports, offenses, asset information, and administrative functions.

In distributed QRadar deployments, use the QRadar Console to manage hosts that include other components.

QRadar Event Collector
Gathers events from local and remote log sources. Normalizes raw log source events. During this process, the Magistrate component examines the event from the log source and maps the event to a QRadar Identifier (QID). Then, the Event Collector bundles identical events to conserve system usage and sends the information to the Event Processor.

QRadar Event Processor
Processes events that are collected from one or more Event Collector components. The Event Processor correlates the information from QRadar products and distributes the information to the appropriate area, depending on the type of event.

The Event Processor also includes information that is gathered by QRadar products to indicate behavioral changes or policy violations for the event. When complete, the Event Processor sends the events to the Magistrate component.

Magistrate
Provides the core processing components. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events.

The Magistrate component processes events against the custom rules. If an event matches a rule, the Magistrate component generates the response that is configured in the custom rule.

For example, the custom rule might indicate that when an event matches the rule, an offense is created. If there is no match to a custom rule, the Magistrate component uses default rules to process the event. An offense is an alert that is processed by using multiple inputs, individual events, and events that are combined with analyzed behavior and vulnerabilities. The Magistrate component prioritizes the offenses and assigns a magnitude value that is based on several factors, including the number of events, severity, relevance, and credibility.
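To make the Event Collector and Magistrate stages described above concrete, the following Python model (an added example, not IBM code) walks constructed firewall log lines through QID normalization, bundling of identical events, custom-rule matching with a default-rule fallback, and offense creation. The QID table, the custom rule, and the magnitude weighting are assumptions for illustration, not QRadar's actual values or formula.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample input: key=value lines from a hypothetical firewall log source.
RAW_EVENTS = [
    "host=fw1 action=deny src=10.0.0.5 dst=10.0.0.9 dport=22",
    "host=fw1 action=deny src=10.0.0.5 dst=10.0.0.9 dport=22",
    "host=fw1 action=accept src=10.0.0.7 dst=10.0.0.9 dport=443",
]
# Assumed QID table: action -> (QID, severity). Constructed values, not real QRadar QIDs.
QID_MAP = {"deny": (5000001, 5), "accept": (5000002, 1)}
@dataclass
class Event:
    qid: int
    fields: dict
    count: int = 1  # number of identical raw events bundled into this one
@dataclass
class Rule:
    name: str
    test: Callable[[Event], bool]
    response: str  # Magistrate action on a match: "offense" or "log"

def collect(raw_lines):
    """Event Collector stage: normalize each line to a QID and bundle identical events."""
    bundled = {}
    for line in raw_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        key = (QID_MAP[fields["action"]][0], tuple(sorted(fields.items())))
        if key not in bundled:
            bundled[key] = Event(key[0], fields, count=0)
        bundled[key].count += 1
    return list(bundled.values())

def magnitude(event_count, severity, relevance, credibility):
    """Illustrative 1-10 score from the factors the text lists (assumed weighting, not IBM's)."""
    return min(10, round((severity + relevance + credibility) / 3 + min(event_count, 10) / 10))

# Assumed custom rule: two or more bundled denies to port 22 raise an offense.
CUSTOM_RULES = [Rule("repeated SSH deny", lambda e: e.fields["action"] == "deny"
                     and e.fields["dport"] == "22" and e.count >= 2, "offense")]
DEFAULT_RULE = Rule("default", lambda e: True, "log")  # used when no custom rule matches

def magistrate(events, relevance=7, credibility=8):
    """Magistrate stage: first matching custom rule wins, otherwise the default rule applies."""
    offenses = []
    for e in events:
        rule = next((r for r in CUSTOM_RULES if r.test(e)), DEFAULT_RULE)
        if rule.response == "offense":
            offenses.append({"rule": rule.name, "qid": e.qid, "events": e.count, "magnitude":
                             magnitude(e.count, QID_MAP[e.fields["action"]][1], relevance, credibility)})
    return offenses
```

Running `magistrate(collect(RAW_EVENTS))` yields one offense for the bundled deny events, while the accept event falls through to the default rule and raises none.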

For more information about each component, see the Administration Guide.
