Replacing a QRadar managed host

Migrate data from an older IBM® QRadar® managed host (16xx, 17xx, or 18xx) appliance to newer hardware.

Before you begin

Ensure that the following conditions are met:
  • You recorded the network information for the old appliance. You must manually type this information into the network configuration for the new appliance.
  • The software version of the new appliance matches the software version of the QRadar Console. You might have to reinstall an ISO image for the appliance to downgrade or use an SFS fix pack to upgrade.
  • You configured data backups to prevent potential data loss during the migration.

About this task

Follow this process for non-HA appliances. If you need to replace an appliance in a high-availability (HA) cluster, you must first remove the HA appliance from the cluster.

During migration, the IP address of the old appliance is assigned to the new hardware. The new hardware is added to the deployment and then you move data while new events are collected from the network.

Procedure

  1. Prepare your new hardware:
    1. Rack the appliance and connect it to the network.
    2. Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
  2. Review your software version.
    1. If your Console software version is older than the software on the appliance, reinstall the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
    2. Follow the installation wizard to complete the installation.
    3. Type a root password for the appliance.
    4. Type a temporary IP address and network information for the new hardware.
    5. Log in as a root user, and select the appliance type during the installation process.
    6. If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
  3. Remove the old appliance from the deployment.
    1. Log in to QRadar as an administrator.
    2. Click the Admin tab and click the System and License Management icon.
    3. From the Display menu, click Systems, and then select the old QRadar appliance.
    4. Click Deployment Actions > Remove Host.
    5. When prompted, click Remove to confirm the removal of the host deployment.
      Attention: Don't delete the Event Collector and Event Processor components, because these components are reused.
      Note: Verify that no external storage other than /store and /store/ariel is mounted.
  4. Reassign the IP addresses to ensure that the decommissioned appliance doesn't cause an IP address conflict in the network after it is powered back on.
    1. To reassign the IP address of the old appliance to any unused address:
      1. Use IMM (Integrated Management Module) for remote access, or use the local Console keyboard, to log in to the command line of the old appliance as the root user.
      2. Reassign the IP address of the old appliance by typing the following command:
        /opt/qradar/bin/qchange_netsetup
    2. Set the IP address for the new hardware:
      1. Use IMM for remote access, or use the local Console keyboard to log in to the command line of the new appliance as the root user.
      2. From the command line of the new appliance, type /opt/qradar/bin/qchange_netsetup to use the same host name and IP address as the old appliance.
      If you want to migrate old data to the new system, leave the existing system running and connected to the network. The data is moved when the new appliance is running and collecting data.
  5. Add the new appliance to the deployment.
    1. Log in to QRadar as an administrator.
    2. Click the Admin tab and click the System and License Management icon.
    3. Click Deployment Actions > Add Host.
    4. If you're prompted to add old components from the deployment to the host, click Yes. Any deployment components that were on the old appliance are reassociated with this host so that any protocol-based sources are automatically enabled and migrated to the new appliance.
    5. Click Save and Close.
    6. On the Admin tab, click the Deploy Changes icon.
    7. Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.
    After you add the host back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. After the new host is part of the deployment, you can only use SSH access from the Console.
  6. To allow data to be copied from the old appliance, stop the host firewall on the new appliance by typing the command systemctl stop iptables.
  7. To migrate data nodes, follow these steps.
    1. On the data nodes that are not being replaced, ensure that you have enough disk space to store the imported data until the migration is complete.
    2. Select the Data Node appliance in the host table, and on the Deployment Actions menu, click Edit Host.
    3. Click the Component Management settings icon (gear icon). In the Data Node Mode field, select Archive, and then click Save.
    4. On the Admin tab, click Deploy Changes.
    5. On the Deployment Actions menu, click Add Host.
    6. Configure the settings for the managed host, and then click Add.
    7. Select the new Data Node appliance in the host table. On the Deployment Actions menu, click Edit Host.
    8. Click the Component Management settings icon (gear icon). In the Data Node Mode field, select Archive, and then click Save.
    9. On the Admin tab, click Deploy Changes.
    10. For each old data node, migrate the data to a new data node.
    11. Set the new data nodes to Active mode.
    12. Select the old Data Node appliance in the host table. On the Deployment Actions menu, click Remove Host, and then click OK.
    13. On the Admin tab, click Advanced > Deploy Full Configuration.
  8. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources.

    You must also migrate any custom-generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.

    1. Log in to the old QRadar managed host as the root user.
    2. Copy the data from the old hardware to the new appliance by using the rsync command as in one of the following examples:
      Tip: For better performance when you use a crossover cable solution, use rsync -av instead of rsync -avz.
      Use this example for certificates:
        rsync -avz /opt/qradar/conf/trusted_certificates/ root@new_appliance:/opt/qradar/conf/trusted_certificates
      Use these examples for SSH:
        rsync -avz /etc/ssh/ root@new_appliance:/etc/ssh
        rsync -avz /root/.ssh/ root@new_appliance:/root/.ssh
  9. Transfer event and flow data to the new appliance.

    You can use either rsync or SCP to complete the data transfer. These commands might require you, as the root user, to accept the SSH host key of the target server and to provide its root password. The length of this process depends on how much data needs to be transferred.

    1. Log in to the old QRadar appliance as the root user.
    2. Copy the data from the old appliance to the new appliance (target server) by using the rsync command, as in the following example:
      Tip: For better performance when you use a crossover cable solution, use rsync -av instead of rsync -avz.
      rsync -avz /store/ariel/ root@new_appliance:/store/ariel
  10. Optional: Copy over event collector data, if you have any data in /store/ec.
    1. Log in to the old appliance as the root user.
    2. Stop ecs-ec-ingress on the old appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    3. Log in to the new appliance as the root user.
    4. Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
      touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    5. Stop ecs-ec-ingress on the new appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    6. Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
    7. Remove the file that you created in substep 4 from the new appliance by typing the following command:
      rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    8. Start ecs-ec-ingress on the new appliance by typing the following command:
      systemctl start ecs-ec-ingress
  11. Type the command systemctl start iptables on the new appliance after the configuration and data migration are complete.
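The following shell script is an added example that is not part of QRadar and not IBM's tooling. It collects the command-line parts of the procedure above into checked functions: the mount check from the note in step 3, the disk-space check from step 7, the rsync copies from steps 8 and 9 with the crossover-cable tip applied, and the ordered ecs-ec-ingress stop, marker file, copy and restart sequence from step 10. The host name new_appliance, the link labels crossover and routed, the DRY_RUN variable and the function names are assumptions; the paths, service name and marker file are the ones the procedure names. It assumes root SSH from the old appliance to the new one, which the rsync examples in steps 8 and 9 also rely on once the firewall is stopped in step 6.

```shell
#!/bin/sh
# Added helper for the managed-host replacement procedure. Not IBM's tooling
# and not part of QRadar: "new_appliance", the "crossover"/"routed" labels
# and DRY_RUN are assumptions; paths, services and the marker file come from
# the procedure.

# Commands are printed rather than executed unless DRY_RUN=0 is exported,
# so the sequence can be reviewed before it touches either appliance.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rsync options from the tip in steps 8 and 9: no compression over a direct
# crossover cable, compression over a routed link.
rsync_opts() {
    case "$1" in
        crossover) echo "-av" ;;
        *)         echo "-avz" ;;
    esac
}

# Step 3 note: read /proc/mounts-style lines (device mountpoint fstype ...)
# on stdin and print every mount point under /store other than /store and
# /store/ariel. Exits 0 when nothing else is mounted, 1 otherwise.
extra_store_mounts() {
    awk '$2 ~ /^\/store(\/|$)/ && $2 != "/store" && $2 != "/store/ariel" {
             print $2; found = 1
         }
         END { exit found ? 1 : 0 }'
}

# Step 7, substep 1: does the data to import (KB, e.g. from "du -sk") fit in
# the free space on the receiving data node (KB, e.g. from "df -Pk")?
fits_on_target() {
    [ "$2" -ge "$1" ]
}

# Steps 8 and 9, run on the old appliance: certificates, SSH material and
# ariel data. Trailing slashes copy the directory contents rather than
# creating a nested directory on the target.
copy_data() {
    new=$1
    opts=$(rsync_opts "$2")
    run rsync "$opts" /opt/qradar/conf/trusted_certificates/ \
        "root@$new:/opt/qradar/conf/trusted_certificates"
    run rsync "$opts" /etc/ssh/ "root@$new:/etc/ssh"
    run rsync "$opts" /root/.ssh/ "root@$new:/root/.ssh"
    run rsync "$opts" /store/ariel/ "root@$new:/store/ariel"
}

# Step 10, run on the old appliance with root SSH to the new one (assumed).
# Order matters: ingress is stopped on both sides and the marker file exists
# before /store/ec is copied; the marker is removed before ingress restarts.
MARKER=/storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
migrate_ec() {
    new=$1
    opts=$(rsync_opts "$2")
    run systemctl stop ecs-ec-ingress
    run ssh "root@$new" "touch $MARKER"
    run ssh "root@$new" systemctl stop ecs-ec-ingress
    run rsync "$opts" /store/ec/ "root@$new:/store/ec"
    run ssh "root@$new" "rm -f $MARKER"
    run ssh "root@$new" systemctl start ecs-ec-ingress
}

# Dry run that prints the commands without executing them:
#   . ./migrate_host.sh
#   copy_data new_appliance crossover
#   migrate_ec new_appliance crossover
```

Source the file on the old appliance, run `extra_store_mounts < /proc/mounts` before removing the host in step 3, and review the printed commands from `copy_data` and `migrate_ec` before exporting DRY_RUN=0 to run them for real.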

What to do next

After the data transfer is complete, decommission the old appliance and unrack the obsolete hardware.