Preparation checklist for QRadar upgrades

To successfully upgrade an IBM® QRadar® system, verify your upgrade path, especially when you upgrade from older versions that require intermediate steps. You must also review the software, hardware, and high availability (HA) requirements.

ISO files are used for major operating system version upgrades and SFS files are used for any upgrades that do not include a major operating system version upgrade.

Use the following checklist to make sure that you are prepared for an upgrade.
  • Review the QRadar Release Notes (https://www.ibm.com/docs/en/qsip/7.4?topic=overview-release-notes).
  • Run a health check and fix any failures. See Running health checks.
  • Notify users of scheduled maintenance.
  • Verify that running scans and reports are complete.
  • Request that users close all QRadar sessions and screen sessions.
  • When upgrading to QRadar 7.4.2 or later, ensure that all event collectors are migrated from GlusterFS to Distributed Replicated Block Device. For more information, see Migrating event collectors from GlusterFS to Distributed Replicated Block Device.
  • Review the release notes for the version you are upgrading to and download the SFS file. To access the release notes and SFS file download link, go to QRadar Software 101 (https://ibm.biz/qradarsoftware).
  • Verify the checksum of the SFS file. For information about verifying the checksum of the SFS file, see Using a Windows Host for Checksum verification of the build (https://www.ibm.com/support/pages/radar-error-installing-radar-when-using-iso).
  • If you don't already have this information, get a CSV file that contains a list of IP addresses for each appliance in your deployment by typing the following command:
    /opt/qradar/support/deployment_info.sh
  • Unmount all external storage that is not /store/ariel or /store.
  • Back up all third-party data, such as:
    • scripts
    • personal utilities
    • important files or exports
    • JAR files or interim fixes that were provided by QRadar support
    • static route files for network interfaces
  • If you have HA appliances in your deployment, verify that your primary appliances are in the Active state, and your secondary appliances are in the Standby state.
  • Ensure that you have direct access to the command line on all appliances. If you are using IMM, iDRAC, Raritan, KVM, or other technology for command line access, ensure that they are configured and functional.
  • Verify that the firmware is the latest version for your appliances. For more information about updating firmware, see Firmware update for QRadar (http://www.ibm.com/support/docview.wss?uid=swg27047121).
  • You can also back up your custom content by typing the following command:
    /opt/qradar/bin/contentManagement.pl --action export --content-type all

    Depending on the environment size, it could take hours, days, or in some cases weeks for the export to complete in large environments. For more information, see QRadar: Best practices when using the Content Management Tool to export custom data.

  • Confirm that all appliances in your deployment are at the same software version by typing the following commands:
    /opt/qradar/support/all_servers.sh -C -k /opt/qradar/bin/myver > myver_output.txt
    cat myver_output.txt
  • Confirm that all previous updates are unmounted by typing the following commands:
    /opt/qradar/support/all_servers.sh -k "umount /media/cdrom"
    /opt/qradar/support/all_servers.sh -k "umount /media/updates"
  • If you have HA appliances in your deployment:
    • Verify that the /store file system is mounted on the primary appliance and not mounted on the secondary appliance.
    • Verify that the /transient file system is mounted on both the primary and secondary appliances.
  • Review system notifications for the following error and warning messages, and resolve them before you attempt to update:
    • Performance or event pipeline degradation notifications
    • Memory notifications
    • TX sentry messages or process stopped notifications
    • HA active or HA standby failure system notifications
    • Disk failure system notifications
    • Disk Sentry noticed one or more storage partitions are unavailable notifications
    • Time synchronization system notifications
    • Unable to execute a backup request notifications
    • Data replication experiencing difficulty notifications
    • RAID controller misconfiguration notifications
  • Manually deploy changes in the user interface to verify that it completes successfully.
  • Verify that the latest configuration backup completed successfully and download the file to a safe location.
  • Ensure that all apps on your system are updated. Out-of-date apps might not work after you upgrade QRadar.
  • Resolve any issues with applications in an error state or not displaying properly.
  • App Nodes are no longer supported as of V7.3.2. If you have an App Node in your deployment, follow the steps in Migrating from an App Node to an App Host before you start the upgrade.
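
The mount-state items in the checklist above (previous update media unmounted, /store mounted only on the HA primary, /transient mounted on both HA nodes) can be checked per appliance with a short script. This is an added example, not IBM code; the function names, the `none` role for non-HA appliances, and the `audit_mounts.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example (not part of QRadar): pre-upgrade mount audit for one appliance.
# Input is a mount table in /proc/mounts format: device mountpoint fstype ...

# is_mounted MOUNTS_FILE MOUNTPOINT: exit 0 if MOUNTPOINT is a mount target.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# audit_mounts ROLE [MOUNTS_FILE]
#   ROLE: primary | secondary for an HA pair, none for a non-HA appliance
#   (the "none" role is an assumption of this example).
#   Prints one FAIL line per finding.
#   Returns 0 if clean, 1 on findings, 2 on an invalid ROLE.
audit_mounts() {
    role=$1
    mounts=${2:-/proc/mounts}
    rc=0
    case $role in
        primary|secondary|none) ;;
        *) echo "usage: audit_mounts primary|secondary|none [mounts_file]" >&2
           return 2 ;;
    esac

    # Previous update media must be unmounted on every appliance.
    for mp in /media/cdrom /media/updates; do
        if is_mounted "$mounts" "$mp"; then
            echo "FAIL: $mp is still mounted"; rc=1
        fi
    done
    if [ "$role" = none ]; then return "$rc"; fi

    # /store must be mounted on the primary and not on the secondary.
    if [ "$role" = primary ]; then
        is_mounted "$mounts" /store || { echo "FAIL: /store is not mounted on the primary"; rc=1; }
    elif is_mounted "$mounts" /store; then
        echo "FAIL: /store is mounted on the secondary"; rc=1
    fi

    # /transient must be mounted on both HA nodes.
    is_mounted "$mounts" /transient || { echo "FAIL: /transient is not mounted"; rc=1; }
    return "$rc"
}

# Run only when arguments are supplied, e.g.: sh audit_mounts.sh secondary
if [ "$#" -gt 0 ]; then audit_mounts "$@"; fi
```

Run it on each HA node with that node's role; a non-zero exit status means at least one checklist item is not yet satisfied.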