You must upgrade all of the IBM® QRadar® products in your deployment to the same version.
Before you begin
New in 7.4.2: When you run the upgrade, any QRadar Event Collectors are detected. These event collectors must be migrated from GlusterFS to Distributed Replicated Block Device before the upgrade can continue. For information, see Migrating event collectors from GlusterFS to Distributed Replicated Block Device.
Determine the minimum QRadar version that is required for the version of QRadar to which you want to update.
- Click to check your current version of QRadar.
- To determine if you can upgrade to a version of QRadar, go to QRadar Software 101 (https://www.ibm.com/community/qradar/home/software/) and check the release notes of the version you want to upgrade to.
About this task
To ensure that IBM QRadar upgrades without errors, ensure that you use only the supported versions of QRadar software.
Important:
- Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar versions of software are not supported.
- Custom DSMs are not removed during the upgrade.
Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA) deployments, when you upgrade the HA primary host, the HA secondary host is automatically upgraded.
The following QRadar systems can be upgraded concurrently:
- Event processors
- Event collectors
- Flow processors
- QFlow collectors
- Data nodes
- App hosts
Procedure
- Download the .sfs file from Fix Central (www.ibm.com/support/fixcentral).
  - If you are upgrading QRadar SIEM, download the <QRadar>.sfs file.
  - If your deployment includes an IBM QRadar Incident Forensics (6000) appliance, download the <identifier>_Forensics_patchupdate-<build_number>.sfs file. The .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.
- Use SSH to log in to your system as the root user.
- Copy the SFS file to the /storetmp or /var/log directory or to another location that has sufficient disk space.
Important: If the SFS file is in the /storetmp directory and you do not upgrade, when the overnight diskmaintd.pl utility runs, the SFS file is deleted. For more information, see Daily disk maintenance (https://www.ibm.com/support/pages/qradar-732-files-storetmp-are-removed-daily-disk-maintenance).
To verify you have enough space (5 GB) in the QRadar Console, type the following command:
df -h /storetmp /var/log | tee diskchecks.txt
Important: Don't copy the file to an existing QRadar system directory such as the /store directory.
- To create the /media/updates directory, type the following command:
- Use the cd command to change to the directory where you copied the SFS file.
- To mount the SFS file to the /media/updates directory, type the following command:
mount -o loop <QRadar>.sfs /media/updates
- To run the installer, type the following command:
New in 7.4.2: If you receive the following error message, you have a QRadar Incident Forensics appliance in your deployment. Download the QRadar Incident Forensics patch file from IBM Fix Central (www.ibm.com/support/fixcentral). The patch file is named similar to this one: <identifier>_Forensics_patchupdate-<build_number>.sfs. For information about upgrading with a QRadar Incident Forensics appliance in your deployment, see Upgrading QRadar Incident Forensics.
Error: This patch is incompatible with Forensics deployments
[ERROR](testmode) Patch pretest 'Check for QIF appliances in deployment' failed. (check_qif.sh)
[ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
[INFO](testmode) Set ip-130-86 status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.
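The staging rules from the copy step (at least 5 GB free, not inside /store, and /storetmp is cleaned by the overnight disk maintenance) can be checked in one pass before the SFS file is copied. The following is an added example, not IBM's code; the function names are this example's own, and it only reads df output.

```shell
#!/bin/sh
# Added example: pre-flight check for the directory that will hold the SFS file.
# Function names are hypothetical; the 5 GB default is the space requirement
# stated in the procedure.

# Classify a staging path according to the notes in the copy step.
#   system   - /store or below, an existing QRadar system directory (do not use)
#   volatile - /storetmp or below, emptied by the overnight disk maintenance
#   ok       - anywhere else, for example /var/log
classify_staging_path() {
    case "${1%/}" in
        /store|/store/*)       echo system ;;
        /storetmp|/storetmp/*) echo volatile ;;
        *)                     echo ok ;;
    esac
}

# Succeed when the filesystem that holds directory $1 has at least $2 GB free.
has_free_gb() {
    dir=$1 need_gb=${2:-5}
    [ -d "$dir" ] || return 2
    # -P forces one output line per filesystem; column 4 is available 1K blocks.
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge $((need_gb * 1024 * 1024)) ]
}

# Print a verdict for one candidate directory; return non-zero if unusable.
check_staging_dir() {
    dir=$1 need_gb=${2:-5}
    kind=$(classify_staging_path "$dir")
    if [ "$kind" = system ]; then
        echo "$dir: REJECT (QRadar system directory)"; return 1
    fi
    if ! has_free_gb "$dir" "$need_gb"; then
        echo "$dir: REJECT (missing or less than ${need_gb} GB free)"; return 1
    fi
    if [ "$kind" = volatile ]; then
        echo "$dir: OK (upgrade before the overnight disk maintenance runs)"
    else
        echo "$dir: OK"
    fi
}

# Usage on the Console: check_staging_dir /storetmp; check_staging_dir /var/log
```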
What to do next
- Unmount /media/updates by typing the following command:
umount /media/updates
- Delete the SFS file.
- Perform an automatic update to ensure that your configuration files contain the latest network security information. For more information, see Checking for new updates.
- Delete the patch file to free up space on the partition.
- Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not be displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a valid license key. For more information, see the Administration Guide for your product.
- Determine whether there are changes that must be deployed. For more information, see Deploy Changes.