Upgrading QRadar SIEM

You must upgrade all of the IBM® QRadar® products in your deployment to the same version.

Before you begin

New in 7.4.2 When you run the upgrade, any QRadar Event Collectors are detected. These event collectors must be migrated from GlusterFS to Distributed Replicated Block Device before the upgrade can continue. For information, see Migrating event collectors from GlusterFS to Distributed Replicated Block Device.

Determine the minimum QRadar version that is required for the version of QRadar to which you want to update.

  • Click Help > About to check your current version of QRadar.
  • To determine if you can upgrade to a version of QRadar, go to QRadar Software 101 (https://www.ibm.com/community/qradar/home/software/) and check the release notes of the version you want to upgrade to.

About this task

To ensure that IBM QRadar upgrades without errors, ensure that you use only the supported versions of QRadar software.

Important:
  • Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar versions of software are not supported.
  • Custom DSMs are not removed during the upgrade.

Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA) deployments, when you upgrade the HA primary host, the HA secondary host is automatically upgraded.

The following QRadar systems can be upgraded concurrently:
  • Event processors
  • Event collectors
  • Flow processors
  • QFlow collectors
  • Data nodes
  • App hosts

Procedure

  1. Download the .sfs file from Fix Central (www.ibm.com/support/fixcentral).

    • If you are upgrading QRadar SIEM, download the <QRadar>.sfs file.

    • If your deployment includes an IBM QRadar Incident Forensics (6000) appliance, download the <identifier>_Forensics_patchupdate-<build_number>.sfs file. The .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.

  2. Use SSH to log in to your system as the root user.
  3. Copy the SFS file to the /storetmp or /var/log directory or to another location that has sufficient disk space.
    Important: If the SFS file is in the /storetmp directory and you do not upgrade, when the overnight diskmaintd.pl utility runs, the SFS file is deleted. For more information, see Daily disk maintenance (https://www.ibm.com/support/pages/qradar-732-files-storetmp-are-removed-daily-disk-maintenance).

    To verify you have enough space (5 GB) in the QRadar Console, type the following command: 

    df -h /storetmp /var/log | tee diskchecks.txt
    Important: Don't copy the file to an existing QRadar system directory such as the /store directory.
  4. To create the /media/updates directory, type the following command: 
    mkdir -p /media/updates
  5. Use the command cd to change to the directory where you copied the SFS file.
  6. To mount the SFS file to the /media/updates directory, type the following command: 
    mount -o loop <QRadar>.sfs /media/updates
  7. To run the installer, type the following command: 
    /media/updates/installer

    New in 7.4.2 If you receive the following error message, you have a QRadar Incident Forensics appliance in your deployment. Download the QRadar Incident Forensics patch file from IBM Fix Central (www.ibm.com/support/fixcentral). The patch file is named similar to this one: <identifier>_Forensics_patchupdate-<build_number>.sfs. For information about upgrading with a QRadar Incident Forensics appliance in your deployment, see Upgrading QRadar Incident Forensics.

    Error: This patch is incompatible with Forensics deployments
[ERROR](testmode) Patch pretest 'Check for QIF appliances in deployment' failed. (check_qif.sh)
[ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
[INFO](testmode) Set ip-130-86 status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.

What to do next

  1. Unmount /media/updates by typing the following command: 
    umount /media/updates
  2. Delete the SFS file.
  3. Perform an automatic update to ensure that your configuration files contain the latest network security information. For more information, see Checking for new updates.
  4. Delete the patch file to free up space on the partition.
  5. Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not be displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a valid license key. For more information, see the Administration Guide for your product.
  6. Determine whether there are changes that must be deployed. For more information, see Deploy Changes.