Replacing a QRadar Console with an appliance that uses a new IP address

Migrate data from an older QRadar® Console to a new Console appliance that uses a new IP address. All managed host appliances stay as-is. Use this process for non-HA appliances.

Before you begin

You must complete a QRadar installation on the new Console with a matching software version to the old Console.

About this task

You don't have to remove managed hosts from the old QRadar Console because the new QRadar Console takes over any existing hosts in the deployment. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline.

Important: App data is separated from the configuration backup and restore. To back up and restore app data, see Backing up and restoring app data.

Procedure

  1. Prepare your new hardware:
    1. Rack the appliance and connect network connections.
    2. Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
  2. Review your software version.
    1. If your Console software version is older than the software on the appliance, reinstall the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
    2. Follow the installation wizard to complete the installation.
    3. Type a root password for the appliance.
    4. Type a new IP address and network information for the new hardware.
    5. Log in as a root user and select the appliance type during the installation process.
    6. If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
  3. On the navigation menu, click Admin.
  4. In the System Configuration section, click Backup and Recovery.
  5. Select the archive that you want to restore, and click Restore.
  6. On the Restore a Backup window, configure the following parameters and then click Restore.
    Table 1. Restore a Backup parameters
    Parameter | Description
    Select All Configuration Items | Indicates that all configuration items are included in the restoration of the backup archive. This checkbox is selected by default.
    Restore Configuration | Lists the configuration items to include in the restoration of the backup archive. All items are selected by default.
    Select All Data Items | Indicates that all data items are included in the restoration of the backup archive. This checkbox is selected by default.
    Restore Data | Lists the configuration items to include in the restoration of the backup archive. All items are cleared by default.

  7. Stop the iptables service on each managed host in your deployment. iptables is a Linux®-based firewall.
    1. Using SSH, log in to the managed host as the root user.
    2. For App Host, type the following commands:
      systemctl stop docker_iptables_monitor.timer
      systemctl stop iptables
    3. For all other managed hosts, type the following command:
      systemctl stop iptables
    4. Repeat for all managed hosts in your deployment.
  8. On the Restore a Backup window, click Test Hosts Access.
  9. After testing is complete for all managed hosts, verify that the status in the Access Status column indicates a status of OK.
  10. If the Access Status column indicates a status of No Access for a host, stop iptables again, and then click Test Hosts Access again to attempt a connection.
  11. On the Restore a Backup window, configure the parameters.
    Important: By selecting the Installed Applications Configuration checkbox, you restore the installed app configurations only. Extension configurations are not restored. Select the Deployment Configuration checkbox if you want to restore extension configurations.
  12. Click Restore.
  13. Click OK.
  14. Click OK to log in.
  15. Choose one of the following options:
    • If the user interface was closed during the user restore process, open a web browser and log in to QRadar.
    • If the interface was not closed, the login window is displayed. Log in to QRadar.
  16. View the results of the restore process and follow the instructions to resolve any errors.
  17. Refresh your web browser window.
  18. From the Admin tab, select Advanced > Deploy Full Configuration.
    QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
  19. To enable the IP tables for an App Host, type the following command:
    systemctl start docker_iptables_monitor.timer
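
Step 7 stops the host firewall on every managed host, so after step 19 it is worth confirming that the units are active again. The script below is an added example, not part of the IBM procedure; the host names, role labels and sample responses are constructed, and the live query assumes root SSH access to the managed hosts as in step 7.

```shell
#!/bin/sh
# Added example: list managed hosts whose firewall units are not active again.
# Host names, role labels and sample responses are constructed for illustration.

# Units that step 7 stops, per role ("apphost" is this script's own label).
units_for_role() {
    case "$1" in
        apphost) echo "iptables docker_iptables_monitor.timer" ;;
        *)       echo "iptables" ;;
    esac
}

# Live query: prints the unit state reported by systemctl on the remote host.
query_unit() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" \
        systemctl is-active "$2" 2>/dev/null
}

# Constructed responses so the audit can be exercised without a deployment.
sample_query() {
    case "$1:$2" in
        ep01.example.test:iptables)  echo active ;;
        app01.example.test:iptables) echo active ;;
        app01.example.test:docker_iptables_monitor.timer) echo inactive; return 3 ;;
        fp01.example.test:iptables)  echo inactive; return 3 ;;
        *) return 255 ;;   # no answer, as when SSH cannot connect
    esac
}

sample_inventory() {
    printf '%s\n' "ep01.example.test eventprocessor" "app01.example.test apphost" \
        "fp01.example.test flowprocessor" "dn01.example.test datanode"
}

# Reads "host role" lines on stdin; prints "host unit state" for each unit
# that is not active. QUERY selects the query function (default: query_unit).
audit_firewall() {
    while read -r host role; do
        case "$host" in ''|\#*) continue ;; esac   # skip blanks and comments
        for unit in $(units_for_role "$role"); do
            # </dev/null keeps ssh from swallowing the rest of the inventory
            state=$("${QUERY:-query_unit}" "$host" "$unit" </dev/null) || true
            [ "$state" = "active" ] || echo "$host $unit ${state:-unreachable}"
        done
    done
}

# --sample uses the constructed data; --live reads "host role" lines from stdin.
case "${1:-}" in
    --sample) QUERY=sample_query; sample_inventory | audit_firewall ;;
    --live)   audit_firewall ;;
esac
```

Each line it prints names a host and unit that is still stopped or could not be queried; no output means every listed unit reported active.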

What to do next

After the data transfer is complete, you might want to keep the old Console on hand in case you need to revert to the old appliance. Otherwise, after a week or two, the old Console is no longer required and can be decommissioned or repurposed for other uses.

To verify that your migration is successful, log in as an administrator, click the Log Activity tab and perform a search to see whether events are flowing. Then, click the Network Activity tab and perform a search to see whether flows are being processed.