Replacing a QRadar Console with an appliance that uses the same IP address

Migrate data from an older IBM® QRadar® Console to a new console that uses the same IP address. All managed host appliances stay as-is. Use this process for non-HA appliances.

Before you begin

  • Write down the network information for the old Console; you must enter this information into the network configuration for the new appliance. Ensure that the old Console and the new Console are in the same network.
  • Save a recent configuration backup from the old Console. The configuration backup is used to restore settings, users, rules, log sources, and more to the new Console.
  • Complete a QRadar installation on the new Console by using the software version that matches that of the old Console. The installation of the new Console uses a temporary IP address until the old hardware is removed from the deployment.
  • If you are using WinCollect, ensure that the WinCollect version on the new Console matches the version on the old Console before you migrate.

About this task

It is not necessary to remove managed hosts from the old QRadar Console because the new QRadar Console takes over any existing hosts in the deployment. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline.

Important: App data is separated from the configuration backup and restore. To back up and restore app data, see Backing up and restoring app data.

Procedure

  1. Prepare your new hardware:
    1. Rack the appliance and connect network connections.
    2. Turn on the appliance and log in as a root user.
    3. When the system displays the license agreement (EULA), press Ctrl+C to open a command prompt.
    4. To view the installed software version, type the following command:
      /opt/qradar/bin/myver
    5. Compare the software version on the new hardware and the old hardware:
      • If the new hardware's software version is older than the software that is running in production, log out, and then log in again as the root user and complete the installation. After the installation completes, download the correct update package to upgrade the Console to the same version as the deployment.
      • If the new hardware's software version is newer than the software that is running in production, you can either choose to upgrade your production system to match the new appliance, or downgrade the software by installing an older release of QRadar from Fix Central (www.ibm.com/support/fixcentral/). Reinstall the new system with an older release first, and then begin this procedure.
      • If the new hardware's software version is the same as the software that is running in production, log out, log in again as root, and complete the installation.
    6. Configure QRadar.
    7. Type a temporary IP address and network information for the new hardware.
    8. Type a root password for the appliance.
    9. Follow the installation wizard to complete the installation.
    10. If required from Step 1e, upgrade the new hardware to the same version level as the old Console.
  2. Prepare your old QRadar hardware:
    1. Log in to the old Console.
    2. Click the Admin tab, and then click the Backup and Recovery icon.
    3. From the navigation menu, click On Demand Backup.
      Important: Configuration backups can only be restored to the same version of QRadar that they were created with. If you plan to change the overall QRadar version in the deployment, you must create a new configuration backup after any software change and keep these files in a safe place for your hardware migration. Moving from a smaller Console to a larger or newer appliance is supported by the migration or backup process. For example, a 3105 Console's configuration backup can be applied to a 3128 or a 3148 appliance.
    4. Type a name and description for the new configuration backup.
    5. Click Run Backup and wait for the configuration backup to complete.
    6. After the backup finishes, click the new configuration backup name that you created to download the file.
    7. Copy the configuration backup from the old QRadar Console to a safe location.
    8. Stop services on the old Console by typing the following commands:
      systemctl stop hostcontext
      systemctl stop tomcat
      systemctl stop hostservices
      systemctl stop tunnel_manager

    A configuration backup file is created for the new Console to use. This file is required later on in the procedure to restore users, rules, log sources, offenses, reports, admin configurations, and other system settings to the new hardware.

  3. Reassign IP addresses on the old QRadar Console.

    This process is done manually by editing the network configuration file directly, instead of using the qchange_netsetup command. You can use this method to change the system's physical IP address to avoid an address conflict with the new Console. If the backup restore does not complete on the new system, you can easily revert to the old address. After the IP address on the existing Console is changed, that Console cannot make any changes to the other hosts in the deployment unless the IP address is reverted.

    Note: Complete this task by using IMM or a physical keyboard to prevent connection and lockout issues. If you're used to editing network configuration files in Linux®, you can use SSH and the screen command. Using a direct SSH session with systemctl restart network results in the loss of network connectivity and causes issues with the address change and service restart.
    1. Use IMM for remote access, or the local Console keyboard, to log in to the command line of the old appliance as the root user.
    2. Verify which network interface is the management interface by typing the following command:
      cat /etc/management_interface
      The interface that is listed in this file is the QRadar management interface.
    3. Change the directory to /etc/sysconfig/network-scripts/.
    4. Open the ifcfg-<name> file that was listed in the /etc/management_interface file.
    5. Change the IP address to an unused or decommissioned range by editing the IPADDR= line.
    6. Save the changes to the file.
    7. Restart networking by typing the following command:
      systemctl restart network
      Tip: After the network service is restarted, the IP address change is complete and the old IP address is free to use on the new Console. If any QRadar processes on the old system report errors, QRadar operates normally again if you switch the IP address back later. Don't unrack the old hardware until after you transfer the data to the new appliance.
  4. Set IP addresses on the new QRadar Console:
    1. Use IMM for remote access or the local Console keyboard to log in to the command line of the new appliance as the root user.
    2. Change the IP address by typing the following command:
      /opt/qradar/bin/qchange_netsetup
    3. Use the Configuration Wizard to change the IP address of the system to the old Console's IP address.
    4. Save and exit the wizard to complete the address change.
    The new Console is installed with the old Console's IP address.
  5. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources. You must also migrate any custom-generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.
    1. Log in to the old QRadar Console as the root user.
    2. Copy the data from the old hardware to the new appliance by using the rsync as in the following examples:
      Tip: For better performance when you use a crossover cable solution, use rsync -av instead of rsync -avz.
      Use this example for certificates:
      Example: rsync -avz /opt/qradar/conf/trusted_certificates/ root@new_appliance:/opt/qradar/conf/trusted_certificates/
      Use these examples for SSH:
      Example 1: rsync -avz /etc/ssh/ root@new_appliance:/etc/ssh
      Example 2: rsync -avz /root/.ssh/ root@new_appliance:/root/.ssh
    3. Wait for the transfer to complete.
    4. If you are using custom SSL certificates, follow these steps:
      1. Copy the certificate or intermediate certificate from the /etc/httpd/conf/certs directory on the old Console to the /tmp directory or your preferred location on the new Console.

        Do not copy the certificate to the /etc/httpd/conf/certs directory on a new Console.

      2. Install the SSL certificate that you copied on the new Console by using /opt/qradar/bin/install-ssl-cert.sh -i and follow the instructions.

        The wizard prompts you for a private key. You might have to copy the private key to the server if it is not stored in the /etc/httpd/conf/certs/ directory. It is usually a best practice not to store the private key on the server itself.

      Important: If the Console on your new appliance has a different certificate authority (CA) certificate than the Console on your old appliance, copy the CA certificate from your old appliance to the /etc/pki/ca-trust/source/anchors directory on the new appliance and then run the update-ca-trust command.
    Warning:
    • When your migration completes, verify that the certificates on the Console in /etc/httpd/conf/certs match those on the managed hosts.
    • Do not copy the certificate key (cert.key) from the Console to the managed hosts.
    The required certificate and ssh key files are transferred to the new Console. You can now migrate event and flow data from the old Console to the new Console.
  6. Restore the backup configuration to the new QRadar Console appliance:
    1. Using SCP, copy the configuration backup file that you downloaded previously to the /store/backupHost/inbound/ directory on the new Console.
    2. Log in to the new QRadar Console as an administrator.
    3. Click the Admin tab and select the Backup and Recovery icon.
    4. Select the configuration backup that you copied to the Console and click Restore.
    5. In the restore options list, check Select All Configuration Items and Select All Data Items.
    6. Click Restore to start the configuration restore process.
      Note: The restore process might take a while to complete.
    7. After the restore process is complete, log in to QRadar.
    8. From the Admin tab, click Advanced > Deploy Full Configuration.
    9. Verify that event or flow sources that reported to the original host are now processed in QRadar.
    After the host is added back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. Verify that log source data is pulled and that flow data is received by the new Console. Any log sources that are not collecting data might require certificates to be moved to the new host.

    When the configuration is finished restoring on the new console, you might receive an error that indicates that the console license keys expired. You can add the new licenses to resolve this error.

  7. Transfer any event and flow data to the new hardware.

    The data transfer can be a lengthy process. You can use crossover cables to speed up the transfer of event and flow information if your appliances are located in the same data center. Data is moved in one-month intervals to keep the performance impact to a minimum. The syncAriel.sh utility does not move certificates or configurations, only data that is stored in the /store/ariel/ directory. SSH traffic must be allowed between the two appliances to migrate the data. You might be required to accept SSH host keys and provide the root password for the target server to start the transfer.

    1. Download syncAriel.sh from step 7 in this technote (http://www-01.ibm.com/support/docview.wss?uid=swg21984607).
    2. Log in to the old QRadar Console as the root user.
    3. Using SCP, copy the syncAriel.sh utility to the old Console.
    4. Navigate to the directory with the syncAriel.sh utility and type the following command:
      chmod +x syncAriel.sh
    5. Type the following command:
      screen
      Note: For data transfers, start a screen session so that the transfer survives a minor network outage and you can reconnect to it. To detach the session so that you can log out, press Ctrl+A and then D (or Ctrl+A and then Ctrl+D); use screen -r to reattach to the screen session.
    6. Run the utility by typing the following command:
      sh syncAriel.sh -i <new_Console's_IPAddress>
    7. Wait for the transfer to complete, then close the screen session.
    Data is migrated from the /store/ariel directory of the old Console to the new Console.
    If your connection dropped or a network outage occurred, you can run the syncAriel.sh utility again to migrate data. The syncAriel.sh utility tracks the files that were already transferred with rsync to the new appliance, and data that was already transferred is not copied a second time.

    If the transfer fails or encounters errors, transfer the data manually by using SCP, SFTP, or another file transfer method.

  8. Optional: Copy over event collector data, if you have any data in /store/ec.
    1. Log in to the old appliance as the root user.
    2. Stop ecs-ec-ingress on the old appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    3. Log in to the new appliance as the root user.
    4. Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
      touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    5. Stop ecs-ec-ingress on the new appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    6. Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
    7. Remove the file that is created in substep d from the new appliance by typing the following command:
      rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    8. Start ecs-ec-ingress on the new appliance by typing the following command:
      systemctl start ecs-ec-ingress
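The manual ifcfg edit in step 3 (substeps b to f) and the revert that the step relies on, as an added shell example that is not from the IBM page: the function names, the timestamped backup file name and the sample file contents used in testing are assumptions; the /etc/management_interface and /etc/sysconfig/network-scripts paths come from the procedure.

```shell
#!/bin/sh
# Added example, not from the IBM page: switch the IPADDR= line of the
# management interface's ifcfg file (step 3) with a backup and sanity
# checks, and put the old address back if the migration has to be reverted.
# Assumes the RHEL-style /etc/sysconfig/network-scripts layout and the
# one-line /etc/management_interface file that the page describes.

# Return 0 only for a well-formed dotted-quad IPv4 address.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  ip_n=0; ip_old_ifs=$IFS; IFS=.
  for ip_o in $1; do
    ip_n=$((ip_n + 1))
    [ "$ip_o" -le 255 ] || { IFS=$ip_old_ifs; return 1; }
  done
  IFS=$ip_old_ifs
  [ "$ip_n" -eq 4 ]
}

# Resolve the ifcfg-<name> path for the interface named in
# /etc/management_interface; both paths are parameters so it can be dry-run.
management_ifcfg() {
  mgmt_iface=$(head -n 1 "${1:-/etc/management_interface}" | tr -d '[:space:]')
  [ -n "$mgmt_iface" ] || { echo "no interface name found" >&2; return 1; }
  echo "${2:-/etc/sysconfig/network-scripts}/ifcfg-$mgmt_iface"
}

# Rewrite the IPADDR= line after saving a timestamped copy of the file.
# Leaves the file untouched and returns 1 if the address is malformed or
# the file has no IPADDR= line; prints the new IPADDR line on success.
set_ifcfg_ipaddr() {
  valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
  grep -q '^IPADDR=' "$1" || { echo "no IPADDR= line in $1" >&2; return 1; }
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  sed "s/^IPADDR=.*/IPADDR=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  grep '^IPADDR=' "$1"
}

# Restore the newest backup copy, which returns the old address to the
# old Console if the restore on the new one does not complete.
revert_ifcfg_ipaddr() {
  bak=$(ls "$1".bak.* 2>/dev/null | sort | tail -n 1)
  [ -n "$bak" ] || { echo "no backup of $1 found" >&2; return 1; }
  cp -p "$bak" "$1"
  grep '^IPADDR=' "$1"
}
```

On the old Console, from IMM or the local keyboard as the Note in step 3 advises, run cfg=$(management_ifcfg); set_ifcfg_ipaddr "$cfg" <unused-address> and then systemctl restart network; revert_ifcfg_ipaddr "$cfg" followed by the same restart puts the old address back.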

Results

After the data transfer is complete, you might want to keep the old Console on hand in case you need to revert to the old appliance. Otherwise, after a week or two, you won't need the old Console and you can decommission or repurpose it for other uses.