Upgrading QRadar SIEM to 7.5.0 UP8 or later
You must upgrade all the IBM® QRadar® products in your deployment to the same version.
Before you begin
Review the software update checklist on the Update checklist tab. For more information, see Software update checklist (https://www.ibm.com/support/pages/qradar-software-update-checklist-administrators).
Restriction:
The following restrictions apply to the upgrade process:
- To successfully upgrade to QRadar 7.5.0 UP8 or UP9, your deployment must be on QRadar 7.5.0 UP7.
- To successfully upgrade to RHEL-8, your deployment must use a supported device driver. If any unsupported drivers exist on your deployment, they are removed during the upgrade. For more information on the list of unsupported drivers, see Removed device drivers.
- Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported. Verify that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system.
- UP8 only: Upgrading to RHEL-8 on systems with Secure Boot enabled is not supported.
- The Leapp pretest can fail if the tool detects any Network Interface Card (NIC) that uses kernel naming (eth) and multiple NICs existing on the same system. To resolve this issue, follow the steps in https://access.redhat.com/solutions/4067471.
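The LUKS, Secure Boot, and NIC-naming restrictions above can be checked on each host before you start the upgrade. The following script is an added example, not IBM tooling; it assumes `lsblk` and `mokutil` are installed, and the function names, the `--live` switch, and the sample data are constructed for illustration.

```shell
#!/bin/bash
# Added example: pre-upgrade checks for three restrictions listed above.
# Each parser reads command output on stdin so it can be exercised offline.

# Succeeds if `lsblk -rno NAME,FSTYPE` output contains a LUKS container.
has_luks() { awk '$2 == "crypto_LUKS" { f = 1 } END { exit !f }'; }

# Succeeds if `mokutil --sb-state` output reports Secure Boot as enabled.
secure_boot_enabled() { grep -q '^SecureBoot enabled'; }

# Reads NIC names, one per line. Succeeds if more than one NIC exists and
# at least one of them uses kernel naming (eth0, eth1, ...).
eth_naming_conflict() {
  awk '/^eth[0-9]+$/ { e++ } NF { n++ } END { exit !(n > 1 && e > 0) }'
}

# Runs the parsers against the local host, prints one line per finding,
# and returns the number of findings (0 means no restriction was hit).
preflight() {
  local findings=0 nics
  if lsblk -rno NAME,FSTYPE 2>/dev/null | has_luks; then
    echo "BLOCKER: LUKS encrypted partition present"
    findings=$((findings + 1))
  fi
  if mokutil --sb-state 2>/dev/null | secure_boot_enabled; then
    echo "BLOCKER (UP8 only): Secure Boot is enabled"
    findings=$((findings + 1))
  fi
  # Assumption: a NIC counts as physical when sysfs shows a backing device.
  nics=$(for i in /sys/class/net/*; do [ ! -e "$i/device" ] || basename "$i"; done)
  if printf '%s\n' "$nics" | eth_naming_conflict; then
    echo "WARNING: multiple NICs with kernel (eth) naming; Leapp pretest can fail"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample inputs (not captured from a real QRadar host).
SAMPLE_LSBLK='sda
sda1 xfs
sda2 crypto_LUKS'
SAMPLE_NICS='eth0
ens192'

# Live checks run only on request, for example: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then preflight; exit $?; fi
```

Run the script with `--live` on the Console and on every managed host; a nonzero exit status means at least one restriction applies to that host.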
Determine the minimum QRadar version that is required for the version of QRadar to which you want to update.
- Click to check your current version of QRadar.
- To determine whether you can upgrade to a version of QRadar, go to QRadar Software 101 (https://www.ibm.com/community/qradar/home/software/) and check the release notes of the version that you want to upgrade to.
About this task
To ensure that IBM QRadar upgrades without errors, verify that you use only the supported versions of QRadar software.
Important:
- Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar versions of software are not supported.
- Custom DSMs are not removed during the upgrade.
- After you upgrade to Update Package 8, WinCollect 7.3.1 managed agents do not receive updates from encrypted QRadar managed hosts. For more information, see technote DT269649.
- After you upgrade from QRadar 7.5.0 Update Package 7 to Update Package 8 or later, a full Distributed Replicated Block Device (DRBD) synchronization process runs on HA systems. If you upgrade from QRadar 7.5.0 Update Package 8 to Update Package 9, a partial DRBD synchronization process runs on HA systems. For more information, see technote DT365804.
Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA) deployments, when you upgrade the HA primary host, the HA secondary host is automatically upgraded.
The following QRadar systems can be upgraded concurrently:
- Event processors
- Event collectors
- Flow processors
- QFlow collectors
- Data nodes
- App hosts
Procedure
What to do next
- Unmount /media/updates by typing the following command.
umount /media/updates
- Delete the SFS file.
- Perform an automatic update to ensure that your configuration files contain the latest network security information. For more information, see Checking for new updates.
- Delete the patch file to free up space on the partition.
- Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not be displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a valid license key. For more information, see the Administration Guide for your product.
- FIPS installation only: To verify that the FIPS mode is enabled, run the following command.
fips-mode-setup --check
If the FIPS mode is disabled, run the following command, and then reboot your system to enable the FIPS mode.
/opt/qradar/bin/qradar_fips_toggle.sh enable
- If you have custom syslog-ng configuration files, update your files to ensure compatibility with the new syslog-ng syntax in version 3.23. For more information, see Updating custom syslog-ng configuration files.
- Determine whether there are changes that must be deployed. For more information, see Deploy Changes.