IBM Support

QRadar: Event collection during upgrade of HA deployments

Question & Answer


Question

How is event collection affected when a QRadar High Availability pair is upgraded? 

Answer

Event collection in QRadar environments can be done by any of these components:
  • Console
  • Event Processors (EP)
  • Event Collectors (EC)
All of these components can be part of a High Availability (HA) pair.
When an HA pair is upgraded, event collection can be affected depending on:
  • The type of the component in the HA pair (EC, EP, Console, etc.)
  • Whether that component is set as the target event collector for any log sources
The rule of thumb is that on components with event processing capabilities, such as the Console and the EP, all services are shut down during the upgrade to preserve data integrity. The HA manager and the event collection service are among those services, so event collection stops and HA failover does not operate while the upgrade runs.
Because ECs do not have event processing capabilities, both the event collection service and the HA service keep running on them, so event collection is not affected.
With that context, event collection gets affected as follows:
  1. When a Console HA pair is upgraded, events are lost only if log sources are configured with the Console as their target event collector. This is less likely in a distributed environment with dedicated ECs. In smaller environments where the Console is the only device, event collection is affected.
  2. When an EP HA pair is upgraded, events are lost only if log sources are configured with that EP as their target event collector.
  3. When an EC HA pair is upgraded, event collection is not likely to be affected. The primary is upgraded first, and during that time the secondary becomes Active and keeps collecting events. Once the primary upgrade completes, the primary becomes the Active device again and the secondary is upgraded.
On any of the QRadar devices, you can check the status of services by running the wait_for_start script:
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
If the ecs-ec-ingress service is up and running, events are being collected on that host.
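The following pre-upgrade check is an added example, not IBM code and not something the QRadar upgrade scripts provide. It applies the rules above to a constructed inventory: for a given HA pair it lists the log sources that would lose events (those whose target event collector is a Console or EP in that pair), and it decides from constructed "service state" lines whether ecs-ec-ingress is active. The host names, log source names, and the status line format are all assumptions made for the example.

```python
"""Pre-upgrade event-collection impact check for a QRadar HA pair.

Added example; this is not IBM code and does not query a QRadar deployment.
The host inventory and log-source list are constructed to illustrate the
rules from the answer above:
  * Console and Event Processor (EP) upgrades stop all services, including
    the event collection service and the HA manager, so log sources whose
    target event collector is that host lose events during the upgrade.
  * Event Collector (EC) upgrades keep collection and HA running, so the
    standby takes over and no log source is affected.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Component types whose upgrade shuts down every service (per the answer above).
PROCESSING_TYPES = {"Console", "EP"}


@dataclass(frozen=True)
class Host:
    name: str
    component: str            # "Console", "EP" or "EC"
    ha_pair: Optional[str]    # name of the HA pair this host belongs to, if any


@dataclass(frozen=True)
class LogSource:
    name: str
    target_event_collector: str   # host name that receives this source's events


def collection_interrupted(component: str) -> bool:
    """True when upgrading this component type stops event collection."""
    return component in PROCESSING_TYPES


def upgrade_impact(pair: str, hosts: Iterable[Host],
                   log_sources: Iterable[LogSource]) -> List[str]:
    """Return the names of log sources that lose events while `pair` is upgraded.

    A log source is affected only if its target event collector is a member of
    the pair AND that member is a Console or EP (an EC pair keeps collecting).
    """
    members = {h.name: h for h in hosts if h.ha_pair == pair}
    if not members:
        raise ValueError(f"unknown HA pair: {pair!r}")
    affected = [
        ls.name
        for ls in log_sources
        if ls.target_event_collector in members
        and collection_interrupted(members[ls.target_event_collector].component)
    ]
    return sorted(affected)


def ingress_running(status_lines: Iterable[str],
                    service: str = "ecs-ec-ingress") -> bool:
    """Decide from service status lines whether events are being collected.

    Each line is assumed to be '<service> <state>' (a constructed format, not
    the real output of wait_for_start.sh); collection is considered up when the
    ingress service reports 'active'.
    """
    states: Dict[str, str] = {}
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1].lower()
    return states.get(service) == "active"


# Constructed inventory: three HA pairs, one per component type.
HOSTS = [
    Host("console01", "Console", "console-ha"), Host("console02", "Console", "console-ha"),
    Host("ep01", "EP", "ep-ha"), Host("ep02", "EP", "ep-ha"),
    Host("ec01", "EC", "ec-ha"), Host("ec02", "EC", "ec-ha"),
]

# Constructed log sources with their target event collectors.
LOG_SOURCES = [
    LogSource("fw-edge", "ec01"),
    LogSource("linux-syslog", "ec01"),
    LogSource("dc-winlogs", "ep01"),
    LogSource("console-local", "console01"),
]

if __name__ == "__main__":
    for pair in ("console-ha", "ep-ha", "ec-ha"):
        lost = upgrade_impact(pair, HOSTS, LOG_SOURCES)
        print(f"{pair}: {'no event loss' if not lost else 'event loss for ' + ', '.join(lost)}")
    # Constructed status sample: ingress up on this host.
    print("collecting:", ingress_running(["hostcontext active", "ecs-ec-ingress active"]))
```

Running the block as a script reports event loss for console-local when the Console pair is upgraded, for dc-winlogs when the EP pair is upgraded, and none for the EC pair, which matches the three cases above. In a real deployment the inventory would come from the managed host list and the log source configuration, and the status lines from the wait_for_start script on the host being upgraded.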
 


Document Information

Modified date:
16 August 2021

UID

ibm16479903