Release Notes
Abstract
A list of the installation instructions, new features, and resolved issues for the release of QRadar Incident Forensics 7.5.0 Update Package 8 (7.5.0-QRADAR-QIFFULL-20240302192142) ISO. These instructions are intended for administrators who want to install QRadar Incident Forensics 7.5.0 Update Package 8 by using an ISO file.
Content
Known issues in QRadar 7.5.0
WinCollect 7.3.1-43 upgrade fails
The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to "[CRITICAL] Transaction failed".
The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to "[CRITICAL] Transaction failed".
After you upgrade to QRadar 7.5.0 Update Package 8 with SSH, CLI session is down temporarily
If you use SSH to upgrade to 7.5.0 Update Package 8, you will lose access to the CLI session for 20-30 minutes after the system reboot. You can use the Integrated Management Module (IMM), the Integrated Dell Remote Access controller (iDRAC), or a remote console, to monitor the upgrade.
Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported
You must ensure that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system. For more information see, Upgrading QRadar SIEM.
You must ensure that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system. For more information see, Upgrading QRadar SIEM.
HA host status does not update during the sync process
During the synchronization process, the host status does not reflect the sync status of the HA hosts and the remote host status remains in standby.
During the synchronization process, the host status does not reflect the sync status of the HA hosts and the remote host status remains in standby.
Important: In QRadar 7.5.0 Update Package 8, administrators with High Availability (HA) appliances in their deployment must complete a post-installation step. For more information, see DT365145.
Leapp pretests do not verify sufficient disk space
Leapp pretests fail to ensure if the /storetmp directory has sufficient disk space to store the upgrade cache directory. You must ensure that all appliances have at minimum 10GB of space available in the /storetmp directory before you upgrade to 7.5.0 Update Package 8.
Leapp pretests are not supported on HA secondaries
When you install 7.5.0 Update Package 8, the --leapp-only installer option does not work with High Availability (HA) secondary nodes. For more information, see DT365203.
Leapp pretests are not supported on QRadar 7.5.0 Update Package 7 ISO installations
When you install 7.5.0 Update Package 8, the --leapp-only installer option does not work on managed hosts that are running new installs of 7.5.0 Update Package 7. For more information, see DT365204.
Leapp pretests are not supported on detached console HA
To run a Leapp pretest on a detached console HA that is not a removed HA from a existing deployment, complete the following steps.
- Run the following command:
/opt/qradar/bin/ssh_key_generating - Edit the /store/configservices/deployed/deployment.xml file to add the missing
mhIptag to the console node by using only one of the following methods:- Edit the file by adding the
mhIptag manually:
<managedHost xmlns="" hostName="hostName of the system" console="true" offsite="false" changed="false" id="1" privateIP="IP of the system" mhIp="Same as privateIP" publicIP="" natId="0"> - Edit the file by running the following command:
mhip=$(/opt/qradar/bin/myver -vi); sed -e "/mhIp=/ n; /console=\"true\"/s/>/ mhIp=\"$mhip\">/" /store/configservices/deployed/deployment.xml
- Edit the file by adding the
Leapp pretests fail due to multiple physical network interface configurations
When you upgrade to 7.5.0 Update Package 8, the Leapp pretest fails if the tool detects any Network Interface Card (NIC) that uses kernel naming (eth) and multiple NICs existing on the same system. For more information on the known issue and the workaround, see https://access.redhat.com/solutions/4067471.
When you upgrade to 7.5.0 Update Package 8, the Leapp pretest fails if the tool detects any Network Interface Card (NIC) that uses kernel naming (eth) and multiple NICs existing on the same system. For more information on the known issue and the workaround, see https://access.redhat.com/solutions/4067471.
Upgrade patch pretest fails on dual stack
After you upgrade to 7.5.0 Update Package 8, the RHEL-8 upgrade pretest fails after the system reboot.
Apps might go down during base image upgrade
After you install QRadar 7.5.0, your applications might go down temporarily while they are being upgraded to the latest base image.
Apps fail to restart after upgrade
After you upgrade some apps remain in an "error" state on deployments with 30+ apps. Restart the apps by using the qappmanager:
/opt/qradar/support/qappmanagerFor more information, see About the qappmanager support utility.
Cannot send udp syslog to QRADAR_CONSOLE_IP from the app container on AppHost
In QRadar 7.5.0 Update Package 8, you can not send Syslog UDP to QRADAR_CONSOLE_IP from the app container on AppHost. For more information, see DT365799.
Duplicate app entries on Traefik when QRadar console is powered off and on again
If you power off your QRadar console via VSphere and power it on again, duplicate entires of apps exist on the Traefik UI. To resolve this issue, restart the Traefik service.
If you power off your QRadar console via VSphere and power it on again, duplicate entires of apps exist on the Traefik UI. To resolve this issue, restart the Traefik service.
Factory reinstall on QRadar 7.5.0 Update Package 8 in the recovery partition fails on M5 hardware.
Factory reinstall with Update Package 8 ISO in the recovery partition on M5 hardware is not supported.
Alternatively, you can use one of the following methods:
- Reinstall QRadar from media. For more information, see Reinstalling QRadar from media.
- Replace the factory reinstall image in the recovery partition with a previous version. For more information, see https://www.ibm.com/support/pages/node/6490659.
For more information, see DT364088.
Managed WinCollect 7 agents cannot receive updates from encrypted QRadar Managed Hosts with 7.5.0 Update Package 7 Interim Fix 05 and later
In 7.5.0 Update Package 7 Interim Fix 5 and later, changes for managed WinCollect agents on 7.3.1 Patch 2 (7.3.1-28) do not complete as expected for encrypted managed hosts that attempt to connect to the Console. To resolve this issue, you must upgrade to WinCollect 7.3.1 P3. For more information, see DT269649.
In 7.5.0 Update Package 7 Interim Fix 5 and later, changes for managed WinCollect agents on 7.3.1 Patch 2 (7.3.1-28) do not complete as expected for encrypted managed hosts that attempt to connect to the Console. To resolve this issue, you must upgrade to WinCollect 7.3.1 P3. For more information, see DT269649.
Error messages appear during decapper startup in QRadar Network Insights
The following error messages on the terminal broadcast messages or decapper logs indicate an automatic fallback to a legacy decapper library on virtual hosts.
EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Permission denied EAL: Cannot use IOVA as 'PA' since physical addresses are not available
This fallback is necessary when IOMMU and virtualization passthrough are not available and enabled in the virtual platform configuration. The decapper continues to function, possibly with lowered throughput.
Cert file /etc/httpd-qif/tls/httpd-qif.cert fails the key modulus check in QRadar 7.5.0 Update Package 8
After you upgrade to 7.5.0 Update Package 8, cert file /etc/httpd-qif/tls/httpd-qif.cert fails the key modulus check.
Admin password does not set correctly on auto-install
In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
RHEL 8.8 - scaserver does not start after system reboot
After you upgrade to QRadar 7.5.0 Update Package 8, scaserver is unable to start after system reboot.
HA pairing on QRadar console fails when Network File System (NFS) is configured on the QRadar 7.5.0 Update Package 8 install
To resolve this issue, add HA pairing before configuring NFS. For more information, see Configuring NFS backup on an existing HA cluster.
For more information, see DT364450.
For more information, see DT364450.
After you upgrade to QRadar 7.5.0 Update Package 5, WinCollect 7.X agents can experience management or configuration change errors
Important: A flash notice exists for this issue. For the latest information, see https://www.ibm.com/support/pages/node/6953887.
Autoupdates (AU) issue after upgrade to QRadar 7.5.0 or later
It is possible for autoupdates to revert to a previous version of autoupdates after you upgrade. Older versions of autoupdate might not update RPMs as expected.
It is possible for autoupdates to revert to a previous version of autoupdates after you upgrade. Older versions of autoupdate might not update RPMs as expected.
After you upgrade to QRadar 7.5.0 or later, type the following command to check your autoupdate version:
/opt/qradar/bin/UpdateConfs.pl -v
Review the issue and the resolution section for your auto update version in the following technical note, https://www.ibm.com/support/pages/node/6515880.
Issue adding Data Nodes to a cluster
When you add a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
Resolved issues
For a list of Known Issues links of resolved issues in QRadar Incident Forensic 7.5.0 Update Package 8, see Known Issues. The Known Issues search page allows users to search for Known Issues by versions or status.
Some Known Issues links might take 24 hours to display properly after a software release is posted to IBM Fix Central.
What's new
For information on new and changed features in QRadar Incident Forensics 7.5.0 Update Package 8, see What's new in 7.5.0.
About this installation
These instructions are intended to assist you when you install QRadar Incident Forensics 7.5.0 Update Package 8 by using an ISO file. These instructions inform you how to update your deployment to the latest version. For more information, see the QRadar Incident Forensics Installation Guide.
The QRadar Incident Forensics 7.5.0 Update Package 8 ISO (7.5.0-QRADAR-QIFFULL-20240302192142) can install QRadar Incident Forensics 7.5.0. However, this document does not cover all of the installation messages and requirements, such as changes to memory requirements or browser requirements for QRadar Incident Forensics.
Part 1. Installing the QRadar 7.5.0 ISO Update Package 8
These instructions guide you through the process of installing QRadar Incident Forensics 7.5.0 Update Package 8.
Important: You can use the verify signature tool to validate the integrity of your downloads from IBM Fix Central. For more information, see How to verify downloads from IBM Fix Central are trusted and code signed.
Procedure
- Download the QRadar Incident Forensics 7.5.0 Update Package 8 ISO (5.5 GB) from the IBM Fix Central website: https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=All&platform=All&function=fixId&fixids=7.5.0-QRADAR-QIFFULL-20240302192142&includeSupersedes=0&source=fc
- Use SSH to log in to the Console as the root user.
NOTE: When you log in, the SSH session should display 7.5.0 as the Console's version. This is verification that the QRadar Console has been updated to 7.5.0, which is required before you update your Incident Forensics appliance. - Open an SSH session to the QRadar Incident Forensics appliance.
- To run the ISO installer, type the following command: /media/dvd/setup
Important: Installing QRadar Incident Forensics 7.5.0 Update Package 8 can take 1 to 2 hours to complete on the appliance.
- Wait for the installation to complete.
A summary of the ISO installation advises you of any issues. If there are no issues, you can now SSH to managed hosts and start the installer on each host to run the setup in parallel.
Part 2. Installation wrap-up
- After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar Incident Forensics SIEM interface.
- To unmount the /media/dvd directory, type: umount /media/dvd
- Delete the ISO from the appliance.
- Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade completes.
- Review any iptable rules that are configured as the interface names have changed in QRadar Incident Forensics 7.5.0 Update Package 8 due to the Red Hat Enterprise 7 operating system updates. Update any iptables rules that use Red Hat 6 interface naming conventions.
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.5.0"}]
Was this topic helpful?
Document Information
Modified date:
24 June 2024
UID
ibm17116873