IBM Support

Release of the QRadar Incident Forensics 7.3.1 Patch 6 ISO (7.3.1.20180912181210)

Release Notes


Abstract

This technical note contains installation instructions, new features, and includes a resolved issues list for the release of QRadar Incident Forensics 7.3.1 Patch 6 (7.3.1.20180912181210) ISO. These instructions are intended for administrators who are upgrading from QRadar Incident Forensics 7.2.8 Patch 1 or later to QRadar Incident Forensics 7.3.1 Patch 6 using an ISO file.

Content

About this upgrade


These instructions are intended to assist administrators to update appliances from QRadar Incident Forensics 7.2.8 to 7.3.1 Patch 6 by using an ISO file. For more information, see the QRadar Incident Forensics Installation Guide .

QRadar Incident Forensics 7.3.1 Patch 6 uses an ISO file to update to the latest software version. A minimum of QRadar Incident Forensics 7.2.8 Patch 1 (or later) is required to be able to upgrade to QRadar Incident Forensics 7.3.1 Patch 6.

See QRadar: Software update check list for administrators for a list of steps to review before updating your QRadar deployment.

Administrator notes

Current QRadar Incident Forensics Version Upgrades to QRadar Incident Forensics 7.3.1 Patch 5?
QRadar Incident Forensics 7.2.6 (any patch level) or earlier No
QRadar Incident Forensics 7.2.7 (any patch level) No
QRadar Incident Forensics 7.2.8.0 No
QRadar Incident Forensics 7.2.8 Patch 1 or later Yes, use these release notes to complete this process.
QRadar Incident Forensics 7.3.0 (any patch version) See the QRadar 7.3.1 Patch 6 SFS Release Notes for more information. The QRadar SFS file can update an existing 7.3.0 Incident Forensics install to version 7.3.1 Patch 6.
QRadar Incident Forensics 7.3.1 See the QRadar 7.3.1 Patch 6 SFS Release Notes for more information. The QRadar SFS file can update an existing 7.3.1 Incident Forensics install to version 7.3.1 Patch 6.
  1. You must be on QRadar Incident Forensics 7.2.8 Patch 1 or later to upgrade to QRadar Incident Forensics 7.3.1 Patch 6.
  2. The upgrade from QRadar Incident Forensics 7.2.8 Patch 1 to QRadar Incident Forensics 7.3.1 Patch 6 will use an .ISO file. In the past, ISOs were for new appliance installations only, but QRadar Incident Forensics 7.3.1 Patch 6 is an exception to this rule because of the Red Hat kernel update requirements.
  3. Utilities or custom scripts that power users created for their QRadar Incident Forensics deployment should be copied off the system. During the 7.3.1 Patch 6 update, a warning is displayed that only data in /store will be preserved. After the appliance reboots, any scripts, 3rd party accounts, or utilities in /tmp, or /, or /root are deleted. This does not impact any ISO files that were initially mounted by using /root because this cleanup occurs later in the installation procedure.


image
Figure 1: If you have installed QRadar 7.2.8 or later, you are not required to install each ISO release to update to QRadar 7.3.1 Patch 6.

The QRadar Incident Forensics 7.3.1 Patch 6 ISO (20180912181210) can upgrade QRadar Incident Forensics 7.2.8 Patch 1 (7.2.8.20161207001258) and later to QRadar Incident Forensics 7.3.1 Patch 6. However, this document does not cover all the installation messages and requirements, such as changes to memory requirements or browser requirements for QRadar Incident Forensics. If you are on a version of QRadar Incident Forensics earlier than QRadar Incident Forensics 7.2.8 Patch 1, you can upgrade to QRadar Incident Forensics 7.2.8 Patch 10 before proceeding to install the QRadar Incident Forensics 7.3.1 Patch 6 ISO.

Before you upgrade


Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade and verify that you have recent configuration backups that match your existing Console version. If required, take an on demand configuration backup before you begin. For more information about backup and recovery, see the QRadar Administration Guide .
  • All appliances in the deployment must be at the same software and patch level in the deployment.
  • Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
  • A QRadar Incident Forensics 7.3.1 ISO is available to upgrade from QRadar Incident Forensics 7.2.8 Patch 1 or install a new appliance or virtual machine. To complete a new install, review the QRadar Incident Forensics Installation Guide .
  • To avoid access errors in your log file, close all open user interface sessions.
  • If you are unsure of the IP addresses or hostnames for the appliances in the deployment, run the utility /opt/QRadar/support/deployment_info.sh to get a .CSV file that contains a list of IP addresses for every managed host.
  • If you are unsure of how to proceed when reading these instructions or the documentation, it is best to ask before you start your upgrade. To ask a question in our forums, see: https://ibm.biz/qradarforums .

Part 1. Staging files and pretesting your appliance


It is important to pretest your deployment to ensure that you will not experience unexpected issues when you update to QRadar Incident Forensics 7.3.1 Patch 6. A pretest is a common precaution to locate potential issues. The pretest does not restart services and can be completed without scheduled downtime. The pretest typically takes between 3 to 5 minutes to complete on each appliance. If for some reason your SSH session is disconnected, you can reconnect to the remote host using screen.

Procedure
The pretest should be completed on all hosts before you attempt to upgrade to QRadar Incident Forensics 7.3.1 Patch 6.

  1. You must install the QRadar Console with 7.3.1 before you begin this procedure.
  2. Download the QRadar Incident Forensics 7.3.1 Patch 6 ISO (5.5 GB) from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Security+QRadar+Incident+Forensics&fixids=7.3.1-QRADAR-QIFFULL-20180912181210

  3. Use SSH to log in to your Console as the root user.
  4. Open an SSH session to the QRadar Incident Forensics appliance.
  5. Type the following command: screen
  6. To make the directory for the update, type: mkdir -p /media/dvd
  7. To verify you have enough space (5.5 GB) in /root or /var/log for the ISO on all appliances, type:
    df -h /root /var/log | tee diskchecks.txt
    • Best directory option: /root
      It is available on all appliance types, is the best option to host the ISO file.
    • 2nd best directory option: /var/log
      This directory is available on all appliances, but there might not be the required space available.
    • DO NOT USE: /tmp, /store/tmp, or /store/transient for your ISO upgrade. These directories are partitioned as part of the upgrade; you cannot use them as storage locations or mount points for the ISO file.

      If the disk check command fails, retype the quotation marks from your terminal, then re-run the command. This command returns the details to both the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 5.5 GB of space available in a directory to copy the ISO before attempting to move the file to a managed host. If required, free up disk space on any host that fails to have less that 5.5 GB available.

      Reminder: Any utilities or custom scripts that you have created for QRadar Incident Forensics should be copied off the system. During the 7.3.1 update, a warning is displayed that only data in /store will be preserved. Scripts, 3rd party utilities in /tmp, or /, or /root will be deleted during the upgrade.

  8. If there is not 5.5GB of space in /root or /var/log, make directory space for the ISO file.
  9. Using WinSCP or SCP, copy the ISO to the /root or /var/log directory on the QRadar Incident Forensics Console with 5.5 GB of disk space for the ISO file.
  10. To check for any previously mounted files in the /media/dvd directory, type the following command:
    df -h
  11. You must unmount any previously mounted files before you mount this software update file. To unmount any previously mounted files, type the following command:
    umount /media/dvd
  12. To mount the ISO, type the following command: mount -o loop /root/Rhe764forensics7_3_1_20180912181210.stable-7-3-1.iso /media/dvd
  13. To pretest the Console appliance, type: /media/dvd/setup -t
    The pretest output is written to the command window. Review this output after the pretest completes.
  14. Use SSH to open an SSH session to the other appliances in your deployment. QRadar Incident Forensics Support recommends that you run the pretest to identify issues before the update begins.
  15. To pretest the managed host, type: /media/dvd/setup -t

    Results
    If an appliance in your deployment fails the pretest, you can take the recommended action from the pretest utility. The issue must be resolved before the update to 7.3.1 begins to prevent downtime for specific appliances. If there are messages you do not understand or want to discuss further, you can use our forums: https://ibm.biz/qradarforums .

Part 2. Installing the QRadar Incident Forensics 7.3.1 Patch 6 ISO


These instructions guide you through the process of upgrading an existing QRadar Incident Forensics install at 7.2.8 Patch 1 or later to QRadar Incident Forensics software version 7.3.1 Patch 6. The update on the Console must be completed first before you attempt to update QRadar Incident Forensics 7.3.1 Patch 6.

Procedure
You must complete: Staging files and pretesting your deployment before you begin the installation steps listed below.

  1. Use SSH to log in to the Console as the root user.

    NOTE: When you log in, the SSH session should display 7.3.1 as the Console's version. This verifies that the QRadar Console has been updated to 7.3.1, which is required before you update your Incident Forensics appliance.
  2. Open an SSH session to the QRadar Incident Forensics appliance.
  3. To run the ISO installer, type the following command: /media/dvd/setup

    Important: Upgrading from QRadar Incident Forensics 7.2.8 Patch 1 or later to QRadar Incident Forensics 7.3.1 Patch 6 can take 1 to 2 hours to complete on the appliance.


Results
A summary of the ISO installation advises you of any issues. If there are no issues, use SSH to log in to managed hosts and start the installer on each host to run the setup in parallel.

Note: In QRadar 7.3.1 Patch 6, a kernel update is introduced to address issues with appliances failing to log in or list unit files. These issues could prevent the appliance from rebooting. This new kernel does not take effect until the appliance is rebooted. You might need to reboot your system manually for the kernel update to take effect.

To work around this issue, do one of the following:

  •  If you are able to use SSH, type the following command: systemctl --force --force reboot
  •  If you are not able to use SSH, you must perform a cold reboot of the appliance. To do this, physically reboot the appliance or use Integrated Management Module (IMM)

Part 3. Installation wrap-up

  1. After all hosts are updated, send an email to your team to clear their browser cache before logging in to the QRadar Incident Forensics SIEM interface.
  2. To unmount the /media/dvd directory, type: umount /media/dvd
  3. Delete the ISO from the appliance.
  4. Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade completes.
  5. Review any iptable rules configured because the interface names changed in QRadar Incident Forensics 7.3.1 Patch 1 due to the Red Hat Enterprise 7 operating system updates. Any iptables rules that use Red Hat 6 interface naming conventions must be updated.

Resolved issues for QRadar Incident Forensics 7.3.1 Patch 6


Some APAR links in the table below might take 24 hours to display properly after a software release is posted to IBM Fix Central.

Resolved issues in QRadar 7.3.1 Patch 6
Product Component Number Description
QRADAR DATA IJ07162 CONFIGURED DATA RETENTION DELETE SETTINGS ARE NOT HONORED FOR MULTI-TENANCY
QRADAR USER INTERFACE IJ05649 'DEPLOY CHANGES' CAN SOMETIMES CAUSE A DROP IN CONNECTION BETWEEN ECS-EC AND ECS-EP LEADING TO EVENTS BEING DROPPED
QRADAR RULES IV98895 RULE RESPONSE LIMITER FOR ANOMALY (THRESHOLD) RULES IS NOT FUNCTIONING AS EXPECTED
QRADAR UPGRADES IJ09572 PATCH/UPGRADE TO QRADAR 7.3.1 PATCH 6 CAN HANG FOR AN EXTENDED PERIOD OF TIME (HOURS) WITH "VULN_MAP_ASSET_MV DOES NOT EXIST"
QRADAR DOMAINS IJ07713 QRADAR DOES NOT ALLOW ALL TOP LEVEL DOMAINS IN EMAIL ADDRESS DATA VALIDATION, CAN RETURN 'EMAIL ADDRESS IS NOT VALID'
QRADAR USER INTERFACE IJ06980 DASHBOARDS AND/OR QUICK SEARCHES CAN DISAPPEAR AFTER MODIFICATIONS HAVE BEEN MADE TO USER SETTINGS
QRADAR SEARCHES IV54692 EVENT SEARCHES THAT FILTER BY THE EVENT PROCESSOR MIGHT DISPLAY UNEXPECTED GRAPH RESULTS
QRADAR REPORTS IJ07276 RTF FORMATTED REPORTS CAN FAIL TO GENERATE WITH A NULLPOINTEREXCEPTION DISPLAYED IN THE LOGS
QRADAR SEARCHES IJ07123 INCONSISTENT RESULTS FOR ASSET SEARCHES 'ASSETS WITH OPEN SERVICE = DNS' VS 'ASSETS WITH OPEN SERVICE = DOMAIN'
QRADAR REPORTS IJ06862 REPORT RUNNER OUT OF MEMORY CAN OCCUR WHILE ATTEMPTING TO GENERATE VERY LARGE TABLE CHART PDF REPORTS
QRADAR SEARCHES IJ06807 MODIFYING THE START TIME FOR A LOG ACTIVITY SEARCH CAUSES A BLANK UI WINDOW FOR SOME QRADAR USER LOCALES
QRADAR ASSETS IJ05767 WHEN AN ASSET'S 'GIVEN NAME' IS SET ON THE 'EDIT ASSET PROFILE' WINDOW, IT CAN NO LONGER BE EDITED SUCCESSFULLY
QRADAR ASSETS IJ05756 WHEN AN ASSET HAS A 'GIVEN NAME' ASSIGNED, ANY SUBSEQUENT ASSET NAME CHANGES DO NOT OCCUR IN 'EDIT ASSET PROFILE' WINDOW
QRADAR SEARCHES IJ00800 "HTTP ERROR 400" ERROR WHEN DRILLING DOWN INTO SEARCH RESULTS USING INTERNET EXPLORER 11 AND EDGE WEB BROWSER
QRADAR OFFENSES IV90797 DISPLAYING OFFENSE COUNT BY CATEGORY AND/OR NETWORK DOES NOT RESPECT USER ACCOUNT DOMAIN CONFIGURATION
QRADAR EVENTS IJ07456 EVENT DATA FROM SPILLOVER QUEUE CAN SOMETIMES FAIL TO PARSE WHEN PROCESSED BY THE REGULAR QRADAR PIPELINE
QRADAR HOSTS IJ07127 QRADAR HOSTS CAN TAKE A LONGER THAN EXPECTED TIME TO RECONNECT AFTER A VPN CONNECTION RESET OR INTERRUPTION HAS OCCURRED
QRADAR QUERIES IJ06633 SNMPD DAEMON CRASH OCCURS WHEN PERFORMING A WIDE QUERY
QRADAR DATA IJ02816 APPLICATION DATA CONTINUES TO BE SENT TO THE ASSET MODEL AFTER DISABLING 'CLIENT APPLICATION PROFILING'
QRADAR DASHBOARD IJ05151 DASHBOARD WIDGETS AND REPORTS CAN BE EMPTY AFTER A COMPLETED UPGRADE FROM 7.2.8P1+ TO 7.3.0+ OR 7.3.1+
QRADAR DATA IJ03225 DATA BACKUPS CAN TAKE LONGER THAN EXPECTED OR FAIL TO COMPLETE
QRADAR EVENTS IJ02598 MISSING THE FILE /STORE/PERSISTENT_QUEUE/ECS-EC.ECS-EC CAUSES EVENT PROCESSING/STORAGE TO FAIL
QRADAR INCIDENT FORENSICS SERVICES IJ07138 PACKET CAPTURE FAILS DUE TO NAPATECH3 SERVICE FAILING TO START
QRADAR FLOWS IJ08089 QFLOW PROCESS CAN FAIL ON A MANAGED HOST WHILE APPENDING MESSAGE TEXT SEQUENCE NUMBERS WHEN RECEIVING NETFLOW
QRADAR RULES IJ04902 GEOGRAPHIC RULE TESTS CONTAINING COUNTRIES WITH SPACES IN THEIR NAMES (MULTIPLE WORDS) ARE NOT BEING MATCHED
QRADAR USER INTERFACE IJ04174 APPS TABS CAN BE SLOW TO LOAD AND/OR OR FAIL TO LOAD IN THE USER INTERFACE DUE TO DOCKER FREE SPACE PROVISIONING
QRADAR NETWORK INSIGHTS LOG SOURCES IV87195 SOME QRADAR CONFIGURATIONS CONTAINING A LARGE NUMBER OF LOG SOURCES CAN SOMETIMES EXPERIENCE PERFORMANCE DEGRADATION
QRADAR DATA IJ06757 IMPORTED REFERENCE DATA DOES NOT EXPIRE AT ITS TIME TO LIVE WHEN THE REFERENCE DATA STRUCTURE IS IMPORTED USING CMT
QRADAR DATABASE IJ04182 CONTENT MANAGEMENT TOOL CAN FAIL DURING THE IMPORT OF CUSTOM_ACTION TABLES
QRADAR UPGRADES IV99773 QRADAR DEPLOY FUNCTION REQUIRED AFTER UPGRADE CAN FAIL IF THERE IS NOT ENOUGH FREE SPACE IN /TMP
QRADAR UPGRADES IJ07254 BUILD OR REBUILD OF A DISCONNECTED HIGH AVAILABILITY (HA) SECONDARY APPLIANCE (500) FROM QRADAR 7.2.8P1 TO 7.3.1 CAN FAIL
QRADAR LOGS IJ06866 LOG ROTATE NEEDS TO RUN MORE FREQUENTLY
QRADAR QUERIES IJ06633 SNMPD DAEMON CRASH OCCURS WHEN PERFORMING A WIDE QUERY
QRADAR APPLIANCES IJ06268 DBUS COMPONENT OF SYSTEMD CAN SOMETIMES ENTER A HUNG STATE CAUSING SOME RHEL COMMANDS TO FAIL TO RUN AS EXPECTED
QRADAR UPGRADES IJ06082 QRADAR UPGRADE TO 7.3.1.X CAN FAIL DURING THE INSTALLATION PROCESSES INCLUDED WITHIN "34-POSTGRESQL-UPGRADE.SH"
QRADAR SEARCHES IJ06148 'THERE WAS AN ERROR DOWNLOADING THIS ITEM' MESSAGE WHEN USING AN AQL SEARCH WITH TABLE, BAR, OR PIE CHARTS FOR A DASHBOARD
QRADAR APPLIANCES IJ02752 RUNNING THE QFLOW_DTLS_CERT_SETUP.PY AS PART OF A QNI APPLIANCE SETUP CAN FAIL
QRADAR RISK MANAGER BACKUP IJ06480 QRADAR UPGRADE TO 7.3.0.X CAN FAIL "...GENERATE_ENVIRONMENT.SH: OPTION REQUIRES AN ARGUMENT -- N"
QRADAR RISK MANAGER SIMULATIONS IJ06008 QRADAR RISK MANAGER SIMULATION CAN FAIL WITH 'NO RESULTS' IN THE SIMULATIONS SCREEN
QRADAR SEARCHES IJ06914 LEFT AND RIGHT KEYBOARD ARROW KEYS DO NOT RESPOND APPROPRIATELY WHILE BEING USED WITHIN SOME QRADAR SEARCH FIELDS
QRADAR VULNERABILITY MANAGER DEVICES IJ03313 'APPLICATION ERROR' WHEN PERFORMING A NORMALIZED DEVICE COMPARISON FOR A PALO ALTO DEVICE
QRADAR VULNERABILITY MANAGER LICENSES IJ01180 VULNERABILITY MANAGER 'TRY IT OUT' ICON IS STILL PRESENT AFTER APPLYING A PROPER VULNERABILITY MANAGER LICENSE
QRADAR OFFENSES IV90797 DISPLAYING OFFENSE COUNT BY CATEGORY AND/OR NETWORK DOES NOT RESPECT USER ACCOUNT DOMAIN CONFIGURATION
QRADAR EVENTS IJ07174 "(1026) INVALID DATA" WHEN ADDING COMMA SEPARATED IP ADDRESSES TO AN EVENT RULE
QRADAR OFFENSES IJ06833 OFFENSES CAN HAVE AN INCORRECT START TIME THAT IS PRIOR TO THE OFFENSE CREATION TIME WHEN USING "MATCH COUNT" RULES
QRADAR EVENTS IJ05592 NETWORK NAME AND EVENT 'DIRECTION' CAN BE DISPLAYED INCORRECTLY WHEN EVENTS CONTAIN IPV6 ADDRESSES
QRADAR USER INTERFACE IJ04928 HOVERING OVER AN IP ADDRESS DOES NOT SHOW THE NETWORK NAME IF THE COUNTRY FIELD IS NOT POPULATED IN NETWORK HIERARCHY
QRADAR OFFENSES IJ08032 QRADAR USERS WITHOUT THE 'MANAGE OFFENSE CLOSING' USER ROLE OPTION SELECTED CAN CLOSE OFFENSES
QRADAR AUTHENTICATION IJ07975 LDAP LOGIN CAN FAIL FOR USERS WITH INTERNAL OR OPERATIONAL ATTRIBUTES
QRADAR SERVICES IJ08436 PROCESS RUNNING OUT OF MEMORY DOES NOT CREATE SYSTEM.DMP FILE
QRADAR SEARCHES IJ08828 NON-ADMIN USERS ARE UNABLE TO USE SEARCH FILTER 'LOG SOURCE GROUP', THE LIST DOES NOT LOAD
QRADAR RULES IJ08845 /VAR/LOG/ FILLING WITH 'COM.Q1LABS.CORE.AQL.XFORCEFUNCTIONS: [ERROR]' MESSAGES


Where do I find more information?

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUK44","label":"IBM Security QRadar Incident Forensics"},"Component":"Release Notes","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.1","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 January 2019

UID

ibm10729561

Page Feedback