IBM Support

Release of QRadar 7.2.5 Patch 2 (7.2.5.20150605140117)

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security QRadar 7.2.5 (7.2.5.20150605140117).

Content

If your deployment is installed with QRadar 7.2.4 or later, you can install fix pack 7.2.5-QRADAR-QRSIEM-20150605140117.

Note: The 7.2.5-QRADAR-QRSIEM-20150605140117 fix pack can upgrade QRadar 7.2.4 and above to the latest software version. However, this document does not cover all of the installation messages and requirements. For information on upgrading from QRadar 7.2.4 to QRadar 7.2.5, see the QRadar Upgrade Guide.


Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


    Procedure
    1. Download the fix pack 7.2.5-QRADAR-QRSIEM-20150605140117 from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.5-QRADAR-QRSIEM-20150605140117&includeSupersedes=0&source=fc
    2. Using SSH, log in to your system as the root user.
    3. Copy the fix pack to the /tmp directory on the QRadar Console.
      Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
    4. Review the files in the /tmp directory for replication files that might be using up space unnecessarily, such as tx000XX.sql.
    5. If tx000xx.sql files are listed, type the following command to remove these files: rm tx*.sql
      Removing these files prevents a disk space issue from occurring in /tmp.
    6. To create the /media/updates directory, type the following command: mkdir -p /media/updates
    7. Change to the directory where you copied the patch file. For example, cd /tmp
    8. To mount the patch file to the /media/updates directory, type the following command: 
      mount -o loop -t squashfs 725_QRadar_patchupdate-7.2.5.20150605140117.sfs /media/updates
    9. To run the patch installer, type the following command: /media/updates/installer
      Note: The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
    10. Using the patch installer, select all.

      The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

      If you do not select the all option, you must copy the update to each appliance in your deployment and install the fix pack. If you manually install fix packs in your deployment, you must update your appliances in the following order:

      1. Console
      2. Event Processors
      3. Event Collectors
      4. Flow Processors
      5. Flow Collectors

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
    11. After the patch completes and you have exited the installer, type the following command: umount /media/updates
    12. Administrators and users should clear their browser cache before logging in to the Console.
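
A pre-flight sketch for steps 3 to 8 and for the manual patch order in step 10, added here as an example and not part of IBM's instructions. The function names, return codes and the "host type" inventory format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not IBM code. File name taken from step 8 of the procedure.
SFS_NAME="725_QRadar_patchupdate-7.2.5.20150605140117.sfs"

# preflight DIR
#   0 = DIR is ready for the mount in step 8
#   1 = replication files (tx*.sql) are still present (steps 4-5)
#   2 = the fix pack file is not in DIR (step 3)
preflight() {
    pf_dir=$1
    pf_rc=0
    if [ ! -f "$pf_dir/$SFS_NAME" ]; then
        echo "missing fix pack: $pf_dir/$SFS_NAME" >&2
        return 2
    fi
    for pf_file in "$pf_dir"/tx*.sql; do
        [ -e "$pf_file" ] || continue      # glob matched nothing
        echo "replication file present: $pf_file" >&2
        pf_rc=1
    done
    return "$pf_rc"
}

# patch_order: reads "hostname type" lines on stdin and prints the hostnames
# in the order required for manual installs: Console, Event Processors,
# Event Collectors, Flow Processors, Flow Collectors.
# The type labels below are assumed names for this sketch.
# Fails without output if any line carries an unknown type, so that no host
# is silently left out of the plan.
patch_order() {
    awk '
        BEGIN {
            n = split("console event_processor event_collector flow_processor flow_collector", order, " ")
            for (i = 1; i <= n; i++) rank[order[i]] = i
        }
        NF == 0 { next }
        !($2 in rank) { print "unknown appliance type: " $0 > "/dev/stderr"; bad = 1; next }
        { hosts[rank[$2]] = hosts[rank[$2]] $1 "\n" }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) printf "%s", hosts[i]
        }
    '
}
```

Run preflight /tmp (or the alternative staging directory) before the mount command, and pipe the deployment inventory through patch_order when the all option is not used.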


Results

A summary of the fix pack installation advises you of any managed hosts that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.

Resolved issues



Since QRadar 7.2.5 is a cumulative release, the release notes listed below include fixes assigned to 7.2.5 and the issues resolved in 7.2.5 Patch 2. Note: Some APAR links in the table below might take 24 hours to display properly after a software release.

IBM Security QRadar
The following issues were corrected in IBM Security QRadar V7.2.5 Patch 2
Product  Number   Description
QRADAR   IV73889  OFFENSE GENERATION UNEXPECTEDLY STOPS OCCURRING IN QRADAR
QRADAR   IV73895  'APPLICATION ERROR' POP UP WHEN OPENING AN OFFENSE
IBM Security QRadar
The following issues were corrected in IBM Security QRadar V7.2.5 Patch 1
Product  Number   Description
QRADAR   IV73672  THE QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO THE TOMCAT SERVICE RUNNING OUT OF MEMORY
IBM Security QRadar
The following issues were corrected in IBM Security QRadar V7.2.5.
Product  Number   Description
QRADAR   IV42471  WHEN CHANGING GLOBAL CONFIGURATION PASSWORD, IT MAY TAKE A LONG TIME TO COMPLETE.
QRADAR   IV43440  UNABLE TO FILTER ON CLOSED OFFENSES.
QRADAR   IV46111  RULE TEXT COUNTERS MIGHT RESET WHEN THE RULE TEST RELOADS.
QRADAR   IV46116  THE HIGH AVAILABILITY (HA) WIZARD FAILS TO ADD A HOST BECAUSE THE IP ADDRESS IS ALREADY DEFINED IN THE SERVER HOST TABLE.
QRADAR   IV46417  A HARMLESS ERROR MESSAGE MIGHT DISPLAY WHEN YOU APPLY A FIX PACK UPDATE TO YOUR QRADAR SYSTEM.
QRADAR   IV50522  EMAIL NOTIFICATIONS FAIL IF THE CONFIGURED EMAIL ADDRESS CONTAINS A HYPHEN "-".
QRADAR   IV50564  CHANGING FROM THE ALL USER ROLE TO THE ADMIN USER ROLE DOES NOT UPDATE THE EVENT OR FLOW LISTS DISPLAYED ON THE DASHBOARD TABLE.
QRADAR   IV50732  LIST OF EVENTS DOES NOT DISPLAY PROPERLY DUE TO HTML PARSING ERROR WHEN YOU USE THE MICROSOFT INTERNET EXPLORER 8 WEB BROWSER.
QRADAR   IV50740  PENDING AUTOMATIC UPDATES MIGHT INSTALL UNEXPECTEDLY WHEN YOU UPDATE A SCHEDULE ON THE UPDATES WINDOW.
QRADAR   IV51020  UNABLE TO CREATE A LOG SOURCE ONLY OR NETWORK ONLY SECURITY PROFILE WITHOUT BOTH LOG SOURCES AND NETWORKS SPECIFIED.
QRADAR   IV54327  SOURCE AND DESTINATION ASSET NAME COLUMNS DO NOT QUERY THE HOSTNAME COMPONENT OF THE ASSET PROFILE.
QRADAR   IV54471  MODIFYING A REPORT TEMPLATE MIGHT NOT ALLOW USERS TO CHANGE THE END DATE OF THE REPORT BEYOND SEPTEMBER 16, 2010.
QRADAR   IV54685  NETWORK I/O ISSUES ON A MANAGED HOST MIGHT GENERATE AN OUT-OF-MEMORY ISSUE ON THE CONSOLE.
QRADAR   IV54705  ARIELCLIENT CONTAINS ADDITIONAL LINE FEED AT THE END OF FILE.
QRADAR   IV55696  CANNED QUICK SEARCHES DO NOT SHOW IN MANAGE SEARCH RESULTS BUT CUSTOM QUICK SEARCHES DO.
QRADAR   IV56033  PERFORMING A SORT OF SEARCH RESULTS FOR AN IN-PROGRESS SEARCH GIVES ERROR 'THIS QUERY HAS TIMED OUT AND IS NO LONGER VALID.
QRADAR   IV56451  BULK ADD OF LOG SOURCES MAY GENERATE AN F5 ERROR ON THE UI.
QRADAR   IV57325  DATA ACCUMULATION AND UNIQUE COUNT MAY NOT BE DISPLAYED FOR THE ADMIN ON SEARCHES CREATED BY NON-ADMIN USERS.
QRADAR   IV58681  FILTERING ON A CUSTOM PROPERTY THAT CONTAINS THE SUBSTRING "ID:" RETURNS NO RESULTS.
QRADAR   IV59099  INCORRECT HOST.TOKEN CAUSES EXTERNAL AUTHENTICATION TO FIRE FOR "SEC" USER.
QRADAR   IV59873  ADDING CUSTOM EVENT PROPERTIES WITH CERTAIN SPECIAL CHARACTERS CAN CAUSE AN EXCEPTION WHEN FILTERING.
QRADAR   IV59990  LOG ACTIVITY SEARCH SHOWS WRONG DATE WHEN THE DASHBOARD GRAPHS HAVEN'T FULLY LOADED AND VIEW IS PRESSED IN LOG ACTIVITY.
QRADAR   IV60091  DHCPV6 FLOW TRAFFIC BEING PARSED WITH INCORRECT EVENT NAME AND LOW LEVEL CATEGORY.
QRADAR   IV60208  AFTER AN UPGRADE TO QRADAR 7.2.2 Patch 2, NEW LOG SOURCES DO NOT AUTOMATICALLY DISCOVER ON MANAGED HOSTS.
QRADAR   IV60574  ARIEL RIGHT CLICK API DOES NOT WORK ON ARIEL PROPERTIES.
QRADAR   IV61205  APPLICATION ERROR IN MANY PAGES FOR USER WITH $ IN USERNAME.
QRADAR   IV61910  SEARCHES THAT COMBINE HIGH AND LOW CATEGORY SEARCH VALUE FILTERS RETURN INCORRECT RESULTS.
QRADAR   IV62434  X-FORCE RULES TRIGGER EVEN WHEN TARGETING TRUSTED (NON-MALICIOUS) DOMAINS.
QRADAR   IV62512  UNABLE TO CHANGE LANGUAGE SETTINGS AS NON-ADMINISTRATOR USER.
QRADAR   IV63067  1705 APPLIANCES SHOW UP AS 1701 APPLIANCES IN THE SYSTEM AND LICENSE MANAGEMENT SCREEN OF THE UI.
QRADAR   IV63125  ADDING A SECONDARY TO A MANAGED HOST MAY FAIL DUE TO /STORE BEING BUSY ON THE SECONDARY.
QRADAR   IV63420  ASSETPROFILER ERRORS IN QRADAR.LOG THAT REFER TO MESSAGEMARSHALLERV2.
QRADAR   IV63466  THE 'EVENT PROCESSOR' SEARCH FILTER DOES NOT WORK WHEN SETUP IN RULES.
QRADAR   IV63939  SEARCHES AND/OR REPORTS THAT CONTAIN THE COLUMN 'SOURCE ASSET NAME' AND ARE GROUPED BY SOURCE IP WILL RETURN 'NONE'.
QRADAR   IV64549  IPFIX AND NETFLOW V9 ONLY READS 16-BIT AND NOT 32-BIT ASN NUMBERS.
QRADAR   IV64741  QRADAR SOFTWARE ONLY INSTALLATION ON CUSTOMER SUPPLIED HARDWARE WITH XX28 SPECIFICATIONS MAY FAIL DURING SETUP.
QRADAR   IV64777  REPORTS RETURN DIFFERENT DATA WHEN RUN AGAINST RAW DATA VERSUS A SCHEDULED/ACCUMULATED DATA REPORT.
QRADAR   IV65085  WHEN LOGGING INTO THE QRADAR USER INTERFACE, CERTAIN DASHBOARD ITEMS SHOW AN ERROR MESSAGE.
QRADAR   IV65502  RULES THAT USE 'INCLUDE DETECTED EVENT FROM THIS ATTACKER FROM THIS POINT FORWARD' ARE NOT ADDING NEW EVENTS TO THE OFFENSE.
QRADAR   IV65584  WHEN APPLYING A LOG SOURCE EXTENSION TO A LOG SOURCE TYPE, THE USER INTERFACE APPEARS TO NOT APPLY THE CHANGE SUCCESSFULLY.
QRADAR   IV65935  OFFENSE SEARCH 'SAVE CRITERIA' OPTION THAT CONTAINS A 'SOURCE NETWORK' FUNCTIONS CORRECTLY BUT DOES NOT DISPLAY PROPERLY.
QRADAR   IV66213  NEWLY CREATED QRADAR DASHBOARDS ARE ACCESSIBLE TO ALL USERS WITH THE SAME ASSIGNED USER ROLE.
QRADAR   IV66756  UNABLE TO LOAD THE 'LOG SOURCES' PAGE IN THE QRADAR UI AFTER PATCHING FROM 7.1.2.X TO 7.2.X.
QRADAR   IV67083  RULES ARE NO LONGER ASSOCIATED TO OFFENSES AFTER A SOFT CLEAN SIM IS PERFORMED.
QRADAR   IV67212  HOSTCONTEXT SERVICE DOES NOT AUTOMATICALLY RESTART AFTER DAYLIGHT SAVINGS TIME CHANGE.
QRADAR   IV67219  EMPTY PLUG-INS OPTION ON ADMIN TAB IN THE QRADAR USER INTERFACE.
QRADAR   IV67325  SNMP DAEMON IS NOT ENABLED ON HIGH AVAILABILITY SECONDARY.
QRADAR   IV67522  THE REMOVE ITEM OPTION FROM WITHIN A TIME SERIES GRAPH DOES NOT ALWAYS WORK AS EXPECTED IN CHROME WEB BROWSER.
QRADAR   IV67755  QRADAR DATA BACKUPS MIGHT FAIL TO RUN SUCCESSFULLY ON MANAGED HOSTS.
QRADAR   IV67807  THE ARIEL RIGHTCLICK.PROPERTIES API DROPS THE '\' OR '$' CHARACTERS IN EVENT PROPERTIES.
QRADAR   IV67847  FILTERED NETWORK ACTIVITY SEARCHES MAY RETURN UNEXPECTED RESULTS.
QRADAR   IV67939  SILENT INSTALLS DO NOT WORK IN 7.2.4.
QRADAR   IV68011  AN 'APPLICATION ERROR' POP UP WINDOW OCCURS WHEN CREATING A FLOW RULE THAT TESTS AGAINST REFERENCE TABLE DATA.
QRADAR   IV68343  APPLYING QRADAR PATCH .SFS FAILS ON HIGH AVAILABILITY SECONDARY.
QRADAR   IV68596  'AN ERROR HAS OCCURRED. REFRESH YOUR BROWSER...' MESSAGE WHEN ATTEMPTING TO DISABLE OR DELETE A RULE IN QRADAR.
QRADAR   IV68877  TIME ZONE DATA DISPLAYED WITHIN QRADAR IS NOT ACCURATE FOR SOME TIME ZONES.
QRADAR   IV69168  SAVED SEARCHES WITH SPECIAL CHARACTERS CAUSES DASHBOARDS TO DISAPPEAR.
QRADAR   IV69695  WHEN DASHBOARDS ARE ADDED TO USER ROLES, THOSE USERS WILL NO LONGER SEE THE DEFAULT DASHBOARDS.
QRADAR   IV69750  IDENTITY HOSTNAME IS BEING POPULATED BY USERNAME IN OFFENSE.
QRADAR   IV69817  QFLOW CRASHES IF PACKET SOURCE ADAPTOR IS DISABLED.
QRADAR   IV69895  UNABLE TO RESTORE CONFIG BACKUP FOR NON-ENGLISH UI.
QRADAR   IV70515  EVENTPROCESSOR FILTER IN ADVANCED QUERY AND RESTAPI QUERIES ALL EVENT PROCESSORS WHEN SPECIFYING A SPECIFIC EVENT PROCESSOR.
QRADAR   IV70522  'ERROR: NULL VALUE IN COLUMN' WHEN ADDING A NEW ADMIN USER ACCOUNT WITH EXTERNAL AUTH AND NO PASSWORD IS ENTERED.
QRADAR   IV70525  RESPONSE TIME WHEN CONFIGURING A LOG SOURCE IS VERY SLOW WHEN USING WITH CHROME.
QRADAR   IV70601  ARIEL ERROR WHEN FILTERING ON A SORTED, AGGREGATED COLUMN.
QRADAR   IV71009  DELETING REFERENCE SETS USED IN RULES FAILS, BUT DOESN'T WARN WHY.
QRADAR   IV71013  RE-EDITING REPORT DESCRIPTION SHOWS HTML </BR>.
QRADAR   IV71265  DASHBOARD LEGENDS BLEEDING HTML CODE IN TOOLTIP.
QRADAR   IV71266  DSM JAR FILES ARE NOT BEING PROPERLY RESTORED FROM A CONFIG BACKUP.
QRADAR   IV71980  'DOMAIN' DOES NOT WORK AS A SEARCH FILTER WHEN USING THE QRADAR ADVANCED SEARCH FUNCTIONS.
QRADAR   IV72129  'AN INVALID CURSOR WAS PROVIDED TO THE QUERY. PLEASE TRY AGAIN' WHEN A LOG OR NETWORK ACTIVITY SEARCH IS PERFORMED.
QRADAR   IV72736  RESTAPI EVENTS ARE DISPLAYING AS 'UNKNOWN' EVENTS.
QRADAR   IV72903  SYSTEM NOTIFICATION ERROR 'OUT OF MEMORY DISCOVERED FOR HOSTCONTEXT' DURING BACKUP PROCESS.
QRADAR   IV72934  NULLPOINTEREXCEPTION IN QRADAR LOG FILES CAUSED BY AN INVALID REGULAR EXPRESSION (REGEX) IN A RULE SEARCH FILTER TEST.
QRADAR   IV73043  THE /STORE/TRANSIENT PARTITION DOES NOT GET RE-MOUNTED AFTER PERFORMING A FACTORY RE-INSTALL USING THE 7.2.4 ISO.
QRM      IV69656  QRM MULTILINE LOG MESSAGE PRODUCES EXCESSIVE EVENTS IN QRADAR.
QVM      IV73452  SCHEDULED SCANS DO NOT APPEAR IN THE SCHEDULED SCANS CALENDAR.
QVM      IV70824  AUTOMATIC POST SCAN REPORTS ARE NOT BEING GENERATED.
QVM      IV67786  ERROR MESSAGE RETURNED WHEN ATTEMPTING TO UPLOAD A QVM LICENSE.



Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support:


Document Information

Modified date:
10 May 2019

UID

swg27045959