IBM Support

QRadar: Replacing a Console appliance in a deployment using a new IP address or hostname

Troubleshooting


Problem

This technical note describes the process for migrating data from an older QRadar Console to a new Console appliance that uses a new IP address or hostname. All managed host appliances in the deployment stay as-is. This instruction is intended for non-HA appliances.

Environment

QRadar deployments where administrators are replacing a Console with new hardware while keeping managed hosts as-is. The new Console uses a new IP address.

Resolving The Problem

The process

The procedure outline is intended to get the Console appliance replaced in the network quickly with minimum downtime. The new Console in the deployment has a new IP address or hostname that is different from the old Console hardware. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline. There is no need for the administrator to remove managed hosts from the old Console, because this procedure allows the new Console to take over any existing hosts in the deployment.

Overview / check list

Before you begin
Step 1: Preparing your old Console appliance
Step 2: Preparing your new Console hardware
Step 3: Restoring the configuration backup to the new Console appliance
Step 4: Restart iptables
Step 5: Moving certificates and any custom generated private/public key pairs 
Step 6: How to transfer event and flow data to the new hardware
Step 7: Migration complete


Note: Other hardware migration scenarios for QRadar appliances are outlined on the following page: https://www.ibm.com/support/pages/node/248061.

Before you begin

  • Write down the network information for the old Console appliance that you do not plan to change, because the administrator needs to type that information manually into the network configuration for the new appliance.
  • The administrator must have a recent configuration backup from the old Console appliance. The configuration backup is used to restore settings, users, rules, log sources, and more to the new Console.
  • The software version of the new Console appliance must match the software version of the old Console appliance. QRadar does not allow appliances at different software versions in the deployment. Administrators might be required to reinstall an ISO for the appliance to downgrade or use a Fix Pack (SFS) to upgrade on the new appliance. The paperwork that came with your appliance lists the installed software version.

Note: New Console installations have a 35-day temporary license. Once the temporary license expires, you lose access to the QRadar user interface (UI) and cannot initiate the configuration restore. If your temporary license expires before you migrate, you can upload your purchased Console license key (if you have a copy) to regain access to the UI, or you might need to reinstall the new Console. Although there is no way to export the license keys from your current production system, the license key is migrated after a full configuration restore has been applied (Step 3).

Important: App data is separated from the configuration backup and restore. To back up and restore app data, see Backing up and restoring app data.


Step 1: Preparing your old Console appliance

During this step, the administrator needs to verify that they have a recent configuration backup file from the old Console. If a recent configuration backup does not exist, administrators can use the following procedure to create an On Demand Backup. By default, configuration backups are stored in /store/backup on the QRadar Console, and a recent backup should be copied to a safe location, such as the administrator's workstation.

Important: Configuration backups can be restored only to the same version of QRadar that they were created with. If the administrator plans to change the overall QRadar version in the deployment, make sure you create a new configuration backup after any software change. Keep these files in a safe place for your hardware migration. Moving from a smaller Console to a larger or newer appliance is supported by the migration / backup process. For example, a 3105 Console's configuration backup can be applied to a 3128 or a 3148 appliance.

Notice: Administrators migrating appliances on 7.4.3 versions should review the following issue before you begin a hardware migration. IJ37604: FAILURE TO DECRYPT A CONFIG RESTORE IN 7.4.3 FIX PACK 4 CAN CAUSE USER INTERFACE ISSUES.


Procedure
  1. Log in to the old Console appliance.
  2. Click the Admin tab.
  3. Click Backup and Recovery.
  4. From the navigation menu, click On Demand Backup.
  5. Type a name and a description for the new configuration backup.
  6. Click Run Backup.
  7. Wait for the configuration backup to complete.
  8. Click the name of the On Demand Backup to download the file.
  9. Copy the configuration backup off the old QRadar Console to a safe location.
  10. Using SSH, log in to the QRadar Console as the root user.
  11. To stop iptables on all hosts, type the following command:
    /opt/qradar/support/all_servers.sh "service iptables stop"

    Results
    A configuration backup file is created for the new Console to use. This file is required later on in the procedure to restore users, rules, log sources, offenses, reports, admin configurations, and other system settings to the new hardware.


Step 2: Preparing your new hardware

During this step, the administrator needs to first verify the software version from the deployment. If required, complete a QRadar installation on the new hardware.

Procedure
  1. Rack the appliance.
  2. Connect network connections.
  3. Determine the QRadar version that was installed at the factory. To verify the version:
    1. Power ON the appliance and log in as root.
    2. When the system displays the license agreement (EULA), press and hold the Ctrl + c keys. This returns you to a command prompt.
    3. To view the installed software version, type: 
      /opt/qradar/bin/myver
    4. If the new hardware's software version is older than the software running in production, log out, then log in again as root and complete the installation. After the installation completes, download the proper Fix Pack to bring the Console to the same version as the deployment.
    5. If the new hardware's software version is newer than the software running in production, you can either upgrade your production system to match the new appliance or install an older release of QRadar from IBM's Fix Central site. If you decide to reinstall the new system with an older release, complete that first, then begin this procedure again.

      Note: For a list of software versions, see: QRadar Forums, Software Version List.
  4. Reboot the system.
  5. Select the desired appliance type.
  6. Follow the installation wizard to complete the installation.
  7. Type a new IP address or hostname and network information from the old Console when you configure the new hardware.
  8. Type a root password for the appliance.
  9. If required by the version check in step 3, upgrade the new hardware to the same patch level as the old Console appliance.

    Results
    You are now ready to prepare files on your old Console and ensure you have a configuration backup.

Step 3: Restoring the configuration backup to the new Console appliance

The configuration backup from the old Console can now be applied to the new hardware.
 
Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab and select the Backup and Recovery icon.
  3. Click the Browse icon, at the bottom of the window, and then select the configuration backup from the location it was saved.
  4. Click the Upload icon, and wait for the upload to complete. This might take some time.
  5. Select the configuration backup you uploaded and click Restore.
  6. From the restore options list, select the Select All Configuration Items check box.
  7. From the restore options list, select the Select All Data Items check box.
  8. Click Restore to start the configuration restore process.
  9. Click Ok.
  10. Using SSH, log in to the old Console and stop all QRadar services.
    1. For QRadar 7.3, 7.4, or 7.5 versions, type:
      systemctl stop hostcontext
      systemctl stop tomcat
      systemctl stop hostservices
    2. For legacy QRadar versions, such as 7.2.x or earlier, type:
      service hostcontext stop
      service tomcat stop
      service hostservices stop
  11. Log back into the new QRadar Console as an administrator.
  12. You need to restart the hostcontext service on all managed hosts. Using SSH, from the console, run the following command:
    /opt/qradar/support/all_servers.sh "service hostcontext restart"
  13. From the Admin tab, select Advanced > Deploy Full Configuration.
  14. Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.

    Results
    After the host is added back to the QRadar deployment, the deploy process will ensure that required configuration is regenerated on the new appliance. The administrator can verify that log source data is being pulled and that flow data is being received by the new hardware. Any log sources that are not collecting data might require certificates to be moved to the new host.


Step 4: Restart iptables

After the backup configuration is restored on the new hardware, administrators can restart iptables on all QRadar appliances.

Procedure
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To start iptables on all hosts, type the following command:
    /opt/qradar/support/all_servers.sh "service iptables restart"


Step 5: Moving certificates and custom-generated private/public key pairs (as required)

Administrators can use either rsync or SCP to complete the data transfer. The commands listed might require the root user to accept SSH host keys and provide the root password for the target server. Depending on how much data needs to be transferred, this might be a lengthy process, so plan accordingly.


Optional configurations
  • Appliances can use cross-over cables if the appliances are located in the same data center to expedite the transfer of events and flows information.
  • Appliances on a slower network connection can expand on the rsync examples to limit the transfer rate between appliances.
  • Appliances that manage scanners and log sources that authenticate should copy the certificates from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources.  Custom-generated private keys also need to be migrated by transferring /etc/ssh and /root/.ssh directories.

Procedure
  1. Log in to the old QRadar Console as the root user.
  2. To copy the data from the old hardware to the new appliance (targetserver), use either the rsync or the scp commands. Note the destinations: with a trailing slash on the source, rsync copies the contents of the directory into the destination path, so the destination must name the same directory on the new appliance; scp -r instead creates the source directory inside an existing destination directory, so its destination is the parent directory.

    For certificates:
    rsync -avz /opt/qradar/conf/trusted_certificates/ root@targetserver:/opt/qradar/conf/trusted_certificates/
    rsync -avz /opt/qradar/conf/syslog-tls.keystore root@targetserver:/opt/qradar/conf/syslog-tls.keystore
    scp -pr /opt/qradar/conf/trusted_certificates root@targetserver:/opt/qradar/conf
    scp -p /opt/qradar/conf/syslog-tls.keystore root@targetserver:/opt/qradar/conf
    For SSH keys:
    rsync -avz /etc/ssh/ root@targetserver:/etc/ssh/
    rsync -avz /root/.ssh/ root@targetserver:/root/.ssh/
    scp -pr /etc/ssh root@targetserver:/etc
    scp -pr /root/.ssh root@targetserver:/root
  3. Wait for the transfer to complete.
  4. If the administrator is using custom SSL certificates, they should copy the certificate or intermediate certificate from the old Console's /etc/httpd/conf/certs directory.
  5. On the new Console, install the SSL certificate by running /opt/qradar/bin/install_ssl_cert.sh -i and following the on-screen instructions.
    Important: If the Console on your new appliance has a different certificate authority (CA) certificate than the Console on your old appliance, place the CA certificate from your old appliance in the directory /etc/pki/ca-trust/source/anchors on the new Console and run the command:
    update-ca-trust
    Results
    The required certificate and SSH key files are transferred to the new Console. The administrator is now ready for the final step, which is to migrate event and flow data off the old appliance.
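The transfer and the follow-up check described in this step, as an added helper that is not part of the IBM note: it writes each rsync command with the destination spelled out in full (so a trailing slash on the source cannot spill a directory's contents into its parent on the new Console), optionally caps the transfer rate for the slow-network case, and compares file checksums on both sides afterwards. The host name targetserver and the --bwlimit value are assumed placeholders.

```bash
#!/bin/bash
# Added helper for Step 5 (example code, not part of the IBM note).
# targetserver and the --bwlimit value are placeholders you must replace.

# Print one rsync command. The destination repeats the source path in full, so a
# source directory with a trailing slash ("/root/.ssh/") lands in /root/.ssh/ on
# the new Console instead of spilling its contents into /root. An optional
# third argument adds --bwlimit (KB/s) for appliances on a slow link.
build_rsync_cmd() {
    src=$1 target=$2 bwlimit=${3:-0}
    limit=""
    if [ "$bwlimit" -gt 0 ]; then
        limit=" --bwlimit=$bwlimit"
    fi
    printf 'rsync -avz%s %s root@%s:%s\n' "$limit" "$src" "$target" "$src"
}

# Checksum every regular file under a directory, in a stable order, so two copies
# can be compared as text. With a non-empty $2 ("root@host") the same listing is
# produced on that host over SSH; otherwise it runs locally.
dir_digest() {
    dir=$1 remote=$2
    cmd="cd '$dir' && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum"
    if [ -n "$remote" ]; then
        ssh "$remote" "$cmd"
    else
        sh -c "$cmd"
    fi
}

# Compare a directory on the old Console with its copy (on the host given in $3,
# or at a local path when $3 is empty). Returns 0 only if every file matches,
# which is the check to run before trusting the transferred certificates and keys.
verify_copy() {
    [ "$(dir_digest "$1" "")" = "$(dir_digest "$2" "$3")" ]
}

# Usage on the old Console (placeholders), for example:
#   eval "$(build_rsync_cmd /opt/qradar/conf/trusted_certificates/ targetserver 5000)"
#   verify_copy /opt/qradar/conf/trusted_certificates /opt/qradar/conf/trusted_certificates root@targetserver
```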

Step 6: How to transfer event and flow data to the new hardware

The attached utility was designed by QRadar engineering to facilitate moving data from /store/ariel of an old appliance to a new appliance. Data is moved in one-month intervals to keep the performance impact at a minimum. This utility does not move certificates or configurations, only the data in /store/ariel/; however, it does leverage rsync, so SSH traffic must be allowed between the appliances to migrate the data. The administrator might be required to accept SSH host keys and provide the root password for the target server to start the transfer. Administrators should also be aware that if they do not transfer private keys between hosts as outlined in a previous step, they are prompted to type a password each time the syncAriel.sh utility

NOTE: The data transfer can be a lengthy process. Appliances can use cross-over cables if located in the same data center to expedite the transfer of event and flow information.



Procedure

  1. To copy data from the old Console to the new appliance, download the syncAriel.sh utility: syncAriel.sh
  2. Using SSH, log in to the old QRadar Console as the root user.
  3. Copy or SCP the file to the old Console, for example the /tmp directory.
  4. Navigate to the directory with the syncAriel utility and type: chmod +x syncAriel.sh.
  5. Type screen.
    NOTE: For data transfers, it is recommended that the administrator starts a screen session, so that the transfer survives a minor network outage and the session can be reattached. To detach the session so you can log out, press Ctrl+a and then d (or Ctrl+a, then Ctrl+d), and use screen -r to reattach to the screen session.
  6. To run the utility, type: sh syncAriel.sh -i <IP address>
    Where <IP address> is the new Console's IP address. For a list of other options, run the script without any parameters.
  7. Wait for the transfer to complete.
  8. Close the screen session.

    Results
    Data is migrated from /store/ariel of the old Console to the new Console appliance. Depending on how much data needs to be transferred, this can be a lengthy process, so plan accordingly.

    Disconnects / Troubleshooting
    If your connection dropped or a network outage occurred, administrators can run the syncAriel.sh utility again to migrate data. The syncAriel.sh utility keeps track of files that are rsync'd to the new appliance, and data that was already transferred is not copied a second time. Using screen helps you reconnect after minor network issues.

Step 7: Migration complete

The migration should now be complete. You might want to keep the old Console on hand for a few days to ensure that no other issues arise that require you to revert to the old appliance. Otherwise, after a week or two the old Console is no longer required and can be decommissioned or repurposed for non-QRadar uses.


Document Information

Modified date:
15 May 2023

UID

swg21984320