IBM Support

Release of QRadar 7.2 MR1 Patch 2 (7.2.1.734536)

Release Notes


Abstract

A list of the installation instructions and fixes for IBM Security QRadar 7.2 MR1 Patch 2 (7.2.1.734536).

Content

If your deployment is installed with QRadar 7.1 MR2 or later, you can install fix pack 7.2.1-QRADAR-QRSIEM-734536.

Note: The 7.2.1-QRADAR-QRSIEM-734536 fix pack can upgrade QRadar 7.1 MR2 and above to the latest software version. However, this document does not cover all of the installation messages and requirements. For information on upgrading from QRadar 7.1 MR2 to QRadar 7.2, see http://www.ibm.com/support/docview.wss?uid=swg27038439.


Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances.
  • The patch cannot install on appliances that have changes that are not deployed.

About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


Procedure

    1. Download the fix pack 7.2.1-QRADAR-QRSIEM-734536 from the IBM Fix Central website: https://ibm.biz/BdR2t7 (IBM shortened link to download this fix pack)
    2. Using SSH, log in to your system as the root user.
    3. Copy the fix pack to the /tmp directory on the QRadar Console.
      Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
    4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
    5. Change to the directory where you copied the patch file. For example, cd /tmp
    6. To mount the patch file to the /media/updates directory, type the following command:
      mount -o loop -t squashfs 721_QRadar_patchupdate-7.2.1.734536.sfs /media/updates/
    7. To run the patch installer, type the following command:
      /media/updates/installer
      The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
    8. Using the patch installer, select all.
      The all option updates the software on all systems in your deployment. In HA deployments, primary HA appliances are patched and replicate the patch update to the secondary HA appliance.

      If you do not select the all option, you must copy the fix pack to each appliance in your deployment and install it on each one. If you manually install fix packs in your deployment, you must update your appliances in the following order:

      1. Console
      2. Event Processors
      3. Event Collectors
      4. Flow Processors
      5. Flow Collectors

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.

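
The procedure above as a guarded script, added here as an example and not part of IBM's release notes: it refuses to mount the file unless it is a squashfs image whose SHA-256 matches a digest you supply. The digest check, the `EXPECTED_SHA256` placeholder and the function names are assumptions of this example; the mkdir, mount and installer commands are the ones from steps 4 to 7.

```sh
#!/bin/sh
# Added example: pre-flight checks before mounting a QRadar fix pack.
# EXPECTED_SHA256 is a placeholder; set it to a digest from a trusted source.
SFS="${SFS:-/tmp/721_QRadar_patchupdate-7.2.1.734536.sfs}"
MNT="${MNT:-/media/updates}"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_TRUSTED_SHA256}"

# A squashfs 4.x image begins with the bytes "hsqs" (hex 68 73 71 73).
is_squashfs() {
    [ -f "$1" ] || return 1
    magic=$(od -An -t x1 -N 4 "$1" | tr -d ' \n')
    [ "$magic" = "68737173" ]
}

# Compare the file's SHA-256 with an expected hex digest, ignoring case.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# Return 0 if the file is safe to mount, 2 on wrong format, 3 on digest mismatch.
preflight() {
    is_squashfs "$1" || { echo "not a squashfs image: $1" >&2; return 2; }
    sha256_matches "$1" "$2" || { echo "SHA-256 mismatch: $1" >&2; return 3; }
    return 0
}

# Steps 4 to 7 of the procedure, run only after the checks pass.
install_fixpack() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    preflight "$SFS" "$EXPECTED_SHA256" || return $?
    mkdir -p "$MNT"
    if mountpoint -q "$MNT"; then
        echo "$MNT is already a mount point; unmount it first" >&2
        return 4
    fi
    mount -o loop -t squashfs "$SFS" "$MNT" && "$MNT/installer"
}

# Nothing is mounted or installed unless the script is called with --install.
if [ "${1:-}" = "--install" ]; then
    install_fixpack
fi
```
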
Results

A summary of the fix pack installation advises you of any managed hosts that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.


Issues resolved in QRadar 7.2 MR1 Patch 2 (7.2.1.734536)

Number
Description
DEFAULT SEARCHES DO NOT SHOW UP IN QUICK SEARCHES OR DASHBOARDS FOR NEW NON-ADMIN USERS
THE ASSET PROFILER MAY STORE IP ADDRESSES IN THE NETBIOS FIELD
AFTER AN UPGRADE TO QRADAR 7.2 MR1, THE SECONDARY HA HOST MIGHT TRANSITION TO THE ACTIVE SYSTEM WHEN THE PRIMARY REBOOTS.
AN APPLICATION ERROR CAN OCCUR WHEN A LOG SOURCE LIST IS FILTERED BY MODIFICATION DATE OR CREATION DATE.
DEPLOY CHANGES FAILS TO COMPLETE AND CONTINUALLY PROMPTS THE ADMINISTRATOR THAT THERE ARE UNDEPLOYED CHANGES.
LOG SOURCES THAT WERE MODIFIED AFTER BEING BULK ADDED IN THE USER INTERFACE MIGHT DISPLAY A DUPLICATE KEY ERROR.
A REPORT MIGHT FAIL TO GENERATE FROM RAW DATA WHEN THE DATABASE QUERY REQUIRES MORE THAN 20 MINUTES TO COMPLETE.
QRADAR MIGHT STOP PROCESSING EVENTS WHEN A REMOTE PROCEDURE CALL (RPC) ERROR IS GENERATED WITH "TOO MANY OPEN FILES".
CLOSING AN OFFENSE FROM THE OFFENSE SUMMARY WINDOW MIGHT CAUSE THE USER INTERFACE TO DISPLAY IMPROPERLY AND GENERATE AN ERROR.
AFTER AN UPGRADE TO QRADAR 7.2 MR1 PATCH 1, THE ARIEL DATABASE DOES NOT START AS EXPECTED.
AN APPLICATION ERROR MIGHT DISPLAY WHEN A RULE USES THE RULE TEST: "WHEN THE EVENT MATCHES THIS SEARCH FILTER."
NEW VULNERABILITY DATA MAY BECOME UNAVAILABLE DUE TO AN EXCEPTION IN THE ASSET PROFILER.
AFTER AN UPGRADE, EPS & FPS GRAPHS MIGHT NOT DISPLAY CONTENT FROM MANAGED HOSTS WITH ENCRYPTION ENABLED.

For specific questions or concerns about updating your system, contact IBM support or post a question in our QRadar developerWorks forum: https://ibm.biz/BdR2kC


Document Information

Modified date:
10 May 2019

UID

swg27041201