Pinned topic 1st time HA Setup
- HA Issue.rar
- 425 KB
G.Bizeau 27000600FR1 Post
Re: 1st time HA Setup2013-04-23T18:41:17ZThis is the accepted answer. This is the accepted answer.
I have looked over your screen shots and I think I know where the issue is. Lets start with your external storage. It is not recommended to mount the entire /store partition to external storage. We recommend mount /store/ariel only. This is where the BULK of the storage space is needed by QRadar. Our PostgreSQL database is mounted in /store as well and need data access speeds of physical disks to function optimally.
/store being mounted externally is also a cause for concern in this particular case because a console cannot have an HA secondary without replication. In normal circumstances, when using external storage with HA you would disable replication as it is not required. Since this is a console and contains the primary database, we cannot disable replication.
Part of the HA setup does a FSCK (File System ChecK) and re-sizes the primary storage to be slightly smaller then the secondary storage. With your external storage mounted, it cannot accomplish this step. In order to do this, we need to stop all services, including the web interface to take everything that might have a file system lock on /store. This is why you are loosing the web interface, The reason it never comes back is that the partition will never be re-sized or checked since it's external. One of your error screens shows this as we try to do a FSCK then error out.
The 16TB limit is a Linux thing, nothing to do with our product. If you have more space not being used on your external storage, I suggest also mounting /store/backup as a second external mount as well. But please do this before the HA setup.
I would suggest the following as a proper config.
* Mount your external storage to /store/ariel instead of /store; Also you can mount /store/backup externally if required as I mentioned above.
* Continue your HA setup as normal, the rest of /store will be replicated as needed, it will skip /store/ariel for replication as it will see it's mounted externally. There is no need to mount the share on the secondary. HA Setup will do this for you. You should however verify that the you can mount the external storage on the secondary for permissions/path/network etc. But they should not be mounted for the setup process.
This configuration should not cause you any issues with setting up your HA system moving forward. Please be aware that the FSCK and re-size of the /store partition can take some time. It's not a quick process. You can watch whats going on up till reboot by tailing the /var/log/qradar-ha.log; After the system reboots it should be functional and collecting events again as the replication process starts the back ground sync.
Technical Support Engineer
IBM Certified Associate - Security QRadar
IBM Certified Deployment Professional - Security QRadar SIEM
IBM Security Systems
Submit and manage your support tickets online 24x7 using IBM Service Request
Asadz 2700066N0Q2 Posts
Re: 1st time HA Setup2013-04-24T07:11:29ZThis is the accepted answer. This is the accepted answer.
- G.Bizeau 27000600FR
Thank you Glen Bizeau. The above post is written by colleague and we are part of the same team.
I want to further add that we setup the partition / volume using LVM. In my discussion with support guys at IBM it says that LVM is not supported in Qradar instead a script ha_setup.sh in the /bin directory is recommended to setup HA.
If i have already configured the installation using LVM would i have now remove and start with new image.