abd.halimah

Pinned topic 1st time HA Setup

2013-04-23T13:06:01Z

Hello,

Useful info to understand what I need:
1- Two QRadars installed and configured in HA on my own hardware with Red Hat 6.3
2- Fibre Channel off-board storage is used and both devices are mounted to the same storage
3- /store of both QRadars (Pri & Sec) is mounted off-board on my storage, which is 16 TB
4- GUID Partition Table (GPT) is used, where I cannot assign more than 16 TB to QRadar

NOW,
whenever I start the wizard and configure HA I get the attached snapshots, then I lose the GUI to QRadar and I cannot connect through HTTPS at all. Kindly review the attached snaps and logs and let me know where it's going wrong and why this is happening.

Reg,
Abdullah


  • G.Bizeau

    Re: 1st time HA Setup

    ‏2013-04-23T18:41:17Z  

    Abdullah,

    I have looked over your screenshots and I think I know where the issue is. Let's start with your external storage. It is not recommended to mount the entire /store partition to external storage. We recommend mounting /store/ariel only. This is where the BULK of the storage space is needed by QRadar. Our PostgreSQL database is mounted in /store as well and needs the data access speeds of physical disks to function optimally.

    /store being mounted externally is also a cause for concern in this particular case because a console cannot have an HA secondary without replication. In normal circumstances, when using external storage with HA you would disable replication as it is not required. Since this is a console and contains the primary database, we cannot disable replication.

    Part of the HA setup does a FSCK (File System ChecK) and re-sizes the primary storage to be slightly smaller than the secondary storage. With your external storage mounted, it cannot accomplish this step. In order to do this, we need to stop all services, including the web interface, to take everything that might have a file system lock on /store. This is why you are losing the web interface. The reason it never comes back is that the partition will never be re-sized or checked since it's external. One of your error screens shows this as we try to do a FSCK then error out.

    The 16TB limit is a Linux thing, nothing to do with our product. If you have more space not being used on your external storage, I suggest also mounting /store/backup as a second external mount as well. But please do this before the HA setup.

    I would suggest the following as a proper config.

     * Mount your external storage to /store/ariel instead of /store; Also you can mount /store/backup externally if required as I mentioned above.

     * Continue your HA setup as normal; the rest of /store will be replicated as needed, and it will skip /store/ariel for replication as it will see it's mounted externally. There is no need to mount the share on the secondary. HA Setup will do this for you. You should however verify that you can mount the external storage on the secondary for permissions/path/network etc. But they should not be mounted for the setup process.

    This configuration should not cause you any issues with setting up your HA system moving forward. Please be aware that the FSCK and re-size of the /store partition can take some time. It's not a quick process. You can watch what's going on up until reboot by tailing the /var/log/qradar-ha.log. After the system reboots it should be functional and collecting events again as the replication process starts the background sync.

    Regards

     

    Glen Bizeau
    Technical Support Engineer

    Linux+ Certified
    IBM Certified Associate - Security QRadar
    IBM Certified Deployment Professional - Security QRadar SIEM

    IBM Security Systems

    Submit and manage your support tickets online 24x7 using IBM Service Request
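
A pre-flight check for the mount layout recommended in the reply above, as an added example that is not part of the original post and not IBM tooling. The device name /dev/sdb1 and the sample mount table are constructed; the list of external devices is something you supply yourself.

```shell
#!/bin/sh
# Added example (not IBM's tooling). Reads a mount table in /proc/mounts
# format on stdin and checks it against the layout recommended in the reply.
#   $1    role: "primary" or "secondary"
#   $2..  block devices that sit on the external storage (supplied by you)
# Prints one finding per line; returns 0 when the layout matches, 1 otherwise.
check_store_layout() {
    role=$1; shift
    ext=" $* "; rc=0; ariel_ext=0
    while read -r dev mnt _rest; do
        case "$ext" in
            *" $dev "*) ;;       # device is on the external storage
            *) continue ;;       # local device: nothing to check
        esac
        if [ "$role" = secondary ]; then
            # The reply says the share must not be mounted on the secondary
            # while HA setup runs; setup mounts it itself.
            echo "FAIL: $dev is mounted on $mnt on the secondary"
            rc=1
            continue
        fi
        case "$mnt" in
            /store/ariel)  ariel_ext=1; echo "OK: /store/ariel on $dev" ;;
            /store/backup) echo "OK: /store/backup on $dev" ;;
            /store)        rc=1; echo "FAIL: all of /store on $dev; HA setup cannot check or re-size it" ;;
        esac
    done
    if [ "$role" = primary ] && [ "$ariel_ext" -eq 0 ]; then
        echo "FAIL: /store/ariel is not on an external device"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the layout described in the opening post.
check_store_layout primary /dev/sdb1 <<'EOF' || echo "layout needs changes before HA setup"
/dev/sda3 / ext4 rw 0 0
/dev/sdb1 /store ext4 rw 0 0
EOF
```

On a live host, feed it the real table with `check_store_layout primary <your external devices> < /proc/mounts`.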

  • Asadz

    Re: 1st time HA Setup

    ‏2013-04-24T07:11:29Z  
    Thank you, Glen Bizeau. The above post was written by my colleague and we are part of the same team.

    I want to further add that we set up the partition / volume using LVM. In my discussion with the support guys at IBM, it was said that LVM is not supported in QRadar; instead, a script ha_setup.sh in the /bin directory is recommended to set up HA.

    If I have already configured the installation using LVM, would I now have to remove it and start with a new image?

  • Aaron_Breen(IBM)

    Re: 1st time HA Setup

    ‏2013-04-24T11:43:45Z  
    LVM is not supported and yes you would have to remove this.

  • Asadz

    Re: 1st time HA Setup

    ‏2013-04-30T18:34:30Z  

    Thank you for your help :)