Upgrading QRadar SIEM to 7.5.0 UP8

You must upgrade all the IBM® QRadar® products in your deployment to the same version.

Before you begin

Review the software update checklist on the Update checklist tab. For more information, see Software update checklist (https://www.ibm.com/support/pages/qradar-software-update-checklist-administrators).
Restriction:
  • To successfully upgrade to QRadar 7.5.0 UP8, your deployment must be on QRadar 7.5.0 UP7.
  • To successfully upgrade to RHEL-8, your deployment must use a supported device driver. Any unsupported drivers on your deployment are removed during the upgrade. For the list of removed drivers, see Removed device drivers.
  • Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported. Before you upgrade, verify that no host in your deployment has LUKS encrypted partitions.
  • Upgrading to RHEL-8 on systems with Secure Boot enabled is not supported.
  • The Leapp pretest can fail if the tool detects a Network Interface Card (NIC) that uses kernel naming (eth) and multiple NICs exist on the same system. To resolve this issue, follow the steps in https://access.redhat.com/solutions/4067471.

Determine the minimum QRadar version that is required for the version of QRadar to which you want to update.

  • Click Help > About to check your current version of QRadar.
  • To determine whether you can upgrade to a version of QRadar, go to QRadar Software 101 (https://www.ibm.com/community/qradar/home/software/) and check the release notes of the version that you want to upgrade to.

About this task

To ensure that IBM QRadar upgrades without errors, verify that you use only the supported versions of QRadar software.

Important:
  • Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar versions of software are not supported.
  • Custom DSMs are not removed during the upgrade.
  • After you upgrade to Update Package 8, WinCollect 7.3.1 managed agents do not receive updates from encrypted QRadar managed hosts. For more information, see https://www.ibm.com/mysupport/aCI3p000000Xr2j.

Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA) deployments, when you upgrade the HA primary host, the HA secondary host is automatically upgraded.

The following QRadar systems can be upgraded concurrently:
  • Event processors
  • Event collectors
  • Flow processors
  • QFlow collectors
  • Data nodes
  • App hosts

Procedure

  1. Download the .sfs file from Fix Central (www.ibm.com/support/fixcentral).
    • If you are upgrading QRadar SIEM, download the <QRadar>.sfs file.

    • If your deployment includes an IBM QRadar Incident Forensics (6000) appliance, download the <identifier>_Forensics_patchupdate-<build_number>.sfs file. The .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.

  2. Use SSH to log in to your system as the root user.
  3. Copy the SFS file to the /storetmp or /var/log directory, or to another location that has sufficient disk space. Verify that the /storetmp directory has at least 10 GB of space available on all hosts, including secondary hosts, for the upgrade.
    Important: If you leave the SFS file in the /storetmp directory without upgrading, the overnight diskmaintd.pl utility deletes it when it runs. For more information, see Daily disk maintenance (https://www.ibm.com/support/pages/node/874848?mhsrc=ibmsearch_a&mhq=daily%20disk%20maintenance).

    To verify that you have enough space (10 GB) in the QRadar Console, type the following command:

    df -h /storetmp /var/log | tee diskchecks.txt
    Important: Don't copy the file to an existing QRadar system directory such as the /store directory.
  4. To create the /media/updates directory, type the following command:
    mkdir -p /media/updates
  5. Use the cd command to change to the directory where you copied the SFS file.
  6. To mount the SFS file to the /media/updates directory, type the following command:
    mount -o loop <QRadar>.sfs /media/updates
  7. You must run the Leapp pretest to verify your system before the upgrade. To run the Leapp pretest, type the following command:
    /media/updates/installer --leapp-only
    Important:
    • If the Leapp pretest is unsuccessful, you must resolve the issues in the pretest output, and then run the test again. The upgrade is blocked until the Leapp pretest runs successfully.
  8. Optional: Pretest the installation by typing the following command:
    /media/updates/installer -t
    Important: The web server and hostcontext services are stopped while the tests are running. After the tests complete, the services are restarted automatically.
    Review the pretest output. If your deployment fails any pretests, take the suggested actions before you continue.
  9. To run the installer, type the following command:
    /media/updates/installer

    If you receive the following error message, you have a QRadar Incident Forensics appliance in your deployment. Download the QRadar Incident Forensics patch file from IBM Fix Central (www.ibm.com/support/fixcentral). The patch file name has the form <identifier>_Forensics_patchupdate-<build_number>.sfs. For more information about upgrading with a QRadar Incident Forensics appliance in your deployment, see Upgrading QRadar Incident Forensics.

    Error: This patch is incompatible with Forensics deployments
    [ERROR](testmode) Patch pretest 'Check for QIF appliances in deployment' failed. (check_qif.sh)
    [ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
    [ERROR](testmode) Failed pretests
    [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
    [INFO](testmode) Set ip-130-86 status to 'Patch Test Failed'
    [ERROR](testmode) Patching can not continue
    [ERROR] Failed to apply patch on localhost, not checking any managed hosts.
    An error was encountered attempting to process patches.
    Please contact customer support for further assistance.
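The procedure above, steps 3 through 9, as one guarded shell script. This is an added example, not part of IBM's installer or documentation. It assumes the paths and commands the steps give (/storetmp, /var/log, /media/updates, the installer --leapp-only and -t flags) and a hypothetical script name upgrade_gate.sh. The 10 GB check parses POSIX df -Pk output so it can be exercised offline against constructed output; the live mount, pretest and install sequence runs only when RUN_UPGRADE=1 is set, and it stops at the first failing step so that a failed Leapp pretest blocks the installer, as the procedure requires.

```shell
#!/bin/sh
# Added example (not IBM's installer code): pre-upgrade space gate for the
# staging directories, followed by the mount/pretest/install sequence from the
# procedure. MIN_GB is the 10 GB minimum the procedure states.

MIN_GB=10

# avail_kb_from_df: read POSIX 'df -Pk' output on stdin and print the
# Available column (KB) of the first filesystem line.
avail_kb_from_df() {
    awk 'NR == 2 { print $4 }'
}

# check_space_kb AVAIL_KB: succeed (0) when AVAIL_KB covers MIN_GB.
check_space_kb() {
    [ "$1" -ge $((MIN_GB * 1024 * 1024)) ]
}

# check_dirs DIR...: report each directory; fail (1) if any is short on space.
check_dirs() {
    rc=0
    for d in "$@"; do
        kb=$(df -Pk "$d" 2>/dev/null | avail_kb_from_df)
        if check_space_kb "${kb:-0}"; then
            printf 'OK   %-10s %s KB available\n' "$d" "$kb"
        else
            printf 'FAIL %-10s %s KB available, need %s GB\n' "$d" "${kb:-0}" "$MIN_GB"
            rc=1
        fi
    done
    return $rc
}

# run_upgrade SFS_FILE: steps 3-9 of the procedure, stopping at the first
# failing step. A failing Leapp pretest must be fixed and rerun before the
# installer pretest or the installer itself is attempted.
run_upgrade() {
    sfs=$1
    [ -f "$sfs" ] || { echo "SFS file not found: $sfs" >&2; return 1; }
    check_dirs /storetmp /var/log || return 1
    mkdir -p /media/updates || return 1
    mount -o loop "$sfs" /media/updates || return 1
    /media/updates/installer --leapp-only ||
        { echo "Leapp pretest failed; resolve the reported issues and rerun" >&2; return 1; }
    /media/updates/installer -t ||
        { echo "Installer pretest failed; review the pretest output" >&2; return 1; }
    /media/updates/installer
}

# Only touch the live host when explicitly asked, for example:
#   RUN_UPGRADE=1 sh upgrade_gate.sh /storetmp/<QRadar>.sfs
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    run_upgrade "$1"
fi
```

Run it as root on the Console first and then on each managed host, in keeping with the upgrade order above; without RUN_UPGRADE=1 the script only defines the functions, so it can be sourced to run check_dirs on its own as a dry check of free space.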

What to do next

  1. Unmount /media/updates by typing the following command:
    umount /media/updates
  2. Delete the SFS file.
  3. Perform an automatic update to ensure that your configuration files contain the latest network security information. For more information, see Checking for new updates.
  4. Delete the patch file to free up space on the partition.
  5. Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not be displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a valid license key. For more information, see the Administration Guide for your product.
  6. FIPS mode only: To verify that FIPS mode is enabled, run the following command:
    fips-mode-setup --check
    If FIPS mode is disabled, run the following command, and then reboot your system to enable FIPS mode:
    /opt/qradar/bin/qradar_fips_toggle.sh enable
  7. If you have custom syslog-ng configuration files, update your files to ensure compatibility with the new syslog-ng syntax in version 3.23. For more information, see Updating custom syslog-ng configuration files.
  8. Determine whether there are changes that must be deployed. For more information, see Deploy Changes.