Migrating Disconnected Log Collector data to the destination QRadar site
If you created a disaster recovery QRadar environment, but did not create a disaster recovery Disconnected Log Collector, then your server certificate must include information about both the main and destination sites. This information ensures that your Disconnected Log Collector log source transfers properly between sites.
Before you begin
- Copy the root certificate that is used for Disconnected Log Collector from the main IBM QRadar site to the destination site.
- If you're using the default Java™ truststore, the root CA certificates are not synchronized between the main and destination QRadar sites. Copy the root certificate from the /etc/pki/ca-trust/source/anchors folder on the main site to the same folder on the destination site. Then, run the update-ca-trust command on the destination site to import the certificate.
- If you're using your own custom Java truststore, the truststore is not synchronized between the main and destination QRadar sites. Copy the truststore file that you use with the Disconnected Log Collector log source to the same folder on the destination site.
- Copy the server certificate that you use for the Disconnected Log Collector log source from the /opt/qradar/conf/key_stores folder on the main site to the same folder on the destination site.
Tip: When you generate the server certificate for the Disconnected Log Collector log source, you can add the IP address of the secondary QRadar box to the SAN of the certificate request.
DNS:<ec.example.com>,IP:<Primary IP address>,IP:<Destination IP address>
For more information, see Setting up certificate-based authentication on Disconnected Log Collector.
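To confirm before a failover that a server certificate carries both site addresses in its SAN, as the tip describes, a check like the following can be run. It is an added example, not IBM code. It assumes a PEM-encoded certificate and OpenSSL 1.1.1 or later. The function names and the sample certificate, which uses documentation-range addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a certificate's SAN lists every required site IP.

# Print the SAN entries one per line, e.g. "DNS:ec.example.com" or
# "IP Address:192.0.2.10" (the form used by `openssl x509 -text`).
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only on an exact match: the whole-line comparison keeps
# 192.0.2.1 from matching 192.0.2.10.
san_has_ip() {
    san_entries "$1" | grep -Fxq "IP Address:$2"
}

# Report each required IP; return non-zero if any is missing.
check_sites() {
    cert=$1; shift; rc=0
    for ip in "$@"; do
        if san_has_ip "$cert" "$ip"; then
            echo "OK       $ip"
        else
            echo "MISSING  $ip"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: throwaway self-signed certificate whose SAN has the
# same shape as the tip (one DNS name, main site IP, destination site IP).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ec.example.com" \
        -addext "subjectAltName=DNS:ec.example.com,IP:192.0.2.10,IP:198.51.100.10" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/sample.pem"
# 192.0.2.10 stands in for the main site, 198.51.100.10 for the destination.
check_sites "$tmp/sample.pem" 192.0.2.10 198.51.100.10
rm -rf "$tmp"
```

A certificate that reports MISSING for the destination address was issued without that SAN entry.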