Migrating Disconnected Log Collector data to the destination QRadar site

If you created a disaster recovery QRadar® environment but did not create a disaster recovery Disconnected Log Collector, your server certificate must identify both the main and destination sites. Without that, the Disconnected Log Collector log source cannot transfer properly between sites.

Before you begin

  1. Copy the root certificate that is used for Disconnected Log Collector from the main IBM® QRadar site to the destination site.
    1. If you're using the default Java™ truststore, the root CA certificates are not synchronized between the main and destination QRadar sites. Copy the root certificate from the /etc/pki/ca-trust/source/anchors folder on the main site to the same folder on the destination site. Then, run the update-ca-trust command on the destination site to import the certificate.
    2. If you're using your own custom Java truststore, the truststore is not synchronized between the main and destination QRadar sites. Copy the truststore file that you use with the Disconnected Log Collector log source to the same folder on the destination site.
  2. Copy the server certificate that you use for the Disconnected Log Collector log source from the /opt/qradar/conf/key_stores folder on the main site to the same folder on the destination site.
  Tip: When you generate the server certificate for the Disconnected Log Collector log source, add the IP address of the secondary QRadar host to the SAN of the certificate request alongside the primary address, for example:
    DNS:<ec.example.com>,IP:<Primary IP address>,IP:<Destination IP address>

For more information, see Setting up certificate-based authentication on Disconnected Log Collector.

Procedure

  1. Stop the Disconnected Log Collector service on the main QRadar site by typing the following command:
    systemctl stop dlc
  2. Update the destination.ip value in /opt/ibm/si/services/dlc/conf/config.json to be the IP address of the host you want to point to on the destination site.
  3. Start the Disconnected Log Collector service on the destination QRadar site by typing the following command:
    systemctl start dlc
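The procedure above, together with the SAN tip under Before you begin, as an added shell example. This is not IBM's code and not part of the QRadar product; it assumes that config.json stores the address under a JSON string key literally named "destination.ip", that addresses are IPv4, that openssl is on the PATH for the SAN check, and that the sample config and addresses (the port key included) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code. Helpers for pointing a Disconnected Log Collector (DLC)
# at the destination QRadar site. File paths are the ones the documentation names; the
# key name "destination.ip", the IPv4-only scope and all sample values are assumptions.
set -eu

DLC_CONFIG=${DLC_CONFIG:-/opt/ibm/si/services/dlc/conf/config.json}

# Accept only a dotted-quad IPv4 address with every octet in 0..255 (IPv6 is out of scope).
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (IFS=.; for octet in $1; do [ "$octet" -le 255 ] || exit 1; done)
}

# Print the address currently stored as destination.ip (empty if the key is absent).
get_destination_ip() {
    sed -n 's/.*"destination\.ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Rewrite destination.ip in place: refuse bad addresses and missing keys, keep a
# timestamped backup, and verify that the new value was actually written.
update_destination_ip() {
    cfg=$1
    new_ip=$2
    validate_ipv4 "$new_ip" || { echo "refusing invalid IPv4 address: $new_ip" >&2; return 1; }
    grep -q '"destination\.ip"' "$cfg" || { echo "destination.ip not found in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/"destination\.ip"[[:space:]]*:[[:space:]]*"[^"]*"/"destination.ip": "'"$new_ip"'"/' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    [ "$(get_destination_ip "$cfg")" = "$new_ip" ]
}

# Confirm that a PEM server certificate's Subject Alternative Name lists every value
# given (the DNS name plus the main and destination IP addresses). It parses the -text
# output of openssl x509, which older OpenSSL releases also produce; values are matched
# with a trailing comma so 10.0.0.1 cannot pass on the strength of 10.0.0.10.
san_covers() {
    cert=$1
    shift
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    san="$san,"
    for want in "$@"; do
        case "$san" in
            *"IPAddress:$want,"*|*"DNS:$want,"*) ;;
            *) echo "SAN of $cert does not include $want" >&2; return 1 ;;
        esac
    done
}

# The documented procedure, run on the host where the dlc service lives: stop the
# collector, repoint it at the destination-site host, then start it again. The config
# rewrite is checked before the service is started, so a failed edit leaves dlc stopped
# rather than sending to the old site.
migrate_dlc() {
    systemctl stop dlc
    update_destination_ip "$DLC_CONFIG" "$1"
    systemctl start dlc
}

# Stand-alone demonstration on a constructed config.json (no systemctl, no real paths).
demo() {
    tmpdir=$(mktemp -d)
    printf '{\n  "destination.ip": "10.0.0.1",\n  "destination.port": 32500\n}\n' > "$tmpdir/config.json"
    update_destination_ip "$tmpdir/config.json" "10.0.0.2"
    get_destination_ip "$tmpdir/config.json"   # prints 10.0.0.2
}
```

Before running migrate_dlc, check the certificate copied into /opt/qradar/conf/key_stores with `san_covers /opt/qradar/conf/key_stores/<server certificate>.pem <ec.example.com> <Primary IP address> <Destination IP address>`; a non-zero exit means the destination site is missing from the SAN and the log source would fail to transfer, which is the condition the Before you begin section warns about.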