Upgrading QRadar Incident Forensics
Before you begin
Download the QRadar Incident Forensics patch file from IBM Fix Central (www.ibm.com/support/fixcentral). The patch file has a name similar to the following: <identifier>_Forensics_patchupdate-<build_number>.sfs.
About this task
This .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.
| IBM QRadar version | Red Hat Enterprise Linux version |
|---|---|
| IBM QRadar 7.4.0 | Red Hat Enterprise Linux V7.6 64-bit |
| IBM QRadar 7.4.1 | Red Hat Enterprise Linux V7.7 64-bit |
| IBM QRadar 7.4.2 | Red Hat Enterprise Linux V7.7 64-bit |
| IBM QRadar 7.4.3 | Red Hat Enterprise Linux V7.7 64-bit |
QRadar Incident Forensics supports custom certificates. When you upgrade to 7.4.3, custom certificates that are already in use on the QRadar Console are migrated as part of the upgrade.
If you want to upgrade from QRadar Incident Forensics V7.2.4 or earlier versions, but don't want to keep your data, you can upgrade directly to 7.4.3 by doing a new installation. If you want to keep your data, contact your IBM sales representative.
- Use SSH to log in to your system as the root user.
- Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
- To create the /media/updates directory, type the following command:
  mkdir -p /media/updates
- Change to the directory where you copied the patch file.
- To mount the patch file to the /media/updates directory, type the following command:
  mount -o loop -t squashfs <identifier>_Forensics_patchupdate-<build_number>.sfs /media/updates
- To run the upgrade installer, type the following command:
  The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed.
- Provide answers to the pre-installation questions based on your deployment.
- Use the upgrade installer to upgrade all hosts in your deployment.
  If you do not select Patch All, you must upgrade systems in the following order:
  - QRadar Console
  - QRadar Incident Forensics
  If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.
- After the upgrade is complete, unmount the software update by using the following command:
What to do next
Upgrade your packet capture devices. For more information, see the IBM QRadar Network Packet Capture documentation.
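The copy and mount steps of the procedure can be wrapped in pre-flight checks so that an unverified image is never loop-mounted as root. The following is an added example, not part of IBM's documentation: the function names, the 5 GB free-space threshold, and the availability of an expected SHA-256 value for the downloaded file are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before mounting a QRadar patch .sfs file.
# Function names, the 5 GB threshold and the expected SHA-256 are assumptions.

# Accept only names shaped like <identifier>_Forensics_patchupdate-<build_number>.sfs
is_patch_name() {
  case "$(basename -- "$1")" in
    ?*_Forensics_patchupdate-?*.sfs) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare the file's SHA-256 with the expected value (case-insensitive).
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum -- "$file" 2>/dev/null | awk '{print $1}')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# True if the filesystem that holds directory $1 has at least $2 KB available.
has_free_kb() {
  local avail
  avail=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
  [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Run every check, then perform the mkdir and mount steps from the procedure.
preflight_and_mount() {
  local sfs="$1" expected_sha="$2" min_kb="${3:-5242880}"  # assumed 5 GB
  [ "$(id -u)" -eq 0 ]  || { echo "run as root" >&2; return 1; }
  [ -f "$sfs" ]         || { echo "patch file not found" >&2; return 1; }
  is_patch_name "$sfs"  || { echo "unexpected patch file name" >&2; return 1; }
  has_free_kb "$(dirname -- "$sfs")" "$min_kb" \
                        || { echo "insufficient disk space" >&2; return 1; }
  verify_sha256 "$sfs" "$expected_sha" \
                        || { echo "SHA-256 mismatch" >&2; return 1; }
  if mountpoint -q /media/updates; then
    echo "/media/updates is already a mount point" >&2; return 1
  fi
  mkdir -p /media/updates
  mount -o loop -t squashfs "$sfs" /media/updates
}

# Usage: script <patch.sfs> <expected_sha256> [min_free_kb]
if [ "$#" -ge 2 ]; then
  preflight_and_mount "$@"
fi
```

A failed check returns before anything is mounted, so the installer is only ever run from an image whose name and digest matched.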