Upgrading QRadar Incident Forensics

Upgrade to IBM® QRadar® Incident Forensics 7.4.3 by using an upgrade installer. You must upgrade all of your IBM QRadar products in your deployment to the same version.

Before you begin

Download the QRadar Incident Forensics patch file from IBM Fix Central (www.ibm.com/support/fixcentral). The patch file is named similar to this one: <identifier>_Forensics_patchupdate-<build_number>.sfs.

About this task

This .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.

During the upgrade, the Red Hat® Enterprise Linux® version might also be upgraded. The following table shows the Red Hat Enterprise Linux version that is used with IBM QRadar.
Table 1. Red Hat version
IBM QRadar version Red Hat Enterprise Linux version
IBM QRadar 7.4.0 Red Hat Enterprise Linux V7.6 64-bit
IBM QRadar 7.4.1 Red Hat Enterprise Linux V7.7 64-bit
IBM QRadar 7.4.2 Red Hat Enterprise Linux V7.7 64-bit
IBM QRadar 7.4.3 Red Hat Enterprise Linux V7.7 64-bit

QRadar Incident Forensics supports custom certificates. When you upgrade to 7.4.3, custom certificates that are already in use on the QRadar Console are migrated as part of the upgrade.

Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported.

If you want to upgrade from QRadar Incident Forensics V7.2.4 or earlier versions, but don't want to keep your data, you can upgrade directly to 7.4.3 by doing a new installation. If you want to keep your data, contact your IBM sales representative.


  1. Use SSH to log in to your system as the root user.
  2. Copy the patch file to the /tmp directory or to another location that has sufficient disk space.
  3. To create the /media/updates directory, type the following command:
    mkdir -p /media/updates
  4. Change to the directory where you copied the patch file.
  5. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs <identifier>_Forensics_patchupdate-<build_number>.sfs /media/updates
  6. To run the upgrade installer, type the following command:

    The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed.

  7. Provide answers to the pre-installation questions based on your deployment.
  8. Use the upgrade installer to upgrade all hosts in your deployment.
    If you do not select Patch All, you must upgrade systems in the following order:
    • QRadar Console
    • QRadar Incident Forensics

    If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.

  9. After the upgrade is complete, unmount the software update by using the following command:
    umount /media/updates

What to do next

Upgrade your packet capture devices. For more information, see the IBM QRadar Network Packet Capture documentation.