Replacing a QRadar managed host

Migrate data from an older QRadar® managed host (16xx, 17xx, or 18xx) appliance to newer hardware. Follow this process for non-HA appliances.

Before you begin

Ensure that the following conditions are met:
  • You recorded the network information for the old appliance, because you must manually type this information into the network configuration for the new appliance.
  • The software version of the new appliance matches the software version of the QRadar Console. You might be required to reinstall an ISO image for the appliance to downgrade or use an SFS fix pack to upgrade.
  • You configured data backups to prevent potential data loss during the migration.

About this task

During migration, the IP address of the old appliance is assigned to the new hardware. The new hardware is added to the deployment and then you move data while new events are collected from the network.

Procedure

  1. Prepare your new hardware:
    1. Rack the appliance and connect network connections.
    2. Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
  2. Review your software version.
    1. If your Console software version is older than the software on the appliance, re-install the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
    2. Follow the installation wizard to complete the installation.
    3. Type a root password for the appliance.
    4. Type a temporary IP address and network information for the new hardware.
    5. Log in as a root user, and select the appliance type during the installation process.
    6. If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
  3. Remove the old appliance from the deployment.
    1. Log in to QRadar as an administrator.
    2. Click the Admin tab and click the System and License Management icon.
    3. From the Display menu, click Systems, and then select the old QRadar appliance.
    4. Click Deployment Actions > Remove Host.
    5. When prompted, click Remove to confirm the removal of the host deployment.
      Attention: Don't delete the components for the Event Collector and Event Processor, because these components are re-used.
  4. Reassign the IP addresses to ensure that the decommissioned appliance doesn't cause an IP address conflict in the network after it is powered back on.
    1. To reassign the IP address of the old appliance to any unused address:
      1. Use IMM (Integrated Management Module) for remote access, or use the local Console keyboard, to log in to the command line of the old appliance as the root user.
      2. Reassign the IP address of the old appliance by typing the following command:
        /opt/qradar/bin/qchange_netsetup
    2. Set the IP address for the new hardware:
      1. Use IMM for remote access, or use the local Console keyboard to log in to the command line of the new appliance as the root user.
      2. From the command line of the new appliance, type /opt/qradar/bin/qchange_netsetup to use the same host name and IP address as the old appliance.
      If you want to migrate old data to the new system, leave the existing system running and connected to the network. The data is moved when the new appliance is running and collecting data.
  5. Add the new appliance to the deployment.
    1. Log in to QRadar as an administrator.
    2. Click the Admin tab and click the System and License Management icon.
    3. Click Deployment Actions > Add Host.
    4. If you're prompted to add old components from the deployment to the host, click Yes. Any deployment components that were on the old appliance are reassociated with this host so that any protocol-based sources are automatically enabled and migrated to the new appliance.
    5. Click Save and Close.
    6. On the Admin tab, click the Deploy Changes icon.
    7. Verify that event or flow sources that were reporting to the original host are being processed in the QRadar user interface.
    After you add the host back to the QRadar deployment, the deployment process ensures that the required configuration is regenerated on the new appliance. After the new host is part of the deployment, you can only use SSH access from the Console.
  6. To copy data from the old appliance, shut down the host firewall on the new appliance by typing the command systemctl stop iptables.
  7. Copy certificates and custom-generated key pairs from the old appliance to the new appliance to ensure that log sources and scanners can connect to remote sources.

    You must also migrate any custom-generated private keys that you have by transferring the /etc/ssh and /root/.ssh directories.

    1. Log in to the old QRadar managed host as the root user.
    2. Copy the data from the old hardware to the new appliance by using the rsync command as in one of the following examples:
      Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
      Use this example for certificates:
      Example: rsync -avz /opt/qradar/conf/trusted_certificates/ root@new_appliance:/opt/qradar/conf/trusted_certificates
      Use these examples for SSH:
      Example 1: rsync -avz /etc/ssh/ root@new_appliance:/etc/ssh
      Example 2: rsync -avz /root/.ssh/ root@new_appliance:/root/.ssh
  8. Transfer event and flow data to the new appliance.

    You can use either rsync or SCP to complete the data transfer. These commands might require the root user to accept SSH keys and provide the root password for the target server. The length of this process depends on how much data needs to be transferred.

    1. Log in to the old QRadar appliance as the root user.
    2. Copy the data from the old appliance to the new appliance (target server) by using the rsync command, as in the following example:
      Tip: For better performance when using a crossover cable solution, use rsync -av instead of rsync -avz.
      rsync -avz /store/ariel/ root@new_appliance:/store/ariel
  9. Optional: Copy over event collector data, if you have any data in /store/ec.
    1. Log in to the old appliance as the root user.
    2. Stop ecs-ec-ingress on the old appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    3. Log in to the new appliance as the root user.
    4. Create a file on the new appliance to prevent ecs-ec-ingress from automatically restarting by typing the following command:
      touch /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    5. Stop ecs-ec-ingress on the new appliance by typing the following command:
      systemctl stop ecs-ec-ingress
    6. Copy the data from /store/ec on the old appliance to /store/ec on the new appliance.
    7. Remove the file created in substep 4 from the new appliance by typing the following command:
      rm -f /storetmp/ecs-ec-ingress.ecs-ec-ingress.manually_stopped
    8. Start ecs-ec-ingress on the new appliance by typing the following command:
      systemctl start ecs-ec-ingress
  10. Type the command systemctl start iptables after the configuration and data migration are complete.
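The copy steps 6 to 10 above, gathered into one script as an added example (not IBM's code): it builds the rsync commands with the crossover-cable flag choice from the Tip, records a SHA-256 manifest of /store/ariel before the copy and checks it on the new appliance afterwards, so an interrupted or truncated transfer is noticed before the old appliance is decommissioned. It assumes it runs on the old appliance as root after iptables has been stopped on the new appliance (step 6); NEW_HOST and the manifest path /storetmp/ariel-migration.sha256 are placeholders to replace, and restarting iptables (step 10) and the /store/ec substeps are left to be done by hand.

```shell
#!/bin/sh
# Added example, not IBM's code: wraps the rsync steps of this procedure
# (certificates, SSH keys, /store/ariel) and adds an integrity check of the copy.
# Assumptions: run on the OLD appliance as root after step 6 (iptables stopped on
# the new appliance); NEW_HOST is the host name the new appliance took over in
# step 4 (placeholder below); CROSSOVER=1 selects "rsync -av" instead of
# "rsync -avz", as the Tip above recommends. Step 10 is still done by hand.

NEW_HOST="${NEW_HOST:-new_appliance}"   # placeholder, replace with the real host
CROSSOVER="${CROSSOVER:-0}"
MANIFEST="/storetmp/ariel-migration.sha256"   # assumed scratch path, not from the page

# Compression helps over a shared network but only burns CPU on a direct cable.
rsync_flags() {
    if [ "$CROSSOVER" = "1" ]; then echo "-av"; else echo "-avz"; fi
}

# Print the rsync command for one directory. The trailing slash on the source
# copies the directory's contents into the target, as in the page's examples.
rsync_cmd() {    # rsync_cmd SRC_DIR DST_DIR
    printf 'rsync %s %s/ root@%s:%s\n' "$(rsync_flags)" "${1%/}" "$NEW_HOST" "${2%/}"
}

# Record a SHA-256 for every file under DIR (paths relative to DIR) so the same
# manifest can be checked on the new appliance after the copy.
make_manifest() {    # make_manifest DIR MANIFEST_FILE
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# Verify DIR against the manifest; returns 0 only if every file is present and
# unchanged (catches a truncated or interrupted rsync before the old host is wiped).
check_manifest() {   # check_manifest DIR MANIFEST_FILE
    ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# Full run, only when explicitly requested, so sourcing this file is harmless.
migrate() {
    # If SSH to the new host fails, step 6 (stop iptables there) was skipped.
    ssh -o ConnectTimeout=10 "root@$NEW_HOST" true || { echo "new host unreachable" >&2; return 1; }
    make_manifest /store/ariel "$MANIFEST"
    for pair in "/opt/qradar/conf/trusted_certificates /opt/qradar/conf/trusted_certificates" \
                "/etc/ssh /etc/ssh" "/root/.ssh /root/.ssh" "/store/ariel /store/ariel"; do
        set -- $pair                        # split "SRC DST" into $1 $2
        eval "$(rsync_cmd "$1" "$2")" || return 1
    done
    scp "$MANIFEST" "root@$NEW_HOST:$MANIFEST"
    ssh "root@$NEW_HOST" "cd /store/ariel && sha256sum -c --quiet $MANIFEST"
}
if [ "${QRADAR_MIGRATE_RUN:-0}" = "1" ]; then migrate; fi
```

Run it with QRADAR_MIGRATE_RUN=1 (and CROSSOVER=1 on a crossover cable); a non-zero exit from the final sha256sum means the /store/ariel copy must be repeated before the old appliance is decommissioned.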

What to do next

After the data transfer is complete, decommission the old appliance and unrack the obsolete hardware.