Configuring the iSCSI volumes

You can configure iSCSI for a stand-alone QRadar Console or a QRadar Console that is the primary high-availability (HA) host in an HA deployment.

About this task

Optionally, you can create a partition on the volume of the external iSCSI storage device.

IBM QRadar V7.2.1 and later uses the XFS file system. You can create the partition on your iSCSI device with either an ext4 or XFS file system.

Disk partitions are created by using a GUID Partition Table (GPT). You can use a new device partition as the mount point for the file system, such as /store or /store/ariel that you migrate.

Important: If you created an iSCSI or Fibre Channel device partition on your external device and QRadar® data is stored, then you cannot create a partition or reformat the partition on the volume.

Procedure

  1. Using SSH, log in to the QRadar Console as the root user.
  2. Edit the /etc/iscsi/initiatorname.iscsi file to include the iSCSI qualified name for your host. 
    InitiatorName=<iqn.yyyy-mm>.<reversed_domain_name>:<hostname>
    Example: InitiatorName=iqn.2014-11.com.qradar:pl13
  3. Open a session to the iSCSI server by typing the following command: 
    systemctl restart iscsi
  4. To detect volumes on the iSCSI server, type the following command: 
    iscsiadm -m discovery --type sendtargets --portal <portal_IP_address>:[<port>]

    The IP address option is the IP address of the iSCSI server. The port is optional. Record the initiator name.

  5. To log in to the iSCSI server, type the following command: 
    iscsiadm -m node --targetname <initiator_name_from_step_4> --portal <IP_address>:[<port>]> --login
  6. To find the iSCSI device volume name, type the following command: 
    dmesg | grep "Attached SCSI disk"
  7. Optional: To create a partition, use the GNU parted command: 
    parted /dev/<volume>
  8. Configure the partition label to use GPT by typing the following command: 
    mklabel gpt
  9. If the following message is displayed, type Yes. 
    Warning: The existing disk label on /dev/<volume> will be
destroyed and all data on this disk will be lost. Do you want to
continue?
  10. Create a partition on the iSCSI disk volume.
    1. To create the partition, type the following command: 
      mkpart primary 0% 100%
    2. Set the default units to TB by typing the following command: 
      unit TB
    3. Verify that the partition is created by typing the following command: 
      print
    4. Exit from GNU parted by typing the following command: 
      quit
    5. Update the kernel with the new partition data by typing the following command: 
      partprobe /dev/<volume>

      After you update the kernel, you might be prompted to restart the appliance. If you are prompted to do so, restart the appliance.

    6. To verify that the partition is created, type the following command: 
      cat /proc/partitions
  11. Reformat the partition and make a file system.
    • To create an XFS file system, type the following command: 
      mkfs.xfs -f /dev/<partition>
    • For an ext4 files system, type the following command: 
      mkfs.ext4 /dev/<partition>

What to do next

See Moving the /store/ariel file system to an iSCSI storage solution or Moving the /store file system to an iSCSI storage solution.