Migrate data from an older QRadar Console to a new Console appliance that uses a new IP address. All managed host appliances stay as-is. Use this process for non-HA appliances.
Before you begin
You must complete a QRadar installation on the new Console with a matching software version to the old Console.
About this task
You don't have to remove managed hosts from the old QRadar Console because the new QRadar Console takes over any existing hosts in the deployment. This procedure allows managed hosts in the deployment to continue to receive events while the Console is offline.
Procedure
- Prepare your new hardware:
  - Rack the appliance and connect network connections.
  - Review the paperwork for your appliance to determine which QRadar version is installed on the new hardware.
- Review your software version.
  - If your Console software version is older than the software on the appliance, reinstall the appliance with the newest ISO that is less than or equal to the Console software version. Download the ISO file from Fix Central (www.ibm.com/support/fixcentral/).
  - Follow the installation wizard to complete the installation.
  - Type a root password for the appliance.
  - Type a new IP address and network information for the new hardware.
  - Log in as a root user and select the appliance type during the installation process.
  - If your Console patch version is newer than the software on the appliance, download and install the SFS (software fix/patch) from Fix Central (www.ibm.com/support/fixcentral/).
- On the navigation menu, click Admin.
- In the System Configuration section, click Backup and Recovery.
- Select the archive that you want to restore, and click Restore.
- On the Restore a Backup window, configure the following parameters and then click Restore.
Table 1. Restore a Backup parameters
Parameter | Description
Select All Configuration Items | Indicates that all configuration items are included in the restoration of the backup archive. This checkbox is selected by default.
Restore Configuration | Lists the configuration items to include in the restoration of the backup archive. All items are selected by default.
Select All Data Items | Indicates that all data items are included in the restoration of the backup archive. This checkbox is selected by default.
Restore Data | Lists the configuration items to include in the restoration of the backup archive. All items are cleared by default.
- Stop the iptables service on each managed host in your deployment. iptables is a Linux®-based firewall.
  - Using SSH, log in to the managed host as the root user.
  - For App Host, type the following commands:
    systemctl stop docker_iptables_monitor.timer
    systemctl stop iptables
  - For all other managed hosts, type the following command:
    systemctl stop iptables
  - Repeat for all managed hosts in your deployment.
- On the Restore a Backup window, click Test Hosts Access.
- After testing is complete for all managed hosts, verify that the status in the Access Status column indicates a status of OK.
- If the Access Status column indicates a status of No Access for a host, stop iptables again, and then click Test Host Access again to attempt a connection.
- On the Restore a Backup window, configure the parameters.
  Important: By selecting the Installed Applications Configuration checkbox, you restore the installed app configurations only. Extension configurations are not restored. Select the Deployment Configuration checkbox if you want to restore extension configurations.
- Click Restore.
- Click OK.
- Click OK to log in.
- Choose one of the following options:
  - If the user interface was closed during the user restore process, open a web browser and log in to QRadar.
  - If the interface was not closed, the login window is displayed. Log in to QRadar.
- View the results of the restore process and follow the instructions to resolve any errors.
- Refresh your web browser window.
- From the Admin tab, select .
  QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
- To enable the IP tables for an App Host, type the following command:
  systemctl start docker_iptables_monitor.timer
What to do next
After the data transfer is complete, you might want to keep the old Console on hand in case you need to revert to the old appliance. Otherwise, after a week or two, the old Console is no longer required and can be decommissioned or repurposed for other uses.

To verify that your migration is successful, log in as an administrator, click the Log Activity tab and perform a search to see whether events are flowing. Then, click the Network Activity tab and perform a search to see whether flows are being processed.
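
The procedure stops the host firewall on every managed host and shows a start command only for the App Host timer, so a check of those units after the migration confirms that no host is left without iptables. The script below is an added example, not IBM code; the inventory format (`hostname type` per line, with type `apphost` or anything else), the script file name, and key-based root SSH access are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Reports the state of the firewall units that
# the procedure stops, so hosts left without iptables are easy to spot.
# Assumed inventory on stdin, one host per line: "<hostname> <type>",
# where type is "apphost" or anything else (constructed format).

# Units stopped by the procedure, by host type.
units_for() {
  case "$1" in
    apphost) echo "docker_iptables_monitor.timer iptables" ;;
    *)       echo "iptables" ;;
  esac
}

# Default probe: ask systemd over SSH (assumes key-based root login).
ssh_probe() {  # $1 = host, $2 = unit
  ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" \
    systemctl is-active "$2" 2>/dev/null
}
PROBE=${PROBE:-ssh_probe}  # replaceable, e.g. with a stub for dry runs

# Prints "host unit state" for every unit; returns 1 if any is not active.
check_hosts() {
  rc=0
  while read -r host type; do
    case "$host" in ''|\#*) continue ;; esac   # skip blanks and comments
    for unit in $(units_for "$type"); do
      # is-active exits non-zero for stopped units, so ignore the status
      # and classify on the printed state; no output means no connection.
      state=$("$PROBE" "$host" "$unit" </dev/null) || true
      [ -n "$state" ] || state=unreachable
      echo "$host $unit $state"
      [ "$state" = active ] || rc=1
    done
  done
  return "$rc"
}

# Usage: sh check_fw.sh hosts.txt   (file name is an example)
if [ "$#" -gt 0 ]; then
  check_hosts < "$1"
fi
```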