Moving the /store file system to a Fibre Channel solution

You can move the IBM QRadar data that is maintained in the /store file system and mount the /store file system to a Fibre Channel (FC) device partition.

Before you begin

Verifying the Fibre Channel connections

Procedure

  1. After the QRadar installation, connect QRadar with fibre channel and restart.
  2. Stop the QRadar services by typing the following commands in the order specified: 
    systemctl stop hostcontext
systemctl stop ecs-ec-ingress
systemctl stop tomcat
systemctl stop hostservices
systemctl stop systemStabMon
systemctl stop crond
  3. Unmount the file systems by typing the following commands: 
    umount /store

    The /transient file system is mounted only when the /store file system is XFS.

  4. Create the /store_old directory by typing the following command: 
    mkdir /store_old
  5. Derive the device partition universal unique identifier (UUID) by typing the following command: 
    blkid /dev/partition
  6. Edit the /etc/fstab file to update the existing /store file system mount point to /store_old.
  7. Add a mount point for the /store file system by adding the following text to the /etc/fstab file:
    • If the file system is XFS and you are not using HA, add the following text: 
      UUID=uuid /store xfs inode64,logbsize=256k,noatime 0 0
    • If the file system is XFS and you are using HA, add the following text: 
      UUID=uuid /store xfs inode64,logbsize=256k,noatime,noauto 0 0
    • If the file system is ext4 and you are not using HA, add the following text: 
      UUID=uuid /store ext4 noatime 0 0
    • If the file system is ext4 and you are using HA, add the following text: 
      UUID=uuid /store ext4 noatime,noauto 0 0

    Save and close the file.

  8. Mount the /store file system to the FC device partition by typing the following command: 
    mount /store
  9. Mount the /store_old file system to the local disk by typing the following command: 
    mount /store_old
  10. Copy the data to the Fibre Channel partition by typing the following command: 
    cp -af /store_old/* /store
  11. Unmount /store_old by typing the following command: 
    umount /store_old
  12. Remove the /store_old directory by typing the following command: 
    rmdir /store_old
  13. Edit the /etc/fstab file to remove the /store_old mount point entry.
  14. Start the QRadar services by typing the following commands in the order specified: 
    systemctl start crond
systemctl start systemStabMon
systemctl start hostservices
systemctl start tomcat
systemctl start ecs-ec-ingress
systemctl start hostcontext
  15. Remove the local copy of /store from the logical volume manager (LVM) by typing the following command: 
    lvchange -an /dev/storerhel/store 2>/dev/null
lvrename /dev/storerhel/store /dev/storerhel/storeold 2>/dev/null
  16. Verify the Fibre Channel mount point by typing the following command: 
    df -h