Upgrade to IBM QRadar Incident Forensics 7.5.0 by using an upgrade installer. You must upgrade all of your IBM QRadar products in your deployment to the same version.
Before you begin
Download the QRadar Incident Forensics patch file from IBM® Fix Central (www.ibm.com/support/fixcentral). The patch file is named similar to this one: <identifier>_QIFSFS_FixPack-<build_number>.sfs.
About this task
This .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.
During the upgrade, the Red Hat® Enterprise Linux® version might also be upgraded. The following table shows the Red Hat Enterprise Linux version that is used with IBM QRadar.
Table 1. Red Hat version

| IBM QRadar version | Red Hat Enterprise Linux version |
| --- | --- |
| IBM QRadar 7.5.0 | Red Hat Enterprise Linux V7.9 64-bit |

QRadar Incident Forensics supports custom certificates. When you upgrade to 7.5.0, custom certificates that are already in use on the QRadar Console are migrated as part of the upgrade.
Restriction: Resizing logical volumes by using a logical volume manager (LVM) is not supported.
If you want to upgrade from QRadar Incident Forensics V7.2.4 or earlier versions, but don't want to keep your data, you can upgrade directly to 7.5.0 by doing a new installation. If you want to keep your data, contact your IBM sales representative.
Procedure
- Use SSH to log in to your system as the root user.
- Copy the SFS file to the /storetmp or /var/log directory or to another location that has sufficient disk space.
  Important: If the SFS file is in the /storetmp directory and you do not upgrade, when the overnight diskmaintd.pl utility runs, the SFS file is deleted. For more information, see Daily disk maintenance (https://www.ibm.com/support/pages/node/874848?mhsrc=ibmsearch_a&mhq=daily%20disk%20maintenance).
  To verify that you have enough space (5 GB) in the QRadar® Console, type the following command:
  df -h /storetmp /var/log | tee diskchecks.txt
  Important: Don't copy the file to an existing QRadar system directory such as the /store directory.
- To create the /media/updates directory, type the following command:
- Change to the directory where you copied the patch file.
- To mount the patch file to the /media/updates directory, type the following command:
  mount -o loop -t squashfs <identifier>_QIFSFS_FixPack-<build_number>.sfs /media/updates
- To run the upgrade installer, type the following command:
  /media/updates/installer
  The first time that you run the patch installer script, there might be a delay before the first patch installer menu is displayed.
- Provide answers to the pre-installation questions based on your deployment.
- Use the upgrade installer to upgrade all hosts in your deployment.
  If you do not select Patch All, you must upgrade systems in the following order:
  - QRadar Console
  - QRadar Incident Forensics
  If your SSH session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation resumes.
- After the upgrade is complete, unmount the software update by using the following command:
What to do next
Upgrade your packet capture devices. For more information, see the IBM QRadar Network Packet Capture Installation Guide.
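
The staging rules from step 2 of the procedure (5 GB free, not under /store, and the /storetmp cleanup caveat) can be checked before the SFS file is copied. The following shell pre-flight is an added example, not part of the IBM documentation or tooling; the function names are hypothetical and it assumes absolute directory paths.

```shell
#!/bin/sh
# Added example, not IBM code: pre-flight check for the SFS staging directory.
REQUIRED_KB=$((5 * 1024 * 1024))   # 5 GB, the free space the procedure asks for

# classify_staging_dir DIR: prints reject, warn or ok (hypothetical helper)
classify_staging_dir() {
    case "$1" in
        /store|/store/*)       echo reject ;;  # existing QRadar system directory
        /storetmp|/storetmp/*) echo warn ;;    # overnight diskmaintd.pl deletes the SFS file
        *)                     echo ok ;;
    esac
}

# free_kb DIR: available KB on the file system that holds DIR
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# check_staging DIR [NEED_KB]: returns 0 when DIR can hold the SFS file
check_staging() {
    dir=$1
    need=${2:-$REQUIRED_KB}
    verdict=$(classify_staging_dir "$dir")
    if [ "$verdict" = reject ]; then
        echo "$dir: QRadar system directory, do not copy the SFS file here" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: no such directory" >&2
        return 1
    fi
    avail=$(free_kb "$dir")
    if [ -z "$avail" ] || [ "$avail" -lt "$need" ]; then
        echo "$dir: ${avail:-unknown} KB free, $need KB required" >&2
        return 1
    fi
    if [ "$verdict" = warn ]; then
        echo "$dir: the SFS file is deleted overnight if you do not upgrade" >&2
    fi
    return 0
}
```

Source the file and run `check_staging /var/log` as root before copying; a non-zero return means that another location is needed.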