You must upgrade all of the IBM® QRadar® products in your deployment to the same version.
Before you begin
Review the software update checklist on the Update checklist tab. For more
information, see Software update checklist
(https://www.ibm.com/support/pages/qradar-software-update-checklist-administrators).
For QRadar versions earlier than QRadar 7.4.2, you must migrate your event collectors from
GlusterFS to Distributed Replicated Block Device. When you upgrade, QRadar event collectors are
detected, and the event collectors must be migrated before the upgrade can continue. For more
information, see Migrating event collectors from GlusterFS to Distributed Replicated Block Device.
Determine the minimum QRadar version that is required
for the version of QRadar to which you want to update.
- Click to check your current version of QRadar.
- To determine whether you can upgrade to a version of QRadar, go to QRadar Software 101
(https://www.ibm.com/community/qradar/home/software/) and check the release notes of the version you
want to upgrade to.
About this task
To ensure that IBM QRadar upgrades without errors, ensure that you use only the supported versions
of QRadar software.
Important:
- Software versions for all IBM QRadar appliances in a deployment must be the same version and fix
level. Deployments that use different QRadar versions of software are not supported.
- Custom DSMs are not removed during the upgrade.
Upgrade your QRadar Console first, and then upgrade each managed host. In high-availability (HA)
deployments, when you upgrade the HA primary host, the HA secondary host is automatically upgraded.
The following QRadar systems can be upgraded concurrently:
- Event processors
- Event collectors
- Flow processors
- QFlow collectors
- Data nodes
- App hosts
With QRadar 7.5.0 Update Package 2, you can enable Secure Boot. If Secure Boot is to be enabled on
the system, the public key must be imported after the patch completes. For more information, see
Enabling Secure Boot.
Procedure
- Download the .sfs file from Fix Central (www.ibm.com/support/fixcentral).
  - If you are upgrading QRadar SIEM, download the <QRadar>.sfs file.
  - If your deployment includes an IBM QRadar Incident Forensics (6000) appliance, download the
    <identifier>_Forensics_patchupdate-<build_number>.sfs file. The .sfs file upgrades the entire
    QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.
- Use SSH to log in to your system as the root user.
- Copy the SFS file to the /storetmp or /var/log
directory or to another location that has sufficient disk space.
Important: If the SFS file is in the /storetmp directory and you do not upgrade, when the overnight
diskmaintd.pl utility runs, the SFS file is deleted. For more information, see Daily disk maintenance
(https://www.ibm.com/support/pages/node/874848?mhsrc=ibmsearch_a&mhq=daily%20disk%20maintenance).
To verify you have enough space (5 GB) in the QRadar Console, type the following command:
df -h /storetmp /var/log | tee diskchecks.txt
Important: Don't copy the file to an existing QRadar system directory such as
the /store directory.
- To create the /media/updates directory, type the following
command:
- Use the command cd to change to the directory where you copied the SFS
file.
- To mount the SFS file to the /media/updates directory, type the
following command:
mount -o loop <QRadar>.sfs /media/updates
- To run the installer, type the following command:
If you receive the following error message, you have a QRadar Incident Forensics appliance in your
deployment. Download the QRadar Incident Forensics patch file from IBM Fix Central
(www.ibm.com/support/fixcentral). The patch file is named similar to this one:
<identifier>_Forensics_patchupdate-<build_number>.sfs. For more information about upgrading with a
QRadar Incident Forensics appliance in your deployment, see Upgrading QRadar Incident Forensics.
Error: This patch is incompatible with Forensics deployments
[ERROR](testmode) Patch pretest 'Check for QIF appliances in deployment' failed. (check_qif.sh)
[ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
[ERROR](testmode) Failed pretests
[ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
[INFO](testmode) Set ip-130-86 status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
[ERROR] Failed to apply patch on localhost, not checking any managed hosts.
An error was encountered attempting to process patches.
Please contact customer support for further assistance.
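The staging rules in the procedure above (5 GB of free space, no copy under /store, and overnight deletion of an unused SFS file in /storetmp) can be checked before the mount step. The following script is an added example, not IBM code; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code: function names and verdict strings are hypothetical.

REQUIRED_KB=$((5 * 1024 * 1024))   # 5 GB of free space, as the procedure requires

# Free space in KB on the file system that holds directory $1.
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Classify staging directory $1 given its free space in KB ($2).
# Prints reject-store, reject-space, warn-storetmp or ok; rejects return 1.
staging_verdict() {
    sv_dir="${1%/}"
    case "$sv_dir/" in
        /store/*) echo "reject-store"; return 1 ;;  # the system directory the page names
    esac
    if [ "$2" -lt "$REQUIRED_KB" ]; then
        echo "reject-space"
        return 1
    fi
    case "$sv_dir/" in
        /storetmp/*) echo "warn-storetmp" ;;  # diskmaintd.pl deletes an unused SFS overnight
        *) echo "ok" ;;
    esac
}

# Check the real location of SFS file $1 against the live file system.
check_staging() {
    [ -f "$1" ] || { echo "missing-file"; return 1; }
    cs_dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    staging_verdict "$cs_dir" "$(avail_kb "$cs_dir")"
}

# Usage as a script: sh check_staging.sh /storetmp/<QRadar>.sfs
if [ "$#" -ge 1 ]; then
    check_staging "$1"
fi
```

A warn-storetmp verdict means the location is acceptable only if the upgrade runs before the overnight maintenance job.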
What to do next
- Unmount /media/updates by typing the following command:
umount /media/updates
- Delete the SFS file.
- Perform an automatic update to ensure that your configuration files contain the latest network
security information. For more information, see Checking for new updates.
- Delete the patch file to free up space on the partition.
- Clear your web browser cache. After you upgrade QRadar, the Vulnerabilities tab might not be
displayed. To use QRadar Vulnerability Manager after you upgrade, you must upload and allocate a
valid license key. For more information, see the Administration Guide for your product.
- Determine whether there are changes that must be deployed. For more
information, see Deploy Changes.