Moving the /store file system to an iSCSI storage solution

You can migrate the IBM QRadar data that is maintained in the /store file system and mount the /store file system to an iSCSI device partition.

Migrating the /store file system to your offboard storage device can take an extended period of time.

Before you begin

Configure iSCSI volumes.

Procedure

  1. Stop the QRadar services by typing the following commands in the order specified:
    Note: Run the systemctl stop solr command only if you have QRadar® Incident Forensics in your deployment.
    systemctl stop hostcontext
    systemctl stop ecs-ec-ingress
    systemctl stop tomcat
    systemctl stop hostservices
    systemctl stop systemStabMon
    systemctl stop crond
    systemctl stop solr
    Note: Run the command systemctl stop tomcat on the Console.
  2. Unmount the /store file system by typing the following command:
    umount /store
  3. Create the /store_old directory by typing the following command:
    mkdir /store_old
  4. Derive the iSCSI device partition universally unique identifier (UUID) by typing the following command:
    blkid /dev/<partition>
  5. Edit the /etc/fstab file to update the existing /store file system mount point to /store_old.
  6. Make a new mount point for the /store file system by adding the following text to the /etc/fstab file:
    • If the file system is XFS, add the following text:
      UUID=<uuid> /store xfs inode64,logbsize=256k,noatime,noauto,_netdev 0 0
    • If the file system is ext4, add the following text:
      UUID=<uuid> /store ext4 noatime,noauto,nobarrier,_netdev 0 0
      Note: The nobarrier option is not supported in the Red Hat® Enterprise Linux® (RHEL) Version 8 operating system.

    Save and close the file.

  7. Mount the /store file system to the iSCSI device partition by typing the following command:
    mount /store
  8. Mount the /store_old file system to the local disk by typing the following command:
    mount /store_old
  9. Move the data from the local disk to the iSCSI storage device by typing the following command:
    cp -af /store_old/* /store
  10. Unmount /store_old by typing the following command:
    umount /store_old
  11. Remove the /store_old directory by typing the following command:
    rmdir /store_old
  12. Edit the /etc/fstab file to remove the /store_old entry.
  13. Start the QRadar services by typing the following commands in the order specified:
    Note: Run the systemctl start solr command only if you have QRadar Incident Forensics in your deployment.
    systemctl start crond
    systemctl start systemStabMon
    systemctl start hostservices
    systemctl start tomcat
    systemctl start ecs-ec-ingress
    systemctl start hostcontext
    systemctl start solr
  14. Remove the local copy of /store from the logical volume manager (LVM) by typing the following commands:
    lvchange -an /dev/storerhel/store 2>/dev/null
    lvrename /dev/storerhel/store /dev/storerhel/storeold 2>/dev/null
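
A check for the /etc/fstab edits in steps 5 and 6, to run before the mount commands in steps 7 and 8: it confirms that /store points at the UUID that blkid reported and carries noauto and _netdev, and that the old entry was renamed to /store_old. This is an added example, not part of the IBM procedure; check_store_fstab is a hypothetical helper name and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not an IBM tool: check_store_fstab is a hypothetical helper.
# Usage: check_store_fstab <fstab-file> <uuid-reported-by-blkid>
# Prints one line per finding; the exit status is the number of problems.
check_store_fstab() {
    awk -v want="UUID=$2" '
        function bad(msg) { print "PROBLEM: " msg; errs++ }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == "/store_old" { old++ }
        $2 == "/store" {
            n++
            opts = "," $4 ","
            if ($1 != want) bad("/store device is " $1 ", expected " want)
            if ($3 != "xfs" && $3 != "ext4") bad("unexpected type " $3)
            if (!index(opts, ",_netdev,")) bad("/store lacks _netdev")
            if (!index(opts, ",noauto,")) bad("/store lacks noauto")
            if (index(opts, ",nobarrier,"))
                print "WARNING: nobarrier is not supported on RHEL 8"
        }
        END {
            if (n != 1) bad("expected one /store entry, found " (n + 0))
            if (old != 1) bad("expected one /store_old entry, found " (old + 0))
            exit errs + 0
        }
    ' "$1"
}

# Constructed sample: fstab after step 6 on an XFS system. The UUID and the
# options on the /store_old line are made up for illustration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/storerhel/store /store_old xfs inode64,logbsize=256k,noatime 0 0
UUID=11111111-2222-3333-4444-555555555555 /store xfs inode64,logbsize=256k,noatime,noauto,_netdev 0 0
EOF
check_store_fstab "$sample" 11111111-2222-3333-4444-555555555555 &&
    echo "fstab entries are consistent"
rm -f "$sample"
```

On the appliance, pass /etc/fstab and the UUID from step 4 instead of the sample file.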

What to do next

See Mounting the iSCSI volume automatically.