You can migrate the IBM QRadar data that is maintained in the /store file system and mount the /store file system to an iSCSI device partition. Migrating the /store file system to your offboard storage device can take an extended time.
Procedure
- Stop the QRadar services by typing the following commands in the order specified:
  Note: Run the command systemctl stop solr only if you have QRadar® Incident Forensics in your deployment.
  systemctl stop hostcontext
  systemctl stop ecs-ec-ingress
  systemctl stop tomcat
  systemctl stop hostservices
  systemctl stop systemStabMon
  systemctl stop crond
  systemctl stop solr
  Note: Run the command systemctl stop tomcat on the Console.
- Unmount the file systems by typing the following commands:
- Create the /store_old directory by typing the following command:
- Derive the iSCSI device partition universal unique identifier (UUID) by typing the following command:
- Edit the /etc/fstab file to update the existing /store file system mount point to /store_old.
- Make a new mount point for the /store file system by adding the following text to the /etc/fstab file:
  - If the file system is XFS, add the following text:
    UUID=<uuid> /store xfs inode64,logbsize=256k,noatime,noauto,_netdev 0 0
  - If the file system is ext4, add the following text:
    UUID=<uuid> /store ext4 noatime,noauto,nobarrier,_netdev 0 0
    Note: The nobarrier option is not supported in Red Hat® Enterprise Linux® (RHEL) Version 8 operating system.
- Mount the /store file system to the iSCSI device partition by typing the following command:
- Mount the /store_old file system to the local disk by typing the following command:
- Move the data from the local disk to the iSCSI storage device by typing the following command:
  cp -af /store_old/* /store
- Unmount /store_old by typing the following command:
- Remove the /store_old directory by typing the following command:
- Edit the /etc/fstab file to remove the /store_old entry.
- Start the QRadar services by typing the following commands in the order specified:
  Note: Run the command systemctl start solr only if you have QRadar Incident Forensics in your deployment.
  systemctl start crond
  systemctl start systemStabMon
  systemctl start hostservices
  systemctl start tomcat
  systemctl start ecs-ec-ingress
  systemctl start hostcontext
  systemctl start solr
- Remove the local copy of /store from the logical volume manager (LVM) by typing the following commands:
  lvchange -an /dev/storerhel/store 2>/dev/null
  lvrename /dev/storerhel/store /dev/storerhel/storeold 2>/dev/null
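As an added example that is not part of the IBM documentation, the shell helpers below build the /etc/fstab entry for the iSCSI-backed /store file system from the two templates in the procedure, dropping nobarrier on RHEL 8, and check that /etc/fstab no longer carries an active /store mount before the new entry is added. The RHEL major version is passed in as an argument (assumption: the caller reads it from the system), and the UUID in the usage call is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the IBM QRadar documentation.
# Helpers for the /etc/fstab edits in the /store migration procedure above.

# valid_uuid UUID: succeed only for a canonical 8-4-4-4-12 hex UUID,
# the form blkid reports for the iSCSI device partition.
valid_uuid() {
    printf '%s\n' "$1" |
        grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# store_fstab_line UUID FSTYPE RHEL_MAJOR: print the /store entry from the
# procedure's templates. noauto keeps boot from blocking on the iSCSI target,
# _netdev defers the mount until networking is up, and nobarrier is omitted
# on RHEL 8 because that release does not support the option.
store_fstab_line() {
    uuid=$1; fstype=$2; rhel_major=$3
    valid_uuid "$uuid" || { echo "invalid UUID: $uuid" >&2; return 1; }
    case "$fstype" in
        xfs)  opts='inode64,logbsize=256k,noatime,noauto,_netdev' ;;
        ext4) if [ "$rhel_major" -ge 8 ]; then
                  opts='noatime,noauto,_netdev'
              else
                  opts='noatime,noauto,nobarrier,_netdev'
              fi ;;
        *)    echo "unsupported file system: $fstype" >&2; return 1 ;;
    esac
    printf 'UUID=%s /store %s %s 0 0\n' "$uuid" "$fstype" "$opts"
}

# fstab_has_store_mount FSTAB_PATH: succeed if an uncommented entry still
# mounts /store. The procedure renames the old entry to /store_old first;
# adding the iSCSI entry while one remains would leave two /store lines.
fstab_has_store_mount() {
    awk '$1 !~ /^#/ && $2 == "/store" { found = 1 } END { exit !found }' "$1"
}

# Usage with a constructed sample UUID (replace with the blkid output).
store_fstab_line 0f2d1c3a-1111-2222-3333-444455556666 ext4 8
```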