IBM Support

DSM, scanner, and protocol update processes available to QRadar administrators

Question & Answer


Question

How do updates from Fix Central, auto updates, and offline updates work and interact in QRadar?

Cause

QRadar can be updated through several mechanisms. This article explains how those mechanisms interact with each other.

Answer

There are three potential methods of installing auto updates on your QRadar Console:

    1. The online autoupdate process
    2. The offline autoupdate process
    3. Manually installing RPMs from IBM Fix Central


1. The online autoupdate process
Updates to DSM, PROTOCOL and VIS RPMs are made available weekly to QRadar administrators whose appliances can connect over the Internet to an automatic update server. Whether QRadar attempts to install these updates automatically depends on the autoupdate preferences configured in QRadar and on whether the QRadar Console has Internet access.

System notifications are generated to alert administrators to successful automatic updates, failed automatic updates, and installation issues related to the weekly automatic update.

In some circumstances, an attempt to install a particular update may fail. This is most commonly due to a failed or required dependency on another RPM file. The recent status can be viewed from the Admin tab under Auto Update > Check for Updates to see whether any 'Failed' installs exist. If you select a failed update, a description is displayed that shows the dependency that caused the update to fail.

To install a failed update, you will need to review and install the relevant dependency that caused the error. After the dependency issue has been resolved, the administrator can select the failed update and click Install > Selected Updates to retry the installation of the failed RPM.

Note: If you do not have a security appliance for a failed DSM, protocol, or scanner then you may leave the update in the failed state or hide it from the user interface.


2. The offline autoupdate process
For customers who have QRadar systems which are not connected to the Internet there is a manual autoupdate file that administrators can download from IBM Fix Central. Administrators can copy this file to the QRadar appliance and configure QRadar auto updates to look in this location for the update package with all of the weekly updates.

The file downloaded from IBM Fix Central will look something like "autoupdate-1397067597.tgz". A change list is also provided for download that shows the changes to the RPM files in the weekly auto update. You must sign in to IBM Fix Central to review or download the change list.


Instructions and a discussion on how to offline install the auto update file can be found here:


After QRadar is configured to get the autoupdate from this location, the system will install the files on the QRadar Console, then replicate all of the required files and configurations to managed hosts in the deployment. RPM files are only ever installed on the QRadar Console appliance.

If an administrator has a Console without Internet access, they are responsible for ensuring the autoupdate package is downloaded from Fix Central and made available to QRadar on a regular basis. Auto updates are cumulative, so missing a week will not prevent future updates from installing properly.


Note: The auto update file contains folders with QRadar 7.1, 7.2, and 7.3 RPMs.
 


3. Manually Installing RPMs from IBM Fix Central
Where required, certain updates may need to be installed manually from the Fix Central repository. To install an individual RPM file, download the DSM, protocol, or scanner from Fix Central to a directory on the QRadar Console and type the command: yum install -y <FILENAME>

Any unresolved dependencies will be indicated on the command line, and further RPMs may need to be downloaded and installed before the update can be installed.

The command listed below installs files in the proper order for the Console. If you decide to manually download a large number of rpms, you must install the rpms in the following order:

  1. Install all Common rpms
  2. Install all DSM rpms
  3. Install all PROTOCOL rpms
  4. Install all VIS rpms

To install a large number of RPMs in a single command, type: for FILE in *Common*.rpm DSM-*.rpm PROTOCOL-*.rpm VIS-*.rpm; do yum install -y "${FILE}"; done
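
The same ordered install as a script, as an added example that is not IBM's own tooling: it skips patterns that match no file, lists a file only once when it matches two patterns, and stops at the first failed RPM so the dependency message stays visible. The function names, the YUM override variable and the --plan/--install arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM tooling): ordered manual install of QRadar RPMs.
nl='
'

# Print the RPMs found in DIR in the required order (Common, DSM, PROTOCOL,
# VIS), one path per line. A pattern that matches nothing is skipped rather
# than handed to yum as a literal string, and a file matching two patterns
# (for example both *Common* and DSM-*) is listed only once.
ordered_rpms() (
    dir=${1:-.}
    seen=$nl
    for pattern in '*Common*.rpm' 'DSM-*.rpm' 'PROTOCOL-*.rpm' 'VIS-*.rpm'; do
        for file in "$dir"/$pattern; do
            [ -f "$file" ] || continue
            case $seen in *"$nl$file$nl"*) continue ;; esac
            seen=$seen$file$nl
            printf '%s\n' "$file"
        done
    done
)

# Install the RPMs one at a time and stop at the first failure, so the
# dependency error reported by yum is not buried under later output.
# YUM is an assumed override hook for rehearsing the run (e.g. YUM=echo).
install_ordered() (
    ordered_rpms "${1:-.}" | while IFS= read -r file; do
        ${YUM:-yum} install -y "$file" </dev/null || {
            printf 'FAILED: %s; resolve its dependency and rerun\n' "$file" >&2
            exit 1
        }
    done
)

# Usage: sh <this script> --plan DIR | --install DIR
case ${1:-} in
    --plan)    ordered_rpms "${2:-.}" ;;
    --install) install_ordered "${2:-.}" ;;
esac
```

Running it with --plan first shows the exact order yum will be given before anything is changed on the Console.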


What to do next
The installation will indicate any additional steps that are required following an update. After a large number of RPM files have been updated, administrators typically need to do the following:

  1. From the Admin tab, select Advanced > Deploy Full Configuration.
  2. From the Admin tab, select Advanced > Restart Web Server.
     



Where do you find more information?



 


Document Information

Modified date:
10 May 2019

UID

swg21682051