Resolving The Problem
What is a "Deploy" in QRadar?
When a QRadar Console detects changes that are required to be pushed out to managed hosts, it shows in the Admin tab as banner stating that changes need to be deployed:
Changes are pushed out from the "staging" area of QRadar to the "deployed" area and the Hostcontext service restarts the appropriate components. If a component does not have changes then there are no changes to deploy, then a restart of that service might not be required.
What is the difference between "Deploy Changes" and "Deploy Full Configuration"?
After you perform a "Deploy changes", only services that need updates are restarted on the appliances. Data collection and processing continues as normal because the Event Collection Server/Service (ECS) does not restart. A Deploy Changes does not impact the QRadar event pipeline (collection, processing, rules, or offenses).
A "Deploy Full Configuration" from the Admin tab sends a request to rebuild all configuration file sets. Each individual appliance contains its own configuration files which then restarts services to ensure that the new configuration is loaded. All processes that collect and process QRadar data restart, and an interruption of data collection occurs. The data collection disruption is due to the ECS service being restarted, during a full deploy.
Starting from QRadar 7.2.6, anytime a service interruption is expected on a Deploy, a warning dialog message is shown to an Admin user. This allows the Admin user to cancel a deploy and to defer to a later time:
Examples of QRadar changes that require Deploy Full Configuration:
Adding or removing a host in the deployment editor that has an EC, EP, or MPC component.
Adding, removing, or editing the values on an EC/EP component or offsite source or target component in the deployment editor.
Adding or updating a license that changes the EPS or FPM (flows per minute) values (Not valid in QRadar 7.3).
Enabling or disabling encryption (Tunneling) on a "managed host".
Examples of QRadar changes that require a Deploy Changes:
Adding or editing a new user or user role.
Adding or updating network hierarchy.
Adding a new security profile.
Creating a new authorized service token.
Adding a centralized credential (security descriptor)
Adding a new log source.
Setting a password for another user.
User changing their own password.
Change a users' user role and/or security profile.
Note: The list above may change in future releases as QRadar is moving towards having less interruption and downtime.
Where do you find more information?
01 September 2019