IBM Support

QRadar: How to manually install the QRadar weekly auto update bundle

Question & Answer


Question

This article describes how to download and install the QRadar automatic update bundle that is posted every week to IBM Fix Central. The auto update bundle includes the latest RPMs for QRadar as a single tgz file. Most administrators are not required to install the auto update bundle manually each week. This article informs administrators how to complete a manual install of a weekly update if a technical issue prevents you from receiving weekly update automatically.

Answer

Quick links:
  1. About the QRadar weekly auto update bundle
  2. Auto update server locations
  3. Configuring an auto update file on your local QRadar console
  4. How to install the auto update file
  5. Auto update log file locations




About the QRadar auto update bundle

The QRadar® automatic update bundle is intended for administrators who block Internet access or air-gap access to the QRadar Console from external networks. The QRadar weekly auto update bundle can be found in the AUTOUPDATE section of IBM Fix Central.

image 7299
Fig 1: The auto update file download from IBM Fix Central.

The auto update bundle from IBM Fix Central contains the following content:
 
  • Device support module (DSM) rpm files - New integrations and parsing/categorization updates for existing DSMs are provided for QRadar 7.3.x and 7.4.x versions.
  • Protocol rpm files - New protocols and updates are provided to listen for or retrieve events from remote sources for QRadar 7.3.x and 7.4.x versions.
  • Scanner rpm files - New scanner module releases and updates are provided for QRadar 7.3.x and 7.4.x versions.
  • Vulnerability catalog updates - The vulnerability catalog update is a database file that includes CVE information, vulnerability descriptions, and signature information so scan results can display vulnerability information. Vulnerability catalog updates are delivered daily for administrators with QRadar Vulnerability Manager.


 

Configuring an auto update file on your local QRadar Console

  1. In a web browser, navigate to IBM Fix Central and log in with your IBMid.
  2. Select QRadar, provide your product version, and platform.
  3. Select Browse for fixes.
  4. Download the auto update file to your local workstation.
  5. Use SSH to log in to the QRadar Console as the root user.
  6. Create a symbolic link between the /storetmp and the /opt/qradar/www/autoupdates directory.
      ln -s /storetmp/ /opt/qradar/www/autoupdates
  7. To verify there is enough space for the auto update, type:
       df -h /opt/qradar/www/autoupdates
    Note:  The size of the weekly auto update file is approximately 2 GB to 3 GB.
  8. Copy the autoupdate-<version>.tgz file from your workstation to the QRadar Console. The file should be placed in /opt/qradar/www/autoupdates/ directory or the symlink directory you created in Step #6.
  9. On your QRadar Console, type the following command to extract the autoupdate package:
       tar -zxvf autoupdate-[timestamp].tgz

    Results
    You are now ready to configure the QRadar user interface to install the local auto update file. If you have questions or concerns about changing your automatic update setting, you should ask a question in the forums before you make changes to your auto update configuration.

How to install the auto update file

  1. Log in to the QRadar user interface.
  2. Click Admin tab.
  3. Click Auto Update icon.
  4. Click Change Settings.
  5. Select Advanced tab.
  6. In the Webserver field, type https://localhost/ or https://Console_IP_address/ as either option can be used.
    Note: The trailing forward slash (/) is required in the Webserver field. For example, if your IP address is 10.10.10.10, type: https://10.10.10.10/.
  7. In the Directory field, leave the autoupdates/ configuration as the default value.
  8. Optional. Configure the proxy fields if you are using a proxy for external Internet connections.
  9. If the Send feedback option is enabled, clear the check box to disable the feedback option.
  10. Click Save.
  11. The system attempts to contact the URL defined as your https address and displays a message that states that the remote webserver is unavailable. This is an expected, but benign message for local autoupdate configurations.
  12. Click Check for Updates navigation menu, then click Get New Updates.
  13. Wait for the update to complete. A dashboard system notification is generated when updates are successfully installed or when an error occurs. If you have questions or concerns about an auto update status, you can ask a question in the forums.
Fig 2: A system notification is generated on the QRadar Dashboard when the update completes successfully.
After the auto update completes, the administrator can close the notification.

IMPORTANT: To receive automated updates in the future from QRadar Consoles that have Internet access, the administrator can set the Web Server field to https://auto-update.qradar.ibmcloud.com/. If you plan to manually update your Console appliance every week, the administrator can leave the Web Server field as https://localhost/.

 

Auto update log file locations

To view the auto-update log for QRadar 7.3, and 7.4, you must extract the AU-timestamp.gz file from /var/log/autoupdates directory.
 

Auto update server locations

Administrators who decide to enable QRadar weekly auto updates need to be aware of a new server location in the IBM Cloud. If you use IP-based firewall rules, update your firewall rules to ensure daily and weekly updates continue without interruption. All QRadar® products and versions are impacted by this change.
 
Server changes Hostname Static IP address Location Description
New server cluster https://auto-update.qradar.ibmcloud.com/ 169.47.251.244 Global New server active on 27 July 2020
Legacy server https://qmmunity.q1labs.com/ 69.20.113.167 United States Active until 30 November 2020
Legacy server https://qmmunity-eu.q1labs.com/ 212.64.156.13 Europe Active until 30 November 2020


IMPORTANT: Administrators who fail to update their corporate firewalls might experience an interruption in service after 30 November 2020. QRadar Support recommends that all administrators update their QRadar Console's auto update settings during a maintenance window and confirm that auto updates complete successfully.

For more information on the new IBM Cloud auto update server, see QRadar: Important auto update server changes for administrators.

[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000bpQsAAI","label":"QRadar->Administration->AutoUpdates"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.3;7.4.0","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
30 November 2020

UID

swg22003034