IBM Support

QRadar RAID6 Diagnostic Utility



Abstract

This article advises administrators about a potential RAID 6 issue and includes instructions for locating these misconfigured appliances in the QRadar deployment.

Download Description




About the RAID 6 Detection Utility


QRadar administrators are being contacted because some appliances might be configured with only 8 of the 9 drives allocated to the RAID array. All drives are present in the system; however, with a single drive unallocated to the array, the appliance cannot use all of the available drive space for event or flow storage. Administrators receiving this notice potentially have a RAID configuration issue on an appliance in their deployment and should run the attached detection utility to identify the hostnames and IP addresses of QRadar appliances that are affected by this RAID 6 configuration issue. The detection utility creates a results.txt report for all appliances in the deployment and identifies any systems with a RAID array configuration issue with the following text: "RAID 6 Issue Identified".

The detection utility does not adversely affect performance on the QRadar Console or remote appliances when generating the report for the RAID configuration. The report is printed to the screen and written to a text file.

For example:
    IP= "172.16.77.35"
    Hostname= "csd35.ibm.com"
    Status= "Active"
    App. Type= "software"
    IBM Serial Number= "7804056"
    Foxconn Serial Number= "WS2NNL4"
    Result= "RAID 6 Issue Identified"

Prerequisites

Prerequisites for the RAID 6 Detection Utility


This utility and instructions are only intended for administrators who were contacted with appliances that might have the RAID 6 issue. This utility is intended to only run from the Console appliance. Any other appliances in the deployment are identified and a report is generated on the Console. The detection utility does not adversely affect performance on the QRadar Console or remote appliances.

The RAID6 detection utility includes the following prerequisites:

    • Remote access to the appliance is required by QRadar Support.
    • Root access to the QRadar Console is required to run the detection utility.
    • Administrators must have a method of copying files to and from the QRadar appliance, such as WinSCP or a USB drive.
    • The detection utility can be run on QRadar Consoles at software version v7.2.1 to v7.2.8.
    • The data on any affected appliance must be backed up before QRadar Support conducts any configuration updates. While it is unlikely that data will be lost during a drive configuration update, it is a best practice to back up the appliance data before any changes are started on the appliance.
    • All QRadar appliances must be installed in the deployment.
    • All QRadar appliances must be powered on.

      Important: If you do not meet any of these prerequisites, you can contact QRadar Support for assistance.

Installation Instructions

Installing the RAID 6 Detection Utility


These installation instructions prepare the Console to run the RAID6 detection utility.

    Procedure
    1. Using SSH, log in to your QRadar Console as a root user.
    2. Download the RAID6_diagnostic.tgz utility attached to this article to a workstation or notebook with access to the QRadar Console.
    3. Using SCP or WinSCP, copy the diagnostic utility and sha1 file to the / directory.
    4. To verify the sha1 sum of the file, type sha1sum RAID6_detection.tgz.

      The returned sums should match this hashed value:
      279a535c935e3f864c44d3286f5e8db6671398a5  RAID6_detection.tgz

      Optionally, copy the .sha1 file to the QRadar Console and type: sha1sum -c RAID6_detection.sha1
      An OK output verifies that the RAID6_detection.tgz file is complete.

    5. To extract the file, type tar -zxvf RAID6_diagnostic.tgz.
    6. To set permissions on the files, type chmod +x /opt/qradar/support/devinfo/*
    7. To verify that permissions are set, type ls -lart

      Results
      The utility permissions should be set to execute by all users. You are now ready to run the detection utility from the Console to identify appliances with a RAID6 configuration issue.

Using the RAID 6 Detection Utility


The RAID6 diagnostic utility returns a report named results.txt of all appliances in the QRadar deployment and identifies any systems that have a misconfigured RAID array. The results.txt report can be provided to QRadar Support representatives to identify and schedule maintenance for these appliances.

    Procedure
    1. To start a screen session, type: screen
    2. Navigate to the /opt/qradar/support/devinfo directory.
    3. From the devinfo directory, type ./SerNums.py -i Console_IP_address

      For example: ./SerNums.py -i 172.16.77.35
    4. Depending on the size of the deployment, the utility might take several minutes to complete the report. Do not attempt to stop the detection utility that is currently generating a report.
    5. The contents of the report are printed to the screen and a results.txt file is generated in the directory.
    6. Administrators can review the Result= field in the report to determine if any appliances are affected.
    7. Administrators with any hosts that returned a result of "RAID 6 Issue Identified" should contact QRadar Support to schedule maintenance on that appliance.

      Reading the results
      Administrators can review the results for each appliance to determine if any hosts in the network are affected by the RAID6 drive issue. There are two result types that the utility returns:
      • Result= "No Issue"
      • Result= "RAID 6 Issue Identified"
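
To triage a large results.txt without reading every record, the following added example (not part of the IBM utility) classifies each appliance by its Result= line. It assumes every record begins with an IP= line in the format shown in this article; the 192.0.2.x hosts and the REVIEW tag for records without a recognized result are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a results.txt report, one output line per appliance.
# Assumption: each record starts with an IP= line and uses Key= "value" lines.

triage_results() {
    # $1 = path to results.txt; prints "TAG<TAB>IP<TAB>hostname"
    awk '
        function val(line) {      # text between the first pair of double quotes
            sub(/^[^"]*"/, "", line); sub(/".*$/, "", line); return line
        }
        function emit() {
            if (ip == "") return
            if (result == "RAID 6 Issue Identified") tag = "AFFECTED"
            else if (result == "No Issue")           tag = "OK"
            else tag = "REVIEW"   # missing or unexpected Result: do not assume healthy
            printf "%s\t%s\t%s\n", tag, ip, host
        }
        /^[ \t]*IP=/       { emit(); ip = val($0); host = ""; result = "" }
        /^[ \t]*Hostname=/ { host = val($0) }
        /^[ \t]*Result=/   { result = val($0) }
        END                { emit() }
    ' "$1"
}

# Constructed sample: the first record reuses the values shown in this article,
# the other two are made up (the last one has no Result= line).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
    IP= "172.16.77.35"
    Hostname= "csd35.ibm.com"
    Status= "Active"
    Result= "RAID 6 Issue Identified"
    IP= "192.0.2.10"
    Hostname= "ep1.example.com"
    Status= "Active"
    Result= "No Issue"
    IP= "192.0.2.11"
    Hostname= "ep2.example.com"
EOF

triage_results "$sample"
```

On a Console, call triage_results with the path to the generated results.txt instead of the sample file.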

      If your SSH session is disconnected while the utility is running
      If your SSH session becomes disconnected, open a new SSH connection to the Console and type screen -r to view a list of screen sessions that you can reconnect to. To reconnect to an existing screen session, type screen -r sessionname. For example, type: screen -r 31844.pts-1.qradar to reconnect and retrieve the output of the results.txt file.

Contacting QRadar Support


Administrators who have reports that returned a result of "RAID 6 Issue Identified" should open a support ticket (PMR) with QRadar Support and attach the results.txt file. The support representative will review the report attached to the support ticket and contact you.

NOTE: If you do not allow remote access at your facility, let your support representative know so they can make additional accommodations.

    Procedure
    1. Using SCP or WinSCP, copy the output of results.txt to your laptop or workstation.
    2. In any web browser, go to https://ibm.biz/qradarsupport.
    3. Open a software PMR.
    4. In your ticket, mention you are reporting a 'RAID 6 configuration issue' on your appliance.
    5. Attach the results.txt file to your support ticket and provide which repair option you want to have completed on your appliance.

      Repair options
      Option 1: Take no action

      This option incurs no downtime for administrators; however, it leaves the appliance with 11% less storage space compared to option #3.

      Option 2: Configure the ninth drive to be a hot spare drive for the appliance.

      Option 2 incurs no downtime and increases fault tolerance for the appliance. This option leaves the appliance with less storage, but allows support to convert the ninth drive to a hot spare in case of a future drive failure.

      Option 3: Repair and re-add the 9th drive to the RAID6 array to recover the drive space. This option recovers the drive space, but requires support to complete extended maintenance on the appliance.

      Option 3 requires two phases to complete. Phase 1 adds the drive to the RAID array, which can take 30+ hours to complete. During phase 1 the appliance is running, but the system might experience significantly reduced storage performance while the remediation is in progress because the RAID array is being rebuilt. Phase 2 is the configuration of QRadar to use the additional disk space. Phase 2 requires QRadar services to be restarted and several appliance reboots, for up to 2 hours of downtime. After support completes this process, all drive space is recovered.


    Results
    A QRadar Support representative will contact you to discuss this issue with you and identify a time when maintenance can be performed on the QRadar host to repair and add the missing drive back in to the RAID array.


Document Information

Modified date:
30 August 2019

UID

swg24042609