IBM Support

Interim Fix 01 - For QRadar 7.2.6 Patch 5 (7.2.6.20160506171537)

Release Notes


Abstract

This release note describes the fixed issues and installation procedures for IBM Security QRadar 7.2.6 Patch 5 Interim Fix 01 (7.2.6.20160510193943).

Content

Interim fixes are intended to resolve specific APAR issues in the latest version of QRadar. If your deployment is installed with IBM Security QRadar 7.2.6 Patch 5 (7.2.5.20150831191404), then this interim fix can be applied to your system.



Issues resolved in 7.2.6.5 IF01

Number    Description
IV83748   'AN ERROR OCCURRED POSITIONING THE RESULT SET RETURNED FROM THE SERVER TO ROW 1...' ERROR MESSAGE DISPLAYED IN SEARCH RESULTS
IV84689   OFFLINE FORWARDING FROM DATA NODES DOES NOT WORK



Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to patch the entire deployment.
  • Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.



About this task

Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.


    Procedure
    1. Download the fix pack 7.2.6-QRADAR-QRSIEM-20160510193943INT from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.6-QRADAR-QRSIEM-20160510193943INT&includeRequisites=0&includeSupersedes=0
    2. Using SSH, log in to your system as the root user.
    3. Copy the fix pack to the /tmp directory on the QRadar Console.

      Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
    4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
    5. Change to the directory where you copied the patch file. For example, cd /tmp
    6. To mount the patch file to the /media/updates directory, type the following command:
      mount -o loop -t squashfs 726_QRadar_interimfix-7.2.6.20160121152811-IF01-20160510193943.sfs /media/updates
    7. To run the patch installer, type the following command: /media/updates/installer

      Note: The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
    8. Using the patch installer, select one of the following options:

      • The all option updates the software on all appliances in the following order:

        1. Console
        2. Event Processors
        3. Event Collectors
        4. Flow Processors
        5. Flow Collectors
      • If you do not select the all option, you must select your Console appliance.

        As of QRadar 7.2.6 Patch 3 and later, administrators are only provided the option to update all or update the Console appliance as the managed hosts are not displayed in the installation menu. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 3 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.

        If administrators want to patch systems in series, they can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts.

        If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
    9. After the patch completes and you have exited the installer, type the following command: umount /media/updates
    10. Administrators and users should clear their browser cache before logging in to the Console.
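
The following script is an added example, not part of the IBM release note or IBM tooling. It wraps steps 3 to 6 in pre-flight checks: it picks a staging directory with enough free space, refuses to mount over a mount point that is already in use, and confirms that the mounted image contains an executable installer. The function names, the /proc/mounts check and the operator-supplied candidate directories are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): pre-flight checks around steps 3-6.
MOUNT_POINT="/media/updates"   # directory created in step 4

# True if the filesystem holding directory $2 has room for a copy of file $1.
has_space_for() {
    local need_kb avail_kb
    need_kb=$(( ($(wc -c < "$1") + 1023) / 1024 ))
    avail_kb=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -gt "$need_kb" ]
}

# Print the first existing candidate directory with room for file $1.
pick_staging_dir() {
    local file=$1 dir
    shift
    for dir in "$@"; do
        if [ -d "$dir" ] && has_space_for "$file" "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Steps 4 and 6, refusing a missing file or an already-used mount point.
mount_fix_pack() {
    local sfs=$1
    [ -f "$sfs" ] || { echo "missing fix pack: $sfs" >&2; return 1; }
    mkdir -p "$MOUNT_POINT" || return 1
    if grep -qs " $MOUNT_POINT " /proc/mounts; then
        echo "$MOUNT_POINT is already a mount point" >&2
        return 1
    fi
    mount -o loop -t squashfs "$sfs" "$MOUNT_POINT" || return 1
    # A mounted image without an executable installer is not the expected fix pack.
    [ -x "$MOUNT_POINT/installer" ] || { umount "$MOUNT_POINT"; return 1; }
}

# Usage (as root): script.sh <downloaded .sfs> <candidate dir> [more dirs...]
if [ "$#" -ge 2 ]; then
    src=$1
    shift
    dir=$(pick_staging_dir "$src" "$@") || { echo "no directory has room" >&2; exit 1; }
    cp "$src" "$dir/" && mount_fix_pack "$dir/$(basename "$src")" || exit 1
    echo "Mounted. Run $MOUNT_POINT/installer, then: umount $MOUNT_POINT"
fi
```

The installer itself is interactive, so the script stops after the mount and leaves steps 7 to 9 to the administrator.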

Results
A summary of the fix pack installation advises you of any managed hosts that were not updated. If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally.

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.









Document Information

Modified date:
10 May 2019

UID

swg27048176