IBM Support

QRadar: Checklist for GlusterFS to Distributed Replication Block Device Migration on Event Collectors

Question & Answer


Question

How to check whether your QRadar deployment is ready for GlusterFS to Distributed Replication Block Device migration?

Cause

The QRadar® upgrade to V7.4.2 or later requires you to run a migration script on the Console appliance. This script migrates the High Availability (HA) file system from GlusterFS to Distributed Replication Block Device on all Event Collectors in your deployment (irrespective of whether they are currently part of an HA setup).
This article provides a list of checks to ensure the migration goes well and does not encounter any known issues. Some of the checks require commands to be run on the Event Collectors in your deployment; for that purpose you can use the all_servers.sh command that is documented in this article.

Answer

  1. Check whether you have Event Collectors in your deployment. To find out:
    1. Log in to the Console UI as an admin user.
    2. Click the Admin tab > System Configuration > System and License Management.
    3. Under the System and License Management user interface, in the Version column, confirm whether the Event Collectors are all at a version lower than 7.4.2.
  2. Ensure that bidirectional SSH is working between the Console and all the Event Collectors in the deployment. If bidirectional SSH is not working, use this article to troubleshoot and fix the issues.
  3. On each Event Collector, ensure that /storetmp has enough space. By default, the migration script takes a backup of /store and stores it on /storetmp. The unused space on the /storetmp partition needs to be greater than the space that is used on the /store partition. You can use the df command with the -h parameter to list the partitions along with the details on used and unused space on each partition.

    For example, consider this output:
    Filesystem                        Size  Used Avail Use% Mounted on
    /dev/mapper/storerhel-store       365G   8G  311G  15% /store
    /dev/mapper/rootrhel-storetmp      15G   35M   15G   1% /storetmp
    
    This space usage is suitable as the used space of /store is 8 GB and the unused space of /storetmp is 15 GB.
  4. Ensure that disk space on the Event Collectors is greater than 256 GB. Disk capacity can be found by using the lsblk command:
     
    lsblk
    Output:
    NAME                     MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    sda                        8:0    0   500G  0 disk 
  5. On each Event Collector, check whether the /store partition is available. Run this command on the Event Collector to verify that the /store partition is available. If the Event Collector is in HA, run the command on the active Event Collector. If the partition is not available, rebuild the Event Collector with a minimum of 256 GB of disk space.
     
    df -h | grep -i /store
    For more details, visit this knowledge-base article.
  6. Check the permissions assigned to the script. The permissions need to be -rwxr-xr-x or 755. On the QRadar console, check the file permission of the script (the file with the .bin extension) by using this command:
     
    ls -ltrh /opt/qradar/ha/bin/glusterfs_migration_manager-<script_version>.bin
    
  7. Ensure the hostnames of the Event Collectors in the deployment do not exceed 54 characters. More details about this limitation and the workaround can be found in this article.
  8. If the entry for /store in the Event Collector's /etc/fstab has the filesystem type set to ext4, you are likely to encounter symptoms mentioned in this article. Use the instructions provided there to fix the issue.
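
The Event Collector checks from items 3, 4, 5, 7 and 8, collected into one script. This is an added example, not IBM's code and not part of the migration script. The function names and the `--live` switch are hypothetical, and it assumes that 256 GB means 256 * 1024^3 bytes and that any whole disk above that size satisfies item 4.

```bash
#!/bin/bash
# Added example: Event Collector checks for items 3, 4, 5, 7 and 8 above.
# Each check takes its data as an argument so it can be tested on saved output.

# Items 3 and 5: /store must exist, and unused KB on /storetmp must exceed
# used KB on /store. $1 = output of `df -Pk`.
check_storetmp() {
    printf '%s\n' "$1" | awk '
        $6 == "/store"    { used = $3;  s = 1 }
        $6 == "/storetmp" { avail = $4; t = 1 }
        END { exit !(s && t && avail + 0 > used + 0) }'
}

# Item 4: a whole disk larger than 256 GB (taken as 256 * 1024^3 bytes, an
# assumption). $1 = output of `lsblk -bdn -o NAME,SIZE,TYPE`.
check_disk() {
    printf '%s\n' "$1" |
        awk '$3 == "disk" && $2 > 256 * 1024 ^ 3 { ok = 1 } END { exit !ok }'
}

# Item 7: the hostname must not exceed 54 characters.
check_hostname() { [ "${#1}" -le 54 ]; }

# Item 8: print the filesystem type recorded for /store in an fstab file.
store_fstype() { awk '$1 !~ /^#/ && $2 == "/store" { print $3 }' "$1"; }

report() {  # report LABEL COMMAND [ARGS...]: print PASS/FAIL for one check
    local label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

preflight() {  # gather live data on this host and run every check
    local rc=0
    report "/storetmp unused > /store used" check_storetmp "$(df -Pk)" || rc=1
    report "disk larger than 256 GB" check_disk "$(lsblk -bdn -o NAME,SIZE,TYPE)" || rc=1
    report "hostname within 54 characters" check_hostname "$(hostname)" || rc=1
    report "/store not ext4 in /etc/fstab" test "$(store_fstype /etc/fstab)" != ext4 || rc=1
    return "$rc"
}

# Constructed sample in `df -Pk` layout (sizes in KB), not taken from a real host.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/storerhel-store 382730240 8388608 326107136 3% /store
/dev/mapper/rootrhel-storetmp 15728640 35840 15692800 1% /storetmp'

if [ "${1:-}" = "--live" ]; then preflight
else report "sample: /storetmp unused > /store used" check_storetmp "$SAMPLE_DF"
fi
```

Run it with `--live` on each Event Collector (on the active node of an HA pair); a non-zero exit status means at least one check failed. Item 6 is checked separately on the Console.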
A list of known issues for GlusterFS to Distributed Replication Block Device is maintained here.

 
The words LINSTOR®, DRBD®, LINBIT®, and the logo LINSTOR®, DRBD®, and LINBIT® are trademarks or registered trademarks of LINBIT in Austria, the United States, and other countries.

 


Document Information

Modified date:
02 December 2021

UID

ibm16507641