QRadar EDR (formerly ReaQta): Updating the hive and agent endpoints

Question & Answer

Question

What do you need to know about updating QRadar EDR (formerly ReaQta)? 

Answer

Hive Server

What is the hive update process?

You must contact support. The hive update is performed with the aid of the DevOps team. When an update is planned, the dates are shared with the relevant stakeholders so that the downtime can be announced and prepared for.

What major versions of ReaQta hive are supported?

ReaQta Hive server 3.11.1
Windows Agent 3.10.1 - Linux Agent 0.70.0

Endpoint Agent

What is the update agent process?

  • When a new agent distribution build is available, the agent distributions are added to the hive server, either automatically or manually.
  • Once the agent distributions are uploaded, the dashboard manager decides when they are pushed to the endpoints. When they are ready, the push is done from the User Interface (UI): Administration > Update Manager
  • Enabling a distribution essentially enables the auto update of any applicable agent.
  • Pushes are based on targets, typically groups.
  • Standard agent communication to the Hive picks up the enabled distribution.
  • The update action is performed by the keeper service on the endpoint.
For more detailed information about the steps on how to upload new agent packages to the Hive Server, review QRadar EDR (formerly ReaQta): How to upload new agent packages to the Hive Server 
Points to consider

  • Downgrading to older distributions is not supported by this method.
  • Agents upgrade only if the distribution is newer than their current version.
  • The agent build distribution process can take some time, because all agents must check in and update. Generally, it takes around 30 minutes for all agents.
Tip: If keeper gets stuck downloading the update or stuck in 'stop pending', you can kill the keeper process. The process starts automatically again and completes the operation.


Hive and Agent versions considerations

  • Do not install an agent version that is newer than the Hive Server: new functionality available in the agent is likely not to work, or the hive is not able to manage it. The hive server drops events from agents that are at a newer version than the hive itself.
  • Running agent versions that are older than the hive server is fine, as the hive server is compatible with earlier versions of the agent endpoints.
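The two lists above ("Points to consider" and the version considerations) amount to three rules for a rollout: an agent upgrades only when the distribution is newer than its current version, downgrades are never performed, and no agent may be newer than the hive. The following pre-flight check, added here as an illustration and not IBM's or ReaQta's own code, applies those rules to a proposed distribution before it is enabled in Update Manager. It assumes the hive and the agents share the same dotted version numbering (as the hive and Windows agent listed above do); the agent inventory and version strings are constructed sample data.

```python
# Added example (not IBM/ReaQta code): pre-flight check for enabling an agent
# distribution, encoding the rules stated on the page:
#   - agents only upgrade when the distribution is newer than their current version
#   - downgrades are not performed by this method
#   - an agent must not be newer than the hive, or the hive drops its events
# Assumption: hive and agents use the same dotted numbering scheme.
# The inventory below is constructed sample data.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.10.1' into (3, 10, 1) so versions compare numerically, not lexically
    ('3.9.0' < '3.10.1' as strings would be wrong)."""
    return tuple(int(part) for part in v.strip().split("."))


def plan_rollout(hive_version: str, distribution_version: str,
                 agents: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each agent for a proposed distribution.

    Returns a dict with keys:
      'rejected' - non-empty only if the distribution is newer than the hive;
                   nothing is rolled out in that case
      'upgrade'  - agents whose current version is older than the distribution
      'skip'     - agents already at the distribution version or newer
                   (no downgrade is attempted)
    """
    hive = parse_version(hive_version)
    dist = parse_version(distribution_version)
    plan: Dict[str, List[str]] = {"rejected": [], "upgrade": [], "skip": []}

    if dist > hive:
        # Page rule: never deploy agents that are newer than the hive server.
        plan["rejected"].append(
            f"distribution {distribution_version} is newer than hive {hive_version}")
        return plan

    for name, current in sorted(agents.items()):
        if parse_version(current) < dist:
            plan["upgrade"].append(name)
        else:
            # Same version or newer: the agent keeps what it has.
            plan["skip"].append(name)
    return plan


if __name__ == "__main__":
    # Constructed inventory of Windows agents reporting to a 3.11.1 hive.
    inventory = {"ws-01": "3.9.0", "ws-02": "3.10.1", "ws-03": "3.10.2"}
    print(plan_rollout("3.11.1", "3.10.1", inventory))   # ws-01 upgrades, others skipped
    print(plan_rollout("3.11.1", "3.12.0", inventory))   # rejected: newer than hive
```

Running the check against the hive's inventory before enabling a distribution tells you which agents will actually move, and flags a package that would outrun the hive before any endpoint picks it up.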

Troubleshooting guide for agents failing to update to newly enabled package

Check the installation logs to track the agent update failure and note the status code of the error. Then proceed with the specific troubleshooting for that code as described in the following article: QRadar EDR (formerly ReaQta): Troubleshooting registration errors that occur during client installation

- For Windows deployments, the update failure log can be found in the folder C:\Program Files\ReaQta, in a file called rqt_update.rqa. Rename a copy of this file with a .txt extension and open it with a text viewer; it contains the reason for the failure.

- For Linux deployments, the update failure can be tracked from the command line by reviewing journalctl or /var/log/messages.

- For macOS deployments, the update failure can be tracked from the Console at the time of the failure (filter by keeperi).


Product Synonym

ReaQta

Document Information

Modified date:
18 May 2023

UID

ibm16568599