IBM Support

QRadar: How to reinstall an appliance retaining existing ariel data

How To


Summary

QRadar appliances can be rebuilt by using the RETAIN option to keep the ariel data on the appliance. The QRadar appliances that store data are the Console, Event processor (EP), Flow processor (FP), Event and Flow (Combo) processor (EP/FP), and Data Nodes (DN).

This document contains considerations and step-by-step instructions on how to use the RETAIN option when these appliances have to be rebuilt.

Environment

QRadar (physical or virtual) appliances installed with appliance-type method.

Considerations

  • When a Console is rebuilt and the setup completes, the default data (events and flows) retention is set to 30 days. Due to this policy, the retained data can be deleted unexpectedly. Administrators must contact QRadar Support for assistance to avoid data deletion by the policy.
  • When the appliance is rebuilt, the administrators must reconfigure the settings such as the appliance type, IP address, and hostname.
  • The RETAIN option is only available for Appliance installations. To determine whether the appliance is a software-type installation or appliance-type installation, check this article.
  • The RETAIN option ONLY keeps the data in /store/ariel/. Any other data outside /store/ariel/ in the /store partition is cleaned.
  • Administrators must keep a recent configuration backup outside the server to be rebuilt (for example, by using NFS).
  • Administrators must patch to the latest version (includes Fix Pack or Update Pack and interim fix) that the appliance was running before the reinstallation.
  • (Optional) A configuration restore can be done on the Console after the setup completes. Administrators must choose which settings to restore depending on their needs.

Steps

  1. Start a console-type connection to the appliance.
    1. For physical servers, log in by using IMM, XCC WebUI, or equivalent.
    2. For virtual machines, log in by using the hypervisor virtual console.
  2. Reboot the appliance.
  3. At the first GRUB menu, select Factory re-install by using the arrow keys.
    Note: The move and select must be done within a 5-second threshold.
    [Screenshot: GRUB menu]
    This line contains the base version (General Availability) that the appliance is going to be installed with.
  4. When the following menu is displayed, type RETAIN and then press Enter.
    [Screenshot: menu]
  5. Wait until the screen prompts for the normal QRadar setup process. This process can take up to several minutes. When the process is complete, a confirmation is displayed.
  6. Follow the instructions in the installation wizard to complete the installation.
    1. At the login prompt, log in as the root user. The root user does not prompt for a password in this step.
    2. Accept the End User License Agreement (EULA) when it is displayed. Press the Spacebar key to advance through the document.
    3. Configure the appliance type, network settings, and the user credentials.
    4. Wait for the confirmation message that the installation finished.
  7. Log in to the appliance as the root user.
  8. Verify the data under /store/ariel/ persists.
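
One way to carry out step 8 as more than a directory listing, given as an added example that is not part of IBM's procedure: record a size-and-path manifest of /store/ariel/ before the rebuild, keep it off the appliance, and compare it after setup. The function names, the script name, and the manifest location are assumptions, and GNU find is assumed.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): check that files under /store/ariel/ survived a RETAIN rebuild.
# Assumed usage, with the manifest kept OFF the appliance (the rebuild cleans everything else):
#   before the rebuild:  ./ariel_check.sh manifest > /mnt/nfs/ariel.before.tsv
#   after step 8:        ./ariel_check.sh verify /mnt/nfs/ariel.before.tsv
# The script name and the /mnt/nfs path are hypothetical.

ARIEL_DIR="${ARIEL_DIR:-/store/ariel}"   # path named in this article

# ariel_manifest DIR: print "size<TAB>relative/path" for every regular file, sorted by path.
# Requires GNU find (-printf).
ariel_manifest() {
    ( cd "$1" && find . -type f -printf '%s\t%P\n' |
        LC_ALL=C sort -t "$(printf '\t')" -k2 )
}

# ariel_verify BASELINE [DIR]: report baseline files that are now MISSING or CHANGED in size.
# Files created after the baseline (new events and flows) are ignored.
# A file that was still being written when the baseline was taken can show as CHANGED.
# Returns 0 if every baseline file persists unchanged, 1 if not, 2 on bad input.
ariel_verify() {
    av_base="$1"; av_dir="${2:-$ARIEL_DIR}"
    [ -s "$av_base" ] || { echo "baseline manifest missing or empty: $av_base" >&2; return 2; }
    [ -d "$av_dir" ]  || { echo "not a directory: $av_dir" >&2; return 2; }
    # The baseline is read first so that an empty DIR (all data lost) is still detected.
    av_report=$(ariel_manifest "$av_dir" | awk -F '\t' '
        NR == FNR    { want[$2] = $1; next }      # baseline: path -> size
        ($2 in want) { if (want[$2] != $1) print "CHANGED\t" $2; delete want[$2] }
        END          { for (p in want) print "MISSING\t" p }
    ' "$av_base" - | LC_ALL=C sort)
    [ -z "$av_report" ] && return 0
    printf '%s\n' "$av_report"
    return 1
}

# Command-line entry point; does nothing when the file is sourced without arguments.
case "${1:-}" in
    manifest) ariel_manifest "${2:-$ARIEL_DIR}" ;;
    verify)   ariel_verify "${2:?baseline manifest path required}" "${3:-$ARIEL_DIR}" ;;
esac
```

Running the verify step again some days after a Console rebuild also shows whether the default 30-day retention policy mentioned under Considerations has started deleting retained data.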

Results

The appliance is reinstalled and the data from before the reinstallation persists. If any error is encountered during this procedure, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
23 May 2022

UID

ibm16586980