Resolving The Problem
What is a "Deploy" in QRadar?
When the QRadar Console detects configuration changes that must be pushed out to managed hosts, a banner in the Admin tab states that changes need to be deployed.
Changes are pushed out from the "staging" area of QRadar to the "deployed" area, and the Hostcontext service restarts the appropriate components. If a component has no pending changes, there is nothing to deploy for it, and its service might not need to be restarted.
What is the difference between "Deploy Changes" and "Deploy Full Configuration"?
After you perform a "Deploy Changes", only the services that need updates are restarted on the appliances. Data collection and processing continue as normal because the Event Collection Server/Service (ECS) does not restart, so a "Deploy Changes" does not impact the QRadar event pipeline (collection, processing, rules, or offenses).
A "Deploy Full Configuration" from the Admin tab sends a request to rebuild all configuration file sets. Each appliance rebuilds its own configuration files and then restarts its services so that the new configuration is loaded. All processes that handle QRadar data restart, so an interruption of service occurs.
QRadar 7.3.1 introduced the ecs-ec-ingress service, which buffers (spools) incoming events while the other QRadar services are restarted. The ecs-ec-ingress service is NOT restarted as a result of a deploy and continues to collect data. Searches, reports and other QRadar functions are not available while the full deploy is running, and the spooled events are not processed until the full deploy completes.
Whenever a service interruption is expected from a deploy, a warning dialog is shown to the Admin user, who can cancel the deploy and defer it to a later time.
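The restart behaviour described above can be checked on the console rather than taken on trust. The following script is an added example for this note, not IBM code: it snapshots the systemd start timestamps of the pipeline services before a deploy and compares them afterwards, so you can see exactly which services restarted and whether ecs-ec-ingress really stayed up. The unit names (ecs-ec-ingress, ecs-ec, ecs-ep, hostcontext, tomcat) and the state-file path are assumptions for a QRadar 7.3.1+ appliance; confirm the names with `systemctl list-units` on your host first.

```python
"""Snapshot systemd start timestamps of QRadar pipeline services before and
after a deploy, then report which services actually restarted.

Added example for this tech note, not IBM code. The unit names below are an
assumption for QRadar 7.3.1+ hosts; confirm them with `systemctl list-units`.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Assumed systemd unit names on a QRadar 7.3.1+ appliance.
PIPELINE_UNITS = ["ecs-ec-ingress", "ecs-ec", "ecs-ep", "hostcontext", "tomcat"]

# Assumed scratch location for the 'before' snapshot.
STATE_FILE = "/tmp/qradar_deploy_snapshot.json"


def parse_monotonic(show_output: str) -> int:
    """Parse 'ActiveEnterTimestampMonotonic=<usec>' from `systemctl show`.

    Returns 0 when the unit has never been active (systemd prints 0 or an
    empty value). The monotonic clock resets on reboot, so compare snapshots
    taken within one boot only.
    """
    for line in show_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ActiveEnterTimestampMonotonic":
            return int(value.strip() or 0)
    return 0


def snapshot(units: List[str]) -> Dict[str, int]:
    """Collect the monotonic start timestamp of each unit (run as root on the host)."""
    result = {}
    for unit in units:
        out = subprocess.run(
            ["systemctl", "show", unit, "-p", "ActiveEnterTimestampMonotonic"],
            capture_output=True, text=True, check=False,
        ).stdout
        result[unit] = parse_monotonic(out)
    return result


def restarted_services(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Units whose ActiveEnter timestamp changed restarted during the window.

    A unit present in only one snapshot is reported as well: a unit that
    appears or disappears is not the 'no interruption' case the note describes.
    """
    names = sorted(set(before) | set(after))
    return [u for u in names if before.get(u, 0) != after.get(u, 0)]


def classify_deploy(restarted: List[str]) -> str:
    """Map the observed restarts onto the deploy types described in the note."""
    if not restarted:
        return "no service restarts (nothing to deploy, or a non-pipeline change)"
    if "ecs-ec-ingress" in restarted:
        return "unexpected: ecs-ec-ingress restarted, so events were not spooled"
    if {"ecs-ec", "ecs-ep"} & set(restarted):
        return "pipeline interrupted (consistent with Deploy Full Configuration)"
    return "only non-pipeline services restarted (consistent with Deploy Changes)"


if __name__ == "__main__":
    # Usage on the console: `python3 deploy_watch.py before`, perform the
    # deploy from the Admin tab, then `python3 deploy_watch.py after`.
    if sys.argv[1:] == ["before"]:
        with open(STATE_FILE, "w") as fh:
            json.dump(snapshot(PIPELINE_UNITS), fh)
    elif sys.argv[1:] == ["after"]:
        with open(STATE_FILE) as fh:
            before = json.load(fh)
        restarted = restarted_services(before, snapshot(PIPELINE_UNITS))
        print("restarted:", restarted or "none")
        print(classify_deploy(restarted))
    else:
        sys.exit("usage: deploy_watch.py before|after")
```

Run the "before" step, trigger the deploy, and run the "after" step once the Admin tab reports the deploy as complete. If ecs-ec-ingress shows up in the restarted list after a full deploy, the spooling guarantee did not hold on that host and the gap in collection should be investigated before the next deploy window.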
Examples of QRadar changes that require Deploy Full Configuration:
Adding or removing a host in the deployment editor that has an EC, EP, or MPC component.
Adding, removing, or editing the values on an EC/EP component or offsite source or target component in the deployment editor.
Adding or updating a license that changes the EPS or FPM (flows per minute) values (does not apply in QRadar 7.3).
Enabling or disabling encryption (Tunneling) on a "managed host".
Examples of QRadar changes that require a Deploy Changes:
Adding or editing a user or user role.
Adding or updating network hierarchy.
Adding a new security profile.
Creating a new authorized service token.
Adding a centralized credential (security descriptor).
Adding a new log source.
Setting a password for another user.
User changing their own password.
Changing a user's user role and/or security profile.
Note: The lists above may change in future releases as QRadar moves towards less interruption and downtime.
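Several of the "Deploy Changes" items above (creating an authorized service token, adding a log source) are routinely done through the REST API, and the deploy that follows can be driven the same way. The script below is an added example for this note, not IBM code. It assumes the staged-config endpoints as documented in the console's own API reference at https://<console>/api_doc: GET /api/staged_config/deploy_status, and POST /api/staged_config/deploy_action with a type parameter of INCREMENTAL (Deploy Changes) or FULL (Deploy Full Configuration), authenticated with an authorized service token in the SEC header. The response field names (status, hosts, errors, error_message) and the COMPLETE state are assumptions to check against your version. Because a FULL deploy stops event processing on every managed host, the script refuses it unless explicitly confirmed, and it waits on a deploy that is already running instead of requesting another one.

```python
"""Trigger a QRadar deploy through the REST API and wait for it to finish.

Added example for this tech note, not IBM code. Endpoint paths, parameter
names and the response shape are assumptions taken from the console's
/api_doc reference; verify them against your QRadar version.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumed endpoint paths and terminal state; confirm in https://<console>/api_doc.
STATUS_PATH = "/api/staged_config/deploy_status"
ACTION_PATH = "/api/staged_config/deploy_action"
DONE_STATES = {"COMPLETE"}
INCREMENTAL, FULL = "INCREMENTAL", "FULL"

# A transport takes (method, url, query params) and returns the decoded JSON.
Transport = Callable[[str, str, Dict[str, str]], Dict]


def make_urllib_transport(token: str, cafile: Optional[str] = None) -> Transport:
    """Real HTTPS transport. Pin the console's CA with `cafile` rather than
    disabling verification: the SEC token is a bearer credential."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, url: str, params: Dict[str, str]) -> Dict:
        if params:
            url = url + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(
            url, method=method, headers={"SEC": token, "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return send


def deploy_in_progress(status: Dict) -> bool:
    """True until the status document reports a terminal state."""
    return str(status.get("status", "")).upper() not in DONE_STATES


def deploy_errors(status: Dict) -> List[str]:
    """Collect per-host and global errors from the status document (assumed shape)."""
    errs = []
    for host in status.get("hosts", []) or []:
        for e in host.get("errors", []) or []:
            errs.append(f"{host.get('name', host.get('id'))}: {e}")
    if status.get("error_message"):
        errs.append(str(status["error_message"]))
    return errs


def run_deploy(base_url: str, transport: Transport, deploy_type: str = INCREMENTAL,
               confirm_full: bool = False, timeout_s: float = 1800.0,
               poll_s: float = 10.0, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Request a deploy and poll until it completes, returning the final status.

    FULL must be confirmed because it interrupts the event pipeline on every
    host. A deploy already in progress is waited on, not re-requested.
    """
    if deploy_type not in (INCREMENTAL, FULL):
        raise ValueError(f"unknown deploy type {deploy_type!r}")
    if deploy_type == FULL and not confirm_full:
        raise ValueError("FULL deploy interrupts the event pipeline; pass confirm_full=True")

    status = transport("GET", base_url + STATUS_PATH, {})
    if not deploy_in_progress(status):
        status = transport("POST", base_url + ACTION_PATH, {"type": deploy_type})

    deadline = time.monotonic() + timeout_s
    while deploy_in_progress(status):
        if time.monotonic() > deadline:
            raise TimeoutError(f"deploy still {status.get('status')} after {timeout_s}s")
        sleep(poll_s)
        status = transport("GET", base_url + STATUS_PATH, {})

    errors = deploy_errors(status)
    if errors:
        raise RuntimeError("deploy finished with errors: " + "; ".join(errors))
    return status


def fake_transport(script: List[Dict]) -> Transport:
    """Canned transport for offline use: returns one scripted response per call
    and records the requests it saw. Constructed test double, not a real console."""
    calls = []

    def send(method: str, url: str, params: Dict[str, str]) -> Dict:
        calls.append((method, url.rsplit("/api", 1)[-1], dict(params)))
        return script.pop(0)
    send.calls = calls
    return send


if __name__ == "__main__":
    # Real usage (assumed console name and token placeholder):
    # transport = make_urllib_transport("YOUR-SEC-TOKEN", cafile="/path/to/console-ca.pem")
    # print(run_deploy("https://console.example.com", transport)["status"])
    demo = fake_transport([{"status": "COMPLETE"}, {"status": "IN_PROGRESS"}, {"status": "COMPLETE"}])
    print(run_deploy("https://console.example.com", demo, sleep=lambda s: None))
```

Use an authorized service token with an admin-capable role for the SEC header, since deploys are an administrative action, and keep the token out of shell history and logs. Raise `timeout_s` for large deployments: a full deploy across many managed hosts can run well beyond the default.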
24 February 2021