IBM Support

Release of QRadar 7.3.0 (7.3.0.20170315023309)

Release Notes


Abstract

Installation instructions, new features, and the list of resolved issues for the release of IBM Security QRadar 7.3.0 (7.3.0.20170315023309).

Content

These instructions are intended to assist administrators with updating appliances to QRadar 7.3.0. If you have a software installation, need the latest memory requirements, or use offboard storage, review the QRadar Upgrade Guide before you begin.

About this upgrade & general information


QRadar 7.3.0 uses an ISO file to update hosts to the latest software version. A minimum of QRadar 7.2.8 Patch 1 (or later) is required to upgrade to QRadar 7.3.0. Each host must be updated individually; this includes HA secondary appliances.
 
Current QRadar Version                      Upgrades to QRadar 7.3.0?
QRadar 7.2.6 (any patch level) or earlier   No
QRadar 7.2.7 (any patch level)              No
QRadar 7.2.8.0                              No
QRadar 7.2.8 Patch 1 and later              Yes

Note: Administrators can use the latest 7.3.0 patch files to update beyond the initial QRadar 7.3.0 release installation.

Current QRadar Version             To update to the latest 7.3.0 patch level
QRadar 7.3.0                       Requires the QRadar 7.3.0 Patch 4 SFS
QRadar 7.3.0 Patch 1 to Patch 3    Requires the QRadar 7.3.0 Patch 4 SFS
  1. You must be on QRadar 7.2.8 Patch 1 or later to upgrade to QRadar 7.3.0.
  2. The upgrade to QRadar 7.3.0 uses an ISO file. In the past, support has stated that ISOs are for new appliance installs only, but QRadar 7.3.0 is an exception to this rule because the update includes a Red Hat kernel update.
  3. Each HA appliance must be updated individually using the ISO file. An SFS file allows the primary appliance to update the secondary, but the ISO file does not support this. If you run the ISO setup on an HA primary, wait for the update to complete, then run the setup on the HA secondary.
  4. There is no "Update All" option, because QRadar 7.3.0 uses an ISO file to upgrade. The ISO must be mounted on the appliance and the setup run locally on each host. If you have a software install, you need your Red Hat Enterprise Linux ISO and the QRadar ISO. Administrators with software installations on their own hardware MUST read the QRadar Upgrade Guide to understand how to partition their systems appropriately.
  5. For administrators with managed WinCollect agents, you must upgrade to WinCollect 7.2.5 before installing QRadar 7.3.0. WinCollect 7.2.5 is a prerequisite for QRadar 7.3.0.
  6. The 7.3.0 upgrade takes longer than previous updates because of the kernel changes for Red Hat Enterprise Linux 7. Early upgrade customers report 2 to 2.5 hours to upgrade the Console appliance. Plan maintenance windows with this longer time frame in mind.
  7. Utilities or custom scripts that power users might have created for their QRadar deployment should be copied off the system. During the 7.3.0 update a warning is displayed that only data in /store is preserved. Scripts, third-party accounts, or utilities in /tmp, /, or /root are deleted.
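Item 7 in practice. The following script is an added example and is not part of IBM's release notes or of QRadar itself: it archives administrator-created files that live outside /store into a tarball under /store/tmp (which is under /store and therefore survives the upgrade) so they can be restored after setup completes. The paths in the usage line (/root/scripts, /opt/custom, /etc/cron.d/qradar-custom) are placeholders for wherever your team keeps its tooling; the release notes only state that /tmp, / and /root are not preserved.

```shell
#!/bin/sh
# Added example, not IBM code: copy administrator-created files that live
# outside /store into a tarball under /store/tmp before the 7.3.0 ISO
# upgrade. Only /store survives the upgrade, so anything in /root, /tmp,
# /opt or / that is not archived here is lost.

# preserve_paths DEST_DIR PATH...: archive every PATH that exists into
# DEST_DIR/pre-7.3.0-<timestamp>.tar.gz (members stored relative to /),
# print the archive name, and return 1 without writing anything if no
# PATH exists.
preserve_paths() {
    dest=$1
    shift
    total=$#
    # Append the existing paths, stripped of their leading slash, after the
    # original arguments, then drop the originals. This keeps paths with
    # spaces intact without relying on word splitting.
    for p in "$@"; do
        if [ -e "$p" ]; then
            set -- "$@" "${p#/}"
        fi
    done
    shift "$total"
    if [ "$#" -eq 0 ]; then
        echo "preserve_paths: none of the requested paths exist" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    archive="$dest/pre-7.3.0-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C / "$@" || return 1
    echo "$archive"
}

# list_preserved ARCHIVE: print the archive members so the operator can
# confirm the right files were captured before starting setup.
list_preserved() {
    tar -tzf "$1"
}

# Usage on the appliance (placeholder paths; substitute your own):
#   sh preserve_custom.sh --run
if [ "${1:-}" = "--run" ]; then
    archive=$(preserve_paths /store/tmp /root/scripts /opt/custom /etc/cron.d/qradar-custom) || exit 1
    echo "archived to $archive:"
    list_preserved "$archive"
fi
```

Run it on every host before mounting the ISO, keep the printed archive name with your change record, and verify the member list once more after the upgrade before extracting anything back onto the RHEL 7 system; scripts written for RHEL 6 may need adjusting.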
     

The 7.3.0-QRADAR-QRSIEM-20170315023309 ISO can upgrade QRadar 7.2.8 Patch 1 (7.2.8.20161207001258) and later to QRadar 7.3.0. However, this document does not cover all of the installation messages and requirements, such as changes to memory requirements or browser requirements for QRadar. To review any additional requirements, see the QRadar Upgrade Guide. If you are on a version of QRadar earlier than QRadar 7.2.8 Patch 1, you must upgrade to QRadar 7.2.8 Patch 1 or later before you install the QRadar 7.3.0 ISO on an appliance. For a list of all release notes for QRadar, see the QRadar Software 101 page.



Figure 1: Administrators are not required to install each ISO release to upgrade from QRadar 7.2.8. If an ISO is available for QRadar 7.3.0, you only need to install the latest version.

Before you upgrade


Ensure you review the following information before starting any software update:

  • Back up your data before you begin any software upgrade and verify that you have recent configuration backups that match your existing Console version. If required, take an on demand configuration backup before you begin. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
  • HA appliances should have the primary in the Online state and the secondary in the Standby state for their HA pair status.
  • If you have offboard storage configured, see the QRadar Upgrade Guide as there are special instructions for administrators with /store partitions that are mounted off of the appliance.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • All appliances in the deployment must be at the same software and patch level.
  • Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
  • The QRadar 7.3.0 ISO can be used both to upgrade from QRadar 7.2.8 Patch 1 or later and for new appliance installations on physical or virtual machines. Administrators who want to complete a new install need to review the QRadar Installation Guide.
  • If you are unsure of how to proceed when reading these instructions or the documentation, it is best to ask before starting your upgrade. To ask a question in our forums, see: http://ibm.biz/qradarforums.

Staging files and pretesting your deployment (required)


Administrators must pretest their deployment to find issues before they update to QRadar 7.3.0. A pretest is a common precaution that should be taken before any update is installed. The pretest does not restart services and can be completed without scheduled downtime. It typically takes 3 to 5 minutes on each appliance. If your SSH session is disconnected, you can reconnect to the remote host and reattach to the session with screen -r.


The pretest should be completed on all hosts by the administrator before you attempt to upgrade to QRadar 7.3.0.

  1. Download the ISO to install QRadar 7.3.0 from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.0-QRADAR-QRFULL-20170315023309&includeSupersedes=0&source=fc
  2. Using SSH, log in to your Console as the root user.
  3. Type the following command: screen
  4. To create the mount directory on all hosts, type:
    /opt/qradar/support/all_servers.sh -k "mkdir -p /media/cdrom || umount /media/cdrom"
  5. To verify that you have enough space (5GB) for the ISO on all appliances, type:
    /opt/qradar/support/all_servers.sh -k "df -h /tmp /store/tmp /store/transient" | tee diskchecks.txt
    1. Best directory option: /store/tmp
      It exists on all appliance types at all versions and is not cleaned up automatically if you need to postpone your update.
    2. 2nd best directory option: /tmp
      This directory exists on all appliances, but on 7.3.0 partitioning it is significantly smaller, and placing a large file here can cause services to stop. If you leave a file in /tmp for 10 days without completing the ISO upgrade, Red Hat's tmpwatch cron job might delete it.
    3. 3rd best option: /store/transient
      The /store/transient directory was introduced in QRadar 7.2.1 and is allocated 10% of the overall /store partition. However, this directory does not exist on all appliances, such as QFlow or QRadar Network Insights, and might not be a separate partition on all appliances.

      If the disk check command fails, retype the quotation marks in your terminal (quotation marks copied from this page might be converted to typographic quotes), then run the command again. The command writes the details both to the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that every appliance has at least 5GB available in one of these directories before you copy the ISO to a managed host. If required, free up disk space on any host that has less than 5GB available.

      Reminder: Utilities or custom scripts that administrators have created for QRadar should be copied off the system. During the 7.3.0 update a warning is displayed that only data in /store is preserved. Scripts and third-party utilities in /tmp, /, or /root are deleted during the upgrade.

  6. Using WinSCP or SCP, copy the ISO to the /store/tmp directory on the QRadar Console. This directory should have sufficient disk space for the ISO file.
  7. To copy the ISO to the same directory on all appliances, type: /opt/qradar/support/all_servers.sh -p /store/tmp/Rhe764QRadar7_3_0_20170315023309.stable-7-3-0.iso -k -r /store/tmp
  8. To mount the ISO on all appliances, type the following command:
    /opt/qradar/support/all_servers.sh -C -k "mount -o loop /store/tmp/Rhe764QRadar7_3_0_20170315023309.stable-7-3-0.iso /media/cdrom"


    NOTE: QFlow appliances do not contain a /store/transient directory. It is typically recommended that administrators use /store/tmp as this directory structure exists on all QRadar appliances.

  9. To pretest the Console appliance, type: /media/cdrom/setup -t

    The pretest output will be written to the command window. Review this output after the pretest completes.

  10. Open an SSH session to each of the other appliances in your deployment. QRadar Support recommends that all administrators run the pretest on each host to identify issues before the update begins.
  11. To pretest the managed host, type: /media/cdrom/setup -t

    Results
    If an appliance in your deployment fails the pretest, administrators can take the recommended action from the pretest utility. The issue must be resolved before the update to 7.3.0 begins, to prevent downtime for specific appliances. If there are messages you do not understand or want to discuss further, you can use our forums (http://ibm.biz/qradarforums) to get advice. Alternatively, administrators can open a ticket directly with QRadar Support (http://ibm.biz/qradarsupport).
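The two checks that this staging procedure relies on, the minimum version from the upgrade table (7.2.8 Patch 1, build 7.2.8.20161207001258) and the 5GB staging-directory choice from step 5, as one POSIX shell script. This is an added example, not IBM's pretest utility or any QRadar script: the function names, the --check flag, the numeric version comparison, and the use of /opt/qradar/bin/myver to read the installed version are this example's own assumptions; the directory preference order, the 5GB minimum, and the minimum build number are taken from this page.

```shell
#!/bin/sh
# Added example, not IBM code: pre-upgrade checks for the 7.3.0 ISO on one
# host. The minimum build and the staging-directory order come from the
# 7.3.0 release notes; everything else here is this example's own.

MIN_VERSION="7.2.8.20161207001258"   # QRadar 7.2.8 Patch 1
NEED_KB=$((5 * 1024 * 1024))         # 5 GB expressed in KiB, matching df -Pk

# version_ge A B: return 0 when dotted version A is >= B. Each field is
# compared numerically, so 7.2.8.0 is correctly below 7.2.8.20161207001258
# even though it sorts above it as a string.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# avail_kb DIR: available KiB on the filesystem that holds DIR. Prints 0
# when DIR does not exist (for example /store/transient on a QFlow
# appliance), so a missing directory can never be selected.
avail_kb() {
    if [ -d "$1" ]; then
        df -Pk "$1" | awk 'NR == 2 { print $4 }'
    else
        echo 0
    fi
}

# pick_staging_dir NEED_KB DIR...: print the first candidate with at least
# NEED_KB free and return 0; return 1 when no candidate qualifies. AVAIL_FN
# names the probe function so the logic can be exercised with constructed
# numbers instead of a real appliance.
pick_staging_dir() {
    need=$1
    shift
    for dir in "$@"; do
        have=$("${AVAIL_FN:-avail_kb}" "$dir")
        if [ "${have:-0}" -ge "$need" ]; then
            echo "$dir"
            return 0
        fi
    done
    return 1
}

# Usage on an appliance: sh pre_upgrade_check.sh --check [installed-version]
# Prints one line per check; a non-zero exit means do not copy the ISO yet.
if [ "${1:-}" = "--check" ]; then
    installed=${2:-$(/opt/qradar/bin/myver)}
    status=0
    if version_ge "$installed" "$MIN_VERSION"; then
        echo "$(hostname): version $installed meets minimum $MIN_VERSION"
    else
        echo "$(hostname): version $installed is below $MIN_VERSION; upgrade to 7.2.8 Patch 1 first" >&2
        status=1
    fi
    if dir=$(pick_staging_dir "$NEED_KB" /store/tmp /tmp /store/transient); then
        echo "$(hostname): stage the ISO in $dir"
    else
        echo "$(hostname): no candidate directory has 5 GB free; clean up before copying the ISO" >&2
        status=1
    fi
    exit "$status"
fi
```

Copy the script to /store/tmp on the Console, push it with all_servers.sh -p as in step 7, and run it across the deployment with all_servers.sh -k "sh /store/tmp/pre_upgrade_check.sh --check" | tee prechecks.txt; any host that prints a failure line needs attention before the ISO is copied, which is cheaper than discovering the problem from a stopped service after a file lands in a small /tmp.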

Installing the QRadar 7.3.0 ISO on the Console Appliance


These instructions guide administrators through the process of upgrading an existing QRadar install at 7.2.8 Patch 1 or later to QRadar software version 7.3.0. The update on the Console must be completed first, before you attempt to update any managed hosts to QRadar 7.3.0.
  1. Using SSH, log in to the Console as the root user.
  2. To run the ISO installer on the Console, type the following command: /media/cdrom/setup

    Important: Upgrading from QRadar 7.2.8 Patch 1 or later to QRadar 7.3.0 should take approximately 2 hours. Upgrades for managed hosts should take approximately 1.5 hours. If you experience extended upgrade times, you can contact QRadar Support for more information (http://ibm.biz/qradarsupport).

    If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
  3. Wait for the Console primary update to complete.
  4. For HA Console pairs only:
    1. Open an SSH session to the HA Console secondary.
    2. Type the following command to update the secondary Console: /media/cdrom/setup
    3. Wait for the HA Console secondary to complete the update.

      Results
      A summary of the ISO installation advises you of any issues. If there are no issues, administrators can now SSH to managed hosts and start the installer on each host to run the setup in parallel.
 

Installing the QRadar 7.3.0 ISO on all other managed hosts


After the Console and Console HA secondary are updated to QRadar 7.3.0, the rest of the deployment can be updated. There is no required order for updating appliances after the Console and Console secondary are updated. You can start the ISO update in parallel on multiple hosts, but you must open a separate SSH session to each host. The all_servers.sh utility is not supported for parallel ISO installations.

NOTE: If you are unsure of the IP addresses or hostnames for the appliances in the deployment, run the utility /opt/qradar/support/deployment_info.sh on the Console to get a .CSV file with information about the QRadar deployment. The CSV file contains a list of IP addresses for each managed host.
  1. Using SSH, log in to the Console as the root user.
  2. Open an SSH session to each managed host and type the following command: /media/cdrom/setup

    Important: Upgrading from QRadar 7.2.8 Patch 1 or later to QRadar 7.3.0 should take approximately 2 hours. Upgrades for managed hosts should take approximately 1.5 hours. If you experience extended upgrade times, you can contact QRadar Support for more information (http://ibm.biz/qradarsupport).


    If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the installation screen is displayed.



    Results
    A summary of the ISO installation advises you of any issues. If there are no issues, repeat the setup on any remaining managed hosts. When all managed hosts report a successful installation, continue with the installation wrap-up.
     

Installation wrap-up

  1. After all hosts are updated, inform your team that they must clear their browser cache before logging in to the QRadar SIEM interface.
  2. To unmount the /media/cdrom directory on all hosts, type:
    /opt/qradar/support/all_servers.sh -C -k "umount /media/cdrom"
  3. Delete the ISO from the staging directory on all appliances.


Resolved issues

Note: Some APAR links in the table below might take 24 hours to display properly after a software release. A full APAR link for all QRadar versions is available
 

Issues resolved in QRadar 7.3.0
Number Description
IV94244 QRADAR PATCHING TO 7.3.0 CAN FAIL AT 'ERROR: THE UPGRADE PHASE SCRIPT 40-PRESERVE_PROTECTED_SEARCH_RESULTS.SH FAILED...'
IV91030 QRADAR APPS THAT REQUIRE SPECIFIC USER ROLE PERMISSIONS CAN STOP WORKING AFTER PATCHING TO QRADAR 7.2.8 PATCH 1
IV88705 ASSET UI SCREEN APPLICATION ERROR DISPLAYED DUE TO DELETED ASSET SEARCH
IV89204 QRADAR ASSET PROFILER TREATS HOSTNAMES WITH DIFFERENT CASE CHARACTERS AS SEPARATE ASSETS
IV84736 TOMCAT OUT OF MEMORY CAN OCCUR CAUSING THE USER INTERFACE TO BECOME INACCESSIBLE
IV91288 OFFENSES CAN SOMETIMES STOP GENERATING WHEN OFFENSES ARE INDEXED ON CUSTOM PROPERTIES
IV88270 USING COMPLEX FILTERS ON LOG AND/OR NETWORK ACTIVITY PAGE SEARCHES CAN CAUSE PIPELINE PERFORMANCE ISSUES/NOTIFICATION
IV90364 SETTING A CUSTOMIZED 'RULE RESPONSE' NAME/DESCRIPTION FOR THE 'LACK OF DEVICE' RULE TEST DOES NOT WORK AS EXPECTED
IV78366 THE ECS-EC PROCESS CAN SOMETIMES RUN OUT OF MEMORY WHEN A LARGE NUMBER OF EVENTS WITH CUSTOM PROPERTIES ARE RECEIVED
IV89556 ECS-EP PROCESS RUNNING, BUT EVENT/FLOW PROCESSING NOT OCCURRING ON A QRADAR APPLIANCE
IV90906 TIME SERIES NOT WORKING FOR SOME NON-ADMIN QRADAR USERS
IV91098 INVALID SUPER INDEXES CAN CAUSE 'GENERAL FAILURE. PLEASE TRY AGAIN' MESSAGES WHEN USED IN A FILTER IN SEARCHES
IV89015 APPLICATION ERROR WHEN DOUBLE CLICKING THE RESULTS OF AN 'ADVANCED SEARCH' (AQL)
IV90007 TIMESERIES ACCUMULATION AND/OR REPORTS CAN FAIL TO GENERATE IN SOME INSTANCES AFTER PATCHING TO QRADAR 7.2.7.X
IV89209 REPEATED ARIEL PROCESS OUT OF MEMORY OCCURRENCES WITH LARGE VOLUMES OF DATA IN /STORE/TRANSIENT
IV89207 OPENING AN EVENT FROM AN ADVANCED SEARCH (AQL) RESULTS LIST CAN OPEN THE INCORRECT EVENT IF A COLUMN SORT HAS BEEN PERFORMED
IV90601 FLOW RETENTION WINDOW DOES NOT ACCURATELY DISPLAY DISTRIBUTION USAGE PERCENTAGES
IV73227 INTERMITTENT AND/OR FREQUENT QRADAR SYSTEM NOTIFICATIONS: 'ACCUMULATOR FALLING BEHIND'
IV87313 'SOURCE' AND 'DESTINATION' NETWORK GROUP SHOW FULL NETWORK HIERARCHY NAME WHEN ADDED AS A COLUMN TO DISPLAY
IV90633 QRADAR DATABASE REPLICATION PROCESS CAN TAKE A LONGER THAN EXPECTED AMOUNT OF TIME
IV89022 CUSTOM PROPERTIES SAVED TO ADVANCED SEARCHES (AQL) WITH INVALID SYNTAX ARE UNABLE TO BE DELETED
IV91638 IMPORTING VULNERABILITY SCAN DATA FROM XML INTO QRADAR CAN SOMETIMES FAIL WITH AN EXCEPTION IN THE LOGS
IV85834 EMAIL ADDRESS VALIDATION IN QRADAR ONLY ALLOWS FOUR CHARACTERS IN THE LAST SECTION OF THE DOMAIN
IV89662 UNABLE TO EDIT BULK ADDED LOG SOURCES AFTER A QRADAR CONFIGURATION RESTORE IS PERFORMED
IV90376 SECURITY APP EXCHANGE APPLICATIONS CAN FAIL TO COMMUNICATE IN SOME HIGH AVAILABILITY QRADAR CONFIGURATIONS
IV91071 QRADAR XX48 APPLIANCE ISO BUILDS CAN FAIL WITH 'INVALID ACTIVATION KEY' MESSAGE
IV90089 HOSTCONTEXT PROCESS NAME IS NOT CONSISTENT IN ALL AREAS OF QRADAR
IV86682 SYSTEM NOTIFICATIONS STATING 'THE PRIMARY HIGH AVAILABILITY SYSTEM FAILED' WHEN NO FAILOVER HAS OCCURRED
IV85384 HIGH AVAILABILITY STANDBY APPLIANCE USING CROSSOVER CABLE CAN HAVE ROUTING INCORRECTLY UPDATED
IV85366 QRADAR CONSOLE CONTINUES TO PING THE IP OF A MANAGED HOST CLUSTER AFTER IT IS REMOVED FROM THE DEPLOYMENT
IV87497 IO ERRORS WHEN PERFORMING SEARCHES AFTER A DEPLOY FUNCTION WHERE AN ENCRYPTED MANAGED HOST EXISTS IN THE DEPLOYMENT
IV74231 QRADAR ADMIN TAB DISPLAYS MESSAGE 'THERE ARE UNDEPLOYED CHANGES...' WHEN NO CHANGES HAVE BEEN MADE
IV87856 QRADAR PATCHES THAT INCLUDE A JAVA VERSION UPDATE DO NOT MOVE THE US EXPORT JAR FILES INTO THE APPROPRIATE DIRECTORY
IV89587 KEYBOARD CURSOR/ARROW KEYS AND CTRL-A FUNCTIONS ARE INCONSISTENT ACROSS THE QRADAR USER INTERFACE
IV76165 FLOW SOURCE ALIASES DO NOT APPEAR IN THE ADD FILTER, FLOW INTERFACE, 'VALUE:' DROP DOWN FOR NETWORK ACTIVITY SEARCHES
IV90069 LIST OF OPERATING SYSTEMS AVAILABLE TO SELECT FOR ASSETS IS MISSING SOME OS VERSION ENTRIES
IV90066 'GENERAL FAILURE. PLEASE TRY AGAIN' WHEN PERFORMING A 'GROUP BY' SEARCH OF A PROPERTY, FILTERED AGAINST A REFERENCE SET
IV93147 NETWORK HIERARCHY SEARCH ATTEMPT RESULTS IN POP UP MESSAGE 'AN ERROR OCCURRED, ARGUMENT TYPE MISMATCH'
IV89519 RULES THAT TEST AGAINST REFERENCE MAP OF DATA SETS CAN SOMETIMES FIRE UNEXPECTEDLY
IV89341 SINGLE RUN HOURLY REPORT CAN SOMETIMES RUN TWICE
IV88805 DOMAINS BASED ON CEP VALUE BROKEN STARTING IN QRADAR 7.2.7
IV89363 MULTIPLE SIMULTANEOUS REFERENCE DATA ADDITIONS AND/OR DELETIONS USING THE API CAN CAUSE THE QRADAR UI TO BECOME UNRESPONSIVE
IV87507 SOME DASHBOARD ITEMS NO LONGER DISPLAY IN THE QRADAR USER INTERFACE


 


Document Information

Modified date:
01 July 2021

UID

swg27049543