IBM Support

Release of QRadar Packet Capture SFS for Software Installations (7.3.1 Build 320-1G)

Release Notes


Abstract

Installation instructions and a list of resolved issues for the release of IBM Security QRadar Packet Capture for software installations. This software is intended for updates or new installs of QRadar Packet Capture 7.3.1 (Build 320-1G) on your own hardware.

Content

About
This installation is intended for software installs of QRadar Packet Capture 7.3.1 (Build 320-1G) on your own hardware. Software installations assume that you have purchased your own hardware and have either Red Hat Enterprise or CentOS installed as a base operating system. QRadar Packet Capture software installs are capable of completing a new install or updating an existing Packet Capture software installation to the latest version. These updates are cumulative. QRadar Packet Capture software installs use an SFS file. The following operating systems are required:

Required Operating System | Version | Type
Red Hat Enterprise | 6.8 or 6.9 | Software install
CentOS | 6.8 or 6.9 | Software install

Important: These instructions are intended for software updates using your own hardware. If you have a QRadar Packet Capture appliance or Packet Capture Data Node appliance from IBM, see these release notes for installation instructions: http://www.ibm.com/support/docview.wss?uid=swg27050679.



Upgrade Information
If your deployment is installed with any of the following QRadar Packet Capture versions on your own hardware, you can use these instructions to upgrade to 7.3.1.320-QRADAR-PCAP-SOFTWARE-INSTALL:

Current Software Version | Upgrades to Patch 3 (Build 320-1G)?
QRadar Packet Capture 7.2.8.277 (software install) | No, requires 7.2.8.278 or later
QRadar Packet Capture 7.2.8.278 (software install) | Yes, see the instructions below.


Requirements
Administrators should read the following information before they attempt to complete a software install:
  • This update should be completed during a scheduled maintenance window. While the system is updating, Packet Captures are not recorded as services are not started. Administrators with multiple capture installations can capture on one appliance while they complete updates on another appliance. The update typically completes in about 10-15 minutes.
  • This software, 7.3.1 (Build 320), requires Red Hat Enterprise 6.8 or 6.9. Alternatively, administrators can use CentOS 6.8 or 6.9.
  • This QRadar Packet Capture update is intended for software installations at version 7.2.8.278, for administrators with their own hardware who want to upgrade to 7.3.1.320.
  • Administrators who want to do a new install or reinstall need to review the QRadar Packet Capture Installation Guide, as these are not the correct instructions for that procedure.
  • To avoid access errors in your log file, close all open QRadar Packet Capture sessions.
  • Google Chrome 44.0 and Mozilla Firefox ESR 388 and later browsers are supported. Microsoft Internet Explorer 11 is not supported for QRadar Packet Capture appliances.
  • Any search output directories in /extraction that are older than 6 hours will be removed.
  • If Search store is full, any search output directories that are older than 3 hours will be removed.
  • Software installs are NOT supported on virtual machines (VMs). For hardware requirements, see the Setup Guide.


Instructions for QRadar Packet Capture 7.3.1 (Build 320-1G) Software Installs
These instructions guide administrators through updating an existing QRadar Packet Capture software installation on your own hardware to version 7.3.1.320-QRADAR-PCAP-SOFTWARE-INSTALL.


Procedure

  1. Download the software file from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Packet+Capture&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.1.320-QRADAR-PCAP-SOFTWARE-INSTALL&includeSupersedes=0&source=fc

    Note: Installs that use customer hardware are found in the 'Software Installer' section of IBM Fix Central. If you opt to browse Fix Central for the Packet Capture software install for your hardware, the 'Software Installer' section will contain the files. The correct download uses 'build-version-1G.sfs' in the file name to designate software installs.
  2. Using SSH, log in to your system as the root user.
  3. Copy the software installer to the /tmp directory. If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
  4. To create the /media/updates directory, type the following command: mkdir -p /media/updates
  5. Change to the directory where you copied the patch file. For example, cd /tmp

    Note: This update will cause downtime while the installation completes. The Packet Capture appliance must be rebooted after the installation completes.

  6. To mount the patch file to the /media/updates directory, type the following command:
    mount -o loop -t squashfs 7.3.1-QRadar-PCAP-Build-320-1G.sfs /media/updates
  7. Navigate to the /media/updates directory. For example, cd /media/updates
  8. Type the following command to begin the update: sh installer.sh

    Note:
    The first time that you run the software install, there might be a delay before the update begins.


    After the update completes
  9. After the patch completes and you have exited the installer, type the following command: umount /media/updates
  10. To restart the appliance from the command line, type: reboot.
  11. Administrators and users should clear their browser cache before logging in to the Console.

    Results
    A summary of the installation advises you of any issues. After the update is complete, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar Packet Capture.


    Troubleshooting
    After the system is rebooted, administrators can run the nc_bootcheck.sh command on the Packet Capture software install to verify whether the capture server is ready or whether the system needs to be rebooted again to complete the installation.
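
A pre-flight wrapper around the procedure above, as an added example that is not IBM's code: it checks the base OS, the SFS file name, and the starting version before mounting the file and running the installer. The function names, the release-string patterns, and passing the installed version in as an argument are assumptions; the sample release string in the comments is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks before the SFS update. Not IBM code.

# $1 = contents of /etc/redhat-release, e.g. "CentOS release 6.9 (Final)" (constructed sample).
# The release notes require Red Hat Enterprise or CentOS at 6.8 or 6.9.
os_supported() {
    case "$1" in
        "Red Hat Enterprise Linux"*" release 6.8 "*|"Red Hat Enterprise Linux"*" release 6.9 "*) return 0 ;;
        "CentOS"*" release 6.8 "*|"CentOS"*" release 6.9 "*) return 0 ;;
    esac
    return 1
}

# Software-install downloads carry '-1G.sfs' in the file name.
sfs_is_software_install() {
    case "${1##*/}" in
        *-1G.sfs) return 0 ;;
    esac
    return 1
}

# $1 = installed version, $2 = minimum; four dotted numeric fields each.
version_at_least() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$old_ifs
    [ $# -eq 8 ] || return 2
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}; b=${pair##*:}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# $1 = SFS path, $2 = installed version (supplied by the operator), $3 = release string.
preflight() {
    os_supported "$3" || { echo "unsupported base OS: $3" >&2; return 1; }
    sfs_is_software_install "$1" || { echo "not a -1G.sfs file: $1" >&2; return 1; }
    version_at_least "$2" 7.2.8.278 || { echo "$2 is below 7.2.8.278" >&2; return 1; }
}

# Steps 4-9 of the procedure; run as root, then reboot manually (step 10).
run_update() {
    mkdir -p /media/updates || return 1
    mount -o loop -t squashfs "$1" /media/updates || return 1
    (cd /media/updates && sh installer.sh); rc=$?
    umount /media/updates
    return "$rc"
}
```

Sourcing the file defines the functions only; call preflight with the SFS path, the installed version, and the output of cat /etc/redhat-release, and call run_update only when it returns 0.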









Document Information

Modified date:
28 October 2020

UID

swg27050680