
Page 1: IBM Security QRadar Upgrade Guide

IBM Security QRadar Version 7.2.0

Upgrade Guide


Note: Before using this information and the product that it supports, read the information in “Notices and Trademarks” on page 11.

© Copyright IBM Corp. 2013 All Rights Reserved US Government Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


CONTENTS

ABOUT THIS GUIDE
  Intended Audience  1
  Documentation Conventions  1
  Technical Documentation  1
  Contacting Customer Support  1
  Statement of good security practices  2

1 PREPARING FOR YOUR UPGRADE
  Upgrade considerations  3
    QRadar software version requirements  3
    Memory and disk space requirements  3
    Upgrade considerations for High Availability (HA) deployment  5
    Upgrade considerations for virtual appliances  5
    Upgrade considerations for your asset data  6

2 SYSTEM UPGRADE
  Upgrading your system  7
  Clearing the cache  9

A NOTICES AND TRADEMARKS
  Notices  11
  Trademarks  13

INDEX


ABOUT THIS GUIDE

This guide provides information about how to upgrade your IBM Security QRadar system to version 7.2.

Unless otherwise noted, all references to QRadar refer to the following products:

• IBM Security QRadar SIEM

• IBM Security QRadar Log Manager

• IBM Security QRadar Network Anomaly Detection

Intended Audience

The IBM Security QRadar SIEM Upgrade Guide is intended for system administrators who are responsible for upgrading QRadar systems.

Documentation Conventions

The following conventions are used throughout this guide:

Note: Indicates that the information provided is supplemental to the associated feature or instruction.

CAUTION: Indicates that the information is critical. A caution alerts you to potential loss of data or potential damage to an application, system, device, or network.

WARNING: Indicates that the information is critical. A warning alerts you to potential dangers, threats, or potential personal injury. Read all warnings carefully before proceeding.

Technical Documentation

For information about how to access more technical documentation, technical notes, and release notes, see the Accessing IBM Security QRadar SIEM Documentation Technical Note. (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21614644)

Contacting Customer Support

For information about contacting customer support, see the Support and Download Technical Note. (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861)


Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

1 PREPARING FOR YOUR UPGRADE

You must prepare for your upgrade to prevent issues from occurring during the upgrade.

Before you install the latest software version, you can view the Fix Central website to determine if any fix packs are available. Fix packs are cumulative updates that contain the necessary software to upgrade all QRadar products, including QRadar Risk Manager and QRadar Vulnerability Manager to the latest version.

For more information, see http://www.ibm.com/support/fixcentral.

Upgrade considerations

Read these upgrade considerations and prepare for your upgrade to ensure that your upgrade succeeds.

QRadar software version requirements

To upgrade to QRadar 7.2, ensure that the following requirements are met.

• You must be using at least QRadar 7.1 (MR2). In the QRadar user interface, click Help > About to view your QRadar version information.

• We require that you upgrade all of the systems in your deployment to QRadar 7.2.

Memory and disk space requirements

Before you upgrade, you must verify that your deployment meets the minimum memory and disk space requirements.

The minimum memory requirement outlines the amount of memory that is required to use the software features on each QRadar appliance. The suggested appliance memory defines the amount of memory that is suggested for each appliance to use the current software features and includes extra memory to account for future software capabilities. Appliances with less than the suggested appliance memory might experience various performance issues during periods of excessive event and flow traffic.

Note: Appliances that are manufactured by Dell must use Dell Certified Memory. To purchase Dell Certified Memory for your appliance, contact Dell customer support.


• If you plan to enable payload indexing, your system requires a minimum of 24 GB of memory. However, 48 GB of memory is suggested.

• If you install QRadar software on your own hardware or a virtual machine, your system must meet the minimum memory requirements outlined in Table 1-1.

• Any IBM Security QFlow Collector appliance with less than an 80 GB hard drive must use a fresh installation to upgrade to the latest software. For more information, see the Installation Guide for your product.

• The QRadar 7.2 upgrade requires the following minimum free disk space:

Table 1-1 Appliance memory requirements

Appliance                            Minimum memory requirement   Suggested appliance memory
QFlow Collector 1201                 6 GB                         6 GB
QFlow Collector 1202                 6 GB                         6 GB
QFlow Collector 1301                 6 GB                         6 GB
QFlow Collector 1310                 6 GB                         6 GB
QRadar Event Collector 1501          12 GB                        16 GB
QRadar Event Processor 1601          12 GB                        48 GB
QRadar Event Processor 1605          12 GB                        48 GB
QRadar Event Processor 1624          12 GB                        64 GB
QRadar Flow Processor 1701           12 GB                        48 GB
QRadar Flow Processor 1705           12 GB                        48 GB
QRadar Flow Processor 1724           12 GB                        64 GB
QRadar Event & Flow Processor 1805   12 GB                        48 GB
QRadar SIEM 2100                     24 GB                        24 GB
QRadar SIEM 2100 Light               24 GB                        24 GB
QRadar SIEM 3100                     24 GB                        48 GB
QRadar SIEM 3105                     24 GB                        48 GB
QRadar SIEM 3124                     48 GB                        64 GB
QRadar Log Manager 1605              12 GB                        48 GB
QRadar Log Manager 1624              12 GB                        64 GB
QRadar Log Manager 2100              24 GB                        24 GB
QRadar Log Manager 3105              24 GB                        48 GB
QRadar Log Manager 3124              48 GB                        64 GB
QRadar Network Anomaly 3105          24 GB                        48 GB

Table 1-2 Free space requirements

Partition    Free space requirement
/            3 GB or 10 GB (see the note that follows)


The root ( / ) partition requires 10 GB of free drive space if your appliance has less than 8 GB of available swap space or less than 5 GB of memory. Otherwise, appliances can upgrade with 3 GB of free disk space on the root partition. The upgrade pretest determines when a partition does not include enough free space to complete an upgrade. You must free up disk space on the partition that is named in the pretest error message before you can upgrade.
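The following POSIX shell script is an added example, not IBM's own pretest: it applies the root-partition rule above and the per-partition thresholds from Table 1-2 ( /, /store, /var/log, /store/tmp ) so that an administrator can confirm free space before mounting the patch. It assumes an appliance with /proc/meminfo and a POSIX df(1); the script name check_space.sh and the function names are assumptions.

```shell
#!/bin/sh
# Pre-upgrade free-space check for QRadar 7.2 (added example; not IBM's pretest).
# Assumes a QRadar appliance with POSIX df(1) and /proc/meminfo; the
# thresholds are taken from Table 1-2 and the root-partition rule in the guide.

# Root ( / ) requirement: 10 GB when the host has less than 8 GB of swap or
# less than 5 GB of memory, otherwise 3 GB. Arguments: memory MB, swap MB.
# Prints the required free space in MB.
root_requirement_mb() {
    mem_mb=$1
    swap_mb=$2
    if [ "$swap_mb" -lt 8192 ] || [ "$mem_mb" -lt 5120 ]; then
        echo 10240
    else
        echo 3072
    fi
}

# Returns 0 (true) when the available MB ($1) meets the required MB ($2).
has_enough_space() {
    [ "$1" -ge "$2" ]
}

# MemTotal or SwapTotal from /proc/meminfo (reported in kB), converted to MB.
# MemTotal is slightly below installed RAM, so a 5 GB host may read a little less.
meminfo_mb() {
    awk -v key="$1:" '$1 == key { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Available space on a mount point in MB, using POSIX df -P -k (1024-byte blocks).
avail_mb() {
    df -P -k "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# Check every partition listed in Table 1-2 and print one line per partition.
# Returns non-zero if any present partition is short on space, mirroring the
# pretest failure that blocks the upgrade.
check_all() {
    mem=$(meminfo_mb MemTotal)
    swap=$(meminfo_mb SwapTotal)
    root_req=$(root_requirement_mb "$mem" "$swap")
    status=0
    # "mount point:required MB" pairs; 4 GB = 4096 MB.
    for entry in "/:$root_req" "/store:4096" "/var/log:500" "/store/tmp:800"; do
        mount_point=${entry%%:*}
        required=${entry##*:}
        if [ ! -d "$mount_point" ]; then
            echo "SKIP $mount_point (not present on this host)"
            continue
        fi
        avail=$(avail_mb "$mount_point")
        if has_enough_space "$avail" "$required"; then
            echo "OK   $mount_point: ${avail} MB free, ${required} MB required"
        else
            echo "FAIL $mount_point: ${avail} MB free, ${required} MB required"
            status=1
        fi
    done
    return "$status"
}

# Run the check only when executed as a script named check_space.sh, so the
# functions can also be sourced from another shell without side effects.
case "$0" in
    *check_space.sh) check_all ;;
esac
```

On a host with a separate /store/tmp mount, df reports that mount point's own free space; on a host where it is only a directory under /store, the /store figure is reported for both, as the table's rows intend.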

Upgrade considerations for High Availability (HA) deployment

When you upgrade an HA deployment, prepare for HA-specific upgrade considerations.

If you are upgrading systems in an HA deployment, upgrade the primary system. The upgrade is automatically applied to the associated secondary system if the primary system is the active system and the secondary system is in standby mode. The primary host must be the active system in your deployment. If the secondary host is the active system, the upgrade of the primary host is cancelled. For more information about managing HA, see the Administration Guide for your product.

If the HA cluster is disconnected or if you want to add a new secondary HA host to an existing primary HA host, you must reinstall on the secondary HA host with QRadar 7.2. For more information about reinstalling software, see the Installation Guide for your system. After you reinstall the secondary HA host, log in to the user interface to reconnect or create a new HA cluster.

CAUTION: Disk replication and failovers are disabled until the primary and secondary hosts synchronize and the Needs Upgrade or Failed status is cleared from the secondary host.

After the upgrade of the secondary host is complete, you might be required to restore the configuration of the secondary host. For more information about restoring a failed host, see the Administration Guide for your product.

Upgrade considerations for virtual appliances

If your deployment consists of a virtual appliance and you have questions about your deployment, contact Customer Support for assistance. For information on QRadar appliances and hardware, see the QRadar Hardware Installation Guide.

Table 1-2 Free space requirements (continued)

Partition    Free space requirement
/store       4 GB
/var/log     500 MB
/store/tmp   800 MB


Upgrade considerations for your asset data

This software update introduces a new asset database with improved DHCP compatibility. Your current asset data, which is not DHCP-aware, provides no means to distinguish the properties of one asset from another asset when both assets share an IP address. Therefore, we provide you with three options for how to handle your asset data during the patch process.

None of the three options adversely affects the asset identity data that is already stored in your events and offenses databases. The asset data on your system continues to be available to you after you complete the software update on your appliances.

Note: If your networks use static IP addresses for assets (as opposed to DHCP IP pools), you can ignore this message and select option 3 to migrate all your assets. Otherwise, read this list carefully and then select one of the following options:

1 Migrate No Assets (Recommended most of the time):

• Use this option if you have DHCP networks

• Event/Offense identity data is preserved.

• All previous asset data is removed

• Allow a few days after the upgrade/patch for your asset model to regenerate itself.

2 Migrate Only User-Edited Assets (Recommended if you edited assets in the UI and do not want to throw that data away):

• Use this option if you have DHCP networks and you want to maintain your manually added asset data.

• Only assets that were directly modified in the UI are migrated.

• Assets that were not user-modified are deleted.

• Event/Offense identity data is preserved.

• Estimated Migration Time: [*]

The time estimate is based on your appliance hardware and the number of assets that are migrated.

• Allow a few days after the upgrade/patch for your asset model to regenerate itself.

3 Migrate All Assets (Not Recommended):

• All existing asset data is carried forward.

• DHCP confusion is carried forward on a 'best effort' basis, often resulting in conjoined assets and data contention.

• Estimated Migration Time: [*]

The time estimate is based on your appliance hardware capabilities and the number of assets that are migrated.

Note: [*] Estimated times are approximations based on your hardware capabilities.

2 SYSTEM UPGRADE

You can use these procedures to update the software for any QRadar product.

Upgrading your system

Use this procedure to update the software on your QRadar appliances.

Before you begin

Before you begin, take the following precautions:

• Back up your data before you begin any software upgrade. For more information about backup and recovery, see the Administration Guide for your product.

• Close all open QRadar sessions to avoid access errors in your log file.

• You must deploy any pending changes on your QRadar Console. Undeployed changes on the Admin tab prevent the patch from starting the software update.

• If your deployment includes offboard storage solutions, you must disconnect your offboard storage before you upgrade. After you complete the upgrade, you can remount your external storage solutions. For more information, see the Configuring Offboard Storage Guide.

About this task

If you use Secure Shell (SSH) and your SSH session is disconnected while a software update is in progress, the installation is not halted. When you reopen your SSH session and rerun the installer, the patch installation resumes.

Procedure

Step 1 Download the 720_QRadar_patchupdate-7.2.0.0.599863.sfs patch from Fix Central:

http://www.ibm.com/support/fixcentral/

Note: QRadar ISO files for 7.2 only support fresh installations of QRadar software on your appliances. For more information, see the installation guide for your QRadar product.

Step 2 Using SSH, log in to your system as the root user.

User name: root
Password: <password>


Step 3 Copy the patch file to the /tmp directory.

If space in /tmp is limited, copy the patch file to another location with sufficient space.

Step 4 Type the following command to create the /media/updates directory:

mkdir -p /media/updates

Step 5 Change to the directory where you copied the patch file.

For example: cd /tmp

Step 6 Type the following command to mount the patch file to the /media/updates directory:

mount -o loop -t squashfs 720_QRadar_patchupdate-7.2.0.0.<build_number>.sfs /media/updates/

Step 7 Type the following command to run the patch installer:

/media/updates/installer

The first time that you use the patch installer script, there might be a delay before the installation menu displays.

Step 8 Using the patch installer, upgrade all systems in your deployment.

If you do not select the Patch All option, you must upgrade systems in your deployment in the following order:

• Console

You must update the Console first and ensure that you can log in to QRadar before you attempt to apply a software update to your managed hosts.

• Event Processors

• Event Collectors

• Flow Processors

• Flow Collectors

Step 9 Using the asset migration menu, select an option to update your asset data.

After the software update completes, a summary message displays the host names and the appliance status.

What’s next

Select one of the following options:

• If your deployment updated successfully, you can clear the cache on your browser and log in to QRadar.

• If the software update summary displays a host that did not successfully update, you can write down the host name and repeat the patch process on the individual appliance.


Clearing the cache

To access the user interface after your software update, you might need to clear your Java™ cache.

Before you begin

Before you clear the cache, ensure that you have only one instance of your browser open. If you have multiple windows of your browser open, the cache fails to clear.

The Java™ Runtime Environment must be installed on the desktop system that you use to view the user interface. You can download Java version 1.6 or 1.7 at the following website: http://java.com/.

About this task

If you use the Microsoft® Windows 7 operating system, the Java icon is typically located under the Programs pane.

If you use the Mozilla Firefox web browser, you must clear the cache in the Microsoft Internet Explorer and Mozilla Firefox web browsers.

Procedure

Step 1 Clear your Java cache:

a On your desktop, select Start > Control Panel.

b Double-click the Java icon.

c In the Temporary Internet Files pane, click View.

d On the Java Cache Viewer window, select all QRadar Deployment Editor entries.

e Click the Delete icon.

f Click Close.

g Click OK.

Step 2 Open your web browser.

Step 3 Clear the cache of your web browser.

Step 4 Log in to QRadar:

https://<IP Address>

Where <IP Address> is the IP address of the QRadar system. The default values are:

User name: admin
Password: <password>

A NOTICES AND TRADEMARKS

What’s in this appendix:

• Notices

• Trademarks

This section describes some important notices, trademarks, and compliance information.

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:


INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
170 Tracer Lane, Waltham MA 02451, USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at http://www.ibm.com/legal/copytrade.shtml.

The following terms are trademarks or registered trademarks of other companies:

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


INDEX

C
  contacting customer support  1
  conventions  1

D
  documentation conventions  1

I
  intended audience  1

M
  memory and disk space requirements  3

S
  software version requirements  3

T
  technical documentation  1

U
  upgrade considerations  3
  upgrading QRadar SIEM appliances  7
