Hi,
I'm a fan of keep it simple. Basically, this is what I would do:
Preparation
- which QRadar version should have the common depolyment?
- agree with IBM that the licenses. (EPS / FPM / Datastore?) can be transferred from AIO1 to the AIO2 deployment
- request a downtime for AIO1 conversion
- have an ISO with the QRadar version corresponding to the config backup file of AIO1 to have the possibility of a rollback.
Implementation
- Install extended license to AIO2
- backup data from /store/Ariel on AIO1
- get a config backup from AIO1, if you need to rollback
- factory reset AIO1
- reinstall AIO1 as EP1
- patching to QRadar version of AIO2
- Add managed host EP1 in AIO2 deployment
- restore /store/ariel on EP1 from backup
- enjoy
I hope this helps. There are of course other possibilities with little downtime (for example a Temporary QRadar AIO1temp which continues to collect the logs during the conversion from AIO1 to EP1). I think the above described is the easiest way.
Drop me a message, if you need more information.
------------------------------
Kind regards
Oliver
------------------------------
Original Message:
Sent: Sat March 07, 2020 03:35 PM
From: Muhammad Ausaf Ali Yousaf
Subject: Merging two QRadar AIO
We have the following setup:
- QRadar AIO 1 for Company 1 (Smaller Company)
- QRadar AIO 2 for Company 2
Now both the companies have merged and we are planning to combine QRadars'. We have decided to make QRadar AIO 1 as an event Processor and in the meantime point all logs to QRadar AIO 2. After that we will setup QRadar EP to point to QRadar AIO 2. Can someone check the sanity of this plan and any details on how this can be accomplished will be welcomed.
------------------------------
Muhammad Ausaf Ali Yousaf
------------------------------