IBM QRadar

I'm following the guide https://www.ibm.com/docs/sv/qsip/7.5?topic=qshms-replacing-qradar-console-appliance-that-uses-same-ip-address

console (replace with new hardware)

app host. (replace with new hardware)

flow processor. (replace with new hardware) (no data node attached)

event processor (replace with new hardware) (single data node attached - will not be replaced)

#####

step 4 on the console appliance replacement that uses the same IP address

    change the IP address of the old host by editing the IP address of the interface /etc/sysconfig/sysconfig/network-scripts/ifcfg-ens3f0

    and restarting the network services

for the managed host, https://www.ibm.com/docs/sv/qsip/7.5?topic=scenarios-replacing-qradar-managed-host

    change the IP address of the old host by running /opt/qradar/bin/qchange_netsetup

Question1:  why do we run different commands to change the IP address of the old host?

#####

for replacing the managed host without data node

remove the old host (console web UI) and assign temporary ip via /opt/qradar/bin/qchange_netsetup

assign the ip of the old host to the new hardware via /opt/qradar/bin/qchange_netsetup (use the same hostname and IP of the old host)

add the new hardware (console web UI); deploy changes (console web UI)

turn off the firewall on the new host and copy data from old host to new host (step 6)

i'm pretty clear on the steps to follow.

###

I'm not clear on the steps for replacing the EP (the attached data node is not being replaced)

Question2:  can someone clarify step 7 and step 8? or do I just follow step 8 only?

    a. collect the logs from console, event processor, and data node

    b. remove the data node

    c. remove the old event processor, second? (assign temporary IP by running /opt/qradar/bin/qchange_netsetup)

    d. assign old hostname and IP to the new hardware (by running /opt/qradar/bin/qchange_netsetup)

    e. add the new hardware via console ui

    f. assign the data node to the new hardware

I'm not sure if i'm understanding the steps correctly.

#####

Thank you.

-nelson

------------------------------
nelson lee
------------------------------

Nelson, OMG thats a long list of questions. I will try to answer inline anyway starting at your question one:

You wrote:

Question1:  why do we run different commands to change the IP address of the old host?

Answer1: old hosts and new hosts are very different. Old hosts will have the ip address stored in 100 different places. So all you have to do is get rid of it changing the network script. Only new hosts can use the the script qchange_netsetup. It will take care of updating all the places needed in config files and config database.

#####

for replacing the managed host without data node

remove the old host (console web UI) and assign temporary ip via /opt/qradar/bin/qchange_netsetup

Answer2: as outlined before dont use the script. Change the data in the /etc/sysconfig/network-scripts/ on all old host systems to make sure there is no conflict of IP addresses in the network. Restart network as outlined in the documentation.

assign the ip of the old host to the new hardware via /opt/qradar/bin/qchange_netsetup (use the same hostname and IP of the old host)

add the new hardware (console web UI); deploy changes (console web UI)

turn off the firewall on the new host and copy data from old host to new host (step 6)

i'm pretty clear on the steps to follow.

###

I'm not clear on the steps for replacing the EP (the attached data node is not being replaced)

Question2:  can someone clarify step 7 and step 8? or do I just follow step 8 only?

Answer3: not sure which steps you are referring to, hope my answers help a bit.

    a. collect the logs from console, event processor, and data node

    b. remove the data node

    c. remove the old event processor, second? (assign temporary IP by running /opt/qradar/bin/qchange_netsetup)

Answer4: as outlined before, dont use this on old hosts. Pls read my comment above.

    d. assign old hostname and IP to the new hardware (by running /opt/qradar/bin/qchange_netsetup)

    e. add the new hardware via console ui

    f. assign the data node to the new hardware

I'm not sure if i'm understanding the steps correctly.

Answer5: hope its a bit clearer now! The rest of your statements of understanding are correct!

------------------------------
[Karl] [Jaeger] [#ibmchampion]
[QRadar Specialist]
------------------------------

Original Message:
Sent: Tue March 25, 2025 06:54 PM
From: nelson lee
Subject: qradar appliance hardware replacement (keep the same hostname and IP)

I'm following the guide https://www.ibm.com/docs/sv/qsip/7.5?topic=qshms-replacing-qradar-console-appliance-that-uses-same-ip-address

console (replace with new hardware)

app host. (replace with new hardware)

flow processor. (replace with new hardware) (no data node attached)

event processor (replace with new hardware) (single data node attached - will not be replaced)

#####

step 4 on the console appliance replacement that uses the same IP address

    change the IP address of the old host by editing the IP address of the interface /etc/sysconfig/sysconfig/network-scripts/ifcfg-ens3f0

    and restarting the network services

for the managed host, https://www.ibm.com/docs/sv/qsip/7.5?topic=scenarios-replacing-qradar-managed-host

    change the IP address of the old host by running /opt/qradar/bin/qchange_netsetup

Question1:  why do we run different commands to change the IP address of the old host?

#####

for replacing the managed host without data node

remove the old host (console web UI) and assign temporary ip via /opt/qradar/bin/qchange_netsetup

assign the ip of the old host to the new hardware via /opt/qradar/bin/qchange_netsetup (use the same hostname and IP of the old host)

add the new hardware (console web UI); deploy changes (console web UI)

turn off the firewall on the new host and copy data from old host to new host (step 6)

i'm pretty clear on the steps to follow.

###

I'm not clear on the steps for replacing the EP (the attached data node is not being replaced)

Question2:  can someone clarify step 7 and step 8? or do I just follow step 8 only?

    a. collect the logs from console, event processor, and data node

    b. remove the data node

    c. remove the old event processor, second? (assign temporary IP by running /opt/qradar/bin/qchange_netsetup)

    d. assign old hostname and IP to the new hardware (by running /opt/qradar/bin/qchange_netsetup)

    e. add the new hardware via console ui

    f. assign the data node to the new hardware

I'm not sure if i'm understanding the steps correctly.

#####

Thank you.

-nelson

------------------------------
nelson lee
------------------------------