Qradar is being migrated to a new datacenter. We want to provision the disks on the VM level in the following way:
1. Qradar will be installed with 2 disks. One of 4TB, while the other of 60TB (For '/store').
2. Once Qradar is installed, we will add 30 more disks of 2TB each. The reason behind it is as follows:
• Multiple disks on infrastructure would mean more storage controllers, thus resulting in a better I/O rate.
3. Then we will add those disks to the volume group "storerhel".
4. After the volume group has been extended, then we will move the existing data in the "/storerhel" volume group to the newly added disks and then extend the LVM "storerhel/store" to occupy the whole volume group.
5. Lastly, we will remove the physical volume “/dev/<name>” from the volume group.
This way we expect to get rid of that single chunk of 60TB which would increase the number of storage controllers resulting in Improved Disk IOPs.
Goals:
We already have data on our existing Event Processor, and we do not want to lose it during migration. Our Migration Steps are as follows:
• Break the HA Cluster in the old infrastructure.
• do a fresh HA installation of EP on the new infrastructure with the same configuration
• Remove the secondary EP that was part of the HA cluster in the older infrastructure from the network.
• add the newly installed EP as an HA to the primary EP virtual appliance in the old infrastructure.
• Once the sync is complete, then a manual failover is performed and confirmed that the system is running fine.
• Then we will remove the primary Appliance in the old infrastructure and do a fresh installation in HA Recovery mode.
To sum up, we want to migrate with the steps and disk provisioning method mentioned above without losing data. Please note that current Qradar installation is a software installation and disk provisioning is different than the one we are planning on the new infrastructure.
NOTE: I have already opened a ticket with support and they have redirected me here.
#QRadar#Support#SupportMigration