IBM Security QRadar

  • 1.  QRadar Installation on my own RHEL

    Posted Tue January 26, 2021 03:00 PM
    Edited by benlinux Tue January 26, 2021 03:07 PM
    Hello Experts,

    I am a bit unclear on something.

    I am having an issue with disk space in my environment. I have two options to deploy QRadar, as described below.

    1) I have a local disk space of 300GB (above the required 256GB). I want to install the QRadar ISO (7.4.0) file as a VM, and attach an external storage that I will use to resize /store and all other partitions with LVM. Can this resize be done? Also, the RHEL that is bundled in the QRadar ISO, does it have the necessary tools to support iSCSI storage?

    2) The other option is to use my own RHEL. I know I have to create partitions with exact names as stated in the link below, but my concern is this: if, for example, I installed RHEL 7.6 to support the 7.4.0 QRadar ISO, what happens when I want to upgrade my QRadar to, say, version 7.4.2 that supports RHEL v7.8? Will the SFS file upgrade my existing RHEL OS from version 7.6 to 7.8, or will I have to upgrade my RHEL OS to support the QRadar version? Also, what is the impact of using this method?

    https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/r_siem_inst_part_guide.html

    In addition, I want to set up this QRadar as a secondary node for HA.

    Thank You.

    ------------------------------
    Benjamin Nworah
    ------------------------------


  • 2.  RE: QRadar Installation on my own RHEL

    IBM Champion
    Posted Wed January 27, 2021 04:21 AM
    Benjamin,
    you do love challenges, right? :-)

    Let's break this down into subsections. My answers typed in -> bold letters

    1) I have a local disk space of 300GB (above the required 256GB). I want to install the QRadar ISO (7.4.0) file as a VM
    -> just fine
    and attach an external storage that I will use to resize /store
    -> external storage is supported. Pls make sure your NAS/SAN is transparently integrated into your ptn scheme. Use soft/hard ptn links depending on your setup.
    and all other partitions with LVM. Can this resize be done?
    -> LVM is not used by QRadar. QRadar is using traditional ptn layout. Pls refer to https://www.redhat.com/sysadmin/lvm-vs-partitioning
    Also, the RHEL that is bundled in the QRadar ISO, does it have the necessary tools to support iSCSI storage?
    -> as long as your iSCSI is part of your ESXi VM host and part of your QRadar guest VM, it will be just a virtual disk QRadar is using

    2) The other option is to use my own RHEL. I know I have to create partitions with exact names as stated in the link below, but my concern is this: if, for example, I installed RHEL 7.6 to support the 7.4.0 QRadar ISO, what happens when I want to upgrade my QRadar to, say, version 7.4.2 that supports RHEL v7.8? Will the SFS file upgrade my existing RHEL OS from version 7.6 to 7.8, or will I have to upgrade my RHEL OS to support the QRadar version? Also, what is the impact of using this method?
    -> the SW install scenario is indeed an alternative because it may give you more options. Main reason for using it is to run QRadar on your own hardware. However, you can choose software install on top of your own RHEL VM install as well. However, this makes no real sense.
    -> once you have run thru QRadar setup, your installation will completely be managed by the sfs and iso images you install after initial setup. Pls don't mess around with follow-up RHEL images as long as you are not instructed to do so by support or QRadar documentation.

    In addition, I want to set up this QRadar as a secondary node for HA.
    -> mighty challenge! Thought about DR already? HA is not a recommended option to go for in VMware environments. Rather use snapshots etc.
    -> what does your primary look like? appliance? 3rd party hardware? VM? Pls make sure its architecture is as close to your secondary as possible. As HA will take care of your ptn scheme, all questions asked above will become obsolete.

    Regards
    Karl



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------