IBM Security QRadar

  • 1.  Need to understand

    Posted Wed December 04, 2019 11:12 AM
    Hi All,

    I received an email as below (it's an internal email but nothing sensitive, so I am using it here). The email is quoted in brackets below; at the bottom I have posted my question to the forum.


    (Hi Asif,

    Hope you are doing well. We created a new VM for QRadar on the new server. First we wanted to migrate it, but we think it is much easier and better to do a fresh installation.

    Could you please let me know what OS you need for QRadar, and whether you are able to install applications once the VM is ready or if you need any help from us.

    Thanks)

    Question: What exactly are they asking me? Are they talking about creating a new data gateway? (We have QROC in use.) The reason I am asking is that I do not want to sound stupid, so I am discussing this here first before I send them my reply. A prompt reply is appreciated.

    Regards, Asif Siddiqui.

    ------------------------------
    asif siddiqui
    ------------------------------


  • 2.  RE: Need to understand

    Posted Thu December 05, 2019 03:19 AM
    Hi @asif siddiqui,

    Reading that email, I am guessing you are trying to install QRadar in a virtualized environment. If you are, the first thing the guy is saying is that the idea was migrating QRadar from on premise to maybe a private cloud (on a VM). But they think (and I agree) a fresh installation would be better, as it will reduce the complexity of restoring data and configuration, etc.

    The second thing the guy is asking about is the OS they need to install. Normally for QRadar you need to install RHEL (Red Hat Enterprise Linux). The version of RHEL depends upon the version of QRadar you want to install. You must use the RHEL V7.3 minimal install ISO. For QRadar® V7.3.1.6 or later, use the RHEL V7.5 minimal install ISO. Use the following link to get step-by-step details: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/c_siem_inst_prep.html

    But what is weird is: I am pretty sure QRoC does not ask you for installation of QRadar or any VMs. It is SaaS provided to you.
    I am quite sure this guy is not asking about QRoC but about some side installation you might have been doing in the past.

    Let me know if you need more clarification.



    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: Need to understand

    Posted Fri December 06, 2019 01:26 AM
    Hi Chinmay,

    Thanks for replying. Yes, we have 3 data gateways in our company environment and all 3 are on VMs. So one of the data gateways (the server, actually, which is on a VM) they want to migrate to a new VM (new server), as the existing ESXi is getting expired.

    So my questions here are:
    1) If we migrate this existing data gateway VM onto the new VM, will this migrate all current configurations?
    2) Do we expect any loss of logs, because that data gateway continuously sends logs to QRadar? (And we do not want to lose any logs.)

    Regards
    Asif Siddiqui

    ------------------------------
    asif siddiqui
    ------------------------------



  • 4.  RE: Need to understand

    Posted Thu December 12, 2019 07:59 AM
    Hi @asif siddiqui,

    1) I think it depends on how you migrate. If you are restoring the new VM from a snapshot of the old one, then yes. But if you are creating a fresh VM and restoring the backup of the old VM, you may need to change some configurations manually, like deployment details, interface IP details, etc.
    2) Technically speaking, if you restart the ecs-ec-ingress service, you will lose logs, as this is the service which buffers logs when other services are not processing logs. Another option is to use an rsyslog server to buffer the logs for the time you are restoring/creating the new VM. That should be doable and you would not lose the logs (but logs will come in late, of course).

    ------------------------------
    Chinmay Kulkarni
    ------------------------------
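As an added illustration of the rsyslog buffering suggested in the reply above (this is not part of the original post or IBM's documentation), here is a forwarding rule for an intermediate rsyslog relay that spools events to disk while the data gateway is unreachable and replays them once it is back. It assumes the log sources can be repointed to this relay for the duration of the migration; the gateway hostname, port and spool paths are placeholders.

```rsyslog
# Added example: rsyslog relay that buffers syslog destined for a QRadar
# data gateway while that gateway VM is being rebuilt.
# Hostname, port and paths below are assumed placeholders.

# Accept syslog from the log sources on TCP and UDP 514.
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")

# Directory for the on-disk spool files created by the queue below.
global(workDirectory="/var/spool/rsyslog")

# Forward everything to the data gateway over TCP. While the gateway is
# down, messages accumulate in a disk-assisted queue instead of being
# dropped, and the action retries the connection indefinitely:
#   queue.type="LinkedList"      in-memory queue that spills to disk when full
#   queue.filename               prefix for spool files under workDirectory
#   queue.maxDiskSpace           size the spool for the expected outage window
#   queue.saveOnShutdown="on"    persist in-flight messages if rsyslog stops
#   queue.discardSeverity="8"    never discard messages by severity
#   action.resumeRetryCount=-1   retry forever rather than suspending
#   action.resumeInterval        seconds between reconnection attempts
action(type="omfwd"
       target="datagateway.example.internal"
       port="514"
       protocol="tcp"
       queue.type="LinkedList"
       queue.filename="qradar_fwd"
       queue.maxDiskSpace="4g"
       queue.saveOnShutdown="on"
       queue.discardSeverity="8"
       action.resumeRetryCount="-1"
       action.resumeInterval="30")
```

Validate the file with `rsyslogd -N1` before restarting the relay, and watch the spool directory during the outage to confirm the queue is growing rather than the messages being discarded.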