IBM Security QRadar

  • 1.  EXTERNAL STORAGE

    Posted Mon September 16, 2019 06:01 AM
    Hi everyone,
    The scenario is the following: I have to add an external disk to my QRadar appliance so that it is shared between two event processors that are in HA with each other.
    The problem is this: the only way to add it is through iSCSI, as also stated in the IBM guides, but when I add it in my vCenter as an RDM, that is, a virtual disk, it can only be reached locally, so by just one processor, whereas I need it to be reachable from the other one as well.

    Any advice to do it?

    ------------------------------
    THROUGH
    ------------------------------


  • 2.  RE: EXTERNAL STORAGE

    Posted Tue September 17, 2019 05:48 AM
    I am not sure at which point you encountered the problem - on QRadar or on vSphere's RDM?
    As mentioned, QRadar can be implemented in HA config either using shared SAN storage (FC, iSCSI) or DRBD ("Distributed Replicated Block Device"). If distance, connection and data volume allow it, it is probably best to opt for DRBD when vSphere is used (as you would avoid potential obstacles on the storage side through vSphere stack). That said, if you go with shared storage and RDM (I assume it is on two VMs on separate physical hosts?), make sure you are using pass-through (physical compatibility mode) RDM. For QRadar HA, /store would be mounted on the external device, and your primary and secondary QRadar instances should be configured to communicate with that external device, but /store would be mounted on one host and only in case of failover to the other host.
    There are QRadar High Availability Guide and QRadar Offboard Storage Guide which should provide good guidance for the implementation.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: EXTERNAL STORAGE

    Posted Fri September 23, 2022 10:31 AM

    Hi @Dusan VIDOVIC,

    Based on your response.
    We wanted to know whether the above scenario is possible with a single shared storage between two VMs on separate physical hosts using Fibre Channel with SAN storage.

    Do we need a single 30 TB shared storage attached to both physical servers, or 2x30 TB storage? 30 TB with Server 1 and another 30 TB with Server 2.

    We are also using VMware ESXi, where we are using the settings below.

    Virtual Machine - 1(Physical Server - 1)
    HDD1
    Type : Thin Provisioned
    Disk File : QRadar_VM1_1.vmdk
    Shares : Normal
    Limit - IOPs : Unlimited
    Controller location : SCSI Controller 1
    Disk mode : Dependent


    HDD2 (Shared /store by Raw Disk Mapping)
    Disk File : QRadar_VM1_2.vmdk
    Controller location : SCSI Controller 1
    Disk Mode : Independent - persistent
    Disk compatibility : Physical

    Virtual Machine - 2 (Physical Server - 2)
    HDD1
    Type : Thin Provisioned
    Disk File : QRadar_VM2_1.vmdk
    Shares : Normal
    Limit - IOPs : Unlimited
    Controller location : SCSI Controller 1
    Disk mode : Dependent


    HDD2 (Shared /store by Raw Disk Mapping)
    Disk File : QRadar_VM1_2.vmdk
    Controller location : SCSI Controller 1
    Disk Mode : Independent - persistent
    Disk compatibility : Physical

    Output to validate FC
    [root@QRTEST01 ~]# ls -l /dev/disk/by-path/*-fc-*
    ls: cannot access /dev/disk/by-path/*-fc-*: No such file or directory
    [root@QRTEST01 ~]#


    Additionally, can we do this on a single physical server with shared storage?
    The issue below happened when we were using 2 VMs on the same physical host.
    I followed all the steps from the Offboard Storage Guide, but after adding both hosts to HA, the primary and secondary QRadar machines show an offline state.
    [root@QRTEST01-primary ~]# /opt/qradar/ha/bin/ha cstate
    Local: R:PRIMARY S:OFFLINE/SYNCHRONIZING CS:NONE P:1.0 HBC:UP RTT:1 I:0 SI:3527750
    Remote: R:SECONDARY S:OFFLINE/INSTALL CS:NONE P:0.0 HBC:UP RTT:1 I:12921 SI:32721246

    Please help with how this issue can be resolved.



    ------------------------------
    Jaswinder Singh
    ------------------------------



  • 4.  RE: EXTERNAL STORAGE

    Posted Sat September 24, 2022 08:50 AM
    We were talking about a standard failover cluster with shared storage, so that would be a single LUN on the FC-attached SAN storage where the /store partition would be mounted, and in case a failure of the primary (active) host occurs the secondary (passive) host would take over and automatically mount the /store partition on the FC-attached LUN (see Offboard storage requirements for HA). In the Offboard storage guide that was referenced above, in the section dedicated to moving /store to FC, you can also find this sentence: "To use multipath Fibre Channel storage in a high-availability (HA) environment, you must configure the primary HA host and the secondary HA host to use the same storage partition."
    Now, for any solution to be supported you need to work with your IBM architect.
    That said, it is not possible for me to resolve this in this way (I do not know all the components you have or particularities of the systems you have). I can only give a few comments:
    - I heard a few years ago a comment from someone who was close to development in a similar matter, and the message was that if shared storage must be used then you should enable access to this secondary volume outside of VMware (so either by SCSI connectivity or dedicated/emulated FC controller). This is generally in line with what Red Hat says for cluster shared storage config in support for RHEL HA cluster with VM members.
    - When using ext. SAN storage then you need to count-in also multipathing; I recall some time ago (in non-QRadar implementation) that the multipath config we could use within VMware differed from what the storage vendor supported - which created problems in device mapping.
    - Wondering what's the case behind using two QRadar VMs on a single host for HA?
    - In your case I would probably go back to the beginning and follow the steps from the guide for FC storage attachment and moving the /store to ext. LUN; also, I think consulting Red Hat documentation regarding HA clustering and ext. storage could help.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
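
The requirement quoted above, that the primary and secondary HA hosts use the same storage partition, can be checked before joining the hosts to HA by comparing the disk identifiers each one sees. This is an added example, not part of the thread or of IBM's guides; it assumes each host exposes `wwn-0x...` links under /dev/disk/by-id/, and the listings and WWN values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): all disk identifiers below are constructed.
LC_ALL=C; export LC_ALL

# Whole-disk WWN names (wwn-0x...) from a saved `ls -l /dev/disk/by-id/` listing.
# Partition links (wwn-...-part1) are skipped so each LUN is counted once.
list_wwns() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^wwn-0x[0-9a-fA-F]+$/) print tolower($i) }' "$1" | sort -u
}

# WWNs that appear in both listings, one per line.
shared_wwns() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    list_wwns "$1" > "$_a"
    list_wwns "$2" > "$_b"
    comm -12 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Exit status 0 only when exactly one LUN is common to both hosts.
check_single_shared_lun() {
    n=$(shared_wwns "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed listing for the primary host: local disk plus one SAN LUN.
cat > "$WORK/primary.txt" <<'EOF'
lrwxrwxrwx 1 root root  9 Jan  1 00:00 wwn-0x5000c500aaaa0001 -> ../../sda
lrwxrwxrwx 1 root root 10 Jan  1 00:00 wwn-0x5000c500aaaa0001-part1 -> ../../sda1
lrwxrwxrwx 1 root root  9 Jan  1 00:00 wwn-0x600a0b80cccc0003 -> ../../sdb
EOF

# Constructed listing for the secondary host: different local disk, same SAN LUN.
cat > "$WORK/secondary.txt" <<'EOF'
lrwxrwxrwx 1 root root  9 Jan  1 00:00 wwn-0x5000c500bbbb0002 -> ../../sda
lrwxrwxrwx 1 root root  9 Jan  1 00:00 wwn-0x600A0B80CCCC0003 -> ../../sdc
EOF

shared_wwns "$WORK/primary.txt" "$WORK/secondary.txt"
```

On real hosts, save `ls -l /dev/disk/by-id/` from each machine to a file and pass the two files to `check_single_shared_lun`; an empty result from `shared_wwns` means the two hosts are not presented with the same LUN.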



  • 5.  RE: EXTERNAL STORAGE

    Posted Sun June 18, 2023 08:54 AM

    Hello Alex and Jaswinder,

    Did the above Arch work for you or not?

    Shared storage in VMware environment.

    Thanks



    ------------------------------
    M R
    ------------------------------