IBM Security QRadar


Appliance Type Change required (HA Appliances)

  • 1.  Appliance Type Change required (HA Appliances)

    Posted Wed April 03, 2019 10:13 AM
    Hi Team,

    I have one query here with regards to Appliance Type Change in a HA environment. Not sure if this is the correct forum to post this query, however here is the scenario and I would need some recommendation here.

    Our current setup has Event Collector/Processors in HA with Appliance Type 1624 which supports 20K EPS, however the license was issued for 35K EPS. Now the appliances show that the appliance is not supported for 35K EPS and it's not utilizing all the allocated EPS, which is causing the events to drop.

    We wanted to change the appliance type now to 1629 so that it would support the 35K EPS. I believe we can only rebuild the system and there is no other option to have the appliance type changed. Can someone suggest the best possible way to address the issue?

    If rebuilding is the possible fix, is there a better way to minimize the downtime during the rebuild of the appliances (they are in HA)? As far as I know, the downtime will be the time taken to rebuild the Primary Server (as it will not help adding the Secondary to deployment unless the Primary is updated to 1629 and added back to deployment, because the events will be forwarded to Virtual IP which is Primary Server IP Address).

    Please suggest.

    ------------------------------
    Thanks and Regards
    David Joshua Edithi
    ------------------------------


  • 2.  RE: Appliance Type Change required (HA Appliances)

    Posted Wed April 03, 2019 10:35 AM
    You can only update the appliance type when you use a new 1629 appliance.






  • 3.  RE: Appliance Type Change required (HA Appliances)

    Posted Thu April 04, 2019 01:39 AM
    Hi @Nico de Smidt

    Thanks for your response. Yes, the existing appliances support 1629 type and I believe the activation key is the one that defines the appliance type during installation. So, ideally we have the box that supports 1629 and if we have the activation key for 1629 this should be possible, right?

    Please correct me if I am wrong. Here, QRadar is a software installation only.

    ------------------------------
    Thanks and Regards
    David Joshua Edithi
    ------------------------------



  • 4.  RE: Appliance Type Change required (HA Appliances)

    Posted Fri April 05, 2019 11:21 AM
    Hi David,

    From my experience, the type is defined during the installation of the node. When you install your QRadar ISO, you select appliance, then Event-Processor. Afterwards, a sort of auto-detect of the hardware is run and defines your system properties such as the type, for instance 1629, your EPS limits, etc. The license doesn't unlock your EPS cap. From what I know, you'll have to upgrade your hardware.

    Maybe IBM support can unlock that cap for you, but you won't be supported anymore.

    In my case, I've migrated all my appliances 3124/1624/1724 to software node installations. The 1624 appliance was limited to 20K, and my system builds, which copied the xx48 hardware, gave me limits of 100K/3.6M per system after the ISO installation. In this migration, I didn't change any licenses, and my caps were upgraded automatically.

    I don't know who told you that you could transform a 1624 appliance into a 1629, but I'm quite sure it's not something we can normally do. The seller wasn't supposed to sell you 35K EPS for a 1624 appliance. Something's wrong here?

    I have some old xx24 appliances, I could try reinstalling from scratch and see if it's possible to force another type, but I doubt it. What QRadar version are you running right now?

    ------------------------------
    Anthony Gayadeen
    ------------------------------



  • 5.  RE: Appliance Type Change required (HA Appliances)

    Posted Fri April 05, 2019 12:04 PM
    Hi @Anthony Gayadeen

    Thanks for the details provided.

    The reason I was thinking that we can re-build and change the appliance type to 1629 from 1624 is because we already have similar hardware that is being used as 1629 appliance type. Hence, I was thinking that for the other appliance as well we would re-build and use an activation key for 1629 so that the system would be configured as 1629 and we can utilize the license completely.

    We are running on 7.2.8 Patch 9.

    Also, the 2 appliances we are trying to re-build are in HA. So, can you please suggest the best possible way to re-build these appliances with minimum downtime?


    ------------------------------
    Thanks and Regards
    David Joshua Edithi
    ------------------------------



  • 6.  RE: Appliance Type Change required (HA Appliances)

    Posted Sun April 07, 2019 06:19 AM
    Hi David 
    Could you let me know if you installed QRadar Software on a server which was specced as per 1629, or you bought the appliance pre-installed with QRadar?


    ------------------------------
    Ibrahim Najmi
    ------------------------------



  • 7.  RE: Appliance Type Change required (HA Appliances)

    Posted Sun April 07, 2019 06:38 AM
    Hi @Ibrahim Najmi

    This is a software installation, we have installed QRadar software on a server which has specs that support both 1624 and 1629. Currently the appliance type is 1624, so I want to change the appliance type to 1629.

    Thanks
    David Joshua Edithi

    ------------------------------
    Thanks and Regards
    David Joshua Edithi
    ------------------------------



  • 8.  RE: Appliance Type Change required (HA Appliances)

    Posted Tue April 09, 2019 04:52 PM
    Edited by Anthony Gayadeen Tue April 09, 2019 04:54 PM
    Hi David,

    I think I understand your setup. You provided your own servers, but installed QRadar as an appliance on them. That's why you're talking about types. Although, you should select "Software Install" when you bring your own devices (check attached image). Your setup is not conventional, and might be a problem. I'm not even sure if IBM supports this setup. The only case where you need to select appliance on a bring-your-own server is for the HA secondary node, which requires the appliance type 500 to work correctly in your HA cluster. Otherwise, you should always pick "software install" when you provide your own equipment.

    Anyways, to answer your question which is reinstalling with the smallest downtime and maxing out your license to 40K EPS, here's how I would do it.

    My suggestion, which I know would work, but would reverse primary and secondary, is:
    1. Delete your secondary HA node;
    2. Reinstall QRadar as software and select event processor (which includes EC);
    3. Migrate primary event processor to this new node (20-30min collection downtime);
    4. Reinstall QRadar as appliance type 500 on the old primary;
    5. Add the HA node, and you're done.

    To keep the primary and secondary as-is, maybe you could transfer the service to the secondary. Then reinstall QRadar as software on it. Afterwards, migrate the secondary to the new primary. Reinstall the secondary in a type 500 and re-create the HA cluster. I'm not sure it would work, but downtime would be the same. This is not a standard/documented way, so it may or may not work. It might also create deployment issues in your setup.

    The best possible way with only 10-20min downtime overall would be to do it in HA recovery mode. Reinstalling one server at a time and bringing it back in the cluster. However, since the installation on each will change, I'm not sure it will work. It's quite risky. I don't have enough experience rebuilding HA nodes, since it never happened to me before, so I wouldn't bet my money on this option.

    Before doing any of this, you should contact support and ask them if it's possible to change the type in the database and/or reissue you a new license. It may be simpler than we think ;)

    Regards,

    ------------------------------
    Anthony Gayadeen
    ------------------------------



  • 9.  RE: Appliance Type Change required (HA Appliances)

    Posted Wed April 10, 2019 03:44 AM
    Hello,
    I deployed a host and it was successfully deployed, but I can't see it under the system and license management, neither can I see its log activities. What could be the matter?





  • 10.  RE: Appliance Type Change required (HA Appliances)

    Posted Wed April 17, 2019 04:05 AM
    Hi @Anthony Gayadeen

    Thanks for the detailed suggestion. For the Secondary appliance we have actually tried to perform the first suggested way: rebuild the secondary appliance with the activation key of 1629. However, it gave us an error when we entered the activation key, saying that the activation key is invalid and the 1629 activation is not supported on the hardware.

    However, all our hardware components are of the same model, size and other components and we have a 1629 appliance type system running already on the same hardware on a different deployment (Production and DR). Not sure what could be the issue here.

    ------------------------------
    Thanks and Regards
    David Joshua Edithi
    ------------------------------



  • 11.  RE: Appliance Type Change required (HA Appliances)

    Posted Wed April 17, 2019 02:00 PM
    Hi David,
    The last time we installed a 7.2.8 version was many years ago, and I can't remember if the license was mandatory during the factory installation, so you may be able to fully install the application without it... maybe. On 7.3+, you don't need the license to install the node. The licensing has considerably changed from 7.2.8 to 7.3+, so it might not work on your version.

    Like I mentioned, your QRadar setup is not standard. Normally, IBM is supposed to provide a software node license when you provide your own servers (even if your servers are exactly like theirs). From what you're saying, they sold you the 1629 appliance license for your own server. This means that they will support your hardware, since it's an appliance type. Unless IBM has a special package for your case, this is a mistake.

    Back to your issue… Can you tell us step by step how you tried to rebuild your server and what's the error you're getting?

    ------------------------------
    Anthony Gayadeen
    Security Analyst
    Videotron
    QC
    ------------------------------