IBM Security QRadar


Event records backup excluding payload

  • 1.  Event records backup excluding payload

    Posted Mon January 25, 2021 04:06 AM
    Hello Experts,

    I backed up event records for the month of July 2020 from /store/ariel/events/records/2020/7 to a remote system.

    I didn't take a backup of the event payloads, which are in /store/ariel/events/payload/2020/7. Do I need to also take a backup of this payload in order to successfully restore my records?

    What is the impact if I only take the event records without the payload?

    Thank You

    ------------------------------
    benjamin Nworah
    ------------------------------


  • 2.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 10:19 AM
    Hello Benjamin,

    If you don't have the payloads, you will not be able to see the raw payloads in Log Activity, Quick Filter/Payload Contains searches will not work, and custom properties will not display and searches involving custom properties won't work.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
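
    The point Colin makes above (records without payloads restore, but the raw payload, Quick Filter/"Payload contains" and custom-property searches stop working) is easy to check for before a copy is trusted. The following script is an added example, not code from the thread or from IBM: it walks a copied records tree and reports every directory that has no counterpart under the payloads tree. The two top-level paths, /store/ariel/events/records and /store/ariel/events/payloads, are the ones named in this thread; the assumption that the payloads tree mirrors the records tree directory-for-directory below the month level is mine, and the sample tree the demo builds is constructed, not real QRadar data.

```shell
#!/bin/sh
# Added example (not from the thread): before trusting a copy of
# /store/ariel/events/records/<year>/<month>, confirm that every directory in
# it has a counterpart under /store/ariel/events/payloads/<year>/<month>.
# Assumption: the payloads tree mirrors the records tree directory-for-directory
# below the month level; the function only compares directory paths.

# check_ariel_backup RECORDS_DIR PAYLOADS_DIR
#   Lists every subdirectory of RECORDS_DIR with no matching directory under
#   PAYLOADS_DIR. Returns 0 when the payload copy is complete, 1 when something
#   is missing, 2 when RECORDS_DIR itself does not exist.
check_ariel_backup() {
    records="$1"
    payloads="$2"
    missing=0
    total=0
    if [ ! -d "$records" ]; then
        echo "records directory not found: $records" >&2
        return 2
    fi
    # A for loop (not find | while) keeps the counters in the current shell.
    # Paths are relative ("./1/0"), so the same string is looked up under payloads.
    for dir in $(cd "$records" && find . -type d | sort); do
        total=$((total + 1))
        if [ ! -d "$payloads/$dir" ]; then
            echo "MISSING payloads for records directory $dir"
            missing=$((missing + 1))
        fi
    done
    echo "checked $total directories, $missing without payloads"
    [ "$missing" -eq 0 ]
}

# make_sample_tree BASE
#   Builds a constructed (not real) ariel-like tree under BASE: three hour
#   directories of records, but payloads copied for only two of them.
make_sample_tree() {
    base="$1"
    for hour in 1/0 1/1 2/0; do
        mkdir -p "$base/records/2020/7/$hour"
        : > "$base/records/2020/7/$hour/ariel.dat"
    done
    for hour in 1/0 1/1; do
        mkdir -p "$base/payloads/2020/7/$hour"
        : > "$base/payloads/2020/7/$hour/ariel.dat"
    done
    mkdir -p "$base/payloads/2020/7/2"   # day directory present, hour 2/0 missing
}

# Demo against the constructed tree; on a real console you would point the
# function at the copied directories instead.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
check_ariel_backup "$demo_dir/records/2020/7" "$demo_dir/payloads/2020/7" \
    || echo "copy the payloads tree as well before restoring"
rm -rf "$demo_dir"
```

    Run it against the destination of the copy (for example `check_ariel_backup /backup/records/2020/7 /backup/payloads/2020/7`) and treat any MISSING line as a reason to re-copy the payloads before attempting a restore. The check is deliberately limited to directory presence; it says nothing about file completeness within an hour directory.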



  • 3.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 10:26 AM
    Hello Colin,

    I have confirmed that on my test lab. Thanks.

    Can you assist with the below, it is urgent.

    I have taken a backup of my event records (including payloads) from /store/ariel/events/records/ and /store/ariel/events/payloads/. I want to upgrade my QRadar from 7.3.3 to 7.4.2. Can I restore the backed-up event records to this upgraded version (7.4.2) and still view my events on the Log Activity tab without any issues?

    Regards

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 4.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 10:47 AM
    Yes, I think that should work fine. We never update ariel files, so on any upgrade the existing files on disk don't get changed; ariel is backwards compatible with older files.

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 11:44 AM
    Hello Colin,

    Thanks for the feedback. I really appreciate.

    One more question. I have a server with RHEL v7.6, and I want to install QRadar on it. Is the ISO file at the link below what I will use, by mounting it on a directory?

    https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Vulnerability+Manager&release=All&platform=All&function=fixId&fixids=7.4.0-QRADAR-QRFULL-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=SAR

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 6.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 01:08 PM
    Hello Benjamin,

    Yes, that's the ISO for installing QRadar 7.4.0.

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 7.  RE: Event records backup excluding payload

    Posted Tue January 26, 2021 02:59 PM
    Hello Colin,

    I am a bit unclear on something.

    I am having an issue with disk space in my environment. I have two options to deploy QRadar, as described below.

    1) I have local disk space of 300GB (above the required 256GB). I want to install the QRadar ISO (7.4.0) as a VM, and attach external storage that I will use to resize /store and all other partitions with LVM. Can this resize be done? Also, does the RHEL that is bundled in the QRadar ISO have the necessary tools to support iSCSI storage?

    2) The other option is to use my own RHEL. I know I have to create partitions with the exact names as stated in the link below. But my concern is this: if, for example, I installed RHEL 7.6 to support the 7.4.0 QRadar ISO, what happens when I want to upgrade my QRadar to, say, version 7.4.2, which supports RHEL v7.8? Will the SFS file upgrade my existing RHEL OS from version 7.6 to 7.8? Also, what is the impact of using this method?

    https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/r_siem_inst_part_guide.html

    In addition, I want to set up this QRadar as a secondary node for HA.

    Thank You.

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 8.  RE: Event records backup excluding payload

    Posted Wed January 27, 2021 08:51 AM
    Generally (once QRadar is up and running) no updates to RHEL aside from the ones coming within the fixpack (.SFS) should be installed. It is expected to find, e.g., kernel updates in the .SFS package, and these would be installed by the update script as well.
    As for LVM, have a look at this technote. Since a VM was mentioned, you could maybe add an additional virtual disk to the VM, and then use the instructions in the Offboard storage guide to mount it to /store or /store/ariel and copy (move) the data from the original to the new location.
    As far as I am aware, iSCSI is supported; additional info should also be available in the Offboard storage guide (of course, care should be taken to have adequate performance and availability on the storage and storage networking side).

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 9.  RE: Event records backup excluding payload

    Posted Wed January 27, 2021 10:05 AM
    Hello Dusan,

    I can see from the Offboard storage guide that for an HA deployment, which is what I want to implement, both primary and secondary have to use the same iSCSI external storage device.

    In my client's environment the primary has local disk storage, and we want to implement a secondary node, but we don't have enough local disk space, so we are using iSCSI external storage for the secondary node to resize the /store directory.

    Will the data in /store on the primary sync with /store on the secondary node?

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 10.  RE: Event records backup excluding payload

    Posted Wed January 27, 2021 10:28 AM
    Not sure if I understood correctly, but I'll try to respond as I see it.
    Generally you have two ways to implement HA: using DRBD (replicates data in the background to the secondary/standby node to maintain data consistency), or as an active-passive cluster using shared storage for the /store partition. In the latter case you have one instance of shared data that should be accessible by both hosts (but only one can have it mounted and actively in use). In QRadar high availability guide 
    So, in your case, you would need to provide iSCSI storage that can be accessed by both QRadar instances, move /store to the external storage (which means the data will not be physically within the QRadar instance) and configure the cluster (HA pair). This way, only one copy of the data will be maintained (hopefully there is enough redundancy in the storage and in the network from the QRadar instances to the storage), but it could be accessed by the initially standby node after failing over.
    I hope this is what you had in mind (this info can also be found in the QRadar high availability guide).

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 11.  RE: Event records backup excluding payload

    Posted Wed January 27, 2021 10:37 AM
    Edited by benlinux Wed January 27, 2021 11:40 AM
    Hello Dusan,

    Thank you for the feedback.

    We have our primary node using a local (physical) disk. I want to set up the secondary node at a different data center, separated by a distance of 50km from the primary node (I have advised the client that failover is not feasible at this distance, but they insist on providing the latency and bandwidth requirement of <2ms and 1Gbps).

    So my secondary node does not have enough physical disk space, so we want to provide external storage to this secondary node to resize /store.

    So my question is this: can I set up HA using DRBD if both hosts are on the same network?

    Regards,

    ------------------------------
    benjamin Nworah
    ------------------------------



  • 12.  RE: Event records backup excluding payload

    Posted Wed January 27, 2021 03:27 PM
    I would personally opt not to do it that way, but that is my personal opinion. To start with, if something happens to the storage you lose both instances. Going one step back: are you looking to build HA or something "almost like DR"?
    If you have something like VMware, it is usually advised to use its HA mechanism (yes, some time is needed to restart the VM on another host, but QRadar HA failover is also not instantaneous); if not, then DRBD would probably be the next option in line (of course, if you provide the needed additional disk space).
    Is what you have between the sites a "private" fiber, or e.g. an MPLS L2 or L3 VPN? Is it shared for multiple purposes, or do you have a separate link for iSCSI and another link for the connection between the primary and secondary node (min. 1Gbps)? All this can have an impact on latency and network performance in reality. For DRBD, it should also be a separate link, min. 1Gbps (and latency has to be <2ms); I would also consider the expected rate of changes when planning. Can you ensure the nodes are on the same subnet for the HA setup?
    When it comes to SAN, iSCSI has noticeable overhead over FC, and performance-wise I would probably opt for 10Gbps if iSCSI is used. In addition, generally you would want to keep the hosts as close to the storage as possible. An unpredictable network could have a big impact on functionality; always keep in mind that this is the connection to the disks, and you do not want surprises there (treat it as if the disks were within the server itself).
    So, generally DRBD can work with geographically separated instances (to a certain point). However, I think you should get more details before you decide on feasibility. I hope the notes here helped (also, do go through the HA guide; there are references there that can help you with planning).

    ------------------------------
    Dusan VIDOVIC
    ------------------------------