IBM Security QRadar

QRadar /store disk expansion

  • 1.  QRadar /store disk expansion

    Posted Tue April 09, 2024 07:42 PM

    Hello,

    I have a QRadar setup with Master Console, AppHost, and a couple of EPs running the 7.5 version of the code. On the Event Processor, the disk is running out of space for the /store partition. This is deployed on a VMware environment.

    Could someone please let me know the procedure to increase the disk partition by attaching another disk?

    Regards,

    Umamaheshwar



    ------------------------------
    Umamaheshwara Manekar
    ------------------------------


  • 2.  RE: QRadar /store disk expansion

    Posted Wed April 10, 2024 02:18 AM

    I suppose the standard LVM extension method is still not officially supported by IBM; however, this is the standard method for QROC (QRadar on Cloud) and it is working perfectly. So, just google 'Extend LVM' and you'll find the solution on many sites. I have a document somewhere with all the steps required to extend /store by adding new disks; if I find it and no one else posts something similar, I'll add it here. But again, this is just Linux, so use standard tools.



    ------------------------------
    László Pál
    ------------------------------



  • 3.  RE: QRadar /store disk expansion

    Posted Wed April 10, 2024 07:11 AM

    Hi

    The use of LVM to resize a disk in QRadar is not supported. This can lead to data loss.

    https://www.ibm.com/support/pages/does-qradar-support-lvm-file-system-storage-expansion

    The methods listed in the above link should be used if additional space is required.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 4.  RE: QRadar /store disk expansion

    Posted Wed April 10, 2024 09:12 AM

    As I said, it is not 'officially' supported; however, this is the 'official method' for QROC, which is basically the same as on-premise. Also, we have used this method for years and we never experienced any data loss.

     

    L:

     

    Unless stated otherwise above:
    Kyndryl Hungary Korlátolt Felelősségű Társaság / Kyndryl Hungary Llc
    8000 Székesfehérvár, Berényi út 72-100. 35. ép
    Cg.07-09-031714 - registering court: Székesfehérvári Törvényszék Cégbírósága





  • 5.  RE: QRadar /store disk expansion

    Posted Wed April 10, 2024 09:18 AM

    QRoC adds datanodes when space is required.



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 6.  RE: QRadar /store disk expansion

    Posted Wed April 10, 2024 09:25 AM

    I see. So what do you think is the proper solution for migrating 40+ TB of data from a HW appliance to a VA environment if the ESX guys are screaming due to huge disks? I also asked support about this, but I'm always checking community experience as well 😊

     

    Thank you

    L:






  • 7.  RE: QRadar /store disk expansion

    Posted Thu April 11, 2024 03:02 AM

    Hello, there's a long-running RFE filed on the ideas portal which describes the need for LVM support: https://ibmsecurity.ideas.ibm.com/ideas/SIEMCORE-I-3299

    Please have a look at it and vote for it. Thx



    ------------------------------
    Kammerstetter Bernhard
    IBM
    (431) 211-4533 x92
    ------------------------------