IBM QRadar

Hi Community,

Here is a little background of our system. 
We have a pair of Console HA, a pair of EventProcessor HA with 13 EventCollectors pointing at them, and 1 AppHost. 

We are planning to change IP addresses and hostnames for both Console HA and EventProcessor HA. 
Since we cannot afford to have any data loss, here is the approach we are planning,
1. Remove HA of EP, re-install EP-secondary as EP-primary with new IP address and hostname. 
2. Add new EP-primary into deployment, hopefully with settings (re-mapping) of old EP-primary. 
3. Remove old EP-primary, re-install it as new EP-secondary. And then form HA.

We are likely to use the same method for Console HA. 
However, we are facing the issue of re-mapping.
How do we allow the new appliance to inherit old settings in step2? Or do we have to do it manually?
As far as I know, re-mapping is only possible when there is a removed host in the database? 
Since we cannot afford any data loss in the practice, is there a better way to perform such practice? 

Thank you advance for your help!

Philip 

OMG this is tricky.No community answers for 30 days. Little wonder. As I do believe ther should be an answer to any questions inside our wonderful community I will put in a few comments from many years of HA experience.

1st by "remapping " you talk about HA sync right? I wonder how you setup the new primary EP without a secondary EP as a new Managed host. In case you would be successful you still need to point your ECs to the new EP host. Prevent data loss can't be guaranteed. 
2nd the existing configuration must be deployed once you fire up the new Managed host. This will be ok.

3rd the new console will be more difficult to setup as you need to backup an restore your old configuration. The only way to achieve that is running CMT. Depending on your requirements an export and subsequent import of logsource, policy and net hierarchy can be done manually.

Better way? You need more redundancy when setup the new HA environment. That would be true even in a non HA configuration. Then do a Big Bang migration. Start with new console first rather than with new IP. You may use non HA setup to start with and integrate HA later. Remember that IP of primary can't be changed when setting up HA. Or face some data loss. You won't get both. Sorry to say.

BR

Karl

Hi Community,

Here is a little background of our system. 
We have a pair of Console HA, a pair of EventProcessor HA with 13 EventCollectors pointing at them, and 1 AppHost. 

We are planning to change IP addresses and hostnames for both Console HA and EventProcessor HA. 
Since we cannot afford to have any data loss, here is the approach we are planning,
1. Remove HA of EP, re-install EP-secondary as EP-primary with new IP address and hostname. 
2. Add new EP-primary into deployment, hopefully with settings (re-mapping) of old EP-primary. 
3. Remove old EP-primary, re-install it as new EP-secondary. And then form HA.

We are likely to use the same method for Console HA. 
However, we are facing the issue of re-mapping.
How do we allow the new appliance to inherit old settings in step2? Or do we have to do it manually?
As far as I know, re-mapping is only possible when there is a removed host in the database? 
Since we cannot afford any data loss in the practice, is there a better way to perform such practice? 

Thank you advance for your help!

Hi Karl,

Thank you for the information. I should have clarified it with more details. 

By "re-mapping" I mean, when you add host on web GUI, a window prompt (on the final step) would ask you if it is a removed ManagedHost in which you can select the old settings you want to apply to the newly added ManagedHost. 

However, I have noticed that the approach probably won't be possible as the old EP-primary has not been removed yet. The new EP-primary (newly installed on old EP-secondary) cannot inherit the settings when old EP-primary is currently in the deployment. 

I am now wondering what the best practice would be. IBM documents describe how to replace a Console with or without changing the IP address, but they do not describe the scenario where you need to change the hostname too. As there are quite a number of ManagedHosts in the deployment, we are trying to avoid removing all 16 ManagedHosts just to run # qchange_netsetup. 

Thank you.

Best regards,

Philip

Philip 

OMG this is tricky.No community answers for 30 days. Little wonder. As I do believe ther should be an answer to any questions inside our wonderful community I will put in a few comments from many years of HA experience.

1st by "remapping " you talk about HA sync right? I wonder how you setup the new primary EP without a secondary EP as a new Managed host. In case you would be successful you still need to point your ECs to the new EP host. Prevent data loss can't be guaranteed. 
2nd the existing configuration must be deployed once you fire up the new Managed host. This will be ok.

3rd the new console will be more difficult to setup as you need to backup an restore your old configuration. The only way to achieve that is running CMT. Depending on your requirements an export and subsequent import of logsource, policy and net hierarchy can be done manually.

Better way? You need more redundancy when setup the new HA environment. That would be true even in a non HA configuration. Then do a Big Bang migration. Start with new console first rather than with new IP. You may use non HA setup to start with and integrate HA later. Remember that IP of primary can't be changed when setting up HA. Or face some data loss. You won't get both. Sorry to say.

BR

Karl

Hi Community,

Here is a little background of our system. 
We have a pair of Console HA, a pair of EventProcessor HA with 13 EventCollectors pointing at them, and 1 AppHost. 

We are planning to change IP addresses and hostnames for both Console HA and EventProcessor HA. 
Since we cannot afford to have any data loss, here is the approach we are planning,
1. Remove HA of EP, re-install EP-secondary as EP-primary with new IP address and hostname. 
2. Add new EP-primary into deployment, hopefully with settings (re-mapping) of old EP-primary. 
3. Remove old EP-primary, re-install it as new EP-secondary. And then form HA.

We are likely to use the same method for Console HA. 
However, we are facing the issue of re-mapping.
How do we allow the new appliance to inherit old settings in step2? Or do we have to do it manually?
As far as I know, re-mapping is only possible when there is a removed host in the database? 
Since we cannot afford any data loss in the practice, is there a better way to perform such practice? 

Thank you advance for your help!