If you are talking about an All-in-One Console, then all services are down while a software update is in process and no event collection can occur. If you have a distributed deployment, you can upgrade the Console, then upgrade boxes selectively as you load balance Syslog events. Syslog log sources are cloned across all appliances, so you can load balance to another Event Collector or Event Processor that is not being upgraded.
This process allows the ecs-ec-ingress service to continue to listen for Syslog events, while other appliances are being upgraded.
A typical upgrade route for administrators is to upgrade the QRadar Console using the SFS file to confirm it completes successfully.
- Upgrade the QRadar Console and ensure it completes successfully.
- If you have multiple Event Collectors/Processors, then you can update those as needed and redirect log sources or load balance Syslog events to boxes that are not being upgraded.
- Wait for some appliances to complete, then load balance to appliances that have completed their update. It typically takes around 30-45 minutes to upgrade a managed host. A Console takes 45 minutes to 1 hour.
In short, no processes are running while an individual appliance is being upgraded. Either you can upgrade the Console, then do all other appliances in parallel to shorten the upgrade window, or you can selectively upgrade and redirect Syslog events in your network to appliances that have not started their upgrade yet. Any event EPS overages will write to the 5GB spillover queue on each appliance receiving events while others are being upgraded. The spillover/burst queue can hold approximately 10 million events, depending on the payload size.
#QRadar #Support #SupportMigration
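An added example of how a sending host can redirect its Syslog events away from an appliance that is being upgraded, as the post describes; this is illustration, not configuration from the post or from IBM. It is an rsyslog (RainerScript) forwarding rule that sends to a primary Event Collector and falls back to a second collector, then to a local file, only while the preceding target is unreachable. Hostnames, ports and the buffer file path are assumed placeholders.

```rsyslog
# Added example: rsyslog failover forwarding to QRadar collectors.
# Hostnames, ports and file names are placeholders, not values from the post.

# Primary Event Collector. resumeRetryCount="-1" retries indefinitely; while the
# collector is down (e.g. during its upgrade) this action is marked suspended.
# No dedicated action queue is attached here on purpose: failover below relies on
# the suspended state being visible to the next action.
action(type="omfwd"
       target="ec-primary.example.internal" port="514" protocol="tcp"
       action.resumeRetryCount="-1" action.resumeInterval="30")

# Secondary Event Collector, one that is not being upgraded at the same time.
# execOnlyWhenPreviousIsSuspended="on": used only while the primary is suspended,
# so events are not duplicated during normal operation.
action(type="omfwd"
       target="ec-secondary.example.internal" port="514" protocol="tcp"
       action.execOnlyWhenPreviousIsSuspended="on"
       action.resumeRetryCount="-1" action.resumeInterval="30")

# Last resort: buffer to a local file if both collectors are unreachable,
# so events can be replayed after the upgrade window.
action(type="omfile"
       file="/var/log/qradar_failover_buffer.log"
       action.execOnlyWhenPreviousIsSuspended="on")
```

Switch the primary and secondary targets on the sending hosts when the other collector's upgrade turn comes, then restore the original order once all appliances are back.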