Bookmarks - wr0ng.name (Shaarli feed of shared links, https://links.wr0ng.name/, last updated 2020-09-28)

- QRadar: Verifying HA crossover connections with qradar_nettune.pl [https://links.wr0ng.name/?mVTcDQ, 2020-02-03]
- QRadar: Using ThreadTop to determine QRadar process load [https://links.wr0ng.name/?PFfiCg, 2019-10-30]
- QRadar: How to monitor percentage of memory that is used by a process [https://links.wr0ng.name/?4YRH_g, 2019-10-30]
- QRadar: Impact of Deploy Full Configuration on events, flows, and offenses [https://links.wr0ng.name/?BoqWLw, 2019-09-24]
- Home - QRadar 101 [https://links.wr0ng.name/?tIXhTA, 2019-09-24]
- Event Processing Pipeline [https://links.wr0ng.name/?QziRng, 2019-09-24]
- How to write a JSON keypath expression [https://links.wr0ng.name/?kbJh9A, 2019-09-24]
- IBM Security Learning Services [https://links.wr0ng.name/?V8mmIg, 2019-07-22]
- IBM QRadar Technote Index [https://links.wr0ng.name/?Z1NBAw, 2019-07-17]
- QRadar Threat Intelligence app [https://links.wr0ng.name/?hewNWA, 2019-07-16]
  When you install the app, a Threat Intelligence icon is added to the QRadar Admin tab. Click this icon to open the Threat Intelligence window.
- Parsing issues and examples [https://links.wr0ng.name/?N5phLA, 2019-07-15]
- Creating a log source extensions document to get data into QRadar [https://links.wr0ng.name/?-D_9Qg, 2019-07-15]
- Changes in Traffic Analysis in 7.3.1 | www.robertrojek.pl [https://links.wr0ng.name/?Dg4ulQ, 2019-07-15]
- Creating a Custom DSM - QRadar App Development [https://links.wr0ng.name/?HlOxjQ, 2019-07-15]
- Secure Engineering & Your QRadar App - QRadar App Development [https://links.wr0ng.name/?0UNYkg, 2019-07-15]
- IBM QRadar Event and Flow Burst Handling (Buffer) [https://links.wr0ng.name/?2JETUA, 2019-07-15]
- Knowledge - QRadar 101 [https://links.wr0ng.name/?FAuaoQ, 2019-07-15]
- IBM QRadar: How to Modify Event Formats using Syslog, Forwarding, and Routing Rules [https://links.wr0ng.name/?x-tB1w, 2019-07-15]
- IBM QRadar: Software update checklist for administrators [https://links.wr0ng.name/?Bk9LCw, 2019-07-15]
- Restore QRadar configurations and data [https://links.wr0ng.name/?TOrLow, 2019-07-15]
- Learning by practicing: QRadar High Availability (HA) considerations and tips [https://links.wr0ng.name/?_iDKtA, 2019-07-12]
1. HA Overview
- Uses primary and secondary HA hosts
- Uses virtual IPs
- Network connectivity is tested via heartbeat (pings) to all managed hosts
- HA can be configured for either the console or a managed host
- Both devices must have the same versions of the software
- Both devices must support the same DSM, scanner and protocol RPMs
- Uses data synchronization or shared external storage
- Consistency is maintained locally by using Distributed Replicated Block Device (DRBD)
- If using external storage, data consistency is maintained through iSCSI or Fibre Channel
- Data is synchronized in real time
- Note: the asset profiler can impact DRBD speed
- The "/store" partition on the primary is automatically replicated to the secondary host
- Ensure a minimum of 1 Gbps between primary and secondary HA hosts
- Initial synchronization can take greater than 24 hours
This may be an understatement. I've seen initial synchronization take upwards of 72 hours.
- Secondary host goes into "standby" after synchronization
- Primary HA host's status becomes "offline" when restored after a failover
- Primary needs to be placed "online" before it becomes active
- Disk replication is enabled while the primary is "offline"
- Post-failover disk synchronization is faster
- Basically uses deltas
- When the primary host is restored, only the data collected by the secondary during the period the primary was unavailable is synchronized
- Replacing or reformatting the disk on the primary can result in a longer synchronization time in the event of a failback
IP Considerations
- Uses virtual IPs
- Needs 3 IP addresses: VIP, primary and secondary
- The IP address initially configured on the primary host is automatically made the cluster VIP
- A new IP will need to be assigned to the primary once HA configuration is started
- Primary host can act as a standby for the secondary
- VIP is used by the host that has a status of active
- All IPs must be in the same subnet
- Latency must be less than 2 ms for traffic crossing the WAN
HA Wizard
- Used to configure primary, secondary and cluster VIP
- Verifies the secondary has a valid HA activation key
- Verifies the secondary is not part of an existing HA cluster
- Verifies the software version is the same on both devices
- Verifies external storage (if configured) on the primary and then the secondary
- Verifies both support the same DSM, scanner and protocol RPMs
Failover scenarios
- Power supply failure
- Network failure (detected by connectivity tests)
- OS malfunction that delays or stops heartbeat tests
- RAID failure
- Manual failover
- Management interface failure on the primary host
- Primary does not take back its role as primary in the case of a failover
- Secondary stays as primary while the primary acts as standby
- Primary must be switched to "active" to take over its role
- No failover for software errors or disk capacity issues
- If both primary and secondary are unable to ping a managed host, no failover occurs
- If the primary cannot but the secondary can ping a managed host, failover occurs
HA Failover event sequence
- File systems are mounted
- Management interface alias is created (eth0 becomes eth0:0)
- VIP is assigned to the alias
- QRadar services are started
- Secondary connects to the console and downloads configuration files
Tips for manual synchronization
- Ensure primary and secondary hosts are synchronized
- Secondary must be in standby
- Set the secondary to offline and power off the primary
- DO NOT MANUALLY FORCE FAILOVER DURING PATCHES OR SOFTWARE UPGRADES
2. HA Planning
- File systems on both devices must match (ext3, etc.)
- Secondary's "/store" partition must be equal to or greater than the primary's
- Both devices should have the same number of interfaces
- Both must use the same management interface
- Only 1 VIP
- Port 7789 is needed for Distributed Replicated Block Device (DRBD)
- DRBD traffic is bidirectional
- Disk replication ensures software updates are applied to the secondary
- Ensure the host has a valid activation key
3. HA Management
- Uses the System and License Management window to:
  - Monitor HA
  - Force failover
  - Disconnect cluster
  - Modify cluster settings
  - Modify heartbeat interval
- Place the device in "offline" mode before maintenance
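As an added example (not code from the bookmarked post), a small POSIX shell pre-flight script that checks three of the planning constraints above: matching software versions, a secondary /store at least as large as the primary's, and crossover latency under 2 ms parsed from a ping summary line. The version strings, partition sizes and ping line are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bookmarked notes): HA pre-flight checks for the
# planning constraints listed above. Input values are gathered by the caller;
# the samples at the bottom are constructed, not taken from a real deployment.

WAN_LATENCY_MAX_MS=2   # crossover latency must be under 2 ms

# Pull the average RTT (ms) out of a ping summary line such as
# "rtt min/avg/max/mdev = 0.412/0.587/0.903/0.122 ms"; prints nothing otherwise.
ping_avg_ms() {
    printf '%s\n' "$1" | sed -n 's#.*= [^/]*/\([^/]*\)/.*#\1#p'
}

# Succeeds only when a summary was found and the average RTT is below the limit.
latency_ok() {
    avg=$(ping_avg_ms "$1")
    [ -n "$avg" ] || return 1
    awk -v a="$avg" -v m="$WAN_LATENCY_MAX_MS" 'BEGIN { exit (a < m) ? 0 : 1 }'
}

# Secondary /store (KB) must be equal to or larger than the primary's (KB).
store_size_ok() {
    [ "$2" -ge "$1" ]
}

# Both hosts must run the same software version string.
version_ok() {
    [ "$1" = "$2" ]
}

# Runs every check, reports each failure, and returns the failure count.
# Args: primary_ver secondary_ver primary_store_kb secondary_store_kb ping_line
ha_preflight() {
    fails=0
    version_ok "$1" "$2" || { echo "FAIL: version mismatch: $1 vs $2"; fails=$((fails + 1)); }
    store_size_ok "$3" "$4" || { echo "FAIL: secondary /store ($4 KB) smaller than primary ($3 KB)"; fails=$((fails + 1)); }
    latency_ok "$5" || { echo "FAIL: crossover latency not under ${WAN_LATENCY_MAX_MS} ms"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample inputs (hypothetical version strings and sizes).
PRIMARY_VER="7.3.2.20190709"
SECONDARY_VER="7.3.2.20190709"
PRIMARY_STORE_KB=1073741824
SECONDARY_STORE_KB=1073741824
PING_LINE="rtt min/avg/max/mdev = 0.412/0.587/0.903/0.122 ms"
ha_preflight "$PRIMARY_VER" "$SECONDARY_VER" "$PRIMARY_STORE_KB" "$SECONDARY_STORE_KB" "$PING_LINE" \
    && echo "all HA pre-flight checks passed"
```

On real hosts, feed the script the output of the version and disk-size commands from each appliance and the summary line of a ping across the crossover link; a non-zero return value is the number of constraints that failed.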
- IBM Master Firmware Version List for QRadar Appliances (Updated) [https://links.wr0ng.name/?05AnPg, 2019-07-12]
- IBM How to Find QRadar Known Issues and Defects? [https://links.wr0ng.name/?S1cDoA, 2019-07-12]
- IBM QRadar: Impact of Deploy Full Configuration on events, flows, and offenses [https://links.wr0ng.name/?2gsJCQ, 2019-07-12]
- IBM QRadar: What is the difference between "Deploy Changes" and "Deploy Full Configuration"? [https://links.wr0ng.name/?x_XTjg, 2019-07-12]
- IBM QRadar: Determine physical specifications of QRadar appliances [https://links.wr0ng.name/?wCPDww, 2019-07-12]
- www.robertrojek.pl [https://links.wr0ng.name/?t2nCBg, 2019-07-12]
- IBM QRadar: Versions of the DSA utility required for my QRadar Appliance [https://links.wr0ng.name/?RX08Uw, 2019-07-12]
- IBM QRadar: HA synchronization progress resets to 0% [https://links.wr0ng.name/?t8EJTA, 2019-07-12]
- IBM QRadar: HA failovers [https://links.wr0ng.name/?Gi9Swg, 2019-07-12]
- Event categories [https://links.wr0ng.name/?cmk40A, 2019-07-12]
- IBM QRadar: Verifying HA crossover connections [https://links.wr0ng.name/?R_nUgw, 2019-07-12]
- Modifying event mapping [https://links.wr0ng.name/?C9-8zQ, 2019-07-12]
- Guilherme Ornellas | IT, Compliance, Network, Security [https://links.wr0ng.name/?XgZUeg, 2019-07-09]
- QRadar Upgrade Guide [https://links.wr0ng.name/?Bq-sfw, 2019-07-09]
- Example: Asset exclusion rules that are tuned to exclude IP addresses from the blacklist [https://links.wr0ng.name/?VieE2g, 2019-07-09]
- IBM QRadar: Troubleshooting Pipeline NATIVE_To_MPC messages on Console only [https://links.wr0ng.name/?31KWsg, 2019-07-09]
- IBM QRadar: List of Open Mic events and presentations (Updated) - France [https://links.wr0ng.name/?SumRMQ, 2019-07-09]
- IBM QRadar: High Availability appliances and Rsync [https://links.wr0ng.name/?93DBLg, 2019-07-09]
- IBM QRadar: High Availability (HA) Peer data replication [https://links.wr0ng.name/?lAW5kw, 2019-07-09]
- Logged actions [https://links.wr0ng.name/?oa-Ohg, 2019-07-09]
  The following list describes the categories of actions that are in the audit log file.
- Creating a custom column layout [https://links.wr0ng.name/?BUHlhQ, 2019-07-09]
- develop an app with Qradar App Editor - YouTube [https://links.wr0ng.name/?QhYDjg, 2017-06-23]
- GitHub - ibm-security-intelligence/api-samples: Sample code that uses the QRadar APIs [https://links.wr0ng.name/?od_VGA, 2017-04-26]
- IBM X-Force Exchange [https://links.wr0ng.name/?0zhHig, 2017-04-14]
  Introducing threat feed manager: you can now view external sources of threat intelligence within XFE.
- IBM Security App Exchange [https://links.wr0ng.name/?Wep4Fw, 2017-04-14]
  Browse, download, use. QRadar extensions verified for better security.
- IBM Knowledge Center - Ariel Query Language [https://links.wr0ng.name/?QEAM4w, 2017-04-14]
- IBM developerWorks : Develop [https://links.wr0ng.name/?FT-VqA, 2017-04-13]
- IBM Security Learning Services [https://links.wr0ng.name/?732f9A, 2017-03-28]