IBM QRadar


HowTo: Qradar CE 7.3.3 v1.0 GA to Azure image


    Posted Wed December 30, 2020 02:09 PM

    I wrote this so community users who would like to use QRadar CE on Azure can skip some of the hurdles I encountered.
    I went into this adventure thinking I would be done in a few hours, but the few issues/details I encountered slowed the process a bit. It finally paid off.


    1. Getting the source:
    --

    So this is quite trivial:
    - download the OVA,
    - rename it to .tar,
    - extract the vmdk file from the package.

    The extracted image will be our working tool.


    2. Preparing for Hyper-V
    --

    - Since Azure does not support vmdk, the file will need to be converted.

    - I used qemu-img to quickly convert the file to a vhdx file (if you plan to modify it with Hyper-V).
    If you modify the original image beforehand, in VMware for example, then you can merge steps one and two and go straight from vmdk to vpc.
    Note: the fixed vpc disk format will bring the file to ~250 GB, so you might want to think about that before you upload it to Azure.

    There are other tools to convert the images, but the quickest/cleanest way I found was to use qemu-img.
    The conversion was done in two steps:
    - First: vmdk -> vhdx, for size and to do some tests, and
    - Second: from the final vhdx to vhd (vpc) before uploading it to Azure via Azure Storage Explorer.
    Commands:
    First conversion: qemu-img.exe convert -o subformat=fixed -f vmdk -O vhdx QCE-jan22-disk1.vmdk QCE-jan22-disk1.vhdx
    <image manipulation for hyper-v>
    Second conversion: qemu-img convert -o subformat=fixed -f vhdx -O vpc QCE-jan22-disk1.vhdx QCE-jan22-disk1-vpc.vhd


    3. Booting in Hyper-V

    (Some of those steps could probably be done in VMware beforehand, as long as the required steps are done before the disk conversion.)
    --

    So we have a vhdx; now let's boot it in Hyper-V (create a machine with enough RAM for setup if you want to test it locally, after making a copy of the good Hyper-V source image).

    Some users might have found out that there is an issue and will end up in a dracut shell after some patience (or I was just unlucky).

    Since we need to "modify" some settings for Azure, let's boot into rescue mode (which should work in Hyper-V) and add the requirements from the Azure page to the image.
    (I must admit I did many test runs to get all the details right.)
    Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-centos#centos-70

    The only difference is that the QRadar CE image ships with two kernels, and using the bare instructions
    it will not boot the default kernel (3.10.0-1062.4.1) needed for the setup to run correctly.

    So at step 10, for that image there are missing drivers: scsi_tgt and scsi_transport_fc.
    So the drivers added to the dracut configuration file should be the following:
    -> add_drivers+=" scsi_tgt scsi_transport_fc hv_vmbus hv_netvsc hv_storvsc "

    Also, for the execution of the dracut command, make sure to use the following arguments to rebuild all images:
    dracut --no-hostonly --verbose --force --regenerate-all

    Once the initrd images were reconfigured and grub was configured, I rebooted the VM to make sure it was working fine with the good kernel.

    From there, and after a few tests on Azure, I figured we really needed to install the Azure Agent; otherwise the setup was a bit too glitchy to my liking, and I am sure it could have had long-term effects.

    To install the Azure Linux Agent:
    configure temporary networking
    - configure eth0 with /etc/sysconfig/network-scripts/ifcfg-eth0 (depending on your setup)
    - add a nameserver (e.g. 8.8.8.8) to resolv.conf
    install wget
    install pip
    - wget https://bootstrap.pypa.io/get-pip.py
    - python get-pip.py
    install the Azure Agent
    Ref: https://github.com/Azure/WALinuxAgent/releases
    - wget https://github.com/Azure/WALinuxAgent/archive/pre-v2.2.53.zip
    - unzip pre-v2.2.53.zip
    - cd WALinuxAgent-pre-v2.2.53
    - python setup.py install

    Restore /etc/sysconfig/network-scripts/ifcfg-eth0 according to the procedure.
    Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-centos#centos-70


    I encountered some issues, so in the waagent.conf file I disabled the ResourceDisk.Format option.
    The issues I encountered could have come from networking, but they were related to DVD mounting, hence I set resource format to n in case it was a side effect.

    # check for agent provisioning disabling (/etc/waagent.conf)
    ResourceDisk.Format=n

    (Step 11 from the Azure procedure)
    systemctl enable waagent

    When everything is done (step 13 from the procedure; make sure, because it will remove the root password from the image):
    waagent -force -deprovision

    # It's always possible to boot back into single-user mode in Hyper-V, for example, to fix stuff, but be sure you review the reference a few times before you upload your image.
    Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-centos#centos-70

    When the VM is shut down, the final disk conversion can take place (to the fixed vpc format), and the resulting image should be ready to upload to a storage blob.


    4. Azure

    --
    - With the modified VHD (vpc): if you do not have one, you will need to create a storage account and store the vhd in a blob container.
    - Using that blob information, you will create a custom image, and using that source you should be able to spawn custom VM instances of QRadar CE on Azure.
    - Each instance will need internet access for the install process (which will take a while).

    5. QRadar

    --
    - I would suggest rebooting the system once it is provisioned for the first time so it will get the FQDN hostname required for the setup; otherwise the first setup will fail.
    - I would also recommend running the setup in a screen session, in case the network connection dies in the middle of the install and you have to start over.
    - sudo to root and run ~/setup


    If someone wants to try the vpc image I made, drop me a comment and I will share it.
    Feel free to comment and adjust any of the above statements.

    Happy Qradar in the Cloud.



    ------------------------------
    Eric Lauzon
    ------------------------------
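As an added example, not part of Eric's post or of any IBM or Microsoft tooling, here is the image-preparation work from sections 2 and 3 above (the dracut add_drivers line, the initramfs rebuild and a check that the Hyper-V drivers really landed in it, the ResourceDisk.Format edit, and the two qemu-img conversions) as a set of shell functions. Everything not stated in the post is an assumption: the drop-in path /etc/dracut.conf.d/azure.conf, the function names, the use of lsinitrd to inspect the rebuilt initramfs, and the --apply flag. The grub, ifcfg-eth0 and agent-install steps are deliberately left to the referenced Azure CentOS 7 guide.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the Hyper-V/Azure prep steps of
# sections 2 and 3 as reusable shell functions. Assumes a CentOS 7 based
# QRadar CE guest (dracut, lsinitrd, systemctl, /etc/waagent.conf present)
# and qemu-img on the host. File paths are parameters so the functions can
# be exercised against a scratch directory before touching the real image.
set -eu

# Driver list from the post: the Hyper-V set from the Azure CentOS 7 guide
# plus scsi_tgt and scsi_transport_fc, which the QRadar CE kernel needs.
AZURE_DRIVERS="scsi_tgt scsi_transport_fc hv_vmbus hv_netvsc hv_storvsc"

# Write the add_drivers line as a dracut drop-in (assumed path:
# /etc/dracut.conf.d/azure.conf) instead of editing /etc/dracut.conf in place.
write_dracut_conf() {
  local conf=$1
  printf 'add_drivers+=" %s "\n' "$AZURE_DRIVERS" > "$conf"
}

# Set key=value in a waagent.conf style file: replace the active line if
# present, otherwise append. Commented-out documentation lines are left alone.
set_waagent_option() {
  local conf=$1 key=$2 value=$3 key_re
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # keep dots literal in the regex
  if grep -q "^${key_re}=" "$conf"; then
    sed -i "s|^${key_re}=.*|${key}=${value}|" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# Effective value of a key (last active occurrence); empty if unset.
get_waagent_option() {
  local conf=$1 key=$2 key_re
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
  { grep "^${key_re}=" "$conf" || true; } | tail -n 1 | cut -d= -f2-
}

# The qemu-img conversions used in the post, as a printable command line.
# subformat=fixed is what both the Hyper-V test boot and the Azure upload expect.
qemu_convert_cmd() {
  local from_fmt=$1 to_fmt=$2 src=$3 dst=$4
  printf 'qemu-img convert -o subformat=fixed -f %s -O %s %s %s\n' \
    "$from_fmt" "$to_fmt" "$src" "$dst"
}

# After 'dracut --regenerate-all', confirm an initramfs really contains the
# drivers. Prints the modules that are missing (empty output means all present).
# On CentOS 7 modules are shipped as .ko.xz, so match on "/<name>.ko".
missing_initrd_drivers() {
  local initrd=$1 missing="" listing m
  listing=$(lsinitrd "$initrd" 2>/dev/null || true)
  for m in $AZURE_DRIVERS; do
    printf '%s\n' "$listing" | grep -q "/${m}\.ko" || missing="$missing $m"
  done
  printf '%s\n' "${missing# }"
}

# Run inside the guest (rescue or single-user mode) as root. Grub, ifcfg-eth0
# and the agent install itself still follow the Azure CentOS 7 guide by hand.
apply_azure_prep() {
  local img missing
  write_dracut_conf /etc/dracut.conf.d/azure.conf
  dracut --no-hostonly --verbose --force --regenerate-all   # rebuild for both kernels
  for img in /boot/initramfs-*.img; do
    missing=$(missing_initrd_drivers "$img")
    [ -z "$missing" ] || echo "WARNING: $img lacks: $missing" >&2
  done
  set_waagent_option /etc/waagent.conf ResourceDisk.Format n
  systemctl enable waagent
}

# Only touch the real system when asked explicitly; sourcing is side-effect free.
if [ "${1:-}" = "--apply" ]; then
  apply_azure_prep
fi
```

Source the file to get the functions (for example to print the two qemu_convert_cmd lines on the host), and run it as `./azure-prep.sh --apply` as root inside the guest after the Azure guide's grub and networking edits; the lsinitrd check is the part the post's "ended up in a dracut shell" symptom argues for, since a rebuilt initramfs that silently skipped hv_storvsc boots no better than the original.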