Denver QRadar User Group

Installing QRadar Community Edition v7.3

By Chris Schulz posted Sun July 08, 2018 05:18 PM

  

So after a lot of trial and error I got QRadar Community Edition installed, and the install guide is correct. The catch is that the guide is out of date and CentOS has moved on, causing issues with dependencies during setup. All of this makes sense once it clicks and you know what's going on, but it took me a while to get there. So I'm going to pull together the steps that worked with some explanation.

 

First you have to get the right OS installed, and as the guide states you have to have a minimal install of CentOS 7.3.

Again the catch is that this ISO is no longer available for direct download and once you have it you will have to update some repos so that the QCE install can find the proper version of dependencies that it needs.

 

Get CentOS from the vault, I've included a link here and the ISO file name:

CentOS-7-x86_64-Minimal-1611.iso

 

You may also get package conflicts if you use a full or base install so stick with the minimal install.

You will need a torrent client to download the ISO

 

Once you have the ISO you will need to create a VM, the guide does a nice job of telling you the requirements.

Grab the PDF guide and the QRadar Community edition ISO

QRadarCE7_3_0.GA.iso

 

I used VirtualBox and it seemed to work fine. I also used a dynamic disk so I didn't have to preallocate 80G of disk, and that seemed to work fine as well.

 

Once CentOS 7.3 is installed on VirtualBox or whatever hypervisor you use, we start editing files to get set up for the QCE install.

 

I pulled this next configuration from one of the community forums and it seemed like a good idea since I'm not supporting IPv6 on my VM anyway.

  • Disable IPv6: /etc/sysctl.conf

Add the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

 

You will need to disable SELinux. This step is in the guide but I thought I'd just add it quickly here.

  • Edit /etc/selinux/config

Modify so you have this line

SELINUX=disabled

 

Now we are back to fixing the issues with QCE using an older version of CentOS. The QCE setup script downloads some RPMs and dependencies, and if you don't point the repo files to the vault you will get the wrong versions.

  • Edit CentOS-Base.repo: /etc/yum.repos.d/CentOS-Base.repo

[base]

name=CentOS-$releasever - Base

baseurl=http://vault.centos.org/centos/7.3.1611/os/$basearch/

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

 

[updates]

name=CentOS-$releasever - Updates

baseurl=http://vault.centos.org/centos/7.3.1611/updates/$basearch/

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

 

[extras]

name=CentOS-$releasever - Extras

baseurl=http://vault.centos.org/centos/7.3.1611/extras/$basearch/

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

 

[centosplus]

name=CentOS-$releasever -Plus

baseurl=http://vault.centos.org/centos/7.3.1611/centosplus/$basearch/

gpgcheck=1

enabled=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

  • Add a repo for the right version of gluster: /etc/yum.repos.d/CentOS-Gluster3.8.repo

[centos-gluster38]

name=CentOS-$releasever - Gluster 3.8

baseurl=http://vault.centos.org/centos/7.3.1611/storage/x86_64/gluster-3.8/

gpgcheck=0

enabled=1

 

Again I pulled this from the forum and it seemed to make sense: because I'm adding my own repos I don't need QCE looking around at mirrors.

  • Disable fastest mirror plugin

/etc/yum/pluginconf.d/fastestmirror.conf

enabled=0

 

  • Test yum

# yum clean all

# rm -rf /var/cache/yum/*

# yum makecache
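
A pre-flight check for the repo edits above, as an added example that is not part of the original post or the QRadar guide: it lists every enabled repo that is not pinned to the 7.3.1611 vault tree (a stock mirrorlist entry, for instance) and every repo with an explicit gpgcheck=0. The function names and the sample repo files are constructed for illustration; on the VM, point audit_repos at /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example: pre-flight audit of yum repo files before running ./setup.
PIN='://vault.centos.org/centos/7.3.1611/'   # release tree used in this post

# audit_repos DIR: print one finding per line; return 1 if any enabled repo
# is not pinned to $PIN. Only an explicit gpgcheck=0 is reported as NOGPG;
# a repo that omits gpgcheck inherits [main] in /etc/yum.conf (not read here).
audit_repos() {
    awk -v pin="$PIN" '
        function flush() {
            if (sec == "" || enabled == "0") return
            if (index(url, pin) == 0) {
                print "UNPINNED " sec " " (url == "" ? "(no-baseurl)" : url)
                bad = 1
            }
            if (gpg == "0") print "NOGPG " sec
        }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        /^[ \t]*\[/ {                                # new [section]
            flush(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
            url = ""; gpg = ""; enabled = "1"; next
        }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "baseurl")  url = val
            if (key == "gpgcheck") gpg = val
            if (key == "enabled")  enabled = val
        }
        END { flush(); exit bad + 0 }
    ' "$1"/*.repo
}

# make_sample DIR: constructed repo files (not copied from a real host).
make_sample() {
    printf '%s\n' '[base]' \
        'baseurl=http://vault.centos.org/centos/7.3.1611/os/$basearch/' \
        'gpgcheck=1' '[updates]' \
        'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&repo=updates' \
        'gpgcheck=1' > "$1/CentOS-Base.repo"
    printf '%s\n' '[centos-gluster38]' \
        'baseurl=http://vault.centos.org/centos/7.3.1611/storage/x86_64/gluster-3.8/' \
        'gpgcheck=0' 'enabled=1' > "$1/CentOS-Gluster3.8.repo"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_repos "$demo_dir" || echo "fix the UNPINNED repos before running ./setup"
rm -rf "$demo_dir"
```

On the constructed sample this reports the [updates] section, which still uses a mirrorlist, as UNPINNED and the Gluster repo as NOGPG.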

 

Some of the forums have you run an update, but given all the work I've done to get the right ISO and update the repo files I did not feel it was wise, so I didn't run any update before the setup.

 

Now you are ready to mount the QCE ISO that you downloaded earlier. The guide does a nice job of telling you how to upload and mount an ISO file, but if you're using VirtualBox you can just load the ISO in the VM's CD drive and mount it.

 

# mount /dev/cdrom /mnt

# cd /mnt

# ./setup


Comments

Wed August 08, 2018 07:16 PM

Well, I've had the privilege of working with the early release of QRadarCE 7.3.1 and the install now supports RHEL/CentOS 7, making it much easier to install. It will also make most of this post outdated when it does GA.
* You still need to use the minimal install (CentOS-7-x86_64-Minimal-1804)
* You shouldn't have to update any repo files