So after a lot of trial and error I got Qradar Community edition installed and the install guide is correct. The catch is the guide is out of date and CentOS has moved on causing issues with dependencies during setup. All of this makes sense once it clicks and you know what's going on but it took me a while to get there. So Im going to pull together the steps that worked with some explanation.
First you have to get the right OS installed, and as the guide states you have to have a minimal install of CentOS 7.3.
Again the catch is that this ISO is no longer available for direct download and once you have it you will have to update some repos so that the QCE install can find the proper version of dependencies that it needs.
Get CentOS from the vault, I've included a link here and the ISO file name:
CentOS-7-x86_64-Minimal-1611.iso
You may also get package conflicts if you use a full or base install so stick with the minimal install.
You will need a torrent client to download the ISO
Once you have the ISO you will need to create a VM, the guide does a nice job of telling you the requirements.
Grab the PDF guide and the QRadar Community edition ISO
QRadarCE7_3_0.GA.iso
I used virtual box and it seemed to work fine. I also used dynamic disk so I didn't have to preallocate 80G of disk and that seemed to work fine as well.
Once CentOS 7.3 is installed on virutalbox or whatever hypervisor you use, we start editing files to get setup for the QCE install.
I pulled this next configuration from one of the community forums and it seemed like a good Idea since Im not supporting IP v6 on my VM anyway.
- Disable ipv6 /etc/sysctl.conf
Add the following lines:
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
|
You will need to disable selinux. This step is in the guide but I thought Id just add it quickly here.
Modify so you have this line
Now we are back to fixing the issues with QCE using an older version of CentOS. The QCE setup script downloads some rpm's and dependencies and if you don’t point the repo files to the valut you will get the wrong versions.
- Edit CentOS-Base.repo: /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
baseurl=http://vault.centos.org/centos/7.3.1611/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[updates]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/centos/7.3.1611/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/centos/7.3.1611/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[centosplus]
name=CentOS-$releasever -Plus
baseurl=http://vault.centos.org/centos/7.3.1611/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
|
- Add a repo for the right version of gluster: /etc/yum.repos.d/CentOS-Gluster3.8.repo
[centos-gluster38]
name=CentOS-$releasever - Gluster 3.8
baseurl=http://vault.centos.org/centos/7.3.1611/storage/x86_64/gluster-3.8/
gpgcheck=0
enabled=1
|
Again I pulled this from the forum and it seemed to make sense, because Im adding my own repos I don’t need QCE looking around at mirrors.
- Disable fastest mirror plugin
/etc/yum/pluginconf.d/fastestmirror.conf
# yum clean all
# rm -rf /var/cache/yum/*
# yum makecache
|
Some of the forums have you run an update but, given all the work Ive done to get the right ISO and update the repo files I did not feel it was wise so I didn't run any update before the setup.
Now you are ready to mount the QCE ISO that you downloaded earlier. The guide does a nice job of telling you how to upload it and mount a ISO file but if you're using virtual box you can just load the ISO in the VM's CD drive and mount it.
# mount /dev/cdrom /mnt
# cd /mnt
# ./setup
|