IBM Security QRadar

10 Tips For Installing QRadar Community Edition

By SREE ANANTHASAYANAM posted Tue February 11, 2020 04:10 PM


IBM Security QRadar Community Edition is now released in a virtualization appliance format (OVA) which enables rapid access to the market leading SIEM for home, development and lab use cases. Community Edition is a free and fully featured version of QRadar that is low memory, low EPS, and includes a perpetual license. This version is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use.

 

Research the following areas before you begin for the best experience.

 

Sign up for the FREE IBM QRadar Community Edition here.

 

Tip #1: Read the QCE Installation Document

 

Before you begin, download and read the installation document in its entirety. Understanding the system and networking requirements will save time later in the install process. In previous versions of Community Edition, the software was packaged as an ISO and was set up as part of the Operating System installation. With the packaging of the updated Community Edition as an OVA file, installation begins with the Import function in your virtualization platform.

 

Tip #2: Understand the OVA format

 

The OVA format delivers a preinstalled and configured image with a base operating system of CentOS 7.5 and comes bundled with the QRadar Community Edition ISO. With just one file to download and no underlying operating system configuration, setup is as simple as running a single command from the command line. With this update, there is a slight change in where and how you set your configurations.

 

Tip #3: Choose the correct virtualization product for your need

 

Before you begin installation, research the virtualization platform that will best suit the needs of your environment. You should select a platform that will satisfy the following criteria for easy install:

  • Network Configuration User Interface: If you are not comfortable configuring networking using the command line, consider a product that has an integrated network configuration UI. This will help reduce possible misconfigurations if you are unsure how to proceed in command line.
  • Support for OVA Import: Some virtualization products do not support direct OVA import. Make sure that your platform of choice supports OVA importing before proceeding.
  • Cost: While there are a variety of free and open source options available, the cost of the platform should be a consideration. Be sure to read the licensing agreement of the platform you select.
  • Download and install: Ensure your virtualization product is compatible with the underlying infrastructure that you will be using for the Community Edition environment.

 

Tip #4: Download the OVA in the correct format

 

Ensure that the downloaded file is in the correct format as an OVA. If the file is downloaded as anything other than an OVA, set the format to ‘All files’ in the browser as default.

 

Tip #5: Validate the Checksum of the Download

Download the provided SHA-256 checksum value and compare it against the downloaded OVA to confirm the download's integrity. The following commands compute the OVA checksum value on various operating systems:

  • Mac OS: $ shasum -a 256 <path to downloaded ova>
  • Windows: > CertUtil -hashfile <path to filename> SHA256
  • Linux: $ sha256sum <path to filename>
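The comparison step, as an added example that is not part of the original article: a small POSIX shell script that picks whichever hashing tool the host has, reads the digest out of the published checksum file (assumed to hold the hex digest as its first token, the layout sha256sum and shasum produce), and fails loudly on a mismatch. File names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM article: verify a downloaded OVA against the
# SHA-256 value published with it. Assumes the checksum file holds the hex
# digest as its first whitespace-separated token.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE using sha256sum
# (Linux) or shasum (Mac OS); exit status 2 when neither tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  else
    echo "no SHA-256 tool found (need sha256sum or shasum)" >&2
    return 2
  fi
}

# expected_digest CHECKSUM_FILE: first hex token of the downloaded checksum file.
expected_digest() {
  awk '{print tolower($1); exit}' "$1"
}

# verify_ova OVA_FILE EXPECTED_HEX: 0 when the digests match, 1 on mismatch,
# 2 when no digest could be computed. Comparison is case-insensitive.
verify_ova() {
  actual=$(sha256_of "$1") || return 2
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH for $1" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (placeholder file names):
#   verify_ova QRadarCE.ova "$(expected_digest QRadarCE.ova.sha256)"
```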

 

Tip #6: Calculate Usage requirements  

 

To future-proof your environment, size CPU, RAM and disk storage for expected future usage, not just for current or minimum specifications. These values can be set during the import process or shortly after in most virtualized environments. For Community Edition, system specifications need to be set before running the setup.

 

Minimum storage size requirements are enforced by default. The number of CPU cores will vary based on intended use, but the default CPU allocation is 2 cores. 6 CPU cores are the suggested minimum; however, use cases requiring Ariel queries or app development may require more resources for optimal performance.

 

RAM requirements are 6GB for minimum specifications, however 8GB or higher is suggested for optimal performance. For those using Community Edition for app development, 10GB of RAM is recommended.

 

Tip #7: Network access to your VM

Configuring a network adapter with internet access is imperative to a successful installation. How to best proceed depends on whether you plan to use Community Edition on a single network or on multiple networks.

 

Single Network Configuration

If the purpose is to monitor a single network, bridged networking is preferable.

  • Ensure the ens network interface points to the correct adapter.
  • Choose the name associated with Wi-Fi to use the wireless adapter of the host.
  • For a wired connection, choose the ethernet adapter that feeds the wired connection.
  • Manually edit the configuration to assign static IP, CIDR netmask, gateway and DNS values. These values should be the same as the host computer's networking details.

 

Multiple Network Configuration

If you plan to use multiple networks, NAT networking is preferable.

  • If you choose NAT, make sure you enable port forwarding as documented in the Installation Guide for Community Edition.
  • Port forwarding must be enabled: forward host port 8444 to guest port 443 (the QRadar console) and host port 2222 to guest port 22 (SSH).

 

Tip #8: Make sure that the private and public IP are static

Instructions for setting up static IPs for both the private and public IP can be found in your preferred virtualization product's documentation. Another resource is the QRadar Community Edition forums, where other users share their practical experience. Note that you cannot change the IP of Community Edition once the installation process starts.

 

Tip #9: Setting up Network Configuration using the command line

 

If your virtualization platform does not support network configuration in the UI, you can log in as root after the VM is imported to configure network settings.

  • Power on the VM and type: $ nmtui
  • Select the value you want to edit and configure it for your environment.
  • Note: Watch this video to learn how to set the values on the command line.

 

Tip #10: Checking settings using the command line

Verify that your network settings are configured correctly using the following commands in the command line after installation.

 

  • Check the IP information of the primary adapter: $ ip a
  • Check the hostname: $ hostname
    • Expected result: the hostname includes the domain (e.g. localhost.localdomain)
  • Check the length of the hostname: $ hostname -f | wc -c
    • Note: If you change the hostname, ensure that it is not greater than 63 characters and is a fully qualified domain name.
  • Check for internet access by pinging an external IP address: $ ping 9.9.9.9
    • Expected result: You should see packets being returned rather than "Network Unreachable"
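The checks from Tip #10 and the NAT port forwards from Tip #7, wrapped into one post-install script. This is an added example, not part of the original article; it assumes a POSIX shell, a Linux `ping` (the CentOS guest), and that `nc` is available on the hypervisor host for the port-forward check.

```shell
#!/bin/sh
# Added post-install check script (not from the IBM article). 9.9.9.9 is the
# external address the article pings; 8444 and 2222 are the host-side NAT
# forwards the article lists for the console (443) and SSH (22).

# check_hostname NAME: 0 when NAME is a fully qualified name (contains a dot)
# of 1..63 characters. ${#name} is used rather than `hostname -f | wc -c`
# because wc -c also counts the trailing newline, overstating the length by 1.
check_hostname() {
  name=$1
  [ "${#name}" -gt 0 ] && [ "${#name}" -le 63 ] || return 1
  case $name in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# check_internet: 0 when one ICMP echo to 9.9.9.9 is answered within 2 s
# (Linux ping syntax; on Mac OS -W takes milliseconds).
check_internet() {
  ping -c 1 -W 2 9.9.9.9 >/dev/null 2>&1
}

# check_forward HOST PORT: 0 when a TCP connect to HOST:PORT succeeds.
# Run this from the hypervisor host against its own address to confirm the
# NAT forwards (8444 -> 443, 2222 -> 22) reach the guest.
check_forward() {
  nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# run_guest_checks: the in-VM checks from Tip #10; returns 1 if any fail.
run_guest_checks() {
  rc=0
  ip a
  fqdn=$(hostname -f)
  if check_hostname "$fqdn"; then echo "hostname OK: $fqdn"
  else echo "hostname BAD (not an FQDN or over 63 chars): $fqdn" >&2; rc=1; fi
  if check_internet; then echo "internet OK (9.9.9.9 reachable)"
  else echo "internet BAD: 9.9.9.9 unreachable" >&2; rc=1; fi
  return $rc
}

# run_host_checks HOST: the NAT forward checks from Tip #7, run on the host.
run_host_checks() {
  rc=0
  for p in 8444 2222; do
    if check_forward "$1" "$p"; then echo "forward OK: $1:$p"
    else echo "forward BAD: $1:$p not reachable" >&2; rc=1; fi
  done
  return $rc
}
```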

 

Bonus: Choose strong passwords for Root Access

When first powering on the created VM, you will notice that you are asked to log in as the root user. Immediately after, you will be asked to set a root password. Choose a password that is strong: longer than 5 characters and made up of a mix of alphanumeric and special characters.

 

Similarly choose another password for the admin user (default administrator role) with similar criteria. Remember, longer passwords with complex characters provide better protection of your QRadar Community Edition instance.

 

For an in-depth look at Community Edition v7.3.3, join QRadar experts on a technical webinar on February 21st. Register here.

 


#QRadar
#Security

Comments

15 days ago

VMware Fusion 11.1.0 is fine. Make sure you set the virtual NIC to NAT mode and double check install tips 8, 9 and 10. The standard OVA IP seems to be 172.16.174.134. Leave that if you get in trouble. Always check psql for the managed host IP before reboot! Use the subcommand select * from managedhost; deploy warnings in the admin GUI regarding host IP can be ignored if everything else works and host IP equals managed host IP. Use a 2nd VM as a live log source, e.g. Ubuntu desktop, or issue logrun.pl for simulating log sources. Set everything ready inside your VM for ESX and export OVF format 1st if you want to run it inside vSphere. This however needs a bit more thought about network setup because NAT is not supported by ESX.

Tue February 25, 2020 09:08 AM

First, let me express my appreciation for the support work that went into making the OVA format change. The old method was extremely time consuming and prone to unexplainable errors requiring trying multiple times. I am more likely to encourage others to try it 'at home' without having to babysit them. Keep it coming!

Secondly, the instructions on setting up adapters appear to be oriented to a specific virtualization product and host environment, but you don't say which one. With Hyper-V, for example, I can give QRadar its own IP separate from that of the host. Perhaps someone can contribute specific material for each host+virtualization combination as they work through it. Also, documenting how to deal with a second NIC for snooping would be appreciated.

Fri February 14, 2020 06:29 AM

Great blog!