IBM Security QRadar Community Edition is now released in a virtualization appliance format (OVA), which enables rapid access to the market-leading SIEM for home, development and lab use cases. Community Edition is a free and fully featured version of QRadar that is low memory, low EPS, and includes a perpetual license. This version is limited to 50 events per second and 5,000 network flows a minute, supports apps, and is based on a smaller footprint for non-enterprise use.
Research the following areas before you begin for the best experience.
Sign up for the FREE IBM QRadar Community Edition here.
Tip #1: Read the QCE Installation Document
Before you begin, download and read the installation document in its entirety. Understanding the system and networking requirements will save time later in the install process. In previous versions of Community Edition, the software was packaged as an ISO and was set up as part of the Operating System installation. With the packaging of the updated Community Edition as an OVA file, installation begins with the Import function in your virtualization platform.
Tip #2: Understand the OVA format
The OVA format delivers a preinstalled and configured image with a base operating system of CentOS 7.5 and comes bundled with the QRadar Community Edition ISO. With just one file to download and no underlying operating system configuration, setup is as simple as running a single command from the command line. With this update, there is a slight change in where and how you set your configurations.
Tip #3: Choose the correct virtualization product for your need
Before you begin installation, research the virtualization platform that will best suit the needs of your environment. You should select a platform that will satisfy the following criteria for easy install:
- Network Configuration User Interface: If you are not comfortable configuring networking using the command line, consider a product that has an integrated network configuration UI. This will help reduce possible misconfigurations if you are unsure how to proceed in command line.
- Support for OVA Import: Some virtualization products do not support direct OVA import. Make sure that your platform of choice supports OVA importing before proceeding.
- Cost: While there are a variety of free and open source options available, the cost of the platform should be a consideration. Be sure to read the licensing agreement of the platform you select.
- Download and install: Ensure your virtualization product is compatible with the underlying infrastructure that you will be utilizing for Community Edition environment.
Tip #4: Download the OVA in the correct format
Ensure that the downloaded file is saved as an OVA. If your browser saves it with any other extension, set the file type to ‘All files’ in the browser's save dialog before downloading again.
Tip #5: Validate the Checksum of the Download
Download the provided SHA-256 checksum value to verify the integrity of the OVA download. The following commands compute the SHA-256 value of the downloaded OVA on various operating systems; compare the output with the published value:
- Mac OS: $ shasum -a 256 <path to downloaded ova>
- Windows: > CertUtil -hashfile <path to filename> SHA256
- Linux: $ sha256sum <path to filename>
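The commands above print a digest that you still have to compare by eye. As an added example (not part of the IBM article), the POSIX shell functions below wrap that comparison so a mismatch fails loudly. They assume either sha256sum (Linux) or shasum (macOS) is installed, and compare case-insensitively because published digests are sometimes shown in upper case while the tools print lower case.

```shell
# Added example, not IBM's code: verify a downloaded OVA against a published SHA-256.

# compute_sha256 FILE -> prints the hex SHA-256 digest of FILE
compute_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        # macOS has no sha256sum; shasum -a 256 prints the same format
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_ova_checksum FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch
verify_ova_checksum() {
    file=$1
    # normalise the published value to lower case so "ABCD..." and "abcd..." compare equal
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(compute_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file does not match the published SHA-256" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (file name and digest are placeholders; take the digest from the IBM download page):
#   verify_ova_checksum QRadarCE.ova <published SHA-256 value> || exit 1
```

Run it before importing the OVA; a non-zero exit means the file was corrupted or altered in transit and should be downloaded again rather than imported.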
Tip #6: Calculate Usage requirements
To future-proof your environment, size CPU, RAM and disk storage for future usage, not just current or minimum specifications. These values can be set during the import process or shortly after in most virtualized environments. For Community Edition, system specifications need to be set before running the setup.
Minimum storage size requirements are enforced by default. The number of CPU cores will vary based on intended use, but CPU resources are 2 cores by default. 6 CPU cores are the suggested minimum, but use cases requiring Ariel queries or app development may require more resources for optimal performance.
RAM requirements are 6GB for minimum specifications, but 8GB or higher is suggested for optimal performance. For those using Community Edition for app development, 10GB of RAM is recommended.
Tip #7: Network access to your VM
Configuring a network adapter with internet access is imperative to a successful installation. How best to proceed depends on whether you plan to use Community Edition on a single network or on multiple networks.
Single Network Configuration
If the purpose is monitoring a single network, bridged networking is preferable.
- Ensure the ens network interface points to the correct adapter.
- Choose the name associated with Wi-Fi to use the host's wireless adapter.
- For a wired connection, choose the Ethernet adapter that provides the wired connection.
- Manually edit the configuration to assign the static IP, CIDR netmask, gateway and DNS values. These values should match the host computer’s networking details.
Multiple Network Configuration
If the answer is multiple networks, NAT networking is preferable.
- If you choose NAT, enable port forwarding as documented in the Installation Guide for Community Edition.
- Port forwarding must be enabled: forward port 8444 to port 443 and port 2222 to port 22.
Tip #8: Make sure that the Private and Public IP are static
Instructions for setting up static IPs for both the private and public IP can be found in your preferred virtualization product's documentation. Another resource is the QRadar Community Edition forums, where other users share their practical experience. Note that you cannot change the IP of Community Edition once the installation process starts.
Tip #9: Setting up Network Configuration using the command line
If your virtualization platform does not support network configuration in the UI, you can log in as root after the VM is imported to configure network settings.
- Power on the VM and type: $ nmtui
- Select the value you want to edit to configure it for your environment.
- Note: Watch this video to learn how to set the values on the command line
Tip #10: Checking settings using the command line
Verify that your network settings are configured correctly by running the following commands after installation.
- Check the IP information of the primary adapter: $ ip a
- Check the hostname: $ hostname
- Expected result: the hostname includes the domain (e.g. localhost.localdomain)
- Check the length of the hostname: $ hostname -f | tr -d '\n' | wc -c
- Note: If you change the hostname, ensure that it is not greater than 63 characters and is a fully qualified domain name.
- Check for internet access by pinging an external IP address: $ ping 126.96.36.199
- Expected result: you should see packets being returned instead of "Network Unreachable"
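The checks above are usually typed one at a time. As an added example (not part of the IBM article), the shell functions below bundle them, and isolate the hostname rule from Tip #10 (a fully qualified name of at most 63 characters) so it can be checked against any candidate name before you commit to it. One practical caveat the functions handle: piping hostname -f straight into wc -c counts the trailing newline, so it reports one character more than the real length. The probe address is the one quoted in the tip; substitute your own.

```shell
# Added example, not IBM's code: post-install network sanity checks for QRadar CE.

# hostname_length NAME -> prints the character count of NAME (no trailing newline counted)
hostname_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# check_hostname NAME -> 0 if NAME is an FQDN of at most 63 characters, else 1
check_hostname() {
    name=$1
    len=$(hostname_length "$name")
    if [ "$len" -gt 63 ]; then
        echo "hostname '$name' is $len characters; the limit is 63" >&2
        return 1
    fi
    # a fully qualified name must carry a domain part, i.e. contain at least one dot
    case $name in
        *.*) ;;
        *) echo "hostname '$name' has no domain part (expected e.g. host.example.com)" >&2
           return 1 ;;
    esac
    return 0
}

# run_network_checks [PROBE_IP] -> runs the checks from Tip #10; non-zero on any failure
run_network_checks() {
    probe=${1:-126.96.36.199}   # address quoted in the tip; replace with your own probe
    echo "== Interfaces =="
    ip a
    fqdn=$(hostname -f)
    echo "== Hostname: $fqdn ($(hostname_length "$fqdn") characters) =="
    check_hostname "$fqdn" || return 1
    echo "== Reachability of $probe =="
    ping -c 3 "$probe" || return 1
    echo "All checks passed"
}

# Usage on the installed VM:
#   run_network_checks            # or: run_network_checks <another external IP>
#   check_hostname qradar.lab.example.com   # test a name before setting it
```

run_network_checks needs the ip and ping commands present on the VM; check_hostname and hostname_length work anywhere, which is what makes them useful for vetting a name before changing it.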
Bonus: Choose strong passwords for Root Access
When you first power on the created VM, you are asked to log in as the root user and, immediately afterwards, to set a root password. Choose a password that is strong: more than 5 characters, mixing letters and numbers with special characters.
Similarly, choose another password for the admin user (the default administrator role) using the same criteria. Remember, longer passwords with a mix of character types provide better protection for your QRadar Community Edition instance.
For an in-depth look at Community Edition v7.3.3, join QRadar experts on a technical webinar on February 21st. Register here.