Thank you, Karl. I will look it over with a beer or two or three :)
It was a big learning process for me as I am not familiar with:
- The IBM ecosystem of patches, installs, etc.
- New to cyber security
- New to Linux, relying on Unix commands I used in the '80s
- New to networking at this level
- Hadn't used virtual machines in a long time
------------------------------
John Tyson
------------------------------
Original Message:
Sent: Thu December 09, 2021 07:37 AM
From: Karl Jaeger
Subject: My Experience Setting Up QRadar CE
John,
It was a great pleasure for Ralph and myself to chat and email with you and watch you walk up the steep QRadar hill.
Even more thanks for the two documents that will help many beginners get in close contact with QRadar using the "community edition".
We have done hundreds of training sessions in the past five years. From the very beginning we've been using CE for our boot camps.
Setting up your own QRadar helps a lot to understand the technology and how to integrate logsources and evaluate data using the many functions provided for free!
As an alternative to your great papers, members may download our whitepaper P4B Boot Camp - QRadar 7.3.3 CE VM-Setup, which is in German. It contains many pictures, and the amount of German you need to get the message is low. Using the URL https://www.pro4bizz.de/downloads.html it's available for free, and you receive a download link via email.
Thx again and stay tuned
Best Regards
Karl
PS: just realized that the latest version of the CE whitepaper has much more info, so I have uploaded it to the QRadar library folder:
https://community.ibm.com/community/user/security/viewdocument/p4b-boot-camp-qradar-733-ce-vm?CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=librarydocuments
Original Message:
Sent: Wed December 08, 2021 12:57 PM
From: John Tyson
Subject: My Experience Setting Up QRadar CE
I want to thank Karl Jaeger and Ralph Belfiore of Pro4bizz for all their help and patience in getting QRadar CE up and running for me. Here are the steps I used.
The issue I had was that while I could log in to QRadar CE, I wasn't getting any data under Log Activity or Network Activity.
High-Level Overview
- Setup your virtual machine (https://www.ibm.com/community/qradar/ce/)
- Set the static IP address (Jose Bravo video listed in the link above)
- Install QRadar CE
- Apply the License Patch (https://community.ibm.com/community/user/security/blogs/ralph-belfiore1/2021/01/30/waiting-for-a-valid-license-issue-important-to-kno)
- Apply the Auto Updates patches (2) - see My Journey doc attached
- Edit the syslog/rsyslog conf file on the machine(s) that will be sending log data to CE and add *.* @192.168.1.96:514 at the bottom of the file, where 192.168.1.96 is the IPv4 address of your CE VM.
- Configure Flow Sources
For the "gory details" I will add them as Word doc attachments.
The first one, "QRadar CE My Journey.docx", goes through the installation and setup process.
The second doc, "CE 3rd Install.docx", is somewhat redundant to the first doc, but contains a lot of screenshots, especially of NMTUI. It doesn't have the Flow Sources setup.
I may merge the two docs at a later date.
-John Tyson
------------------------------
John Tyson
------------------------------
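The rsyslog forwarding step in John's list (adding "*.* @<CE-IP>:514" to the sending host's config) is the one most often done by hand and most often done wrong: an unquoted "*.*" on a shell command line is a glob, a typo in the address silently sends nothing, and re-running the edit leaves duplicate rules. The script below is an added example, not part of the thread or of IBM's or Pro4bizz's material; it builds the rule, validates the collector address, appends it only once, and (where rsyslogd is installed) runs rsyslog's own syntax check. The collector address 192.0.2.10 is a constructed placeholder; the demo writes to a temporary file, never to /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example (not from the thread): build, validate and idempotently install the
# rsyslog forwarding rule that sends every facility/priority to a QRadar CE collector.

# Emit the legacy-syntax selector line. "@" forwards over UDP (as in the post);
# "@@" forwards over TCP, which rsyslog also supports and which does not drop
# events under load the way UDP can.
forward_rule() {
    ip="$1"; port="${2:-514}"; proto="${3:-udp}"
    case "$proto" in
        udp) printf '*.* @%s:%s\n'  "$ip" "$port" ;;
        tcp) printf '*.* @@%s:%s\n' "$ip" "$port" ;;
        *)   return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1; exit 0 }'
}

# Append the rule to the config only if it is not already there.
# Prints "added" or "exists". The rule is always passed quoted so the shell
# never expands "*.*" as a filename glob.
add_forward_rule() {
    conf="$1"; rule="$2"
    if grep -qxF -- "$rule" "$conf" 2>/dev/null; then
        echo exists
    else
        printf '%s\n' "$rule" >> "$conf"
        echo added
    fi
}

# rsyslogd -N1 parses the config without starting the daemon; skip if not installed.
check_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed; skipping syntax check"
    fi
}

# Demo on a constructed temporary config (placeholder collector address).
CE_IP="192.0.2.10"
demo() {
    tmp=$(mktemp)
    printf '*.info;mail.none;authpriv.none;cron.none  /var/log/messages\n' > "$tmp"
    valid_ipv4 "$CE_IP" || { echo "invalid collector address: $CE_IP"; rm -f "$tmp"; return 1; }
    rule=$(forward_rule "$CE_IP" 514 udp)
    add_forward_rule "$tmp" "$rule"   # first call: added
    add_forward_rule "$tmp" "$rule"   # second call: exists (no duplicate rule)
    check_conf "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

After installing the rule on a real host, restart rsyslog and confirm on the CE side that the sending host shows up as a new log source; if nothing arrives, verify that UDP/TCP 514 is open from the sender to the CE VM before touching the config again.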