IBM Security QRadar

This seems a very confusing topic.  Can someone clarify what is the difference between them? On the official IBM guide, it says when don't have RHEL installed then go for appliance installation but when you have RHEL installed then go for software installation.

But I've seen many cases where companies are using software installation without separately installing RHEL. A guy in Reddit chat was saying that I concluded that when you buy appliance directly from IBM then go for appliance installation and when you have your own appliance then do software installation.

Please someone clarify this. Thanks

------------------------------
Nouman Ahmad
------------------------------

You have several combinations with QRadar.
1- You get the physical hardware from IBM + RHEL from IBM + QRadar
2- You get your own hardware + you install your own RHEL + QRadar
3 - You install (IBM provided RHEL + Qradar ) on a virtualized environment.
4 - You install your own RHEL on a virtualized environment + you install QRadar.

Now, IBM provides a QRadar installation ISO file. inside the ISO there is already a particular version of the RHEL.

When you see the options menu during installation.
Appliance installation - you are installing the QRadar + the 'RHEL version' inside the ISO file. if you select this option your own hardware or virtual environment, you must purchase the software node entitlemenet.
Software installation - This option, you are providing the RHEL version. the RHEL entitlement is provided by a third party, not IBM, you also need to make sure you handled the OS partitioning and other pre-requisites before the installation of the QRadar.

example of option 2:
supose you want to install QRadar on a CentOS in AWS and not use the appliance from Marketplace.

Ref
Qradar installation guide 7.3.2 ( Chapter 2, page 7)

------------------------------
Ditmar Tavares
------------------------------

Original Message:
Sent: Sun January 09, 2022 12:18 PM
From: Nouman Ahmad
Subject: Appliance Installation vs Software Installation

This seems a very confusing topic.  Can someone clarify what is the difference between them? On the official IBM guide, it says when don't have RHEL installed then go for appliance installation but when you have RHEL installed then go for software installation.

But I've seen many cases where companies are using software installation without separately installing RHEL. A guy in Reddit chat was saying that I concluded that when you buy appliance directly from IBM then go for appliance installation and when you have your own appliance then do software installation.

Please someone clarify this. Thanks

------------------------------
Nouman Ahmad
------------------------------

If it is not the appliance, then it is either a VM or self-provided hardware. To have QRadar on own hardware or VM, you should follow hardware compatibility prerequisites that are in line with RHEL HCL (for QRadar 7.4.x it is RHEL 7.x). If using own VM, you should follow the sizing guidelines in order to support your required/intended workload, or for hardware you can check the config examples related to appliances. (Never underestimate the performance requirements related to the storage subsystem, as it really can impact the overall performance).
If you acquire the appliance, QRadar software image will be there already. Otherwise, you should go to your passport advantage or search on fixcentral to obtain the needed .iso
To install QRadar software on your own hardware or VM, you must acquire entitlement to a QRadar Software Node for a QRadar software installation. This one serves to cover the entitlement for the RHEL components used in QRadar (it is needed for each instance you installed on a non-appliance system to be "in the clear"). You can ask the IBM or IBM partner's seller for more info about QRadar Software Node.
You should not select the Appliance install option during deployment if you use your own hardware (use Software installation option). (The install script detects the resources available and applies adequate tuning for the assumed appliance)
If you want to check what is the appliance QRadar was installed on, you can use the command  /opt/qradar/bin/myver -hw (if the result is low-end , it can be an older system or maybe a lower-spec VM.) For more details, you can also use dmidecode -t system .


------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Sun January 09, 2022 12:18 PM
From: Nouman Ahmad
Subject: Appliance Installation vs Software Installation

This seems a very confusing topic.  Can someone clarify what is the difference between them? On the official IBM guide, it says when don't have RHEL installed then go for appliance installation but when you have RHEL installed then go for software installation.

But I've seen many cases where companies are using software installation without separately installing RHEL. A guy in Reddit chat was saying that I concluded that when you buy appliance directly from IBM then go for appliance installation and when you have your own appliance then do software installation.

Please someone clarify this. Thanks

------------------------------
Nouman Ahmad
------------------------------