IBM Security QRadar

  • 1.  10 Tips For Installing QRadar Community Edition

    Posted Tue February 11, 2020 04:22 PM

    IBM Security QRadar Community Edition is now released in a virtualization appliance format (OVA) which enables rapid access to the market leading SIEM for home, development and lab use cases. Community Edition is a free and fully featured version of QRadar that is low memory, low EPS, and includes a perpetual license. This version is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use.

     

    Research the following areas before you begin for the best experience.

     

    Tip #1: Read the QCE Installation Document

     

    Before you begin, download and read the installation document in its entirety. Understanding the system and networking requirements will save time later in the install process. In previous versions of Community Edition, the software was packaged as an ISO and was set up as part of the Operating System installation. With the packaging of the updated Community Edition as an OVA file, installation begins with the Import function in your virtualization platform.

     

    Tip #2: Understand the OVA format

     

    The OVA format delivers a preinstalled and configured image with a base operating system of CentOS 7.5 and comes bundled with the QRadar Community Edition ISO. With just one file to download and no underlying operating system configuration, setup is as simple as running a single command from the command line. With this update, there is a slight change in where and how you set your configurations.

     

    Tip #3: Choose the correct virtualization product for your need

     

    Before you begin installation, research the virtualization platform that will best suit the needs of your environment. You should select a platform that will satisfy the following criteria for easy install:

    • Network Configuration User Interface: If you are not comfortable configuring networking using the command line, consider a product that has an integrated network configuration UI. This will help reduce possible misconfigurations if you are unsure how to proceed in command line.
    • Support for OVA Import: Some virtualization products do not support direct OVA import. Make sure that your platform of choice supports OVA importing before proceeding.
    • Cost: While there are a variety of free and open source options available, the cost of the platform should be a consideration. Be sure to read the licensing agreement of the platform you select.
    • Download and install: Ensure your virtualization product is compatible with the underlying infrastructure that you will be utilizing for the Community Edition environment.

     

    Tip #4: Download the OVA in the correct format

     

    Ensure that the downloaded file is in the OVA format. If the browser saves it as anything other than an OVA, set the file type to 'All files' in the browser as the default.

     

    Tip #5: Validate the Checksum of the Download

    Download the provided SHA-256 checksum value to verify the integrity of the OVA download. The following commands compute the OVA checksum value on various operating systems:

    • Mac OS: $ shasum -a 256 <path to downloaded ova>
    • Windows: > CertUtil -hashfile <path to filename> SHA256
    • Linux: $ sha256sum <path to filename>

     

    Tip #6: Calculate usage requirements

     

    To future-proof your environment, be sure to size CPU, RAM and disk storage for future usage, not just for current or minimum specifications. These values can be set during the import process or shortly after in most virtualized environments. For Community Edition, system specifications need to be set before running the setup.

     

    Minimum storage size requirements are enforced by default. The number of CPU cores will vary based on intended use, but CPU resources are 2 cores by default. 6 CPU cores are the suggested minimum; however, use cases requiring Ariel queries or app development may require more resources for optimal performance.

     

    The minimum RAM requirement is 6GB; however, 8GB or higher is suggested for optimal performance. For those using Community Edition for app development, 10GB of RAM is recommended.

     

    Tip #7: Network access to your VM

    Configuring a network adapter with internet access is imperative to a successful installation. How best to proceed depends on whether you plan to use Community Edition on a single network or on multiple networks.

     

    Single Network Configuration

    If the purpose is to monitor a single network, bridged networking is preferable.

    • Ensure the ens network interface points to the correct adapter.
    • Choose the name associated with Wi-Fi to use the wireless adapter of the host.
    • For a wired connection, choose the value of the Ethernet adapter which feeds the wired connection.
    • Manually edit the configuration to assign the static IP, CIDR netmask, gateway and DNS values. These values should be the same as the host computer's networking details.

     

    Multiple Network Configuration

    If the answer is multiple networks, then NAT networking is preferable.

    • If you choose NAT, make sure that you enable port forwarding as documented in the Installation Guide for Community Edition.
    • Port forwarding must be enabled: forward port 8444 to port 443 and port 2222 to port 22.

     

    Tip #8: Make sure that the private and public IPs are static.

    Instructions for setting up static IPs for both the private and public addresses can be found in your preferred virtualization product's documentation. Another resource is the experience of other users, who can share their practical experience in the QRadar Community Edition forums. Note that you cannot change the IP of Community Edition once the installation process starts.

     

    Tip #9: Setting up Network Configuration using the command line

     

    If your virtualization platform does not support network configuration in the UI, you can log in as root after the VM is imported to configure network settings.

    • Power on the VM and type: $ nmtui
    • Select the value you want to edit and configure it for your environment.
    • Note: Watch this video to learn how to set the values on the command line.

     

    Tip #10: Checking settings using the command line

    Verify that your network settings are configured correctly using the following commands in the command line after installation.

     

    • Check IP information in the primary adapter: $ ip a
    • Check the host name: $ hostname
      • Expected result: The hostname includes the DNS domain (e.g. localhost.localdomain)
    • Check the length of the hostname: $ hostname -f | wc -c
      • Note: If you change the hostname, ensure that it is not greater than 63 characters and is a fully qualified domain name.
    • Check whether there is internet access by pinging an external IP address: $ ping 9.9.9.9
      • Expected result: You should see packets being returned instead of "Network unreachable"

     

    Bonus: Choose strong passwords for Root Access

    When you first power on the imported VM, you will notice that you are asked to log in as the root user. Immediately afterwards you are asked to set a root password. Remember to choose a strong password: more than 5 characters, with a mix of alphanumeric and special characters.

     

    Similarly, choose a different password for the admin user (the default administrator role) using the same criteria. Remember, longer passwords with complex characters provide better protection for your QRadar Community Edition instance.



    ------------------------------
    SREE ANANTHASAYANAM
    ------------------------------
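The following script is an added example and is not part of the original post or of the QRadar CE distribution. It turns Tip #5 (checksum validation) and Tip #10 (hostname check) into reusable checks that can be run on the download host and inside the imported VM. It assumes the OVA and the published SHA-256 hex digest have already been downloaded; the file names in the comments are placeholders, not the real distribution names.

```shell
#!/bin/sh
# Added example, not from the original post: scripted versions of Tip #5 and
# Tip #10. Assumption: the OVA and the published SHA-256 digest are local files
# whose paths the caller supplies (names below are placeholders).

# verify_ova_checksum FILE EXPECTED_HEX
# Recomputes the SHA-256 of FILE with whichever tool the host has (sha256sum on
# Linux, shasum on macOS) and compares it, case-insensitively, with the
# published digest. Returns 0 on match, 1 on mismatch, 2 if the file is
# unreadable or no hashing tool is available.
verify_ova_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$file" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    else
        echo "verify_ova_checksum: no sha256sum or shasum on this host" >&2
        return 2
    fi
    [ "$actual" = "$expected" ]
}

# check_hostname NAME
# Applies the Tip #10 rule: a fully qualified name of at most 63 characters.
# "Fully qualified" is checked as: at least one dot, no empty labels, and only
# letters, digits, hyphens and dots. Caveat: `hostname -f | wc -c`, as written
# in the post, also counts the trailing newline, so a 63-character name shows
# as 64; ${#name} below counts the name only.
check_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 63 ] || return 1
    case $name in
        *.*) ;;                          # must carry a domain part
        *) return 1 ;;
    esac
    case $name in
        .*|*.|*..*) return 1 ;;          # no empty labels
    esac
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;    # characters outside the hostname set
    esac
    return 0
}

# check_internet [IP]
# One ICMP echo to an external address (9.9.9.9 as in the post) with a
# two-second timeout (Linux ping semantics, as in the CentOS guest).
# Returns ping's exit status: 0 means a reply came back.
check_internet() {
    ping -c 1 -W 2 "${1:-9.9.9.9}" >/dev/null 2>&1
}

# run_checks OVA EXPECTED_HEX
# Runs all three checks, prints one PASS/FAIL line each, and returns the
# number of failed checks so it can gate an automated import.
run_checks() {
    failures=0
    if verify_ova_checksum "$1" "$2"; then echo "PASS checksum"; else echo "FAIL checksum"; failures=$((failures + 1)); fi
    if check_hostname "$(hostname -f 2>/dev/null)"; then echo "PASS hostname"; else echo "FAIL hostname"; failures=$((failures + 1)); fi
    if check_internet; then echo "PASS internet"; else echo "FAIL internet"; failures=$((failures + 1)); fi
    return "$failures"
}
```

Source the file and call `run_checks /path/to/QRadarCE.ova "$(cat /path/to/QRadarCE.ova.sha256)"` (placeholder paths) before importing the OVA, and again from inside the VM after the network is configured; a non-zero return means at least one tip has not been satisfied. If your platform happens to be VirtualBox (an assumption, since the post does not name a product), the two NAT rules from Tip #7 are `VBoxManage modifyvm "<vm name>" --natpf1 "qradar-https,tcp,,8444,,443"` and `VBoxManage modifyvm "<vm name>" --natpf1 "qradar-ssh,tcp,,2222,,22"`.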


  • 2.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Wed February 12, 2020 04:37 AM
    Hi @SREE ANANTHASAYANAM,

    Do you also know if we can ask for an EPS upgrade to at least 100 or 150 EPS, because honestly 50 is a bit low even for dev?

    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Thu February 13, 2020 12:34 PM
    Hi Chinmay,
    Have you tried applying routing rules to drop events? This will increase your ability to use QRadar CE.
    Your requirement is an enhancement to the product.
    Also kindly use the QRadar CE forum for further questions.
    We appreciate your feedback.
    Thanks and Regards.
    Sree

    ------------------------------
    SREE ANANTHASAYANAM
    ------------------------------



  • 4.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Wed February 12, 2020 09:51 AM
    Thank you for this very helpful write up




  • 5.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Thu February 13, 2020 12:36 PM
    Hi Jim,
    Thanks.
    Sree

    ------------------------------
    SREE ANANTHASAYANAM
    ------------------------------



  • 6.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Thu February 13, 2020 10:27 AM
    Edited by VIKAS MANORIA Thu February 13, 2020 10:57 AM
    Hi @SREE ANANTHASAYANAM, Good post. Two questions here.

    1) Instead of installing 7.3.3 CE from scratch, is there any way to upgrade 7.3.1 CE?
    2) Can we get the installable version of 7.3.3 CE, like the way we had for 7.3.1 CE?

    ------------------------------
    VIKAS MANORIA
    ------------------------------



  • 7.  RE: 10 Tips For Installing QRadar Community Edition

    Posted Thu February 13, 2020 01:17 PM
    Hi Vikas,
    Thank you.
    1) The current implementation does not allow for upgrades.
    2) If you mean an ISO, there is no 7.3.3 ISO for QRadar CE for download.
    The CE ova makes the installation simpler and way easier.
    Regards.
    Sree

    ------------------------------
    SREE ANANTHASAYANAM
    ------------------------------