sentence
3 Posts

Pinned topic Virtual Appliance

‏2014-05-08T09:14:34Z | deployment hyper-v vm

Dear all,

Since the Installation Guide provides information that Virtual Appliances (VM EP QRadar SIEM 1690) require a VMware ESX 5.0 virtual machine, I want to ask you if it's also possible on Hyper-V?

Please, do you have any information on this? Is there anything planned?

 

Are there any other solutions to collect logs from remote entities/regions?

 

Thank you in advance and best regards,

Sentence

 

  • Daniel Mahrenholz
    9 Posts
    ACCEPTED ANSWER

    Re: Virtual Appliance

    ‏2014-05-08T12:40:15Z  

    Hi Alex,

    I don't have any documentation - all important points are in my previous post. The procedure looks as follows:

    1. Create new HyperV VM (assign resources as needed / specified in ESX docu)

    2. Remove default network adaptor from VM, add legacy network adapter

    3. Select to boot from installation ISO

    4. Power on VM, install QRadar

    5. Log in via HyperV console and disable IRQ balancing

    6. Reboot

    You can use the default network adaptor too, but then you have to install Linux integration services for Hyper-V (http://www.microsoft.com/en-us/download/details.aspx?id=34603). I think this would increase performance as well, but I cannot say for sure.

     

    Regards,

    Daniel.
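
Added example, not part of the original post: host-side steps 1 to 4 of the procedure above, scripted with the Hyper-V PowerShell module (Windows Server 2012 or later). The VM name, switch name, file paths and the CPU, memory and disk sizes are placeholders; take the real sizing from the ESX documentation, as the post says.

```powershell
# Run in an elevated PowerShell session on the Hyper-V host.
# All values below are placeholders (assumptions), not QRadar requirements.
$VMName  = 'qradar-ep01'                  # hypothetical VM name
$Switch  = 'External-vSwitch'             # an existing virtual switch (assumed)
$IsoPath = 'D:\iso\qradar-install.iso'    # placeholder path to the installation ISO
$VhdPath = "D:\vhd\$VMName.vhdx"          # placeholder location for the system disk

# Step 1: create the VM (generation 1 by default, which is what supports
# legacy network adapters). Replace the sizes with the documented values.
New-VM -Name $VMName -MemoryStartupBytes 8GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 256GB | Out-Null
Set-VMProcessor -VMName $VMName -Count 4

# Step 2: remove the default (synthetic) adapter and add a legacy one.
Get-VMNetworkAdapter -VMName $VMName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VMName -IsLegacy $true `
                     -SwitchName $Switch -Name 'Legacy NIC'

# Step 3: mount the installation ISO and put the CD first in the boot order.
Set-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMBios -VMName $VMName `
           -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Check before power-on: exactly one adapter, and it is the legacy type.
$nics = @(Get-VMNetworkAdapter -VMName $VMName)
if ($nics.Count -ne 1 -or -not $nics[0].IsLegacy) {
    throw "Expected a single legacy network adapter on $VMName"
}

# More than one vCPU means irqbalance must be disabled in the guest
# (steps 5 and 6), otherwise the VM has no network connectivity.
if ((Get-VMProcessor -VMName $VMName).Count -gt 1) {
    Write-Warning 'Multiple vCPUs: disable irqbalance in the guest after install.'
}

# Step 4: power on; the QRadar installation continues in the VM console.
Start-VM -Name $VMName
```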

     

  • Daniel Mahrenholz
    9 Posts

    Re: Virtual Appliance

    ‏2014-05-08T10:51:49Z  

    Hi Sentence,

    We have different QRadar systems running on Hyper-V (Server 2008 R2, Server 2012, Windows 8.1). There are only two points to consider:

    1) Configure virtual machine to use a legacy network adapter

    2) If you assign multiple CPUs to the virtual machine you need to disable IRQ balancing. Otherwise you don't get any network connectivity.

    service irqbalance stop
    chkconfig --level 123456 irqbalance off

    <reboot>

     

    Regarding event collection from remote entities, you can do different things:

    - place a QRadar appliance in every location,

    - use syslog/TCP directly to your HQ,

    - set up a Windows server with WinCollect Agent in every location,

    - set up a syslog server in every location that receives, caches and forwards to your HQ.

    The best solution always depends on your specific requirements.

     

    Regards,

    Daniel.

  • sentence
    3 Posts

    Re: Virtual Appliance

    ‏2014-05-08T12:03:01Z  

    Hi Daniel,

     

    thank you very much for the fast response!

    Please, do you have any documentation for installing an EP on Hyper-V? I just found the documentation for ESX.

    That would be great!

    Thanks a lot and best regards,

    Alex

  • sentence
    3 Posts

    Re: Virtual Appliance

    ‏2014-05-13T12:16:37Z  

    Thank you very much Daniel!

  • Aaron_Breen(IBM)
    150 Posts

    Re: Virtual Appliance

    ‏2014-05-14T03:02:56Z  

    Great response and thank you