Installing a QRadar data gateway in IBM Cloud

You connect to IBM® QRadar® on Cloud through a data gateway. You can install the data gateway in IBM Cloud.

Before you begin

Ensure that your appliance meets the data gateway system requirements. See System requirements for data gateways.

Schedule a maintenance window for this task and ensure that users do not deploy changes while the data gateway is being added to your deployment.

Ensure that you have the full host name of the Console that you connect to through your gateway appliance.

About this task

For any issues with QRadar software, engage IBM Support. If you experience any problems with IBM Cloud® infrastructure, refer to IBM Cloud documentation (https://cloud.ibm.com/docs). If IBM Support determines that your issue is caused by the IBM Cloud infrastructure, you must contact IBM Cloud for support to resolve the underlying issue.

You must use static private and public IP addresses.

Data gateways must be installed one at a time. If you are installing more than one data gateway, wait until you complete installation of one before you install the next one.

The /etc/resolv.conf file on the data gateway cannot contain more than two nameserver entries. QRadar installation fails if it contains more than two.

Procedure

  1. Download the .vhd image file.
    1. Go to the CLOUD MARKET PLACE section of Fix Central (https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux®&function=all).
    2. Click 7.4.1-CMP-IBMCloud-MANAGEDHOST-PRIVATE-QRADAR-QRSIEM-20200716115107.
    3. Download the .vhd and .sig files.
      The .vhd file download can take several hours.
  2. Upload the .vhd image file.
    1. Go to IBM Cloud (https://cloud.ibm.com/) and create a new storage bucket.
      You need the location that is used by your storage bucket, and the IBM Cloud API Key for your storage bucket, in step 3.
    2. Upload the .vhd file.
      The upload can take up to an hour. Do not rename the .vhd file. Renaming the file causes the import to fail.
  3. Import the .vhd image.
    1. In IBM Cloud, click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. Click Import custom image.
    3. Enter a name for the image and the IBM Cloud API Key for your storage bucket.
    4. Select the Cloud Object Storage service instance, the location that is used by your storage bucket, your storage bucket, and the .vhd file that you uploaded.
    5. Select RedHat EL 7.0 minimal (64-bit).
    6. From the Boot mode menu, select Hardware Virtual Machine (HVM).
    7. Select the Your license and Cloud-init check boxes.
    8. Click Import image.
      The import can take up to 15 minutes.
  4. Configure network settings and create the instance.
    1. Click Navigation Menu > Classic Infrastructure > Manage > Images.
    2. In the Visibility menu, select Private images and find the image that you uploaded.
    3. Click Actions menu > Order Public VSI.
    4. Select the Public Multi-tenant virtual server type.
    5. Enter a hostname and domain. The combined character count of the hostname and domain cannot exceed 64 characters.
    6. Select a data center location.
    7. Select a profile that meets the data gateway system requirements. See System requirements for data gateways.
      Important: Profiles from the Balanced local storage family are not supported.
    8. Select an SSH key if you have one. Otherwise, select None.
    9. Choose an uplink port speed under Public & Private network uplinks.
      You must choose a private-only network. The data gateway will have only a private IP address, and can only be accessed within the same network, or through a routing solution of your own choosing.
    10. Select allow_all and allow_outbound for a private security group. If you are deploying a public machine, select allow_all and allow_outbound for a public security group too.
      In a QRadar deployment with multiple appliances, many ports must be allowed between managed hosts. For more information about which ports your deployment might need, see QRadar port usage. The allow_all group permits all inbound traffic, so restrict any ports that are not needed with a firewall or an equivalent control.
    11. Accept the third-party service agreements and click Create.
    The Devices screen loads. In a few minutes, a date appears in the Start Date field.
  5. After the instance has a Start Date, configure storage for the instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, click Order Portable Storage.
    3. Select the same Region, Location, and Zone for your portable storage that your instance is in.
    4. Enter a description for your portable storage.
    5. Estimate your storage needs and enter a size for the second disk in GB.
      The minimum size is 250 GB. The added disk must be the second disk. It cannot be the third or greater disk.

      When the installation is complete, this disk contains the /store and /transient partitions.

      Warning: You cannot increase storage after installation.
    6. Accept the service agreement and click Create.
  6. Attach storage to your instance.
    1. Click Navigation Menu > Classic Infrastructure > Block Storage.
    2. In the Portable storage section, find the disk that you created and click Actions menu > Attach.
    3. Find the instance that you created and click Attach.
    4. Accept the warning that the virtual server will be shut off during disk attachment and click Attach.
    The second disk is added and the instance restarts. This process takes several minutes.
  7. Install the data gateway and set the admin password.
    1. When the instance is ready, log in by typing the following command:
      ssh root@<IP_address>

      If you are not using an SSH key, you are prompted to enter the root password. This password is provided in your instance details.

      Because the data gateway has only a private IP address, you cannot SSH to it directly from outside its private network. Connect first to a router, bastion host, or other system that has a route to the host, and run the ssh command from there.

    2. Type the following command:
      sudo /root/setup_mh 7000
    3. The system prompts you to set the root password. Set a strong password that meets the following criteria.
      • Contains at least 5 characters
      • Contains no spaces
      • Includes at least one of the following special characters: @, #, ^, or *.
  8. Upgrade the data gateway to the same version of QRadar as your Console.
    1. Log in to the Console.
    2. To find the version of QRadar that the Console is at, click the navigation menu, and then click About.
    3. Download the SFS file for the version of QRadar that the Console is at from Fix Central (https://www.ibm.com/support/fixcentral).
    4. Copy the software update SFS file to your data gateway.
    5. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    6. On your data gateway, move the SFS file to the /storetmp directory by typing the following command:
      sudo mv <version_number>_QRadar_patchupdate-<full_version_number>.sfs /storetmp
    7. Open the superuser shell by typing the following command:
      sudo su -
    8. Create the /media/updates directory by typing the following command:
      mkdir /media/updates
    9. Mount the SFS file by typing the following command:
      mount -o loop -t squashfs /storetmp/<version_number>_QRadar_patchupdate-<full_version_number>.sfs /media/updates
    10. Run the software update installer by typing the following command:
      /media/updates/installer
  9. Use the QRadar on Cloud Self Serve app to generate a token for your data gateway and allowlist the data gateway's IP address. For more information, see Access management to the console.
  10. After you receive your token:
    1. If you have disconnected from your ssh session, use ssh to log back in to your data gateway.
    2. The software update in step 8 restarts the appliance, so open the superuser shell again by typing the following command:
      sudo su -
    3. To mitigate a known issue with an intermittent connection, replace the start command of the tunnel-monitor service with /bin/true through a systemd drop-in by typing the following command, on a single line, on the newly added data gateway:
      mkdir /etc/systemd/system/tunnel-monitor.service.d/; printf "[Service]\nExecStart=\nExecStart=/bin/true\n" > /etc/systemd/system/tunnel-monitor.service.d/override.conf; chmod 644 /etc/systemd/system/tunnel-monitor.service.d/override.conf; systemctl daemon-reload
    4. To finish the initial data gateway setup, type the following command:
      /opt/qradar/bin/setup_qradar_host.py mh_setup interactive -p
  11. Exit the superuser shell by typing the following command:
    exit

What to do next

Editing a target processor for your data gateway